SG1 00314301

BitSpyder - The Culture of Knowledge

© Copyright 2011 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice. The only warranties
for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or
omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission
of HP. You may not use these materials to deliver training to any person outside of your
organization without the written permission of HP.
Printed in United States of America

Accelerated Migrating and Troubleshooting HP Enterprise Networks
Part 1: Migrating to an Open Standards Network

Student guide – Book 1 of 2


May 2011
HP Restricted

Contents

Introduction to Migrating to an Open Standards Network


Course objectives ...................................................................................... Intro-1
Course agenda ........................................................................................ Intro-2
HP MASE Network Infrastructure certification training ................................... Intro-3
HP MASE Network Infrastructure certification training ................................... Intro-4

Module 1: Migrating a Cisco Network to Open Standards


Objectives .................................................................................................... 1-1
Why migrate a Cisco network to open standards? ............................................. 1-2
Why migrate to open standards?..................................................................... 1-3
The advantages of using open standards .......................................................... 1-4
Customers use proprietary protocols ................................................................. 1-5
Reason 1: Vendor expertise ................................................................ 1-5
Reason 2: Vendor responsiveness ....................................................... 1-5
Reason 3: Currently functional proprietary protocol ............................... 1-5
Can you replace all proprietary protocols? ....................................................... 1-6
What are the risks of a migration? ................................................................... 1-7
“Reload at” migration strategy ........................................................................ 1-8
Conclusions .................................................................................................. 1-9
Migrating Layer 2 protocols ........................................................................... 1-10
Migrating to open standards: Layer 2 protocols ................................................ 1-11
Replace CDP with LLDP ................................................................................. 1-12
Replace CDPv2 with LLDP-MED ...................................................................... 1-13
CDP, LLDP, and LLDP-MED .............................................................................. 1-14
CDP, LLDP and LLDP-MED (optimized) .............................................................. 1-16
Replace VTP with GVRP ................................................................................. 1-19
Comparing GVRP and VTP .............................................................. 1-19
GVRP and VTP: Advantages and disadvantages ................................. 1-19
VTP versus GVRP ......................................................................................... 1-21
Migrating VTP to GVRP ................................................................................ 1-22
Trunk and static VLANs: A best practice?........................................................ 1-23
Planning a PVST+-to-MSTP migration .............................................................. 1-24
What should you verify before migration?.......................................... 1-24
What information do you need to collect? ......................................... 1-24
What MSTP settings do you need to configure? .................................. 1-25
General guidelines ......................................................................... 1-25
Replace PVST+ with MSTP ............................................................................ 1-26
Additional references ...................................................................... 1-28
Operating on a single star topology .............................................................. 1-29
Strategy for migrating with a single star topology ............................... 1-30

Rev. 11.21 i
PVST+ to MSTP migration steps—Activity ........................................................ 1-31
Migrate PVST+ to MSTP during a maintenance time ............................ 1-32
Migrate PVST+ to MSTP on distribution switches first............................ 1-32
Migrating Layer 3 protocols .......................................................................... 1-34
Migrating to Layer 3 open standard protocols ................................................. 1-35
Why replace EIGRP with OSPF?: An expert’s opinion ......................... 1-35
VRRP support on Cisco ................................................................................. 1-37
Cisco VRRP configuration examples .................................................. 1-37
HSRP to VRRP migration ............................................................................... 1-39
EIGRP to OSPF pre-migration tasks ................................................................ 1-40
Collect information.......................................................................... 1-40
Clean up the routing protocol configuration ....................................... 1-41
Design your new configuration ......................................................... 1-42
Consider factors that might cause downtime....................................... 1-43
OSPF Overlay Model migration..................................................................... 1-45
OSPF Overlay Model ...................................................................... 1-45
Overlay Migration Model migration steps 1 and 2 ............................. 1-46
OSPF Overlay Model migration (cont.) ........................................................... 1-48
Step 3 ........................................................................................... 1-48
Step 4 ........................................................................................... 1-48
Route Redistribution Model migration ............................................................. 1-49
Route Redistribution Model............................................................... 1-49
Route Redistribution Model migration steps 1 and 2 ............................ 1-50
Route Redistribution Model migration (cont.) ................................................... 1-51
Step 3 ........................................................................................... 1-51
Step 4 ........................................................................................... 1-52
Route Redistribution Model migration (cont.) ................................................... 1-53
Step 5 ........................................................................................... 1-53
Step 6 ........................................................................................... 1-53
Additional references ...................................................................... 1-53
Summary .................................................................................................... 1-54
Lab activity 1: Migrating a Cisco Network to Open Standards .......................... 1-55
Lab activity 1: Migrating a Cisco Network to Open Standards .......................... 1-56
Lab debrief ................................................................................................. 1-57
Learning check ............................................................................................ 1-58

Module 2: Migrating Edge Devices


Objectives .................................................................................................... 2-1
Why migrate to HP switches? .......................................................................... 2-2
What is edge migration? ................................................................................2-3
Connection needs at the edge........................................................................ 2-4
Protection needs at the edge ........................................................................... 2-5
How do you prevent… ...................................................................... 2-5
More needs at the edge ................................................................................. 2-7
How do you… ................................................................................. 2-7

Migration step 1: Uplink connections................................................................2-8
Migration step 2: Edge connections .................................................................2-9
Replace a Cisco access switch with an HP edge switch .................................... 2-10
Strategy for adding an HP edge switch ............................................. 2-10
Strategy for replacing a Cisco access switch with an HP edge
switch ............................................................................................ 2-11
Proposed migration strategy ............................................................. 2-12
Connecting edge switches to the network ....................................................... 2-13
Connecting HP edge uplinks ......................................................................... 2-14
VLAN configuration commands ........................................................ 2-14
Choice A: Connect the HP edge with MSTP .................................................... 2-16
Which uplink is blocked on HP edge switches? .................................. 2-16
Is load balancing an option? ........................................................... 2-17
How do I get this result? .................................................................. 2-17
Configurations ................................................................................ 2-18
Choice B: Connect the HP edge without MSTP ................................................ 2-20
What happens if STP is disabled? ....................................................2-20
What is the resulting topology? ........................................................2-20
What are the risks of this solution? How can you improve the
configuration? ................................................................................ 2-21
Configurations ................................................................................ 2-21
Choice C: Connect the HP edge with Smart Link ............................................. 2-23
What does Smart Link provide? ........................................................ 2-23
Can you configure Smart Link to support load balancing? ................... 2-23
Configurations ................................................................................ 2-24
Choice D: Connect the HP edge with Monitor Link ........................................... 2-26
When would this architecture be useful? ............................................ 2-27
Monitor Link configuration ............................................................... 2-27
Configuring device management ................................................................... 2-28
Device management .................................................................................... 2-29
Management configuration ........................................................................... 2-30
Cisco secure management configuration ............................................ 2-30
HP A-Series secure management configuration ................................... 2-31
HP E-Series secure management configuration .................................... 2-33
AAA secured access with RADIUS and TACACS+............................................ 2-35
Cisco configuration: Control SSH access with AAA to a
RADIUS server................................................................................ 2-35
Cisco configuration: Control SSH access with AAA to a
TACACS+ server ............................................................................. 2-36
AAA for SSH with RADIUS on HP A-Series ...................................................... 2-37
HP A-Series switch configuration ....................................................... 2-37
AAA for SSH with RADIUS on HP A-Series (cont.) ............................................ 2-39
Configure the RADIUS server (HP Intelligent Management
Center [IMC]) ................................................................................. 2-40

AAA for SSH with HWTACACS on HP A-Series ............................................... 2-41
HP A-Series switch configuration ....................................................... 2-41
AAA for SSH with HWTACACS on HP A-Series (cont.) ..................................... 2-42
AAA for SSH with HWTACACS on HP A-Series (cont.) .....................................2-43
AAA for SSH with RADIUS on HP E-Series ..................................................... 2-44
HP E-Series switch configuration ........................................................2-44
Configuring Commands Authorization on a RADIUS Server:
Using Vendor-Specific Attributes (VSAs) ............................................. 2-45
AAA for SSH with TACACS+ on HP E-Series .................................................. 2-46
Configuring edge features ............................................................................ 2-47
Edge connections and features ..................................................................... 2-48
Protecting the edge ...................................................................................... 2-49
DHCP snooping and ARP protection ................................................. 2-49
STP hardening: BPDU guard, loop protect, and root guard .................. 2-51
Configuring IP phones .................................................................................. 2-53
Voice over IP configuration............................................................... 2-53
Securing access........................................................................................... 2-57
802.1X and MAC authentication on Cisco IOS ................................... 2-57
802.1X and MAC authentication on HP A-Series ................................. 2-58
802.1X and MAC authentication on HP E-Series .................................. 2-59
Summary .................................................................................................... 2-60
Lab activity 2.1: Migrating the Edge in a Cisco Network ................................... 2-61
Lab debrief ................................................................................................. 2-62
Lab activity 2.2: Converting the Configuration on a Cisco Edge Device to
an HP Device .............................................................................................. 2-63
Lab debrief ................................................................................................. 2-64
Learning check ............................................................................................ 2-65

Module 3: Migrating and Expanding the Distribution Layer with HP E-Series


Objectives .................................................................................................... 3-1
Migration overview ........................................................................................ 3-2
Migration scenario: Replacing Cisco with HP E-Series at the distribution layer ...... 3-3
Why migrate to HP E-Series devices ................................................................ 3-4
Migration goals............................................................................................ 3-5
Existing configuration .................................................................................... 3-6
Configurations ................................................................................. 3-7
What is the final configuration?..................................................................... 3-15
Proposed final configuration ......................................................................... 3-23
Migration to open standards ............................................................3-23
Spanning tree protocol .................................................................... 3-24
IP addressing and virtual router protocol configuration ....................... 3-25
Routing protocol ............................................................................. 3-27
Plan for migrating to open standards ............................................................. 3-29

When should you migrate the Cisco switches to open standards? ..................... 3-30
Routing protocol ............................................................................ 3-30
Discovery protocol .......................................................................... 3-31
VTPs to Static VLANs ....................................................................... 3-31
Spanning tree protocol .................................................................... 3-31
When should you migrate to MSTP? ..............................................................3-32
Plan the migration to the new distribution layer............................................... 3-33
Methods for migrating to the new distribution layer......................................... 3-34
Forklift ....................................................................................................... 3-35
Forklift (cont.) ............................................................................................. 3-36
Parallel network .......................................................................................... 3-38
Parallel network (cont.) ................................................................................ 3-40
Where might issues occur? ........................................................................... 3-41
Potential problem spot 1: STP behavior when you connect the parallel
network ..................................................................................................... 3-42
Cisco Core 1 configuration ............................................................. 3-43
Cisco Distribution 1 configuration .................................................... 3-45
Cisco Distribution 2 configuration .................................................... 3-48
Cisco Edge 1 configuration ............................................................. 3-50
Cisco Edge 2 configuration .............................................................. 3-51
HP E-Series Distribution 1 configuration ............................................. 3-52
HP E-Series Distribution 2 configuration .............................................3-55
Answer....................................................................................................... 3-59
Potential problem spot 2: Migrating the edge ................................................. 3-60
Activity: Analyzing your readiness for a quick migration ................................... 3-61
Cisco Distribution 1 configuration ..................................................... 3-62
Cisco Distribution 2 configuration ..................................................... 3-62
Cisco Edge 1 configuration ............................................................. 3-63
Cisco Edge 2 configuration ............................................................. 3-64
HP E-Series Distribution 1 configuration ............................................ 3-65
HP E-Series Distribution 2 configuration ............................................ 3-66
Answer: VLAN 1 ......................................................................................... 3-67
Answer: Other VLANs ................................................................................. 3-68
Activity: Continuing to analyze your readiness for a seamless migration .............3-69
Answers ..................................................................................................... 3-70
Activity: Optimizing the edge connections for the migration .............................. 3-71
Answers ..................................................................................................... 3-72
Potential problem spot 3: When will you migrate the Layer 3 functionality? ......... 3-73
Migrating the routing protocol .......................................................... 3-73
Migrating the default gateway.......................................................... 3-74
Potential problem spot 4: How will you migrate the routing functionality?............ 3-75
Strategy 1: VRRP behavior on HP E-Series switches ........................................... 3-76
Strategy 1: Endpoint ARP behavior................................................................. 3-78
Strategy 1: Suggested process ...................................................................... 3-80
Strategy 2: Migrate the endpoints to a new default gateway address .................3-82

Comparing the strategies ............................................................................. 3-84
Analyzing the parallel network method ......................................................... 3-86
Replacing switches one at a time .................................................................. 3-88
Replacing switches one at a time (cont.) ........................................................ 3-89
Replacing switches one at a time (cont.) ........................................................ 3-90
Where might issues occur? .......................................................................... 3-92
Potential problem spot 1: Migrating routing functionality to one
distribution switch ........................................................................................ 3-93
Potential problem spot 2: STP behavior when you replace the switch .................. 3-94
Possible solution: Disabling STP .....................................................................3-95
Analyzing the replacement method ................................................................3-97
Creating alternative strategies ..................................................................... 3-100
Summary ...................................................................................................3-101
Prelab activity: Plan a complete migration strategy ......................................... 3-102
My migration strategy ................................................................... 3-103
Lab 3-1: Migrating the Distribution Layer from Cisco to HP E-Series Devices ....... 3-124
Lab debrief ............................................................................................... 3-125
Learning check .......................................................................................... 3-126
Appendix: Implementing ACLs and QoS on the replacement
HP E-Series switches ................................................................................... 3-128
Migrate ACLs and QoS policies ............................................................ 3-128
Configuring ACLs on HP E-Series switches .............................................. 3-129
Applying the ACLs............................................................................... 3-130
RACLs ......................................................................................... 3-130
VACLs ......................................................................................... 3-130
Port ACLs ..................................................................................... 3-131
Planning the ACL migration .................................................................. 3-132
Planning VACLs ............................................................................ 3-132
Planning Port-based ACLs .............................................................. 3-134
Determine when to migrate the ACLs ..................................................... 3-135
Migrating QoS policies ........................................................................ 3-137
HP E-Series QoS Concepts ................................................................... 3-138
Honor prioritization ............................................................................. 3-139
Classify and mark traffic ...................................................................... 3-140
Optional Lab 3.2: Migrating ACLs and QoS Policies from a Cisco to
an HP E-Series Distribution Layer ................................................................... 3-141

Module 4: Migrating and Expanding the Distribution Layer with HP A-Series

Objectives .................................................................................................... 4-1
Migration overview ....................................................................................... 4-2
Migration scenario ....................................................................................... 4-3
Why migrate to HP A-Series devices? .............................................................. 4-4
Migration goals............................................................................................ 4-5

Existing configuration .................................................................................... 4-6
Configurations ................................................................................. 4-7
What is the final configuration?..................................................................... 4-15
Proposed final configuration ......................................................................... 4-22
Migration to open standards ........................................................... 4-22
Spanning tree protocol ................................................................... 4-23
IP addressing and virtual router protocol configuration ....................... 4-24
Routing protocol ............................................................................ 4-25
Plan for migrating to open standards ............................................................. 4-27
When should you migrate the Cisco switches to open standards? ......................4-28
Routing protocol ............................................................................ 4-28
Discovery protocol ......................................................................... 4-29
Spanning tree protocol ................................................................... 4-29
When should you migrate to MSTP? ............................................................. 4-30
Plan the migration to the new distribution layer................................................ 4-31
Advantages of HP A-Series IRF ..................................................................... 4-32
IRF simplifies network design and implementation ........................................... 4-34
Advantages of this topology ............................................................ 4-34
Methods for migrating to the new distribution layer......................................... 4-35
Forklift ....................................................................................................... 4-36
Analyzing the forklift method ....................................................................... 4-37
Parallel network .......................................................................................... 4-39
Parallel network (cont.) ................................................................................. 4-41
Where might issues occur? .......................................................................... 4-42
Potential problem spot 1: STP behavior when you connect the parallel
network ..................................................................................................... 4-43
Cisco Core 1 configuration ............................................................. 4-44
Cisco Core 2 configuration ............................................................. 4-45
Cisco Distribution 1 configuration .................................................... 4-46
Cisco Edge 1 configuration ............................................................. 4-48
Cisco Edge 2 configuration ............................................................. 4-49
HP A-Series Distribution configuration ............................................... 4-50
Answer...................................................................................................... 4-54
Potential problem spot 2: Migrating the edge ................................................. 4-55
Activity: Analyzing your readiness for a quick migration .................................. 4-56
Cisco Distribution 1 configuration .................................................... 4-57
Cisco Edge 1 configuration ............................................................. 4-57
Cisco Edge 2 configuration ............................................................. 4-58
HP A-Series Distribution configuration ............................................... 4-59
Answer: VLAN 1 ......................................................................................... 4-61
Answer: Other VLANs ................................................................................. 4-62

Potential problem spot 3: When will you migrate the Layer 3 functionality? ........ 4-63
Migrating the routing protocol ......................................................... 4-63
Migrating the default gateway......................................................... 4-64
Potential problem spot 4: How will you migrate the routing functionality?........... 4-65
Strategy: Migrate the current virtual IP addresses to the new distribution
switch ....................................................................................................... 4-66
Analyzing the parallel network method ......................................................... 4-68
Creating alternate strategies ......................................................................... 4-70
Summary .................................................................................................... 4-71
Prelab activity: Plan a complete migration strategy ........................................... 4-72
My migration strategy .................................................................... 4-73
Lab Activity 4.1: Migrating the Distribution Layer from Cisco to HP
A-Series Devices ......................................................................................... 4-94
Lab debrief ................................................................................................ 4-95
Learning check ........................................................................................... 4-96
Appendix: Implementing ACLs and QoS on the replacement HP A-Series switches ........................ 4-97
Migrate ACLs and QoS policies ............................................................. 4-97
Configuring ACLs on HP A-Series switches............................................... 4-98
Applying the ACLs................................................................................ 4-99
RACLs .......................................................................................... 4-99
VACLs .......................................................................................... 4-99
Port ACLs ..................................................................................... 4-100
Planning the ACL migration .................................................................. 4-101
Planning VACLs ............................................................................ 4-101
Planning Port-based ACLs .............................................................. 4-102
Determine when to migrate the ACLs ..................................................... 4-103
Migrating QoS policies ........................................................................ 4-105
HP A-Series QoS Concepts ................................................................... 4-106
Configure QoS policies on HP A-Series switches ..................................... 4-107
Honor prioritization ....................................................................... 4-107
Classify and mark traffic ................................................................ 4-108
Optional Lab Activity 4.2: Migrating ACLs and QoS Policies from a Cisco to an HP A-Series Distribution Layer ... 4-110

Module 5: Migrating Border Gateway Protocol


Objectives .................................................................................................... 5-1
BGP session establishment and disconnection ................................................... 5-2
BGP session establishment ............................................................................. 5-3
BGP capabilities ............................................................................................5-7
Hard reset ................................................................................................... 5-9
Route refresh ............................................................................................... 5-10
If BGP neighbor does not support route refresh ................................................. 5-11

What will happen if… ................................................................................. 5-12
What will happen on Router A if the eBGP interface goes down? ................... 5-12
What will happen if the iBGP interface goes down? ........................... 5-13
What will happen if eBGP neighboring is shut down? ......................... 5-13
What will happen if you trigger a soft reset? ...................................... 5-13
Destination reachability and BGP convergence time......................................... 5-14
What is destination reachability? ...................................................... 5-14
Impact on reducing time to convergence......................................................... 5-16
BGP advertising and receiving prefixes........................................................... 5-18
BGP advertising and receiving IP prefixes ....................................................... 5-19
Multihome BGP scenario .............................................................................. 5-20
Multihome outbound filter configuration ............................................ 5-20
Multihome inbound filter configuration .............................................. 5-21
Small ISP BGP scenario ................................................................................ 5-23
Small ISP BGP configuration for communicating with customers...................5-23
Small ISP configuration .................................................................... 5-23
Customer router configuration...........................................................5-24
Small ISP configuration for communicating with its upstream ISPs ............... 5-25
Small ISP router config with an upstream ISP ..................................... 5-25
Recommendations for filtering inbound prefixes.........................................5-26
Large ISP scenario ....................................................................................... 5-28
IBGP Peering ....................................................................................... 5-28
Announcing network ...................................................................... 5-28
iBGP basic configuration example ................................................... 5-29
Announcing redistributed static routes:.............................................. 5-29
More iBGP recommendations .......................................................... 5-30
RIPE recommended BGP template for eBGP peers ..................................... 5-31
What will happen to traffic if… .................................................................... 5-34
How can you prevent Router A from…........................................................... 5-36
What will you do to “shut down” Router A….................................................. 5-38
Power off ...................................................................................... 5-38
Shut down eBGP neighboring ......................................................... 5-38
Shut down iBGP peering(s) ............................................................. 5-39
disable network command .............................................................. 5-39
Disable forwarding of default route to LAN ....................................... 5-39
Conclusion .................................................................................... 5-39
BGP HP Comware CLI and Cisco IOS ........................................................... 5-40
Cisco IOS configuration.................................................................. 5-40
HP A-Series configuration ............................................................... 5-40


1—Creating a BGP connection .................................................................... 5-42


2—Controlling route generation and redistribution .......................................... 5-43
3—BGP advertisement/reception filters ......................................................... 5-44
4—BGP route attributes ............................................................................... 5-45
5—Tuning and optimizing BGP networks....................................................... 5-46
6—BGP peer groups....................................................................................5-47
7—BGP communities .................................................................................. 5-48
8—BGP route reflector and confederation...................................................... 5-49
9—BGP Graceful Restart and log ................................................................. 5-50
Summary .................................................................................................... 5-51
Lab activity 5: Migrating BGP ....................................................................... 5-52
Lab debrief .................................................................................................5-53
Learning check ........................................................................................... 5-54

Appendix A: Learning Check Answers


Introduction to Migrating to an Open Standards Network
Introduction

Course objectives
In this course you will review the reasons why companies want to install HP A-Series
or E-Series switches in a Cisco-based network, whether they are replacing existing
switches or expanding their network with new HP switches. HP A-Series devices are
designed for large and complex enterprises; HP E-Series devices are intended for
Small-to-Medium Businesses (SMBs), which might, nonetheless, have some
sophisticated requirements.
You will learn how to assess the existing Cisco network and analyze the
configuration of the proprietary protocols running on those devices. You will then
learn how to develop strategies for replacing Cisco switches with HP A-Series and
E-Series switches, including migrating the proprietary protocols to their open-standard
protocol counterparts.
Specifically, you will learn how to:
▪ Replace proprietary protocols with their open standard counterparts
▪ Add or replace switches in a Cisco-based network with an HP switch:
  • Add or replace switches at the access, distribution, and core layers using
    HP A-Series and HP E-Series switches
  • Replace a BGP-configured Cisco router with an HP A-Series router
  • Configure connections between HP and Cisco devices
  • Migrate features to prevent unnecessary downtime


Migrating a Cisco Network to Open Standards
Module 1

Objectives
After completing this module, you will be able to:
▪ Replace the Cisco proprietary protocols Cisco Discovery Protocol (CDP), Per
  VLAN Spanning Tree Plus (PVST+), and Enhanced Interior Gateway Routing
  Protocol (EIGRP) with the following open standards protocols: Link Layer
  Discovery Protocol (LLDP), Multiple Spanning Tree Protocol (MSTP), and Open
  Shortest Path First (OSPF)
▪ Devise a strategy to replace proprietary Layer 2 and Layer 3 protocols with their
  open standards counterparts while minimizing downtime


Why migrate a Cisco network to open standards?


In this section, you will learn about the advantages of migrating proprietary protocols
to open standards protocols. You will also explore some of the challenges you may
face when you suggest this type of migration to your company or customer.


Why migrate to open standards?

Before you begin migrating a Cisco network to open standards, you should consider
the following questions:
▪ Is migrating a Cisco network to open standards worth the effort?
▪ What are the advantages of open standards versus proprietary protocols?
  • Are there any potential disadvantages?
  • Are some features only supported by proprietary protocols?
▪ Can all Cisco proprietary protocols be replaced by open standards protocols?
▪ What are the risks of a migration?
You will now discuss each of these questions.


Customers use proprietary protocols

Keep in mind that your customers may have good reasons for using proprietary
protocols.

Reason 1: Vendor expertise
For example, customers might tell you that vendors are experts in the proprietary
solutions they provide.
However, open standards are no less robust and, when adopted by a large
community of vendors and customers, provide an excellence on which customers can
rely. Vendors that implement open standards test their implementations among
multiple vendors, strengthening the protocol interoperability. In addition, even though
an open standard might take longer to evolve than a proprietary protocol, the open
discussion makes the standard’s evolution and its current implementation transparent.
The transparency will help you to better understand and become expert in
implementing the standard.

Reason 2: Vendor responsiveness
Another reason that customers might implement proprietary protocols is that they feel
that, if they have a problem with the protocol, a single vendor will be better able to
react and provide a solution for them.
It might be true that one vendor can more quickly develop a solution to a given
problem. However, the customer’s investment in the proprietary protocol comes at the
risk that the solution will later become obsolete. It will no longer matter that the
protocol once worked well if the customer can no longer expand the network with
new products that implement the open standard. For this reason, although a few
companies will become early adopters of proprietary protocols, the vast majority will
not take that risk if it does not offer a good return on investment.

Reason 3: Currently functional proprietary protocol
If a proprietary protocol works, you cannot simply say “Replace it because it’s not an
open standard.”
Be flexible: although using open standards is often the best option, recognize that
proprietary protocols may be useful in some cases. For example, many clustering
protocols (such as Firewall Cluster, HP Intelligent Resilient Framework [IRF], and Cisco
Virtual Switching System [VSS]) are proprietary. However, because these clustered
devices do interoperate in a standard way with external devices, the proprietary
protocol does not cause a major issue in interoperability.



Can you replace all proprietary protocols?

You also need to determine if each proprietary protocol can be replaced:
▪ The open standard must be supported on the Cisco devices you are using.
▪ Not all open standards protocols are supported:
  • Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol
    (GVRP) and Virtual Router Redundancy Protocol (VRRP) are not widely
    supported by Cisco devices.
  • Cisco Network Admission Control (NAC) is proprietary and has no open
    version equivalent.
▪ Consider each protocol to be replaced:
  • Look closely at what the proprietary protocol provides a network. For
    example, is it providing:
    ▪ Security
    ▪ Convergence speed
    ▪ Ease of implementation
    ▪ Management


Conclusions
Before migrating a Cisco network to open standards, you should:
▪ Clearly identify the functions of the customer’s current proprietary protocols
▪ Make sure you provide an overall “better” solution
▪ Analyze the solution on a protocol-by-protocol basis
Replacing even some proprietary protocols can provide long-term benefits to the
network.
Open standards truly provide a key advantage in most cases.


Migrating Layer 2 protocols


In the next section, you will focus on replacing protocols that function at Layer 2 in
the Open Systems Interconnection (OSI) model.


Migrating to open standards: Layer 2 protocols

Proprietary protocol      Open standard
CDP, CDP V2               LLDP, LLDP-MED
VTP                       802.1Q VLANs
PVST+, Rapid-PVST+        MSTP

Figure 1-1: Migrating to open standards: Layer 2 protocols

You will now consider what is required to migrate the following Layer 2 protocols to
their open standards counterparts:
▪ CDP to LLDP
▪ VTP to GVRP or static 802.1Q VLANs
▪ PVST+/Rapid PVST+ to MSTP


Replace CDP with LLDP

What should you verify before you begin replacing CDP with LLDP?

Does the Cisco device or its software version support LLDP?
A quick way to answer this question is to enter the lldp run command in
configuration mode. The other way is to use the Cisco Feature Navigator, which can
be found at http://tools.cisco.com/ITDIT/CFN/.
Cisco is now starting to support LLDP and LLDP-MED on Catalyst switches (3760,
3750, 2960, 2970) and on switches running 12.2(37)SE. The protocols are also
supported on Cisco Catalyst 6500 switches running 12.2(33)SXH.

Is CDP used as a discovery protocol between network equipment (such as
routers and switches)?
CDP provides information about connected neighbors or, more generally speaking,
Layer 2 neighbors.
In this case, CDP, like LLDP, is not necessary for a network to operate. However, it is
a good troubleshooting tool and can solve connection issues, which can be useful
when you are managing multiple cables.

Is CDP used between network devices and end points?
CDPv2 is used to provision Cisco IP phones with VLAN, Quality of Service (QoS), and
power information.

Are CDP and LLDP used by a management solution?
Verify that this management software can also function with the information given by
LLDP.

Is CDP disabled for security reasons?
Some customers disable CDP for security reasons, since it gives device information
such as the device names and IP addresses in VLAN 1. Any node can sniff and read
information that CDP contains.
Note that CDP is enabled by default on all ports of a Cisco switch. LLDP is not
enabled by default and can be enabled by using the global lldp run command.

What is the best strategy for migrating CDP to LLDP?
Both protocols can be enabled at the same time on all devices, allowing for a
smooth migration phase. Once LLDP is activated on all equipment and all
management software can use it, you can then disable CDP:

    Cisco(config)# lldp run
    Cisco# show lldp neighbors
    Cisco(config)# no cdp run


Replace CDPv2 with LLDP-MED

CDPv2 and LLDP-MED serve the same purpose of provisioning end-point equipment
with VLANs, QoS, and power allocation. Both support capability discovery if the
phone is connected to a PC, whether the port is enabled or not.

Is the switch used to connect Cisco IP phones?
CDPv2 is used to provision Cisco IP phones, providing VLAN and QoS information,
for example.
To verify that CDP is used for that purpose:
▪ Determine whether there are any “voice” commands in the switch. A typical
  setup for a port supporting an IP phone is:

    interface GigabitEthernet 1/20
     switchport
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 3

  Look for the voice vlan command in the configuration.
  Note: The setup is the same for LLDP-MED.
▪ Look for this command:

    router1(config)# cdp advertise-v2

Do the IP phones support LLDP-MED?
Cisco IP phones released after 2006-2007 will support LLDP. LLDP-MED is supported
on the following models since release 8.3(3):
7906G, 7911G, 7931G, 7941G/7941G-GE, 7942G, 7945G, 7961G/7961G-GE,
7962G, 7965G, 7970G/7971G-GE, 7975G
Older models generally won’t support LLDP or LLDP-MED.
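
The checks described above (global CDP and LLDP state, ports carrying a voice vlan command, the cdp advertise-v2 line) can be run against a saved running configuration before CDP is disabled. The following is an added example, not part of the HP course material; the sample configuration is constructed, and the function names and report fields are assumptions chosen for illustration.

```python
import re

# Constructed sample of a Cisco IOS running-config (not from the course material).
SAMPLE_CONFIG = """\
hostname Edge1
!
lldp run
cdp advertise-v2
!
interface GigabitEthernet 1/1
 description Uplink to HP A-Series distribution switch
 switchport mode trunk
 no cdp enable
!
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
!
interface GigabitEthernet 1/21
 switchport access vlan 2
 switchport mode access
!
"""


def parse_config(text):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                      # "!" closes an interface stanza
            current = None
            continue
        match = re.match(r"interface\s+(.+)$", line)
        if match and not raw.startswith(" "):
            current = match.group(1).replace(" ", "")
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_discovery(text):
    """Summarise where a switch stands in the CDP-to-LLDP migration."""
    global_lines, interfaces = parse_config(text)
    # Defaults as stated in the text: CDP runs unless it is disabled,
    # LLDP does not run until "lldp run" is entered.
    cdp_on = "no cdp run" not in global_lines
    lldp_on = "lldp run" in global_lines
    phase = {(True, False): "cdp-only", (True, True): "coexistence",
             (False, True): "lldp-only",
             (False, False): "no-discovery"}[(cdp_on, lldp_on)]

    voice_ports, cdp_ports = {}, []
    for name, lines in interfaces.items():
        for line in lines:
            match = re.match(r"switchport voice vlan (\d+)$", line)
            if match:
                voice_ports[name] = int(match.group(1))
        if cdp_on and "no cdp enable" not in lines:
            cdp_ports.append(name)           # port still sends CDP

    todo = []
    if not lldp_on:
        todo.append("enable LLDP globally (lldp run) before touching CDP")
    if cdp_on and voice_ports:
        todo.append("confirm phones on voice VLAN ports support LLDP-MED: "
                    + ", ".join(sorted(voice_ports)))
    if cdp_on and lldp_on and not voice_ports:
        todo.append("CDP can be disabled once management software uses LLDP")
    return {"phase": phase,
            # True only if the line the text says to look for is present.
            "cdpv2_line_present": "cdp advertise-v2" in global_lines,
            "voice_ports": voice_ports, "cdp_ports": cdp_ports, "todo": todo}


if __name__ == "__main__":
    for key, value in audit_discovery(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Ports listed under cdp_ports still advertise the device name and addresses through CDP, so the list doubles as a review of where that information is exposed during the coexistence phase.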



CDP, LLDP, and LLDP-MED

[Figure 1-2: CDP, LLDP, and LLDP-MED. Devices shown: HP A-Series, Cisco phone, Cisco,
HP E-Series, third-party IP phone, PC; links numbered 1 to 9. Note in figure: Cisco
switches are enabled with CDP and LLDP. Legend: CDP, LLDP, LLDP-MED, dropped.]

In Figure 1-2, the Cisco switches have been enabled with CDP and LLDP. The figure
shows scenarios of how CDP and LLDP protocols can be used and where challenges
lie, if any:

1. An endpoint connected to a Cisco phone.
In this scenario, a PC connected to a Cisco phone can support CDP or LLDP and
some applications that run on a PC (Cisco VT Advantage and LLDP, for example)
support this protocol. The phone uses the protocol to support these applications.
Note that a PC can also support LLDP in various forms.
OpenLLDP, a free open source driver, supports LLDP on Mac OS X, Linux, FreeBSD,
and NetBSD. A third-party LLDP agent (haneWIN LLDP) is also available for
Windows platforms, and can be downloaded at www.hanewin.net.

2. A Cisco phone connected to a Cisco switch
Both the Cisco switch and the Cisco phone have to support the same protocol, either
CDP v2 or LLDP-MED. They can use one or the other. LLDP-MED is preferred because
it is an open standard protocol.

3. A Cisco switch connected to another Cisco switch
Both LLDP and CDP may be used. If the Cisco switch is old and does not support
LLDP, CDP can be used.

4. A Cisco switch connected to an HP A-Series switch or third-party switch
In this case, the Cisco switch generates the CDP messages and LLDP messages.
On most third-party switches the CDP messages are ignored and flooded out the
other interfaces, meaning devices connected to a third-party switch receive CDP
messages from the Cisco switch.

With HP A-Series switches, CDP messages are flooded by default. Cisco phones on
that switch receive these CDP messages and send CDP messages as if they were
directly connected to the Cisco switch. Therefore, when Cisco switches are connected
to third-party switches (and the third-party switches support LLDP-MED), CDP should
be turned off on ports connecting to the third-party switches.
For old Cisco IP phones that do not support LLDP, you can use a Cisco switch to
continue provisioning Cisco IP phones. However, in this case, CDP will show the
Cisco devices several IP phones connected on one link.

5. A third-party phone connected to a Cisco switch
The switch generates both CDP and LLDP-MED messages. The phone drops the CDP
messages.

6. A third-party phone connected to a third-party switch
In this case, only LLDP-MED is expected.

7. A Cisco phone connected to a third-party switch
The phone will generate both LLDP-MED and CDP messages. The switch uses LLDP-
MED messages but usually ignores the CDP messages and floods them out other
interfaces. If a Cisco switch is connected to the third-party switch, then CDP should
be disabled on the Cisco switch trunk interface.
Although Figure 1-2 depicts CDP and LLDP or LLDP-MED running simultaneously on
Cisco devices, control must be provided so that any of these protocols can be
disabled.

8. A Cisco switch connected to an HP E-Series switch
The HP E-Series switch reads the CDP messages but does not send any messages.
CDP messages are not passed on. By default, HP E-Series switches send and receive
LLDP messages.

9. An HP E-Series switch and either third-party or Cisco IP phones
The switch will exchange LLDP-MED messages with the phones.



CDP, LLDP and LLDP-MED (optimized)

[Figure 1-3: CDP, LLDP and LLDP-MED (optimized). Devices shown: HP A-Series, old Cisco
phone, Cisco, HP E-Series, third-party IP phone, Cisco phone, PC; links numbered 1 to 9.
Note in figure: Cisco switches are tuned on CDP and LLDP support. Legend: CDP, LLDP,
LLDP-MED, dropped.]

In Figure 1-3, LLDP and LLDP-MED are used as much as possible. There are a few
situations which may require CDP to be maintained on Cisco switches:
▪ Discovery of old Cisco devices that only support CDP.
▪ Provisioning older phones that only support CDPv2.
▪ Management software that does not yet support LLDP for network device
  mapping.
Note that HP A-Series switches have a CDP-compliant mode to support Cisco IP
phones using CDPv2 for provisioning. To enable LLDP globally and make LLDP
compatible with CDP globally, use the following commands:

    [SwitchA] lldp enable
    [SwitchA] lldp compliance cdp

To enable LLDP on the ports (you can skip this step because LLDP is enabled on ports
by default), configure LLDP to operate in TxRx mode, and configure CDP-compatible
LLDP to operate in TxRx mode on Ethernet 1/1 and Ethernet 1/2, use the following
commands:

    [SwitchA] interface ethernet 1/1
    [SwitchA-Ethernet1/1] lldp enable
    [SwitchA-Ethernet1/1] lldp admin-status txrx
    [SwitchA-Ethernet1/1] lldp compliance admin-status cdp txrx
    [SwitchA-Ethernet1/1] quit
    [SwitchA] interface ethernet 1/2
    [SwitchA-Ethernet1/2] lldp enable
    [SwitchA-Ethernet1/2] lldp admin-status txrx
    [SwitchA-Ethernet1/2] lldp compliance admin-status cdp txrx
    [SwitchA-Ethernet1/2] quit

Alternate strategy: Voice VLAN on HP A-Series devices

Note that HP A-Series devices also support a voice VLAN feature that enables the
devices to recognize various vendors’ IP phones based on the OUI of the phones’
MAC address. Thus, the devices can support Cisco and other vendor IP phones
without needing to support CDP or LLDP-MED.
Voice VLANs are configured specially for voice traffic as follows:
▪ You add the ports that connect voice devices to voice VLANs.
▪ You can configure QoS attributes for the voice traffic, increasing transmission
  priority and ensuring voice quality.
After you configure the voice VLAN, a device determines whether a received packet
is a voice packet by checking its source MAC address. Packets containing source
MAC addresses that match the voice device OUI are regarded as voice traffic
and are forwarded in the voice VLANs.
A voice VLAN can operate in two working modes, which you specify when you add
the port to the voice VLAN:
▪ Automatic mode:
  • The system identifies the source MAC address sent when the IP phone is
    powered on and matches it against the OUI addresses.
  • If a match is found, the system will automatically add the port into the
    voice VLAN and apply ACL rules to ensure the packet precedence. An
    aging time can be configured for the voice VLAN.
  • The system will remove a port from the voice VLAN if no voice packet is
    received on it after the aging time.
▪ Manual mode:
  • The IP phone access port must be added to the voice VLAN manually.
  • The device still matches frames’ source MAC addresses against the OUI
    addresses. If a match is found, the system issues ACL rules and configures
    the precedence for the packets. In this mode, the operations of adding ports
    to the voice VLAN and removing ports from the voice VLAN are carried out
    by the administrators.
Both modes forward tagged packets according to their tags.

Enabling the automatic voice VLAN
This section provides the configuration for a voice VLAN that operates in automatic
mode.


Enable the Voice VLAN feature globally


voice vlan vlan-id enable

Enable the Voice VLAN feature on the ports

d.
Interface gigabitethernet 1/0/10

ite
voice vlan enable

ib
Configuring the OUI List

oh
pr
The HP A-Series devices have a default OUI list:

is
OUI Address Vendor

n
sio
1 0001-e300-0000 Siemens

is
m
2 0003-6b00-0000 Cisco

er
tp
3 0004-0d00-0000 Avaya

ou
4 0060-b900-0000 Philips/NEC

ith
w
5 00d0-1e00-0000 Pingtel

rt
pa
6 00e0-7500-0000 Polycom
7 00e0-bb00-0000 3com i n
or
e

This list can be edited with this command:


l
ho

voice vlan mac-address oui mask oui-mask (description text)


w
in

Configuring the voice VLAN security mode

You can configure the HP A-Series voice VLAN in either security mode or normal
mode. Depending on the mode, the voice VLAN-enabled ports process untagged
frames and frames tagged with the voice VLAN in different ways:

▪ In security mode:
  • If the frame’s source MAC address is in the OUI list, the frame is tagged with
    the voice VLAN ID and forwarded.
  • Otherwise, the frame is discarded.
▪ In normal mode:
  • If the frame’s source MAC address is in the OUI list, the frame is tagged with
    the voice VLAN ID and forwarded.
  • Otherwise, the frame is tagged with the PVID (the port’s default VLAN) and
    forwarded.

To enable the voice security mode, enter this command:

voice vlan security enable
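
The following added example (not part of the original course material) applies the security-mode and normal-mode rules above to source MAC addresses seen on voice VLAN-enabled ports, so you can list which devices would be discarded once `voice vlan security enable` is entered. The `ffff-ff00-0000` mask on the default OUI entries, the function names, the VLAN numbers and the observed addresses are assumptions constructed for illustration.

```python
import re

# Default OUI list from the page. The ffff-ff00-0000 mask (match on the first
# three octets) is an assumption; the page does not print the default masks.
DEFAULT_OUI_LIST = [
    ("0001-e300-0000", "ffff-ff00-0000", "Siemens"),
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco"),
    ("0004-0d00-0000", "ffff-ff00-0000", "Avaya"),
    ("0060-b900-0000", "ffff-ff00-0000", "Philips/NEC"),
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3com"),
]


def mac_to_int(mac):
    """Parse 0003-6b12-3456, 00:03:6b:12:34:56 or 0003.6b12.3456 into an int."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def match_oui(src_mac, oui_list=DEFAULT_OUI_LIST):
    """Return the vendor of the first OUI entry whose masked bits equal the MAC's."""
    mac = mac_to_int(src_mac)
    for oui, mask, vendor in oui_list:
        mask_bits = mac_to_int(mask)
        if mac & mask_bits == mac_to_int(oui) & mask_bits:
            return vendor
    return None


def classify(src_mac, security_mode, voice_vlan, pvid, oui_list=DEFAULT_OUI_LIST):
    """Apply the page's rules to one untagged frame on a voice VLAN-enabled port."""
    if match_oui(src_mac, oui_list) is not None:
        return ("forward", voice_vlan)   # OUI match: tagged with the voice VLAN
    if security_mode:
        return ("discard", None)         # security mode drops everything else
    return ("forward", pvid)             # normal mode falls back to the PVID


def security_mode_impact(observed, voice_vlan, pvid, oui_list=DEFAULT_OUI_LIST):
    """List (port, mac) pairs forwarded in normal mode but discarded in security mode."""
    cut_off = []
    for port, mac in observed:
        normal = classify(mac, False, voice_vlan, pvid, oui_list)
        secure = classify(mac, True, voice_vlan, pvid, oui_list)
        if normal[0] == "forward" and secure[0] == "discard":
            cut_off.append((port, mac))
    return cut_off


# Constructed sample: source MACs observed on voice VLAN-enabled ports.
OBSERVED = [
    ("GigabitEthernet1/0/10", "0003-6b12-3456"),   # OUI in the default list
    ("GigabitEthernet1/0/10", "0200-0000-0001"),   # constructed: PC behind the phone
    ("GigabitEthernet1/0/11", "0004.0dff.0001"),   # OUI in the default list
    ("GigabitEthernet1/0/12", "0200-0000-0042"),   # constructed: phone with unlisted OUI
]

if __name__ == "__main__":
    for port, mac in OBSERVED:
        print(port, mac, match_oui(mac),
              "normal:", classify(mac, False, voice_vlan=100, pvid=10),
              "security:", classify(mac, True, voice_vlan=100, pvid=10))
    print("discarded once security mode is on:",
          security_mode_impact(OBSERVED, voice_vlan=100, pvid=10))
```

A phone that shows up in the impact list needs its OUI added with `voice vlan mac-address` before security mode is enabled; any other device in the list loses connectivity on that port.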


Replace VTP with GVRP

▪ The biggest issue is the lack of GVRP support on Cisco switches.
▪ If GVRP and VTP are enabled on the same network, switches that support each
  protocol are flooded by both GVRP and VTP frames.
▪ GVRP and VTP have advantages and disadvantages. What are some of these
  advantages and disadvantages?

Comparing GVRP and VTP

When GVRP and VTP run on the same network:

▪ GVRP BPDUs go through Cisco switches and also switches that are not GVRP
  aware.
▪ VTP frames go through GVRP devices.
▪ Both GVRP and VTP require VLAN 1.

GVRP and VTP: Advantages and disadvantages

Both GVRP and VTP have features that have advantages and disadvantages.

GVRP and VTP automatically create VLANs from one switch to all others.

▪ Advantage: Automatic creation significantly simplifies setup.
▪ Disadvantages: VLANs are created everywhere, and there is no control. The
  broadcast domain is extended everywhere.
  • It is possible to reach the limit of the number of supported VLANs on some
    switches.

VLANs can be deleted.

If VTP puts a port in an errdisable state, the network stops working.

▪ Advantage: VLANs are easily deleted if necessary.
▪ Disadvantage: VLANs can accidentally be deleted. Some companies refuse to
  use VTP because of the possibility of losing a VLAN by mistake.
  • GVRP will only delete a VLAN if no port is statically attached to it.

VTP versus GVRP

VTP                                     GVRP
Cisco proprietary                       Standard 802.1Q and 802.1P
On Cisco IOS and CatOS switches         On most vendors including HP
                                        On Cisco CatOS only
Password protected                      No password protection
VLAN creation and port pruning          VLAN creation - Addition of VLAN
                                        to trunk ports
Requires trunk port (ISL or 802.1Q)     Requires trunk ports
VTP roles: server, client, transparent  GVRP roles: all switches are equal

Figure 1 - 4: VTP versus GVRP

Like GVRP, VTP can reduce the time it takes to configure VLANs on your network.
Rather than creating, deleting, or renaming VLANs on multiple switches in a network,
you can make these changes once on the VTP server, which distributes the changes
to other switches.

VTP is a Cisco proprietary protocol, which is available on the majority of Cisco
Catalyst switches. GVRP, on the other hand, is an open standards protocol. GVRP
can be used to configure VLANs on switches from different vendors (as long as each
switch supports it).

Migrating VTP to GVRP

Cisco switch role   Equivalent GVRP role on HP
VTP Server          Specify all ports that participate in GVRP as trunk
                    ports and assign them to VLANs that are carried on
                    their counterpart trunk ports on the VTP server.
                    Enable GVRP globally and on all trunk ports.
                    Create all static VLANs.
VTP Client          Specify all ports that participate in GVRP as trunk
                    ports and assign them to VLANs that are carried on
                    their counterpart trunk ports on the VTP client.
                    Enable GVRP globally and on all trunk ports.
VTP Transparent     Disable GVRP globally.

Figure 1 - 5: Migrating VTP to GVRP

On HP E-Series switches, enable GVRP globally by entering:

HP-E(config)# gvrp

On HP A-Series switches, first enable GVRP globally by entering:

<ASeries> system-view
[ASeries] gvrp

Then, configure a port, such as Ethernet 1/1, as a trunk port and assign it to all
VLANs.

[ASeries] interface ethernet 1/1
[ASeries-Ethernet1/1] port link-type trunk
[ASeries-Ethernet1/1] port trunk permit vlan all

Next, enable GVRP on the port, such as Ethernet 1/1, and use the default GVRP
registration mode (normal mode) on the port.

[ASeries-Ethernet1/1] gvrp
[ASeries-Ethernet1/1] quit

Finally, create static VLANs.

[ASeries] vlan 2 to 100

Trunk and static VLANs: A best practice?

[Figure 1 - 6: Trunk and static VLANs: A best practice? Three setups of two switches joined by trunk ports:
1. Static VLANs 10,20,30,40 on both switches; trunk ports with permitted VLANs 10,20,30,40.
2. Static VLANs 10,20,30,40 on both switches; trunk ports with permitted VLANs ALL.
3. Static VLANs 10,20,30,40,50,60,70,80 on the left switch and 10,20,30,40 on the right switch; trunk ports with permitted VLANs ALL.
What do you think of these three setups? With a Cisco switch? With an HP switch?]

With VTP and PVST+ (or Rapid PVST+), a switch learns all VLANs and creates one
STP instance per VLAN, which is very CPU-intensive. Therefore, Cisco recommends
permitting only necessary VLANs on trunk ports. In addition to reducing the
broadcast domain, this lets the switch operate more efficiently when PVST+ is running.

Heavy processing loads are not such a big issue with MSTP on HP switches. MSTP
only uses one BPDU for all instances, so the number of VLANs does not change CPU
time for MSTP. Even if all VLANs are allowed on trunk ports, only the frames of the
configured VLANs will be received and transmitted, so the broadcast domains are
not extended if VLANs are not set on the device.

If VLANs are not the same on both sides, as in case 3, broadcast frames for VLANs
50, 60, 70, and 80 will be dropped when received by the switch on the right.

Conclusion: If VLANs are not set dynamically, the trunk ports can be set with all
VLANs permitted. This practice eases the setup of uplinks while reducing
misconfigurations.

Planning a PVST+-to-MSTP migration

What should you verify before migration?
Verify whether MSTP is supported by your equipment and by the current version of
IOS. Table 1-1 displays Cisco switches and whether they support MSTP.

Table 1-1: MSTP support on Cisco switches

Cisco product              MSTP support
Catalyst Platform          MST with RSTP
Catalyst 2900 XL           Not Available
Catalyst 3500 XL           Not Available
Catalyst 2950 and 3550     Cisco IOS® 12.1(9)EA1
Catalyst 3560              Cisco IOS 12.1(9)EA1
Catalyst 3750              Cisco IOS 12.1(14)EA1
Catalyst 2955              All Cisco IOS versions
Catalyst 2948G-L3          Not Available
Catalyst 4908G-L3          Not Available
Catalyst 4000              Catalyst OS 7.1
Catalyst 2948G, 2980G      Catalyst OS 7.1
Catalyst 4000 and 4500     Cisco IOS 12.1(12c)EW
Catalyst 5000 and 5500     Not Available
Catalyst 6000 and 6500     CatOS 7.1
Catalyst 6000 and 6500     Cisco IOS 12.1(11b)EX, 12.1(13)E, 12.2(14)SX
Catalyst 8500              Not Available

Note
If a version update is required, that will cause downtime. In such a case, preload
a firmware that supports MSTP as well as a configuration that contains the
changes you intend to make to MSTP.

Also verify whether uplinks are set as full duplex and at maximum speed, and if the
uplinks are set as trunk and carry all VLANs or none of a given MSTP instance.

What information do you need to collect?

Which ports are edge ports (defined as portfast on Cisco) and which ports are
uplinks? You also need to verify the root of each VLAN and the associated master in
HSRP.

What MSTP settings do you need to configure?

MSTP configuration information that will be shared by all switches includes:
▪ Name
▪ Revision number
▪ VLAN-to-instance mapping
When you migrate to MSTP, it may be an opportunity to evaluate your instances
again. For example, you may want to synchronize MSTP instances with the HSRP
setup.
▪ The root and secondary root of each instance

General guidelines
As you complete the migration, keep these things in mind:
▪ There is not a single way to migrate to open standards.
▪ You will not have the same constraints if you execute a migration during a
  maintenance time or online.
▪ Changing the configuration on a distribution switch will have a greater impact
  on the overall network, but you must do it. You should think about whether you
  want to do it at the beginning or the end of the migration.
Before migrating, here is a step that could help:
▪ Migrate the STP network to Rapid PVST+
▪ In addition, make sure that all edge ports are defined as such with the
  spanning-tree portfast command:
Cisco(config)# interface range gigabitethernet 1/0/1 - 46
Cisco(config-if-range)# spanning-tree portfast

Or enter the spanning-tree portfast default global command:

Cisco(config)# spanning-tree portfast default

To understand what this message means, you must understand how Cisco
switches implement spanning tree. Even when the Cisco switch is set to MST
mode, the switch listens for BPDUs and runs a PVST+ simulation. The idea
behind this simulation is to synchronize the MSTP configuration with the PVST+
configuration. The switch will send out PVST+ BPDUs on all VLANs on the trunk
with the parameters that it uses for the CIST. The switch also listens for PVST+
BPDUs on all VLANs and applies them to the CIST. This behavior is different
from the standard behavior of HP MSTP switches, which only use standard
untagged MSTP BPDUs to participate in the CIST.
Because this Cisco-specific behavior could cause loops in the PVST+ topology,
the switch checks these BPDUs for consistency with the switch’s CIST settings.
That is, if the Cisco MSTP switch defines a port as root on the CIST, it expects
PVST+ BPDUs on all VLANs to offer superior root paths. Conversely, if the Cisco
MSTP switch defines a port as designated on the CIST, it expects all PVST+
BPDUs to offer inferior root paths. If an inconsistency arises, the Cisco switch
shuts down the port as broken.
When you enable MSTP on a Cisco edge switch first, these inconsistencies will
occur. Even though the switch should learn that a distribution switch is root in the
CIST, it will start to shut down ports as soon as it receives PVST+ BPDUs that
advertise a root other than the root that it wants for the CIST.
As a result, even though the PVST+ domain contains the CIST root, the MSTP
domain cannot reach it. Cisco implements this feature to prevent potential
loops, but, in fact, the MSTP domain loses connectivity to the PVST+ domain. If
you were to look at the edge switch’s MSTP status (show spanning-tree mst 1),
you would see that the “Master Port” is blocked (BKN, or broken) due to the
“PVST simulation inconsistency.”
The best way to eliminate these types of inconsistencies is to ensure that the
MSTP domain contains the root bridge for the CIST. In other words, you must
migrate the future root for the CIST, here CBridge_1, to MSTP first. You also need
to assign this switch as low a priority or a lower priority in the IST than any
PVST+ switch in any VLAN. This enables the switch to become the root for all
PVST+ spanning trees, which prevents other PVST+ simulation inconsistencies
from arising.
3. During the migration to MSTP, you will observe a failover of up to 30 seconds.
To reduce this failover time, you must reduce the STP timers using these
commands:
CDist_1(config)# spanning-tree mst hello-time 1
CDist_1(config)# spanning-tree mst max-age 6
CDist_1(config)# spanning-tree mst forward-time 4

When you use these timers, the downtime is halved to about 15 seconds.

Note
Do not change the timers in this way in a complex network in which the diameter
of the network is greater than two (two bridges from root).

4. Migrate any other distribution switches and then the edge switches.
5. After migration, remove PVST+-specific features such as UplinkFast and
BackboneFast. MSTP, which is based on RSTP, offers features that are similar to
these on its own.

Additional references
Although this class will provide practice migrating PVST+ to MSTP, you may want to
consult additional resources after the class. HP provides the following guidelines:
▪ Migrating from Cisco to ProCurve Networks
  (http://h10147.www1.hp.com/docs/security/Migrating_from_Cisco_to_ProCurve_Apr_08_AM_Eng_Ltr.pdf)
▪ Migration from Cisco PVST+ to H3C STP
Cisco also provides an example configuration for migrating from its proprietary
protocol to the industry-standard MSTP:
▪ Configuration example to migrate Spanning Tree from PVST+ to MST
  (http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b075f.shtml)

Strategy for migrating with a single star topology


To replace PVST+ with MSTP using this strategy, follow this procedure.
1. Disable spanning-tree. To do so on Cisco switches, enter this command:
Cisco(config)# no spanning-tree vlan 1-4094

2. While STP is down, configure the MSTP parameters on all switches (including the
distribution switch that is still running PVST+). You can also configure the MSTP
priorities on the distribution switches.
3. First enable MSTP on the edge switches. This strategy produces the shortest
downtime, as you can test in the lab. With the default timers, the network
experiences between 15 and 30 seconds of downtime. You can reduce the
downtime to four to ten seconds if you reduce the timers:
• Hello timer = one second (compared to the two-second default)
• Forward delay = four seconds (compared to the 15-second default)
• Aging time = six seconds (compared to the 20-second default)
4. Enable MSTP on the routing switch.
5. Enable MSTP on the other distribution switch (on which you previously disabled
the connections).
6. Open the ports between the second distribution switch and the first.
7. Finally, open the ports between the second distribution switch and the edge
switches.


Migrate PVST+ to MSTP during a maintenance time


Remember that downtime is not as important if the migration is taking place during a
maintenance downtime.

Configure MSTP region parameters.
▪ Region name, revision number, VLAN-to-instance mapping
Cisco(config)# spanning-tree mst configuration
Cisco(config-mst)# name region1
Cisco(config-mst)# revision 10
Cisco(config-mst)# instance 1 vlan 10,30,100
Cisco(config-mst)# instance 2 vlan 20,40,200
Cisco(config-mst)# exit

Configure priorities on Distrib1.

Distrib1(config)# spanning-tree mst 0-1 root primary
Distrib1(config)# spanning-tree mst 2 root secondary

Configure priorities on Distrib2.

Distrib2(config)# spanning-tree mst 2 root primary
Distrib2(config)# spanning-tree mst 0-1 root secondary

Enable MSTP mode on Distrib1.

Distrib1(config)# spanning-tree mode mst

Enable MSTP mode on Distrib2.

Distrib2(config)# spanning-tree mode mst

Enable MSTP mode on edge switches.

Edge(config)# spanning-tree mode mst

Verify MSTP.
Cisco# show spanning-tree mst configuration
Cisco# show spanning-tree mst 0
Cisco# show spanning-tree mst 1
Cisco# show spanning-tree mst 2
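
Because every switch must share the same region name, revision number and VLAN-to-instance mapping, the following added example (not part of the original course material) compares those parameters across switches before MSTP mode is enabled. It goes beyond the page by condensing the mapping into the configuration digest that IEEE 802.1Q defines for the MST configuration identifier; the digest key comes from that standard, and the sample configurations (including the Edge switch with VLAN 200 left out of instance 2) are constructed.

```python
import hashlib
import hmac
import re

# Configuration Digest Signature Key defined in IEEE 802.1Q (not on the page).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(text):
    """Expand '10, 30, 100' or '2-5,9' into a sorted list of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def parse_mst_config(config_text):
    """Return (name, revision, {vlan: instance}) from IOS-style MST config lines."""
    name, revision, vlan_to_msti = "", 0, {}
    for raw in config_text.splitlines():
        line = re.sub(r"^\S+#\s*", "", raw.strip())   # drop a CLI prompt if present
        if m := re.fullmatch(r"name (\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"revision (\d+)", line):
            revision = int(m.group(1))
        elif m := re.fullmatch(r"instance (\d+) vlan (.+)", line):
            for vid in parse_vlan_list(m.group(2)):
                vlan_to_msti[vid] = int(m.group(1))
    return name, revision, vlan_to_msti


def mst_digest(vlan_to_msti):
    """HMAC-MD5 over 4096 two-octet MSTIDs; entries for VID 0 and 4095 stay zero."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_id(config_text):
    """The three values that must be identical on every switch in the region."""
    name, revision, mapping = parse_mst_config(config_text)
    return (name, revision, mst_digest(mapping))


def find_region_mismatches(configs, reference):
    """Return {switch: [fields that differ from the reference switch]}."""
    fields = ("name", "revision", "vlan-to-instance mapping")
    ref = region_id(configs[reference])
    mismatches = {}
    for switch, text in configs.items():
        diff = [f for f, a, b in zip(fields, ref, region_id(text)) if a != b]
        if diff:
            mismatches[switch] = diff
    return mismatches


# Constructed sample configurations using the region parameters from the page.
CONFIGS = {
    "Distrib1": """
        spanning-tree mst configuration
         name region1
         revision 10
         instance 1 vlan 10,30,100
         instance 2 vlan 20,40,200
    """,
    "Distrib2": """
        Cisco(config-mst)# name region1
        Cisco(config-mst)# revision 10
        Cisco(config-mst)# instance 2 vlan 200, 20, 40
        Cisco(config-mst)# instance 1 vlan 10, 30, 100
    """,
    "Edge": """
        spanning-tree mst configuration
         name region1
         revision 10
         instance 1 vlan 10,30,100
         instance 2 vlan 20,40
    """,
}

if __name__ == "__main__":
    for switch, text in CONFIGS.items():
        print(switch, region_id(text))
    print("mismatches:", find_region_mismatches(CONFIGS, "Distrib1"))
```

A switch reported here would end up in a separate MST region after `spanning-tree mode mst`, so correct its configuration before enabling MSTP on it.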

Migrate PVST+ to MSTP on distribution switches first


To reduce downtime, you can generate a failover to Distrib1 by shutting down all the
ports on Distrib2 in one step:
Distrib2(config)# interface range gigabitethernet 1/0/1 - 46
Distrib2(config-if-range)# shutdown

Migrating Layer 3 protocols


You will now learn how to migrate the network’s proprietary Layer 3 protocols to
their open standard equivalents.


Migrating to Layer 3 open standard protocols


[Figure 1 - 10: Migrating to Layer 3 open standard protocols. Proprietary protocols and their open standard counterparts: IGRP, EIGRP to OSPF, ISIS; HSRP to VRRP?]

Here you see several Cisco proprietary Layer 3 protocols and their open standard
equivalents. In this section, you will learn a bit about migrating HSRP to VRRP;
however, many Cisco devices do not support this protocol, so the section focuses
more on the routing protocol migration, specifically EIGRP to OSPF.

Why replace EIGRP with OSPF?: An expert’s opinion


As you learn how to replace EIGRP with OSPF, you might find yourself wondering
again what benefits you will receive from the migration. In the following article, Jeff
Doyle, a prominent network consultant, CCIE, and author of many books on
networking, gives his opinion about EIGRP versus OSPF:
“A good place to start is with a request from Murilo, in response to the last post:
I would like to ask you if you could speak a bit about EIGRP vs. OSPF. Both are IGP
protocols and if you have a network only with Cisco routers what is the best option?
With apologies to my friends at Cisco, I have to say that I’ve never recommended
EIGRP to any of my clients. I’ve worked with many who have already made up their
mind in favor of EIGRP and I’ve acquiesced to their wishes, but if I’m asked I
adamantly recommend OSPF.
For years I’ve referred to EIGRP as a consultant’s best friend. It’s easy to configure,
doesn’t require you to think much about your network topology, and works very well
in networks up to a certain size. Just slap another router in the network as needed,
turn on EIGRP, and you’re done. But then when your network grows large enough to
need some scaling limits, forcing you to finally think about your topology, untangling
EIGRP can be daunting. That’s when many operators call a consultant like me, who
is happy to come in and implement an EIGRP to OSPF migration project for lots and
lots of money. So in that mercenary way I’m quite fond of the protocol.
The primary scaling limitation with EIGRP is that it doesn’t have a capability for
setting internal boundaries, important for controlling prefix summarization and
database sizes, the way OSPF areas do. You can artificially do this by using multiple
EIGRP processes, but why use a kludge to accomplish something OSPF does as an
integral part of the protocol? The above is not to say areas are always a good thing,
either.


An interesting phenomenon I’ve observed over the years is that while EIGRP networks
tend to get out of control because they remain a single, flat domain as the network
expands, many OSPF designers go to the other extreme and overuse areas. I’ve seen
networks of 50 or so OSPF routers, which would operate just fine as one big area,
needlessly divided into more than a dozen areas. Where EIGRP scaling problems
usually become evident is with stuck-in-active (SIA) conditions, in which responses to
queries are not heard within a certain time, causing neighbors to be incorrectly
flushed from the neighbor table, resulting in severe network destabilization. SIAs
should not happen even in very large networks, but once again because you don’t
have to think much about growing EIGRP topologies you can get yourself into a
situation where they do in fact occur. Cisco has added some optimizations in recent
years to help prevent SIAs, but they still happen. EIGRP does have summarization
capabilities, but again it doesn’t make you think too much about your topology,
which again can get you into trouble as the topology grows. But all this stuff about
being forced to think about your topology begs the question: If you choose OSPF at
the start because you are considering where your topology might be in five years,
then you are aware enough to build an EIGRP topology that would also scale.
And then there’s DUAL. The algorithm is lots of fun to study and to write about, but
it’s not so fun when you’re in the middle of a serious network outage. It just isn’t as
easy to understand as OSPF, and can lead to some lengthy head-scratching when
trying to figure out an intricate network behavior.
Last is, of course, the “proprietary protocol” thing. Yeah, yeah, you only have Cisco
in your network and always will have only Cisco in your network, so this isn’t an
issue. Cisco certainly wants you to see it that way. But are you sure? It makes no
sense to consciously lock yourself out of future options; if start-up Murilo Network
Systems comes out with a 5-pound, $100 terabit router, you might change your mind.
Far more important in the proprietary versus open protocol debate, however, is
reliability and security. It’s true that many vendors add their own proprietary tweaks
to their OSPF implementations, making them somewhat less open. But all in all
you’ve got the eyes of a host of vendors and the entire IETF community on OSPF, with
everyone understanding its inner workings and contributing to its improvement. With
EIGRP you’re dependent on a single vendor to get it right. Cisco has some of the
best protocol coders in the world, and I’d trust their work over many lesser vendors.
But given the choice, I’d rather not have to trust anyone more than necessary.”
http://www.networkworld.com/community/node/16276


VRRP support on Cisco


You might migrate HSRP on your Cisco switches to VRRP for all the reasons that you
might migrate other protocols to open standards. However, many Cisco switches do
not support HSRP. You can check whether your switch does, and if so, the necessary
IOS version with the Cisco Feature Navigation at
http://toos.cisco.com/ITDIT/CFN/.

Cisco VRRP configuration examples


Cisco provides several configuration examples for VRRP.
The following is a configuration example of Router A and Router B, each belonging
to three VRRP groups:
▪ Group 1:
  • Virtual IP address is 10.1.0.10.
  • Router A will become the master for this group with priority 120.
  • The advertising interval is 3 seconds.
  • Preemption is enabled.
▪ Group 5:
  • Router B will become master for this group with priority 200.
  • The advertising interval is 30 seconds.
  • Preemption is enabled.
▪ Group 100:
  • Both routers have the same priority, but Router A will become master for this
    group because it has a higher IP address (10.1.0.2).
  • The advertising interval is the default 1 second.
  • Preemption is disabled.

HSRP to VRRP migration


In order to migrate from HSRP to VRRP, endpoints that use the HSRP group as their
default router must learn the VRRP virtual MAC address for their default gateway
address. When a switch starts a virtual IP protocol on a VLAN interface, it sends a
gratuitous ARP to update the ARP cache of devices in the VLAN with the new virtual
MAC address. Therefore, if you enable VRRP on each HSRP VLAN using the same IP
address used by HSRP, the gratuitous ARP will update the ARP cache on all
endpoints so that they send their routed traffic to the VRRP MAC address.
However, endpoints (including Windows clients) often do not accept the gratuitous
ARP. In this case, you can either:
▪ Reset the Ethernet interface of the node (from the switch side, shut down
  interfaces)
▪ Wait for the ARP cache entry to age out (note, however, that on Windows devices
  the entry will never age out as long as it is active)
What strategy can you design to migrate from HSRP to VRRP? A typical one is as
follows:
1. On one VLAN, on the router that is HSRP Backup:
a. Remove HSRP.
b. Shut down the VLAN interface.
c. Enable VRRP.
2. On the router that is HSRP Master for the VLAN:
a. Shut down the VLAN interface.
b. Remove HSRP on that VLAN.
c. Configure VRRP on that VLAN with preemption and a higher priority.
d. Open the VLAN interface.
3. Proceed the same way for all VLANs.
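
To check which endpoints did not accept the gratuitous ARP, the following added example (not part of the original course material) reads ARP cache listings collected from endpoints and reports whether each one resolves the gateway address to the VRRP virtual MAC or still to the old HSRP one. The well-known virtual MAC formats (0000.0c07.acXX for HSRP version 1, 0000.0c9f.fXXX for HSRP version 2, 0000.5e00.01XX for VRRP) are not given on the page; the host names, HSRP group number and ARP listings are constructed assumptions.

```python
import re

MAC_RE = re.compile(
    r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated octets."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def hsrp_mac(group, version=1):
    """HSRP virtual MAC: 0000.0c07.acXX (version 1) or 0000.0c9f.fXXX (version 2)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP version 1 groups are 0-255")
        return normalize_mac(f"00000c07ac{group:02x}")
    if not 0 <= group <= 4095:
        raise ValueError("HSRP version 2 groups are 0-4095")
    return normalize_mac(f"00000c9ff{group:03x}")


def vrrp_mac(vrid):
    """VRRP virtual MAC for IPv4: 0000.5e00.01XX, where XX is the group (VRID)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRRP groups are 1-255")
    return normalize_mac(f"00005e0001{vrid:02x}")


def gateway_mac_from_arp(arp_output, gateway_ip):
    """Find the MAC cached for gateway_ip in `arp -a` or `ip neigh` style text."""
    for line in arp_output.splitlines():
        tokens = [t.strip("()") for t in line.split()]
        mac = MAC_RE.search(line)
        if gateway_ip in tokens and mac:
            return normalize_mac(mac.group(0))
    return None


def audit_gateway_arp(snapshots, gateway_ip, hsrp_group, vrid, hsrp_version=1):
    """Classify each endpoint by the MAC it has cached for the gateway address."""
    old, new = hsrp_mac(hsrp_group, hsrp_version), vrrp_mac(vrid)
    report = {}
    for host, arp_output in snapshots.items():
        mac = gateway_mac_from_arp(arp_output, gateway_ip)
        if mac is None:
            report[host] = "no-entry"
        elif mac == new:
            report[host] = "vrrp"
        elif mac == old:
            report[host] = "stale-hsrp"      # still sends routed traffic to HSRP MAC
        else:
            report[host] = f"unexpected:{mac}"
    return report


# Constructed ARP listings; 10.1.0.10 is the Group 1 virtual IP from the page.
SNAPSHOTS = {
    "pc-1": """
        Interface: 10.1.0.21 --- 0xb
          Internet Address      Physical Address      Type
          10.1.0.10             00-00-0c-07-ac-01     dynamic
          10.1.0.255            ff-ff-ff-ff-ff-ff     static
    """,
    "pc-2": "10.1.0.10 dev eth0 lladdr 00:00:5e:00:01:01 REACHABLE\n",
    "srv-1": "? (10.1.0.10) at 00:00:5e:00:01:01 [ether] on eth0\n",
    "pc-3": "10.1.0.22 dev eth0 lladdr 02:00:00:00:00:22 STALE\n",
    "pc-4": "10.1.0.10 dev eth0 lladdr 02:00:00:00:00:02 REACHABLE\n",
}

if __name__ == "__main__":
    result = audit_gateway_arp(SNAPSHOTS, "10.1.0.10", hsrp_group=1, vrid=1)
    for host, status in result.items():
        print(f"{host:6} {status}")
```

Hosts reported as `stale-hsrp` are the ones that need an interface reset or a cache time-out, as described above.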


EIGRP to OSPF pre-migration tasks


Migrating your routing protocol can pose some challenges and risks. However, if you
plan carefully, the migration should proceed smoothly. The sections below describe
the tasks that you should complete before the migration.

Collect information
You need a complete inventory of the existing network. Answer these questions:
▪ What are the IP subnets currently on the corporate network?
  • List of IP subnets/IP routes
  • Up-to-date map of the network, with locations and sites and their subnets
    marked on it
▪ What devices compose the network?
  • List of routers, routing switches, and firewalls that act as firewalls and as
    routers
  • List of IP interfaces, including WAN, LAN, and VLAN interfaces and the
    associated IP subnets
  • Are routers connected to endpoints, to servers, or to both?
  • Are routers an entry in the network from outside?
  • What is each router’s place within the hierarchy? The core, distribution
    layer, or edge?
You must also inventory current router configuration and performance, including this
information:
  • IOS version
  • CPU and memory in current network
  • Is CPU time average over 50%?
  • Is memory usage over 60%?
It is important that you verify this information, particularly on access routers, because
a router that is operating near its capacity might not be able to support two routing
protocols simultaneously.
You must also inventory the current configurations for routing protocols:
▪ Which routing protocols are currently in use in the network? (IGRP, EIGRP, RIP,
  OSPF, ISIS, BGP, static routes...)

Summary
In this module, you have learned about the advantages of using open standard
protocols to create a network that is interoperable with equipment from different
vendors. Networks built on open standards are typically more flexible and provide a
better long-term investment for customers.

You have been given the tools to migrate a Cisco network with proprietary protocols
such as CDP, PVST+ and EIGRP to an open standards network using LLDP, MSTP and
OSPF protocols. You also learned how to complete the migration while minimizing
downtime.

Lab activity 1: Migrating a Cisco Network to Open Standards

[Figure 1-16: Lab activity 1: Migrating a Cisco Network to Open Standards. Initial and final topologies for Group X, each with CCore_1, CCore_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 and PC_2. Initial: EIGRP, CDP, VTP, PVST+, HSRP. Final: OSPF, LLDP, Static VLAN, MSTP, HSRP.]

You will now practice implementing the migration strategies covered in this module.
Consult your Lab Activity Guide for instructions for performing this activity.

Lab debrief
Use the space below to record the key things you learned, and also the challenges
you faced in lab activity 1.

Table 1-1: Debrief for lab activity 1

Challenges          Key things learned

Learning check
Q1: Could removing CDP from a switch cause problems for network devices?
_____________________________________________________________________

Q2: What is a simple strategy for migrating an EIGRP network to OSPF?
_____________________________________________________________________

Q3: What does a switch send when a virtual IP protocol starts and takes the Master role on an interface or when the switch preempts the Master role? How does this message function in migrations?
_____________________________________________________________________

Q4: What considerations should you make as you migrate from PVST+ to MSTP?
_____________________________________________________________________

Migrating Edge Devices


Module 2

Objectives
After completing this module, you will be able to:
- Replace Cisco edge switches with HP switches
- Configure the connections between HP devices and Cisco distribution or core devices
- Configure edge features:
  • Harden switch access along with network access
  • Enable IP phones to connect
  • Prevent attacks or high CPU utilization

What is edge migration?


Figure 2 - 1: What is edge migration? (Diagram of a Cisco-based network with a distribution layer and an edge layer. Numbered callouts: 1. Add an HP edge switch; 2. Replace a Cisco edge switch; 3. Replace Cisco edge switches in the data center. Endpoints shown: Cisco IP phone, third-party IP phone, PC, printer, server, blade server chassis.)

The slide illustrates three examples of edge migrations:

- You can simply add an HP edge switch to the network: you are expanding a Cisco-based network with HP switches. In this case, the HP edge switch will need to interoperate with the Cisco distribution switches, as well as other Cisco edge switches.
- You can replace a Cisco edge switch with an HP switch: you might replace an older Cisco switch with a new HP switch that offers an attractive feature set and warranty. If you migrate the entire edge, the HP switches will need to interoperate with Cisco distribution switches. Otherwise, they will also need to interoperate with the remaining Cisco edge switches, as in the previous case.
- You can replace (or add to) Cisco edge switches in the data center with HP switches: HP offers several switches that are optimized specifically for the data center. Replacing Cisco switches in the data center is similar to replacing them at the user edge; however, a quick and seamless migration is even more crucial.

Connection needs at the edge


– Use the HP Product Selector to find:
• An L2 switch that provides 40 to 60 PoE and Gigabit ports
• An L3 switch with more than 150 Gigabit ports
• An L2 solution with 60 Gigabit ports; can scale to 120 in the future
• A redundant switch that can provide 40 10-Gigabit ports for a blade chassis or server connection and can also scale

Figure 2 - 2: Connection needs at the edge

The following are the initial criteria for selecting an HP edge switch:
- The number of ports needed
- The capacity of the switch to scale
- The port speed: 100 Mbps, 1 Gbps, 10 Gbps
A product selector is part of the HP Networking Online Configurator, and can be accessed at: http://h10144.www1.hp.com/configurator/configurator.htm.

Note
The tools require Internet Explorer.

There is also a product selector that is specific to the HP E-Series. That one can be accessed at http://h10144.www1.hp.com/products/tools/selectors/switches.asp.
HP offers many switch options:
- Switches with a fixed number of ports
- Modular switches
  • Mainly chassis switches
  • Provide a large range of ports and can scale
When choosing a switch, remember that HP A-Series switches offer Intelligent Resilient Framework (IRF), which allows you to create a stack of switches or cluster of chassis.


Protection needs at the edge


– How do you prevent:
• A hub or switch from connecting to an edge port?
• A rogue access point from connecting?
• A rogue DHCP server from connecting?
• Unauthorized devices or users from connecting to the LAN?
• MAC address spoofing?
• IP address changes?
• A node that watches traffic from being inserted into the VLAN?
• Nodes in the same VLAN from seeing each other?

Figure 2 - 3: Protection needs at the edge

How do you prevent…

A hub or switch from connecting to an edge port?
There are two different ways. The first is to count the number of MAC addresses on the port. This is done with the Port Security feature, which restricts the number of MAC addresses and either sends a trap or blocks the port if this number is exceeded.
The second way is to use Bridge Protocol Data Unit (BPDU) Guard or BPDU Protect, which can help if the rogue switch sends BPDUs.
A rogue access point from connecting?
The Port Security feature (which detects multiple MAC addresses on a port) is also useful for preventing rogue APs from connecting to edge devices. However, it is not a complete solution; if the AP is also a router, only one MAC address will be detected.
Access authentication is always a good preventive measure, but it requires a broader infrastructure and organization.
Another option is to use a wireless tool such as Wireless IPS to detect the rogue AP.
A rogue DHCP server from connecting?
The DHCP Snooping feature prevents an unauthorized server from becoming a network’s DHCP server, whether maliciously or by accident.
Unauthorized devices or users from connecting to the LAN?
Network authentication is, of course, the solution. It includes:
- 802.1X for all nodes that support it, such as PCs, Macs, printers, and IP phones
- MAC authentication for nodes that do not support 802.1X
- Web authentication for guests or users that require access but whose computers are not controlled by the network administrator

MAC address spoofing?


Usually MAC address changes are malicious and done for the purpose of an attack. Port Security can prevent them, but it takes a lot of resources to manage. Instead, you would use ARP Protection, which can detect MAC address changes in a frame.
IP address changes?
The feature to prevent IP address changes is called Dynamic IP Protection on HP E-Series switches and IP Source Guard on HP A-Series switches. It uses DHCP Snooping as a base for determining the right IP and MAC addresses. Then it makes sure the traffic from IP nodes uses the correct source IP and MAC addresses.
A node that watches traffic from being inserted into the VLAN?
This is typically achieved by a man-in-the-middle attack that starts with malicious ARPs. A node pretends to be the default gateway and answers ARP requests faster than the default gateway itself.
ARP Protection or Detection and DHCP Snooping work together to build a table of correct IP and MAC addresses that have been learned from DHCP requests. They make sure that the IP addresses the nodes use in their ARP responses are the same ones learned from DHCP, or that they have been manually bound by a network administrator.
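The following added example (not HP code and not part of the course material) models how the checks described above fit together: DHCP Snooping learns bindings from server replies on trusted ports, and ARP Protection and the source-address check validate edge-port traffic against them. The class and method names, port numbers, and addresses are constructed for illustration, and the per-port matching is a simplification of what a switch does.

```python
# Added example: simplified model of DHCP Snooping, ARP Protection and the
# source-address check. All names, ports and addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: int
    vlan: int


class EdgeSwitchModel:
    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.pending = {}    # client MAC -> (port, vlan) of an outstanding DHCP request
        self.bindings = {}   # (vlan, ip) -> Binding learned from DHCP or set manually
        self.alerts = []     # what the switch would log or send as traps

    def add_static_binding(self, ip, mac, port, vlan):
        """Manual binding for a host with a fixed address (nothing to learn from DHCP)."""
        self.bindings[(vlan, ip)] = Binding(ip, mac, port, vlan)

    def dhcp_from_client(self, port, vlan, client_mac):
        """DISCOVER/REQUEST seen on an edge port: remember where the client is attached."""
        self.pending[client_mac] = (port, vlan)

    def dhcp_from_server(self, port, msg_type, client_mac, ip):
        """OFFER/ACK is forwarded only if it arrives on a trusted port."""
        if port not in self.trusted_ports:
            self.alerts.append(f"dhcp-snooping: server {msg_type} on untrusted port {port} dropped")
            return False
        if msg_type == "ACK" and client_mac in self.pending:
            client_port, vlan = self.pending.pop(client_mac)
            self.bindings[(vlan, ip)] = Binding(ip, client_mac, client_port, vlan)
        return True

    def _matches_binding(self, port, vlan, ip, mac):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def arp(self, port, vlan, sender_ip, sender_mac):
        """ARP check: sender IP/MAC from an untrusted port must match a binding."""
        if port in self.trusted_ports or self._matches_binding(port, vlan, sender_ip, sender_mac):
            return True
        self.alerts.append(f"arp-protect: {sender_ip} is-at {sender_mac} on port {port} dropped")
        return False

    def ip_packet(self, port, vlan, src_ip, src_mac):
        """Source check on untrusted ports (Dynamic IP Protection / IP Source Guard)."""
        if port in self.trusted_ports or self._matches_binding(port, vlan, src_ip, src_mac):
            return True
        self.alerts.append(f"ip-source-check: {src_ip}/{src_mac} on port {port} dropped")
        return False


def run_scenario():
    """Constructed traffic on VLAN 10; uplinks 47-48 are trusted, edge ports are not."""
    sw = EdgeSwitchModel(trusted_ports=[47, 48])
    pc, other, printer = "02:00:00:00:00:0a", "02:00:00:00:00:0c", "02:00:00:00:00:0d"
    gw_ip, gw_mac = "10.0.10.1", "02:00:00:00:00:01"
    results = {}

    # A PC on port 3 and a second node on port 7 obtain leases through the uplink.
    sw.dhcp_from_client(3, 10, pc)
    results["pc_lease"] = sw.dhcp_from_server(47, "ACK", pc, "10.0.10.50")
    sw.dhcp_from_client(7, 10, other)
    sw.dhcp_from_server(47, "ACK", other, "10.0.10.66")
    # A printer with a fixed address is bound manually by the administrator.
    sw.add_static_binding("10.0.10.20", printer, 12, 10)

    # A DHCP server plugged into edge port 9 answers a request.
    results["rogue_dhcp_offer"] = sw.dhcp_from_server(9, "OFFER", pc, "192.168.1.20")
    # The real gateway's ARP reply arrives on the trusted uplink.
    results["gateway_arp"] = sw.arp(47, 10, gw_ip, gw_mac)
    # The node on port 7 claims the gateway address with its own MAC.
    results["spoofed_gateway_arp"] = sw.arp(7, 10, gw_ip, other)
    # Its ARP for its own leased address is valid.
    results["attacker_own_arp"] = sw.arp(7, 10, "10.0.10.66", other)
    # It then sources IP traffic from the PC's address.
    results["spoofed_source_ip"] = sw.ip_packet(7, 10, "10.0.10.50", other)
    # The PC's address seen on a port other than the one it was learned on.
    results["pc_on_wrong_port"] = sw.ip_packet(5, 10, "10.0.10.50", pc)
    results["pc_normal"] = sw.ip_packet(3, 10, "10.0.10.50", pc)
    results["static_printer_arp"] = sw.arp(12, 10, "10.0.10.20", printer)
    return results, sw.alerts


if __name__ == "__main__":
    outcome, alerts = run_scenario()
    for name, allowed in outcome.items():
        print(f"{name:22} {'forwarded' if allowed else 'dropped'}")
    print(*alerts, sep="\n")
```

The alert list is the part to watch in operation: each dropped frame corresponds to a log entry or trap that points to the offending edge port.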
Nodes in the same VLAN from seeing each other?
In many cases end nodes do not require direct communication. They communicate by means of a server. Organizations find that isolating them is an efficient way to protect privacy and prevent the spread of viruses and other types of attacks. The goal is usually to prevent switching between nodes in the same VLAN but to allow communication with the default gateway. It is a common feature required by Internet service providers (ISPs).
On HP E-Series switches this can be achieved in two ways:
- With Source Port Filtering, available on most L2 managed switches. It only allows edge ports to communicate with uplink ports.
- With Port or VLAN access control lists (ACLs), available on the ProVision-based switches, which control communication of IP switched traffic.
On HP A-Series switches this can be achieved with different features:
- The simplest feature to implement is called Isolated Ports, where isolated ports are the edge ports and only communicate with the defined uplink ports.
Also available:
- Private VLANs
- Port and VLAN ACLs
- Super VLANs, where multiple VLANs share a common gateway without being able to communicate.


More needs at the edge


– How do you:
• Select a switch to connect iSCSI devices?
• Select a switch to connect servers?
• Power and provision IP phones?
• Prevent latency for sensitive traffic such as VoIP and video?
• Guarantee bandwidth to critical applications?
• Control available bandwidth per port?

Figure 2 - 4: More needs at the edge

How do you…
Select a switch to connect iSCSI devices?
Internet Small Computer System Interface (iSCSI) traffic, which is used in data storage
environments, usually requires buffering and jumbo frames.
Select a switch to connect servers?
Server connections usually require the following:
- Redundant power supply for a 24/7 connection.
- Redundant connections: stacking, such as that provided with IRF.
Power and provision IP phones?
Power over Ethernet (PoE) ports can be found on many HP E-Series and A-Series switches. Link Layer Discovery Protocol – Media Endpoint Discovery (LLDP-MED) is the main way to provision IP phones. The HP A-Series also provides a voice VLAN with automatic configuration based on the OUI (Organizationally Unique Identifier, which is the first 24 bits) of the IP phone’s MAC address.
Prevent latency for sensitive traffic such as VoIP and video?
The most common way is to prioritize traffic based on the voice VLAN, a port, or even an ACL and a given UDP or TCP port. In addition, it can be done by simply trusting the priority (Class of Service [CoS] or Differentiated Services Code Point [DSCP]) of the traffic.
Guarantee bandwidth to critical applications?
Quality-of-service (QoS) classification based on TCP or UDP ports is available on L3 switches or L2 switches with L3 recognition capabilities in their ASIC.
Control available bandwidth per port?
The HP E-Series and HP A-Series offer features to rate limit traffic on a per-port basis.


Migration step 1: Uplink connections


Figure 2 - 5: Migration step 1: Uplink connections (Diagram of a Cisco-based network with distribution switches above an edge switch and a data center switch. Callout 1: Configure management: AAA, SSH, SNMP v2/v3, Syslog, NTP… Callout 2: Configure and connect uplinks: VLAN trunking, link aggregation, Spanning Tree, or Smart Link at the edge; VLAN trunking, link aggregation, Spanning Tree, or Monitor Link in the data center.)

The first step in an effective migration will be to connect the uplinks to the rest of the
network. This will usually have been preceded by device configuration.
You must configure your uplinks to carry your VLANs, and in a redundant network
you need a way to avoid loops. Although spanning tree is the most common way,
you need to take into consideration that Cisco networks may use the proprietary
protocols Per-VLAN Spanning Tree Plus (PVST+) or Rapid-PVST+. These can be
combined with Rapid Spanning Tree Protocol (RSTP) or Multiple Spanning Tree
Protocol (MSTP), as explained in the HP Networking Interoperability training and
reviewed in this training.
There are also other ways to avoid loops, using one of the following:
- Smart Link and Monitor Link
- Link Aggregation Control Protocol (LACP) for link aggregation to a Cisco Virtual Switching System (VSS) cluster, if one is in place at the distribution level
You will look at some of these solutions a bit later in this module.


Migration step 2: Edge connections


Figure 2 - 6: Migration step 2: Edge connections (Diagram of a Cisco-based network with distribution switches and an edge switch connecting a Cisco IP phone, a third-party IP phone, a PC, a printer, a server, and a blade server chassis. Slide questions: What edge features are implemented? What new features can be introduced? Callout 3 lists edge features. IP phones: PoE, QoS, LLDP-MED… Security and access control: 802.1X, MAC-Auth, Web-Auth, Port Security, ACLs. Prevention: DHCP snooping, ARP Protection, IP Source Guard, Loop Protect, BPDU Guard… Traffic: jumbo frames, sFlow, NetStream, QoS. Multicast.)

Once the uplinks of the edge switch are connected and they are carrying VLANs, end node devices can be transferred to the edge. Of course, pre-configuration will help with a quick transition.
You will need to:
- List the features used at the network edge.
- Propose, where appropriate, new features that will, for example, better prevent attacks in the LAN.

Replace a Cisco access switch with an HP edge switch

Drawing on what you have learned so far, start to consider strategies for adding an HP switch at the edge of a Cisco-based network. Then consider how to replace a Cisco access switch with an HP edge switch. You can save time by listing only the differences between the second strategy and the first.
Include as much information in your plan as you can, such as:
- Information that you need about the current solution
- Settings that you would configure on the new switch in advance
- Strategies for connecting the switch
- In the case of the second type of migration, strategies for migrating endpoint connections

Strategy for adding an HP edge switch
_____________________________________________________________________

Proposed migration strategy


This section provides a proposal for step-by-step migration strategies, which you can compare to yours. You can experiment with different strategies during the lab.
Document requirements
You must determine requirements for the edge switch. How will you manage it? What type of support do the endpoints (computers, servers, or IP phones) need?
Pre-configure the HP edge switch
- Management features
  • Secure Shell (SSH), Authentication, Authorization, and Accounting (AAA), SNMP, and so forth
- Uplink ports
  • VLAN trunking (or tagging)
  • A solution for controlling redundant connections: STP, Loop guard or Loop Protection, Smart Link, or Monitor Link
Note
The next section of this module will explain these options in more detail.
- Edge ports:
  • VLAN assignment
  • LLDP-MED and Voice VLAN for IP phones
  • 802.1X or MAC authentication
- Protection features
Note
The end of this module provides commands for configuring these features.
Add a new HP switch
- Connect the preconfigured HP switch to the distribution switches.
- Connect endpoints to the HP switch.
Replace a Cisco switch
- Disconnect one uplink on the Cisco access switch.
- Connect the freed uplink to the HP switch.
- Migrate the edge device’s connections.
- Disconnect the second uplink of the Cisco access switch.
- Connect the uplink to the HP switch.


Connecting edge switches to the network


This section will focus on spanning tree setup. You will learn how to deal with the potentially challenging situation in which HP switches require redundant connections to Cisco distribution layer switches that are implementing PVST+ or Rapid PVST+. This section provides you with several options for resolving the issue.


Connecting HP edge uplinks


How can you implement redundant connections on the HP edge switch in a Cisco PVST+ network?

Figure 2 - 7: Connecting HP edge uplinks (Diagram: Cisco distribution switches, acting as PVST+ or Rapid PVST+ root and secondary root, connect by VLAN trunking to the HP edge. Four options are numbered at the HP edge: 1. MSTP; 2. No STP; 3. Smart Link; 4. Monitor Link.)

In this scenario, assume that you will be integrating the HP edge switches into a Cisco network, which the customer does not want, at least in this first phase, to migrate to open standards. Of course, a migration to MSTP would make integration much simpler; and if you could complete it on all existing Cisco switches, that would be the obvious path.
But, even if the Cisco network must remain PVST+ or Rapid PVST+ based, you have several solutions available to you:
- Implement MSTP on the HP edge switches
- Disable spanning tree on the HP edge switches and rely on the distribution switches to block redundant links
- Configure Smart Link on HP A-Series edge switches
- Set up Monitor Link on two HP A-Series switches connected to NIC teaming servers
The following pages explain these solutions, but for complete explanations you should refer to the HP Networking Interoperability course.
VLAN configuration commands
Of course, you also need to set up the VLANs on the uplinks correctly. The sections below provide commands.


HP E-Series commands
If the uplink ports are 47 and 48, enter:
conf t
! VLAN 1 is untagged by default
! If you wish to set up another VLAN as untagged
vlan 99 untagged 47,48
! For tagged VLANs
vlan 10 tagged 47,48
vlan 11 tagged 47,48
vlan 20 tagged 47,48
vlan 21 tagged 47,48
HP A-Series commands
By default, no VLAN is authorized on a trunk port except the default VLAN (also called the PVID, 1 by default):
system-view
interface gigabitethernet 1/0/47
 port link-type trunk
 port trunk permit vlan 1,10,11,20,21
interface gigabitethernet 1/0/48
 port link-type trunk
 port trunk permit vlan 1,10,11,20,21


Choice A: Connect the HP edge with MSTP


– Which uplink is blocked on HP edge switches?
– Can you obtain load balancing between uplinks?

Figure 2 - 8: Choice A: Connect the HP edge with MSTP (Diagram: at the Cisco distribution layer, Cisco1 is the PVST+ root for VLANs 1, 10, 11 and Cisco2 is the PVST+ root for VLANs 20, 21. VLAN trunks connect them over uplinks U1 and U2 to the HP edge switches, an HP E-Series and an HP A-Series, each running MSTP with the default configuration.)

MSTP and PVST+/Rapid PVST+ can interoperate. Consider the topology for the network shown in the figure when the HP edge switches run MSTP and the Cisco distribution switches run PVST+.
Which uplink is blocked on HP edge switches?
An HP edge switch with MSTP enabled will interoperate with the standard BPDUs sent by the Cisco distribution switch in VLAN 1.
If Cisco1 is the PVST+ or Rapid PVST+ root in VLAN 1, then the root port on the HP edge will be on uplink 1 (leading to Cisco1). Then uplink U2 will be blocked.
Note that port blocking relies heavily on path cost. The table displays the default cost values for ports of various speeds on the different platforms.

Table 2-1: STP link cost based on speed
Port speed       Cisco PVST+ and Rapid PVST+   HP E-Series    HP A-Series
                 default cost                  default cost   default cost
10 Gigabit       2                             2 000          2
Gigabit          4                             20 000         20
Fast Ethernet    19                            200 000        200

Note that the HP E-Series default costs displayed in the third column (which apply to both MSTP and RSTP mode) are the 802.1t standard costs. You can configure Cisco switches and HP A-Series switches to use the same costs:
- On Cisco switches, enter spanning-tree pathcost method long from the global configuration context.
- On HP A-Series switches, enter stp pathcost-standard dot1t from the system view.

Is load balancing an option?


Load balancing considerations are explained in detail in Module 7 of the HP Networking Interoperability course. Although MSTP does support load balancing between instances, you do not obtain that effect in the topology shown above. When MSTP interoperates with PVST+, it functions like RSTP and blocks ports entirely, preventing any load balancing over the redundant links.
Load balancing is possible, however, if you have PVST+ or Rapid PVST+ block the redundant link. If uplink U2 on the HP edge switch is not blocked, the PVST+ or Rapid-PVST+ BPDUs in VLANs other than 1 will be transmitted from Cisco 1 to Cisco 2 or from Cisco 2 to Cisco 1. Then both Cisco distribution switches will act as if they were connected together. Cisco 2 will block the VLANs for which it is not root on one of its ports (which seems to PVST+ to be an alternate connection to Cisco 1), and Cisco 1 will do the same on its ports.
How do I get this result?
To ensure that the port is blocked on the distribution side instead of the HP edge side, you can increase the cost in VLAN 1 of the uplink between the two Cisco switches to 30000. Then the HP edge switch is closer to the root than Cisco 2 is, and uplink U2 becomes the designated port on that segment. Now, in the other VLANs, the HP edge switch transmits PVST+ BPDUs.
You should also decrease the cost on the uplink between the two Cisco switches on all VLANs except VLAN 1. In this way, you ensure that the distribution-to-distribution switch connection remains open rather than the connection to the edge switches.
Note
This configuration is rather complex and may be hard for a customer to maintain if the IT staff does not understand it well. In addition, changing the link cost between the two Cisco switches will cause the Cisco switches that remain at the edge to lose their blocked ports in VLAN 1. UplinkFast will not work for those switches in VLAN 1. If VLAN 1 is not used, this is a minor concern. If it is used for management purposes, it could be a bigger issue, although user traffic may not be impacted.
You could also attempt to achieve the same result by lowering the cost on an HP edge switch port (in the IST) rather than raising it on a Cisco switch port.


Scenario 2: With load balancing


In this example the uplink between the two Cisco switches is a link aggregation (port-channel).
Cisco1 PVST configuration
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1,12 priority 0
spanning-tree vlan 11,13 priority 4096
interface po 1
 spanning-tree vlan 1 cost 30000
 spanning-tree vlan 11-13 cost 10000

Cisco2 PVST configuration
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1,12 priority 4096
spanning-tree vlan 11,13 priority 0
interface po 1
 spanning-tree vlan 1 cost 30000
 spanning-tree vlan 11-13 cost 10000
HP edge switches configuration
Same as in scenario 1


Choice B: Connect the HP edge without MSTP


– What happens if STP is disabled?
– What are the risks here? How can you improve the configuration?

Figure 2 - 9: Choice B: Connect the HP edge without MSTP (Diagram: at the Cisco distribution layer, one switch is the PVST+ root for VLANs 1, 10, 11 and the other is the PVST+ root for VLANs 20, 21. VLAN trunks connect them to the HP edge switches, an HP E-Series and an HP A-Series, each with STP disabled.)

You will now consider another option: disabling spanning tree on the HP edge switch.
What happens if STP is disabled?
When spanning tree is disabled on an HP switch, it will forward standard BPDUs and PVST+ BPDUs. An HP switch will not be the destination for Cisco PVST BPDUs (with a Cisco multicast MAC address) and is no longer the destination for the multicast MAC address (01:80:c2:00:00:00) of the standard BPDUs. Therefore, it will forward all the BPDUs. As far as PVST+ is concerned, the two distribution layer switches are connected directly together by a simple link. From the PVST point of view, the HP switches are “transparent.”
Note that this solution requires STP to be fully disabled (which is the default on HP switches) rather than disabled only on specific ports. STP must not be enabled at all if the HP switch is to pass the BPDUs sent by one Cisco distribution switch to the other Cisco distribution switches.
What is the resulting topology?
If all links have the same cost, then the root path on all these ports will have an equal cost. The tie breaker to define the root port will then be the neighbor bridge ID. Here it is the same for all ports (the other distribution switch’s Bridge ID).
The neighbor port ID then becomes the tie breaker; the neighbor port with the lowest ID is preferred. Typically, the interface Gi0/1 has a lower port ID than Gi0/2 and also a lower one than Po1. So the root port might simply be a port leading to an edge switch, which will cause traffic between the two distribution switches to go through an HP edge switch.
This is not a desirable result. (You could cause an inadvertent denial of service [DoS] attack on your system.) You need to consider path costs carefully and adjust them to favor the link between the two Cisco switches. Note that, if the link between the two Cisco switches is a port channel of Gigabit ports, its STP cost will be automatically reduced to a lower value (3, or 10000 if the path cost method is set to long).
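The following added example (not from the course or from either vendor) applies the standard spanning tree priority-vector comparison to the two cases discussed in this section: the root port tie-break on Cisco 2 when the HP edge switches are transparent (Choice B), and the effect of the Po1 cost on which side blocks uplink U2 when the HP edge runs MSTP (Choice A, VLAN 1). Bridge IDs, MAC addresses, port numbers, and function names are constructed, all costs use the long (802.1t) method, and the MSTP/PVST+ interaction is reduced to a plain STP comparison.

```python
# Added example: STP priority-vector comparison for the Choice A and Choice B cases.
# Bridge IDs, MACs and port numbers are constructed; costs use the long method.
from typing import NamedTuple


class Bpdu(NamedTuple):
    root_id: tuple        # (priority, MAC) of the root bridge
    root_path_cost: int   # sender's cost to the root
    sender_id: tuple      # (priority, MAC) of the sending bridge
    sender_port: tuple    # (port priority, port number) of the sending port


CISCO1 = (1, "00:00:5e:00:53:01")      # priority 0 plus system-id extension for VLAN 1
CISCO2 = (4097, "00:00:5e:00:53:02")   # priority 4096 plus system-id extension
HP_EDGE = (32768, "00:00:5e:00:53:10")
GIGABIT_LONG = 20000                   # 802.1t cost of a Gigabit link (Table 2-1)


def root_port(received, port_cost, port_id):
    """Pick the port with the lowest vector: root ID, total cost, sender bridge ID,
    sender port ID, then local port ID."""
    def vector(name):
        b = received[name]
        return (b.root_id, b.root_path_cost + port_cost[name],
                b.sender_id, b.sender_port, port_id[name])
    return min(received, key=vector)


def designated_bridge(offers):
    """On a shared segment, the bridge offering the lowest BPDU becomes designated."""
    return min(offers, key=offers.get)


def choice_b_root_port_on_cisco2(po1_cost, edge_link_cost=GIGABIT_LONG):
    """HP edge switches forward BPDUs unchanged, so Cisco 2 hears Cisco 1 on every port."""
    ports = {"Gi0/1": (128, 1), "Gi0/2": (128, 2), "Po1": (128, 56)}
    received = {name: Bpdu(CISCO1, 0, CISCO1, pid) for name, pid in ports.items()}
    cost = {"Gi0/1": edge_link_cost, "Gi0/2": edge_link_cost, "Po1": po1_cost}
    return root_port(received, cost, ports)


def choice_a_blocked_side(po1_cost, uplink_cost=GIGABIT_LONG):
    """HP edge runs spanning tree; decide which end of uplink U2 is blocked in VLAN 1."""
    hp_ports = {"U1": (128, 47), "U2": (128, 48)}
    from_cisco1 = Bpdu(CISCO1, 0, CISCO1, (128, 1))
    from_cisco2 = Bpdu(CISCO1, po1_cost, CISCO2, (128, 1))
    hp_root = root_port({"U1": from_cisco1, "U2": from_cisco2},
                        {"U1": uplink_cost, "U2": uplink_cost}, hp_ports)
    from_hp = Bpdu(CISCO1, uplink_cost, HP_EDGE, hp_ports["U2"])
    c2_ports = {"Po1": (128, 56), "Gi0/1": (128, 1)}
    c2_root = root_port({"Po1": Bpdu(CISCO1, 0, CISCO1, (128, 56)), "Gi0/1": from_hp},
                        {"Po1": po1_cost, "Gi0/1": uplink_cost}, c2_ports)
    winner = designated_bridge({"HP edge": from_hp, "Cisco2": from_cisco2})
    blocked = "Cisco2 port to HP edge" if winner == "HP edge" else "HP edge U2"
    return {"hp_root_port": hp_root, "cisco2_root_port": c2_root, "blocked": blocked}


if __name__ == "__main__":
    print("Choice B, equal costs:", choice_b_root_port_on_cisco2(po1_cost=20000))
    print("Choice B, Po1 at 10000:", choice_b_root_port_on_cisco2(po1_cost=10000))
    print("Choice A, Po1 at 10000:", choice_a_blocked_side(po1_cost=10000))
    print("Choice A, Po1 at 30000:", choice_a_blocked_side(po1_cost=30000))
```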

What are the risks of this solution? How can you improve the configuration?
If STP is disabled on an edge switch, a loop can result if edge ports are connected together. This can be prevented with:
- Loop Protect on the HP E-Series
- Loopback Detection on the HP A-Series
Configurations
This section provides configurations for this solution.
Cisco 1 PVST+ configuration
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1,10,11 priority 0
spanning-tree vlan 20,21 priority 4096
interface po 1
 description link between distribution
 spanning-tree cost 10000
Cisco 2 PVST+ configuration
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1,10,11 priority 4096
spanning-tree vlan 20,21 priority 0
interface po 1
 description link between distribution
 spanning-tree cost 10000
HP E-Series edge configuration
no spanning-tree
One easy way to prevent loops at the edge is to disable the auto-crossing mode (automatic MDI/MDI-X detection), which is enabled by default. With it disabled, only a crossover cable can create a loop between two edge ports:
int 1-44 mdix-mode mdi

Configurations
The sections below provide two example configurations.
Simple Smart Link configuration

d.
In this simple configuration, the role of Smart Link ports is defined for all VLANs (all

ite
instances). Port gig 1/0/1 is the master/active, and gig 1/0/2 is the slave. If the

ib
oh
master fails, the slave will take over. If the master comes back up again, the master

pr
will preempt the active role.

is
Create a smart link group 1:

n
sio
[Switch C] smart-link group 1

is
m
# Configure all VLANs mapped to MSTIs 0 -15 as the protected VLANs

er
[SwitchC-smlk-group1] protected-vlan reference-instance 0 to 15

tp
ou
# Configure Gigabit 1/0/1 as the master port

ith
[SwitchC-smlk-group1] port gigabitethernet 1/0/1 master

w
# Configure Gigabit 1/0/2 as the slave port of smart link group 1

rt
pa
[SwitchC-smlk-group1] port gigabitethernet 1/0/2 slave

n
# Configure preemption
i
or
[SwitchC-smlk-group1] preemption mode role
l e

Configuring Smart Link with load balancing

In this configuration, you want to make the best use of both uplinks of the edge
switch, so you implement load balancing.

Create two instances:

[SwitchC] vlan 1 to 200
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 1 vlan 1 to 100
[SwitchC-mst-region] instance 2 vlan 101 to 200
[SwitchC-mst-region] active region-configuration

Configure the ports as trunks and disable STP:

[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp disable
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan all

Create smart link group 1:

[SwitchC] smart-link group 1
[SwitchC-smlk-group1] protected-vlan reference-instance 1
# Gigabit 1/0/1 is the master & Gigabit 1/0/2 is the slave
[SwitchC-smlk-group1] port gigabitethernet 1/0/1 master
[SwitchC-smlk-group1] port gigabitethernet 1/0/2 slave
# Enable role preemption in smart link group 1
[SwitchC-smlk-group1] preemption mode role

Create smart link group 2:

[SwitchC] smart-link group 2
[SwitchC-smlk-group2] protected-vlan reference-instance 2
# Gigabit 1/0/2 is the master & Gigabit 1/0/1 the slave
[SwitchC-smlk-group2] port gigabitethernet 1/0/1 slave
[SwitchC-smlk-group2] port gigabitethernet 1/0/2 master
# Enable role preemption in smart link group 2
[SwitchC-smlk-group2] preemption mode role

[SwitchC] display smart-link group all


Choice D: Connect the HP edge with Monitor Link


– What does Monitor Link provide?
– Can it be configured to support load balancing?

Figure 2-11: Choice D: Connect the HP edge with Monitor Link
(Diagram labels: Cisco distribution; PVST+ Root VLANs 1, 10, 11; PVST+ Root VLANs 20, 21;
VLAN Trunking; Monitor Link; HP A-Series HP edge; "Downlinks"; "NIC Teaming")
The final option approaches redundancy in a different way. Instead of creating
redundant links between the edge switches and distribution switches, create
redundant links between the endpoints and the edge switches. This option can be
suitable for switches that only connect to servers with two NICs that are capable of
NIC teaming.

Look at the architecture illustrated above: does it create a loop? The servers are
connected to the two HP A-Series switches, but the two switches are not connected
together, and each switch is connected with a single link to an upstream switch. The
setup does not create a loop because servers do not bridge the traffic. Therefore, you do
not need to worry about implementing spanning tree on the HP edge switches when you
use this option.

However, without special configuration, a server is protected in case one of its
connections fails but not if the uplink fails on the switch to which it is actively
connected. The issue arises because servers cannot sense the uplink failure, so they
continue to send traffic to the switch with the failed connection.

In order to protect the switch in this circumstance and to make the redundancy
provided by the servers’ dual connections closer in effect to redundant switch uplink
connections, you must implement Monitor Link, an HP A-Series feature. With Monitor
Link, the status of downlinks is tied to the status of uplinks. An uplink failure on the
edge switch triggers the switch to close the downlink port. The server implementing
NIC teaming then detects the failure and fails over to its other connection. Failover
occurs in milliseconds.

Thus the servers continue to have connectivity even if a switch’s uplink fails. However,
the solution is not precisely equivalent to true redundant uplinks on the edge
switches. For one thing, if an uplink fails on a switch with a redundant uplink, the
switch can continue to handle traffic. But when the single uplink fails on a switch
using Monitor Link, the switch becomes useless and the other server edge switch has
to carry the full load. Another drawback is that load balancing depends entirely on
the capabilities of the servers. Therefore, you might not always want to use Monitor
Link as a replacement for redundant uplinks between the edge and distribution layer.

When would this architecture be useful?

The advantage of such a configuration is that it enables you to connect servers
redundantly to an existing network without requiring you to enable spanning tree.
When you do not want to interact with a customer’s configuration, this design can
work very well.

Connecting HP edge switches in a Cisco-based network is a typical case where this
architecture will fit perfectly.

Monitor Link configuration

Create monitor link group 1:

[SwitchC] monitor-link group 1

Configure Gigabit 1/0/1 as an uplink port and Gigabit 1/0/2 - 3 as downlink ports:

[SwitchC-mtlk-group1] port gigabitethernet1/0/1 uplink
[SwitchC-mtlk-group1] port gigabitethernet1/0/2 downlink
[SwitchC-mtlk-group1] port gigabitethernet1/0/3 downlink


Configuring device management


In this section, you will review AAA configurations on HP A-Series and HP E-Series
switches.


Device management
– Goals:
• Make devices manageable
• Secure access to device to create a secure infrastructure

Figure 2-12: Device management

The following scenario focuses on securing the configuration of a device.


Management configuration
1 Encrypting passwords
2 Time protocol client
3 Syslog services
4 SSH v2.0
5 SNMP v3
6 AAA secured access with RADIUS / TACACS

Figure 2-13: Management configuration

The first five configuration tasks displayed in the figure were covered in the HP
Networking Interoperability course, and this course will not focus on them. For your
reference, the sections below provide configuration commands for these tasks.

Cisco secure management configuration

The Cisco commands are provided so that you can easily match configurations on
your existing Cisco switches to the necessary commands for your new HP switches.

Encrypt passwords:

service password-encryption

Set time with NTP, time zone, and summertime

ntp server 10.1.1.100
clock timezone gmt1 1
clock summer-time GMT1 recurring last Sun Mar 1:00 last Sun Oct 1:00 60

Set syslog server and info log level

logging host 10.1.1.100
logging alarm notifications
service timestamps log datetime localtime

Generate a key pair, enable SSH server, and disable Telnet access

crypto key generate rsa usage-keys modulus 1024
ip ssh version 2
line vty 0 4
transport input ssh
exit

Set authentication mode to AAA – Default authentication: Local user

line vty 0 4
login local

Generate key pair and enable SSH server

public-key local create rsa
ssh server enable
undo telnet server enable

Set authentication mode to AAA – Default auth.: local user

user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh
user privilege level 3
quit

Define local user and privilege level and associated services

local-user admin123
password cipher verysecret
service-type ssh
authorization-attribute level 3
quit

Set SNMP trap and trap receiver

snmp-agent trap source loopback 0
snmp-agent trap enable
snmp-agent target-host trap address udp-domain 10.1.1.100 udp-port 5000 params securityname public v3

Disable trap for link up/down

interface gigabitethernet 1/0/10
undo enable snmp trap updown

Disable SNMP trap on link up/down globally

undo snmp-agent trap enable standard linkup-linkdown

Extend the standard linkup/linkdown traps defined in RFC

snmp-agent trap if-mib link extended

Enable SNMPv3 (continue)

snmp-agent
snmp-agent sys-info version v3

Create a SNMPv3 group

snmp-agent group v3 admin3group

Create a SNMPv3 user

snmp-agent usm-user v3 clara3 admin3group authentication-mode sha authkey privacy-mode aes128 prikey


Set SNMP contact and location information


snmp-agent sys-info contact Mr. Smith :+1 510 234 4849
snmp-agent sys-info location phone-closet,3rd-floor,bldg A

HP E-Series secure management configuration

The sections below provide the commands for completing the same tasks on HP E-Series
devices.

Encrypt passwords

conf t
include-credentials

Set time with SNTP, timezone, and summertime

timesync sntp
sntp unicast
sntp server 10.1.1.100
time timezone 60 daylight-savings western-europe

Set the syslog server and log level

logging server 10.1.1.100
logging severity informational

Generate key pair and enable SSH server (default)

crypto key generate ssh rsa
ip ssh (default)
no telnet

Set local users (only manager and operator level)

password manager user-name admin123 plaintext verysecret

SNMP trap and trap receiver

snmp-server host 10.1.1.100 public all
snmp-server trap-source vlan 1

Disable trap on link up/down on ports 1 to 46

no snmp-server enable traps link-change 1-46

Disable SNMP trap on all links up/down globally

no snmp-server enable traps link-change all

Remove SNMPv2 community RW public that is default

no snmp-server community public

Enable SNMPv3 – Restrict V2 access to read-only

snmpv3 enable
snmpv3 restricted-access


Create a SNMPv3 user and associate with predefined group managerpriv


snmpv3 user clara3 auth sha secret priv aes supersecret
snmpv3 group managerpriv user clara3 sec-model ver3

Set SNMP contact and location information

snmp-server contact "Lucas Kett :3306"
snmp-server location "telephone-closet,3rd-floor"
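
One way to check a drafted E-Series command script against the management tasks above before it is applied to a switch; this is an added example, not HP tooling or part of the course material. It assumes the script uses the command forms shown in this guide, that Telnet, SSH and the "public" community start enabled as the guide states, and that `telnet-server` and `no ip ssh` are the re-enable and disable forms; the function names, finding labels and both sample scripts are constructed for illustration.

```python
import ipaddress
import re

# Strips a pasted CLI prompt such as "Switch(config)# " or "Switch(config)#".
PROMPT = re.compile(r"^\S+\(config\)#\s*")


def commands(script):
    """Return lower-cased commands without prompts, comments or blank lines."""
    out = []
    for line in script.splitlines():
        line = PROMPT.sub("", line.strip())
        if line and not line.startswith(("#", ";")):
            out.append(re.sub(r"\s+", " ", line.lower()))
    return out


def final_state(cmds, enable_re, disable_re, default):
    """Replay the script in order: the last matching command decides the state."""
    state = default
    for cmd in cmds:
        if re.fullmatch(disable_re, cmd):
            state = False
        elif re.fullmatch(enable_re, cmd):
            state = True
    return state


def has_server(cmds, prefix):
    """True if a '<prefix> <address>' line carries a well-formed IPv4 address."""
    for cmd in cmds:
        if cmd.startswith(prefix + " "):
            addr = cmd[len(prefix) + 1:].split(" ")[0]
            try:
                ipaddress.IPv4Address(addr)
                return True
            except ValueError:
                continue  # malformed address: keep looking for a valid line
    return False


def audit(script):
    """Return the list of management-hardening gaps found in the script."""
    cmds = commands(script)
    findings = []
    # Assumed defaults (from the guide): Telnet on, SSH on, community "public" present.
    if final_state(cmds, r"telnet(-server)?", r"no telnet(-server)?", True):
        findings.append("telnet-enabled")
    if not final_state(cmds, r"ip ssh", r"no ip ssh", True):
        findings.append("ssh-disabled")
    if final_state(cmds, r"snmp-server community public( .*)?",
                   r"no snmp-server community public", True):
        findings.append("snmp-community-public")
    if "snmpv3 enable" not in cmds:
        findings.append("snmpv3-off")
    if not ("timesync sntp" in cmds and has_server(cmds, "sntp server")):
        findings.append("no-time-source")
    if not has_server(cmds, "logging server"):
        findings.append("no-syslog-server")
    # Remote AAA first, local accounts as fallback, as in the guide's examples.
    aaa = r"aaa authentication ssh login (radius|tacacs) local"
    if not any(re.fullmatch(aaa, c) for c in cmds):
        findings.append("no-aaa-ssh-login")
    return findings


# Constructed sample: the guide's E-Series commands, pasted with prompts.
HARDENED_SCRIPT = """
Switch(config)# timesync sntp
Switch(config)# sntp unicast
Switch(config)# sntp server 10.1.1.100
Switch(config)# logging server 10.1.1.100
Switch(config)#ip ssh
Switch(config)# no telnet
Switch(config)# no snmp-server community public
Switch(config)# snmpv3 enable
Switch(config)# snmpv3 restricted-access
Switch(config)# aaa authentication ssh login radius local
Switch(config)# aaa authentication ssh enable radius local
"""

# Constructed sample: a draft with typical migration slips.
WEAK_SCRIPT = """
# draft for edge switch (constructed)
sntp server 10.1.1.100
logging server 10.1.1
no telnet
telnet-server
no snmp-server community public
snmp-server community public unrestricted
snmpv3 enable
aaa authentication ssh login local
"""

if __name__ == "__main__":
    print("hardened:", audit(HARDENED_SCRIPT))
    print("weak:    ", audit(WEAK_SCRIPT))
```

Because commands are replayed in order, a later line that re-enables Telnet or re-creates the "public" community is reported even when the script also contains the command that removed it.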


AAA secured access with RADIUS and TACACS+


– Configure:
• SSH
• RADIUS or TACACS+ server(s)
• Authentication method for login access
• Authorization and accounting for login

Figure 2-14: AAA secured access with RADIUS and TACACS+

A customer might have a security policy that requires AAA to secure management
access. You must configure the new HP edge switches to meet this requirement. The
next pages provide HP configurations for several different AAA solutions:

• Controlling SSH access with AAA to a RADIUS server
• Controlling SSH access with AAA to a TACACS+ server

For your reference, the sections below provide the Cisco IOS configurations for these
solutions. Then you can compare the HP configurations to the Cisco configurations.

Cisco configuration: Control SSH access with AAA to a RADIUS server

Set the AAA policy for management logins

aaa new-model
aaa authentication login default group loginrad local
aaa authentication login method2 none
enable password enable7500pw

Configure the RADIUS servers

aaa group server radius loginrad
server 172.16.2.3
server 172.16.2.17
server 172.16.2.32

Create local users

username admin1 password mariespw
username admin2 password jmmspw

Configure the management interface settings

line con 0
exec-timeout 0 0

On the console there is no authentication.

login authentication method2
transport input none

line aux 0
transport input all

On SSH or Telnet access, the default method applies.

line vty 0 4
end

Cisco configuration: Control SSH access with AAA to a TACACS+ server

Set the AAA policy for management logins

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login method1 none
enable password enable7200pw

Create local users

username admin1 password mariespw
username admin2 password jmmspw

Configure SSH

ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2

Configure TACACS+ and RADIUS servers

tacacs-server host 192.168.109.216 port 9000
tacacs-server key cisco
radius-server host 192.168.109.216 auth-port 1650 acct-port 1651
radius-server key cisco

Configure the management interfaces

line con 0
exec-timeout 0 0
login authentication method1
transport input none
line aux 0
line vty 0 4
password enable7200pw


AAA for SSH with RADIUS on HP A-Series


1 # Enable SSH
[Switch] ssh server enable
2 # Configure AAA for SSH users and the user interfaces to support SSH only.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
3 # Create RADIUS scheme “rad”.
[Switch] radius scheme rad
# Specify the primary authentication & accounting server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
[Switch-radius-rad] primary accounting 10.1.1.1 1813
# Set the shared key for authentication & accounting packets to “expert”.
[Switch-radius-rad] key authentication expert
[Switch-radius-rad] key accounting expert
# A username sent to the RADIUS server does not carry the domain name.
[Switch-radius-rad] user-name-format without-domain

Figure 2-15: AAA for SSH with RADIUS on HP A-Series

This slide displays the commands for configuring an A-Series switch to support SSH
and to control SSH access using AAA to a RADIUS server. In this example, the IP
address of the RADIUS server is 10.1.1.1/24. You set both the shared keys for
authentication and accounting packets exchanged with the RADIUS server to
“expert,” and specify that a username sent to the RADIUS server carries the domain
name. The RADIUS server provides different user services according to the domain
names.

HP A-Series switch configuration

Generate RSA and DSA key pairs and enable the SSH server

[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable

Configure the switch to use AAA for SSH users

[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme

Configure the user interfaces to support SSH:

[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit

Configure other settings on the user interface

[Switch] user-interface vty 0 4

Idle timeout (default to 10 Min, 0 = infinite):

[Switch-ui-vty0-4] idle-timeout 20


Number of lines on the screen (24 per default):

[Switch-ui-vty0-4] screen-length 0

Number of recorded commands in session history (10 by default):

[Switch-ui-vty0-4] history-command 20

Restrict access to some IP source addresses via ACL:

[Switch-ui-vty0-4] acl 2001 inbound

Restrict access to Telnet or SSH. (Default: both are enabled. Note: Telnet and the
SSH server are not enabled by default):

[Switch-ui-vty0-4] protocol inbound ssh | telnet | all

Authentication mode: none, password, or scheme (default). Scheme defaults to local
username:

[Switch-ui-vty0-4] authentication-mode none | password | scheme

Create a RADIUS scheme

[Switch] radius scheme rad

Specify the primary authentication server:

[Switch-radius-rad] primary authentication 10.1.1.1 1812

Specify the primary accounting server:

[Switch-radius-rad] primary accounting 10.1.1.1 1813

Set the shared key for authentication packets to expert:

[Switch-radius-rad] key authentication expert

Set the shared key for accounting packets to expert:

[Switch-radius-rad] key accounting expert

Specify that a username sent to the RADIUS server carries the domain name:

[Switch-radius-rad] user-name-format with-domain


AAA for SSH with RADIUS on HP A-Series (cont.)

4 # Configure the AAA methods for the domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad local
[Switch-isp-bbb] authorization login radius-scheme rad local
[Switch-isp-bbb] accounting login radius-scheme rad local
[Switch-isp-bbb] quit
# When using SSH to log in, a user enters a username in the form userid@bbb for
authentication using the domain bbb.
# Activate the RADIUS domain bbb as the default. Users who log in without a domain
are assigned to the default domain. Note: the default domain is “system”.
[Switch] domain default enable bbb
# Add a local user named admin
[Switch] local-user admin
[Switch-luser-admin] password cipher C0mplEx2fInD
[Switch-luser-admin] service-type ssh
[Switch-luser-admin] authorization-attribute level 3

Figure 2-16: AAA for SSH with RADIUS on HP A-Series (cont.)

Configure the AAA methods for the domain

[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad local
[Switch-isp-bbb] authorization login radius-scheme rad local
[Switch-isp-bbb] accounting login radius-scheme rad local
[Switch-isp-bbb] quit

When using SSH to log in, a user enters a username in the form userid@bbb for
authentication using domain bbb. Domains have been created mainly for ISPs,
where users that access a network may be set in various directories and associated
with different domain names.

Set the RADIUS domain bbb as the default. Users who log in without a domain are
assigned to the default domain. Note that the default domain is “system”:

[Switch] domain default enable bbb

In a case where there is only one domain for users, you could directly use the
domain system, because “system” is the default domain and specifies what the AAA
methods are for users that do not enter a domain name.

Add a local user named admin:

[Switch] local-user admin
[Switch-luser-admin] password cipher C0mplEx2fInD
[Switch-luser-admin] service-type ssh
[Switch-luser-admin] authorization-attribute level 3


Configure the RADIUS server (HP Intelligent Management Center [IMC])


You might suggest IMC as a management solution for the network because it
supports Cisco and HP devices. In this case, IMC can function as the RADIUS server.
For your reference, this section provides instructions for configuring IMC to support
the solution. You can use this same configuration if you are using IMC with HP E-Series
devices.

Add an access device

Log into the IMC management platform, select the Service tab, and select Access
Service > Access Device from the navigation tree to enter the Access Device page.
Then, click Add to enter the Add Access Device window and perform the following
configurations:

• Set both the shared keys for authentication and accounting packets to “expert”.
• Specify the ports for authentication and accounting as 1812 and 1813
  respectively.
• Select Device Management Service as the service type.
• Select H3C as the access device type.
• Select the access device from the device list or manually add the device with
  the IP address of 10.1.1.2
• Click OK to finish the operation

Add a user for device management

Log into the IMC management platform, select the User tab, and select Access User
View > Device Mgmt User from the navigation tree to enter the Device Management
User page. Then, click Add to enter the Add Device Management User window and
perform the following configurations:

• Add a user named “hello@bbb” and specify the password.
• Select SSH as the service type.
• Specify the IP address range of the hosts to be managed as 192.168.1.0 to
  192.168.1.255, and click Add to finish the operation.


AAA for SSH with HWTACACS on HP A-Series


1 # Enable SSH
[Switch] ssh server enable
2 # Configure AAA for SSH users
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable command authorization to restrict the command level for login users
[Switch-ui-vty0-4] command authorization
# Enable command accounting
[Switch-ui-vty0-4] command accounting

Figure 2-17: AAA for SSH with HWTACACS on HP A-Series

The sections below provide configurations for controlling SSH access to an HP A-Series
switch using AAA with HWTACACS. Some of the configuration is similar to
the RADIUS solution. However, you need to enable command authorization and
accounting on the user interface, and you must create an HWTACACS authentication
scheme.

Note
HWTACACS is compatible with TACACS+ and can be used with Cisco devices.

HP A-Series switch configuration

Enable SSH

[Switch] ssh server enable

Configure AAA for SSH users and the user interfaces to support SSH only

[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme

Enable command authorization to restrict the command level for login users

[Switch-ui-vty0-4] command authorization

Enable command accounting

[Switch-ui-vty0-4] command accounting


AAA for SSH with HWTACACS on HP A-Series (cont.)

3 # Create HWTACACS scheme “tac”.
[Switch] hwtacacs scheme tac
# Specify the primary authentication, accounting & authorization server.
[Switch-hwtacacs-tac] primary authentication 10.1.1.1 49
[Switch-hwtacacs-tac] primary accounting 10.1.1.1 49
[Switch-hwtacacs-tac] primary authorization 10.1.1.1 49
# Set the shared key to “expert”.
[Switch-hwtacacs-tac] key authentication expert
[Switch-hwtacacs-tac] key authorization expert
[Switch-hwtacacs-tac] key accounting expert
# A username sent to the HWTACACS server does not carry the domain name.
[Switch-hwtacacs-tac] user-name-format without-domain
[Switch-hwtacacs-tac] server-type standard

Figure 2-18: AAA for SSH with HWTACACS on HP A-Series (cont.)

Note
HWTACACS is compatible with TACACS+ and can be used with Cisco devices.

Create HWTACACS scheme “tac”

[Switch] hwtacacs scheme tac

Specify the primary authentication, accounting, and authorization server

[Switch-hwtacacs-tac] primary authentication 10.1.1.1 49
[Switch-hwtacacs-tac] primary accounting 10.1.1.1 49
[Switch-hwtacacs-tac] primary authorization 10.1.1.1 49

Set the shared key to “expert”

[Switch-hwtacacs-tac] key authentication expert
[Switch-hwtacacs-tac] key authorization expert
[Switch-hwtacacs-tac] key accounting expert

Strip the domain name from the username sent to the HWTACACS server

[Switch-hwtacacs-tac] user-name-format without-domain
[Switch-hwtacacs-tac] server-type standard


AAA for SSH with HWTACACS on HP A-Series (cont.)

4 # Configure the AAA methods for the domain.
[Switch] domain system
[Switch-isp-system] authentication login hwtacacs-scheme tac local
[Switch-isp-system] authorization command hwtacacs-scheme tac local
[Switch-isp-system] accounting command hwtacacs-scheme tac
# Add a local user named admin
[Switch] local-user admin
[Switch-luser-admin] password cipher C0mplEx2fInD
[Switch-luser-admin] service-type ssh
[Switch-luser-admin] authorization-attribute level 3

Figure 2-19: AAA for SSH with HWTACACS on HP A-Series (cont.)

Configure the AAA methods for the domain

[Switch] domain system
[Switch-isp-system] authentication login hwtacacs-scheme tac local
[Switch-isp-system] authorization command hwtacacs-scheme tac local
[Switch-isp-system] accounting login hwtacacs-scheme tac local
[Switch-isp-system] quit

Add a local user

[Switch] local-user admin
[Switch-luser-admin] password cipher C0mplEx2fInD
[Switch-luser-admin] service-type ssh
[Switch-luser-admin] authorization-attribute level 3


AAA for SSH with RADIUS on HP E-Series


1 # Telnet and SSH V2 are enabled by default
Switch(config)# ip ssh
Switch(config)# no telnet
2 # Configure AAA for SSH users for login and enable access levels
Switch(config)# aaa authentication ssh login radius local
Switch(config)# aaa authentication ssh enable radius local
# Configure login accounting on the switch and reboot
Switch(config)# aaa accounting exec Start-stop
Switch(config)# aaa accounting system Start-stop
# Configure authorization and command accounting. Requires Vendor-Specific
Attributes RADIUS
Switch(config)# aaa authorization commands radius
Switch(config)# aaa accounting commands Start-stop
# Create RADIUS servers
Switch(config)# radius-server host 10.1.1.1 key expert
3 # Create username
Switch(config)# password VeRyc0omplex admin user-name admin

Figure 2-20: AAA for SSH with RADIUS on HP E-Series

HP E-Series switches can work also within the customer’s existing management and
AAA solutions. The sections below provide commands for controlling SSH access to
an E-Series switch using AAA with a RADIUS server. You need to set up SSH,
configure the AAA methods for different types of authentication, set up accounting,
and configure your RADIUS settings.

HP E-Series switch configuration

Disable Telnet (Telnet and SSHv2 are enabled by default)

Switch(config)# ip ssh
Switch(config)# no telnet

Configure AAA for SSH users for login and enable access levels

Switch(config)# aaa authentication ssh login radius local
Switch(config)# aaa authentication ssh enable radius local

Configure login accounting on the switch and reboot

Switch(config)# aaa accounting exec Start-stop
Switch(config)# aaa accounting system Start-stop

Configure authorization and command accounting. (Requires Vendor-Specific
Attributes RADIUS)

Switch(config)# aaa authorization commands radius
Switch(config)# aaa accounting commands Start-stop

Create RADIUS servers

Switch(config)# radius-server host 10.1.1.1 key expert


Create username

Switch(config)# password VeRyc0omplex admin user-name admin

The following option permits a single login:

Switch(config)# aaa authentication login privilege-mode

When you set up AAA management authentication, the switch can read the service-type
field in the RADIUS response to a user’s request for management access. The
following table describes the applicable service-type values and corresponding
client access levels the switch allows upon authentication by the server:

Table 2-1: Service-type values

Service type      Value         Client access level
Administrative    6             Manager user
NAS-Prompt        7             Operator user
Any other type    Other value   Access denied

This feature applies to console (serial port), Telnet, SSH, and Web browser interface
access to the switch. It does not apply to 802.1X port access.

Configuring Commands Authorization on a RADIUS Server: Using Vendor-Specific
Attributes (VSAs)

Some RADIUS-based features implemented on HP switches use HP VSAs for
exchanging information with the RADIUS server. RADIUS Access-Accept packets
sent to the switch may contain the vendor-specific information. The attributes
supported with commands authorization are:

• HP-Command-String: This is a list of commands (regular expressions) that are
  permitted (or denied) execution by the user. The commands are delimited by
  semi-colons and must be between 1 and 249 characters in length. Multiple
  instances of this attribute may be present in Access-Accept packets. (A single
  instance may be present in Accounting-Request packets.)
• HP-Command-Exception: This is a flag that specifies whether the commands
  indicated by the HP-Command-String attribute are permitted or denied to the
  user. A zero (0) means permit all listed commands and deny all others; a one
  (1) means deny all listed commands and permit all others.

For the results of using the HP-Command-String and HP-Command-Exception
attributes in various combinations, see “Sample Configuration on Cisco Secure ACS
for MS Windows” of the Advanced Security Guide for your HP switch.
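
The permit/deny rule that HP-Command-String and HP-Command-Exception describe, modelled in Python as an added example (not HP's implementation and not code from this guide). It assumes each semicolon-delimited entry is a regular expression that must match the whole command line; the function names and the sample attribute values are constructed.

```python
import re

MAX_ATTR_LEN = 249  # length limit for one HP-Command-String value, from the text


def parse_command_strings(instances):
    """Compile every entry of every HP-Command-String instance.

    An Access-Accept may carry several instances; each one holds regular
    expressions separated by semicolons.
    """
    patterns = []
    for value in instances:
        if not 1 <= len(value) <= MAX_ATTR_LEN:
            raise ValueError(
                f"HP-Command-String must be 1..{MAX_ATTR_LEN} characters, "
                f"got {len(value)}")
        for entry in value.split(";"):
            entry = entry.strip()
            if entry:
                patterns.append(re.compile(entry))
    return patterns


def is_permitted(command, instances, exception_flag):
    """Apply the rule: 0 = permit listed, deny others; 1 = deny listed, permit others."""
    if exception_flag not in (0, 1):
        raise ValueError("HP-Command-Exception must be 0 or 1")
    # Assumption: an entry counts as a match only if it covers the whole command.
    cmd = " ".join(command.split())
    listed = any(p.fullmatch(cmd) for p in parse_command_strings(instances))
    return listed if exception_flag == 0 else not listed


def decide_all(commands, instances, exception_flag):
    """Evaluate a batch of commands, e.g. to review a profile before deploying it."""
    return {c: is_permitted(c, instances, exception_flag) for c in commands}


# Constructed sample values for two RADIUS user profiles.
OPERATOR_ALLOW = ["show .*;ping .*", "exit;logout"]   # used with flag 0
ADMIN_DENY = ["reload.*;erase .*"]                    # used with flag 1

if __name__ == "__main__":
    tried = ["show running-config", "show", "ping 10.1.1.1", "reload", "configure"]
    print("allow-list profile:", decide_all(tried, OPERATOR_ALLOW, 0))
    print("deny-list profile: ", decide_all(tried, ADMIN_DENY, 1))
```

With flag 0 an empty or mistyped list denies everything, while with flag 1 it permits everything, so a deny-list profile fails open if its expressions do not match what users actually type.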


&L
C
P
H

Rev. 11.21 2 –45


BitSpyder - The Culture of Knowledge

Migrating to an Open Standards Network
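The permit/deny logic of HP-Command-String and HP-Command-Exception, worked through in Python as an added example (not HP code and not part of the course material). It assumes that a pattern must match the whole command line; the switch's actual matching rules are in the Advanced Security Guide. The attribute values and typed commands are constructed samples.

```python
import re

MAX_LEN = 249  # the text allows 1 to 249 characters per HP-Command-String


def parse_command_strings(instances):
    """Flatten one or more HP-Command-String values into compiled regexes."""
    patterns = []
    for value in instances:
        if not 1 <= len(value) <= MAX_LEN:
            raise ValueError(
                f"HP-Command-String length {len(value)} is outside 1..{MAX_LEN}")
        # Commands inside one attribute instance are delimited by semicolons.
        for item in value.split(";"):
            item = item.strip()
            if item:
                patterns.append(re.compile(item))
    return patterns


def is_permitted(command, instances, exception_flag):
    """Apply HP-Command-Exception: 0 = permit listed only, 1 = deny listed only."""
    if exception_flag not in (0, 1):
        raise ValueError("HP-Command-Exception must be 0 or 1")
    # Assumption: a pattern has to match the entire command line.
    listed = any(p.fullmatch(command)
                 for p in parse_command_strings(instances))
    return listed if exception_flag == 0 else not listed


def decisions(commands, instances, exception_flag):
    """Map each typed command to True (permitted) or False (denied)."""
    return {c: is_permitted(c, instances, exception_flag) for c in commands}


# Constructed sample data: two attribute instances for the permit list,
# one instance for the deny list, and four commands a user might type.
PERMIT_LIST = ["show .*;ping .*", "display .*"]
DENY_LIST = ["configure.*;reload"]
TYPED = ["show running-config", "ping 10.1.1.2",
         "configure terminal", "erase startup-config"]

if __name__ == "__main__":
    for label, instances, flag in (("HP-Command-Exception = 0", PERMIT_LIST, 0),
                                   ("HP-Command-Exception = 1", DENY_LIST, 1)):
        print(label)
        for cmd, ok in decisions(TYPED, instances, flag).items():
            print(f"  {'permit' if ok else 'deny  '}  {cmd}")
```

With the flag set to 1, a command the list does not anticipate (here `erase startup-config`) is permitted, whereas a permit list (flag 0) denies anything it does not name.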

AAA for SSH with TACACS+ on HP E-Series

1  # Telnet and SSH V2 are enabled by default
   Switch(config)# ip ssh
   Switch(config)# no telnet
2  # Configure AAA for SSH users for login and enable access levels
   Switch(config)# aaa authentication ssh login tacacs local
   Switch(config)# aaa authentication ssh enable tacacs local
   # Accounting & Authorization not supported with TACACS
3  # Create TACACS servers
   Switch(config)# tacacs-server host 10.1.1.2 key expert
   # Create username
   Switch(config)# password VeRyc0omplex admin user-name admin

Figure 2 - 21: AAA for SSH with TACACS on HP E-Series

HP E-Series switches also support SSH with TACACS+. The configuration is similar to the RADIUS solution configuration. However, you specify TACACS+ for the AAA method, and you specify TACACS+ server settings. Note that HP E-Series switches do not support accounting and authorization with TACACS+.

Disable Telnet (Telnet and SSHv2 are enabled by default)

Switch(config)# ip ssh
Switch(config)# no telnet

Configure AAA for SSH users for login and enable access levels

Switch(config)# aaa authentication ssh login tacacs local
Switch(config)# aaa authentication ssh enable tacacs local

Accounting is not supported with TACACS.

Create TACACS servers

Switch(config)# tacacs-server host 10.1.1.2 key expert

Create a username

Switch(config)# password VeRyc0omplex admin user-name admin

The following option permits a single login:

Switch(config)# aaa authentication login privilege-mode

The server grants privileges at the Operator privilege level. If the privilege-mode option is entered, TACACS+ is enabled for a single login. The authorized privilege level (Operator or Manager) is returned to the switch by the TACACS+ server.

See “Configuring TACACS+ for a Single Login” of the Advanced Security Guide for your HP switch.

Configuring edge features

In this section we will discuss configuring security at the edge. We will also look at IP phone configuration.

Edge connections and features

[Figure: Cisco-based network with distribution and edge layers. End nodes at the edge: Cisco IP phone, 3rd party IP phone, PC, printer, server, blade server chassis. Edge feature groups: IP phones (PoE, QoS, Jumbo, LLDP-MED, Multicast); security prevention (DHCP snooping, ARP protection, IP source guard, loop protect, BPDU guard); access control (802.1X, MAC-Auth, Web-Auth, port security, ACL); traffic monitoring (SFlow, Netstream, QoS).]

Figure 2 - 22: Edge connections and features

How will you migrate end nodes?

• Prepare configuration of edge ports.
    • You must configure the connections before you move the physical connections.
    • The following pages will describe how to configure some of the features available for edge ports.
• Plan the migration of connections carefully.
    • The new switch will very often offer more ports, in which case a list of the mappings between the old and new ports is required.
• Move cables
    • Migrating existing end nodes from a Cisco edge switch to an HP edge switch will involve either a little or a lot of downtime. It will depend on whether cables have to be patched/wired or just plugged in using the RJ45 connector.
    • Downtime also depends on whether you move cables individually or in groups.
        • If the old and new switches are in the same location, the cables can be moved more easily.

DHCP snooping and ARP detection on HP A-Series Comware configuration

system-view
! Enable DHCP snooping globally
dhcp-snooping
! Enable ARP protection globally
arp detection validate ip src-mac
! Enable ARP detection per VLAN
vlan 220
 name test
 arp detection enable
! Define trusted interfaces for DHCP snooping and ARP protection
interface gigabitethernet 1/0/1
 description link-to-core
 port link-type trunk
 port trunk permit vlan 1 100 220
 arp detection trust
 dhcp-snooping trust
#
display dhcp-snooping
#

DHCP snooping and ARP protect on HP E-Series

conf t
! Enable DHCP snooping and ARP protect globally
dhcp-snooping
arp-protect
! DHCP snooping database on TFTP server
dhcp-snooping database file tftp://10.0.100.21/ProVision_dhcp.txt
! Enable DHCP snooping and ARP protection in VLANs
dhcp-snooping vlan 220
arp-protect vlan 220
! Define trusted interfaces for DHCP snooping and ARP protection
dhcp-snooping trust 47,48
arp-protect trust 47,48

STP hardening: BPDU guard, loop protect, and root guard

These features protect against spanning tree exploits.

BPDU guard and root guard configuration on Cisco IOS

conf t
! BPDU guard is configured on edge ports
interface GigabitEthernet0/1
 description Access-port
 switchport mode access
 spanning-tree bpduguard enable
! On the distribution switches, root guard is configured on uplink ports leading to
! edge (or access) switches.
interface GigabitEthernet0/9
 description link_to_core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root

BPDU guard, loopback detection, and root guard configuration on HP A-Series

system-view
# Global enablement
stp enable
loopback-detection enable
# Loopback-detection and BPDU protection are configured on edge ports.
interface GigabitEthernet 1/0/1
 description Access-port
 port link-type access
 stp bpdu-protection
 loopback-detection enable
# On distribution switches, root protection is configured on uplink ports leading to
# edge (access) switches.
interface GigabitEthernet 1/0/47
 description link-to-core
 port link-type trunk
 stp root-protection

BPDU guard, loopback detection, and root guard configuration on HP E-Series

conf t
! Enabling timeout for STP BPDU protection and traps for loop protect
spanning-tree bpdu-protection-timeout 300
loop-protect trap loop-detected
! Enabling STP BPDU protection and loop protect on edge ports
spanning-tree 1-46 bpdu-protection
loop-protect 1-46 receiver-action send-disable
! On distribution switches, root guard is defined on uplink ports leading to edge
! (access) switches.
spanning-tree 1-20 root-guard

Lab activity 2.2: Converting the Configuration on a Cisco Edge Device to an HP Device

[Figure: INITIAL: CEdge_1 with edge features (BPDU Guard, DHCP snooping, VoIP, and more). FINAL: HaEdge_1 and HeEdge_1 with edge features (BPDU Guard, DHCP Snooping, VoIP, and more).]

Figure 2 - 27: Lab activity 2.2: Converting the Configuration on a Cisco Edge Device to an HP Device

Consult your Lab Activity Guide for instructions on how to perform this lab.

Lab debrief

Use the space below to record the key things you learned, and also the challenges you faced in lab activity 2.2.

Table 2-2: Debrief for lab activity 2.2

Challenges            Key things learned

Learning check

Q1: What are the different methods you can use to set up redundancy when connecting an HP switch to a Cisco network?

Q2: When the rest of the network is set with PVST+, what should you take care to do when configuring MSTP on an edge switch?

Q3: What should you verify before connecting Cisco IP phones to an HP edge switch?

Q4: What setup should you perform on an HP edge switch before you connect Cisco IP phones to it?

Migrating and Expanding the Distribution Layer with HP E-Series
Module 3

Objectives

This module will help you to plan and execute successful migrations of Cisco distribution layer switches to HP E-Series distribution layer switches. You will explore several strategies, learning how to assess their advantages and disadvantages for various environments—and how to avoid common issues.

By the time that you have completed this module, you will be able to:

• Replace Cisco switches at the distribution layer with HP E-Series switches
• Consider the order in which you migrate various features in order to reduce issues and downtime
• Assess the advantages of various strategies in different customer environments
• Select distribution layer features to improve your new network

Migration scenario: Replacing Cisco with HP E-Series at the distribution layer

[Figure: INITIAL and FINAL topologies. INITIAL: Cisco core, distribution and edge switches running EIGRP, HSRP, CDP, VTP and RPVST+. FINAL: Cisco core and edge switches with HP E-Series distribution switches; the protocols are marked "?".]

Figure 3 - 1: Migration scenario: Replacing Cisco with HP E-Series at the distribution layer

On the left, you see a simplified design for an existing customer network that uses Cisco devices. Two distribution layer switches work as redundant routing switches for the network using Hot Standby Router Protocol (HSRP). They connect to two edge switches in the figure—far more in a real world scenario—and to two different core switches, each of which offers a connection to the Internet. The core and distribution switches communicate routes using Enhanced Interior Gateway Routing Protocol (EIGRP).

Within the LAN, Rapid Per-VLAN Spanning Tree Plus (RPVST+) eliminates loops created by the redundant edge-to-distribution connections, VLAN Trunking Protocol (VTP) extends VLANs throughout the network, and Cisco Discovery Protocol (CDP) provides neighbor discovery.

Your goal in this scenario is to replace the Cisco distribution layer switches with HP E-Series switches. Because the HP E-Series switches use open-standard protocols, part of the migration involves moving the network from the current proprietary protocols to the open-standard ones. For this reason, the figure on the right, which depicts the final network, indicates that the protocols in the final network might differ from the original protocols.

In this module, you will plan:

• What will be the configuration, based on open-standard protocols, in the final network
• How you will proceed, step-by-step, to reach the final topology and configuration

Why migrate to HP E-Series devices

– Solid features at the distribution layer at an attractive cost:
    • Wirespeed switching and routing
    • High Gigabit and 10-Gigabit port density
    • Routing protocols (OSPF and RIP)
    • VRRP
    • Redundant management module and fabric in the E8200 zl Series
    • Lifetime warranties
– HP Product Selector helps you select a switch.

Figure 3 - 2: Why migrate to HP E-Series devices

In this migration scenario, the customer is replacing outdated Cisco switches with new HP E-Series switches. The E-Series portfolio offers several switches with attractive features for the distribution layer, including wirespeed switching and routing and high Gigabit and 10G port density, at an attractive cost and typically with an included Lifetime Warranty.

This module focuses on the migration process rather than specific features of various E-Series devices. If you need help selecting the correct product for a customer environment, you can refer to the HP Product Selector on the HP Networking Web site.

Migration goals

Before you begin the migration to the replacement switches, you need to understand the customer’s goals and priorities. Most customers will want an enhanced network by the end of the migration—why else would the customer decide to migrate? You must understand the customer’s priorities:

• Do they want better performance?
• Do they want greater energy efficiency?
• Do they want new features?

While satisfying many of these requirements largely falls to assembling the correct networking solution for the customer, which is beyond the scope of this course, you should keep the goals in mind as you plan the migration. At the very least, you will need to ensure that your configuration at the end of the migration supports the services required by the customer.

In addition to considering the customer’s end goals, you must consider the goals for the migration process itself. One of the most important considerations is downtime. Can your customer schedule an outage, or does the network need to remain up throughout the migration? How important is zero downtime to the customer’s satisfaction with the migration process?

You should also ask the customer about other constraints that might affect your plan. For example, ascertain how many ports the core and distribution switches have available. As you will see, port constraints might alter the way in which you migrate to the new distribution layer.

Configurations

The sections below list the relevant sections of the configurations for your reference during the next activity.

Cisco Core 1 configuration

hostname CCore_1

vlan 100
vlan 111

ip subnet-zero

ip routing

no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.0.0.3 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport access vlan 111
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_2
 switchport access vlan 100
 switchport mode access

interface Vlan100
 ip address 10.0.100.3 255.255.255.0

interface Vlan111
 ip address 10.0.111.3 255.255.255.0

router eigrp 1
 network 10.0.0.0

Cisco Core 2 configuration

hostname CCore_2

vlan 100
vlan 112

ip subnet-zero

ip routing

no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.0.0.4 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_2
 switchport access vlan 112
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_1
 switchport access vlan 100
 switchport mode access

interface Vlan100
 ip address 10.0.100.4 255.255.255.0

interface Vlan112
 ip address 10.0.112.4 255.255.255.0

router eigrp 1
 network 10.0.0.0

Cisco Distribution 1 configuration

hostname CDist_1

ip subnet-zero
ip routing

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111 priority 0
spanning-tree vlan 20-21 priority 4096

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21
vlan 111

interface Loopback0
 ip address 10.1.0.1 255.255.255.255

interface GigabitEthernet1/0/1
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_1
 switchport access vlan 111
 switchport mode access
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 standby 1 ip 10.1.2.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 10 ip 10.1.10.254
 standby 10 priority 255
 standby 10 preempt

interface Vlan11
 ip address 10.1.11.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 11 ip 10.1.11.254
 standby 11 priority 255
 standby 11 preempt

interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 20 ip 10.1.20.254

interface Vlan21
 ip address 10.1.21.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 21 ip 10.1.21.254

interface Vlan111
 ip address 10.0.111.1 255.255.255.0

router eigrp 1
 network 10.0.0.0

ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode server
vtp pruning

Cisco Distribution 2 configuration

hostname CDist_2

ip subnet-zero
ip routing

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111 priority 4096
spanning-tree vlan 20-21,112 priority 0

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21
vlan 112

interface Loopback0
 ip address 10.1.0.2 255.255.255.255

interface GigabitEthernet1/0/1
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_2
 switchport access vlan 112
 switchport mode access
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.254

interface Vlan2
 ip address 10.1.2.2 255.255.255.0
 standby 1 ip 10.1.2.254

interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 10 ip 10.1.10.254

interface Vlan11
 ip address 10.1.11.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 11 ip 10.1.11.254

interface Vlan20
 ip address 10.1.20.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 20 ip 10.1.20.254
 standby 20 priority 255
 standby 20 preempt

interface Vlan21
 ip address 10.1.21.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 21 ip 10.1.21.254
 standby 21 priority 255
 standby 21 preempt

interface Vlan112
 ip address 10.0.112.2 255.255.255.0

router eigrp 1
 network 10.0.0.0

ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode server
vtp pruning

Cisco Edge 1 configuration

hostname CEdge_1

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to Server
 switchport access vlan 2
 switchport mode access

interface Vlan1
 ip address 10.1.1.11 255.255.255.0

ip default-gateway 10.1.1.254
ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode client
vtp pruning

Cisco Edge 2 configuration

hostname CEdge_2

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to Client
 switchport access vlan 21
 switchport mode access

interface Vlan1
 ip address 10.1.1.12 255.255.255.0

ip default-gateway 10.1.1.254
ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode client
vtp pruning
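When the HSRP settings of IOS configurations like the ones above are transcribed into a migration plan, each SVI can be parsed mechanically and checked for groups whose priority or preempt lines do not belong to the group that carries the virtual IP. The following Python code is an added example, not part of the HP course material; the function names and the sample configuration are constructed, and 100 is used as the HSRP default priority.

```python
import ipaddress
import re

HSRP_DEFAULT_PRIORITY = 100  # used when no "standby <group> priority" line exists


def parse_hsrp(config_text):
    """Collect address, helper and HSRP settings for every 'interface VlanN' block."""
    svis, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith(("interface ", "router ")):
            # Any new interface or router section closes the previous SVI block.
            m = re.fullmatch(r"interface\s+vlan\s*(\d+)", line, re.I)
            current = None
            if m:
                current = svis.setdefault(
                    int(m.group(1)), {"ip": None, "helpers": [], "groups": {}})
            continue
        if current is None:
            continue
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"ip helper-address (\S+)", line):
            current["helpers"].append(m.group(1))
        elif m := re.fullmatch(r"standby (\d+) (ip|priority|preempt)(?: (\S+))?", line):
            group = current["groups"].setdefault(
                int(m.group(1)), {"vip": None, "priority": None, "preempt": False})
            key, arg = m.group(2), m.group(3)
            if key == "ip":
                group["vip"] = arg
            elif key == "priority" and arg and arg.isdigit():
                group["priority"] = int(arg)
            elif key == "preempt":
                group["preempt"] = True
    return svis


def plan_rows(svis):
    """One row per (VLAN, HSRP group), with the default priority filled in."""
    rows = []
    for vlan, svi in sorted(svis.items()):
        for gid, g in sorted(svi["groups"].items()):
            rows.append({
                "vlan": vlan,
                "ip": str(svi["ip"]) if svi["ip"] else None,
                "helpers": list(svi["helpers"]),
                "group": gid,
                "priority": (g["priority"] if g["priority"] is not None
                             else HSRP_DEFAULT_PRIORITY),
                "preempt": g["preempt"],
                "vip": g["vip"],
            })
    return rows


def findings(svis):
    """Flag groups without a virtual IP and virtual IPs outside the SVI subnet."""
    issues = []
    for vlan, svi in sorted(svis.items()):
        for gid, g in sorted(svi["groups"].items()):
            if g["vip"] is None:
                issues.append(f"Vlan{vlan}: standby {gid} has no virtual IP configured")
            elif svi["ip"] and ipaddress.ip_address(g["vip"]) not in svi["ip"].network:
                issues.append(f"Vlan{vlan}: standby {gid} virtual IP {g['vip']} "
                              f"is outside {svi['ip'].network}")
    return issues


# Constructed sample: Vlan20 tunes group 1 although its virtual IP is in group 20,
# so group 20 silently keeps the default priority and no preemption.
SAMPLE = """\
interface Vlan10
 ip address 10.9.10.2 255.255.255.0
 ip helper-address 10.9.2.100
 standby 10 ip 10.9.10.254
interface Vlan20
 ip address 10.9.20.2 255.255.255.0
 ip helper-address 10.9.2.100
 standby 20 ip 10.9.20.254
 standby 1 priority 255
 standby 1 preempt
router eigrp 1
 network 10.0.0.0
"""

if __name__ == "__main__":
    parsed = parse_hsrp(SAMPLE)
    for row in plan_rows(parsed):
        print(row)
    for issue in findings(parsed):
        print("CHECK:", issue)
```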

What is the final configuration?

[Figure: planned final topology. Labels: Internet; CCore_1 (.3) and CCore_2 (.4); VLAN 101 and VLAN 102; HeDist_1 and HeDist_2; CEdge_1 and CEdge_2 (.11, .12); trunks with native VLAN 1, "Permit All VLANs?"; access ports in VLANs 2, 10, 11, 20, 21; IP address 10.X.VLAN.0/24. Open questions on the figure: Routing protocol? Layer 2 redundancy? Layer 3 redundancy? Virtual ? Discovery protocol?]

Figure 3 - 4: What is the final configuration?

With your group, plan configurations for the switches after the migration so that they provide functionality equivalent to that of the existing network. You have learned about methods for making these plans earlier in this course. Now you have another chance to practice your new skills. You will also be able to leverage your plans during the lab for this module, so make sure to record your plans carefully.

Note that the Cisco distribution switches are not included in the final plans because they will be removed by the end of the migration; however, you might migrate these switches to the open standard protocol as part of the migration process. You will look at that process in more detail a bit later.

As you answer the questions, you can refer to the tables within the questions as well as the configurations on the previous pages.

1. First plan the open standard protocols to which you will migrate proprietary protocols.

Table 3-1: Migrating proprietary protocol to open standards

Function                                      Proprietary protocol   Open-standard equivalent
Routing protocol                              EIGRP
Layer 3 redundancy protocol                   HSRP
Layer 2 redundancy protocol (spanning tree)   RPVST+
VLAN registration                             VTP
Discovery protocol                            CDP

2. Will you implement the open standard VLAN registration protocol or configure static VLANs? Why?

3. Will you implement the open standard discovery protocol? Why or why not?

4. The current spanning tree settings are displayed in the first table below. In the other table, indicate the settings that you want on each switch at the end of the migration. Note that you might adjust these settings during the migration. For now, you are planning the end goal. Also note that, if you do not plan to enable MSTP on a switch, you can leave the cells empty.

Table 3-2: Current spanning tree settings

Parameter            Setting for      Setting for           Setting for           Setting for      Setting for
                     Core switches    CDist_1               CDist_2               CEdge_1          CEdge_2
Spanning tree mode   disabled         Rapid PVST+           Rapid PVST+           Rapid PVST+      Rapid PVST+
Priority             —                VLANs 1, 2, 10, 11,   VLANs 1, 2, 10, 11,   Default on all   Default on all
                                      111: 0                111: 4096             VLANs (32768)    VLANs (32768)
                                      VLANs 20, 21: 4096    VLANs 20, 21, 112: 0
Other settings       —                BPDU filter on P4     BPDU filter on P4     —                —
                                      (to Core)             (to Core)

Table 3-3: Planned MSTP settings


Setting for Setting for Setting for Setting for Setting for Setting for
Parameter
CCore_1 CCore_2 HeDist_1 HeDist_2 CEdge_1 CEdge_2
Region

d.
name

ite
Revision

ib
number

oh
VLAN

pr
mapping

is
n
sio
is
m
er
Priority for

tp
each

ou
instance

ith
w
rt
pa
Other
settings i n
or
l e
ho
w
in

Justify your plans:


_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

5. The IP addressing and Layer 3 redundancy configurations for the existing
distribution switches are displayed in the first table below. In the next table,
indicate the settings for the new HP E-Series switches. Again, you are planning
the final configurations.

Note that, if you are using software version 15, you can set one switch as owner
with priority 255 and still assign a virtual IP address to the VRID. Otherwise, you
must assign both switches as backup to use a different virtual IP address than the
one on the owner.


Table 3-4: Current distribution IP address and HSRP settings


| Parameter | Setting for CDist_1 | Setting for CDist_2 |
|---|---|---|
| VLAN 1 | | |
| IP address | 10.1.1.1 255.255.255.0 | 10.1.1.2 255.255.255.0 |
| Helper address | Not configured | Not configured |
| Standby ID | 1 | 1 |
| Priority | 255 | Default (100) |
| Preempt mode | Enabled | Not enabled |
| Virtual IP address | 10.1.1.254 | 10.1.1.254 255.255.255.0 |
| VLAN 2 | | |
| IP address | 10.1.2.1 255.255.255.0 | 10.1.2.2 255.255.255.0 |
| Helper address | Not configured | Not configured |
| Standby ID | 1 | 1 |
| Priority | 255 | Default (100) |
| Preempt mode | Enabled | Not enabled |
| Virtual IP address | 10.1.2.254 255.255.255.0 | 10.1.2.254 255.255.255.0 |
| VLAN 10 | | |
| IP address | 10.1.10.1 255.255.255.0 | 10.1.10.2 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Standby ID | 10 | 10 |
| Priority | 255 | Default (100) |
| Preempt mode | Enabled | Not enabled |
| Virtual IP address | 10.1.10.254 | 10.1.10.254 |
| VLAN 11 | | |
| IP address | 10.1.11.1 255.255.255.0 | 10.1.11.1 255.255.255.0 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Standby ID | 11 | 11 |
| Priority | 255 | Default (100) |
| Preempt-mode | Enabled | Not enabled |
| Virtual IP address | 10.1.11.254 | 10.1.11.254 |
| VLAN 20 | | |
| IP address | 10.1.11.1 255.255.255.0 | 10.1.11.1 255.255.255.0 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Standby ID | 20 | 20 |
| Priority | Default (100) | 255 |
| Preempt-mode | Not enabled | Enabled |
| Virtual IP address | 10.1.20.254 255.255.255.0 | 10.1.20.254 255.255.255.0 |
| VLAN 21 | | |
| IP address | 10.1.21.1 255.255.255.0 | 10.1.21.1 255.255.255.0 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Standby ID | 21 | 21 |
| Priority | Default (100) | 255 |
| Preempt mode | Not enabled | Enabled |
| Virtual IP address | 10.1.21.254 255.255.255.0 | 10.1.21.254 255.255.255.0 |
| VLAN 111 | | |
| IP address | 10.0.111.1 255.255.255.0 | Not configured |
| Helper address | Not configured | — |
| Standby ID | Not configured | — |
| VLAN 112 | | |
| IP address | Not configured | 10.0.112.1 255.255.255.0 |
| Helper address | — | Not configured |
| Loopback 0 | | |
| IP address | 10.1.0.1 | 10.1.0.2 |

Table 3-5: Planned IP addressing and VRRP settings for the new HP E-Series
switches
| Parameter | Setting for HeDist_1 | Setting for HeDist_2 |
|---|---|---|
| VLAN 1 | | |
| IP address | | |
| Helper address | | |
| Mode | | |
| VRID | | |
| Priority | | |
| Preempt mode | | |
| Virtual IP address | | |
| VLAN 2 | | |
| IP address | | |
| Helper address | | |
| Mode | | |
| VRID | | |
| Priority | | |
| Preempt mode | | |
| Virtual IP address | | |
| VLAN 10 | | |
| IP address | | |
| Helper address | | |
| Mode | | |
| VRID | | |
| Priority | | |
| Preempt mode | | |
| Virtual IP address | | |
| VLAN 11 | | |
| IP address | | |
| Helper address | | |
| Mode | | |
| VRID | | |
| Priority | | |
| Preempt-mode | | |
| Virtual IP address | | |
| VLAN 20 | | |
| IP address | | |
| Helper address | | |
| Mode | | |
| VRID | | |
| Priority | | |
| Preempt-mode | | |
| Virtual IP address | | |
| VLAN 21 | | |
| IP address | | |
| Helper address | | |
| Mode | | |
| VRID | | |
| Priority | | |
| Preempt mode | | |
| Virtual IP address | | |
| VLAN 111 | | |
| IP address | | |
| Helper address | | |
| VRID | | |
| VLAN 112 | | |
| IP address | | |
| Helper address | | |
| VRID | | |
| Loopback 0 | | |
| IP address | | |

Justify your plans:


_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

6. Does your plan for IP addressing, including the virtual routing IP addresses,
necessitate any configuration changes at the core or edge? If so, list these
changes:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


7. Plan the final configuration for the routing protocol. Currently, EIGRP is enabled
on the entire 10.0.0.0/8 network on both core switches and on both distribution
switches. The table provides a space for you to plan your final settings for OSPF.
Your goal is to ensure that the distribution switches can route traffic between
VLANs 1, 2, 10, 11, 20, and 21 and the core. Several valid designs exist; yours
might not include all of the settings in the table.
Table 3-6: Final OSPF settings
| Parameter | Setting for CCore_1 | Setting for CCore_2 | Setting for HeDist_1 | Setting for HeDist_2 |
|---|---|---|---|---|
| Area | | | | |
| OSPF interfaces and their area assignments | | | | |
| Passive interfaces | | | | |
| Redistribution settings | | | | |
| Administrative distance and metrics | | | | |
| Route summaries | | | | |

Justify your plans:


_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


Proposed final configuration


[Diagram labels: Internet; CCore_1 (.3) and CCore_2 (.4); OSPF; VLAN 101 and VLAN 102;
HeDist_1 and HeDist_2 (.5, .6); MSTP root for IST and instance 1 and VRRP Master for
VLANs 1, 2, 10, 11; MSTP root for instance 2 and VRRP Master for VLANs 20, 21;
VRRP virtual .254 or .253; trunks: native VLAN 1, permit all; LLDP; static VLAN; MSTP;
CEdge_1 (.11) and CEdge_2 (.12); access ports in VLANs 2, 10, 11, 20, 21;
IP address: 10.X.VLAN.0/24]

Figure 3 - 5: Proposed final configuration

Migration to open standards

You learned about migrating to open standards in Module 1, so you should
understand the protocols listed in the table well.

Table 3-7: Migrating proprietary protocol to open standards


| Function | Proprietary protocol | Open-standard equivalent |
|---|---|---|
| Routing protocol | EIGRP | OSPF (or ISIS) |
| Layer 3 redundancy protocol | HSRP | VRRP |
| Layer 2 redundancy protocol (spanning tree) | RPVST+ | MSTP |
| VLAN registration | VTP | GVRP |
| Discovery protocol | CDP | LLDP |

For the proposed final configuration, you will migrate the network to all of the
protocols listed in the table except GVRP. As you learned in Module 1, while GVRP
enables switches to advertise and register for VLAN memberships automatically, just
like VTP, GVRP does not work for heterogeneous environments. Creating the VLANs
statically on the switches will not be complicated, and the final functionality will be
the same as it is now.

Spanning tree protocol


You need to consider several issues as you plan your final MSTP configuration:

▪ How will you map VLANs to MSTP instances?

For this example, you should map the VLANs such that the root and secondary
root roles can be divided as they are in the old distribution layer. You should
always leave at least one VLAN in the IST (instance 0), which allows the HP E-
Series switches to interoperate with switches in different MSTP regions and using
different spanning tree protocols. PVST+ and RPVST+ switches use VLAN 1 for
interoperation—make sure that all trunks between the HP E-Series and Cisco
switches allow VLAN 1. You do not have to use VLAN 1 for the IST, but in this
proposal you are. You also leave VLANs that are not shared across the region in
the IST. Note that no configuration is necessary to place a VLAN in the IST; all
VLANs are placed in the IST by default.

▪ Which priorities and costs will you assign to switches?

This question is rather straightforward. You would assign the priorities such that
one of the new distribution switches is primary root in the first instance and
secondary root in the second instance and vice versa on the other HP E-Series
switch.

You might also assign a lower cost to the distribution switch-to-switch link to favor
it. (In the real world, this link is often a link aggregation; however the HP E-Series
switch does not automatically assign an aggregation a lower cost.)

▪ How will you prevent links that are acting like routed links from being blocked?

MSTP functions differently from RPVST+ in several important ways. It blocks links
for an instance regardless of the VLAN configuration. Therefore links such as the
ones shown between the HP E-Series switches and the core could be blocked by
MSTP even though no loop exists in VLAN 101 and VLAN 102. For example, this
would happen if there were a connection between the core switches and they
implemented MSTP.

To prevent the links from being blocked, you can disable spanning-tree at the
core, which does not need to implement this protocol because it connects to the
rest of the network on routed links. For failsafe measures, you could also
implement BPDU filters on the HP E-Series switch ports that connect to the core.
And you could enable loop guard on the Cisco core switches in case they are
accidentally connected to the distribution layer on the same VLAN on two
connections.

The proposed final configuration is shown in the table.

On the other hand, if you plan to connect the new switches as a parallel network
before completing the migration, you must carefully plan the sequence for the
migration to prevent connectivity errors caused by the duplicate addresses. You might
find it simpler to assign the new distribution layer switches new IP addresses and
migrate the configurations in the DHCP scopes, device configurations, and firewall
policies.

This module will describe strategies for both methods. For this proposed
configuration, the first method is selected because it offers fewer opportunities for
errors in the long run. And you will not need to change any of the IP configurations
at the core. (However, you will at first use different actual IP addresses on the
switches; only the virtual IP addresses will be the same.)

Having decided that you will use the same virtual router IP address for the new
switches, you can easily configure the rest of the VRRP settings. You simply need to
synchronize the VRRP Master role with the MSTP primary root role in each VLAN.

Table 3-9: Planned IP addressing and VRRP settings for the new HP E-Series
switches
| Parameter | Setting for HeDist_1 | Setting for HeDist_2 |
|---|---|---|
| VLAN 1 | | |
| IP address | 10.1.1.5/24 | 10.1.1.6/24 |
| Helper address | None | None |
| Mode | Backup | Backup |
| VRID | 1 | 1 |
| Priority | 254 | 100 |
| Preempt mode | Enabled | Disabled |
| Virtual IP address | 10.1.1.254/24 | 10.1.1.254/24 |
| VLAN 2 | | |
| IP address | 10.1.2.5/24 | 10.1.2.6/24 |
| Helper address | None | None |
| Mode | Backup | Backup |
| VRID | 2 | 2 |
| Priority | 254 | 100 |
| Preempt mode | Enabled | Disabled |
| Virtual IP address | 10.1.2.254/24 | 10.1.2.254/24 |
| VLAN 10 | | |
| IP address | 10.1.10.5/24 | 10.1.10.6/24 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Mode | Backup | Backup |
| VRID | 10 | 10 |
| Priority | 254 | 100 |
| Preempt mode | Enabled | Disabled |
| Virtual IP address | 10.1.10.254/24 | 10.1.10.254/24 |
| VLAN 11 | | |
| IP address | 10.1.11.5/24 | 10.1.11.6/24 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Mode | Backup | Backup |
| VRID | 11 | 11 |
| Priority | 254 | 100 |
| Preempt-mode | Enabled | Disabled |
| Virtual IP address | 10.1.11.254/24 | 10.1.11.254/24 |
| VLAN 20 | | |
| IP address | 10.1.20.5/24 | 10.1.20.6/24 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Mode | Backup | Backup |
| VRID | 20 | 20 |
| Priority | 100 | 254 |
| Preempt-mode | Disabled | Enabled |
| Virtual IP address | 10.1.20.254/24 | 10.1.20.254/24 |
| VLAN 21 | | |
| IP address | 10.1.21.5/24 | 10.1.21.6/24 |
| Helper address | 10.1.2.100 | 10.1.2.100 |
| Mode | Backup | Backup |
| VRID | 21 | 21 |
| Priority | 100 | 254 |
| Preempt mode | Disabled | Enabled |
| Virtual IP address | 10.1.21.254/24 | 10.1.21.254/24 |
| VLAN 111 | | |
| IP address | 10.0.111.5/24 | Not configured |
| Helper address | None | — |
| VRID | None | — |
| VLAN 112 | | |
| IP address | Not configured | 10.0.112.6/24 |
| Helper address | — | None |
| VRID | — | None |
| Loopback 0 | | |
| IP address | 10.1.0.5 | 10.1.0.6 |
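
The rule stated before Table 3-9 (the VRRP Master must sit on the MSTP primary root in each VLAN) can be checked mechanically before a plan is applied. The following Python check is an added example, not part of the course material: the VRRP rows are copied from Table 3-9, while the VLAN-to-instance mapping, the root assignment (read from Figure 3-5), the standard VRRP owner/backup priority rule, and all function names are assumptions of this example.

```python
from ipaddress import ip_interface

# VRRP rows copied from Table 3-9.
# vlan -> (virtual IP, {switch: (real IP, mode, priority, preempt enabled)})
VRRP_PLAN = {
    1:  ("10.1.1.254/24",  {"HeDist_1": ("10.1.1.5/24",  "Backup", 254, True),
                            "HeDist_2": ("10.1.1.6/24",  "Backup", 100, False)}),
    2:  ("10.1.2.254/24",  {"HeDist_1": ("10.1.2.5/24",  "Backup", 254, True),
                            "HeDist_2": ("10.1.2.6/24",  "Backup", 100, False)}),
    10: ("10.1.10.254/24", {"HeDist_1": ("10.1.10.5/24", "Backup", 254, True),
                            "HeDist_2": ("10.1.10.6/24", "Backup", 100, False)}),
    11: ("10.1.11.254/24", {"HeDist_1": ("10.1.11.5/24", "Backup", 254, True),
                            "HeDist_2": ("10.1.11.6/24", "Backup", 100, False)}),
    20: ("10.1.20.254/24", {"HeDist_1": ("10.1.20.5/24", "Backup", 100, False),
                            "HeDist_2": ("10.1.20.6/24", "Backup", 254, True)}),
    21: ("10.1.21.254/24", {"HeDist_1": ("10.1.21.5/24", "Backup", 100, False),
                            "HeDist_2": ("10.1.21.6/24", "Backup", 254, True)}),
}

# Assumption: VLAN 1 stays in the IST (instance 0) and the remaining VLANs are
# split as in the old distribution layer; root roles are read from Figure 3-5.
VLAN_TO_INSTANCE = {1: 0, 2: 1, 10: 1, 11: 1, 20: 2, 21: 2}
INSTANCE_ROOT = {0: "HeDist_1", 1: "HeDist_1", 2: "HeDist_2"}


def check_vlan(vlan, vip, routers, vlan_to_instance, instance_root):
    """Return a list of problems found for one VLAN's VRRP group."""
    problems = []
    vip_if = ip_interface(vip)
    real = {name: ip_interface(cfg[0]) for name, cfg in routers.items()}

    # Real addresses must be unique and share the virtual IP's subnet.
    if len({iface.ip for iface in real.values()}) != len(real):
        problems.append("duplicate real IP address")
    for name, iface in real.items():
        if iface.network != vip_if.network:
            problems.append(f"{name}: real IP not in the virtual IP's subnet")

    # Standard VRRP: priority 255 is reserved for the router that owns the
    # virtual IP; every other router is a backup with priority 1-254.
    for name, (_ip, mode, prio, _preempt) in routers.items():
        owns_vip = real[name].ip == vip_if.ip
        if owns_vip and (mode != "Owner" or prio != 255):
            problems.append(f"{name}: holds the virtual IP, must be Owner/255")
        if not owns_vip and (mode != "Backup" or not 1 <= prio <= 254):
            problems.append(f"{name}: must be Backup with priority 1-254")

    # The highest priority wins the election; it needs preempt to reclaim the
    # Master role after a failure, or it drifts away from the MSTP root.
    ranked = sorted(routers, key=lambda n: routers[n][2], reverse=True)
    master = ranked[0]
    if len(ranked) > 1 and routers[ranked[1]][2] == routers[master][2]:
        problems.append("priority tie: election falls back to highest IP")
    if not routers[master][3]:
        problems.append(f"{master}: intended Master has preempt disabled")

    root = instance_root.get(vlan_to_instance.get(vlan))
    if root is None:
        problems.append("VLAN has no MSTP instance/root in the plan")
    elif master != root:
        problems.append(f"VRRP Master {master} is not the MSTP root {root}")
    return problems


def check_plan(plan, vlan_to_instance=VLAN_TO_INSTANCE,
               instance_root=INSTANCE_ROOT):
    """Map each VLAN that has findings to its problems (empty dict = clean)."""
    findings = {}
    for vlan, (vip, routers) in sorted(plan.items()):
        problems = check_vlan(vlan, vip, routers, vlan_to_instance, instance_root)
        if problems:
            findings[vlan] = problems
    return findings


def constructed_bad_plan():
    """Constructed variant: VLAN 20 priorities swapped, VLAN 21 preempt off."""
    bad = dict(VRRP_PLAN)
    bad[20] = ("10.1.20.254/24",
               {"HeDist_1": ("10.1.20.5/24", "Backup", 254, True),
                "HeDist_2": ("10.1.20.6/24", "Backup", 100, False)})
    bad[21] = ("10.1.21.254/24",
               {"HeDist_1": ("10.1.21.5/24", "Backup", 100, False),
                "HeDist_2": ("10.1.21.6/24", "Backup", 254, False)})
    return bad


if __name__ == "__main__":
    print("Table 3-9 plan:", check_plan(VRRP_PLAN) or "no findings")
    for vlan, problems in check_plan(constructed_bad_plan()).items():
        for problem in problems:
            print(f"VLAN {vlan}: {problem}")
```

The owner rule here follows the case in which both switches are configured as backup because the virtual IP address differs from every real address, as in Table 3-9.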

Routing protocol
You need to plan OSPF such that:
▪ The core switches receive routes to the private network from the distribution layer
▪ The distribution layer switches receive core and Internet routes from the core
▪ The distribution switches can act as backup for each other in case one of the
core connections goes down.
There are several ways that you could design OSPF. It is proposed that you configure
the distribution switches as area border routers (ABRs) between area 0, which is at
the core, and an area for this segment of the network. That is, VLAN 111 and VLAN
112 are in area 0, and VLANs 1, 2, 10, 11, 20, and 21 are in area 1.
This second area can be a stub area, in which case you would enable OSPF on all
the VLANs in that area and make every VLAN except VLAN 1 a passive interface.
Or you can make the second area normal, in which case you could use passive
interfaces or alternatively only place VLAN 1 in the area and redistribute connected
routes.
You should also consider route summarization. In the proposed configuration, you do
not use route summarization because the network has relatively few subnets.
The proposed configuration is displayed in the table.


Table 3-10: OSPF settings for the HP E-Series distribution switches


| Parameter | Settings for CCore_1 | Settings for CCore_2 | Setting for HeDist_1 | Setting for HeDist_2 |
|---|---|---|---|---|
| Loopback address | 10.1.0.3 | 10.1.0.4 | 10.1.0.5 | 10.1.0.6 |
| Areas | 0 | 0 | 1 stub; 0 | 1 stub; 0 |
| OSPF interfaces | Area 0: 10.0.1X1.0 0.0.0.255; 10.0.0.0 0.0.0.255; 10.1.110.0 0.0.0.255 | Area 0: 10.0.1X2.0 0.0.0.255; 10.0.0.0 0.0.0.255; 10.1.110.0 0.0.0.255 | area 1: VLAN 1, 2, 10-11, 20-21; area 0: 111, loopback interface | area 1: VLAN 1, 2, 10-11, 20-21; area 0: 112, loopback interface |
| Passive interfaces | Not applicable | Not applicable | VLAN 2, 10-11, 20-21 | VLAN 2, 10-11, 20-21 |

Plan for migrating to open standards


You will now look in more detail at strategies for migrating from the initial
configuration to the final configuration that you planned in the previous section.

Many of the considerations for this process will be familiar to you from Module 1.
However, because you are not only migrating to open standards, but also migrating
to new routing switches at the distribution layer, you might want to follow a slightly
different process for the migration. This section covers the considerations for this
process.

When should you migrate the Cisco switches to open standards?

| Switches | Migrate | When | Issues or downtime |
|---|---|---|---|
| Core (and distribution) | EIGRP to OSPF | Anytime before the new distribution switches begin to take over routing | Possible issues, but, properly done, no downtime |
| Core (and distribution) | CDP to LLDP | Anytime before the migration ends | Few or none |
| Edge (and distribution) | CDP to LLDP | Anytime before the migration ends | Few or none |
| Edge (and distribution) | VTP to Static VLANs | Anytime before you move the edge to the new distribution layer | Few or none |
| Edge (and distribution) | RPVST+ to MSTP | ? | Potentially several issues |

Figure 3 - 6: When should you migrate the Cisco switches to open standards?

In the final configuration, Cisco edge and core switches will implement the same open
standard protocols as the new HP E-Series distribution switches. You must determine
the best time to migrate these switches to the new protocols. Consider these basic
issues:

▪ Will migrating the protocols while the existing distribution switches remain active
in the network cause interoperability issues or downtime? Would you need to
migrate the existing switches to the new protocol?

▪ Will failing to migrate the protocols before introducing the HP E-Series
distribution switches cause interoperability issues or downtime?

The answers to these questions will guide you to the proper time to migrate the
protocols with the fewest issues and least downtime.


Routing protocol

First examine migrating EIGRP to OSPF. As you learned in Module 1, migrating the
routing protocol in an active network takes planning but can be done without
introducing downtime. In answer to the second question, you would simply need to
migrate the protocol before the new distribution switches take over routing.

Typically, you should configure OSPF on the existing Cisco distribution switches and
migrate entirely to OSPF before the new switches take over routing.

Doing so ensures that you have a solid solution in place before you worry about
complicating it with a migration. For example, during the migration, you might
connect the Cisco distribution and HP E-Series distribution switches and have the
Cisco switches and HP E-Series switches each route traffic in some VLANs. In that
case, the switches might need a way to communicate routes to each other. You will
learn more later in this module.

You, or the customer, might not want to migrate the Cisco distribution switches to
OSPF because you are removing them. You could try migrating the core to OSPF
before the new distribution switches take over routing, but leaving EIGRP active so
that the Cisco switches can continue routing. You would disable EIGRP at the core
only after migrating all Layer 3 functionality to the new switches.

In a simple network, this strategy could work, but in a more complicated network, you
open yourself to the possibility of creating routing loops and other routing problems.

Discovery protocol

Migrating the discovery protocol should not cause any issues. The Cisco switches can
run CDP and LLDP at the same time, so you can easily enable LLDP at the beginning
of the migration and then disable CDP after completing the migration. If your
network has IP phones that require CDP, you could leave CDP running on the Cisco
edge switches.

VTP to Static VLANs

As discussed in Module 1, static 802.1Q VLANs are the best option for a network
with Cisco and HP devices.

At some point before you remove the Cisco distribution switches, you need to ensure
that your network’s VLANs are configured on the edge switches. Otherwise, when
the edge switches lose contact with their VTP servers, you could encounter
connectivity issues.

You can use the same process that you practiced in the lab for Module 1 (changing
the VTP clients to VTP servers, then changing all switches to VTP transparent mode,
and finally removing the VTP configuration) or a variation. As you observed in the
lab, this relatively simple process produces few issues.


Spanning tree protocol

As you learned in Module 1, transitioning from PVST+ or Rapid PVST+ to MSTP in an
active network can cause a loss of connectivity. Because PVST+ and MSTP
interoperate, you can wait to migrate until after connecting the new switches.
However, you will need to carefully plan how the protocols interoperate to ensure
that connections are enabled and blocked as you expect.

The next slide explains more.

When should you migrate to MSTP?


To come up with the best strategy for migrating to MSTP, consider the reasons that
migrating to MSTP causes loss of connectivity in an online network, which you
investigated thoroughly in Module 1:

▪ You must migrate the eventual CIST root to MSTP first—otherwise, PVST+
simulation errors disrupt connections.

▪ However, when you change the spanning tree mode to MSTP on a Cisco switch
in a PVST+ environment, the VLANs are disabled and then re-enabled. Initiating
MSTP on the CIST root (a routing switch) then takes about 30 seconds, during
which time connectivity is disrupted. You can reduce the initiation time by
altering timers, but traffic is still dropped for several seconds.

▪ In the final network, only the edge switches among the Cisco switches need to
implement MSTP. For this reason, you might choose to configure MSTP on the
edge switches only. However, the same PVST+ simulation errors will cause
problems because you are migrating the edge switches before the CIST root.

During Module 1, you discovered a migration process that reduces downtime to four
or five seconds. You can certainly use that same process for this migration as well.
However, you are now looking at a different scenario, in which the Cisco distribution
switches will eventually be removed entirely.

Q1: What is an alternative process for migrating to MSTP that might further reduce
downtime?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Methods for migrating to the new distribution layer


You will now explore three general strategies for migrating to a new distribution
layer:

▪ Forklift—Schedule an outage. Then simply remove the old switches and add the
new ones.

▪ Parallel network—Set up the new distribution layer in parallel and gradually
migrate functionality to it.

▪ Replacement—Replace distribution switches one at a time. While you are
replacing the switches, part of the old distribution layer and new distribution
layer will run in parallel.

Forklift (cont.)
With your classmates, assess the advantages of the forklift method. Also discuss
potential challenges introduced by this method and disadvantages.

Advantages:

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Challenges and disadvantages:

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

A disadvantage for one environment might not be a grave concern for another.
Brainstorm situations in which you would use the forklift method.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Parallel network

[Diagram labels: 1—Configure the new switches offline; 1—Begin migration to
open standards; 2—Add the parallel network; devices: Cisco, HP E-Series]

Figure 3 - 8: Parallel network

In this strategy, you add the new distribution layer as a parallel network and
gradually migrate functionality to it.

1. In a first step, similar to the forklift method’s first step, you configure the new
switches offline. You also begin to migrate Cisco switches to open standards,
following the plan that you created earlier.

However, unlike the forklift method, you must consider how the HP E-Series
configuration will interact with the existing configuration. For example, you
cannot simply assign the E-Series switches the default gateway IP addresses
because that would cause an address conflict. A good strategy is to configure
all of the settings at this point but not to enable them until they are required. In
the slides to follow, you will explore the best times to enable particular features.

2. Next, you connect the HP E-Series switches as a parallel network. The figure
shows one strategy for connecting the parallel network:

a. Connect the two new distribution layer switches to the two existing
distribution layer switches on a single connection.

b. Connect all of the edge switches to one of the new distribution layer
switches.

c. Connect one of the new distribution layer switches to the core.

You can vary this strategy as called on by your environment. For example, you
might connect both HP E-Series switches to the core. Or you might distribute the
edge switch connections between the new distribution switches. You can connect
the parallel network as you desire; simply ensure that these criteria are met:

• The new distribution layer connects to the old distribution layer on one link
or aggregated link, which simplifies the spanning tree topology.

• Each HP E-Series switch connects to the core before you start migrating
routing functionality to that switch.

Where might issues occur?


The parallel network migration, because it involves making changes to and
introducing new devices to an active network, can introduce more issues than a
forklift migration. You will now look more closely at some potential trouble spots
during the migration:

▪ Connecting the parallel network—Will STP convergence cause any downtime?
Without STP, will loops occur?

▪ Migrating the edge:
    • How can you minimize downtime?
    • How will the new traffic flow affect the network?

▪ Migrating the routing functionality
    • When will you migrate the functionality?
    • What mechanisms will you use?

You will now explore these issues so that you will fully comprehend the potential
pitfalls—and plan ways to avoid them.

Potential problem spot 1: STP behavior when you connect the parallel network

[Diagram labels: Based on the configuration, what happens when you connect the
parallel network?; RPVST+ root for VLANs 1, 2, 10, 11; RPVST+ root for VLANs 20, 21;
devices: Cisco, HP E-Series. Legend: Blocked by RPVST+ on VLANs 1, 2, 10, 11;
Blocked by RPVST+ on VLANs 20, 21]

Figure 3 - 10: Potential problem spot 1: STP behavior when you connect the parallel network

You will first explore the type of issues that might occur when you connect the HP E-
Series switches as a parallel network. As discussed earlier, you will very probably
have the Cisco switches still implementing Rapid PVST+ and the HP E-Series switches
implementing MSTP. The two protocols can interoperate, but you should carefully
consider how they will interoperate so that you can proceed in the migration with
confidence.

The figure displays the RPVST+ topology before you connect the parallel network.
The sections below display the configuration for the Cisco switches and for the HP E-
Series switches. (Hint: The boldface settings in each configuration are the most
important for you to consider.)

Based on the configuration, what occurs when you connect the new switches?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Does this cause downtime?

_____________________________________________________________________

What steps could you take to solve the problem?

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Cisco Core 1 configuration

hostname CCore_1

vlan 100
vlan 111

ip subnet-zero
ip routing
no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.0.0.3 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport access vlan 111
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_2
 switchport access vlan 100
 switchport mode access

interface GigabitEthernet1/0/3
 description to HeDist_1
 switchport access vlan 111
 switchport mode access

interface Vlan100
 ip address 10.0.100.3 255.255.255.0

interface Vlan111
 ip address 10.0.111.3 255.255.255.0

router eigrp 1
 network 10.0.0.0

The switch’s MAC address is 001de5-00003.

Cisco Core 2 configuration

hostname CCore_2

vlan 100
vlan 112

ip subnet-zero
ip routing
no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.0.0.4 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_2
 switchport access vlan 112
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_1
 switchport access vlan 100
 switchport mode access

interface Vlan100
 ip address 10.0.100.4 255.255.255.0

interface Vlan112
 ip address 10.0.112.4 255.255.255.0

router eigrp 1
 network 10.0.0.0

The switch’s MAC address is 001de5-00004.

Cisco Distribution 1 configuration

hostname CDist_1
ip subnet-zero
ip routing

lldp run
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 0
spanning-tree vlan 20-21 priority 4096

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21
vlan 111

interface Loopback0
 ip address 10.1.0.1 255.255.255.255

interface GigabitEthernet1/0/1
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_1
 switchport access vlan 111
 switchport mode access
 spanning-tree bpdufilter enable

interface GigabitEthernet1/0/5
 description to HeDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 standby 1 ip 10.1.2.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 10 ip 10.1.10.254
 standby 10 priority 255
 standby 10 preempt

interface Vlan11
 ip address 10.1.11.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 11 ip 10.1.11.254
 standby 11 priority 255
 standby 11 preempt

interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 20 ip 10.1.20.254

interface Vlan21
 ip address 10.1.21.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 21 ip 10.1.21.254

interface Vlan111
 ip address 10.0.111.1 255.255.255.0

router ospf 1
 area 1 stub
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 network 10.1.2.0 0.0.0.255 area 1
 network 10.1.10.0 0.0.1.255 area 1
 network 10.1.20.0 0.0.1.255 area 1
 network 10.0.111.0 0.0.0.255 area 0
 passive-interface vlan 2
 passive-interface vlan 10
 passive-interface vlan 11
 passive-interface vlan 20
 passive-interface vlan 21

ip classless

The switch’s MAC address is 001de5-00001.

Cisco Distribution 2 configuration

hostname CDist_2
ip subnet-zero
ip routing

lldp run
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 4096
spanning-tree vlan 20-21 priority 0

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21
vlan 111

interface Loopback0
 ip address 10.1.0.2 255.255.255.255

interface GigabitEthernet1/0/1
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_2
 switchport access vlan 112
 switchport mode access
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.254

interface Vlan2
 ip address 10.1.2.2 255.255.255.0
 standby 1 ip 10.1.2.254

interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 10 ip 10.1.10.254

interface Vlan11
 ip address 10.1.11.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 11 ip 10.1.11.254

interface Vlan20
 ip address 10.1.20.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 20 ip 10.1.20.254
 standby 20 priority 255
 standby 20 preempt

interface Vlan21
 ip address 10.1.21.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 21 ip 10.1.21.254
 standby 21 priority 255
 standby 21 preempt

interface Vlan112
 ip address 10.0.112.2 255.255.255.0

router ospf 1
 area 1 stub
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 network 10.1.2.0 0.0.0.255 area 1
 network 10.1.10.0 0.0.1.255 area 1
 network 10.1.20.0 0.0.1.255 area 1
 network 10.0.112.0 0.0.0.255 area 0
 passive-interface vlan 2
 passive-interface vlan 10
 passive-interface vlan 11
 passive-interface vlan 20
 passive-interface vlan 21

ip classless

The switch’s MAC address is 001de5-00002.

Cisco Edge 1 configuration

hostname CEdge_1

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to Server
 switchport access vlan 2
 switchport mode access

interface GigabitEthernet1/0/4
 description to HeDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Vlan1
 ip address 10.1.1.11 255.255.255.0

ip default-gateway 10.1.1.254
ip classless

The switch’s MAC address is 001de5-00011.

Cisco Edge 2 configuration

hostname CEdge_2

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to Client
 switchport access vlan 21
 switchport mode access

interface GigabitEthernet1/0/4
 description to HeDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Vlan1
 ip address 10.1.1.11 255.255.255.0

ip default-gateway 10.1.1.254

The switch’s MAC address is 001de5-00012.

HP E-Series Distribution 1 configuration

Note that, on HP E-Series switches, all VLANs not explicitly assigned to an MSTP
instance are in the IST (instance 0).

hostname "HeDist_1"
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-3,5-24
   ip address 10.1.1.5 255.255.255.0
   no untagged 4
   exit
vlan 10
   name "VLAN10"
   ip helper-address 10.1.2.100
   ip address 10.1.10.5 255.255.255.0
   tagged 1-3,5
   exit
vlan 11
   name "VLAN11"
   ip helper-address 10.1.2.100
   ip address 10.1.11.5 255.255.255.0
   tagged 1-3,5
   exit
vlan 20
   name "VLAN20"
   ip helper-address 10.1.2.100
   ip address 10.1.20.5 255.255.255.0
   tagged 1-3,5
   exit
vlan 21
   name "VLAN21"
   ip helper-address 10.1.2.100
   ip address 10.1.21.5 255.255.255.0
   tagged 1-3,5
   exit
vlan 111
   name "VLAN111"
   untagged 4
   ip address 10.0.111.5 255.255.255.0
   exit
interface loopback 0
   ip address 10.1.0.5 255.255.255.255
   ip ospf 10.1.0.5 area 0.0.0.0
router ospf
   area 0.0.0.1 stub 10
   exit
snmp-server community "public" unrestricted
spanning-tree
spanning-tree 4 bpdu-filter
spanning-tree config-name "migration"
spanning-tree config-revision 1
spanning-tree instance 1 vlan 10 11
spanning-tree instance 1 priority 0
spanning-tree instance 2 vlan 20 21
spanning-tree instance 2 priority 1
spanning-tree priority 0
vlan 1
   ip ospf 10.1.1.5 area 0.0.0.1
   vrrp vrid 1
      backup
      virtual-ip-address 10.1.1.254 255.255.255.0
      priority 254
      exit
   exit
vlan 2
   ip ospf 10.1.2.5 area 0.0.0.1
   vrrp vrid 2
      backup
      virtual-ip-address 10.1.2.254 255.255.255.0
      priority 254
      exit
   exit
vlan 10
   ip ospf 10.1.10.5 area 0.0.0.1
   vrrp vrid 10
      backup
      virtual-ip-address 10.1.10.254 255.255.255.0
      priority 254
      exit
   exit
vlan 11
   ip ospf 10.1.11.5 area 0.0.0.1
   vrrp vrid 11
      backup
      virtual-ip-address 10.1.11.254 255.255.255.0
      priority 254
      exit
   exit
vlan 20
   ip ospf 10.1.20.5 area 0.0.0.1
   vrrp vrid 20
      backup
      virtual-ip-address 10.1.20.254 255.255.255.0
      exit
   exit
vlan 21
   ip ospf 10.1.21.5 area 0.0.0.1
   vrrp vrid 21
      backup
      virtual-ip-address 10.1.21.254 255.255.255.0
      exit
   exit
vlan 111
   ip ospf 10.0.111.5 area 0.0.0.0
   exit

The switch’s MAC address is 0016ba-0001.

HP E-Series Distribution 2 configuration

Note that, on HP E-Series switches, all VLANs not explicitly assigned to an MSTP
instance are in the IST (instance 0).

hostname "HeDist_2"
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-3,5-24
   ip address 10.1.1.6 255.255.255.0
   no untagged 4
   exit
vlan 10
   name "VLAN10"
   ip helper-address 10.1.2.100
   ip address 10.1.10.6 255.255.255.0
   tagged 1-3,5
   exit
vlan 11
   name "VLAN11"
   ip helper-address 10.1.2.100
   ip address 10.1.11.6 255.255.255.0
   tagged 1-3,5
   exit
vlan 20
   name "VLAN20"
   ip helper-address 10.1.2.100
   ip address 10.1.20.6 255.255.255.0
   tagged 1-3,5
   exit
vlan 21
   name "VLAN21"
   ip helper-address 10.1.2.100
   ip address 10.1.21.6 255.255.255.0
   tagged 1-3,5
   exit
vlan 112
   name "VLAN112"
   untagged 4
   ip address 10.0.112.6 255.255.255.0
   exit
interface loopback 0
   ip address 10.1.0.6 255.255.255.255
   ip ospf 10.1.0.6 area 0.0.0.0
router ospf
   area 0.0.0.1 stub 10
   exit
snmp-server community "public" unrestricted
spanning-tree
spanning-tree 4 bpdu-filter
spanning-tree config-name "migration"
spanning-tree config-revision 1
spanning-tree instance 1 vlan 10 11
spanning-tree instance 1 priority 1
spanning-tree instance 2 vlan 20 21
spanning-tree instance 2 priority 0
spanning-tree priority 1
vlan 1
   ip ospf 10.1.1.6 area 0.0.0.1
   vrrp vrid 1
      backup
      virtual-ip-address 10.1.1.254 255.255.255.0
      exit
   exit
vlan 2
   ip ospf 10.1.2.6 area 0.0.0.1
   vrrp vrid 2
      backup
      virtual-ip-address 10.1.2.254 255.255.255.0
      exit
   exit
vlan 10
   ip ospf 10.1.10.6 area 0.0.0.1
   vrrp vrid 10
      backup
      virtual-ip-address 10.1.10.254 255.255.255.0
      exit
   exit
vlan 11
   ip ospf 10.1.11.6 area 0.0.0.1
   vrrp vrid 11
      backup
      virtual-ip-address 10.1.11.254 255.255.255.0
      exit
   exit
vlan 20
   ip ospf 10.1.20.6 area 0.0.0.1
   vrrp vrid 20
      backup
      virtual-ip-address 10.1.20.254 255.255.255.0
      priority 254
      exit
   exit
vlan 21
   ip ospf 10.1.21.6 area 0.0.0.1
   vrrp vrid 21
      backup
      virtual-ip-address 10.1.21.254 255.255.255.0
      priority 254
      exit
   exit
vlan 112
   ip ospf 10.0.112.6 area 0.0.0.0
   exit

The switch’s MAC address is 0016ba-0002.

Answer

[Figure: the Cisco network and the HP E-Series switches. Callouts: "VLAN 1 might
experience downtime when the HP E-Series IST advertises itself with a low priority."
"Temporarily block designated ports when it receives a better BPDU." "Solution: Set
the new distribution switches’ IST priorities higher than the Cisco priority for the
current VLAN 1."]

Figure 3 - 11: Answer


Did you arrive at this answer?

MSTP and RPVST+ interoperate on VLAN 1. The HP E-Series switches use the settings
for the IST in the root bridge election for this VLAN. Because HP E-Series switch
E and Cisco switch A both have 0 priority, an election is held. Either the Cisco switch
or the E-Series switch might become root based on which one has the lower MAC
address. In either case, the election will cause downtime in VLAN 1.

To prevent this situation from occurring, you should set the new distribution switches’
IST priorities higher than the current VLAN 1 root priority. On the other hand, the
new distribution switches’ priorities should also be lower than the default priority used
by the edge switches. Therefore, you could set the IST priorities on the HP E-Series to
2 (8192) and 3 (12288).
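
The election described above can be checked before any cable is connected. The following Python sketch is an added example, not part of the student guide; it takes the VLAN 1 and IST priorities and the MAC addresses from the configurations on this page. Assumptions: the edge switches keep the default priority 32768, the guide's shortened MAC notation is compared as vendor prefix then suffix, and the VLAN ID that extend system-id adds to the Cisco priority is left out, as in the reasoning above.

```python
from dataclasses import dataclass

STEP = 4096            # bridge priority is configured in steps of 4096
EDGE_DEFAULT = 32768   # assumed default priority on the Cisco edge switches


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # bridge priority value (HP multiplier * 4096)
    mac: str       # MAC as printed in the guide, e.g. "001de5-00001"

    def bridge_id(self):
        # The lowest tuple wins the election. The guide prints shortened
        # MACs, so they are compared as (vendor prefix, device suffix).
        prefix, suffix = self.mac.split("-")
        return (self.priority, int(prefix, 16), int(suffix, 16))


def hp_priority(multiplier):
    """'spanning-tree priority <n>' on the HP E-Series is a multiple of 4096."""
    if not 0 <= multiplier <= 15:
        raise ValueError("multiplier must be between 0 and 15")
    return multiplier * STEP


def elect_root(bridges):
    """Return the bridge with the numerically lowest bridge ID."""
    return min(bridges, key=Bridge.bridge_id)


def check_ist_plan(current_root, new_switches, edge_priority=EDGE_DEFAULT):
    """List every planned IST priority that breaks the two rules above."""
    problems = []
    for sw in new_switches:
        if sw.priority <= current_root.priority:
            problems.append(f"{sw.name}: priority {sw.priority} is not higher "
                            f"than {current_root.name} ({current_root.priority})")
        if sw.priority >= edge_priority:
            problems.append(f"{sw.name}: priority {sw.priority} is not lower "
                            f"than the edge default ({edge_priority})")
    return problems


# VLAN 1 values from the Cisco configurations on this page.
CDIST_1 = Bridge("CDist_1", 0, "001de5-00001")
CDIST_2 = Bridge("CDist_2", 4096, "001de5-00002")
EDGES = [Bridge("CEdge_1", EDGE_DEFAULT, "001de5-00011"),
         Bridge("CEdge_2", EDGE_DEFAULT, "001de5-00012")]

# IST priorities as first configured (0 and 1) and as corrected (2 and 3).
AS_CONFIGURED = [Bridge("HeDist_1", hp_priority(0), "0016ba-0001"),
                 Bridge("HeDist_2", hp_priority(1), "0016ba-0002")]
AS_CORRECTED = [Bridge("HeDist_1", hp_priority(2), "0016ba-0001"),
                Bridge("HeDist_2", hp_priority(3), "0016ba-0002")]


def root_after_connecting(new_switches):
    """VLAN 1 root once the new switches join the existing Cisco network."""
    return elect_root([CDIST_1, CDIST_2, *EDGES, *new_switches])


if __name__ == "__main__":
    for label, plan in (("as configured", AS_CONFIGURED),
                        ("as corrected", AS_CORRECTED)):
        print(label, "-> VLAN 1 root:", root_after_connecting(plan).name)
        for problem in check_ist_plan(CDIST_1, plan):
            print("  problem:", problem)
```

With the priorities as first configured, the root moves to HeDist_1; with multipliers 2 and 3, CDist_1 stays root and the check reports nothing.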



Potential problem spot 2: Migrating the edge

Use RPVST+ (or PVST+ uplinkfast) behavior to select the best way to migrate the
connections.

Method: Disable the connection at the old distribution switch.
RPVST+ behavior:
• After detecting that the link is down, the edge switch opens an alternative port.
• But an alternative port on the other side is opened only after the topology
  reconverges.

Method: Remove the connection physically, or disable the connection at the edge switch.
RPVST+ behavior:
• The edge switch immediately opens an alternative port.
• But an alternative port on the other side is opened only after the topology
  reconverges.

Figure 3 - 12: Potential problem spot 2: Migrating the edge

Assume that you are at the point in the migration in which each edge switch is
connected to at least one Cisco distribution switch and one HP E-Series distribution
switch. RPVST+/MSTP are eliminating loops. You want to remove the connection to
the Cisco switch and have the connection to the HP E-Series switch open as quickly
and seamlessly as possible. You must consider RPVST+ behavior to select the best
method.

What happens on a switch that implements RPVST+ when a physical connection
goes down? Only after the edge switch realizes that the connection has been lost
(which might take a second or two) does the edge switch open an alternative port. If
the switch has the designated port on the blocked link, and the other side has the
alternative port, the link might take even longer to open. It does so only after the
topology reconverges, which might be an additional second or two.

The same principles apply when the connection is disabled on the other side. After
the switch detects that it is no longer receiving BPDUs, it opens the alternative port if
it has this port. Otherwise, after the topology reconverges, the switch on the other
side opens its port.

When you disable the connection at the edge switch, it immediately opens the
alternative port. Again, if the other side has the alternative port, the topology must
reconverge before the link opens.

In summary, to migrate an edge switch to the new distribution switch most seamlessly,
first ensure that the switch is connected to both a Cisco distribution switch and an HP
E-Series switch. Next, ensure that the port that connects to the HP E-Series switch is
listed as an alternate port. Finally, disable (or disconnect) the port that connects to
the Cisco switch. The edge switch will rapidly open the alternate port to the HP
E-Series switch, maintaining connectivity for its endpoints.

Activity: Analyzing your readiness for a quick migration

[Figure: the Cisco switches and the HP E-Series switches connected as a parallel
network. Slide text: Based on the configuration, which ports are blocked?]

Figure 3 - 13: Activity: Analyzing your readiness for a quick migration

You will now consider methods to ensure that your edge switches have this desired
configuration (the port that connects to the HP E-Series switch is the alternate port
on each VLAN).

The sections below display each switch’s configuration. These configurations are
identical to the configurations for the previous activity, with the exception that the
HP E-Series switches’ IST priorities have been raised. Only the most relevant settings
are provided in these sections. For other settings, you can assume that the switches
are using the same configurations as in the previous activity.

Based on these configurations, which ports are blocked as alternate ports in each
VLAN when you connect the HP E-Series switches to the network? Mark the blocked
port in each VLAN in the figure above.

Is this the desired configuration? What issues might you encounter?

Cisco Distribution 1 configuration

hostname CDist_1

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 0
spanning-tree vlan 20-21 priority 4096

interface GigabitEthernet1/0/1
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_1
 switchport access vlan 111
 switchport mode access
 spanning-tree bpdufilter enable

interface GigabitEthernet1/0/5
 description to HeDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Cisco Distribution 2 configuration

hostname CDist_2

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 4096
spanning-tree vlan 20-21 priority 0

interface GigabitEthernet1/0/1
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_2
 switchport access vlan 112
 switchport mode access
 spanning-tree bpdufilter enable

Cisco Edge 1 configuration

hostname CEdge_1

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to Server
 switchport access vlan 2
 switchport mode access

interface GigabitEthernet1/0/4
 description to HeDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Cisco Edge 2 configuration

hostname CEdge_2

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to Client
 switchport access vlan 21
 switchport mode access

interface GigabitEthernet1/0/4
 description to HeDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

HP E-Series Distribution 1 configuration

Note that, on HP E-Series switches, all VLANs not explicitly assigned to an MSTP
instance are in the IST (instance 0).

hostname "HeDist_1"
vlan 1
   untagged 1-3,5-24
   no untagged 4
vlan 10
   tagged 1-3,5
vlan 11
   tagged 1-3,5
vlan 20
   tagged 1-3,5
vlan 21
   tagged 1-3,5
vlan 111
   untagged 4
spanning-tree
spanning-tree 4 bpdu-filter
spanning-tree config-name "migration"
spanning-tree config-revision 1
spanning-tree instance 1 vlan 10 11
spanning-tree instance 1 priority 0
spanning-tree instance 2 vlan 20 21
spanning-tree instance 2 priority 1
spanning-tree priority 2

HP E-Series Distribution 2 configuration

Note that, on HP E-Series switches, all VLANs not explicitly assigned to an MSTP
instance are in the IST (instance 0).

hostname "HeDist_2"
vlan 1
   untagged 1-3,5-24
   no untagged 4
vlan 10
   tagged 1-3,5
vlan 11
   tagged 1-3,5
vlan 20
   tagged 1-3,5
vlan 21
   tagged 1-3,5
vlan 112
   untagged 4
spanning-tree
spanning-tree 4 bpdu-filter
spanning-tree config-name "migration"
spanning-tree config-revision 1
spanning-tree instance 1 vlan 10 11
spanning-tree instance 1 priority 1
spanning-tree instance 2 vlan 20 21
spanning-tree instance 2 priority 0
spanning-tree priority 3

Answer: VLAN 1

[Figure: the Cisco switches, including the VLAN 1 root, and the HP E-Series switches.
Legend: blocked by RPVST+ on VLAN 1; blocked on all VLANs by MSTP.]

Figure 3 - 14: Answer: VLAN 1


Here you see the answer for VLAN 1, which is the VLAN on which RPVST+ and MSTP
interoperate. Each Cisco edge switch defines the port that connects to the secondary
root in VLAN 1 as an alternate port and blocks it. However, the port that connects to
the HP E-Series switch is selected as the designated port because the Cisco switches,
using the default RPVST+ cost method, advertise a lower root path cost than the HP
E-Series switches.

The HP E-Series switch, in turn, defines the ports that connect to the Cisco edge
switches as alternate ports and blocks them. Because MSTP interoperates on the CIST
as if it were RSTP, it blocks the port entirely for all traffic.

As you will see in a moment, this configuration can cause migration problems. First,
however, examine the topology for the other VLANs.

Answer: Other VLANs

[Figure: the Cisco switches, including the root, and the HP E-Series switches. Callout
on the HP E-Series switches: "Drops RPVST+ BPDUs on blocked ports". Legend: blocked
by RPVST+ on VLANs 2, 10, 11; blocked by RPVST+ on VLANs 20, 21; blocked on all
VLANs by MSTP.]

Figure 3 - 15: Answer: Other VLANs


In other VLANs, the edge switches define the port that connects to the primary root
for those VLANs as the root port. The other port that connects to a Cisco switch is a
blocked alternate port. This configuration is as it should be because it provides a
quick failover as you disable the other edge port uplink.

However, the status for the port that connects to the HP E-Series switch is more
problematic. The HP E-Series switches would simply pass RPVST+ BPDUs on other
VLANs, appearing like a hub. However, MSTP has blocked the ports, preventing the
BPDUs from passing. Therefore, the edge switches leave these ports open as
designated ports that are not receiving BPDUs. Because the HP E-Series switches
block the ports, loops do not occur. However, this configuration is not ideal for the
migration as you will explore in the next slide.

Activity: Continuing to analyze your readiness for a seamless migration

[Figure: the Cisco switches and the HP E-Series switches, with ports P1 and P2
labeled. Legend: blocked by RPVST+ on VLANs 1, 2, 10, 11; blocked by RPVST+ on
VLANs 20, 21; blocked on all VLANs by MSTP. Slide text: What happens when you
disable Ports 1 and 2 on the edge switches?]

Figure 3 - 16: Activity: Continuing to analyze your readiness for a seamless migration


The figure shows the RPVST+/MSTP topology that you have determined that this
network forms when you connect the parallel network.

What do you expect will happen when you disable port 1 on each edge switch?

What do you expect will happen when you then disable port 2 on each edge
switch?

Answers
• When you disable Port 1, the alternate port immediately opens for VLANs 1, 2,
  10, and 11.
• However, when you disable Port 2, connectivity is temporarily lost in all VLANs
  while the topology reconverges. The downtime will be quite short, probably only
  a second or perhaps a bit longer for a network with a more complicated
  topology.


Answers
To create the optimal spanning tree topology, you should take one, or preferably all, of these steps:

• Set the path cost method to long on the Cisco switches.

    Cisco(config)# spanning-tree pathcost method long

• Reduce the cost on the IST for the ports that connect the HP E-Series distribution layer switches to the PVST+ VLAN 1 root.

    HP-E(config)# spanning-tree <port ID> cost 5000

• Set the IST priority lower on the HP E-Series switches than on the edge (but higher than on the root).

    HP-E(config)# spanning-tree priority <2-7>

Changing the path cost method on the Cisco switches ensures that the HP E-Series switches and Cisco switches assign the same cost to links with the same speeds. This configuration might be enough to ensure that the HP E-Series switch to which the edge switches connect offers the same root path cost as the Cisco switches.

However, as in the illustrated topology, the HP E-Series switch might not be directly connected to the VLAN 1 root. In that case, you would need to take further steps to ensure a lower path cost on the HP E-Series switch. You could alter the port cost on each switch-to-switch port between the HP E-Series switch and the Cisco VLAN 1 root. In fact, in a real-world scenario, these switches might connect with link aggregations. Therefore, it would be quite appropriate to assign the links a lower cost permanently. Note that link aggregation groups on HP E-Series switches by default use the port cost for the link with the highest bandwidth. Therefore, you must set the lower cost manually.

Finally, to ensure that when the E-Series and Cisco edge switches’ root path costs tie, the E-Series switches are selected as the designated switches, set the IST priority on these switches higher than the priority on the edge switches (that is, to a numerically lower priority value).
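The three steps above can be checked with a simplified model of the designated-bridge election on the link between an HP E-Series distribution switch and a Cisco edge switch. This is an added example, not part of the course material: the topology (1 Gb/s links, edge switch one hop from the VLAN 1 root), the MAC addresses, the edge switch's default priority of 32768, and the reading of the `<2-7>` priority argument as a multiple of 4096 are assumptions.

```python
from typing import NamedTuple, Optional

# Default port costs by link speed in Mb/s for the two path cost methods.
SHORT_COSTS = {10: 100, 100: 19, 1000: 4, 10000: 2}
LONG_COSTS = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000}

# Constructed MAC addresses; the edge MAC is deliberately the lower one.
EDGE_MAC = "00:00:00:aa:aa:01"
HP_MAC = "00:00:00:bb:bb:01"


class Offer(NamedTuple):
    """What a bridge advertises on a shared link. Tuples compare field by
    field, which mirrors STP: lowest root path cost first, then lowest
    bridge ID (priority value, then MAC address)."""
    root_path_cost: int
    priority: int
    mac: str


def path_cost(hop_speeds, table, manual_cost: Optional[int] = None) -> int:
    """Sum the port costs along a path to the root. A manual cost, when
    given, replaces the table default on every hop."""
    return sum(table[s] if manual_cost is None else manual_cost
               for s in hop_speeds)


def designated_bridge(cisco_table, hp_hops=1, hp_manual_cost=None,
                      hp_priority_step=8):
    """Return (winner, hp_cost, edge_cost) for the HP-to-edge link.

    cisco_table       cost method configured on the Cisco switches
    hp_hops           1 Gb/s hops between the HP switch and the VLAN 1 root
    hp_manual_cost    cost set manually on each of those hops
    hp_priority_step  HP priority step (value = step * 4096; 8 = 32768)
    """
    # Assumption: the edge switch has a 1 Gb/s uplink straight to the
    # VLAN 1 root and keeps the default priority value of 32768.
    edge = Offer(path_cost([1000], cisco_table), 32768, EDGE_MAC)
    # Assumption (implied by the text): the HP switch uses long costs.
    hp = Offer(path_cost([1000] * hp_hops, LONG_COSTS, hp_manual_cost),
               hp_priority_step * 4096, HP_MAC)
    winner = "HP E-Series" if hp < edge else "Cisco edge"
    return winner, hp.root_path_cost, edge.root_path_cost


if __name__ == "__main__":
    cases = [
        ("Cisco short, HP direct, default priority", (SHORT_COSTS, 1, None, 8)),
        ("Cisco long, HP direct, default priority", (LONG_COSTS, 1, None, 8)),
        ("Cisco long, HP direct, priority step 2", (LONG_COSTS, 1, None, 2)),
        ("Cisco long, HP two hops, priority step 2", (LONG_COSTS, 2, None, 2)),
        ("Cisco long, HP two hops at cost 5000", (LONG_COSTS, 2, 5000, 2)),
    ]
    for label, args in cases:
        print(f"{label:<44} {designated_bridge(*args)}")
```

With mismatched cost methods the edge switch always advertises the smaller root path cost, so neither a priority change nor a realistic port cost on the HP side can make the HP switch designated until the Cisco switches use the long method.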



Migrating the default gateway


Once you have completed the routing protocol migration, and the HP E-Series switches have the proper routes in place, you can migrate the default gateway role to those switches. You can complete this step either before or after you migrate the edge switches’ connections (step 3 in the process that you examined earlier).

The primary difference between the two approaches will be the traffic flow:

• If you migrate the default gateway functionality before migrating the edge switch connections, all traffic will flow across the link between the parallel distribution layers until you migrate the edge connections.
• If you migrate the edge connections first, all traffic will flow across the link between the parallel distribution layers until you migrate the default gateway functionality.

As long as the link can handle the traffic during the migration, you need not be concerned.


Strategy 1: Endpoint ARP behavior


Unfortunately, this exact process will usually not work quite as smoothly as you might anticipate. Many endpoints, including those running Windows OSs, might not accept the gratuitous ARP message. This means that, unfortunately, you probably will not be able to take advantage of the gratuitous ARP to update your network.

Because Windows endpoints make up the majority of most networks, you will find it useful to consider how Windows handles ARP.

A Windows OS (this description is for Vista and later) has an ARP cache that consists of static entries (added manually) and dynamic entries (discovered through ARP requests). The Windows device will continue to use the same ARP entry as long as the entry is reachable, which means that traffic reaches it. A reachable entry becomes stale after not being used for a random interval between 15 and 45 seconds. If the Windows device needs to reach the IP address in a stale entry again, it sends an ARP request for the MAC address.

If, on the other hand, an address in a reachable entry becomes unreachable, the Windows device will reattempt two or three times before sending a new ARP request.

Q1: What will happen in a typical network full of Windows devices if you implement the process discussed on the previous slide:

• Configuring all VRRP settings on the HP E-Series switches but not enabling VRRP
• Enabling VRRP globally and on one VLAN on one HP switch
• Waiting a moment for the gratuitous ARP to propagate
• Disabling the VLAN interface on Cisco routing switch or switches

Will the network be disrupted and, if so, to what extent, and for how long?

_____________________________________________________________________


Q2: Based on typical Windows behavior, what will happen if you delay too long between enabling VRRP on a VLAN on the new HP switch and disabling that VLAN interface on the Cisco routing switch or switches?

_____________________________________________________________________

Strategy 1: Suggested process


You can put together a complete strategy for migrating the default gateway functionality for the customer’s LAN to HP E-Series switches using the same gateway addresses as the current routing switches:

1. Configure VRRP settings on each user VLAN on the new distribution switches.

2. Ensure that at least one of the new distribution switches has established adjacency with the core and is ready to route.

3. Move routing functionality to a single Cisco distribution switch.

   This step is optional. However, it is recommended because it allows you to disable the VLAN interface on only one Cisco switch as you migrate the virtual address to the HP E-Series switches. Therefore, you might find the process less complicated and more seamless.

   If you have time, you can experiment with completing and not completing this step in the lab and discover which you prefer.

   If you do complete this step, you must carefully consider how to move the functionality to the single switch in the HSRP group. However, because you will explore such strategies later in this module, you will not stop to consider them now.

4. In a moment, you will begin to shut down VLAN interfaces on the Cisco distribution switch (or switches). Because the Cisco switch will temporarily continue to route traffic for endpoints in some VLANs, you must ensure that it will have a route to the subnet associated with the shutdown interface.

   Otherwise, endpoints in other VLANs (which still use the Cisco switch as their default gateway) will not be able to reach the VLAN that you migrated to the HP E-Series switch.

   You will not encounter a problem as long as your Cisco distribution switch has a default route to the core, and the core has learned routes through the HP E-Series switch to the VLANs that you are migrating. If this is not the case in your environment, you could create a default route to the core manually. Or you could create a default route to the new HP E-Series switch on VLAN 1 and shut down VLAN 1 last. Or you could use OSPF to communicate the routes. In this case, you must ensure that OSPF is active on both the Cisco switch and the HP E-Series switch in one of the VLANs that is still active on the Cisco switch.

5. Optionally, schedule an outage.

   In the lab, you will observe the relatively brief downtime that this strategy might involve, and you can communicate this observation to the customer. Often it is better practice to schedule a brief outage than to disrupt users without warning, however briefly.

Note
In the lab, you will experiment with adding a static ARP entry and clearing an endpoint’s ARP cache to eliminate the downtime completely. However, this process does not use that technique, which can be difficult to implement in a real-world network with a great many endpoints running different OSs.

6. Prepare to shut down the VLAN interface on the active Cisco routing switch but do not do so yet. Then enable VRRP on one of the new distribution switches.

   Enable VRRP on one VLAN on one new distribution switch. (Again, it is simpler to migrate the IP address when you are dealing with only one switch.)

7. Shut down the VLAN interface on the Cisco routing switch.

   Clients will detect the issue and send an ARP request for the new MAC address, restoring their connectivity to other subnets within two to five seconds.

8. Repeat the process for each VLAN.

9. After the migration is complete, you can remove the old switches and then enable VRRP on the other new switch.
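A check that can follow step 7, as an added example that is not part of the course material: it reads Windows `arp -a` output collected from endpoints and reports whether each host's entry for the gateway address holds a VRRP virtual MAC or still holds an HSRP one. The host names, addresses and `arp -a` samples are constructed, and the check assumes the new switches answer with the standard VRRP virtual MAC format.

```python
import re

# One entry line of Windows "arp -a": IP address, dashed MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

# Well-known virtual MAC formats of the two redundancy protocols.
VIRTUAL_MACS = [
    ("HSRP", re.compile(r"^00-00-0c-07-ac-([0-9a-f]{2})$")),          # version 1
    ("HSRP", re.compile(r"^00-00-0c-9f-f([0-9a-f]-[0-9a-f]{2})$")),   # version 2
    ("VRRP", re.compile(r"^00-00-5e-00-01-([0-9a-f]{2})$")),          # IPv4
]


def classify_mac(mac):
    """Return (protocol, group or VRID) for a virtual MAC, else ("other", None)."""
    mac = mac.lower()
    for protocol, pattern in VIRTUAL_MACS:
        match = pattern.match(mac)
        if match:
            return protocol, int(match.group(1).replace("-", ""), 16)
    return "other", None


def gateway_entry(arp_output, gateway_ip):
    """Find the gateway's (mac, type) in one host's "arp -a" output."""
    for line in arp_output.splitlines():
        match = ENTRY.match(line)
        if match and match.group(1) == gateway_ip:
            return match.group(2).lower(), match.group(3).lower()
    return None


def cutover_status(arp_output, gateway_ip):
    """Summarize where one host stands after the VLAN cutover."""
    entry = gateway_entry(arp_output, gateway_ip)
    if entry is None:
        return "no entry"                 # host will ARP on next use
    mac, entry_type = entry
    protocol, _ = classify_mac(mac)
    if protocol == "VRRP":
        return "migrated"
    if protocol == "HSRP":
        # A static entry never ages out, so the host cannot recover alone.
        return "pinned to old gateway" if entry_type == "static" else "not yet re-resolved"
    return "unexpected MAC"               # neither virtual MAC format: review


def report(samples, gateway_ip):
    """Map each host name to its cutover status."""
    return {host: cutover_status(text, gateway_ip) for host, text in samples.items()}


HEADER = "Interface: 10.1.10.{n} --- 0xb\n  Internet Address      Physical Address      Type\n"
# Constructed samples for gateway 10.1.10.1 (HSRP group 10 / VRID 10).
SAMPLES = {
    "pc-a": HEADER.format(n=21) + "  10.1.10.1             00-00-5e-00-01-0a     dynamic\n",
    "pc-b": HEADER.format(n=22) + "  10.1.10.1             00-00-0c-07-ac-0a     dynamic\n",
    "pc-c": HEADER.format(n=23) + "  10.1.10.1             00-00-0C-07-AC-0A     static\n",
    "pc-d": HEADER.format(n=24) + "  10.1.10.255           ff-ff-ff-ff-ff-ff     static\n",
}

if __name__ == "__main__":
    for host, status in report(SAMPLES, "10.1.10.1").items():
        print(f"{host}: {status}")
```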


Analyzing the parallel network method


With your classmates, assess the advantages of the parallel network method. Also
discuss potential challenges introduced by this method and disadvantages.

Advantages:

_____________________________________________________________________

Challenges and disadvantages:

_____________________________________________________________________

Brainstorm situations in which you would use the parallel network method. Have you
encountered customers whose priorities aligned with the advantages of this method?

_____________________________________________________________________


Replacing switches one at a time


[Figure callouts: 1—Configure the new switches offline. 1—Begin migration to open standards. 2—Move routing functionality to one distribution switch.]

Figure 3 - 20: Replacing switches one at a time

You will now explore a final strategy: replacing switches one at a time. This strategy closely resembles the parallel network strategy because it involves Cisco distribution switches and HP E-Series switches working within the same network at the same time. However, this method introduces one new switch at a time, removing old switches at the same time, and so requires fewer ports at the core.

You follow these basic steps:

1. As always, you begin by configuring the new switches offline and migrating the Cisco switches to open standards, following the plan that you created earlier.

   For this method, as for the parallel network method, you must be careful to enable features on the HP E-Series switches only as you need them. At this point, you would probably enable MSTP but leave VRRP disabled. You could enable OSPF or not as you desire.

2. In the existing network, each Cisco distribution switch acts as HSRP Master Router in some of the VLANs. You want to remove one of the distribution switches, so you must move the Master router role for all VLANs to the other switch. You will learn a strategy for doing so in a little while.



[Figure callouts: 3—Replace the non-routing distribution switch. 4—Move the routing functionality to the new switch.]

Figure 3 - 21: Replacing switches one at a time (cont.)

3. After you verify that one Cisco distribution switch is handling all routing, you can remove the other. Connect the HP E-Series switch in its place.

   You can complete this step with several variations. For example, you can connect the HP E-Series switch to the distribution switch and to the core at this point but not yet to the edge. You will consider the implications of choices like these in a moment.

4. With the HP E-Series switch connected and receiving routes from the core (enable OSPF at this time if not already enabled), you are ready to migrate all routing functionality to this switch.

   The process for this migration is just like the process that you learned for the parallel network strategy. You can configure the existing default gateway addresses as the HP E-Series switches’ VRRP IP addresses and shut down VLAN interfaces on the Cisco switch as you enable VRRP on interfaces on the HP E-Series switch. Or you can assign new VRRP IP addresses to the HP E-Series switches and change the default gateway configurations.



[Figure callouts: 5—Replace the remaining switches. 6—Enable VRRP on all switches.]

Figure 3 - 22: Replacing switches one at a time (cont.)

5. With the HP E-Series switch now handling routing, you can remove the remaining Cisco distribution switch and connect the second HP E-Series switch. This step should not introduce any particular issues because the E-Series switch is handling all routing.

   Note that before you establish redundant connections from the Cisco edge switches to the second HP E-Series switch, you must migrate the edge switches to MSTP. You can perform this task in between disconnecting the last Cisco distribution switch and establishing the redundant connections.

6. The second HP E-Series switch should already be configured with all necessary settings. Now permit the switch to assume its part in handling traffic at the distribution layer. Enable OSPF, wait for the switch to receive the routes from the core, and then enable VRRP on each VLAN.



Where might issues occur?


You will now examine in more detail the issues that you must confront during this type of migration. In many ways, these issues resemble those presented by the parallel network strategy. Although the migration process looks different, you are, in fact, manipulating the network in a similar way:

• Adding an HP E-Series switch that must run in parallel with a Cisco switch
• Moving routing responsibilities from a Cisco switch to an HP E-Series switch

However, eliminating one of the redundant switches for the duration of the migration can simplify the process, which might cause you to select this method. (You can incorporate features of this method and the parallel network method in your own strategy.)

Still, the replacement method presents its own challenges, which you will learn about in this section. You will develop a strategy for migrating the routing functionality to a single Cisco distribution switch without introducing downtime. You will also plan to head off issues that might occur with spanning tree as you remove and replace the distribution layer switches.

You will encounter the same issues in migrating the routing functionality to the new distribution switch that you encountered with the parallel network migration strategy. Therefore, you will not explore those issues again.



Potential problem spot 2: STP behavior when you replace the switch

Similar issues to the parallel method:
• Prevent a root election from occurring
• Make sure that the edge ports are alternate

Figure 3 - 24: Potential problem spot 2: STP behavior when you replace the switch

You might encounter the same sorts of problems with MSTP/RPVST+ convergence when you replace the Cisco switch with an HP switch as you would see when you connect a parallel HP E-Series distribution layer to an existing Cisco layer.

Remember how to solve these problems:
• Set the IST priorities on the HP E-Series switches higher than on the current root in VLAN 1 but lower than on the edge switches. You can change the priority later.
• Set the path cost method on the Cisco switches to long. Optionally, adjust port costs to favor the distribution link.


Possible solution: Disabling STP

1. Remove the non-routing Cisco switch.
2. Disable STP on the HP E-Series switch.
3. Connect the HP E-Series switch to the distribution and core layers.
4. Disable ports on the HP E-Series switch and connect them to the Cisco edge switches.
5. Disable the edge switch ports on the Cisco switch as you enable them on the HP E-Series switch.

Could you modify this approach to work in the parallel network migration strategy?

Figure 3 - 25: Possible solution: Disabling STP

You looked at several possible solutions to such problems earlier in this module: setting the IST priorities on the HP E-Series switches higher than on the Cisco distribution switches but lower than on the edge switches, setting the Cisco path cost method to long, lowering the path cost on the E-Series distribution ports, and so forth. You will now examine an alternate method.

1. When you remove one of the Cisco distribution switches, the edge switches no longer require spanning tree for the moment.
2. You can now disable STP on the edge switches and on the HP E-Series switch. You will then be certain that the HP E-Series switch will not interfere with the topology.
   Do not disable STP on the Cisco distribution switch because this action will cause the switch to restart all of its VLAN interfaces, introducing downtime.
3. Connect the HP E-Series switch to the distribution and core layers but not to the edge.
4. First, disable ports on the HP E-Series switch and connect the disabled ports to the edge switches.
5. Ready the commands for enabling the disabled ports on the HP E-Series switch and for disabling the distribution-to-edge switch ports on the Cisco distribution switch. Enable the ports on the HP E-Series switch and then quickly disable the ports on the Cisco distribution switch.

After minimal if any downtime, the edge switches are connected to the HP E-Series switch only. You could then move the routing functionality to that switch.


Analyzing the replacement method


Advantages
• Very brief or no outage required
• Ability to migrate functionality gradually
• Fewer ports required at the core and at the distribution layer
• Ability to test functionality in a live network during the gradual migration

Challenges and possible disadvantages
• Need for careful planning on how the Cisco and HP E-Series switches will interoperate
• Fewer opportunities for pretesting in a non-live network

Figure 3 - 26: Analyzing the replacement method

With your classmates, assess the advantages of the replacement method. Also
discuss potential challenges introduced by this method and disadvantages.
Advantages:
_____________________________________________________________________


Challenges and disadvantages:


_____________________________________________________________________


Brainstorm situations in which you would use this method. Have you encountered
customers whose priorities aligned with the advantages of this method?

_____________________________________________________________________


Creating alternative strategies


Whatever plan you choose, you must customize it to meet your customer’s constraints
and priorities. For example, the customer might not allow you to alter configurations
on the DHCP server or other network services. In that case, you would be required to
use the same virtual IP addresses for VRRP that you were using for HSRP.
Or the customer might have port constraints at the core that require you to disconnect
some of the old switches before connecting new distribution switches. You would
need to select the replacement or forklift strategy, or develop a combination of the
parallel network and replacement method of your own. The lab actually features such
a constraint, with which you will need to deal.
NOTES
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


Summary
This module has guided you through many of the design considerations and potential
pitfalls of a migration from a Cisco distribution layer to an HP E-Series distribution
layer. You have learned how to plan the configuration for an open-standards-based
network with an HP E-Series distribution layer, and you have experimented with and
analyzed the results of several migration strategies for reaching this final
configuration. Along the way, you have discovered potential issues and areas of
concern—and you have developed solutions for these problems.


Prelab activity: Plan a complete migration strategy


[Figure: two topologies side by side.
INITIAL: CCore_1, CCore_2; CDist_1, CDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client). Labels: EIGRP, HSRP, CDP, VTP, PVST.
FINAL: CCore_1, CCore_2; HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client). Labels: OSPF, VRRP, LLDP, VLAN, MSTP.]

Figure 3 - 27: Prelab activity: Plan a complete migration strategy

In preparation for the lab, you and your partner will now plan a strategy for the
migration. Follow the instructions in the sections below until:
• The HP E-Series switches have replaced the Cisco distribution switches and have
  redundant connections to the edge
• The Cisco distribution switches have been disconnected
• Both HP E-Series switches are routing traffic and their STP roles synchronize with
  their VRRP roles
• You might not need to use all of the steps.
• If a question in a step does not apply to your strategy, simply ignore it and move
  on.
You are working with these constraints:
• Each Cisco switch has four available ports for all switch-to-switch and edge
  connections.
• You want to minimize downtime.
Be prepared to present your plan to your classmates.


My migration strategy
Design your strategy.
Step 1: Begin to migrate the Cisco network to open standards

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 28: Migration step

Circle the settings that you will migrate on the Cisco switches at this step:
• LLDP to CDP
• VTP to GVRP or Static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
What are the issues that are involved in your choices?
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


For any protocol that you do not plan to migrate at this point, explain how the Cisco
protocol will interoperate with the HP E-Series protocol.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

What settings will you use for these protocols? You can use the plan that you created
at the beginning of this module beginning on page 3-19 or the plan that was
proposed beginning on page 3-24.
If you are planning to migrate the Cisco distribution switches to open standard
protocols such as OSPF, you must use settings that are compatible with your plan for
the HP E-Series configuration. Plan those settings:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


Step 2: Begin to configure the HP E-Series switches


Before touching the connections, you will also configure settings on the HP E-Series
switch. Circle and place a star next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
What settings will you use for these protocols? You can use the plan that you created
at the beginning of this module beginning on page 3-19 or the plan that was
proposed beginning on page 3-24.
Step 3
You will now begin to migrate your Layer 2 connections or Layer 3 functionality (as
you choose).
Will you alter any settings before you begin? If so, indicate which settings you will
change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 29: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 5
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).


Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 30: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 6
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).


Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 31: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 7
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).


Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________


Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 32: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 8
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).


Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 33: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 9
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).


Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 34: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 10
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 35: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 11
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 36: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP
Step 12
Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, from two switches to one
switch, or one switch to two switches, plan a process for doing so:
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Mark in the connections for this step of the migration. Indicate which ports you
expect STP to block. During the lab, you will verify whether what you expect to occur
actually occurs.

[Figure: devices shown: CCore_1, CCore_2; CDist_1, CDist_2, HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 3 - 37: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF
Circle the settings that are currently enabled on the HP E-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• VRRP

Lab 3-1: Migrating the Distribution Layer from Cisco to HP E-Series Devices

[Figure: two topologies side by side.
INITIAL: CCore_1, CCore_2; CDist_1, CDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client). Labels: EIGRP, HSRP, CDP, Rapid-PVST.
FINAL: CCore_1, CCore_2; HeDist_1, HeDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client). Labels: OSPF, VRRP, LLDP, VLAN, MSTP.]

Figure 3 - 38: Lab 3-1: Migrating the Distribution Layer from Cisco to HP E-Series Devices

Consult your Lab Activity Guide for instructions for performing this activity.

Lab debrief
Use the space below to record the key things you learned, and also the challenges
you faced in lab activity 3.1.

Table 3-11: Debrief for lab activity 3.1

Challenges | Key things learned

NOTES
_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Learning check
Discuss these questions with your classmates:
Q1: Before you connect replacement HP E-Series distribution devices in parallel to
existing Cisco ones, what should you check?

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

Q2: Before you connect replacement HP E-Series distribution devices in parallel to
existing Cisco ones, what should you check?

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

Q3: Before you connect replacement HP E-Series distribution devices in parallel to


existing Cisco ones, what should you check?

____________________________________________________________________

d.
ite
____________________________________________________________________

ib
oh
____________________________________________________________________

pr
is
n
____________________________________________________________________

sio
is
m
____________________________________________________________________

er
tp
____________________________________________________________________

ou
ith
w
____________________________________________________________________

rt
pa
____________________________________________________________________
i n
or
l e
ho
w
in
n
c tio
du
ro
ep
.R
ly
on
use
er
ld
ho
ake
St
&L
C
P
H

Rev. 11.21 3 –127


BitSpyder - The Culture of Knowledge

Migrating to an Open Standards Network

Appendix: Implementing ACLs and QoS on the replacement HP E-Series switches
This appendix provides information on reproducing Cisco access control lists (ACLs) and Quality of Service (QoS) policies on HP E-Series devices.

Migrate ACLs and QoS policies
In order to help you concentrate on the fundamentals of the migration, until now you have examined migrating distribution layers with relatively simple configurations. But in a production environment, you will often encounter switches that implement more sophisticated features, and you must consider the effects of these features on the migration.

The last section in this module introduces you to a few considerations for migrating a distribution layer from Cisco to HP E-Series devices when the distribution switches enforce access control lists (ACLs) and quality of service (QoS) policies.

Your two main goals for this section are to:
• Configure HP E-Series ACLs and QoS policies that provide the expected functionality
• Determine the best time to enable the new ACLs or policies during the migration

You can meet these goals within any of the migration models that you have examined in this module. The first goal remains more or less the same no matter which method you use. The second is more complicated for the parallel network and replacement strategies, in which you migrate functionality gradually while attempting to minimize downtime.

Applying the ACLs

| ACL application | Cisco functionality | HP E-Series functionality |
|---|---|---|
| Routed ACL (RACL) | Applied to a routed port or VLAN interface as inbound (in) or outbound (out). Controls all traffic routed from (in) or to (out) the interface. | Applied to a VLAN interface as inbound (in) or outbound (out). Controls all traffic routed from (in) or to (out) the interface. |
| VLAN-based ACL (VACL) | Applied as ACLs in a VLAN access map, which is applied to a VLAN list. Controls all traffic routed to the VLAN and arriving on the VLAN. | Applied to a VLAN interface as a VLAN ACL (vlan). Controls all traffic arriving on the VLAN. |
| Port ACL | Applied to a physical port as inbound (in) or outbound (out). Controls all traffic arriving on (in) or leaving the port (out). | Applied to a physical port as inbound (in). Controls all traffic arriving on the port. |

Figure 3 - 39: Applying the ACLs

You do need to understand some differences in the ways that you apply ACLs on HP E-Series switches as compared to applying them to Cisco switches. Otherwise, you might find the ACLs allowing or denying unexpected traffic.

RACLs
You apply routed ACLs (RACLs) to inbound or outbound traffic on routed E-Series interfaces much as you do on Cisco switches (in and out options in the ip access-group command).

Note that E-Series switches do not have routed physical interfaces. Instead, you must create a VLAN interface for the subnet and specify the IP address there; you can then assign that VLAN as an untagged VLAN on a physical port. As long as you do not assign that VLAN to any other ports, the port behaves much like a routed port. However, remember that you apply all IP settings and so forth to the VLAN interface.

VACLs
It is VLAN-based ACLs (VACLs) that differ most in configuration between the two vendors. On Cisco switches, when you want to control both routed and non-routed traffic that arrives on a VLAN interface, you use VLAN access maps. You configure ACLs to select traffic and then apply an action to traffic selected by the ACL in the VLAN access map. A VLAN access map, like a typical ACL, has an implicit drop all statement at the end.

On HP E-Series switches, you configure VACLs to control routed and non-routed traffic just as you do other ACLs. You then apply the ACL to the VLAN interface using the vlan option in the ip access-group command.

Port ACLs
On HP E-Series switches, you can also apply port ACLs to inbound traffic on a port by applying the ACL to a physical port. You cannot apply the ACL to outbound traffic. The E-Series PACL filters all traffic, routed or not, that arrives on the interface.

Planning the ACL migration
You will often find migrating your ACLs to the HP E-Series devices rather straightforward. RACLs, which are commonly applied at the distribution level, function on the HP E-Series devices just as they do on the Cisco devices.

On the other hand, the table in Figure 3-39 highlighted features on the Cisco switches that the HP E-Series switches do not reproduce in the same way. If the Cisco distribution devices’ ACLs include these features, you must create a plan to account for that. The sections below focus on specific, potentially problematic features.

Planning VACLs
A Cisco VLAN access map filters all traffic on a VLAN:
• Traffic that arrives on the VLAN at Layer 2 and is switched within that VLAN
• Traffic that arrives on the VLAN at Layer 2 and is routed out of the VLAN
• Traffic that arrives on a different interface and is routed to the VLAN

An HP E-Series VACL filters the first two types of traffic but not the third.

Therefore, you must check your Cisco VLAN access map for entries which match the third use case—they will have a source address in another subnet (or, perhaps, any) and a destination address in the subnet associated with the VLAN (or, perhaps, any).

If you find any such entries, create another ACL to select them. Then apply that second ACL to the HP E-Series VLAN as an outbound RACL in addition to applying the VACL.

When you apply both a VACL and a RACL to a VLAN interface on an HP E-Series switch, these rules apply:
• Any switched traffic explicitly permitted by the VACL is forwarded without being checked against the RACL.
• Any routed traffic explicitly permitted by the VACL is checked against the RACL before it is forwarded. If the RACL denies the traffic, the switch drops it.

VACL example
A Cisco switch is the default router for VLAN 10 (10.1.10.0/24), VLAN 11 (10.1.11.0/24), and VLAN 20 (10.1.20.0/24). It also connects to a WAN router, which connects to the Internet, on a routed port. It has this ACL configuration:

! ACL 100 selects the traffic that access map entry 10 drops
access-list 100 permit ip 10.1.11.0 0.0.0.255 host 10.1.10.10
access-list 100 permit ip 10.1.10.128 0.0.0.127 host 10.1.10.10
access-list 100 permit ip 10.1.10.0 0.0.1.255 10.1.20.0 0.0.0.255
! Entry 10 drops traffic matched by ACL 100; entry 20 forwards everything else
vlan access-map VLAN10_11_AC 10
 match ip address 100
 action drop
vlan access-map VLAN10_11_AC 20
 action forward
! Apply the same map to VLANs 10 and 11
vlan filter VLAN10_11_AC vlan-list 10-11

You can create a table that shows how the Cisco switch is controlling traffic.

Table 3-13: Example Cisco VLAN access map

| Row | Traffic that is controlled | How traffic is controlled |
|---|---|---|
| 1 | Traffic that arrives on VLAN 10 and is switched in VLAN 10 | Endpoints between 10.1.10.128 and 10.1.10.254 are denied access to 10.1.10.10. All other switched traffic is permitted. |
| 2 | Traffic that arrives on VLAN 10 and is routed to another VLAN or routed port. | Traffic to VLAN 20 is dropped, but all other traffic is permitted. |
| 3 | Traffic that arrives on another VLAN or routed port and is routed to VLAN 10 | All endpoints in VLAN 11 are denied access to 10.1.10.10. (This statement will actually be redundant because the map applied to VLAN 11 will also filter this traffic. However, you have saved time by applying the same map to two VLANs.) All other traffic to VLAN 10 is permitted. |
| 4 | Traffic that arrives on VLAN 11 and is switched in VLAN 11 | All switched traffic is permitted. |
| 5 | Traffic that arrives on VLAN 11 and is routed to another VLAN or routed port. | Traffic to VLAN 20 is dropped, as is traffic to host 10.1.10.10 but all other traffic is permitted. |
| 6 | Traffic that arrives on another VLAN or routed port and is routed to VLAN 11 | All traffic is permitted. |

On the HP E-Series switch, you can apply VACLs to VLANs 4 and 5 to filter the traffic indicated in rows 1, 2, 4, and 5. Examine rows 3 and 6, which would not be controlled by HP E-Series VACLs. Row 3 permits all traffic except traffic between endpoints in VLAN 11 and 10.1.10.10. This access control, however, is covered by the VACL applied to VLAN 11. Row 6 permits all traffic, so you do not need to worry about creating another VACL. In this case, the proper E-Series VACLs will provide the correct functionality:

access-list 100 deny ip 10.1.10.128 0.0.0.127 host 10.1.10.10
access-list 100 deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 10.1.11.0 0.0.0.255 host 10.1.10.10
access-list 101 deny ip 10.1.11.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 101 permit ip any any
vlan 10
 ip access-group 100 vlan
vlan 11
 ip access-group 101 vlan

Note
Because the ACL applied to VLAN 11 does not control switched traffic, you could apply it as an inbound RACL instead.
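
The check described under Planning VACLs, run against the example Cisco ACL above, as an added example (not part of the course text and not HP or Cisco tooling). It assumes plain ip entries with contiguous wildcard masks, and it treats a routed-in entry as already covered when its source lies wholly in another VLAN that carries the equivalent VACL on the same switch, as the text argues for row 3; the function names and the second, constructed ACL are hypothetical.

```python
import ipaddress

# The Cisco ACL from the VACL example on this page (it selects what the map drops).
CISCO_ACL = """\
access-list 100 permit ip 10.1.11.0 0.0.0.255 host 10.1.10.10
access-list 100 permit ip 10.1.10.128 0.0.0.127 host 10.1.10.10
access-list 100 permit ip 10.1.10.0 0.0.1.255 10.1.20.0 0.0.0.255
"""
# Constructed entries (not from the page): sources outside every filtered VLAN.
CONSTRUCTED_ACL = """\
access-list 100 permit ip any host 10.1.10.10
access-list 100 permit ip 192.0.2.0 0.0.0.255 10.1.10.0 0.0.0.255
"""
# VLANs in the map's vlan-list and their subnets, as stated on the page.
FILTERED_VLANS = {10: ipaddress.ip_network("10.1.10.0/24"),
                  11: ipaddress.ip_network("10.1.11.0/24")}

def take_selector(tokens):
    """Consume one 'any' | 'host A' | 'A WILDCARD' selector; return an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    addr = int(ipaddress.IPv4Address(first))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    if wild & (wild + 1):  # wildcard bits are not one contiguous low-order run
        raise ValueError("non-contiguous wildcard mask, review by hand")
    prefix = 32 - wild.bit_length()
    return ipaddress.ip_network((addr & ~wild & 0xFFFFFFFF, prefix))

def parse_aces(text):
    """Return (line, src, dst) for each 'access-list N permit|deny ip ...' line."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only plain IP entries are handled here
        rest = tokens[4:]
        src = take_selector(rest)
        dst = take_selector(rest)
        aces.append((line.strip(), src, dst))
    return aces

def traffic_classes(vlan_net, src, dst):
    """Which of the three traffic types an entry can match for this VLAN."""
    classes = set()
    if src.overlaps(vlan_net) and dst.overlaps(vlan_net):
        classes.add("switched")    # arrives on the VLAN, stays in it
    if src.overlaps(vlan_net) and not dst.subnet_of(vlan_net):
        classes.add("routed-out")  # arrives on the VLAN, routed elsewhere
    if dst.overlaps(vlan_net) and not src.subnet_of(vlan_net):
        classes.add("routed-in")   # arrives elsewhere, routed to the VLAN
    return classes

def outside_parts(src, vlan_net):
    """The portions of src that lie outside the VLAN subnet."""
    if src.subnet_of(vlan_net):
        return []
    if vlan_net.subnet_of(src):
        return list(src.address_exclude(vlan_net))
    return [src]

def needs_outbound_racl(vlan_id, aces, vlans=FILTERED_VLANS):
    """Entries whose routed-in traffic to vlan_id no inbound VACL would see."""
    vlan_net = vlans[vlan_id]
    others = [net for vid, net in vlans.items() if vid != vlan_id]
    flagged = []
    for line, src, dst in aces:
        if "routed-in" not in traffic_classes(vlan_net, src, dst):
            continue
        parts = outside_parts(src, vlan_net)
        if not all(any(p.subnet_of(o) for o in others) for p in parts):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for name, text in (("page ACL", CISCO_ACL), ("constructed ACL", CONSTRUCTED_ACL)):
        aces = parse_aces(text)
        for vlan_id in FILTERED_VLANS:
            print(name, "VLAN", vlan_id, "->", needs_outbound_racl(vlan_id, aces))
```

For the page's ACL nothing is flagged on either VLAN, which matches the conclusion drawn from rows 3 and 6; the constructed entries are flagged for VLAN 10 because their sources arrive from outside both filtered VLANs.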

Planning Port-based ACLs
HP E-Series switches only apply port-based ACLs to inbound traffic. If your network features outbound port ACLs, you must redesign the ACL. For example, you can move the ACL to the port on which the traffic to be controlled arrives.

Figure 3 - 40: Migrating outbound port ACLs (original ACL configuration: outbound port ACL; new ACL configuration: inbound port ACL)

Determine when to migrate the ACLs

| ACL function | When you must migrate |
|---|---|
| Filter routed traffic. | Before the new switch begins to route traffic |
| Filter traffic within a VLAN | Before the traffic passes through the new switch |
| Filter traffic on a port | Before the traffic passes through the new switch |

But you can generally just enable the ACLs when you first configure the switch.

Figure 3 - 41: Determine when to migrate the ACLs

You must understand which type of traffic the ACL affects to determine when the HP E-Series ACL must take over. If the ACL is filtering routed traffic, for example, the HP E-Series switch must begin applying the ACL as soon as it routes the traffic. However, if the ACL filters traffic within a VLAN or traffic that arrives on a specific port, the HP E-Series ACL must filter the traffic as soon as the traffic flow alters and the traffic begins to pass through the HP E-Series switch instead of the old chokepoint.

Figure 3 - 42: Migrating a port ACL or VACL

Often, there are no adverse consequences to enabling all the ACLs before you connect the HP E-Series switch to the network as a replacement or parallel distribution switch. Then you are sure that the ACLs are in place and ready to control traffic.

Note that during the migration process, the route path might temporarily alter. For example, in the first section of this module, you learned strategies for migrating the Layer 3 functionality in which an old distribution switch temporarily routes some VLANs while a new switch routes others. However, as long as you have the correct RACLs in place on the new HP E-Series switches, the traffic should be controlled correctly as illustrated in the figures below.

Figure 3 - 43: Migrating an outbound RACL (panels: original routing path; temporary routing path if you migrate another VLAN first; temporary routing path if you migrate VLAN 10 first; final routing path)

Note that outbound RACLs need to be in place on the new routing switch as soon as you begin migrating any VLAN routing responsibilities to this switch, not simply before you migrate the VLAN in question. Even though the new switch is not yet the default gateway for that VLAN, it is routing traffic to it. Again, it is generally best practice simply to configure the ACLs in advance and know that they are in place.

Figure 3 - 44: Migrating an inbound RACL

Migrating QoS policies
When you replace your Cisco distribution switches with HP E-Series switches, you must assess the Cisco switches’ role in your current QoS solution and plan how to configure the E-Series switches to take over that role.

Devices at the distribution layer might implement a variety of QoS features that fall in several broad categories:
• Honoring prioritization—Honor traffic’s 802.1p Class of Service (CoS) or Differentiated Services Code Point (DSCP) values, typically by placing them in different priority queues
• Classifying (and marking) traffic—Classify traffic according to characteristics such as source and destination IP address, protocol, or TCP/UDP port and assign it to the correct priority queue. Typically the switch then marks each type of traffic with the appropriate CoS or DSCP to be honored after it is forwarded to another device.

Because it is best to classify traffic as close to the source as possible (at the edge), the distribution layer often plays only the first role. However, it can play both.

Honor prioritization
You can now consider some of the specific QoS functionalities. Sometimes the distribution layer only needs to honor priorities that have already been established by trusted applications or by switches at the edge.

On Cisco switches, you must manually specify on which ports the switch can accept and honor CoS values and DSCPs. HP E-Series switches, on the other hand, by default honor these values. Of course, as always, a frame must arrive on a tagged VLAN (have the 802.1Q tag) in order for it to carry a CoS value. The DSCP is located in the Layer 3 header, so it can be detected in traffic that arrives on a tagged or untagged VLAN.

Once the switch determines that it honors traffic’s QoS value, it must decide how it will treat the traffic based on that value. On both Cisco and E-Series devices, CoS values are assigned to specific priority queues; the switch then forwards traffic in higher queues first. Also, on both types of switch, you map DSCPs to CoS values in order to assign the traffic with that DSCP. Both types of devices also allow you to apply

The table provides some guidelines.

Table 3-14: QoS capabilities on Cisco and HP E-Series switches

Capability: Assign traffic to a priority queue based on a CoS value.
  Cisco configuration:
    Globally:
      mls qos
    On the port that receives the traffic:
      mls qos trust cos
  HP E-Series configuration:
    None necessary

Capability: Assign traffic to a priority queue based on a DSCP.
  Cisco configuration:
    Globally:
      mls qos
    On the port that receives the traffic:
      mls qos trust cos
    Globally:
      mls qos map cos-dscp <dscp1...dscp7>
    dscp1 is the DSCP that corresponds to the CoS 0 priority queue and so forth.
  HP E-Series configuration:
    Globally:
      qos type-of-service diff-services
      qos dscp-map <dscp> priority <1-7> [name <ascii-string>]
    You can create multiple maps; several are created by default (enter show qos dscp-map to see these maps).

Capability: Assign a rate limit to traffic based on a CoS value or DSCP.

Classify and mark traffic
Sometimes—perhaps because you have legacy edge switches—you need to classify some traffic at the distribution level.

Cisco switches generally classify traffic with class maps and policy maps. The class map selects a particular type of traffic while the policy map applies actions to the class maps such as marking the traffic with a QoS value or enforcing policing. You then apply the policy map to an interface as a service policy.

On HP E-Series switches with the ProVision ASIC, you can similarly create traffic classes that select particular types of IPv4 or IPv6 traffic. You then create service policies that select the classes and apply actions such as QoS-value marking or rate limiting. Finally, just as on the Cisco switches, you apply the service policy to a port or VLAN interface.

Note that one difference between the class maps on Cisco and HP E-Series devices is that the Cisco class maps can select previously-configured ACLs, but you always configure the selection criteria in the HP class map.

Alternatively, on HP E-Series switches, you can create a global QoS map that selects traffic directly and marks it with a QoS value. In this case, you can only select traffic by one criterion at a time (TCP/UDP port or source or destination IP address, for example). (If the switch also has service policies applied to interfaces, those take precedence.)

The table provides an example of QoS traffic classification, comparing the Cisco configuration, the HP E-Series per-port or per-VLAN configuration, and the HP E-Series global configuration.

Table 3-15: QoS classification capabilities on Cisco and HP E-Series switches

Capability: Select specific traffic according to its source, destination, protocol, or TCP/UDP ports and assign this traffic a priority.

  Cisco configuration:
    Globally:
      mls qos
      access-list <ID> <permit | deny> <standard or extended ACL selectors>
      class-map [match-all | match-any] <name>
       match access-group <ID>
       exit
      policy-map <name>
       class <name>
       set <dscp | cos> <value>
       exit
      interface <type> <ID>
       service-policy input <name>

  HP E-Series per-port or per-VLAN configuration:
      class <ipv4 | ipv6> <name>
       <seq-number> <match | ignore> <ip-protocol> <source-address> <destination-address>
       exit
      policy qos <name>
       <seq number> class <ipv4 | ipv6> <name> action <priority | dscp> <value>
       exit
      interface <port-list> service-policy <name> in
      vlan <ID> service-policy <name> in

  HP E-Series global configuration:
      qos <udp-port | tcp-port> [ipv4 | ipv6 | ip-all] <port-number | range start end> <priority | dscp> <value>
      qos device-priority <IPv4 address | [ipv4] IPv4 address/mask length | IPv6 address | ipv6 address/prefix length> <priority | dscp> <value>
      qos protocol <ip | ipx | arp | appletalk | sna | netbeui> <priority | dscp> <value>
    *The device-priority command selects traffic to or from that device.

Optional Lab 3.2: Migrating ACLs and QoS Policies from a Cisco to an HP E-Series Distribution Layer

Figure 3 - 45: Optional Lab 3.2: Migrating ACLs and QoS Policies from a Cisco to an HP E-Series Distribution Layer (initial and final lab topologies: CCore_1, CCore_2, CDist_2, HeDist_1, HeDist_2, CEdge_1, CEdge_2, PC_1 (server), PC_2 (client), PC_3 (client))

Consult your Lab Activity Guide for instructions for performing this activity.

Migrating and Expanding the Distribution Layer with HP A-Series
Module 4

Objectives
This module will help you to plan and execute successful migrations of Cisco distribution layer switches to HP A-Series distribution layer switches. You will explore several strategies, assessing their advantages and disadvantages—and learning how to avoid common issues.

By the time that you have completed this module, you will be able to:
• Replace Cisco switches at the distribution layer with HP A-Series switches
• Consider the order in which you migrate various features in order to reduce issues and downtime
• Assess the advantages of various strategies in different customer environments
• Select distribution layer features to improve your new network

Migration scenario

Figure 4-1: Migration scenario (initial network: Cisco switches running EIGRP, HSRP, CDP, VTP, and RPVST+; final network: HP A-Series distribution switches between the Cisco core and edge switches, with the protocols marked "?")

On the left you see a simplified design for an existing customer network that uses Cisco devices. Two distribution layer switches work as redundant routing switches for the network using Hot Standby Router Protocol (HSRP). They connect to two edge switches in the figure—they would connect to far more in a real-world scenario—and to two different core switches, each of which offers a connection to the Internet. The core and distribution switches communicate routes using Enhanced Interior Gateway Routing Protocol (EIGRP).

Within the LAN, Rapid Per-VLAN Spanning Tree Plus (RPVST+) eliminates loops created by the redundant edge-to-distribution connections, VLAN Trunking Protocol (VTP) extends VLANs throughout the network, and Cisco Discovery Protocol (CDP) provides neighbor discovery.

Your goal in this scenario is to replace the Cisco distribution layer switches with HP A-Series switches. Because the HP A-Series switches use open standard protocols, part of the migration involves moving the network from the current proprietary protocols to the open standard ones. For this reason, the figure on the right, which depicts the final network, indicates that the protocols in the final network might differ from the original protocols.

In this module, you will plan the following:
• What the configuration will be, based on open standard protocols, in the final network.
• How you will proceed, step by step, to reach the final topology and configuration.

Why migrate to HP A-Series devices?

– Competitive switches with many advanced features designed for enterprise and the ISP distribution and core:
  • Very high performance for routing and switching
  • Very high 10G port-density
  • Scalability and ultramodern architecture
  • Routing protocols (RIP, OSPF, BGP)
  • VRRP and IRF for high-availability
  • Many other traffic control and QoS features
– See the HP Product Selector.

Figure 4-2 Why migrate to HP A-Series devices?

Before you move on to specific goals of this migration, consider the customer’s primary goal—obtaining better performance at the distribution layer. A-Series switches are truly enterprise-grade devices that offer very high-performance switching and routing and a high 10G port density. In addition to a wide variety of standard features, including but not limited to those displayed in the slide, they offer Intelligent Resilient Framework (IRF), a feature that this module will highlight. IRF combines two switches into an incredibly redundant and high-functioning virtual switch. This feature will be a selling point that convinces many customers to make this type of migration.

Migration goals
Now turn your attention to the customer’s other goals and priorities. Most customers will want an enhanced network by the end of the migration. Why else would the customer decide to migrate? You must understand the customer’s priorities:
• Do they want better performance?
• Do they want greater energy efficiency?
• Do they want new features?

To satisfy many of these requirements fully, you would need to assemble the correct networking solution for the customer, a task that is beyond the scope of this course. You should keep the goals in mind, however, as you plan the migration. At the very least, you will need to ensure that your configuration at the end of the migration supports the services required by the customer.

In addition to considering the customer’s end goals, you must consider the goals for the migration process itself. One of the most important considerations is downtime. Can your customer schedule an outage, or does the network need to remain up throughout the migration? How important is zero downtime to the customer’s satisfaction with the migration process?

You should also ask the customer about other constraints that might affect your plan. For example, ascertain how many ports core and distribution switches have available. As you will see, port constraints might alter the way in which you migrate to the new distribution layer.

Configurations
Cisco Core 1 configuration

hostname CCore_1

vlan 110
vlan 111

ip subnet-zero

ip routing

no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.0.0.3 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport access vlan 111
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_2
 switchport access vlan 100
 switchport mode access

interface Vlan100
 ip address 10.0.100.3 255.255.255.0

interface Vlan111
 ip address 10.0.111.3 255.255.255.0

router eigrp 1
 network 10.0.0.0

Cisco Core 2 configuration

hostname CCore_2

vlan 100
vlan 112

ip subnet-zero

ip routing

no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.0.0.4 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_2
 switchport access vlan 112
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_1
 switchport access vlan 100
 switchport mode access

interface Vlan100
 ip address 10.0.100.4 255.255.255.0

interface Vlan112
 ip address 10.0.112.4 255.255.255.0

router eigrp 1
 network 10.0.0.0

Cisco Distribution 1 configuration

hostname CDist_1

ip subnet-zero
ip routing

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 0
spanning-tree vlan 20-21 priority 4096

vlan 2
vlan 10
vlan 11
vlan 20
vlan 21
vlan 111

interface Loopback0
 ip address 10.1.0.1 255.255.255.255

interface GigabitEthernet1/0/1
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_1
 switchport access vlan 111
 switchport mode access
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 standby 1 ip 10.1.2.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 10 ip 10.1.10.254
 standby 10 priority 255
 standby 10 preempt

interface Vlan11
 ip address 10.1.11.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 11 ip 10.1.11.254
 standby 11 priority 255
 standby 11 preempt

interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 20 ip 10.1.20.254

interface Vlan21
 ip address 10.1.21.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 21 ip 10.1.21.254

interface Vlan111
 ip address 10.0.111.1 255.255.255.0

router eigrp 1
 network 10.0.0.0

ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode server
vtp pruning

Cisco Distribution 2 configuration


hostname CDist_2

ip subnet-zero

ip routing

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 4096
spanning-tree vlan 20-21 priority 0

Vlan 2
Vlan 10
Vlan 11
Vlan 20
Vlan 21
Vlan 112

interface Loopback0
 ip address 10.1.0.2 255.255.255.255

interface GigabitEthernet1/0/1
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_2
 switchport access vlan 112
 switchport mode access
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.254

interface Vlan2
 ip address 10.1.2.2 255.255.255.0
 standby 1 ip 10.1.2.254

interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 10 ip 10.1.10.254

interface Vlan11
 ip address 10.1.11.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 11 ip 10.1.11.254

interface Vlan20
 ip address 10.1.20.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 20 ip 10.1.20.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan21
 ip address 10.1.21.2 255.255.255.0
 ip helper-address 10.1.2.100
 standby 21 ip 10.1.21.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan112
 ip address 10.0.112.2 255.255.255.0

router eigrp 1
 network 10.0.0.0

ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode server
vtp pruning

Cisco Edge 1 configuration

hostname CEdge_1

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description toServer
 switchport access vlan 2
 switchport mode access

interface Vlan1
 ip address 10.1.1.11 255.255.255.0

ip default-gateway 10.1.1.254

ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode client
vtp pruning

Cisco Edge 2 configuration


hostname CEdge_2

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description toClient
 switchport access vlan 21
 switchport mode access

interface Vlan1
 ip address 10.1.1.11 255.255.255.0

ip default-gateway 10.1.1.254

ip classless

These commands are not displayed in the configuration but have been applied:

vtp domain cisco
vtp password secret
vtp mode client
vtp pruning

What is the final configuration?


[Diagram: the Internet above core switches CCore_1 (.3) and CCore_2 (.4), which use VLAN 101 and VLAN 102; new distribution switches HaDist_1 and HaDist_2; edge switches CEdge_1 (.11) and CEdge_2 (.12). Trunks: native VLAN 1, permit all. Access ports in VLANs 2, 10, 11, 20, 21. IP address: 10.X.VLAN.0/24. Open questions marked on the diagram: Routing protocol? Layer 2 redundancy? Layer 3 redundancy? VLANs? Discovery protocol?]

Figure 4-4: What is the final configuration?

With your group, plan configurations for the switches after the migration so that they
provide functionality equivalent to that in the existing network. You have learned
about methods for making these plans earlier in this course. Now you have another
chance to practice your new skills. You will also be able to leverage your plans
during the lab for this module, so make sure to record your plans carefully.

Note that the Cisco distribution switches are not included in the final plans because
they will be removed by the end of the migration; however, you might migrate these
switches to the open standard protocol as part of the migration process. You will look
at that process in more detail a bit later.

As you answer the questions, you can refer to the tables within the questions as well
as to the configurations on the previous pages.

1. First, plan the open standard protocols to which you will migrate proprietary
protocols.

Table 4-1: Migrating proprietary protocol to open standards

Function                                      Proprietary protocol   Open standard equivalent
Routing protocol                              EIGRP
Layer 3 redundancy protocol                   HSRP
Layer 2 redundancy protocol (spanning tree)   RPVST+
VLAN registration                             VTP
Discovery protocol                            CDP

2. Will you implement the open standard VLAN registration protocol or configure
static VLANs? Why?

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

3. The current spanning tree settings are displayed in the first table below. In the
other table, indicate the settings that you want on each switch at the end of the
migration. Note that you might adjust these settings during the migration. For
now, you are planning the end goal. Also note that, if you do not plan to enable
Multiple Spanning Tree Protocol (MSTP) on a switch, you can leave the cells
empty.

Table 4-2: Current spanning tree settings

                    Setting for    Setting for            Setting for            Setting for      Setting for
Parameter           Core switches  CDist_1                CDist_2                CEdge_1          CEdge_2
Spanning tree mode  disabled       Rapid PVST+            Rapid PVST+            Rapid PVST+      Rapid PVST+
Priority            —              VLANs 1, 2, 10, 11,    VLANs 1, 2, 10, 11,    Default on all   Default on all
                                   111, 112: 0            111, 112: 4096         VLANs (32768)    VLANs (32768)
                                   VLANs 20, 21: 4096     VLANs 20, 21: 0
Other settings      —              BPDU filter on P4      BPDU filter on P4      —                —
                                   (to Core)              (to Core)

Table 4-3: Planned MSTP settings

                            Setting for  Setting for  Setting for  Setting for  Setting for  Setting for
Parameter                   CCore_1      CCore_2      HaDist_1     HaDist_2     CEdge_1      CEdge_2
Mode
Region name
Revision number
VLAN mapping
Priority for each instance
Other settings

Justify your plans:

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

4. The IP addressing and Layer 3 redundancy configurations for the existing
distribution switches are displayed in the first table below. In the next table,
indicate the settings for the new HP A-Series switches. Again, you are planning
the final configurations.

Note that, if you are using software version 15, you can set one switch as owner
with priority 255 and still assign a virtual IP address to the virtual router
identifier (VRID). Otherwise, you must assign both switches as backup to use a
different virtual IP address than the one on the owner.

Table 4-4: Current distribution IP address and HSRP settings

Parameter            Setting for CDist_1          Setting for CDist_2

VLAN 1
IP address           10.1.1.1 255.255.255.0       10.1.1.2 255.255.255.0
Helper address       Not configured               Not configured
Standby ID           1                            1
Priority             255                          Default (100)
Preempt mode         Enabled                      Not enabled
Virtual IP address   10.1.1.254 255.255.255.0     10.1.1.254 255.255.255.0

VLAN 2
IP address           10.1.2.1 255.255.255.0       10.1.2.2 255.255.255.0
Helper address       Not configured               Not configured
Standby ID           1                            1
Priority             255                          Default (100)
Preempt mode         Enabled                      Not enabled
Virtual IP address   10.1.2.254 255.255.255.0     10.1.2.254 255.255.255.0

VLAN 10
IP address           10.1.10.1 255.255.255.0      10.1.10.2
Helper address       10.1.2.100                   10.1.2.100
Standby ID           10                           10
Priority             255                          Default (100)
Preempt mode         Enabled                      Not enabled
Virtual IP address   10.1.10.254 255.255.255.0    10.1.10.254 255.255.255.0

VLAN 11
IP address           10.1.11.1 255.255.255.0      10.1.11.1 255.255.255.0
Helper address       10.1.2.100                   10.1.2.100
Standby ID           11                           11
Priority             255                          Default (100)
Preempt mode         Enabled                      Not enabled
Virtual IP address   10.1.11.254 255.255.255.0    10.1.11.254 255.255.255.0

VLAN 20
IP address           10.1.11.1 255.255.255.0      10.1.11.1 255.255.255.0
Helper address       10.1.2.100                   10.1.2.100
Standby ID           20                           20
Priority             Default (100)                255
Preempt mode         Not enabled                  Enabled
Virtual IP address   10.1.20.254 255.255.255.0    10.1.20.254 255.255.255.0

VLAN 21
IP address           10.1.21.1 255.255.255.0      10.1.21.1 255.255.255.0
Helper address       10.1.2.100                   10.1.2.100
Standby ID           21                           21
Priority             Default (100)                255
Preempt mode         Not enabled                  Enabled
Virtual IP address   10.1.21.254 255.255.255.0    10.1.21.254 255.255.255.0

VLAN 111
IP address           10.0.111.1 255.255.255.0     Not configured
Helper address       Not configured               —
Standby ID           Not configured               —

VLAN 112
IP address           Not configured               10.0.112.1 255.255.255.0
Helper address       —                            Not configured

Loopback 0
IP address           10.1.0.1                     10.1.0.2

Table 4-5: Planned IP addressing and VRRP settings for the new HP A-Series switches

Parameter            Setting for HaDist_1         Setting for HaDist_2

VLAN 1
IP address
Helper address
Mode
VRID
Priority
Preempt mode
Virtual IP address

VLAN 2
IP address
Helper address
Mode
VRID
Priority
Preempt mode
Virtual IP address

VLAN 10
IP address
Helper address
Mode
VRID
Priority
Preempt mode
Virtual IP address

VLAN 11
IP address
Helper address
Mode
VRID
Priority
Preempt mode
Virtual IP address

VLAN 20
IP address
Helper address
Mode
VRID
Priority
Preempt mode
Virtual IP address

VLAN 21
IP address
Helper address
Mode
VRID
Priority
Preempt mode
Virtual IP address

VLAN 111
IP address
Helper address
VRID

VLAN 112
IP address
Helper address
VRID

Loopback 0
IP address

Justify your plans:

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

5. Does your plan for IP addressing, including the virtual routing IP addresses,
necessitate any configuration changes at the core or edge? If so, list these
changes:

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

6. Plan the final configuration for the routing protocol. Currently, EIGRP is enabled
on the entire 10.0.0.0/8 network on both core switches and on both distribution
switches. The table provides a space for you to plan your final settings for Open
Shortest Path First (OSPF). Your goal is to ensure that the distribution switches
can route traffic between VLANs 1, 2, 10, 11, 20, and 21 and the core. Several
valid designs exist; yours might not include all of the settings in the table.
Table 4-6: Final OSPF settings

                                      Setting for  Setting for  Setting for  Setting for
Parameter                             CCore_1      CCore_2      HaDist_1     HaDist_2
Area
OSPF interfaces and their area
assignments
Passive interfaces
Redistribution settings
Administrative distance and metrics
Route summaries

Justify your plans:

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________


Proposed final configuration


[Diagram: the Internet above core switches CCore_1 (.3) and CCore_2 (.4), which use VLAN 101 and VLAN 102 and run OSPF toward the distribution layer; HaDist (.254), an IRF stack that is MSTP root for the IST, instance 1 and instance 2; edge switches CEdge_1 (.11) and CEdge_2 (.12) with LLDP, static VLANs and MSTP. Trunks: native VLAN 1, permit all. Access ports in VLANs 2, 10, 11, 20, 21. IP address: 10.X.VLAN.0/24.]

Figure 4-5: Proposed final configuration

Migration to open standards


You learned about migrating to open standards in Module 1, so you should
understand the protocols listed in the table well.
Table 4-7: Migrating proprietary protocol to open standards

Function                                      Proprietary protocol   Open standard equivalent
Routing protocol                              EIGRP                  OSPF (or ISIS)
Layer 3 redundancy protocol                   HSRP                   VRRP *
Layer 2 redundancy protocol (spanning tree)   RPVST+                 MSTP
VLAN registration                             VTP                    GVRP *
Discovery protocol                            CDP                    LLDP

For the proposed final configuration, you will migrate the network to all of the
protocols listed in the table except VRRP and Generic Attribute Registration Protocol
(GARP) VLAN Registration Protocol (GVRP).
As you learned in Module 1, while GVRP enables switches to advertise and register
for VLAN memberships automatically, just like VTP, GVRP can introduce some issues.
Creating the VLANs statically on the switches will not be complicated, and the final
functionality will be the same as it is now.
Instead of Virtual Router Redundancy Protocol (VRRP) for the Layer 3 redundancy
protocol, Intelligent Resilient Framework (IRF)—a feature specific to the HP A-Series
platform—will be implemented. More information on this technology follows after
the MSTP section.


Spanning tree protocol


You need to consider several issues as you plan your final MSTP configuration:
• How will you map VLANs to MSTP instances?
For this example, you should map the VLANs such that the root and secondary
root roles can be divided as they are in the old distribution layer. You should
always leave at least one VLAN in the Internal Spanning Tree (IST), which allows
the HP A-Series switches to interoperate with switches in different MSTP regions
and with switches using different spanning tree protocols. Because the PVST+ and
RPVST+ switches use VLAN 1 for interoperation, you should leave that VLAN in the
IST (instance 0). You also leave VLANs that are not shared across the region in
the IST (no configuration necessary).
• Which priorities and costs will you assign to switches?
This question is rather straightforward. You would assign the priorities such that
one of the new distribution switches is primary root in the first instance and
secondary root in the second instance, and vice versa on the other HP A-Series
switch.
You might also assign a lower cost to the distribution switch-to-switch link to favor
it. (In the real world, this link is often a link aggregation; however, the HP A-Series
switch does not automatically assign an aggregation a lower cost.)
• How will you prevent links that are acting like routed links from being blocked?
MSTP functions differently from RPVST+ in several important ways. It blocks links
for an instance regardless of the VLAN configuration. Therefore, links such as the
ones shown between the HP A-Series switches and the core could be blocked by
MSTP even though no loop exists in VLAN 101 and VLAN 102. For example, this
would happen if there were a connection between the core switches and they
implemented MSTP.
To prevent the links from being blocked, you can disable spanning tree at the
root, which does not need to implement this protocol because it connects to the
rest of the network on routed links. As a failsafe measure, you could also
implement Bridge Protocol Data Unit (BPDU) filters on the HP A-Series switch
ports that connect to the core. And you could enable loop guard on the Cisco
core switches in case they are accidentally connected to the distribution layer on
the same VLAN on two connections.
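
The first two questions above (VLAN-to-instance mapping and root priorities) can be worked directly from the old distribution layer's RPVST+ priority lines. The Python below is an added example, not part of the HP course material: the function names are hypothetical, treating VLANs 111 and 112 as the VLANs not shared across the region is an assumption, and priority ties are broken by switch name rather than by bridge MAC address.

```python
import re
from collections import defaultdict

# Constructed input: the per-VLAN priority lines copied from the CDist_1 and
# CDist_2 listings in this module.
RPVST_PRIORITIES = {
    "CDist_1": [
        "spanning-tree vlan 1,2,10-11,111-112 priority 0",
        "spanning-tree vlan 20-21 priority 4096",
    ],
    "CDist_2": [
        "spanning-tree vlan 1,2,10-11,111-112 priority 4096",
        "spanning-tree vlan 20-21 priority 0",
    ],
}

PRIORITY_RE = re.compile(r"^spanning-tree vlan (\S+) priority (\d+)$")


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,2,10-11' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_priorities(lines):
    """Return {vlan: priority} from 'spanning-tree vlan ... priority N' lines."""
    result = {}
    for line in lines:
        match = PRIORITY_RE.match(line.strip())
        if not match:
            continue  # not a per-VLAN priority line
        priority = int(match.group(2))
        if priority % 4096 or priority > 61440:
            raise ValueError(f"priority must be a multiple of 4096: {priority}")
        for vlan in expand_vlans(match.group(1)):
            result[vlan] = priority
    return result


def current_roots(configs, default_priority=32768):
    """Return {vlan: switch} naming the switch with the lowest priority per VLAN."""
    per_switch = {name: parse_priorities(lines) for name, lines in configs.items()}
    vlans = set().union(*per_switch.values())
    roots = {}
    for vlan in sorted(vlans):
        # Simplification: a tie falls back to the switch name, not the MAC address.
        roots[vlan] = min(
            per_switch,
            key=lambda name: (per_switch[name].get(vlan, default_priority), name),
        )
    return roots


def plan_mstp(configs, interop_vlan=1, unshared=()):
    """Group VLANs by their current root; keep the interop and unshared VLANs in the IST.

    Returns (mapping, root_of): instance -> VLAN list, instance -> current root.
    """
    roots = current_roots(configs)
    ist = {interop_vlan} | set(unshared)
    groups = defaultdict(list)
    for vlan, root in roots.items():
        if vlan not in ist:
            groups[root].append(vlan)
    mapping = {0: sorted(ist)}
    root_of = {0: roots.get(interop_vlan)}
    # Number the instances in order of the lowest VLAN ID they carry.
    ordered = sorted(groups.items(), key=lambda item: min(item[1]))
    for instance, (root, vlans) in enumerate(ordered, start=1):
        mapping[instance] = sorted(vlans)
        root_of[instance] = root
    return mapping, root_of


def instance_priorities(root_of, switches, primary=0, secondary=4096):
    """Primary root priority on each instance's root, secondary on the others."""
    return {
        instance: {sw: primary if sw == root else secondary for sw in switches}
        for instance, root in root_of.items()
    }


if __name__ == "__main__":
    mapping, root_of = plan_mstp(RPVST_PRIORITIES, unshared={111, 112})
    priorities = instance_priorities(root_of, sorted(RPVST_PRIORITIES))
    for instance, vlans in mapping.items():
        print(f"instance {instance}: VLANs {vlans}, priorities {priorities[instance]}")
```

The switch names in the output are the old distribution switches; the priorities carry over to whichever new HP A-Series switch takes over each role.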


Analyzing the forklift method


With your classmates, assess the advantages of the forklift method. Also discuss
potential challenges introduced by this method and disadvantages.

d.
Advantages:

ite
ib
oh
_______________________________________________________________________

pr
is
_______________________________________________________________________

n
sio
is
_______________________________________________________________________

m
er
tp
_______________________________________________________________________

ou
ith
_______________________________________________________________________

w
rt
pa
_______________________________________________________________________
i n
or
_______________________________________________________________________
l e
ho

_______________________________________________________________________
w
in

Challenges and disadvantages:


n
c tio

_______________________________________________________________________
du
ro
ep

_______________________________________________________________________
.R
ly

_______________________________________________________________________
on
se

_______________________________________________________________________
u
er
ld

_______________________________________________________________________
ho
ake

_______________________________________________________________________
St
&L

_______________________________________________________________________
C
P
H

Rev. 11.21 4 –37


BitSpyder - The Culture of Knowledge

Migrating to an Open Standards Network

A disadvantage for one environment might not be a grave concern for another.
Brainstorm situations in which you would use the forklift method.

_______________________________________________________________________

d.
ite
_______________________________________________________________________

ib
oh
_______________________________________________________________________

pr
is
n
_______________________________________________________________________

sio
is
m
_______________________________________________________________________

er
tp
_______________________________________________________________________

ou
ith
w
_______________________________________________________________________

rt
pa
_______________________________________________________________________
i n
or
e

_______________________________________________________________________
l
ho
w
in
n
c tio
du
ro
ep
.R
ly
on
u se
er
ld
ho
ake
St
&L
C
P
H

4 –38 Rev. 11.21


BitSpyder - The Culture of Knowledge

Migrating and Expanding the Distribution Layer with HP A-Series

Parallel network

[Diagram: Cisco core, distribution and edge switches alongside the HP A-Series IRF stack, with step callouts. Step 1: Configure the new switches offline. Step 1: Begin migration to open standards. Step 2: Simplify old distribution. Add the parallel network.]

Figure 4-9: Parallel network

In this strategy, you add the new distribution layer as a parallel network and
gradually migrate functionality to it.

1. In a first step similar to the forklift method’s first step, you configure the new
switches offline. You also begin to migrate Cisco switches to open standards,
following the plan that you created earlier.

However, unlike the forklift method, you must consider how the HP A-Series
configuration will interact with the existing configuration. For example, you
cannot simply assign the A-Series switches the default gateway IP addresses
because that would cause an address conflict. A good strategy is to configure
all of the settings at this point but not to enable them until they are required. In
the slides to follow, you will explore the best times to enable particular features.

2. Next, you connect the HP A-Series switches as a parallel network. The figure
shows one strategy for connecting the parallel network:

a. Disconnect the #2 old distribution layer switch from the network completely.

b. Connect the two new distribution layer switches to the existing distribution
layer switch on a single connection.

c. Connect one of the new distribution layer switches to the core.

You can vary this strategy as called for by your environment. For example, you
might connect both HP A-Series switches to the core. Or you might distribute the
edge switch connections between the new distribution switches. You can connect
the parallel network as you desire; simply ensure that these criteria are met:

• The new distribution layer connects to the old distribution layer on one link
or aggregated link, which simplifies the spanning tree topology.

• Each HP A-Series switch connects to the core before you start migrating
routing functionality to that switch.

Where might issues occur?


The parallel network migration, because it involves making changes to and
introducing new devices to an active network, can introduce more issues than a
forklift migration. You will now look more closely at some potential trouble spots
during the migration:

• Connecting the parallel network:
  • Will STP convergence cause any downtime?
  • Without STP, will loops occur?

• Migrating the edge:
  • How can you minimize downtime?
  • How will the new traffic flow affect the network?

• Migrating the routing functionality:
  • When will you migrate the functionality?
  • What mechanisms will you use?

You will now explore these issues so that you will fully comprehend the potential
pitfalls—and plan ways to avoid them.

Potential problem spot 1: STP behavior when you connect the parallel network

[Diagram: Cisco core, distribution and edge switches with the HP A-Series IRF stack connected in parallel. The Cisco distribution switch is labeled "RPVST+ root for VLANs 1, 2, 10, 11, 20, 21". Callout: "Based on the configuration, what happens when you connect the parallel network?"]

Figure 4-11: Potential problem spot 1: STP behavior when you connect the parallel network

You will first explore the type of issues that might occur when you connect the HP
A-Series switches as a parallel network. As discussed earlier, you will very probably
have the Cisco switches still implementing Rapid PVST+ and the HP A-Series switches
implementing MSTP. The two protocols can interoperate, but you should carefully
consider how they will interoperate so that you can proceed in the migration with
confidence.

The figure displays the RPVST+ topology after you connect the parallel network. The
sections below display the configuration for the Cisco switches and for the HP
A-Series switch (IRF stack). (Hint: The boldface settings in each configuration are the
most important for you to consider.)

Based on the configuration, what occurs when you connect the new switches?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Does this cause downtime?

_______________________________________________________________________

What steps could you take to solve the problem?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Cisco Core 1 configuration

hostname CCore_1

vlan 100
vlan 111

ip subnet-zero

ip routing

no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.1.0.3 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport access vlan 111
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_2
 switchport access vlan 100
 switchport mode access

interface GigabitEthernet1/0/3
 description to HaDist_1
 switchport access vlan 111
 switchport mode access

interface Vlan100
 ip address 10.1.100.3 255.255.255.0

interface Vlan111
 ip address 10.1.111.3 255.255.255.0

router ospf 1
 router-id 10.1.0.3
 log-adjacency-changes
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.110.0 0.0.0.255 area 0
 network 10.1.111.0 0.0.0.255 area 0

The switch’s MAC address is 001de5-00003.

Cisco Core 2 configuration


hostname CCore_2

vlan 100
vlan 112

ip subnet-zero

ip routing

no spanning-tree vlan 1-4094

interface Loopback0
 ip address 10.1.0.4 255.255.255.255

interface GigabitEthernet1/0/1
 description to CDist_2
 switchport access vlan 112
 switchport mode access

interface GigabitEthernet1/0/2
 description to CCore_1
 switchport access vlan 100
 switchport mode access

interface Vlan100
 ip address 10.1.100.4 255.255.255.0

interface Vlan112
 ip address 10.1.112.4 255.255.255.0

router ospf 1
 router-id 10.1.0.4
 log-adjacency-changes
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.110.0 0.0.0.255 area 0
 network 10.1.111.0 0.0.0.255 area 0

The switch’s MAC address is 001de5-00004.

Cisco Distribution 1 configuration


l
ho
w

hostname CDist_1
in
n
tio

ip subnet-zero
c
du

ip routing
ro
ep

lldp run
.R
ly

spanning-tree mode rapid-pvst


on

spanning-tree extend system-id


se

spanning-tree vlan 1,2,10-11,111-112 priority 0


u

spanning-tree vlan 20-21 priority 4096


er
ld
ho

Vlan 2
ke

Vlan 10
a
St

Vlan 11
&L

Vlan 20
C

Vlan 21
P

Vlan 111
H

interface Loopback0
ip address 10.1.0.1 255.255.255.255

4 –46 Rev. 11.21


BitSpyder - The Culture of Knowledge

Migrating and Expanding the Distribution Layer with HP A-Series

interface GigabitEthernet1/0/1
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to HaDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_1
 switchport access vlan 111
 switchport mode access
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 standby 1 ip 10.1.2.254
 standby 1 priority 255
 standby 1 preempt

interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 10 ip 10.1.10.254
 standby 10 priority 255
 standby 10 preempt

interface Vlan11
 ip address 10.1.11.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 11 ip 10.1.11.254
 standby 11 priority 255
 standby 11 preempt

interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 20 ip 10.1.20.254

interface Vlan21
 ip address 10.1.21.1 255.255.255.0
 ip helper-address 10.1.2.100
 standby 21 ip 10.1.21.254

interface Vlan111
 ip address 10.1.111.1 255.255.255.0

router ospf 1
 router-id 10.1.0.1
 area 1 stub
 network 10.1.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 network 10.1.2.0 0.0.0.255 area 1
 network 10.1.10.0 0.0.1.255 area 1
 network 10.1.20.0 0.0.1.255 area 1
 network 10.1.111.0 0.0.0.255 area 0
 passive-interface vlan 2
 passive-interface vlan 10
 passive-interface vlan 11
 passive-interface vlan 20
 passive-interface vlan 21

The switch’s MAC address is 001de5-00001.


Cisco Edge 1 configuration

hostname CEdge_1

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

Vlan 2
Vlan 10
Vlan 11
Vlan 20
Vlan 21

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to HaDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description toServer
 switchport access vlan 2
 switchport mode access

interface Vlan1
 ip address 10.1.1.11 255.255.255.0

ip default-gateway 10.1.1.254
ip classless

The switch’s MAC address is 001de5-00011.


Cisco Edge 2 configuration

hostname CEdge_2

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

Vlan 2
Vlan 10
Vlan 11
Vlan 20
Vlan 21

interface GigabitEthernet1/0/1
 description to HaDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to HaDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description toClient
 switchport access vlan 21
 switchport mode access

interface Vlan1
 ip address 10.1.1.12 255.255.255.0

ip default-gateway 10.1.1.254

The switch’s MAC address is 001de5-00012.


HP A-Series Distribution configuration

Note that, on HP A-Series switches, all VLANs not explicitly assigned to an MSTP
instance are in the IST (instance 0).

sysname HaDist
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 32
#
vlan 1
#
vlan 2
#
vlan 10 to 11
#
vlan 20 to 21
#
vlan 111 to 112
#
stp instance 0 priority 8192
stp instance 1 priority 0
stp instance 2 priority 4096
stp enable
stp region-configuration
 region-name migration
 revision-level 1
 instance 1 vlan 10 to 11
 instance 2 vlan 20 to 21
 active region-configuration
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 link-aggregation mode dynamic
#
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 link-aggregation mode dynamic
#
interface Vlan-interface1
 shutdown
 ip address 10.1.1.254 255.255.255.0
#
interface Vlan-interface2
 shutdown
 ip address 10.1.2.254 255.255.255.0
#
interface Vlan-interface10
 shutdown
 ip address 10.1.10.254 255.255.255.0
#
interface Vlan-interface11
 shutdown
 ip address 10.1.11.254 255.255.255.0
#
interface Vlan-interface20
 shutdown
 ip address 10.1.20.254 255.255.255.0
#
interface Vlan-interface21
 shutdown
 ip address 10.1.21.254 255.255.255.0
#
interface Vlan-interface111
 ip address 10.1.111.1 255.255.255.0
#
interface Vlan-interface112
 ip address 10.1.112.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 2
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 2
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 1
#
interface GigabitEthernet2/0/3
 port access vlan 112
#
interface Ten-GigabitEthernet1/0/25
 shutdown
#
interface Ten-GigabitEthernet1/0/26
 shutdown
#
interface Ten-GigabitEthernet2/0/25
 shutdown
#
interface Ten-GigabitEthernet2/0/26
 shutdown
#
ospf 1 router-id 10.1.0.7
 area 0.0.0.0
  network 10.1.0.0 0.0.0.255
  network 10.1.111.0 0.0.0.255
  network 10.1.112.0 0.0.0.255
 area 0.0.0.1
  network 10.1.1.0 0.0.0.255
  network 10.1.2.0 0.0.0.255
  network 10.1.10.0 0.0.1.255
  network 10.1.20.0 0.0.1.255
  stub
#
irf-port 1/1
 port group interface Ten-GigabitEthernet1/0/27 mode enhanced
 port group interface Ten-GigabitEthernet1/0/28 mode enhanced
#
irf-port 2/2
 port group interface Ten-GigabitEthernet2/0/27 mode enhanced
 port group interface Ten-GigabitEthernet2/0/28 mode enhanced

Answer

[Figure: Cisco switches and the HP A-Series IRF pair, with these callouts]
VLAN 1 might experience downtime when the HP A-Series IST advertises itself with a
low priority.
Cisco: It may temporarily block designated ports when it receives a better BPDU.
Solution: Set the new distribution switches’ IST priorities higher than the Cisco
priority for the current VLAN 1.

Figure 4-12: Answer

Did you arrive at this answer?

MSTP and RPVST+ interoperate on VLAN 1. The HP A-Series switches use the settings
for the IST root in the election for the bridge in this VLAN. Because the HP A-Series
switch and the Cisco switch both have 0 priority, an election is held. Either the Cisco
switch or the A-Series switch might become the root based on which one has the
lower MAC address. In either case, the election will cause downtime in VLAN 1.

To prevent this situation from occurring, you should set the new distribution switches’
IST priorities higher than the current VLAN 1 root priority. On the other hand, the
new distribution switches’ priorities should also be lower than the default priority used
by the edge switches. Therefore, you could set the IST priorities on the HP A-Series to
8192.
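
The priority rule above can be checked against the saved configurations before the new switches are connected. The following Python check is an added example, not part of the HP course material: the function names are hypothetical, the configuration excerpts are copied from this page, and 32768 is assumed to be the default bridge priority used by the edge switches.

```python
import re

# Assumption: the edge switches run the IEEE default bridge priority.
EDGE_DEFAULT_PRIORITY = 32768

# Excerpts of the configurations shown on this page.
CISCO_DIST = """\
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 0
spanning-tree vlan 20-21 priority 4096
"""

HP_DIST = """\
stp instance 0 priority 8192
stp instance 1 priority 0
stp instance 2 priority 4096
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,2,10-11' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def cisco_vlan_priorities(config):
    """Map VLAN ID -> priority from 'spanning-tree vlan ... priority' lines."""
    prios = {}
    pattern = r"^\s*spanning-tree vlan (\S+) priority (\d+)\s*$"
    for m in re.finditer(pattern, config, re.M):
        for vlan in expand_vlans(m.group(1)):
            prios[vlan] = int(m.group(2))
    return prios


def comware_instance_priorities(config):
    """Map MSTP instance -> priority from 'stp instance N priority P' lines."""
    pattern = r"^\s*stp instance (\d+) priority (\d+)\s*$"
    return {int(i): int(p) for i, p in re.findall(pattern, config, re.M)}


def check_ist_priority(cisco_cfg, hp_cfg, vlan=1):
    """Return the problems with the planned IST priority; an empty list means
    it sits above the current root priority and below the edge default."""
    root_prio = cisco_vlan_priorities(cisco_cfg).get(vlan, EDGE_DEFAULT_PRIORITY)
    ist_prio = comware_instance_priorities(hp_cfg).get(0, EDGE_DEFAULT_PRIORITY)
    problems = []
    if ist_prio % 4096:
        problems.append(f"IST priority {ist_prio} is not a multiple of 4096")
    if ist_prio <= root_prio:
        problems.append(
            f"IST priority {ist_prio} is not higher than the VLAN {vlan} root "
            f"priority {root_prio}: root re-election risk"
        )
    if ist_prio >= EDGE_DEFAULT_PRIORITY:
        problems.append(
            f"IST priority {ist_prio} is not lower than the edge default "
            f"{EDGE_DEFAULT_PRIORITY}"
        )
    return problems


if __name__ == "__main__":
    issues = check_ist_priority(CISCO_DIST, HP_DIST)
    print("OK" if not issues else "\n".join(issues))
```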

Potential problem spot 2: Migrating the edge

Use RPVST+ behavior to select the best way to migrate the connections.

Method: Disable the connection at the old distribution switch.
RPVST+ behavior:
• After detecting that the link is down, the edge switch opens an alternate port.
• But an alternate port on the other side is opened only after the topology
  reconverges.

Method: Remove the connection physically. / Disable the connection at the edge switch.
RPVST+ behavior:
• The edge switch immediately opens an alternate port.
• But an alternate port on the other side is opened only after the topology
  reconverges.

Figure 4-13: Potential problem spot 2: Migrating the edge

Assume that you are at the point in the migration in which each edge switch is
connected to at least one Cisco distribution switch and one HP A-Series distribution
switch. RPVST+/MSTP are eliminating loops. You want to remove the connection to
the Cisco switch and have the connection to the HP A-Series switch open as quickly
and seamlessly as possible. You must consider RPVST+ behavior to select the best
method.

What happens on a switch that implements RPVST+ when a physical connection
goes down? Only after the edge switch realizes that the connection has been lost
(which might take a second or two) does the edge switch open an alternate port. If
the switch has the designated port in the blocked link, and the other side has the
alternate port, the link might take even longer to open. It does so only after the
topology reconverges, which might be an additional second or two.

The same principles apply when the connection is disabled on the other side. After
the switch detects that it is no longer receiving BPDUs, it opens the alternate port if it
has this port. Otherwise, after the topology reconverges, the switch on the other side
opens its port.

When you disable the connection at the edge switch, it immediately opens the
alternate port. Again, if the other side has the alternate port, the topology must
reconverge before the link opens.

In summary, to migrate an edge switch to the new distribution switch most seamlessly,
first ensure that the switch is connected to both a Cisco distribution switch and an HP
A-Series switch. Next ensure that the port that connects to the HP A-Series switch is
listed as an alternate port and not a designated port. Finally, disable the port that
connects to the Cisco switch. The edge switch will rapidly open the alternate port to
the HP A-Series switch, maintaining connectivity for its endpoints.
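
The readiness condition in the summary above (Cisco-facing uplink is the root port, HP-facing uplink is an alternate port, in every VLAN) can be verified from the edge switch before the cutover. The following Python check is an added example, not part of the HP course material: the function names are hypothetical and the `show spanning-tree` text is a constructed, trimmed sample that uses the CEdge_1 uplinks from this page (Gi1/0/1 to CDist_1, Gi1/0/2 to HaDist_2).

```python
import re

# Constructed, trimmed 'show spanning-tree' output from an edge switch
# (sample data, not captured from a real device).
SAMPLE = """\
VLAN0001
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Gi1/0/1             Root FWD 4         128.1    P2p
Gi1/0/2             Desg FWD 4         128.2    P2p

VLAN0010
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Gi1/0/1             Root FWD 4         128.1    P2p
Gi1/0/2             Altn BLK 4         128.2    P2p
"""

VLAN_RE = re.compile(r"^VLAN0*(\d+)\s*$")
PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(\S+)\s+\d+\s+\d+\.\d+\s")


def port_roles(output):
    """Return {vlan_id: {interface: (role, state)}} from 'show spanning-tree' text."""
    roles, vlan = {}, None
    for line in output.splitlines():
        m = VLAN_RE.match(line)
        if m:
            vlan = int(m.group(1))
            roles[vlan] = {}
            continue
        m = PORT_RE.match(line)
        if m and vlan is not None:
            roles[vlan][m.group(1)] = (m.group(2), m.group(3))
    return roles


def cutover_blockers(output, old_uplink, new_uplink):
    """Return {vlan_id: reason} for each VLAN in which disabling old_uplink
    would not let the edge switch open new_uplink immediately, that is,
    old_uplink is not the root port or new_uplink is not an alternate port."""
    blockers = {}
    for vlan, ports in sorted(port_roles(output).items()):
        old = ports.get(old_uplink, ("absent", "-"))[0]
        new = ports.get(new_uplink, ("absent", "-"))[0]
        if old != "Root" or new != "Altn":
            blockers[vlan] = f"{old_uplink}={old}, {new_uplink}={new}"
    return blockers


if __name__ == "__main__":
    found = cutover_blockers(SAMPLE, "Gi1/0/1", "Gi1/0/2")
    for vlan, reason in found.items():
        print(f"VLAN {vlan}: not ready ({reason})")
    if not found:
        print("All VLANs ready: disable the Cisco-facing uplink")
```

In the sample, VLAN 1 is reported because the HP-facing port is designated rather than alternate, which is the situation the next activity asks you to analyze.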

Activity: Analyzing your readiness for a quick migration

[Figure: Cisco switches and the HP A-Series IRF pair. Question: Based on the
configuration, which ports are blocked?]

Figure 4-14: Activity: Analyzing your readiness for a quick migration

You will now consider methods to ensure that your edge switches have this desired
configuration (the port that connects to the HP A-Series switch is the alternate port on
each VLAN).

The sections below display each switch’s configuration. These configurations are
identical to the configurations for the previous activity, with the exception that the
HP A-Series switches’ IST priorities have been raised. Only the most relevant settings
are provided in these sections. For other settings, you can assume that the switches
are using the same configurations as in the previous activity.

Based on these configurations, which ports are blocked as alternate ports in each
VLAN when you connect the HP A-Series switches to the network? Mark the blocked
port in each VLAN in the figure above.

Is this the desired configuration? What issues might you encounter?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Cisco Distribution 1 configuration

hostname CDist_1

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,2,10-11,111-112 priority 0
spanning-tree vlan 20-21 priority 4096

interface GigabitEthernet1/0/1
 description to CEdge_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to CEdge_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description to HaDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/4
 description to CCore_1
 switchport access vlan 111
 switchport mode access
 spanning-tree bpdufilter enable

Cisco Edge 1 configuration

hostname CEdge_1

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

Vlan 2
Vlan 10
Vlan 11
Vlan 20
Vlan 21

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to HaDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description toServer
 switchport access vlan 2
 switchport mode access
Cisco Edge 2 configuration

hostname CEdge_2

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id

Vlan 2
Vlan 10
Vlan 11
Vlan 20
Vlan 21

interface GigabitEthernet1/0/1
 description to CDist_1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/2
 description to HaDist_2
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/0/3
 description toClient
 switchport access vlan 21
 switchport mode access
HP A-Series Distribution configuration

Note that, on HP A-Series switches, all VLANs not explicitly assigned to an MSTP
instance are in the IST (instance 0).

sysname "HaDist"
#
stp instance 0 priority 8192
stp instance 1 priority 0
stp instance 2 priority 4096
stp enable
stp region-configuration
 region-name migration
 revision-level 1
 instance 1 vlan 10 to 11
 instance 2 vlan 20 to 21
 active region-configuration
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 link-aggregation mode dynamic
#
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 link-aggregation mode dynamic
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 2
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 2
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk permit vlan 1 to 2 10 to 11 20 to 21
 port link-aggregation group 1
#
interface GigabitEthernet2/0/3
 port access vlan 112
#

Answer: VLAN 1

[Figure: Cisco switches and the HP A-Series IRF pair; one switch is marked Root.
Legend: Blocked on all VLANs by MSTP]

Figure 4-15: Answer: VLAN 1

Here you see the answer for VLAN 1, which is the VLAN on which RPVST+ and MSTP
interoperate. Each Cisco edge switch defines the port that connects to the Cisco
distribution switch as the root port. However, the port that connects to the HP A-Series
switch is selected as the designated port because the Cisco switches, using the
default RPVST+ cost method, advertise a lower root path cost than the HP A-Series
switches.

The HP A-Series switch, in turn, defines the ports that connect to the Cisco edge
switches as alternate ports and blocks them. Because MSTP interoperates on the
Common and Internal Spanning Tree (CIST) as if it were RSTP, it blocks the port
entirely for all traffic.

As you will see in a moment, this configuration can cause migration problems. First,
however, examine the topology for the other VLANs.

Answer: Other VLANs

[Figure: Cisco switches and the HP A-Series IRF pair; one switch is marked Root.
Callout: Drops RPVST+ BPDUs on blocked ports. Legend: Blocked on all VLANs by MSTP]

Figure 4-16: Answer: Other VLANs

In other VLANs, the edge switches define the port that connects to the primary root
for those VLANs as the root port.

The HP A-Series switches would simply pass RPVST+ BPDUs on other VLANs,
appearing like a hub. However, MSTP has blocked the ports, preventing the BPDUs
from passing. Therefore, the edge switches leave these ports open as designated
ports that are not receiving BPDUs. Because the HP A-Series switches block the ports,
loops do not occur.

Potential problem spot 3: When will you migrate the Layer 3 functionality?

– Migrate the routing protocol first.
– You can migrate the default gateway functionality:
  • Before migrating the edge switch connections
  • After migrating the edge switch connections

Consider traffic flow on this link.

[Figure: HP A-Series IRF pair and Cisco switches]

Figure 4-17: Potential problem spot 3: When will you migrate the Layer 3 functionality?

There are two steps involved in migrating the Layer 3 functionality:
• Migrating the routing protocol between the distribution layer and the core from
  EIGRP to OSPF
• Migrating the default gateway role from the old distribution switches to the new
  HP A-Series switches

Migrating the routing protocol

Of course, you must complete the routing protocol migration first. Otherwise,
endpoints will lose connectivity with the core and the Internet when they begin to use
the new switches as their default gateways.

As long as you follow the guidelines that you learned in Module 1, you should not
experience any difficulty with this migration. You should, however, consider the new
elements that the HP A-Series switches bring to this migration.

For example, the core switches might select the new distribution switches as the next
hop to the user VLANs for which the old switch is still routing. The temporary
asynchronous routing should not cause any issues, but you can test this fact in the
lab. In fact, it prevents brief downtime when you remove the old distribution switches.

Note
If your customer does not use a routing protocol at the distribution layer, you
would simply need to configure the correct static routes on the HP A-Series
switches.

Migrating the default gateway

Once you have completed the routing protocol migration, and the HP A-Series
switches have the proper routes in place, you can migrate the default gateway role to
those switches. You can complete this step either before or after you migrate the
edge switch connections (step 3 in the process that you examined earlier). The
primary difference between the two approaches will be the traffic flow:
• If you migrate the default gateway functionality before migrating the edge switch
  connections, all traffic will flow across the link between the parallel distribution
  layers until you migrate the edge connections.
• If you migrate the edge connections first, all traffic will flow across the link
  between the parallel distribution layers until you migrate the default gateway
  functionality.

As long as the link can handle the traffic during the migration, you need not be
concerned.

Important
In order to minimize the outage to the network, pre-stage the commands (step 5
and step 6) on each switch before executing them.

5. Disable one of the VLANs on the current routing switch.
   Ready the command in advance so that you can press [Enter] and then move to
   the new distribution switch session quickly.

6. Enable the same VLAN on the new distribution switch.
   Ready the command in advance so that you can press [Enter] as soon as you
   press [Enter] on the old distribution switch.
   Again, it is simpler to migrate the IP address when you are dealing with only
   one switch.

   Note
   This suggested process does not attempt to clear the endpoints’ ARP caches and
   force them to use the new gateway’s MAC address. Instead, you simply shut
   down the VLAN on the current switch and tolerate the two to four seconds it takes
   the endpoints to realize that they need to send a new ARP request.

7. Repeat the process for each VLAN.

8. After the migration is complete, you can remove the old distribution switch.

Brainstorm situations in which you would use the parallel network method. Have you
encountered customers whose priorities aligned with the advantages of this method?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Creating alternate strategies

Whatever plan you choose, you must customize it to meet your customer’s constraints
and priorities. For example, the customer might not allow you to alter configurations
on the DHCP server or other network services. In that case, you would be required to
use the same IP addresses for the new distribution switch that you were using for
HSRP.

Or the customer might have port constraints at the core that require you to disconnect
some of the old switches before connecting new distribution switches. You would
need to select the replacement or forklift strategy, or develop a combination of the
parallel network and replacement method of your own. The lab actually features such
a constraint, with which you will need to deal.

NOTES

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Summary

This module has guided you through many of the design considerations and potential
pitfalls of a migration from a Cisco distribution layer to an HP A-Series distribution
layer. You have learned how to plan the configuration for an open standards–based
network with an HP A-Series distribution layer, and you have experimented with and
analyzed the results of several migration strategies for reaching this final
configuration. Along the way, you have discovered potential issues and areas of
concern, and you have developed solutions for these problems.

Prelab activity: Plan a complete migration strategy

[Figure: INITIAL topology (CCore_1, CCore_2; CDist_1, CDist_2; CEdge_1, CEdge_2;
PC_1 (server), PC_2 (client); EIGRP, HSRP, CDP, VTP, PVST) and FINAL topology
(CCore_1, CCore_2; HaDist IRF; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client);
OSPF, LLDP, VLAN, MSTP)]

Figure 4-18: Prelab activity: Plan a complete migration strategy

In preparation for the lab, you and your partner will now plan a strategy for the
migration. Follow the instructions in the sections below until:
• The HP A-Series switches have replaced the Cisco distribution switches and have
  redundant connections to the edge
• The Cisco distribution switches have been disconnected
• Both HP A-Series switches are routing traffic and STP is operating as planned

You might not need to use each step.

You are working with these constraints:
• Each distribution and edge switch has only four available ports for all
  switch-to-switch and edge connections.
• You want to minimize downtime.

Be prepared to present your plan to your classmates.

For any protocol that you do not plan to migrate at this point, explain how the Cisco
protocol will interoperate with the HP A-Series protocol.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

What settings will you use for these protocols? You can use the plan that you created
beginning on page 4-15 or the plan that was proposed beginning on page 4-22.

_______________________________________________________________________

If you are planning to migrate the Cisco distribution switches to open standard
protocols such as OSPF, you must use settings that are compatible with your plan for
the HP A-Series configuration. Plan those settings:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Step 2: Begin to configure the HP A-Series switches

Before touching the connections, you will also configure settings on the HP A-Series
switch. Circle and place a star next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

What settings will you use for these protocols? You can use the plan that you created
beginning on page 4-15 or the plan that was proposed beginning on page 4-22.

_______________________________________________________________________

Step 3

You will now begin to migrate your Layer 2 connections or Layer 3 functionality (as
you choose).

Will you alter any settings before you begin? If so, indicate which settings you will
change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Network diagram to complete: CCore_1, CCore_2; HaDist_1, HaDist_2; CDist_1,
CDist_2; CEdge_1, CEdge_2; PC_1 (server), PC_2 (client)]

Figure 4-20: Migration step

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:
• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:
• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 5

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-21: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 6

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-22: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 7

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-23: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 8

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-24: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 9

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-25: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 10

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-26: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 11

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-27: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Step 12

Continue to migrate your Layer 2 connections or Layer 3 functionality (as you
choose).

Will you alter any settings before you make the next change in connections or in
which switch is routing? If so, indicate which settings you will change.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Label the switch or switches that will be routing at the end of this step. If you are
moving the routing functionality from one switch to another, two switches to one
switch, or one switch to two switches, plan a process for doing so:

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Add to the network diagram the connections for this step of the migration. Indicate
which ports you expect STP to block. During the lab, you will verify whether what you
expect to occur actually occurs.

[Figure 4-28: Migration step. Network diagram of CCore_1, CCore_2, HaDist_1, HaDist_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server) and PC_2 (client)]

Circle the settings that are currently migrated on the Cisco switches at this step. Place
a star next to the settings that you will now migrate:

• LLDP to CDP
• VTP to GVRP or static VLANs
• RPVST+ to MSTP
• EIGRP to OSPF

Circle the settings that are currently enabled on the HP A-Series switches. Place a star
next to the settings that you will enable at this point:

• LLDP
• VLANs
• MSTP
• IP settings
• OSPF
• IRF

Lab Activity 4.1: Migrating the Distribution Layer from Cisco to HP A-Series Devices

[Figure 4-29: Lab Activity 4.1: Migrating the Distribution Layer from Cisco to HP A-Series Devices. Two diagrams: INITIAL (CCore_1, CCore_2, CDist_1, CDist_2, CEdge_1, CEdge_2, PC_1 (server), PC_2 (client)) and FINAL (CCore_1, CCore_2, HaDist, CEdge_1, CEdge_2, PC_1 (server), PC_2 (client)). Diagram labels: EIGRP, OSPF, HSRP, IRF, CDP, LLDP, Rapid PVST, VLAN, MSTP]

Consult your Lab Activity Guide for instructions for performing this activity.

Lab debrief

Use the space below to record the key things you learned, and also the challenges
you faced in lab activity 4.1.

Table 4-11: Debrief for lab activity 4.1

| Challenges | Key things learned |
|---|---|
|  |  |

NOTES

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Learning check

Discuss these questions with your classmates:

Q1: What is the simplest method for eliminating loops on redundant connections
between Cisco edge switches and two HP A-Series switches at the distribution layer?

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

Q2: What advantages does IRF provide on the new HP A-Series devices in
comparison to VRRP and MSTP?

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

Appendix: Implementing ACLs and QoS on the replacement HP A-Series switches

This appendix provides information on reproducing Cisco access control lists (ACLs)
and Quality of Service (QoS) policies on HP A-Series devices.

Migrate ACLs and QoS policies

In order to help you concentrate on the fundamentals of the migration, until now you
have examined migrating distribution layers with relatively simple configurations. But
in a production environment you will often encounter switches that implement more
sophisticated features, and you must consider the effects of these features on the
migration.

The last section in this module introduces you to a few considerations for migrating a
distribution layer from Cisco to HP A-Series devices when the distribution switches
enforce ACLs and QoS policies.

Your two main goals for this section are to:

• Configure HP A-Series ACLs and QoS policies that provide the expected
  functionality
• Determine the best time to enable the new ACLs or policies during the migration

You can meet these goals within any of the migration models that you have
examined in this module. The first question remains more or less the same no matter
which method you use. The second question is more complicated for the parallel
network and replacement strategies in which you migrate functionality gradually
while attempting to minimize downtime.

Applying the ACLs

| ACL application | Cisco functionality | HP A-Series functionality |
|---|---|---|
| Routed ACL (RACL) | • Applied to a routed port or VLAN interface as inbound (in) or outbound (out) • Controls all traffic routed from (in) or to (out) the interface | • Applied to a physical port or VLAN interface as inbound (in) or outbound (out) • Controls all traffic routed from (in) or to (out) the interface |
| VLAN-based ACL (VACL) | • Applied as ACLs in a VLAN access map, which is applied to a VLAN list • Controls all traffic routed to the VLAN and arriving on the VLAN | • Applied to a VLAN interface as inbound (in) or outbound (out) • Controls all traffic leaving or arriving on all ports in the VLAN |
| Port ACL | • Applied to a physical port as inbound (in) or outbound (out) • Controls all traffic arriving on (in) or leaving the port (out) | • Applied to a physical port as inbound (in) or outbound (out) • Controls all traffic arriving (in) or leaving the port (out) |

Figure 4-30: Applying the ACLs
You do need to understand some differences in the ways that you apply ACLs on HP
A-Series switches as compared to applying them to Cisco switches. Otherwise, you
might find the ACLs allowing or denying unexpected traffic.

RACLs

You apply routed ACLs (RACLs) to inbound or outbound traffic on routed A-Series
interfaces much as you do on Cisco switches (in and out options in the packet-filter
command).

Note that A-Series switches do not have routed physical interfaces. Instead, you must
create a VLAN interface for the subnet and specify the IP address there; you can then
assign that VLAN as a port access VLAN on a physical port. As long as you do not
assign that VLAN to any other ports, the port behaves much like a routed port.
However, remember that you apply all IP settings and so forth to the VLAN interface.

VACLs

It is VLAN-based ACLs (VACLs) that differ most in configuration between the two
vendors. On Cisco switches, when you want to control both routed and non-routed
traffic that arrives on a VLAN interface, you use VLAN access maps. You configure
ACLs to select traffic and then apply an action to traffic selected by the ACL in the
VLAN access map. A VLAN access map, like a typical ACL, has an implicit drop all
statement at the end.

On HP A-Series switches, you configure VACLs to control routed and non-routed
traffic just as you do other ACLs. You then apply the ACL to the VLAN interface using
the packet-filter command.

Port ACLs

On HP A-Series switches, you apply port ACLs to inbound or outbound traffic on a
port by applying the ACL to a physical port.

Planning the ACL migration


You will often find migrating your ACLs to the HP A-Series devices rather
straightforward. RACLs, which are commonly applied at the distribution level,
function on the HP A-Series devices just as they do on the Cisco devices.

Planning VACLs
A Cisco VLAN access map filters all traffic on a VLAN:
• Traffic that arrives on the VLAN at Layer 2 and is switched within that VLAN
• Traffic that arrives on the VLAN at Layer 2 and is routed out of the VLAN
• Traffic that arrives on a different interface and is routed to the VLAN

VACL example
A Cisco switch is the default router for VLAN 10 (10.1.10.0/24), VLAN 11
(10.1.11.0/24), and VLAN 20 (10.1.20.0/24). It also connects to a WAN router,
which connects to the Internet, on a routed port. It has this ACL configuration:

access-list 100 permit ip 10.1.11.0 0.0.0.255 host 10.1.10.10
access-list 100 permit ip 10.1.10.128 0.0.0.127 host 10.1.10.10
access-list 100 permit ip 10.1.10.0 0.0.1.255 10.1.20.0 0.0.0.255
vlan access-map VLAN10_11_AC 10
 match ip address 100
 action drop
vlan access-map VLAN10_11_AC 20
 action forward
vlan filter VLAN10_11_AC vlan-list 10-11

You can create a table that shows how the Cisco switch is controlling traffic.

Table 4-13: Example Cisco VLAN access map

| Traffic that is controlled | How traffic is controlled |
|---|---|
| Traffic that arrives on VLAN 10 and is switched in VLAN 10 | Endpoints between 10.1.10.128 and 10.1.10.254 are denied access to 10.1.10.10. All other switched traffic is permitted. |
| Traffic that arrives on VLAN 10 and is routed to another VLAN or routed port | Traffic to VLAN 20 is dropped, but all other traffic is permitted. |
| Traffic that arrives on another VLAN or routed port and is routed to VLAN 10 | All endpoints in VLAN 11 are denied access to 10.1.10.10. (This statement will actually be redundant because the map applied to VLAN 11 will also filter this traffic. However, you have saved time by applying the same map to two VLANs.) All other traffic to VLAN 10 is permitted. |
| Traffic that arrives on VLAN 11 and is switched in VLAN 11 | All switched traffic is permitted. |
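The VLAN access map in the VACL example can be modeled in a few lines to build a regression matrix for the migration: the flows below reproduce the rows of Table 4-13, and the same flows can be replayed through the replacement switch once its ACLs are applied. This is an added example, not part of the course material; the host addresses are constructed samples, 192.0.2.1 stands in for an Internet host, and the model covers only permit entries, which is all ACL 100 uses.

```python
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


# access-list 100 from the VACL example: (source, wildcard, destination, wildcard).
# "host X" is shorthand for X with wildcard 0.0.0.0. All entries are permits.
ACL_100 = [
    ("10.1.11.0", "0.0.0.255", "10.1.10.10", "0.0.0.0"),
    ("10.1.10.128", "0.0.0.127", "10.1.10.10", "0.0.0.0"),
    ("10.1.10.0", "0.0.1.255", "10.1.20.0", "0.0.0.255"),
]

# vlan access-map VLAN10_11_AC: (sequence, ACL to match, action).
# None means the clause has no match statement and selects everything.
ACCESS_MAP = [(10, ACL_100, "drop"), (20, None, "forward")]

# vlan filter VLAN10_11_AC vlan-list 10-11, and the subnets the switch routes.
FILTERED_VLANS = {10, 11}
VLAN_SUBNETS = {10: "10.1.10.0/24", 11: "10.1.11.0/24", 20: "10.1.20.0/24"}


def vlan_of(addr):
    """VLAN that owns the address, or None when it is reached over the routed port."""
    for vlan, subnet in VLAN_SUBNETS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(subnet):
            return vlan
    return None


def acl_selects(acl, src, dst):
    return any(
        wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
        for s, sw, d, dw in acl
    )


def vacl_action(src, dst):
    """Action the access map takes on a packet from src to dst."""
    if not {vlan_of(src), vlan_of(dst)} & FILTERED_VLANS:
        return "not filtered"  # the packet never touches VLAN 10 or VLAN 11
    for _seq, acl, action in sorted(ACCESS_MAP, key=lambda clause: clause[0]):
        if acl is None or acl_selects(acl, src, dst):
            return action  # the first matching clause wins
    return "drop"  # implicit drop all at the end of the map


# Constructed sample flows with the action Table 4-13 predicts for each.
MIGRATION_CHECKS = [
    ("10.1.10.200", "10.1.10.10", "drop"),     # upper half of VLAN 10 to the host
    ("10.1.10.50", "10.1.10.10", "forward"),   # other traffic switched in VLAN 10
    ("10.1.10.50", "10.1.20.5", "drop"),       # VLAN 10 routed to VLAN 20
    ("10.1.10.50", "192.0.2.1", "forward"),    # VLAN 10 routed to the WAN
    ("10.1.11.7", "10.1.10.10", "drop"),       # VLAN 11 routed to the host
    ("10.1.20.5", "10.1.10.10", "forward"),    # other traffic routed to VLAN 10
    ("10.1.11.7", "10.1.11.8", "forward"),     # switched in VLAN 11
]


def run_checks():
    """Return (src, dst, expected, actual) for every sample flow."""
    return [(s, d, want, vacl_action(s, d)) for s, d, want in MIGRATION_CHECKS]


if __name__ == "__main__":
    for src, dst, want, got in run_checks():
        status = "ok" if want == got else "MISMATCH"
        print(f"{src:>12} -> {dst:<12} expected {want:<8} got {got:<8} {status}")
```

The wildcard 0.0.1.255 in the third ACL entry covers both 10.1.10.0/24 and 10.1.11.0/24, so traffic from VLAN 11 to VLAN 20 is dropped as well.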

Determine when to migrate the ACLs

| ACL function | When you must migrate |
|---|---|
| Filter routed traffic | Before the new switch begins to route traffic |
| Filter traffic within a VLAN | Before the traffic passes through the new switch |
| Filter traffic on a port | Before the traffic passes through the new switch |

But you can generally just enable the ACLs when you first configure the switch.

Figure 4-31: Determine when to migrate the ACLs

You must understand which type of traffic the ACL affects to determine when the HP
A-Series ACL must take over. If the ACL is filtering routed traffic, for example, the HP
A-Series switch must begin applying the ACL as soon as it routes the traffic. However,
if the ACL filters traffic within a VLAN or traffic that arrives on a specific port, the HP
A-Series ACL must filter the traffic as soon as the traffic flow alters and the traffic
begins to pass through the HP A-Series switch instead of the old chokepoint.

Figure 4-32: Migrating a port ACL or VACL


Often, there are no adverse consequences to enabling all the ACLs before you
connect the HP A-Series switch to the network as a replacement or parallel
distribution switch. Then you are sure that the ACLs are in place and ready to control
traffic.

Note that during the migration process the route path might temporarily alter. For
example, in the first section of this module, you learned strategies for migrating the
Layer 3 functionality in which an old distribution switch temporarily routes some
VLANs while a new switch routes others. However, as long as you have the correct
RACLs in place on the new HP A-Series switches, the traffic should be controlled
correctly as illustrated in the figures below.

[Figure: four panels showing the routing path between VLAN 20 and VLAN 10 with an outbound RACL on VLAN 10: original routing path; temporary routing path if you migrate another VLAN first; temporary routing path if you migrate VLAN 10 first; final routing path]

Figure 4-33: Migrating an outbound RACL

Note that outbound RACLs need to be in place on the new routing switch as soon as
you begin migrating any VLAN routing responsibilities to this switch—not simply
before you migrate the VLAN in question. Even though the new switch is not yet the
default gateway for that VLAN, it is routing traffic to it. Again, it is generally best
practice simply to configure the ACLs in advance and know that they are in place.

Figure 4-34: Migrating an inbound RACL

Migrating QoS policies


When you replace your Cisco distribution switches with HP A-Series switches, you
must assess the Cisco switches’ role in your current QoS solution, and plan how to
configure the A-Series switches to take over that role.

Devices at the distribution layer might implement a variety of QoS features that fall in
several broad categories:
• Honoring prioritization—The switch honors traffic’s 802.1p Class of Service
  (CoS) or Differentiated Services Code Point (DSCP) values, typically by placing
  them in different priority queues.
• Classifying (and marking) traffic—The switch classifies traffic according to
  characteristics such as source and destination IP address, protocol, or TCP/UDP
  port, and assigns it to the correct priority queue. Typically the switch then marks
  each type of traffic with the appropriate CoS or DSCP to be honored after it is
  forwarded to another device.
Because it is best to classify traffic as close to the source as possible (at the edge),
the distribution layer often plays only the first role. However, it can play both.

Configure QoS policies on HP A-Series switches


You can now consider some of the specific QoS functionalities.

Honor prioritization

Sometimes the distribution layer only needs to honor priorities that have already
been established by trusted applications or by switches at the edge.
On Cisco switches you must manually specify on which ports the switch can accept
and honor CoS values and DSCPs. HP A-Series switches, on the other hand, by
default honor these values. Of course, as always, a frame must arrive on a tagged
VLAN (have the 802.1Q tag) in order for it to carry a CoS value. The DSCP is
located in the Layer 3 header, so it can be detected in traffic that arrives on a
tagged or untagged VLAN.
Once the switch determines that it honors traffic’s QoS value, it must decide how it
will treat the traffic based on that value. On both Cisco and A-Series devices CoS
values are assigned to specific priority queues; the switch then forwards traffic in
higher queues first. Also, on both types of switch you map DSCPs to CoS values in
order to assign traffic with that DSCP to a priority queue.
The table provides some guidelines.

Table 4-14: QoS capabilities on Cisco and HP A-Series switches

Capability: Assign traffic to a priority queue based on a CoS value
  Cisco configuration:
    Globally:
      mls qos
    On the port that receives the traffic:
      mls qos trust cos
  HP A-Series configuration:
    None necessary

Capability: Assign traffic to a priority queue based on a DSCP
  Cisco configuration:
    Globally:
      mls qos
    On the port that receives the traffic:
      mls qos trust cos
    Globally:
      mls qos map cos-dscp <dscp1...dscp7>
    dscp1 is the DSCP that corresponds to the CoS 0 priority queue and so forth.
  HP A-Series configuration:
    Globally:
      qos map-table dscp-dot1p
      import <0-63> export <0-7>
    You can create multiple maps; several are created by default (enter
    display qos map-table <dot1p-dp>|<dot1p-lp>|<dscp-dot1p>|<dscp-dp>|<dscp-dscp>
    to see these maps).

Capability: Assign a rate limit to selected traffic
  Cisco configuration:
    Globally:
      mls qos
      access-list <ID> <permit | deny> <standard or extended ACL selectors>
      class-map [match-all | match-any] <name>
      match access-group <ID>
      exit
      policy-map <name>
      class <name>
      police <bps> <burst rate> exceed-action drop
      exit
    On the interface that receives the traffic:
      interface <type> <ID>
      service-policy input <name>
  HP A-Series configuration:
    Globally:
      traffic classifier <name>
      if-match any
      quit
      traffic behavior <name>
      car cir <64-32000000>
      quit
      qos policy <name>
      classifier <name> behavior <name>
      quit
      qos apply policy <name> global <in|out>
    or
      interface <port-list> qos apply policy <name> <in|out>
    or
      vlan <ID> qos apply policy <name> <in|out>

Classify and mark traffic


Sometimes—perhaps because you have legacy edge switches—you need to classify
some traffic at the distribution level.
Cisco switches generally classify traffic with class maps and policy maps. The class
map selects a particular type of traffic while the policy map applies actions to the
class maps such as marking the traffic with a QoS value or enforcing policing. You
then apply the policy map to an interface as a service policy.
On HP A-Series switches you can similarly create traffic classes that select particular
types of IPv4 or IPv6 traffic. You then create service policies that select the classes
and apply actions such as QoS-value marking or rate limiting. Finally, just as on the
Cisco switches, you apply the service policy to a port or VLAN interface.
The table provides an example of QoS traffic classification, comparing the Cisco
configuration, the HP A-Series per-port or per-VLAN configuration, and the HP A-
Series global configuration.

Table 4-15: QoS classification capabilities on Cisco and HP A-Series switches

Capability: Select specific traffic according to its source, destination, protocol, or
TCP/UDP ports; assign this traffic a priority; and mark the traffic with a QoS value
  Cisco configuration:
    Globally:
      mls qos
      access-list <ID> <permit | deny> <standard or extended ACL selectors>
      class-map [match-all | match-any] <name>
      match access-group <ID>
      exit
      policy-map <name>
      class <name>
      set <dscp | cos> <value>
      exit
    On the interface that receives the traffic:
      interface <type> <ID>
      service-policy input <name>
  HP A-Series per-port or per-VLAN configuration:
      traffic classifier <name>
      if-match <any> <acl> <customer-dot1p> <customer-vlan-id> <destination-mac>
        <dscp> <protocol> <service-dot1p> <service-vlan-id> <source-mac>
      quit
      traffic behavior <name>
      remark <customer-vlan-id> <dot1p> <drop-precedence> <dscp>
        <local-precedence> <service-vlan-id>
      quit
      qos policy <name>
      classifier <name> behavior <name>
      quit
      interface <port-list> qos apply policy <name> <in|out>
    or
      vlan <ID> qos apply policy <name> <in|out>
  HP A-Series global configuration:
    Select traffic by TCP/UDP port or by IP address or by IP protocol:
    Create ACL to match (see previous section on ACL for details)
      traffic classifier <name>
      if-match <any> <acl> <customer-dot1p> <customer-vlan-id> <destination-mac>
        <dscp> <protocol> <service-dot1p> <service-vlan-id> <source-mac>
      quit
      traffic behavior <name>
      remark <customer-vlan-id> <dot1p> <drop-precedence> <dscp>
        <local-precedence> <service-vlan-id>
      quit
      qos policy <name>
      classifier <name> behavior <name>
      quit
      qos apply policy <name> global <in|out>

Optional Lab Activity 4.2: Migrating ACLs and QoS Policies from a Cisco to an HP A-Series Distribution Layer

[Figure: two lab topologies. One shows CCore_1, CCore_2, CDist_1 (ACLs and QoS), CEdge_1, CEdge_2, PC_1 (server), PC_2 (client), and PC_3 (client). The other shows CCore_1, CCore_2, HaDist (an IRF of HaDist_1 and HaDist_2, ACLs and QoS), CEdge_1, CEdge_2, PC_1 (server), PC_2 (client), and PC_3 (client).]

Figure 4-35: Optional Lab Activity 4.2: Migrating ACLs and QoS Policies from a Cisco to an HP A-Series Distribution Layer

Consult your Lab Activity Guide for instructions for performing this activity.

Migrating Border Gateway Protocol


Module 5

Objectives
After completing this module, you will be able to:
• Replace a BGP-configured Cisco router with a BGP-configured HP A-Series router
• Consider operation order to reduce downtime
• Convert a BGP configuration of a Cisco router to a configuration of an HP A-Series
  router
• Select HP A-Series BGP features such as Bi-Directional Forwarding (BFD) to
  improve your new BGP configuration

BGP session establishment

[Figure: state diagram for two BGP peers. Idle: BGP started or reset. Connect: TCP session with BGP speaker. Active: on error or reset. OpenSent and OpenConfirm: BGP OPEN messages exchanged. Established: after the first keepalive. Once established, the peers start sending UPDATE messages and exchange the full routing table; if there is no UPDATE, they send a keepalive. A hold timer is shown.]

Figure 5-1: BGP session establishment

BGP’s primary function is to enable BGP routers to exchange “reachability
information,” including information about relevant autonomous systems. (Request for
Comments [RFC] 4271: A Border Gateway Protocol 4, p. 1.) An autonomous system
(AS) is “a set of routers under a single technical administration.” Today these routers
may use more than one interior gateway protocol and more than one set of metrics
to route packets within the AS; they will typically also use an exterior gateway
protocol to route packets to other ASs. (RFC 4271, p. 4.)
BGP routers that exchange reachability information are called “peer routers.” If two
peers are in the same AS, they are called “internal peers.” If peers are in different
ASs, they are called “external peers;” external peers are adjacent and share a
subnet.
When a BGP routing process establishes a peering session with a peer, it goes
through several state changes, which are listed in the boxes in the slide. The two
BGP peers initially exchange messages to form a TCP connection. Once this
connection is established, they exchange their entire BGP routing tables. Thereafter,
the two peers exchange only updates. For example, a BGP router sends an update
if configuration changes affect routing policies or if a topology change has
occurred.
To ensure that BGP peers are still operational, each BGP router sends keepalive
messages. If a router does not receive a keepalive from one of its peers, it ends the
connection.
The sections below describe the states in more detail.

Idle
The BGP routing process is initially in the idle state. If the BGP routing process
receives a start event (either an administrator manually starts it or the system starts it
automatically), the process initializes the BGP resources, starts the ConnectRetry
timer, tries to set up a transport connection to another BGP peer, and listens for a
connection from a BGP peer. It changes its state to Connect.
If at any time the BGP routing process is reset, then the peer is reset, and the BGP
routing process returns to the Idle state.

Note
If the BGP routing process is set to start in passive TCP mode, it listens for
connections but does not initiate them and changes its state to Active.

Connect
During the Connect state, the BGP routing process waits for the TCP connection to
another BGP peer to be completed. If the connection is established successfully, the
BGP routing process:
• Clears the ConnectRetry timer
• Sends an open message to its peer, either immediately or after a delay,
  depending on the configuration
• Either:
  ◦ Transitions to the OpenSent state—if it sends the open message first
  ◦ Transitions to the OpenConfirm state (but first sends its open message)—if it
    receives the peer’s valid open message first
If the connection fails to be established, the BGP router resets to the Idle state.
However, if the process was waiting to send a delayed open message and the
connection then fails, the router moves to the Active state.

Active
In the Active state, the BGP routing process continues to listen for a TCP session with
a BGP peer.
• Failures
  ◦ If the ConnectRetry timer expires before the connection is established
    successfully, the BGP router will restart the timer. It will then move to the
    Connect state and try to initiate a TCP connection to a BGP peer again as
    well as continue to listen for other connections. If the second attempt is
    unsuccessful, the BGP routing process will return to the Idle state.
  ◦ If the BGP router receives a connection request from an unknown IP
    address, it will reject the request, restart the ConnectRetry timer, and
    continue to listen for connections from other BGP peers.
• Success
  ◦ If the connection is established successfully, the BGP routing process takes
    the same steps that it takes at a successful connection in the Connect state.
    The process sends an open message and transitions to the OpenSent or
    OpenConfirm state (depending on whether it first received an open
    message from the peer).

OpenSent
The BGP routing process listens for an open message from its BGP peer. When it
receives the message, it determines whether its BGP parameters match those of the
BGP peer. If the parameters fail to match, the BGP routing process sends a
notification to its BGP peer. The local router’s BGP routing process transitions to the
Idle state.
If the parameters match, the BGP routing process sends a keepalive message and
transitions to the OpenConfirm state.

OpenConfirm
The BGP routing process listens for a keepalive from the BGP peer. If its Keepalive
timer expires first, it sends its own keepalive and continues to wait for the peer’s.
The process continues to wait for the duration of the HoldTime, which started
running when the process sent its open message. (The HoldTime is quite long,
typically four minutes). If the HoldTime expires before the process receives a
keepalive, the routing process resets the connection and returns to the Idle state.
However, if the BGP routing process does receive a keepalive message, it transitions
to the Established state.
On the other hand, if it receives a notification message (such as one that indicates
mismatched parameters), the BGP routing process transitions to the Idle state. If an
error or configuration change occurs, the BGP routing process sends a notification
message with the Finite State Machine (FSM) error code and then transitions to the
Idle state.

Established
The BGP routing process has established a peer and will now exchange update
messages with that peer. It will restart the hold timer when it receives an update or
keepalive message.
If the BGP routing process receives an error notification, however, it will move to the
Idle state.
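During a migration, a peer that never reaches Established is easier to diagnose when its observed state history is checked against the transitions described in the sections above. The sketch below is an added example, not part of the course material: the histories are constructed samples of the kind you would collect by polling the peer state repeatedly, and the reason strings paraphrase the text above.

```python
# Transitions described in the state sections above, keyed by (from, to),
# with the cause the text gives for each one.
TRANSITIONS = {
    ("Idle", "Connect"): "start event; TCP connection attempt begins",
    ("Idle", "Active"): "process started in passive TCP mode",
    ("Connect", "OpenSent"): "TCP connected; local open message sent first",
    ("Connect", "OpenConfirm"): "TCP connected; peer's valid open message received first",
    ("Connect", "Active"): "connection failed while a delayed open message was pending",
    ("Connect", "Idle"): "TCP connection failed",
    ("Active", "Connect"): "ConnectRetry timer expired; connection retried",
    ("Active", "OpenSent"): "TCP connected; local open message sent first",
    ("Active", "OpenConfirm"): "TCP connected; peer's valid open message received first",
    ("Active", "Idle"): "BGP routing process reset",
    ("OpenSent", "OpenConfirm"): "peer's parameters matched; keepalive sent",
    ("OpenSent", "Idle"): "parameters did not match; notification sent",
    ("OpenConfirm", "Established"): "keepalive received from the peer",
    ("OpenConfirm", "Idle"): "HoldTime expired or notification message received",
    ("Established", "Idle"): "error notification received or process reset",
}

# Progress order used to report how far a session got before it fell back.
ORDER = ["Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established"]


def review(history):
    """Check a list of observed peer states against the described transitions.

    Returns (furthest state reached, explained steps, undescribed transitions).
    """
    steps, undescribed = [], []
    for previous, current in zip(history, history[1:]):
        if previous == current:
            continue  # same state seen on two consecutive polls
        reason = TRANSITIONS.get((previous, current))
        if reason is None:
            # Either polling missed intermediate states or the data is wrong.
            undescribed.append((previous, current))
        else:
            steps.append(f"{previous} -> {current}: {reason}")
    furthest = max(history, key=ORDER.index)
    return furthest, steps, undescribed


# Constructed sample histories.
HEALTHY = ["Idle", "Connect", "OpenSent", "OpenConfirm", "Established"]
MISMATCH = ["Idle", "Connect", "OpenSent", "Idle", "Connect", "OpenSent", "Idle"]
NO_TCP = ["Idle", "Connect", "Active", "Connect", "Idle"]
GAPPED = ["Idle", "Established"]

if __name__ == "__main__":
    for name, history in [("healthy", HEALTHY), ("mismatch", MISMATCH),
                          ("no TCP", NO_TCP), ("gapped", GAPPED)]:
        furthest, steps, undescribed = review(history)
        print(f"{name}: furthest state {furthest}")
        for step in steps:
            print("   ", step)
        for previous, current in undescribed:
            print(f"    {previous} -> {current}: not a described transition")
```

A history that repeatedly reaches OpenSent and falls back to Idle points at mismatched parameters in the open messages, while one that cycles between Connect and Active never completed the TCP connection.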

BGP capabilities

[Figure: BGP Peer 1 and BGP Peer 2 exchanging an OPEN message that carries the Route Refresh, BGP Graceful Restart, ORF Send/Receive, and Multiprotocol extension capabilities, with the commands that display BGP peer capabilities]

Figure 5-2: BGP capabilities

BGP routers exchange capability parameters in a BGP open message. If an open
message contains an unknown or unsupported capability, the BGP router will send
its BGP peer a notification message, indicating the problem.
Some of the current BGP capabilities, their capability code, and the RFC in which
they are defined are listed below:
• Capability code 0, Reserved, RFC 2842
• Capability code 1, Multiprotocol Extensions for BGP 4, RFC 2858
• Capability code 2, Route Refresh Capability for BGP 4, RFC 2918
• Capability code 3, Cooperative Route Filtering Capability, RFC 4684
• Capability code 4, Multiple routes to a destination capability, RFC 3107
• Capability code 64, Graceful Restart Capability, RFC 4724
To determine if a BGP router supports a capability, use the following commands:
[HP] display bgp peer verbose
Cisco# show ip bgp neighbors
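When the display commands are not enough (for example, when you only have a packet capture of the session setup), the capabilities can be read straight from the open message. The parser below is an added example, not part of the course material: it follows the OPEN layout in RFC 4271 with capabilities carried in optional parameter type 2, uses the capability names listed above, and runs on a constructed message (AS 100, hold time 180, identifier 10.1.1.2) rather than a real capture.

```python
import struct

# Capability names as listed in the text above.
CAPABILITY_NAMES = {
    0: "Reserved",
    1: "Multiprotocol Extensions for BGP 4",
    2: "Route Refresh Capability for BGP 4",
    3: "Cooperative Route Filtering Capability",
    4: "Multiple routes to a destination capability",
    64: "Graceful Restart Capability",
}


def parse_open(message):
    """Parse one BGP OPEN message and return its fields and capabilities."""
    if len(message) < 29:
        raise ValueError("shorter than the minimum OPEN message (29 bytes)")
    marker, length, msg_type = struct.unpack("!16sHB", message[:19])
    if marker != b"\xff" * 16:
        raise ValueError("bad marker")
    if msg_type != 1:
        raise ValueError("not an OPEN message")
    if length != len(message):
        raise ValueError("length field does not match the message size")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack(
        "!BHH4sB", message[19:29])
    params = message[29:]
    if opt_len != len(params):
        raise ValueError("optional parameter length mismatch")
    capabilities = []
    for p_type, p_body in _tlvs(params):
        if p_type == 2:  # optional parameter type 2 carries capabilities
            capabilities.extend(_tlvs(p_body))
    return {
        "version": version,
        "as": my_as,
        "hold_time": hold_time,
        "bgp_id": ".".join(str(octet) for octet in bgp_id),
        "capabilities": capabilities,
    }


def _tlvs(data):
    """Split a run of (type, length, value) records with 1-byte type and length."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated record header")
        kind, size = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + size]
        if len(value) != size:
            raise ValueError("truncated record value")
        records.append((kind, value))
        pos += 2 + size
    return records


def describe(capability):
    code, value = capability
    name = CAPABILITY_NAMES.get(code, f"unknown capability {code}")
    if code == 1 and len(value) == 4:
        afi, _reserved, safi = struct.unpack("!HBB", value)
        return f"{name} (AFI {afi}, SAFI {safi})"
    if code == 64 and len(value) >= 2:
        # Upper 4 bits are restart flags, lower 12 bits the restart time.
        restart_time = struct.unpack("!H", value[:2])[0] & 0x0FFF
        return f"{name} (restart time {restart_time} s)"
    return name


def supports_route_refresh(open_info):
    return any(code == 2 for code, _value in open_info["capabilities"])


def build_open(my_as, hold_time, bgp_id, capabilities):
    """Build a constructed OPEN message for testing the parser."""
    caps = b"".join(bytes([c, len(v)]) + v for c, v in capabilities)
    params = bytes([2, len(caps)]) + caps if caps else b""
    ident = bytes(int(octet) for octet in bgp_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ident, len(params)) + params
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body


# Constructed samples: a peer that advertises route refresh and one that does not.
SAMPLE_OPEN = build_open(100, 180, "10.1.1.2", [
    (1, struct.pack("!HBB", 1, 0, 1)),   # IPv4 unicast
    (2, b""),                            # route refresh
    (64, struct.pack("!H", 120)),        # graceful restart, 120 s
])
LEGACY_OPEN = build_open(100, 180, "10.1.1.2", [(1, struct.pack("!HBB", 1, 0, 1))])

if __name__ == "__main__":
    info = parse_open(SAMPLE_OPEN)
    print(f"AS {info['as']}, hold time {info['hold_time']}, ID {info['bgp_id']}")
    for capability in info["capabilities"]:
        print("  ", describe(capability))
```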

Route refresh
A BGP router applies inbound routing policies to the routes that it receives from its
neighbors to determine which routes to accept and so forth. However, if the router’s
policies change, it needs to be able to access the original routes so that it can apply
the new policy to them. Traditionally, BGP routers had to store the original routes
locally for the rare occasions when the policies changed, which consumed needless
memory and processing power.

Hard reset
[Figure: slide showing how to trigger a BGP reset ([HP] reset bgp all; Cisco#clear ip bgp all) on Comware or IOS 12.1, with a diagram of a BGP peer between two peers (inbound filter, BGP table, path selection, IP routing table, outbound filter) and the question: What is the difference between a hard reset and powering off a BGP router?]

Figure 5-3: Hard reset

A hard reset tears down the specified peering sessions, including the TCP
connection, and deletes routes coming from the specified peer.
To perform a hard reset of a BGP neighbor connection, use the following
commands:
[HP] reset bgp { all | ip-address | group group-name | external | internal }
Cisco#clear ip bgp {* | address | peer-group name}
Cisco#clear ip bgp {all | address | peer-group name}

When you reset a BGP neighbor connection, the routes announced by that BGP
router are removed.
Q1: What is the difference between a hard reset and powering off a BGP router?

Route refresh
[Figure: slide showing how to request a route refresh from a neighbor ([HP] refresh bgp all import; Cisco#clear ip bgp * soft in) on Comware or IOS 12.1, with a diagram of a BGP peer between two peers (inbound filter, BGP table, path selection, IP routing table, outbound filter)]

Figure 5-4: Route refresh

A soft reset allows a BGP peer to apply new route policies without tearing down its
BGP session with its peers. Cisco refers to this type of refresh as a “dynamic
inbound soft reset.”
As mentioned earlier, the route refresh capability allows a local BGP router to
exchange route refresh requests with its BGP peers, thereby refreshing its inbound
routing tables. This capability saves memory and processing power on the BGP
router because the router can request the information that it needs in order to update
policies rather than store that information locally at all times.
To use the route refresh capability, BGP peers must exchange the BGP capabilities
advertisement to show that they support this capability. All BGP peers must support
the route refresh capability.
Route refresh is supported in Comware OS and in Cisco IOS 12.1 by default. To
perform a soft reset or trigger route refresh from neighbors:
[HP] refresh bgp { all | ip-address | group group-name | external | internal } import
Cisco#clear ip bgp {* | address | peer-group name} soft in

To perform a soft reset or trigger route refresh to neighbors:
[HP] refresh bgp { all | ip-address | group group-name | external | internal } export
Cisco#clear ip bgp {* | address | peer-group name} soft out

To determine if a BGP router supports this capability, use the following commands:
[HP] display bgp peer verbose
Cisco# show ip bgp neighbors

If BGP neighbor does not support route refresh


To store BGP updates from a BGP peer and allow inbound soft-reset:
[HP-bgp-100] peer 10.1.1.2 keep-all-routes
Cisco(config-bgp)#neighbor 10.1.1.2 soft-reconfiguration inbound

[Figure: diagram of a BGP peer between two peers, showing stored updates of remote peers, inbound filter, BGP table, path selection, IP routing table, and outbound filter]

Figure 5-5: If BGP neighbor does not support route refresh

If a BGP neighbor does not support the route refresh feature, you can configure a
local peer to store remote peer updates and then allow a soft reset inbound without
breaking the BGP connection.
[HP] peer { group-name | ip-address } keep-all-routes
Cisco(config-bgp)#neighbor {ip-address | peer-group-name} soft-reconfiguration inbound

Because this configuration consumes memory, you should first verify that the BGP
peers do not support route refresh.

What will happen if…


[Figure: AS 23 contains Router A and Router B, which run BGP, and Router C, reached through the IGP. ISP1 (AS 100) and ISP2 (AS 200) connect AS 23 to the Internet. On Router A: 1. The eBGP interface goes down? 2. The iBGP interface goes down? 3. The eBGP neighboring is shut down? 4. You trigger a soft reset with eBGP peer? Describe what happens to routing convergence and the network traffic.]

Figure 5-6: What will happen if…

The figure illustrates a network that implements BGP. The customer wants to replace
Router A with a new HP A-Series router, and you need to plan a smooth migration.
Next to the illustration, you see a list of four steps that you might consider taking
during the migration:
• Taking the eBGP interface down
• Taking the iBGP interface down
• Shutting down eBGP neighboring
• Triggering a soft reset with an eBGP peer
But before you take such a step, you must carefully consider the consequences.

What will happen on Router A if the eBGP interface goes down?


If there is a direct connection and the eBGP interface goes down, the BGP
connection will go down as well. This is equivalent to a hard reset; the BGP
connection is restarted. All prefixes from that neighbor that are in BGP and the
routing table are removed.
If the eBGP interface goes down, Router A will not send any traffic or receive any
traffic. Because the local AS route withdrawal will take some time—typically several
minutes on the Internet (see the following slides about convergence time)—a number
of routers will keep sending traffic to this BGP router.
Convergence may occur very quickly because the closest AS will be updated in
some seconds, and if BGP routers know about the alternate route, they will return
traffic to the right entry.

If a neighbor is not directly connected or the remote BGP peer cannot sense the
failure of the interface, then the remote peer will detect the failure of BGP only after
180 seconds. This is the default holdtime on Cisco and HP A-Series routers.

Note
With regard to route damping or dampening, an eBGP neighbor going down or
up is not considered a flap.

What will happen if the iBGP interface goes down?


If iBGP routing is set, as recommended, via loopback, iBGP peering can be
maintained via Router C. Because Router C is not an iBGP peer, however, it will not
be able to handle traffic destined to the Internet between Router A and Router B.
In this case it will be better to set iBGP neighboring based on the physical interface
so both peers will stop BGP peering. Both routers will remove the information they
received from their iBGP peers. When they receive LAN traffic that is destined to
the Internet, the routers will send it directly because both will see themselves as
having the best routes.
Traffic from the Internet may come back by the same BGP router or by the other BGP
router; as long as both are able to transmit IP packets to the Internet, that should be
fine. In a real-world scenario, a firewall may be facing the Internet and may NAT
the traffic source from a LAN; in this case traffic will return to the same path.

What will happen if eBGP neighboring is shut down?


This closes the BGP connection and all IP prefixes that were learned from the
neighbor are removed. Networks that originate from that peer will generate a
withdrawal that is propagated through the Internet. The BGP shutdown ensures a
quick BGP connection cleanup if that is your goal.

What will happen if you trigger a soft reset?


If the route refresh capability is available on both sides, a soft reset on Router A will
trigger ISP1’s router to resend updates. No connection will be lost during this
operation.

Destination reachability and BGP convergence time

• Extra downtime = downtime – disconnected
  = additional reachability loss due to BGP convergence
• False uptime: S has a route to D, but packets are not delivered
• U = disconnection time
• BGP GF: BGP Graceful Restart
(From Beichuan Zhang, Dan Massey, and Lixia Zhang, Destination Reachability and BGP Convergence
Time)

Figure 5-7: Destination reachability and BGP convergence time

In Destination Reachability and BGP Convergence Time, Beichuan Zhang, Dan
Massey, and Lixia Zhang defined and analyzed destination reachability. Their
presentation explained how they measured destination reachability, determined what
factors affected BGP convergence time, and suggested solutions to optimize
reachability. (See http://www.cs.arizona.edu/~bzhang/paper/04-globecom-destreach.pdf.)

What is destination reachability?


According to this study:
• “D is connected at time t when there exists at least one path from S to D.
  ◦ “decided by physical topology.
• “D is reachable at time t when packets sent from S at time t will eventually
  reach D.
  ◦ “decided by both topology and routing” (Destination Reachability and BGP
    Convergence Time).
• Destination reachability is measured with extra downtime.
  ◦ As explained below, extra downtime (e(s)) and false uptime (f(s)) can be used as metrics.

Extra downtime
• “e(s) = downtime(s) - disconnected(s)
  • “downtime(s): total time that D is unreachable from S.
  • “disconnected(s): total time that D is disconnected from S.
• “e(s) measures the additional loss of reachability due to routing dynamics
  following topological changes” (Destination Reachability and BGP Convergence
  Time).

False uptime
• “f(s): The time period during which S has a route to D, but packets sent by S will
  be eventually dropped in the network.
• “It measures the overhead on network resources” (Destination Reachability and
  BGP Convergence Time).

Impact on reducing time to convergence

• Tdown: The time it takes for a source to converge after D is disconnected.
• Tup: The time it takes to converge when D is reconnected
• BGP GF: BGP Graceful Restart
(From Beichuan Zhang, Dan Massey, and Lixia Zhang, Destination Reachability and BGP
Convergence Time)

Figure 5-8: Impact on reducing time to convergence

Case study
Beichuan Zhang, Dan Massey, and Lixia Zhang posed this question in their study:
“When the destination is disconnected for a period of time, what is its reachability
viewed from different sources?”
• “D is disconnected at time d1. It takes time Tdown(s) for S to converge.
• “D is re-connected at time d2. It takes time Tup(s) for S to converge.
  • “Total disconnection time is u=d2-d1. Calculate e(s) and f(s).” (Destination
    Reachability and BGP Convergence Time, p. 7.)

They discovered that “by reducing Tdown, BGP-GF has a mixed impact on packet
delivery, providing shorter f(s) but longer e(s).” They then concluded the following:
• “Packet delivery is the primary goal of routing.
• “Extra downtime and false uptime reflect the impact of routing on packet
  delivery.
• “Current BGP convergence improvement proposals could have a negative
  impact on packet delivery during transient failures.
• “Two possible:
  • “Mask transient failures [avoiding network withdrawal]
  • Shorten Tup” (Destination Reachability and BGP Convergence Time).

In their simulations, the authors found:
• 40 percent of failures last less than 1 minute.
• 80 percent of failures last less than 15 minutes (Iannaccone et al. on Sprint
  network BGP).
• Tdown can be as many as several minutes longer than Tup (Labovitz et al. from
  Internet measurement).

Therefore, the case of Tdown(s) > Tup(s) + u may indeed exist in the operational
Internet (Destination Reachability and BGP Convergence Time).
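
The case study's calculation of e(s) and f(s) can be worked through with a small interval model. The following is an added example, not taken from the study or from this guide; the timing model in the docstring and the sample values are assumptions made for illustration.

```python
"""Extra downtime e(s) and false uptime f(s) for one disconnection event.

Simplified model (an assumption of this example, not the study's full analysis):
  * D is physically disconnected during [d1, d2), so u = d2 - d1.
  * S keeps using its old route until the withdrawal converges at d1 + t_down.
  * S has a usable route again once the re-announcement converges at d2 + t_up.
  * If the withdrawal would converge only after the re-announcement
    (t_down >= u + t_up), S never removes the route at all.
"""


def overlap(a, b):
    """Length of the intersection of two half-open intervals (start, end)."""
    return max(0.0, min(a[1], b[1]) - max(a[0], b[0]))


def reachability_metrics(d1, d2, t_down, t_up):
    """Return u, e(s) and f(s) for a single failure seen from source S."""
    disconnected = (d1, d2)
    start, end = d1 + t_down, d2 + t_up
    # Interval during which S has no route to D (empty if start >= end).
    no_route = (start, end) if start < end else (start, start)

    u = d2 - d1
    both = overlap(disconnected, no_route)
    # False uptime: D is disconnected but S still has (and uses) a route.
    f = u - both
    # Extra downtime: D is connected again but S has no route yet.
    # Equals downtime(s) - disconnected(s) as defined on this page.
    e = (no_route[1] - no_route[0]) - both
    return {"u": u, "e": e, "f": f}


if __name__ == "__main__":
    # Constructed values (seconds): a 60 s failure with Tup = 30 s.
    for label, t_down in (("slow Tdown", 180), ("medium Tdown", 70),
                          ("fast Tdown", 20)):
        print(label, reachability_metrics(0, 60, t_down, 30))
```

With the slow Tdown, S never withdraws the route, so e(s) is zero and f(s) equals u. Shortening Tdown below u trades false uptime for extra downtime, which is the mixed impact the study reports.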


BGP advertising and receiving prefixes


This section reviews the process BGP routers use to advertise and receive prefixes.
You will then examine several use models for BGP; for your reference, HP Comware
and Cisco IOS configurations are provided. These example configurations will help
you to plan the configuration for the HP A-Series routers with which you replace
Cisco routers.

Finally, you will think about the best ways to prepare an existing BGP router to be
removed from the system.

BGP advertising and receiving IP prefixes


– Basically, advertisements and traffic flow are related:
  • An AS announcing a BGP network to the Internet may generate incoming traffic
    to this AS.
  • An AS learning networks from Internet may generate traffic to Internet.

[Figure labels: Internet, ISP1, ISP2, Router A, Router B, Router C, AS 100,
10.1.0.0/23. Legend: announcement for 10.1.0.0/23; data traffic for a destination in
10.1.0.0/23; announcement of full Internet routes; data traffic for Internet.]
Figure 5-9: BGP advertising and receiving IP prefixes

There are two basic relationships between advertisements and traffic:
• If an AS announces a network to the Internet, the announcement may generate
  incoming traffic to this AS. In other words, a router will not receive traffic if it
  does not announce networks (except from any static routes that point to it).
• Learning networks from the Internet may generate traffic to the Internet. If there
  are entries in the routing table, the router is able to forward traffic.

These basic considerations will be useful when removing a router from a network or
inserting one into it. In an IGP, such as OSPF or IS-IS, removing a router will trigger
a quick update in the routing table.

BGP is slower to converge. Network updates or withdrawals have to be carried over
a much larger network. As a prefix may remain on the Internet for a certain time, it
may generate traffic to the Internet for a long time afterward.

Multihome BGP scenario


– Announces its own network only
– Receives traffic that is destined to the AS only

[Figure panels: Announcing Prefix; Receiving Prefix. Labels: Internet, ISP1, ISP2,
BGP, IGP, Router A, Router B, Router C, AS 100, 10.1.0.0/23, 0.0.0.0/0 or Partial RT
or Full RT, 0.0.0.0/0, IP Subnets of 10.1.0.0/23. Legend: announcement; data traffic.]
Figure 5-10: Multihome BGP scenario

You will now look at BGP configurations for a common scenario: a multihomed AS.
A multihomed AS is typically an enterprise network with connections to two ISPs. The
AS only receives traffic for the private network and should not transit traffic between
the two ISPs.

Multihome outbound filter configuration

Listed below is a typical configuration for a multihome AS. In this configuration, the
multihome AS only announces its own network in order to avoid becoming a transit
AS. Typically the ISP’s BGP peers will set an inbound filter policy to accept only the
prefix of the multihome AS, which serves as a double-check.

In this and other sections in this module, the configuration for a Cisco router and the
equivalent configuration for an A-Series router are provided.

Note
All configurations will include addresses in the 10.0.0.0/8 and 172.16.0.0/20
range. In the real world, these would be public IP addresses; the private
addresses are simply used for the purposes of an example.

HP A-Series configuration
bgp 100
 network 10.1.0.0 23
 peer 172.16.10.1 ip-prefix out-filter export
#
ip route-static 10.1.0.0 23 null0
#
ip ip-prefix out-filter permit 10.1.0.0 23

Cisco IOS configuration


router bgp 100
 network 10.1.0.0 mask 255.255.254.0
 neighbor 172.16.10.1 prefix-list out-filter out
!
ip route 10.1.0.0 255.255.254.0 null0
!
ip prefix-list out-filter permit 10.1.0.0/23

The static route is a pull-up route: it keeps the announced block in the routing table,
while more specific prefixes within this address block ensure connectivity to the ISP’s
customers through “longest match lookup.”

Note
An inbound ACL on the eBGP connection may verify that traffic is only destined
to announced networks and may also verify the traffic source. See guidance
documents from the US National Security Agency for details:
http://www.nsa.gov/ia/guidance/security_configuration_guides/cisco_router_guides.shtml

Multihome inbound filter configuration

When receiving a network, the multihomed AS typically has three alternatives:
• Receive the full routing table from all ISPs
• Receive a default route only
• Receive a partial routing table

Typically the ISP peer is configured with a route-map (Cisco IOS) or route-policy (HP
Comware) that allows BGP to manipulate received prefixes. The match conditions
apply to the prefixes themselves or to their attributes (such as AS-Path), and the
route-map or route-policy then applies (“sets”) attributes on the matching prefixes.

The sections below provide example configurations for the following example:
• Received networks 10.X/16 are filtered
• The local preference is set to 200 for networks originating from AS 200 (ISP1)
• The local preference is set to 100 for other networks

HP A-Series configuration
bgp 100
 network 10.1.0.0 255.255.254.0
 peer 172.16.10.1 as-number 200
 peer 172.16.10.1 route-policy IN-CORP1 import
 peer 172.16.10.1 bfd
 quit
#
acl number 2001
 description all networks in 10.x/16
 rule 0 permit source 10.0.0.0 0.255.0.0
#
ip as-path 2 permit _200$
#
route-policy IN-CORP1 deny node 10
 if-match acl 2001
route-policy IN-CORP1 permit node 20
 if-match as-path 2
 apply local-preference 200
route-policy IN-CORP1 permit node 30
 apply local-preference 100

Cisco IOS configuration

router bgp 100
 network 10.1.0.0 mask 255.255.254.0
 neighbor 172.16.10.1 remote-as 200
 neighbor 172.16.10.1 route-map IN-CORP1 in
 neighbor 172.16.10.1 fall-over bfd
!
ip as-path access-list 2 permit _200$
!
access-list 2 permit 10.0.0.0 0.255.0.0
!
route-map IN-CORP1 deny 10
 match ip address 2
route-map IN-CORP1 permit 20
 match as-path 2
 set local-preference 200
route-map IN-CORP1 permit 30
 set local-preference 100

Small ISP BGP scenario


– From customers, accept accurate and well-defined prefixes
– From upstream ISPs, receive full or partial RT
– Announce aggregated network, typically not smaller than /20

[Figure panels: Receiving Prefix; Announcing Prefix. Labels: Internet, ISP1, ISP2,
AS 201, AS 100, AS 101, eBGP, iBGP, Router A, Router B, Router C, Customer A,
Customer Z, Partial RT or Full RT, 10.10.0.0/19, 10.10.0.0/24, 10.10.10.0/24,
0.0.0.0/0, Partial RT. Legend: announcement; data traffic.]
Figure 5-11: Small ISP BGP scenario

With a small ISP, you must look at the BGP customers’ peering and at the BGP
upstream ISP peering.

Small ISP BGP configuration for communicating with customers

Typically, a small ISP will receive an exact IP prefix from customers and will announce
either:
• A default route
• Partial Internet routing table
• Full Internet routing table

Some ISPs send full routing tables and the default route and let the customer choose
what to import.

Small ISP configuration

This section includes the configurations that Router C in the illustration uses to
advertise and receive routes from Customer A.

HP A-Series configuration
bgp 100
 peer 10.5.7.2 as-number 101
 peer 10.5.7.2 default-route-advertise
 peer 10.5.7.2 ip-prefix cust1-in import
 peer 10.5.7.2 ip-prefix cust-out export
#
ip ip-prefix cust1-in permit 10.10.0.0 24
ip ip-prefix cust-out permit 0.0.0.0 0

Small ISP router config with an upstream ISP


This section includes the BGP configurations for Router A, which communicates with
the ISP1 router using eBGP.

HP A-Series configuration

bgp 100
 network 10.10.0.0 19
 peer 10.15.10.2 as-number 201
 peer 10.15.10.2 route-policy isp-in1 import
 peer 10.15.10.2 ip-prefix isp-out export
# Announce the aggregated route
ip ip-prefix isp-out permit 10.10.0.0 19
ip route-static 10.10.0.0 19 null 0
# Set a local preference of 200 on networks originated from AS 201 and from all
# ASs directly attached to AS 201.
ip as-path 4 permit ^201_[0-9]*$
#
route-policy isp-in1 permit node 10
 if-match as-path 4
 apply local-preference 200
#
route-policy isp-in1 permit node 20
 apply local-preference 100

Cisco IOS configuration


router bgp 100
 network 10.10.0.0 mask 255.255.224.0
 neighbor 10.15.10.2 remote-as 201
 neighbor 10.15.10.2 route-map isp-in1 in
 neighbor 10.15.10.2 prefix-list isp-out out
! Announce aggregate
ip prefix-list isp-out permit 10.10.0.0/19
ip route 10.10.0.0 255.255.224.0 null 0
! Networks originated from AS 201 and all directly attached ASs of AS 201
ip as-path access-list 4 permit ^201_[0-9]*$
!
route-map isp-in1 permit 10
 match as-path 4
 set local-preference 200
route-map isp-in1 permit 20
 set local-preference 100
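
To check which routes the two inbound policies above actually tag, the following added example (not part of the original guide or of either vendor's software) models the IN-CORP1 policy from the multihome section and the isp-in1 policy from this section. The translation of "_" into a Python regular expression, the function names, and the sample routes are assumptions constructed for illustration.

```python
import ipaddress
import re

# In Cisco IOS / Comware AS-path expressions, "_" matches any delimiter:
# start of string, end of string, space, comma, braces or parentheses.
_DELIMITER = r"(?:^|$|[ ,{}()])"


def compile_as_path(expression):
    """Translate a router AS-path expression into a Python regex."""
    return re.compile(expression.replace("_", _DELIMITER))


def acl_wildcard_match(network, base, wildcard):
    """Standard-ACL match on a route's network address.

    Bits set to 1 in the wildcard mask are ignored in the comparison.
    """
    n = int(ipaddress.IPv4Address(network))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (n & care) == (b & care)


AS_PATH_2 = compile_as_path("_200$")         # path ends in (originates from) AS 200
AS_PATH_4 = compile_as_path("^201_[0-9]*$")  # AS 201, or one AS directly behind it


def in_corp1(prefix, as_path):
    """Model of IN-CORP1: local preference, or None if the route is denied."""
    network = prefix.split("/")[0]
    # Node 10 (deny): ACL "10.0.0.0 0.255.0.0" checks the network address only.
    if acl_wildcard_match(network, "10.0.0.0", "0.255.0.0"):
        return None
    # Node 20 (permit): routes originated by AS 200.
    if AS_PATH_2.search(as_path):
        return 200
    # Node 30 (permit): everything else.
    return 100


def isp_in1(as_path):
    """Model of isp-in1: local preference assigned to the route."""
    return 200 if AS_PATH_4.search(as_path) else 100


if __name__ == "__main__":
    # Constructed sample routes: (prefix, AS path as received).
    for prefix, path in [("10.20.0.0/16", "200"),
                         ("10.20.30.0/24", "200"),
                         ("192.0.2.0/24", "200"),
                         ("192.0.2.0/24", "200 65001")]:
        print("IN-CORP1", prefix, repr(path), "->", in_corp1(prefix, path))
    for path in ["201", "201 65001", "201 65001 65002", "2010"]:
        print("isp-in1 ", repr(path), "->", isp_in1(path))
```

Note that 10.20.30.0/24 is not denied: the ACL's wildcard mask fixes the third and fourth octets at zero, so only network addresses of the form 10.X.0.0 match node 10. A prefix list with a length range filters such blocks more precisely.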

Recommendations for filtering inbound prefixes

When a downstream router needs to receive more than a default route, care must be
taken. Here are some recommendations provided by RIPE Network Coordination
Centre (NCC):
• Don’t accept RFC1918 prefixes.
• Don’t accept your own prefix.
• Don’t accept default (unless you need it).
• Don’t accept prefixes longer than /24.
Note that these guidelines might change.

(Source: www.ripe.net)

HP A-Series configuration
bgp 100
 network 10.10.0.0 255.255.224.0
 peer 10.5.7.1 as-number 101
 peer 10.5.7.1 ip-prefix in-filter import
#
ip ip-prefix in-filter deny 0.0.0.0 0 # Block default
ip ip-prefix in-filter deny 0.0.0.0 8 less-equal 32
ip ip-prefix in-filter deny 10.0.0.0 8 less-equal 32
ip ip-prefix in-filter deny 127.0.0.0 8 less-equal 32
ip ip-prefix in-filter deny 169.254.0.0 16 less-equal 32
ip ip-prefix in-filter deny 172.16.0.0 12 less-equal 32
ip ip-prefix in-filter deny 192.0.2.0 24 less-equal 32
ip ip-prefix in-filter deny 192.168.0.0 16 less-equal 32
ip ip-prefix in-filter deny 10.10.0.0 19 less-equal 32 # Block local prefix
ip ip-prefix in-filter deny 224.0.0.0 3 less-equal 32 # Block multicast
ip ip-prefix in-filter deny 0.0.0.0 0 greater-equal 25 # Block prefixes >/24
ip ip-prefix in-filter permit 0.0.0.0 0 less-equal 32 # Accept anything else

Cisco IOS configuration


router bgp 100
 network 10.10.0.0 mask 255.255.224.0
 neighbor 10.5.7.1 remote-as 101
 neighbor 10.5.7.1 prefix-list in-filter in
!
ip prefix-list in-filter deny 0.0.0.0/0 ! Block default
ip prefix-list in-filter deny 0.0.0.0/8 le 32
ip prefix-list in-filter deny 10.0.0.0/8 le 32
ip prefix-list in-filter deny 127.0.0.0/8 le 32
ip prefix-list in-filter deny 169.254.0.0/16 le 32
ip prefix-list in-filter deny 172.16.0.0/12 le 32
ip prefix-list in-filter deny 192.0.2.0/24 le 32
ip prefix-list in-filter deny 192.168.0.0/16 le 32
ip prefix-list in-filter deny 10.10.0.0/19 le 32 ! Block local prefix
ip prefix-list in-filter deny 224.0.0.0/3 le 32 ! Block multicast
ip prefix-list in-filter deny 0.0.0.0/0 ge 25 ! Block prefixes >/24
ip prefix-list in-filter permit 0.0.0.0/0 le 32 ! Accept anything else

Note
Remember: The 10.0.0.0/8 prefix is denied because it is a private address
block. The 10.10.0.0/19 prefix, in this example, is denied because it is the local
prefix; in the real world, this would be a public subnet. The configuration is just
using the private subnet for the purposes of the example.
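
Before deploying an inbound filter like this one, it helps to run candidate routes through it offline. The following added example (not from the original guide or either vendor) evaluates the in-filter entries above with first-match semantics and the ge/le length rules, and reports entries that an earlier entry fully covers. The function names and the sample routes are constructed for illustration.

```python
import ipaddress

# The page's "in-filter" entries, in order: (action, prefix, ge, le).
# None means the keyword is absent from the entry.
IN_FILTER = [
    ("deny",   "0.0.0.0/0",      None, None),  # 0: default route
    ("deny",   "0.0.0.0/8",      None, 32),    # 1
    ("deny",   "10.0.0.0/8",     None, 32),    # 2: RFC 1918
    ("deny",   "127.0.0.0/8",    None, 32),    # 3: loopback
    ("deny",   "169.254.0.0/16", None, 32),    # 4: link local
    ("deny",   "172.16.0.0/12",  None, 32),    # 5: RFC 1918
    ("deny",   "192.0.2.0/24",   None, 32),    # 6: documentation block
    ("deny",   "192.168.0.0/16", None, 32),    # 7: RFC 1918
    ("deny",   "10.10.0.0/19",   None, 32),    # 8: local prefix
    ("deny",   "224.0.0.0/3",    None, 32),    # 9: multicast and above
    ("deny",   "0.0.0.0/0",      25,   None),  # 10: longer than /24
    ("permit", "0.0.0.0/0",      None, 32),    # 11: anything else
]


def length_range(base, ge, le):
    """Prefix lengths an entry accepts: exact length unless ge/le is given."""
    if ge is None and le is None:
        return base.prefixlen, base.prefixlen
    return (base.prefixlen if ge is None else ge, 32 if le is None else le)


def entry_matches(route, prefix, ge, le):
    base = ipaddress.ip_network(prefix)
    low, high = length_range(base, ge, le)
    return route.subnet_of(base) and low <= route.prefixlen <= high


def evaluate(route_text, entries=IN_FILTER):
    """Return (action, entry index) of the first match; implicit deny at end."""
    route = ipaddress.ip_network(route_text)
    for index, (_action, prefix, ge, le) in enumerate(entries):
        if entry_matches(route, prefix, ge, le):
            return entries[index][0], index
    return "deny", None


def shadowed_entries(entries=IN_FILTER):
    """Indexes of entries that a single earlier entry covers completely."""
    shadowed = []
    for j, (_a, prefix_j, ge_j, le_j) in enumerate(entries):
        base_j = ipaddress.ip_network(prefix_j)
        low_j, high_j = length_range(base_j, ge_j, le_j)
        for _b, prefix_i, ge_i, le_i in entries[:j]:
            base_i = ipaddress.ip_network(prefix_i)
            low_i, high_i = length_range(base_i, ge_i, le_i)
            if base_j.subnet_of(base_i) and low_i <= low_j and high_j <= high_i:
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample routes.
    for route in ["0.0.0.0/0", "10.10.0.0/19", "172.20.0.0/16",
                  "198.51.100.0/25", "198.51.100.0/24", "172.32.0.0/16"]:
        print(route, "->", evaluate(route))
    print("shadowed entries:", shadowed_entries())
```

The shadowed-entry check returns index 8: because the example uses a private block as the local prefix, the 10.0.0.0/8 entry already catches it, which is the situation the note above describes. With a public local prefix, that entry would be the one doing the work.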



Large ISP scenario


– Exchange full routing tables with:
  • ISP peers
  • Internal peers (iBGP)

[Figure labels: ISP1, ISP2, eBGP, iBGP, Full RT, Router A, Router B, Router C,
AS 100, 0.0.0.0/0, Partial RT, Customer A, Customer B. Legend: announcement; data
traffic.]
Figure 5-12: Large ISP scenario

Like small ISPs, large ISPs will only accept prefixes they have assigned to their
customers. They exchange full Internet routes with other ISPs and mark networks with
communities to help their customers and ISP peers set their policies.

iBGP peering

The following recommendations are taken from a tutorial published by RIPE, an
independent, not-for-profit membership organization that supports the infrastructure of
the Internet through technical co-ordination in its service region. (See
http://www.ripe.net/ripe/meetings/ripe-40/tutorials/bgp-tutorial/tsld001.html.)

Announcing network
1. Use iBGP to carry customer prefixes; don’t ever use IGP.
2. Point static route to customer interface.
3. Use BGP network statement.
4. As long as static route exists (interface active), prefix will be in BGP.
5. Use peer-groups iBGP between loopbacks.
6. Avoid flapping of network using “permanent” static-route.
   a. Use network statement as much as possible.
   b. Use redistribute static if well understood (only announces the “right”
      network).
   c. Redistribute of IGP: avoid if possible or must be tightly controlled with
      route-map.
7. Route-map can be used to set communities and other attributes.

iBGP basic configuration example


HP A-Series configuration
interface loopback 0
 ip address 215.17.3.1 32
#
interface Serial 5/1
 ip address unnumbered interface loopback 0
 ip urpf strict
#
ip route-static 215.34.10.0 22 Serial 5/1
#
bgp 100
 network 215.34.10.0 255.255.252.0

Cisco IOS configuration

interface loopback 0
 ip address 215.17.3.1 255.255.255.255
!
interface Serial 5/0
 ip unnumbered loopback 0
 ip verify unicast reverse-path
!
ip route 215.34.10.0 255.255.252.0 Serial 5/0
!
router bgp 100
 network 215.34.10.0 mask 255.255.252.0

Announcing redistributed static routes:


HP A-Series configuration

ip route-static 215.34.10.0 22 Serial 5/0
#
bgp 100
 import-route static route-policy static-to-bgp
 <skip>
#
route-policy static-to-bgp permit node 10
 if-match ip-prefix ISP-block
 apply origin igp
 <skip>
#
ip ip-prefix ISP-block permit 215.34.10.0 22 less-equal 30

Cisco IOS configuration

ip route 215.34.10.0 255.255.252.0 Serial 5/0
!
router bgp 100
 redistribute static route-map static-to-bgp
 <skip>
!
route-map static-to-bgp permit 10
 match ip address prefix-list ISP-block
 set origin igp
 <skip>
!
ip prefix-list ISP-block permit 215.34.10.0/22 le 30

More iBGP recommendations

Configure the following:
• Next-hop-self: this always keeps DMZ and point-to-point out of IGP.
• Send communities in iBGP; otherwise accidents will occur.
• Use passwords on iBGP sessions: it’s not paranoid to use passwords; they are
  very necessary to secure your network.

HP A-Series configuration: Internal peer group example

bgp 100
 group peers100 internal
 peer peers100 description ibgp peers
 peer peers100 as-number 100
 peer peers100 connect-interface Loopback0
 peer peers100 next-hop-local
 peer peers100 advertise-ext-community
 peer peers100 password cipher 03085A09
 peer 1.0.0.1 group peers100
 peer 1.0.0.2 group peers100

Cisco IOS configuration: Internal peer group example


router bgp 100
 neighbor peers100 peer-group
 neighbor peers100 description ibgp peers
 neighbor peers100 remote-as 100
 neighbor peers100 update-source Loopback0
 neighbor peers100 next-hop-self
 neighbor peers100 send-community
 ! "password 7" means the key is stored in reversible type 7 encoding
 neighbor peers100 password 7 03085A09
 neighbor 1.0.0.1 peer-group peers100
 neighbor 1.0.0.2 peer-group peers100

RIPE recommended BGP template for eBGP peers

• BGP damping: use “RIPE Routing-WG Recommendation for coordinated route-flap
  damping,” which is available at ftp://ftp.ripe.net/ripe/docs/ripe-210.txt.
• Remove private ASs from announcements: this is a common omission on today’s
  networks.
• Use extensive filters, with backups. Use the password agreed between your
  local BGP router and its peer for the eBGP session.
• Use maximum-prefix tracking: the BGP router will warn you if there are sudden
  changes in BGP table size, bringing down eBGP if necessary.

Customer aggregation default
Define at least three peer groups:
• cust-default: send default route only
• cust-cust: send customer routes only
• cust-full: send full Internet routes
Identify routes through communities, such as:
• 100:4000 = my address blocks
• 100:4200 = customers from my block
• 100:4300 = customers outside my block
This helps with aggregation and iBGP filtering.

More recommendations for eBGP settings

• Apply an inbound and outbound prefix-list per neighbor.
• Log neighbor changes.
    bgp log-neighbor-changes
• Enable deterministic MED.
    bgp deterministic-med
  If you do not enable deterministic MED, the best path could be different every
  time a BGP session is reset.
• Configure the BGP admin distance so that it is higher than any IGP.
    distance bgp 200 200 200

HP A-Series eBGP template


bgp 100
 # Distance for bgp is 255 for external, 25 for internal, and 130 for local.
 preference 200 200 200
 dampening route-policy RIPE-210-flap
 network 10.60.0.0 255.255.0.0
 group ext100 external
 peer ext100 as-number 200
 peer ext100 description ISP connection
 peer ext100 public-as-only
 peer ext100 ip-prefix ispout export # “accident” filter
 peer ext100 route-policy ispout export # “real” filter
 peer ext100 route-policy ispin import
 peer ext100 password cipher verysecret
 peer ext100 route-limit 120000 alert-only
 peer 10.200.0.1 group ext100
#
ip route-static 10.60.0.0 16 null0 preference 254

Cisco IOS eBGP template


router bgp 100
 distance bgp 200 200 200
 bgp dampening route-map RIPE-210-flap
 network 10.60.0.0 mask 255.255.0.0
 neighbor ext100 peer-group
 neighbor ext100 remote-as 200
 neighbor ext100 description ISP connection
 neighbor ext100 remove-private-AS
 neighbor ext100 version 4
 neighbor ext100 prefix-list ispout out ! “accident” filter
 neighbor ext100 route-map ispout out ! “real” filter
 neighbor ext100 route-map ispin in
 neighbor ext100 password 7 020A0559
 neighbor ext100 maximum-prefix 120000 [warning-only]
 neighbor 10.200.0.1 peer-group ext100
!
ip route 10.60.0.0 255.255.0.0 null0 254

Source: “BGP for Service Providers” at
http://www.ripe.net/ripe/meetings/ripe-40/tutorials/bgp-tutorial/tsld001.html.

What will happen to traffic if…


1. Router A does not have the network command for 10.1.0.0/23?
2. Router A shuts down BGP peering with ISP1?
3. Router B announces 10.1.0.0/23 but drops all networks received from ISP2?

[Figure labels: Internet, ISP1, ISP2, eBGP, iBGP, IGP, Full RT, 10.1.0.0/23,
0.0.0.0/0, Router A, Router B, Router C, AS 100. Legend: announcement.]
Figure 5-13: What will happen to traffic if…

You have now studied several types of networks that you might encounter at the
beginning of a migration. Now you need to consider how you will proceed to
replace routers with new HP A-Series routers. The figure lists several actions that you
might take in an attempt to remove an existing router from the BGP system. Consider
the consequences of these actions.
Q1: What will happen if Router A does not have the network command for
10.1.0.0/23?

Q2: What will happen if Router A shuts down BGP peering with ISP1?

Q3: What will happen if Router B announces 10.1.0.0/23 but rejects all received
networks from ISP2?

How can you prevent Router A from…


1. Receiving any traffic from a LAN?
2. Receiving traffic from the Internet? (Or at least minimize the traffic?)
3. Sending traffic to the Internet?

[Figure labels: Internet, ISP1, ISP2, eBGP, iBGP, IGP, Full RT, 10.1.0.0/23,
0.0.0.0/0, Router A, Router B, Router C, AS 100. Legend: announcement.]
Figure 5-14: How can you prevent Router A from…

Before you replace Router A with a new router, you want to ensure that it is not
actively routing traffic between the LAN and the Internet. You will now consider ways
to achieve this goal.
Q1: How can you prevent Router A from receiving any traffic from a LAN?

Q2: How can you prevent Router A from receiving traffic from the Internet? Or how
can you at least minimize the traffic?

Q3: How can you prevent Router A from sending traffic to the Internet?

What will you do to “shut down” Router A…


. . . for maintenance or replacement?
1. Power it off.
2. Shut down eBGP neighboring.
3. Shut down iBGP peering(s).
4. Issue the disable network command.
5. Disable forwarding of the default route to the LAN.

[Figure labels: Internet, ISP1, ISP2, eBGP, iBGP, IGP, Full RT, 10.1.0.0/23,
0.0.0.0/0, Router A, Router B, Router C, AS 100. Legend: announcement.]
Figure 5-15: What will you do to “shut down” Router A…

What is the best way to shut down Router A for maintenance or replacement?
1. Power off.
2. Shut down eBGP neighboring.
3. Shut down iBGP peering.
4. Disable network command.
5. Disable forwarding of default route to LAN.

Power off
As mentioned before, powering a router off brings down the eBGP IP interface. If the peers are directly connected, the remote peer senses this immediately. If the peers are not directly connected, the remote peer has to wait for the holdtime period (180 sec by default).

Shut down eBGP neighboring

This method truly triggers the removal of peer information. On the local LAN, only
Router B will have Internet routes, so traffic sourced from the LAN will be directed to it
due to the iBGP exchange.
It should take some time for the withdrawal of the local network to propagate into the
Internet. However, the closest AS will have updated its routes to the AS 100 network.
Note that when eBGP neighboring is shut down, some loop situations may occur
between updated and non-updated routers.


Shut down iBGP peering(s)


When Router A shuts down iBGP peering, it loses the Internet routes that it received
from Router B. Router A will still receive and transmit traffic from the Internet and
the LAN.
It makes sense to stop iBGP peering after eBGP peering has been shut down
and after the default route is no longer announced by Router A.

disable network command


This blocks Internet traffic from entering Router A. It does not block traffic sourced
from AS100 and destined to the Internet.

Disable forwarding of default route to LAN


This prevents traffic from the LAN from being sent to Router A. However, Router A will
still forward traffic destined to the Internet through Router B due to the iBGP exchange.
In other words, it is safe for Router A to announce a default route as long as it maintains an
iBGP connection with Router B.
If the iBGP connection is shut down, Router A should stop sending a default route
beforehand or at the same time.

Conclusion
Removing the default route and simultaneously shutting down the BGP connection will
prevent Router A from receiving LAN and Internet traffic and from transmitting traffic
to the Internet. This method isolates Router A without powering it off.
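
The ordering constraint behind this conclusion can be checked mechanically. The following added example (not part of the HP course material) models Router A's four settings as a steady-state abstraction, an assumption that ignores convergence and holdtime delays, and lists which orders of the three shutdown steps isolate the router without ever black-holing LAN traffic. All names in it are hypothetical.

```python
from dataclasses import dataclass, replace
from itertools import permutations


@dataclass(frozen=True)
class RouterA:
    """Steady-state view of Router A (assumption: convergence delays ignored)."""
    ebgp_up: bool = True            # eBGP session to the ISP
    ibgp_up: bool = True            # iBGP session to Router B
    network_announced: bool = True  # AS 100 prefix advertised over eBGP
    default_announced: bool = True  # 0.0.0.0/0 advertised toward the LAN


# One entry per option 2 to 5 on the slide; each changes a single setting.
ACTIONS = {
    "shut_ebgp": lambda s: replace(s, ebgp_up=False),
    "shut_ibgp": lambda s: replace(s, ibgp_up=False),
    "disable_network": lambda s: replace(s, network_announced=False),
    "stop_default": lambda s: replace(s, default_announced=False),
}


def internet_enters(s):
    """Internet traffic for AS 100 arrives through Router A."""
    return s.ebgp_up and s.network_announced


def lan_enters(s):
    """LAN hosts still send Internet-bound traffic to Router A."""
    return s.default_announced


def can_reach_internet(s):
    """Router A holds Internet routes, its own or those learned from Router B."""
    return s.ebgp_up or s.ibgp_up


def black_holes_lan(s):
    """Router A attracts LAN traffic that it can no longer forward."""
    return lan_enters(s) and not can_reach_internet(s)


def isolated(s):
    """No traffic reaches Router A from either side."""
    return not internet_enters(s) and not lan_enters(s)


def apply(order, state=RouterA()):
    """Return the state reached after each action in the given order."""
    states = []
    for name in order:
        state = ACTIONS[name](state)
        states.append(state)
    return states


def safe_isolating_orders(steps):
    """Orders that end isolated and never pass through a black-hole state."""
    good = []
    for order in permutations(steps):
        states = apply(order)
        if isolated(states[-1]) and not any(black_holes_lan(s) for s in states):
            good.append(order)
    return good


if __name__ == "__main__":
    for name in ACTIONS:
        end = apply([name])[-1]
        print(f"{name:16} alone -> isolated: {isolated(end)}")
    for order in safe_isolating_orders(("stop_default", "shut_ebgp", "shut_ibgp")):
        print("safe order:", " -> ".join(order))
```

In this model no single option isolates Router A, and every order that leaves the default route for last passes through a state in which LAN traffic is dropped.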


BGP HP Comware CLI and Cisco IOS


This section provides BGP commands for HP A-Series switches, which run the
Comware software, and Cisco switches, which run the Cisco IOS.
Using the tables in this section, you should be able to reproduce the Cisco
commands in the section below on an HP A-Series router.

Cisco IOS configuration


router bgp 105
 network 10.5.2.0 mask 255.255.254.0
 neighbor 172.17.10.2 prefix-list out-filter in
 neighbor 172.17.10.2 fall-over bfd
 neighbor 172.17.10.2 default-originate
 neighbor 172.17.10.2 timers 90 270
 aggregate-address 10.5.0.0 255.255.240.0
 bgp deterministic-med
 bgp graceful-restart
 bgp graceful-restart 240
 bgp log-neighbor-changes
ip route 100.5.0.0 255.255.254.0 null0
ip prefix-list out-filter permit 200.1.0.0/23

HP A-Series configuration

1—Creating a BGP connection


The table provides you with an at-a-glance comparison for many of the commands
that you need to configure BGP. As you see, you will use peer commands on HP A-
Series devices to perform many of the tasks for which you use neighbor commands
on Cisco devices.
Table 5-1: Creating a BGP connection

Enable BGP and enter BGP view
  HP Comware CLI: bgp as-number
  Cisco IOS CLI: router bgp as-number

Specify a Router ID
  HP Comware CLI: router-id ip-address
  Cisco IOS CLI: bgp router-id ip-address

Specify a peer or a peer group and its AS number
  HP Comware CLI: peer { group-name | ip-address } as-number as-number
  Cisco IOS CLI: neighbor ip-address remote-as AS-number

Configure a description for a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } description description-text
  Cisco IOS CLI: neighbor ip-address description description-text

Forbid session establishment with a peer or peer group
  HP Comware CLI: peer { group-name | ip-address } ignore
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} shutdown

Enable MD5 authentication for TCP connections
  HP Comware CLI: peer { group-name | ip-address } password { cipher | simple } password

Specify the source interface for BGP
  HP Comware CLI: peer { group-name | ip-address } connect-interface interface-type interface-number
  Cisco IOS CLI: neighbor ip-address update-source interface-name

Allow establishment of an eBGP connection to a non directly connected peer/peer group
  HP Comware CLI: peer { group-name | ip-address } ebgp-max-hop [ hop-count ]
  Cisco IOS CLI: neighbor ip-address ebgp-multihop [hop-count]

Enable BFD for the specified BGP peer
  HP Comware CLI: peer ip-address bfd
  Cisco IOS CLI: neighbor ip-address fall-over bfd


2—Controlling route generation and redistribution


You have many of the same options for controlling route generation and
redistribution on the HP A-Series devices as on the Cisco devices. In fact, you have a
few more. For both networks on which you enable BGP and redistributed networks,
you can filter the routes using route policies and filter policies (like Cisco’s route maps
and distribution lists). You can also redistribute a default route into BGP.

Table 5-2: Controlling route generation and redistribution

Inject a local network
  HP Comware CLI: network ip-address [ mask | mask-length ] [ route-policy route-policy-name ]
  Cisco IOS CLI: network network-number [mask network-mask] [route-map route-map-name]

Configure BGP route redistribution
  HP Comware CLI: import-route protocol [ process-id | all-processes ] [ med med-value | route-policy route-policy-name ] *
  Cisco IOS CLI: redistribute protocol [process-id] [route-type] [route-map map-tag]

Enable default route redistribution into BGP
  HP Comware CLI: default-route imported
  Cisco IOS CLI: NA

Configure BGP automatic route summarization
  HP Comware CLI: summary automatic
  Cisco IOS CLI: auto-summary

Configure BGP manual route summarization
  HP Comware CLI: aggregate ip-address { mask | mask-length } [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ]*
  Cisco IOS CLI: aggregate-address address mask [as-set] [as-confed-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name]

Advertise a default route to a peer or peer group
  HP Comware CLI: peer { group-name | ip-address } default-route-advertise [ route-policy route-policy-name ]
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} default-originate [route-map map-name]

Configure the filtering of redistributed routes
  HP Comware CLI: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ direct | isis process-id | ospf process-id | rip process-id | static ]


3—BGP advertisement/reception filters


This table shows the commands for applying a variety of filters to the BGP inbound
and outbound routes. In addition to the route policies and filter policies, you can filter
routes on HP A-Series devices with AS paths. You can also apply a maximum number
for received routes.
Note that the A-Series devices support route synchronization between BGP and IGP
with the same command as Cisco.

Table 5-3: BGP advertisement/reception filters

With a routing policy
  HP Comware CLI: peer { group-name | ip-address } route-policy route-policy-name {import | export}
  Cisco IOS CLI: neighbor {ip-address | peer-group-name } route-map map-name {in | out}

With a filter policy
  HP Comware CLI: peer { group-name | ip-address } filter-policy acl-number {import | export}
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} distribute-list {access-list-number | expanded-list-number | access-list-name | prefix-list-name} {in | out}

With an ACL AS-Path
  HP Comware CLI: peer { group-name | ip-address } as-path-acl as-path-acl-number {import | export}
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} filter-list as-path-access-list-number {in | out}

With an IP prefix-list
  HP Comware CLI: peer { group-name | ip-address } ip-prefix ip-prefix-name {import | export}
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} prefix-list prefix-list-name {in | out}

Enable synchronization BGP and IGP route
  HP Comware CLI: synchronization
  Cisco IOS CLI: synchronization

Specify the maximum number of prefixes that can be received from a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } route-limit prefix-number [alert-only] [reconnect reconnect-time] [ percentage-value ]
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] [restart restart-interval] [warning-only]


4—BGP route attributes


On HP A-Series devices, as on Cisco devices, you can specify a variety of attributes for
routes, which influence which routes the local router and its peers prefer. You can
also manipulate the AS in a variety of ways.

Table 5-4: BGP route attributes

Specify a preferred value for routes received
  HP Comware CLI: peer { group-name | ip-address } preferred-value value
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} weight number

Configure preferences for BGP routes
  HP Comware CLI: preference { external-preference internal-preference local-preference | route-policy route-policy-name }
  Cisco IOS CLI: distance bgp external-distance internal-distance local-distance

Configure the default local preference used with other iBGP peers
  HP Comware CLI: default local-preference value
  Cisco IOS CLI: bgp default local-preference number

Configure the MED attribute
  HP Comware CLI: default med value
  Cisco IOS CLI: NA

Enable the comparison of MED of routes from different ASs
  HP Comware CLI: compare-different-as-med
  Cisco IOS CLI: bgp always-compare-med

Enable the comparison of MED of routes from each AS
  HP Comware CLI: bestroute compare-med
  Cisco IOS CLI: bgp deterministic-med

Configure the next hop attribute
  HP Comware CLI: peer { group-name | ip-address } next-hop-local
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} next-hop-self

Permit local AS number to appear in routes from a peer/peer group and specify the appearance times
  HP Comware CLI: peer { group-name | ip-address } allow-as-loop [ number ]
  Cisco IOS CLI: NA

Disable BGP from considering AS_PATH during best route selection
  HP Comware CLI: bestroute as-path-neglect
  Cisco IOS CLI: bgp bestpath as-path ignore

Specify a fake AS number for a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } fake-as as-number
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} remove-private-as replace-as

Replace the AS number of a peer/peer group in the AS_PATH attribute as the local AS number
  HP Comware CLI: peer { group-name | ip-address } substitute-as
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} remove-private-as all


5—Tuning and optimizing BGP networks


This table provides the commands for several more tasks for refining your BGP
configuration. You can alter timers. You can implement outbound filters. You can
prohibit sessions to particular routers. And you can configure other features discussed
earlier in this module such as route refresh. Note that Cisco requires IOS 12.1 to
implement the route refresh feature, so this might be a nice feature to recommend to
the customer as an enhancement with the new A-Series devices.

Table 5-5: Tuning and optimizing BGP networks

Configure global BGP keepalive interval and holdtime
  HP Comware CLI: timer keepalive keepalive hold holdtime
  Cisco IOS CLI: timers bgp keepalive holdtime

Configure BGP keepalive interval and holdtime per peer
  HP Comware CLI: peer { group-name | ip-address } timer keepalive keepalive hold holdtime
  Cisco IOS CLI: neighbor [ip-address | peer-group-name] timers keepalive holdtime [min-holdtime]

Configure the interval for sending the same update
  HP Comware CLI: peer { group-name | ip-address } route-update-interval interval
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} advertisement-interval seconds

Configure BGP automatic soft-reset
  HP Comware CLI: peer { group-name | ip-address } capability-advertise route-refresh
  Cisco IOS CLI: in IOS 12.1

Disable BGP route-refresh and multi-protocol extension capability for a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } capability-advertise conventional
  Cisco IOS CLI: no bgp soft-reconfig-backup

Save all routes from a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } keep-all-routes
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} soft-reconfiguration inbound

Perform manual soft reset on BGP connections in user view
  HP Comware CLI: refresh bgp { all | ip-address | group group-name | external | internal } { export | import }
  Cisco IOS CLI: clear ip bgp {* | address | peer-group name} soft in | out

Enable the outbound route filter capability for a BGP peer/peer group
  HP Comware CLI: peer { group-name | ip-address } capability-advertise orf ip-prefix { both | receive | send }
  Cisco IOS CLI: neighbor ip-address capability orf prefix-list [send | receive | both]

Define the outbound route filter
  HP Comware CLI: peer { group-name | ip-address } ip-prefix ip-prefix-name export
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} prefix-list prefix-list-name out

Enable quick eBGP session reestablishment
  HP Comware CLI: ebgp-interface-sensitive
  Cisco IOS CLI: bgp fast-external-fallover

Configure the maximum number of BGP routes for load balancing
  HP Comware CLI: balance number
  Cisco IOS CLI: bgp dmzlink-bw

Forbid session establishment with a peer or peer group
  HP Comware CLI: peer { group-name | ip-address } ignore
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} shutdown

6—BGP peer groups


On both HP A-Series and Cisco IOS devices, you can create groups for BGP peers.
The table provides commands for managing those groups.

Table 5-6: BGP peer groups

Create an iBGP peer group
  HP Comware CLI: group group-name [ internal ]
  Cisco IOS CLI: neighbor peer-group-name peer-group

Add a peer into the iBGP peer group
  HP Comware CLI: peer ip-address group group-name
  Cisco IOS CLI: neighbor {ip-address } peer-group peer-group-name

Create an eBGP peer group (same AS)
  HP Comware CLI: group group-name [ external ]
  Cisco IOS CLI: neighbor peer-group-name peer-group

Specify the AS number for the group
  HP Comware CLI: peer group-name as-number as-number
  Cisco IOS CLI: neighbor peer-group-name remote-as as-number

Add a peer into the eBGP peer group
  HP Comware CLI: peer ip-address group group-name [ as-number as-number ]

Add a peer into the iBGP peer group
  HP Comware CLI: peer ip-address group group-name [ as-number as-number ]


7—BGP communities
Here you see commands for configuring BGP communities for both HP Comware and
Cisco IOS.
Table 5-7: BGP communities

Advertise the community attribute to a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } advertise-community
  Cisco IOS CLI: neighbor peer-group-name send-community standard

Advertise the extended community attribute to a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } advertise-ext-community
  Cisco IOS CLI: neighbor peer-group-name send-community [both | extended]

Apply a routing policy to routes advertised to a peer/peer group
  HP Comware CLI: peer { group-name | ip-address } route-policy route-policy-name export
  Cisco IOS CLI: neighbor peer-group-name route-map route-map-name


8—BGP route reflector and confederation


The table displays the HP Comware and Cisco IOS commands for reducing the mesh
size for iBGP. BGP confederation divides an AS into multiple segments that appear
as a single AS to external peers. You can also configure a router as a route reflector,
to which the other iBGP routers establish sessions rather than create a full mesh.
Table 5-8: BGP route reflector and confederation

Configure the router as a route reflector and specify a peer/peer group as its client
  HP Comware CLI: peer { group-name | ip-address } reflect-client
  Cisco IOS CLI: neighbor {ip-address | peer-group-name} route-reflector-client

Advertise the extended community attribute to a peer/peer group
  HP Comware CLI: reflect between-clients
  Cisco IOS CLI: bgp client-to-client reflection

Apply a routing policy to routes advertised to a peer/peer group
  HP Comware CLI: reflector cluster-id cluster-id
  Cisco IOS CLI: bgp cluster-id cluster-id

Configure a confederation ID
  HP Comware CLI: confederation id as-number
  Cisco IOS CLI: bgp confederation identifier as-number

Specify peering sub ASs in the confederation
  HP Comware CLI: confederation id peer-as as-number-list
  Cisco IOS CLI: bgp confederation identifier as-number1 as-number-2…

Enable compatibility with routers not compliant with RFC 3065 in the confederation
  HP Comware CLI: confederation nonstandard
  Cisco IOS CLI: NA

Enable the comparison of MED of routes from confederation peers
  HP Comware CLI: bestroute med-confederation
  Cisco IOS CLI: bgp bestpath med confed [missing-as-worst]
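
The mappings in Tables 5-1 to 5-5 can be applied to the Cisco IOS configuration shown earlier in this section. The following is an added example, not part of the HP course material: it translates only the lines that a table row covers, lists every line that still needs manual work so that nothing is silently dropped, and reports peers and prefix filters the migrated configuration would leave incomplete. The function names are hypothetical and the embedded input is that configuration with the default route command spelled default-originate as in Table 5-2.

```python
import re

# Constructed input: the Cisco IOS configuration from this section.
CISCO_CONFIG = """\
router bgp 105
 network 10.5.2.0 mask 255.255.254.0
 neighbor 172.17.10.2 prefix-list out-filter in
 neighbor 172.17.10.2 fall-over bfd
 neighbor 172.17.10.2 default-originate
 neighbor 172.17.10.2 timers 90 270
 aggregate-address 10.5.0.0 255.255.240.0
 bgp deterministic-med
 bgp graceful-restart
 bgp graceful-restart 240
 bgp log-neighbor-changes
ip route 100.5.0.0 255.255.254.0 null0
ip prefix-list out-filter permit 200.1.0.0/23
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
DIRECTION = {"in": "import", "out": "export"}

# (Cisco IOS pattern, Comware rendering) pairs, one per table row used.
RULES = [
    (r"router bgp (\d+)", lambda m: f"bgp {m[1]}"),                      # 5-1
    (rf"neighbor {IP} remote-as (\d+)",
     lambda m: f"peer {m[1]} as-number {m[2]}"),                         # 5-1
    (rf"neighbor {IP} shutdown", lambda m: f"peer {m[1]} ignore"),       # 5-1
    (rf"neighbor {IP} fall-over bfd", lambda m: f"peer {m[1]} bfd"),     # 5-1
    (rf"network {IP} mask {IP}", lambda m: f"network {m[1]} {m[2]}"),    # 5-2
    (rf"aggregate-address {IP} {IP}",
     lambda m: f"aggregate {m[1]} {m[2]}"),                              # 5-2
    (rf"neighbor {IP} default-originate",
     lambda m: f"peer {m[1]} default-route-advertise"),                  # 5-2
    (rf"neighbor {IP} prefix-list (\S+) (in|out)",
     lambda m: f"peer {m[1]} ip-prefix {m[2]} {DIRECTION[m[3]]}"),       # 5-3
    (r"bgp deterministic-med", lambda m: "bestroute compare-med"),       # 5-4
    (rf"neighbor {IP} timers (\d+) (\d+)",
     lambda m: f"peer {m[1]} timer keepalive {m[2]} hold {m[3]}"),       # 5-5
]


def translate_line(line):
    """Return the Comware form of one IOS line, or None if no rule applies."""
    text = line.strip()
    for pattern, render in RULES:
        match = re.fullmatch(pattern, text)
        if match:
            return render(match)
    return None


def translate(config):
    """Split a config into translated Comware lines and lines left for manual work."""
    translated, manual = [], []
    for line in config.splitlines():
        if not line.strip():
            continue
        result = translate_line(line)
        if result is None:
            manual.append(line.strip())
        else:
            # Keep the one-space indent of commands entered in BGP view.
            translated.append((" " if line[0].isspace() else "") + result)
    return translated, manual


def migration_gaps(config):
    """Report peers with no AS number and prefix filters that need attention."""
    neighbors = set(re.findall(rf"neighbor {IP} ", config))
    with_as = set(re.findall(rf"neighbor {IP} remote-as", config))
    used = set(re.findall(r"neighbor \S+ prefix-list (\S+) (?:in|out)", config))
    defined = set(re.findall(r"^ip prefix-list (\S+) ", config, flags=re.M))
    return {
        "peers_without_as": sorted(neighbors - with_as),
        "filters_to_recreate": sorted(used & defined),  # definition not in the tables
        "filters_undefined": sorted(used - defined),    # referenced, never defined
    }


if __name__ == "__main__":
    done, todo = translate(CISCO_CONFIG)
    print("\n".join(done))
    print("-- translate manually --")
    print("\n".join(todo))
    print(migration_gaps(CISCO_CONFIG))
```

For this input the prefix filter applied to the peer is translated while its definition is not, and the neighbor's AS number is never declared, so both appear in the gap report.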


Summary
In this module, you learned how a BGP session begins and ends. You also learned
how IP prefixes are exchanged between peers, and how that can impact traffic flow.
You considered the consequences of removing a Cisco switch running BGP in several
different ways and explored the best ways of doing so. You also learned about
different BGP features and the Cisco IOS and Comware commands for those
features.


Lab activity 5: Migrating BGP


[Figure 5-16: Lab activity 5: Migrating BGP. Two panels, INITIAL and FINAL. Both panels show HaCore_1 (AS 300), CCore_1 (AS 100) and CCore_2 (AS 200) in the BGP area and HeEdge_1 (AS X, POD X) below the OSPF area. The distribution layer is labelled CDist_1 in the INITIAL panel and HaDist_1 and HaDist_2 in the FINAL panel.]

You will now plan your BGP migration, drawing on what you have learned. You can
then experiment in the lab and observe the results.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab debrief
Use the space below to record the key things you learned, and also the challenges
you faced in lab activity 5.

Table 5-1: Debrief for lab activity 5

Challenges          Key things learned

Learning check
Q1: What conditions are necessary for a local network to be advertised to a BGP peer?

Q2: What feature would you use to announce a small number of networks?

Q3: How do you disable a BGP session?

Q4: What method would you use to change the attributes of a received prefix?

Q5: What makes an AS a multihome AS?

Q6: As an ISP are you required to control what customers advertise to you?

Learning Check Answers


Appendix A

Module 1

Q1: Could removing CDP from a switch cause problems for network devices?
A1: Yes, if the switch is connected to Cisco IP phones. CDP is used to provision these
IP phones with VLAN and QoS settings. If all IP phones are booted when you remove
CDP, the phones will not be disconnected. However, the IP phone will not be able to
get its configuration using CDP when it next starts up.
You might be able to use LLDP-MED to provision the phone instead. Or the phone
might be able to use DHCP options if the network DHCP server supports this option.
Otherwise, you must retain CDP on the switch.

Q2: What is a simple strategy for migrating an EIGRP network to OSPF?
A2: Depending on the customer constraints, you might be able to schedule an
outage. Then you can use the “reload at” migration method.
If you need to complete the migration in an online network, the OSPF Overlay Model
is typically the simplest:
1. You first raise the OSPF administrative distances so that they are higher than
external EIGRP’s distance.
2. Then you set up OSPF on all routers.
3. When you are sure that OSPF is running correctly, you increase the EIGRP
administrative distances. Once OSPF advertises all networks on all routers, you
can safely remove EIGRP.

Q3: What does a switch send when a virtual IP protocol starts and takes the Master
role on an interface or when the switch preempts the Master role? How does this
message function in migrations?
A3: The switch sends a gratuitous ARP, which endpoints in the subnet can use to
update their ARP caches. However, some devices do not accept the gratuitous ARP.

Q4: What considerations should you make as you migrate from PVST+ to MSTP?
A4: First verify whether MSTP is supported on the Cisco platform.
You should also consider differences between how PVST+ and MSTP operate
because you might need to change ports’ VLAN assignments or disable . One major
difference in behavior is that PVST+ is aware of ports’ VLAN configuration because
PVST+ BPDUs are forwarded on each VLAN itself. It can shut down a port for that
VLAN and so avoid a bridging loop if one exists within a VLAN.
MSTP BPDUs are sent untagged, and MSTP is unaware of VLAN configuration. In
other words, although when MSTP actually blocks a port in an instance, it blocks just
the VLANs in that instance, MSTP looks only at the physical port configuration when
deciding whether to block the instance on the port. Therefore, MSTP could block
ports in such a way that a routed port is blocked or a port with a VLAN that is not
supported on non-blocked ports. This disadvantage is compensated by MSTP’s lower
consumption of CPU resources, its use of rapid convergence algorithms, and its
interoperability.
However, you should keep this limitation in mind while planning MSTP, and verify
that you do not implement MSTP on a port such as a routed port, which PVST+ would
not block, but MSTP would. In addition, you might want to add support for all VLANs
on all trunks, which prevents misconfigurations and does not burden the CPU when
you use MSTP.
Other considerations for the migration include finding the CIST root and migrating
this switch first, as well as deciding whether you want to create a single star topology
for the migration.

Module 2

Q1: What are the different methods you can use to set up redundancy when
connecting an HP switch to a Cisco network?
A1: You can select from these options:
▪ If the Cisco network is using MSTP, implement MSTP on the edge switch
▪ If the Cisco network is using PVST+ or Rapid PVST+:
  • Implement MSTP on the edge switch with minimal setup (because the switch
    will not be part of a region but only communicate with PVST+ as if using
    RSTP)
  • Do not configure spanning tree on the HP edge switch. Use Loop protect on
    HP E-Series switches or Loopback detection on HP A-Series to prevent loops
    that could occur on edge ports
  • Use Smart Link on HP A-Series switches and implement load balancing
    between instances
  • Create redundant connections between dual-NIC servers and HP A-Series
    edge switches (rather than redundant connections between the edge
    switches and the distribution switches); then configure Monitor Link on the
    HP A-Series switches

Q2: When the rest of the network is set to PVST+, what should you take care to do
when configuring MSTP on an edge switch?
A2: An MSTP switch interoperates with PVST+ switches using its IST settings, which
are included in the RSTP-compatible portion of its MSTP BPDUs. Therefore, you must
ensure that the edge switch’s IST bridge priority is higher than the PVST+ root’s. On
the other hand, the MSTP switch understands only the VLAN 1 BPDUs sent by the
PVST+ switches because only these BPDUs comply with the IEEE standard. Therefore,
you must ensure that the MSTP edge switch allows VLAN 1 on the trunk port and so
does the PVST+ switch.

Q3: What should you verify before connecting Cisco IP phones to an HP edge
switch?
A3: Verify that the IP phone supports LLDP-MED, which is the open standard protocol
that HP switches use for provisioning IP phones with the correct PoE settings, VLAN
assignment, QoS settings, and so forth. The IP phone might require a software
update.
Also note that you can configure HP A-Series switches to run LLDP in a CDP-compliant
mode. You can use this setting to support Cisco IP phones that do not support LLDP.

Q4: What setup should you perform on an HP edge switch before you connect Cisco
IP phones to it?
A4: Enabling LLDP-MED may be the only task that you need to perform on the switch.
On HP E-Series switches, you must simply create the voice VLAN and tag that VLAN
on the ports for IP phones. The switch will use LLDP-MED to provide the IP phone with
the voice VLAN and QoS setting (by default, CoS 5).
On HP A-Series switches, you can set up a voice VLAN that recognizes traffic from IP
phones according to the MAC address OUI (24 first bits).
Refer learners to the “Configuring IP phones” section in their Learner’s Guide for
complete lists of commands for completing these tasks.

Module 3
use
er

Answers for topic: “When should you migrate to MSTP?”


ld
ho

Q1: What is an alternate process?


ke

A1: You can delay migrating to MSTP until after the Cisco distribution devices have
a
St

been removed. By then the edge switches will be connected only to MSTP switches,
&L

so they will not experience the PVST+ simulation errors. And endpoints’ traffic is
C

being routed by the HP E-Series switches by then.


P
H

Rev. 11.21 A –3
BitSpyder - The Culture of Knowledge

Migrating to an Open Standards Network

Answers for topic: “Strategy 1: VRRP behavior on HP E-Series switches”

Q1: Based on this VRRP behavior, how would you plan a migration of routing
responsibilities from HSRP routing switches to VRRP routing switches that are using the
same IP addresses?

A1: You can configure all VRRP settings, including the appropriate virtual IP address,
on your HP E-Series switches in advance. You can even enable VRRP globally as long as
you verify that VRRP is disabled on all interfaces. You will then be ready to quickly bring
up VRRP. Because you can enable VRRP on individual VLANs, you can migrate the
VLANs gradually, assessing the status as you progress.

When you are ready to migrate the routing responsibilities on one of the VLANs, you
simply enable VRRP on that VLAN on one of the HP switches (you might want to
bring up one switch at a time to simplify the process). When the switch assumes the
Master VRRP role, it sends a gratuitous ARP, which causes endpoints to send routed
traffic to it instead. Then you can safely shut down the VLAN interface on the HSRP
router.

To minimize the possibilities for errors, you might want to make a single HSRP routing
switch the Active Router on all VLANs and shut down routing on the other switch. (A
strategy for doing so is provided a bit later.)

Answers for topic: “Strategy 2: Endpoint ARP behavior”

Q1: What will happen in a typical network full of Windows devices if you implement
the process discussed on the previous slide:

• Configuring all VRRP settings on the HP E-Series switches but not enabling VRRP
• Enabling VRRP globally and on one VLAN on one HP switch
• Waiting a moment for the gratuitous ARP to propagate
• Disabling the VLAN interface on the Cisco routing switch or switches

Will the network be disrupted and, if so, to what extent, and for how long?

A1: When you enable VRRP on the HP switch and it sends the gratuitous ARP, the
Cisco switch and other endpoints interpret this message (correctly) as a duplicate IP
address.

Endpoints that have live entries for the default gateway MAC address continue to
send their routed traffic to the current default gateway HSRP MAC address. As long
as they continue sending routed traffic without too long a pause (a random time
between 15 and 45 seconds), they will continue to use the HSRP address—until you
shut down the VLAN interface on the Cisco switch (or switches). Then the endpoints
continue to send traffic to the HSRP MAC address for a few seconds, but the traffic is
dropped. The endpoints then send an ARP request, to which the VRRP Master replies.
At that point, the endpoint’s ability to reach locations in other networks is restored.


Q2: Before you migrate the default router role to a new HP E-Series switch, you want
to remove one of your redundant HSRP Cisco routers. What process should you
follow?

A2: You should determine on which VLANs this switch is acting as the Active Router.
Then give the other Cisco switch a higher priority on those VLANs and also enable
preempt mode. After this Cisco switch has become the Active Router on all VLANs,
you can remove the other switch.

Q3: What are the advantages and disadvantages of assigning new virtual IP
addresses on your new HP E-Series routing switches?

A3: The best point of this strategy is that, if you proceed properly, the network
should not experience any downtime. You can migrate the routing functionality
gradually and carefully test as you do.

However, this strategy has several disadvantages. You have to change the default
gateway address manually on each device that has a statically assigned IP address,
which might be few or many depending on the environment. You need a good
inventory of devices, which some customers might not have. In addition, you must
look for every location in which the current distribution switches’ IP addresses are
referenced (such as firewall and management solution policies) so that you can
update the policies for the new addresses. To complete these steps, as well as
change the DHCP scopes to reference the new gateway addresses, you must work
with the customer’s server and possibly firewall administrators, which might be
difficult in some companies.

Module 4

Q1: What is the simplest method for eliminating loops on redundant connections
between Cisco edge switches and two HP A-Series switches at the distribution layer?

A1: You should configure the A-Series switches as an IRF group because that provides
the best redundancy. You can then connect the edge switches to the IRF group with
multiple cables in a link aggregation group. The IRF group acts as a single virtual
switch, so the link aggregation can span multiple physical chassis.

Q2: What advantages does IRF provide on the new HP A-Series devices in
comparison to VRRP and MSTP?

A2: IRF acts like a single virtual switch running one instance of the routing protocol
and using a single routing table. Therefore, if a routing switch fails, the failover is
immediate. Similarly the failover for Layer 2 connections is immediate. In addition,
because you can use link aggregation groups for redundant connections rather than
implement MSTP, you have more bandwidth available on edge-to-distribution uplinks.
The implementation is simpler as well.

Module 5

Answers for topic: “What will happen to traffic if…”

Q1: What will happen if Router A does not have the network command for
10.1.0.0/23?

A1: Router A will receive the announcement from Router B via iBGP and will then
announce it in return, so traffic should be sent and received without disruption. In
other words, not using the network command is not a way for Router A to stop
announcing a given network. Filtering out the network is the way to do it.

Q2: What will happen if Router A shuts down BGP peering with ISP1?

A2: As peering is shut down, the ISP1 peer will remove the network 10.1.0.0/23 from
its routing table and will generate a withdrawal to its other peers. While the
withdrawal is transmitted to the overall Internet, traffic sourced from the Internet may
still be directed to Router A. However, when it reaches the routers closest to Router A,
those should have updated their routing tables and use the prefix sent by Router B as
their best route. Convergence should be pretty fast.

On the LAN side, Router A still announces a default route and will still receive traffic
destined to the Internet. If iBGP peering is still up, it should direct Internet traffic to
Router B, so any disruption should be pretty short.

Q3: What will happen if Router B announces 10.1.0.0/23 but rejects all received
networks from ISP2?

A3: As Router B announces 10.1.0.0/23 it should still receive traffic destined for it.
As it does not learn networks from the Internet via ISP2, but instead gets all of its BGP
updates from Router A, it should then direct its update to Router A. Traffic between
the corporate network and the Internet will enter through both routers and will leave
through Router A.

Answers for topic: “How can you prevent Router A from…”

Q1: How can you prevent Router A from receiving any traffic from a LAN?

A1: Router A can simply stop sending a default route via IGP. However, it will still
receive traffic forwarded by Router B due to its iBGP route exchange. If Router A
shuts down eBGP peering, it will stop sending prefixes to Router B, and that will stop
traffic from going to Router A.

Q2: How can you prevent Router A from receiving traffic from the Internet? Or how
can you at least minimize the traffic?

A2: Router A should stop advertising all networks. If you remove the network
command on Router A, in the case of a multihome network, internal routes from B's
network command (or redistribution) will be passed to A and out to the ISP even if A
has no network command. So, removing the networks from A does not cause A to
stop advertising the routes and does not trigger the shift of traffic to the other router.
Also, simply filtering out the prefix (from A to the ISP) will not generate a BGP
withdraw message and will not trigger the traffic shift.

You can try to prepend the AS on Router A several times to create a long and
undesirable AS path for its routes. Prepend the AS and examine how much inbound
traffic comes in from the Internet. You should observe the inbound traffic decreasing.
If necessary, prepend the AS a few more times until you observe the inbound traffic
disappear or nearly disappear.

You could also trigger the sending of a withdraw message (versus a power off
requiring a 180 sec BGP holdtime to expire on the neighbor) to trigger the
recalculation of routes.

Router B could announce more specific networks such as 10.1.0.0/24 and
10.1.1.0/24 instead of 10.1.0.0/23. Router B would then always be the preferred
entry because its routes are more specific. You could then summarize the routes again
after the migration. The more specific routes will have a faster and more definite
result than other methods, but if you are originating hundreds of prefixes, this method
is more difficult.

You cannot control the ISP, and with multiple, widespread ISPs the traffic shift will be
slower and less controlled. With only one ISP (multihomed) the traffic shift should be
quick and easy.

For a more gradual way to complete the migration, you could have Router A
announce the network with a longer AS-Path, which would make it less likely for its
routes to be accepted than those from Router B. However, this method is not
guaranteed to work because each AS can manage BGP attributes differently.
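The following added example (not part of the HP guide) models how a remote Internet router chooses between Router A and Router B for the three cases in A2: AS-path prepending, prepending overridden by the remote AS's own policy, and more specific prefixes. The AS numbers, the `via` labels and the simplified decision order (prefix length, then local preference, then AS-path length) are assumptions made for illustration.

```python
import ipaddress

def best_route(routes, destination):
    """Return the route a remote router forwards on for `destination`.

    Simplified model: longest-prefix match decides first; among routes for the
    same prefix, higher local preference wins, then the shorter AS path.
    """
    dest = ipaddress.ip_address(destination)
    matching = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    return min(
        matching,
        key=lambda r: (
            -ipaddress.ip_network(r["prefix"]).prefixlen,
            -r.get("local_pref", 100),
            len(r["as_path"]),
        ),
    )

def entry_router(routes, destination):
    """Name of the customer router ("A" or "B") that inbound traffic reaches."""
    route = best_route(routes, destination)
    return route["via"] if route else None

# Constructed sample data. AS numbers are from the documentation range:
# 64500 = multihomed customer, 64496 = ISP1 (Router A), 64497 = ISP2 (Router B),
# 64498 = a transit AS between the remote router and ISP2.
PREPENDED = [
    {"via": "A", "prefix": "10.1.0.0/23", "as_path": [64496, 64500, 64500, 64500, 64500]},
    {"via": "B", "prefix": "10.1.0.0/23", "as_path": [64497, 64500]},
]
# Same announcements, but the remote AS prefers everything learned through ISP1,
# which is why prepending is not guaranteed to move traffic.
PREPENDED_OVERRIDDEN = [dict(PREPENDED[0], local_pref=200), PREPENDED[1]]
# Router B announces the two /24 halves; Router A keeps the /23 with a shorter path.
MORE_SPECIFIC = [
    {"via": "A", "prefix": "10.1.0.0/23", "as_path": [64496, 64500]},
    {"via": "B", "prefix": "10.1.0.0/24", "as_path": [64498, 64497, 64500]},
    {"via": "B", "prefix": "10.1.1.0/24", "as_path": [64498, 64497, 64500]},
]

if __name__ == "__main__":
    for name, table in [("prepended", PREPENDED),
                        ("prepended, overridden", PREPENDED_OVERRIDDEN),
                        ("more specific", MORE_SPECIFIC)]:
        print(name, "->", entry_router(table, "10.1.0.10"))
```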
Q3: How can you prevent Router A from sending traffic to the Internet?
A3: The simplest way is to close the eBGP connection, which will block sending and
receiving. If the router is powered off, it may take 180 seconds (holdtime) for the BGP
neighbor to realize it. For simply blocking traffic from being sent to the Internet, you
can filter out network advertisements to the Internet.

Answers to Learning Check:

Q1: What conditions are necessary for a local network to be advertised to a BGP
peer?
A1: First, the network must exist in a routing table and in a BGP table. Most
commonly this is accomplished by using a static route that points to the null 0
interface, which also provides a “permanent” presence for the entry. Then the
network can be advertised by a network command or an aggregate command.
(Network is preferable most of the time.)
Q2: What feature would you use to announce a small number of networks?
A2: Either the peer or neighbor command used with a prefix list or with a filter list where
networks are defined with an ACL.
Q3: How do you disable a BGP session?
A3: Cisco(config-bgp)# neighbor xxxx shutdown
[HP-bgp] peer xxxx ignore

Q4: What method would you use to change the attributes of a received prefix?
A4: Cisco route maps and HP A-Series route policies are ideal for changing the
attributes of received or advertised prefixes:
Cisco(config-bgp)# neighbor <ID> route-map route-map-name in
[HP-bgp] peer <ID> route-policy route-policy-name import
Q5: What makes an AS a multihome AS?


A5: A multihome AS is not a transit AS and does not advertise prefixes that are not
local to its AS. A multihome AS only advertises its own local network.
Q6: As an ISP are you required to control what customers advertise to you?
A6: Yes, this is recommended. A customer advertises a prefix, and the ISP should
only accept prefixes that have been allocated to the customer.
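The check described in A6, as an added example that is not part of the HP guide: it accepts a customer's announcement only when the prefix lies inside an allocation recorded for that customer. The allocation list, the sample announcements and the /24 maximum length are constructed assumptions (IPv4 only).

```python
import ipaddress

def check_announcement(prefix, allocations, max_len=24):
    """Return (accepted, reason) for one prefix a customer advertises.

    `allocations` lists the prefixes allocated to the customer; `max_len` is an
    assumed policy limit on how specific an accepted IPv4 announcement may be.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    for alloc in allocations:
        alloc_net = ipaddress.ip_network(alloc)
        if net.version != alloc_net.version:
            continue  # subnet_of() raises TypeError across IP versions
        if net.subnet_of(alloc_net):
            if net.prefixlen > max_len:
                return False, "more specific than /%d" % max_len
            return True, "inside " + alloc
    # Covers unrelated space and supernets of the allocation (for example a
    # default route), neither of which belongs to the customer.
    return False, "not allocated to customer"

def accepted_prefixes(updates, allocations, max_len=24):
    """Keep only the announcements the filter would let into the routing table."""
    return [p for p in updates if check_announcement(p, allocations, max_len)[0]]

# Constructed sample: the customer holds 10.1.0.0/23, as in the guide's scenario.
ALLOCATED = ["10.1.0.0/23"]
UPDATES = [
    "10.1.0.0/23",    # the allocation itself
    "10.1.1.0/24",    # more specific half, still inside the allocation
    "10.1.1.128/25",  # inside, but longer than the assumed /24 limit
    "10.0.0.0/8",     # supernet that covers other networks
    "0.0.0.0/0",      # default route
    "10.1.0.1/23",    # host bits set
]

if __name__ == "__main__":
    for p in UPDATES:
        print(p, check_announcement(p, ALLOCATED))
```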


To learn more about HP networking, visit


www.hp.com/networking