
Getting Started with HP Switching & Routing

Rev. 13.31 Course ID: 00731204


Track: HP ATP – FlexNetwork Solutions V1 certification

HP ExpertOne
Web-based Training
© Copyright 2013 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and 
services are set forth in the express warranty statements accompanying such products and services. Nothing 
herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial 
errors or omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not 
use these materials to deliver training to any person outside of your organization without the written permission 
of HP.

Module 1: HP Switch Overview

Objectives

After completing this module, you should be able to:

• Describe the following types of switches and explain how they are used
in today’s networks:
• Core, distribution, and access layer switches
• Layer 2 and Layer 3 switches
• Modular and fixed-port switches
• Managed, smart-managed, and unmanaged switches
• Explain how HP switches help organizations meet today’s business and
technical challenges
• Explain how the HP ProVision command line interface (CLI) and the
Comware CLI are separated into different privilege levels and identify
tasks that can be completed at each level

Rev. 13.31 1 –1
Lesson 1: Introduction

In this lesson, you will review what small, medium, and large companies
require from their network to meet their current business goals.

You will then learn how HP helps IT organizations meet these requirements,
allowing companies to move beyond the limitations of aging, traditional
networks.

Current networking challenges

Introduction
To understand the challenges companies are facing today, you should
consider three areas: data center, campus LAN, and branch office.

Data Center
Companies, seeking to improve efficiency and save money, are
consolidating resources in centralized data centers, which are rapidly
evolving and generating dramatic changes:

• Server virtualization, which allows a single physical system to host
multiple virtual machines, increases the demand for bandwidth at the
data center edge. The portability of virtual servers also means that the
network edge must constantly adjust to new services.
• Traditional client-server application models drove traffic from the
workstation to the server (north-south). In the data center, cloud
computing and federated applications now drive more traffic between
servers (east-west).
• Administrators also want to converge LAN and Storage Area Network
(SAN) traffic.

To accommodate all of these services, the network must deliver high
performance, high flexibility, high scalability, high availability, and low
latency. To keep up, you also need a single-pane-of-glass management tool
through which you can manage all components.

Campus LAN
Companies are moving resources out of the LAN and into the data center
and private or public clouds, driving more traffic across WAN connections.
At the same time, documents and applications—such as Unified
Communications and Collaboration (UC&C) solutions—are becoming more
media rich, increasing the need for more bandwidth and less latency. If the
network cannot deliver, the user experience suffers.

Users are also relying more heavily on mobile devices—increasingly as
their preferred method of access—and wireless LANs (WLANs) are being
deployed in hospitals, campuses, warehouses, and other spaces. Campus
networks must transform to support the delivery of applications and
services to wired and mobile workers alike. Unfortunately, existing WLAN
deployments often deliver a substandard user experience.

Branch office
Rather than deploy services at each branch office, companies are
consolidating services at centralized data centers. Resource consolidation
increases the demand for bandwidth and low latency on WAN links.
Companies are also reducing the number of IT staff at branch offices or
even eliminating them.

While these changes may save money and increase efficiency, they
introduce new challenges for branch office solutions. Customers need fast,
reliable WAN connections and solutions that can survive locally when a
WAN outage occurs.


Customer requirements

Companies of all sizes—small, medium, and large—now find themselves
with networks that hinder rather than drive the delivery of high-quality
network services.

Companies have…

• An infrastructure that supports connectivity but does not add intelligence
in a coherent fashion
• A complicated system of management solutions for different segments of
the network
• Separate silos of servers that experience differing traffic loads

But they need…

• An infrastructure that responds to diverse users and applications
appropriately and consistently
• A single-pane-of-glass solution that manages the entire infrastructure
• All of their resources to work efficiently all of the time


Converged networks with HP FlexNetwork

Introduction
To help companies evolve their network to meet these needs, HP provides
the FlexNetwork architecture.

HP FlexFabric
HP FlexFabric creates a low-latency, highly resilient infrastructure, uniquely
tuned for adapting to a virtualized environment, on which compute and
storage traffic converges.

HP FlexCampus
HP FlexCampus converges wired and wireless networks to deliver secure
identity-based access to employees and guests.

HP FlexBranch
HP FlexBranch simplifies the deployment and management of
standardized, secure, responsive, and resilient end-to-end solutions across
many branches.

HP FlexManagement
HP FlexManagement converges management of all network components
into a single solution, helping to orchestrate network management
according to business needs.

HP FlexNetwork
HP FlexNetwork is based on open standards. It is scalable, secure, and
agile. Although divided into different components, the HP FlexNetwork
offers a consistent set of services and a unified management solution.


HP FlexFabric LAN/SAN convergence

Introduction
Another issue facing companies is having to manage LANs and Storage
Area Networks (SANs) as separate infrastructures. Companies want to
simplify and save money by converging data and storage traffic onto a
single network. However, traditional Ethernet does not meet storage’s need
for high-speed, lossless delivery.

HP provides servers with Converged Network Adapters (CNAs) as well as
Fibre Channel over Ethernet (FCoE) switches, enabling companies to
benefit from the first phase of LAN/SAN convergence.

1) In a traditional network, the LAN and SAN are completely separate
physical networks, one devoted to data traffic and the other to storage.
Servers require two sets of NICs, and different groups manage each
network, increasing costs and creating logistical problems.

2) HP servers and switches provide an interim step toward LAN/SAN
convergence. In this step, the SAN still hosts the storage components.
However, the server connects only to the LAN, using its Converged
Network Adapters to handle both data and storage traffic. This phase
allows customers to save money on server components without
requiring a forklift upgrade for storage.

3) With full convergence, LAN and SAN traffic traverse the same network
infrastructure and both are managed through a single pane of glass.

Open standards

HP is also committed to supporting industry open standards. Open
standards give companies the freedom to implement multivendor solutions
and ensure continuing support for a converged network—no matter what
applications are later deployed.

For example, HP AllianceOne, an extensive system of partnerships, tests a
wide variety of solutions across the server, storage, and network
components of the HP FlexNetwork.

Thus, HP products:

• Make it easy to integrate new applications into core business practices
• Increase application flexibility
• Help reduce costs

HP warranty

For many switches, HP provides a lifetime warranty, which includes:

• Fans and power supplies
• Advanced replacement at no cost
• Next-day business delivery
• Software maintenance
• Technical assistance

Some restrictions apply. For complete warranty information, visit:
http://www.hp.com/networking/warranty

Green business technology

In addition, HP is committed to developing energy-efficient products. Some
of HP's green technologies include options such as low-power idle mode
and the ability to power down unused Ethernet ports on switches. Most
energy-efficient functions are easily monitored and managed. Several of
HP's switches have earned the Miercom Certified Green Standard for
networking devices.

Lesson 1: Summary

• In this lesson, you learned how HP is helping companies transform their
network, providing an infrastructure that responds to diverse users and
applications appropriately and consistently.
• You also learned that this highly scalable network architecture is built on
the FlexFabric architecture.
• Because the FlexNetwork is built on open standards, you are not locked
into proprietary applications or services. You can choose solutions that
best meet your company's needs.

Lesson 2: Introduction

In this lesson, you will begin to learn about switch technology. Specifically,
you will learn how switches can be categorized based on the following
criteria:

• Deployment in the network architecture
• Open Systems Interconnection (OSI) layer
• Manageability
• Form factor
• Support for stacking technologies

Deployment options: three-tier networks

Switches can be categorized by where they are deployed in the network
environment. Traditional networks are organized into three tiers:

• Core switches establish the backbone of the network.
• Distribution switches are consolidation points for LAN access or server
access switches and connect to the core switches.
• LAN or server access switches support workstations and servers.

Deployment options: two-tier networks

HP also supports two-tier networks:

• The distribution layer is eliminated; the LAN and server access switches
connect directly to the core switches.
• Traffic flows directly from the edge to the core, reducing latency.

Layer 2 and Layer 3 switches

Introduction
Switches are also categorized based on their ability to forward traffic at the
Data Link or the Network Layer of the Open Systems Interconnection (OSI)
model.

Layer 1
The Physical Layer controls the physical medium, defining the electrical and
mechanical specifications for the network connection.

Layer 2
The Data Link Layer describes the procedures (called protocols) that
control data transfer across the physical infrastructure.

Layer 3
The Network Layer is primarily responsible for logical addressing and the
routing of traffic across internetworks.

Layer 4
The Transport Layer ensures the reliable transfer of data between hosts. It
provides flow control, error checking, and data recovery.

Layer 5
The Session Layer defines the process of establishing and maintaining a
session (a two-way communication) between two applications.

Layer 6
The Presentation Layer translates the data from the lower layers to a format
that can be used by the Application Layer.

Layer 7
The Application Layer defines how applications access network services.

Ethernet
Ethernet is a Layer 1 and Layer 2 protocol. It defines the electrical and
mechanical specifications of the physical media that the network uses and
also controls data transfer across the physical infrastructure.

Layer 2 switch
A Layer 2 switch forwards traffic based on the frame’s Data Link Layer
information, specifically the hardware address, which is called the Media
Access Control (MAC) address. (You will learn more about Layer 2
forwarding later in this course.)

Layer 3 switch
A Layer 3 switch can route traffic based on Network Layer information. To
route traffic, Layer 3 switches must have the appropriate IP route. Layer 3
switches support static routes and routes learned through routing protocols.
Some switches support only static routes and are called Light Layer 3
switches. (You will learn more about Layer 3 routing later in this course.)
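As an added example (not part of the HP course material), the following Python sketch models the two forwarding behaviours just described: a Layer 2 switch that learns source MAC addresses per port and forwards on the destination MAC, flooding unknown destinations, and a Layer 3 switch that selects the longest-matching static route, with an optional cap on the number of static routes modelling the Light Layer 3 switches mentioned above. All MAC addresses, IP prefixes, and port or interface names are constructed for the demonstration.

```python
"""Toy Layer 2 and Layer 3 switches (added example, not HP course code).

All MAC addresses, IP prefixes and port/interface names are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Layer2Switch:
    """Forwards on Data Link Layer information: the destination MAC address."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports: List[str]) -> None:
        self.ports = list(ports)
        self.mac_table: Dict[str, str] = {}  # MAC address -> port it was learned on

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Return the egress port list for one frame arriving on in_port."""
        # Learn (or refresh) which port the source address lives behind.
        self.mac_table[src_mac.lower()] = in_port
        dst = dst_mac.lower()
        if dst == self.BROADCAST or dst not in self.mac_table:
            # Broadcast or unknown unicast: flood out every port except the ingress port.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        # Destination is behind the ingress port itself: filter (do not forward).
        return [] if out_port == in_port else [out_port]


class Layer3Switch:
    """Routes on Network Layer information: the destination IP address.

    Only static routes are modelled. max_static_routes caps the table, as on
    the 'Light Layer 3' switches described above (the text cites 32 routes).
    """

    def __init__(self, max_static_routes: Optional[int] = None) -> None:
        self.max_static_routes = max_static_routes
        self.routes: list = []  # (network, next hop, egress interface)

    def add_static_route(self, prefix: str, next_hop: str, out_iface: str) -> None:
        if self.max_static_routes is not None and len(self.routes) >= self.max_static_routes:
            raise ValueError(f"static route limit of {self.max_static_routes} reached")
        self.routes.append((ipaddress.ip_network(prefix, strict=True), next_hop, out_iface))

    def lookup(self, dst_ip: str) -> Optional[Tuple[str, str, str]]:
        """Return (matched prefix, next hop, egress interface), or None if no route."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, next_hop, iface in self.routes:
            # Longest-prefix match: the most specific matching route wins.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (str(best[0]), best[1], best[2])


def layer2_demo() -> Dict[str, List[str]]:
    """Three frames through a four-port switch; returns egress ports per step."""
    sw = Layer2Switch(["1", "2", "3", "4"])
    host_a, host_b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"  # constructed MACs
    return {
        # A (port 1) -> B: B is not yet learned, so the frame is flooded to ports 2-4.
        "unknown_flooded": sw.forward("1", host_a, host_b),
        # B (port 2) replies: A is known, so the frame goes to port 1 only.
        "reply_unicast": sw.forward("2", host_b, host_a),
        # A -> B again: both are learned, so the frame goes to port 2 only.
        "known_unicast": sw.forward("1", host_a, host_b),
    }


def layer3_demo() -> Dict[str, Optional[Tuple[str, str, str]]]:
    """Static routes with overlapping prefixes plus a default route."""
    rtr = Layer3Switch(max_static_routes=32)
    rtr.add_static_route("10.1.0.0/16", "10.0.0.1", "vlan10")
    rtr.add_static_route("10.1.20.0/24", "10.0.0.2", "vlan20")  # more specific
    rtr.add_static_route("0.0.0.0/0", "192.0.2.1", "vlan1")     # default route
    return {
        "specific": rtr.lookup("10.1.20.7"),    # the /24 beats the /16
        "summary": rtr.lookup("10.1.5.9"),      # only the /16 matches
        "default": rtr.lookup("198.51.100.4"),  # falls through to 0.0.0.0/0
    }


def light_layer3_limit(limit: int = 32) -> bool:
    """True if the (limit+1)th static route is refused, as on a Light Layer 3 switch."""
    rtr = Layer3Switch(max_static_routes=limit)
    for i in range(limit):
        rtr.add_static_route(f"10.{i}.0.0/16", "10.0.0.1", "vlan1")
    try:
        rtr.add_static_route("172.16.0.0/12", "10.0.0.1", "vlan1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(layer2_demo())
    print(layer3_demo())
    print("Light Layer 3 switch refuses the 33rd static route:", light_layer3_limit())
```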

Switch manageability

Introduction
Switches are also categorized based on their level of manageability.

Managed
Managed switches support Simple Network Management Protocol (SNMP)
and allow you to configure each port’s communication parameters and
many other aspects of the switch through a command line interface (CLI).
Many managed switches also provide a graphical user interface, such as a
Web browser interface. All of HP’s enterprise switches are managed.

Smart web-managed
Smart web-managed switches, as the name suggests, can be managed
through a Web browser interface. The Web browser interface is designed to
be intuitive, making it easy to configure and manage switch features.

In addition, these switches support Simple Network Management Protocol
(SNMP). You can, therefore, manage them through a centralized SNMP
console.

Unmanaged
Unmanaged switches provide basic Layer 2 switching and are not
configurable. These switches are commonly referred to as “plug-and-play”
switches and are designed for small to medium businesses (SMBs) that
need basic switch functionality.

Form factor

Introduction
Another way switches are categorized is by their form factor or physical
frame. (Regardless of their form factor, all types of switches support high-
speed links, either through traditional copper cabling or fiber optic cabling.)

Fixed-port switches
Fixed-port switches have a predefined number of ports. Typically, the switch
is one rack unit (RU).

An RU refers to the amount of vertical space the hardware will take up in an
equipment rack in the wiring closet, server room, or data center. For
example, most server racks have 42U, meaning that they can accommodate
42 1U devices.

Modular switches
Modular switches do not have a defined number of ports. Instead, port type
and density in a modular switch are defined by the type and number of
modules that are installed in the chassis.

Flex-chassis switches
Flex-chassis switches contain a number of fixed ports as well as room to
accommodate a limited number of modules, which allow you to add extra
high-speed ports or advanced features or services.

Meshed stacking and IRF

Introduction
Switches may also be categorized based on their support for stacking.
Traditional stacking enables you to connect several switches and manage
them through a single IP address.

HP also offers two more advanced stacking technologies: meshed stacking
and Intelligent Resilient Framework (IRF).

Meshed stacking
Available on the HP 3800 Switch Series, meshed stacking allows you to
aggregate up to five switches to form a fully meshed stack for resiliency and
management via a single interface. Direct links run to and from each switch
in the stack, forming a single logical switch.

IRF
IRF allows you to combine multiple switches, creating a single resilient
virtual switch. To other devices on the network, each IRF system appears to
be one device, which has one MAC address and one bridge ID. Routing
updates originate from this one device.

The IRF system draws on each switch's capabilities during normal
operation. As a result, the IRF system provides high performance while
greatly simplifying the design and operations of data center and campus
networks.

In addition, the IRF system provides both device-level and link-level
redundancy. If a switch (or a switch component) fails or becomes
unavailable, the IRF system can quickly and seamlessly fail over,
preventing service interruption and guaranteeing complete continuity for
business-critical applications.

IRF runs on many HP switches, including the HP 5120, 5500, 5800, 5820,
5830, 7500, 9500, 10500, and 12500 Switch Series.

Benefits
IRF and meshed stacking offer many benefits over traditional stacking:

• Unified management: You can manage the stack through a single
master switch.
• High availability: IRF and meshed stacking provide N:1 failover and
redundant links.
• Increased performance: All available links remain active and provide
load balancing, which increases efficiency in switching and routing.
• Scalability: You can increase network bandwidth and processing
capabilities by adding switches to the meshed stack or IRF system.
• Flattened architecture: By enabling access layer switches to share
highly available links to the core, meshed stacking and IRF help
customers create low-latency, two-tier architectures in both the campus
LAN and data center.

Lesson 2: Summary

In this lesson, you learned how switches can be categorized based on
criteria such as the network tier where they are deployed, Layer 2 or 3
functionality, manageability, form factor, and stacking capability.

Lesson 3: Introduction

• In this lesson, you will begin to apply what you have learned about
switches. You will take a look at a few HP switches, considering features
such as their form factor, manageability, forwarding and switching
capabilities, and stacking capabilities.
• You will also learn how to access and begin managing HP switches.

HP switch portfolio

Introduction
You will now be introduced to several switches in each part of the
FlexNetwork architecture. And because small businesses have specific
technical, management, and budget requirements, you will examine
switches ideally suited for these environments.

FlexFabric switches
The following entries provide basic information about some of the switches
that can be used to implement FlexFabric (featured switch series, form
factor, switch models, manageability, forwarding and routing, Power over
Ethernet (PoE), and stacking/IRF). To view information about other switches
that play a role in FlexFabric, go to http://www.hp.com/go/networking.

5800 Switch Series
  Form factor: Flex-chassis
  Switches: 5800-24G, 5800-24G-PoE+, and 5800-24G-SFP; 5800-48G, 5800-48G-PoE, and 5800-48G with 2 slots; 5800AF-48G
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes
  Stacking/IRF: IRF with up to 9 switches

5820 Switch Series
  Form factor: Flex-chassis
  Switches: 5820-14XG-SFP+ with 2 slots; 5820-24XG-SFP+; 5820AF-24XG
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: No
  Stacking/IRF: IRF with up to 9 switches

5830 Switch Series
  Form factor: Fixed-port
  Switches: 5830AF-48G with 1 interface slot; 5830AF-96G
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: No
  Stacking/IRF: IRF with up to 4 switches

5920 Switch Series
  Form factor: Fixed-port
  Switches: 5920AF-24XG
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: No
  Stacking/IRF: IRF with up to 4 switches

12500 Switch Series
  Form factor: Modular
  Switches: 12504 (4 slots); 12508 (8 slots); 12518 (18 slots)
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes
  Stacking/IRF: IRF with up to 4 switches

FlexCampus switches
The following entries provide basic information about some of the switches
that can be used to implement FlexCampus. To view information about other
switches that play a role in FlexCampus, go to
http://www.hp.com/go/networking. (Keep in mind that some FlexCampus
switches, such as the 2530 Switch Series, can be deployed in FlexBranch
as well.)

2530 Switch Series
  Form factor: Fixed
  Switches: 2530-24G; 2530-48G; 2530-24G-PoE+; 2530-48G-PoE+
  Manageability: Managed
  Forwarding and routing: Layer 2
  PoE: Yes (designated switches)
  Stacking: Yes, up to 16 switches

3800 Switch Series
  Form factor: Fixed
  Switches: 3800-24G-2SFP+; 3800-24G-2XG; 3800-24G-PoE+-2XG; 3800-24G-PoE+-2SFP+; 3800-48G-PoE+-4SFP+; 3800-48G-4SFP+; 3800-48G-4XG; 3800-48G-PoE+-4XG; 3800-24SFP-2SFP+
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes (designated switches)
  Stacking: Meshed stacking

8200 zl Switch Series
  Form factor: Modular
  Switches: 8206 zl; 8212 zl
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes (designated modules)
  Stacking: No

10500 Switch Series
  Form factor: Modular
  Switches: 10504; 10508 and 10508-V*; 10512
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes
  Stacking: IRF with up to 4 switches

FlexBranch switches
The following entries provide basic information about some of the switches
that can be used to implement FlexBranch. To view information about other
switches that play a role in FlexBranch, go to http://www.hp.com/go/networking.
(Keep in mind that some switches, such as the 2620, 2910 al, 2920, and
5400 zl, can be deployed in FlexCampus as well.)

2620 Switch Series
  Form factor: Fixed-port
  Switches: 2620-24, 2620-24-PPoE+, and 2620-24-PoE+; 2620-48 and 2620-48-PoE+
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes (designated switches)
  Stacking/IRF: Up to 16 switches

2910 al Switch Series
  Form factor: Fixed-port
  Switches: 2910-24G al; 2910-48G al; 2910-24G-PoE+ al; 2910-48G-PoE+ al
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes (designated switches)
  Stacking/IRF: Up to 16 switches

2920 Switch Series
  Form factor: Fixed-port
  Switches: 2920-24G; 2920-24G-PoE+; 2920-48G; 2920-48G-PoE+
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes (designated switches)
  Stacking/IRF: Up to 4 switches

5400 zl Switch Series
  Form factor: Modular
  Switches: 5406 zl; 5412 zl
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: Yes (designated modules)
  Stacking/IRF: No

5500 HI Switch Series
  Form factor: Fixed-port
  Switches: 5500-24G-4SFP HI Switch with 2 Interface Slots; 5500-48G-4SFP HI Switch with 2 Interface Slots
  Manageability: Managed
  Forwarding and routing: Layer 3/4
  PoE: No
  Stacking/IRF: IRF with up to 9 switches

Small business switches
Small businesses need to provide competitive services but do not have the
budgets and IT staff of larger companies. They need switches that are easy
to deploy and manage. To see a complete list of switches for small
businesses, visit http://www.hp.com/go/networking.

1410 Switch Series
  Form factor: Fixed-port
  Switches: 1410-8G; 1410-16G; 1410-24G; 1410-8; 1410-16; 1410-24; 1410-24-2G
  Manageability: Unmanaged
  Forwarding and routing: Layer 2
  PoE: No
  Stacking: No

1810 Switch Series
  Form factor: Fixed-port
  Switches: 1810-8G v2; 1810-24G v2; 1810-48G; 1810-8 v2; 1810-24 v2
  Manageability: Web browser interface; SNMP v1 and v2
  Forwarding and routing: Layer 2
  PoE: No
  Stacking: No

1910 Switch Series
  Form factor: Modular
  Switches: 1910-48G; 1910-24G-PoE; 1910-24G; 1910-16G; 1910-8G; 1910-8G-PoE+
  Manageability: Web browser interface; SNMP v1, v2, and v3
  Forwarding and routing: Light Layer 3 (32 static routes)
  PoE: Yes (designated switches)
  Stacking: No

Switch software

HP managed switches run one of the following:

• ProVision software
• Comware software

Both ProVision software and Comware software provide many of the same
features. There are some differences, of course, but a detailed comparison
is beyond the scope of this course. For now, you simply need to understand
that the software determines the structure of the command line interface
(CLI) and the commands you enter. (For more in-depth information, attend
Building SMB Networks with HP Technologies, which is an instructor-led
training course.)

You will now learn more about ProVision and Comware switches.

Switch management interfaces

Introduction
Both ProVision and Comware switches are managed primarily through their
CLI. ProVision switches offer two additional management interfaces: the
menu interface and the Web browser interface. Some Comware switches
also provide a Web browser interface.

Keep in mind that the CLI is the primary interface for both ProVision and
Comware switches, and this course will focus on that interface.

ProVision CLI
The example above shows the ProVision CLI. You will learn more about
how to access the CLI and navigate in it in the next slides.

ProVision menu interface
The example above shows the ProVision menu interface, which you initially
access through the CLI by entering the menu command. As mentioned
earlier, this course will not cover the menu interface, focusing instead on the
CLI.

ProVision Web browser interface
The example above shows the ProVision web browser interface. As
mentioned earlier, this course will not cover the web browser interface,
focusing instead on the CLI.

Comware CLI
The example above shows the Comware CLI. You will learn more about
how to access the CLI and navigate in it in the next slides.

Comware Web browser interface
The example above shows the Comware web browser interface. As
mentioned earlier, this course will not cover the web browser interface,
focusing instead on the CLI.


In-band and out-of-band management

Introduction
You can access a switch’s CLI in two ways.

What is out-of-band management?
With out-of-band management, you connect your management station to the switch's console port with a serial cable and access the CLI with terminal emulation software. This is called out-of-band management because you are not connecting to the switch through a network port, so the session cannot be intercepted on the network. It is only as secure as physical access to the console port, however: by default, neither ProVision nor Comware switches require a password on it, a point that "Module 2: Security" returns to.

Some Comware switches also permit you to connect to an AUX port through a modem connection.

What is in-band management?
With in-band management, your management communications run over network connections. You require IP connectivity to the switch through a direct or indirect Ethernet connection. To open a management session, you use terminal emulation software that supports either Telnet or Secure Shell (SSH). With Telnet, everything in the session, including the login password, is transmitted in clear text and can be read by anyone able to capture traffic on the path to the switch. With SSH, the session is encrypted. Prefer SSH for in-band management and disable Telnet once SSH is working. You will learn more about SSH in "Module 2: Security."

What application do you need to access the CLI?
There are many options, but one commonly used terminal emulator is Tera Term, a free, open-source application that supports serial, Telnet, and SSH sessions.
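The snooping risk the in-band section warns about, shown concretely. This is an added example, not part of the course and not HP software: it takes the TCP payloads a sniffer on the path between an administrator's PC and a switch would see during a Telnet login and recovers the user name and password from them. The capture, the prompts, the user name "admin" and the password are all constructed for the example; a real capture would be taken with a packet sniffer and the same parsing applied to the TCP payloads. Over SSH the same bytes are ciphertext and nothing below can be recovered.

```python
"""Recover a login from a captured Telnet management session.

Added example, not part of the HP course: it demonstrates that Telnet
carries management traffic, including passwords, in clear text. The
"capture" is a constructed list of (direction, payload) tuples standing in
for the TCP payloads a sniffer between the admin's PC and the switch would
see; no switch or network is involved, and the prompts, user name and
password are made up.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0                      # Telnet command bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE        # 3-byte option negotiation


def strip_telnet_options(payload):
    """Drop IAC negotiation sequences, keeping only typed or displayed bytes."""
    out, i = bytearray(), 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(payload):             # dangling IAC at end of segment
            break
        elif payload[i + 1] == IAC:             # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif payload[i + 1] == SB:              # subnegotiation runs until IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        elif payload[i + 1] in (WILL, WONT, DO, DONT):
            i += 3
        else:                                    # other 2-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def recover_login(capture):
    """Return (username, password) typed in a Telnet session, or None.

    capture: iterable of ("server" | "client", bytes) in wire order. The
    server's prompts say which field the client's next keystrokes belong to;
    server echoes of those keystrokes are ignored because only client
    segments are read.
    """
    creds = {"username": None, "password": None}
    field, buf = None, bytearray()
    for direction, payload in capture:
        text = strip_telnet_options(payload)
        if direction == "server":
            low = text.lower()
            if b"username:" in low or b"login:" in low:
                field, buf = "username", bytearray()
            elif b"password:" in low:
                field, buf = "password", bytearray()
            continue
        if field is None:
            continue
        for b in text:
            if b in (0x08, 0x7F):                # backspace or delete
                if buf:
                    buf.pop()
            elif b in (0x0D, 0x0A):              # Enter ends the field
                creds[field] = buf.decode("ascii", "replace")
                field = None
                break
            elif 0x20 <= b < 0x7F:
                buf.append(b)
    if creds["password"] is None:
        return None
    return creds["username"], creds["password"]


# Constructed capture of an admin logging in to a switch over Telnet.
# Each keystroke travels as its own segment, as interactive Telnet sends it.
CAPTURE = [
    ("server", bytes([IAC, DO, 0x18, IAC, WILL, 0x01]) + b"\r\nUsername: "),
    ("client", bytes([IAC, WONT, 0x18, IAC, DO, 0x01])),
    *[("client", c) for c in (b"a", b"d", b"m", b"i", b"n", b"\r\n")],
    ("server", b"\r\nPassword: "),
    *[("client", c) for c in (b"S", b"3", b"c", b"r", b"e", b"t", b"!", b"\x08", b"1", b"\r\n")],
    ("server", b"\r\nSwitch# "),
]

if __name__ == "__main__":
    print(recover_login(CAPTURE))               # ('admin', 'S3cret1')
```

The option-stripping step matters in practice: a real session starts with a burst of IAC negotiation and the credentials are interleaved with it, so a naive string search for the prompt often fails while this reassembly does not. The backspace handling shows that even a typo corrected by the administrator leaks only the final password, which is what the attacker needs.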


HP ProVision switches: management users


You can access the CLI of an HP ProVision switch as operator or manager:

 Operator provides read-only access. You can view statistics and configuration information.
 Manager provides read-write access. You can make configuration changes and view information.

You can protect access to the switch by configuring a password for each user. At factory default settings, there are no passwords for either user, so anyone who reaches the CLI, whether through the console port, Telnet, or the Web browser interface, has full read-write control. Setting the manager password (and, if operators will use the switch, the operator password) should be the first configuration step on a new switch.


HP ProVision switches: CLI structure

View                    Switch prompt         Tasks
Operator                Switch>               View statistics and configuration information.
Manager                 Switch#               Begin managing the switch (such as updating system software).
Global configuration    Switch(config)#       Make configuration changes to the switch features.
Context configuration   Switch(<context>)#    Make configuration changes within a specific context, such as a VLAN,
                                              one or more ports, or a routing protocol.
                                              Examples: Switch(vlan-1)#  Switch(rip)#

Introduction
The HP ProVision switch CLI is organized into different levels, or contexts.
You can tell the context by the switch prompt.

Operator context
The > symbol in the switch prompt indicates you are at the operator level.
At this level you can view statistics and configuration information. To move
to the manager level, enter enable. If a manager password has been
configured on the switch, you will be prompted to enter that password.

Manager context
The # symbol in the switch prompt appears at the manager level. From this
context, you can view additional information and begin managing the
switch. For example, you can update the switch software. To move to the
global configuration context, enter configure terminal (or a command
shortcut such as config).

Global configuration context
The word config in the switch prompt indicates you are at the global
configuration context. At this context, you can make configuration changes
to the system’s software features.

Context configuration
From the global configuration context, you can enter commands to move to
other contexts, from which you configure particular settings. For example,
you might move to a physical interface context or a VLAN context to
configure settings specific to that interface or VLAN. You can also access
contexts for protocols such as Routing Information Protocol (RIP) or Open
Shortest Path First (OSPF).

The prompt changes to indicate the context as shown in these examples:

Switch(vlan-1)#
Switch(rip)#


HP Comware switches: User interfaces

Introduction
On Comware switches, you access the CLI through user interfaces.

In-band management
In-band access, which allows multiple users to access the switch through the IP network, uses the virtual interfaces VTY0, VTY1, VTY2, and so on. At default settings these interfaces use password authentication, but no password is set, so nobody can log in over the network until you configure one. This is deliberate: a factory-wide default password would be a weakness, so you must set a password unique to your organization.

To access a Comware switch for the first time, you must therefore use out-of-band management. You can then configure a password for in-band management or change the authentication method to any of the three methods described next for out-of-band management.

Out-of-band management
Out-of-band connections use the AUX0 interface, which requires no password at default settings (authentication mode none), enabling initial access to the switch. You can leave this default for out-of-band management, or you can configure the AUX0 interface to require users to log in with a password (password mode) or with a username and password (scheme mode). With scheme authentication, the switch checks the credentials against a local list of users or an external authentication server, as dictated by its Authentication, Authorization, and Accounting (AAA) domain settings. Because the console port sits wherever the switch does, leaving AUX0 at none makes physical access to the switch equivalent to management access; set at least a password once initial setup is complete.
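A way to check the defaults described in the ProVision management users passage and in the Comware user interfaces passage above, before a switch goes into production. This is an added example, not course material and not HP software: it audits saved configurations for the weak settings the text names (Telnet enabled, SSH absent, no operator or manager password on ProVision, authentication mode none or an unset password on a Comware user interface). The three configuration excerpts, the hostnames "Access-1" and "Core-1" and the password hashes are constructed. Their line syntax approximates what show running-config (ProVision) and display current-configuration (Comware) print, and the checks assume, as both CLIs do, that default settings are not printed, so that a missing "no telnet-server" line means Telnet is on; verify that assumption against your software version before trusting the results.

```python
"""Audit management-access settings in switch configurations.

Added example, not code from the HP course or from HP software. It turns
three points in the text into checks: Telnet carries logins in clear text,
ProVision ships with no operator or manager password, and a Comware AUX
line defaults to authentication-mode none. The configuration excerpts are
constructed; the assumption that default-on settings are omitted from the
printed configuration should be verified on your software version.
"""

PROVISION_SAMPLE = """\
hostname "Access-1"
no web-management plaintext
ip ssh
password manager user-name "admin" sha1 "0000000000000000000000000000000000000000"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address dhcp-bootp
   exit
"""

COMWARE_WEAK = """\
 sysname Core-1
#
 telnet server enable
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode password
#
return
"""

COMWARE_HARDENED = """\
 sysname Core-1
#
 ssh server enable
#
user-interface aux 0
 authentication-mode password
 set authentication password cipher $c$3$0000000000000000
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
#
return
"""


def audit_provision(config):
    """Return (severity, message) findings for a ProVision running-config."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "no telnet-server" not in lines:
        findings.append(("high", "Telnet server enabled (ProVision default); "
                                 "disable it with 'no telnet-server' once SSH works"))
    if "ip ssh" not in lines:
        findings.append(("high", "SSH server not enabled; in-band management is clear text"))
    if not any(l.startswith("password manager") for l in lines):
        findings.append(("critical", "no manager password in the config: factory default gives "
                                     "read-write access to anyone who reaches the CLI"))
    if not any(l.startswith("password operator") for l in lines):
        findings.append(("medium", "no operator password; read-only CLI access is unauthenticated"))
    if not any(l in ("no web-management", "no web-management plaintext") for l in lines):
        findings.append(("medium", "plain-HTTP Web management enabled (ProVision default)"))
    return findings


def comware_sections(config):
    """Group each 'user-interface ...' block with its indented body lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("user-interface "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:                       # '#' separator or a top-level command
            current = None
    return sections


def audit_comware(config):
    """Return (severity, message) findings for a Comware current-configuration."""
    flat = {l.strip() for l in config.splitlines()}
    findings = []
    if "telnet server enable" in flat:
        findings.append(("high", "Telnet server enabled; logins cross the network in clear text"))
    if "ssh server enable" not in flat:
        findings.append(("high", "SSH server not enabled"))
    for name, body in comware_sections(config).items():
        is_aux = name.startswith("user-interface aux")
        # Course text: AUX defaults to none, VTY to password; only non-default settings are printed.
        mode = next((l.split()[-1] for l in body if l.startswith("authentication-mode")),
                    "none" if is_aux else "password")
        if mode == "none":
            findings.append(("high" if is_aux else "critical",
                             f"{name}: authentication-mode none, no login required"))
        elif mode == "password" and not any(l.startswith("set authentication password") for l in body):
            findings.append(("medium", f"{name}: password mode but no password set; "
                                       "login is impossible until one is configured"))
        if not is_aux and "protocol inbound ssh" not in body:
            findings.append(("medium", f"{name}: still accepts Telnet; add 'protocol inbound ssh'"))
    return findings


if __name__ == "__main__":
    for label, result in (("ProVision", audit_provision(PROVISION_SAMPLE)),
                          ("Comware weak", audit_comware(COMWARE_WEAK)),
                          ("Comware hardened", audit_comware(COMWARE_HARDENED))):
        print(label, "->", result or "no findings")
```

COMWARE_WEAK is the state the text describes for a freshly unboxed switch plus Telnet turned on; COMWARE_HARDENED shows the corrected lines side by side: a password on AUX0, scheme authentication and SSH only on the VTY lines, and the SSH server in place of Telnet. The ProVision sample is already partly hardened and the audit still reports Telnet and the missing operator password.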

HP Comware switches: CLI command levels

On Comware switches, each CLI command is associated with one of four command levels. The command level for each command is configurable, but most network managers leave the commands at the default settings.

The four command levels, from highest to lowest, and the types of commands available at each:

 3  Manager: system management commands such as file and user management (read-write)
 2  System: service configuration commands (read-write)
 1  Monitor: basic read-only commands
 0  Visitor: diagnosis commands such as ping and traceroute


HP Comware switches: Privilege levels

User privilege level    CLI command level    Command to move to that level
Manager (3)             Manager              super 3
System (2)              System               super 2
Monitor (1)             Monitor              super 1
Visitor (0)             Visitor              super 0

The types of commands that you can enter depend on your privilege level, which the Comware switch assigns you when you log in. Privilege levels equate to the CLI command levels.

You may enter any command that is available to your current privilege level and lower.

 To move between levels, enter super <level>.
 To move to a higher level, you must also supply the super password for that level. For example, to move to the manager level, enter super 3 and then the level 3 super password when prompted. The super password is separate from the login password; configure one for each level you want to protect, so that a user who logs in at a low level cannot simply elevate.
 You can always move to a lower level than your current level, although this is rarely necessary because you already have access to those commands at the higher level.


HP Comware switches: CLI structure

Introduction
The Comware CLI is divided into views, each of which contains a set of related commands. In addition to having the privilege to enter a particular command, you must be in the correct view. The switch prompt indicates the current view:

View          Prompt (switch named Switch)      Tasks
User view     <Switch>                          View settings, troubleshoot, manage files
System view   [Switch]                          Configure switch software; enter other views
Other views   [Switch-GigabitEthernet1/0/1]     Configure a specific interface, user interface, or feature
              [Switch-ui-vty0-4]

User view
The user view is indicated by angle brackets (<>). In this view, you can view
settings, troubleshoot system problems, and manage files. You can move to
the system view by entering the command: system-view.

System view
The system view is indicated by square brackets ([ ]). In this view, you can
make configuration changes to the switch’s software. You can also access
other command views. You can return to the user view by entering quit.

Other command views
Other command views give you access to configure interfaces, both
physical and virtual, including the user interfaces. Many other features can
be configured within their specific view mode. To exit a specific view and
return to the system view, enter quit.


HP CLI help

Both HP ProVision and Comware CLIs offer help features to assist you in navigating the interface. The table shows the common help commands for both.

You want to:                                          HP ProVision                      HP Comware
View a brief description of all available commands    help [Enter], ? or [Tab]          ?
  at your context or view
View commands that start with certain letters         <string>? or <string>[Tab]        <string>?
Auto-complete a command                               Type enough characters to identify the command uniquely
                                                      and press [Tab] (both CLIs)
View the options for a command                        <command> ?                       <command> ?
View hotkeys                                          No help option                    display hotkey


ProVision switches: CLI compatibility


Introduction
Because many companies have both ProVision and Comware switches, HP
has been focusing on providing CLI compatibility within the ProVision
software. Specifically, HP has been adding support for certain Comware
commands within the ProVision CLI. This effort is designed to help network
administrators who are familiar with Comware commands to use the
ProVision CLI more easily.

The following switches provide this CLI compatibility:

 HP 8200 zl Switch Series


 HP 6600 Switch Series
 HP 6200 yl Switch Series
 HP 5400 zl Switch Series
 HP 3500 Switch Series
 HP 3800 Switch Series
 HP 2910al Switch Series
 HP 2915 Switch Series
 HP 2615 Switch Series
 HP 2620 Switch Series

Note that this course outlines the CLI compatibility support available at the time the course was published. Check your ProVision switch documentation to learn more about the switches and the software versions that support this feature and to determine the exact Comware commands that are supported.

display commands
Many HP switches that run the ProVision software support more than 200
Comware display commands, which allow you to view information about
the switch and its configuration. (Natively, ProVision switches support show
commands, which provide similar functionality as display commands.)

Frequently used commands
To help network administrators who are familiar with Comware switches to
easily manage ProVision switches, HP has also added support for common
Comware commands that allow you to move within the CLI hierarchy,
reverse (or undo) a command, and save a configuration (as shown in the
examples provided).

Fundamental commands
To help network administrators who are familiar with Comware switches
manage ProVision switches more easily, HP has also added support for
fundamental Comware configuration commands, such as the file
management commands shown here.

Extended help
HP has also added extended help messages to the ProVision help feature.
These messages will help network administrators who are familiar with
Comware identify the equivalent command on the ProVision switch. When
this feature is enabled, these network administrators can simply type the
first part of the Comware configuration command and press the [tab] key.
The help feature then will provide a reference to the correct ProVision
command. It may also provide guidance on the next action for those
configuration items that may not be intuitive due to naming or concept
differences between Comware and ProVision software.

Of course, not all Comware configuration commands require the new help
feature: Some configuration commands are identical, or very similar, to
ProVision commands. Using these commands is self-explanatory.


Summary

In this module you have learned about:

 The benefits of HP switches
 The different ways in which switches are categorized
 In-band and out-of-band management access
 CLI structure of HP ProVision and Comware switches



Security
Module 2

Module 2: Security

Objectives

This module introduces you to the basics of network security. You will learn about today's security landscape and evolving threats. You will also learn the basics of securing HP networking infrastructure devices from improper access.

After completing this module, you should be able to:

• Describe ways in which attackers gain unauthorized access to a network
• Explain factors that make a network vulnerable to unauthorized access
• Take the proper measures to physically secure infrastructure devices from unauthorized access


Introduction

As soon as you connect a switch or router to a network, it becomes part of the network's security environment. It can be either a secure or a weak link in the network's defenses.

To ensure that you deploy a switch securely, you must understand the types of threats that travel through the network infrastructure or even target the network infrastructure itself.


Overview of attacks

First, consider the source of threats and attacks.

Originally, security solutions were designed to protect a trusted network from external threats. Although external threats still exist, attacks often originate within the network.

Some authorized users might intentionally launch attacks. Malicious employees, former employees, contractors, or guests could access data inappropriately, misuse resources, or launch attacks.

Authorized users can also unintentionally introduce threats: connecting insecure or infected devices to the network, opening infected files, downloading applications with hidden malware, using weak passwords, or leaking passwords.


Common attacks

This topic covers unauthorized access, Denial of Service (DoS), impersonation, reconnaissance, malware, and viruses and worms.

Introduction
You should be aware of several broad categories of threats, which might
originate externally or internally.

Unauthorized Access
Unauthorized access occurs when someone who should not have access reaches your network, either by guessing, stealing, or cracking a password or by finding an insecure network access point. Attackers can crack passwords by trying many different dictionary words, or obtain them by wiretapping and eavesdropping on communications that carry credentials in clear text (a Telnet management session, for example), by tricking users into revealing passwords, or by finding passwords that are stored insecurely.

Denial of Service (DoS)
DoS attacks occur when hackers are able to overwhelm a network's
resources. For example, hackers might generate enough traffic to consume
available bandwidth or send a server or infrastructure device so much traffic
that the device’s processor is continually at 100 percent utilization. By tying
up these resources, hackers prevent valid users from accessing network
services.

Hackers also use Distributed DoS (DDoS) attacks, transforming many compromised computers into "zombies" that launch the attack, which magnifies its power while concealing its source. In a variation, called a reflective DDoS attack, the zombies send requests whose source address is spoofed to be the victim's to Internet reflectors (Web servers, DNS servers, and so forth). The reflectors then send their replies to the spoofed address, which is the target of the attack.

Impersonation
Impersonation attacks occur when attackers masquerade as legitimate resource providers to steal private information or install malware on a workstation. Two common types of impersonation attacks are man-in-the-middle (MITM) attacks and phishing attacks:

• In an MITM attack, the attacker sits between two endpoints that believe they are communicating directly with each other, and can read and alter everything that passes between them. (The ARP poisoning described later in this module is a common way to get into that position on a LAN.)
• In a phishing attack, the attacker poses as a trusted party, such as a bank or the IT department, and tricks users into sending passwords or other sensitive data.

Reconnaissance
Reconnaissance attacks are used to gather information about a network
and to discover potential vulnerabilities a hacker can exploit. Hackers often
use tools that can be legitimately used as troubleshooting tools such as:

• Port scanners, to find open TCP or UDP ports
• Network mapping software, which discovers information about all
available endpoints and applications on a network

Malware
Malware describes any software designed to use network resources or
infiltrate network devices without the knowledge or consent of the device
owner. Types of malware include:

• Adware, which displays unwanted pop-up ads on infected systems
• Spyware, which records Web sites visited, keystrokes, and other
personal information, which can be used for identity theft or unauthorized
network access
• Rootkits, which allow a hacker to hijack the system, using it as a
backdoor to access other resources or turning it into a “zombie” to
launch attacks
• Trojan horses, which are programs that users intentionally install without
knowing the program contains malware
• Viruses and worms, which are malicious bits of code. (Viruses and worms
are covered as their own topic in this section.)

Viruses and Worms
Viruses and worms are small, malicious bits of code that self-replicate and
propagate. The terms virus and worm are often used interchangeably, but
there is a difference between the two. Viruses spread through files, which
users must open, while worms propagate using network connections.

Viruses and worms are often polymorphic or metamorphic: they use self-encryption and self-alteration to disguise themselves and avoid detection by signature-based anti-virus software.

Unchecked, viruses and worms can spread rampantly through an unprotected network and cause enormous damage to vital files and network resources.


Need for physical security

Introduction
As you have learned, internal users can unwittingly allow their endpoints to
become compromised, and hackers can then use the endpoints to launch
harmful attacks. Consider what can happen if hackers compromise a
network infrastructure device, which supports hundreds or even thousands
of users’ traffic.

Protecting your infrastructure begins by controlling who has physical access to these devices.

Modules or the switch
With physical access to the switch, malicious users can remove modules from modular switches or steal the entire switch.

Console port
If a hacker has physical access to the switch and no one has restricted access to the console port, the hacker can easily establish a terminal session to the command-line interface (CLI) of the switch through that console port. Hackers that gain management access can hijack the switch: gain unauthorized access to the network, perform network reconnaissance attacks, initiate DoS attacks, and disable security features. By default, neither HP Comware nor ProVision switches are configured with a password for console port access, so the console is wide open until you set one.


Reset and Clear buttons
ProVision switches have Reset and Clear buttons. Some Comware switches have Reset buttons. These buttons are provided to help troubleshoot problems and allow you to reboot the switch, reset the switch to factory default settings, and clear management passwords. However, an unauthorized user could use these functions to disable a switch or gain management access to it: clearing the passwords turns physical access into full manager access. ProVision switches let you disable the password-clear and factory-reset functions of the front-panel buttons (the front-panel-security command); do so on any switch you cannot keep in a locked room.

Ports
Users with physical access to a switch can disconnect or move Ethernet
cables, causing a DoS attack for users or other services connected through
that link.

Power cord
Users with physical access to a switch can unplug the power, causing a
DoS for users or other services connected through the switch.


Defense in depth

To confront these threats, organizations require Defense in Depth. This layered approach to security employs multiple solutions to guard against the same threat, so that defeating one control does not defeat the defense. For example:

• A switch is locked away from unauthorized access, and a password also protects its management interfaces.
• Switches enforce authentication to prevent most users who would maliciously release a virus from ever connecting. An Intrusion Prevention System (IPS) blocks viruses introduced by devices owned by legitimate users who do not know their devices are infected.


HP Security and Risk Management—Principles


Introduction
Managing multiple layers of security can be challenging, particularly as
valuable data proliferates and becomes dispersed in Bring Your Own
Device (BYOD) and cloud solutions. HP Security and Risk Management
solutions help companies integrate security across the enterprise.

Build it in
Rather than bolt on security as an after-thought, HP solutions build security
into every component and also ensure that each component participates in
the integrated, business-level strategy.

Make it intelligent
HP security solutions collect information from end-to-end. By combining and
correlating information from many areas, including endpoints, applications,
and network infrastructure devices, security solutions can make intelligent
choices that protect the company and prove regulatory compliance without
interfering with productivity.

Protect what matters
HP helps to maximize the value of security solutions by ensuring that these
solutions protect the data that is most valuable to the business.


Security and Risk Management—Areas

Introduction
The HP Security and Risk Management portfolio includes solutions in six areas: security governance, risk, and compliance; operations security; application security; endpoint security; network security; and data center security.

Security governance, risk, and compliance
The HP Information Security Management (ISM) service replaces disparate
security processes with an integrated service that governs security for the
entire enterprise from endpoint to network to application to the cloud.

Operations security
HP operations security solutions integrate security solutions and processes
with overarching business orchestration solutions and processes.

Application security
From the earliest stages of application architecture, whether for in-house
applications or cloud services, HP helps you to design the appropriate
security measures and build them into the application.

Endpoint security
HP provides a wide portfolio of solutions for securing servers, desktops,
laptops, printers, and other endpoints—as well as solutions for ensuring
proper access control and data protection for BYOD.


Network security
Each component of the network infrastructure supports secure data
transmission with built-in protections against exploits and unauthorized
network traffic. In addition, HP provides industry-leading network security
solutions such as next-generation firewalls and HP TippingPoint IPSs.

Data center security
Several HP services help you to design a complete, integrated security
solution for all components of your data center or private cloud, including
both physical and virtual components of servers and the network
infrastructure.


Security built into the network infrastructure

Introduction
Although this course does not cover specific security services and
solutions, HP network infrastructure devices do play a role in an overall
security solution.

The HP network infrastructure provides a solid foundation for secure communications.

Secure device management
HP switches enable you to implement best practices for managing them securely. You will delve into the details later in this module.

Built-in protection against DHCP attacks
Used on most networks today, Dynamic Host Configuration Protocol (DHCP) is vulnerable to attacks such as rogue servers (sometimes called DHCP spoofing) and address exhaustion. With a rogue server, an attacker's DHCP server answers clients' requests before the legitimate server does, handing out invalid addresses so that the clients cannot operate on the network, or handing out the attacker's own address as default gateway or DNS server so that the clients' traffic flows through the attacker. With address exhaustion, an attacker requests IP addresses from a legitimate DHCP server, using a different client identity each time, until the server's supply of available IP addresses (pool) is exhausted. When a DHCP server's IP pool is exhausted, valid network hosts cannot receive an IP address and cannot access the network.

HP switches protect against these attacks with DHCP snooping: you mark the ports that lead to the legitimate DHCP server as trusted, and the switch forwards DHCP server messages (offers and acknowledgements) only from those ports, so a rogue server on an untrusted access port is silently ignored. The switch also records each lease it sees as a binding of IP address, MAC address, VLAN, and port, which the ARP protection described below relies on.


Built-in protection against STP attacks
Spanning Tree Protocol (STP), which you will learn more about in "Module 6: Redundancy," enables redundant network links. Devices running STP exchange Bridge Protocol Data Units (BPDUs) to determine which links are active; the other links are blocked. In an STP attack, a rogue device sends spoofed BPDUs, joins the spanning tree, and affects link selection, for example by claiming to be the root bridge so that traffic is re-routed through it or so that the topology keeps recalculating, which wreaks havoc on the network.

HP switches offer BPDU protection and guard features, which ensure that BPDUs arriving on ports where no switch should be connected (end-user ports) are dropped and, typically, that the offending port is disabled and the event logged. Some switches have additional features for ignoring unauthorized STP messages.

Built-in protection against ARP attacks
Hosts, routers, and Layer 3 switches use Address Resolution Protocol (ARP) to resolve IP addresses to MAC addresses, and each keeps a cache of the IP-to-MAC mappings it has learned. Because ARP has no authentication, a rogue device can "poison" these caches by sending ARP messages that associate other hosts' IP addresses, typically the default gateway's, with the rogue device's MAC address. Traffic for those addresses is then delivered to the attacker, who can read or modify it before forwarding it on (the man-in-the-middle attack described earlier).

HP switches can protect against ARP poisoning. They use the bindings built by DHCP snooping, which record the IP address, MAC address, and port of every lease granted, and drop ARP messages received on untrusted ports whose sender IP and MAC do not match a binding for that port.
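The two protections just described, DHCP snooping and the ARP inspection built on its bindings, as one added example that is not HP code and not part of the course. It models an access switch with one trusted uplink: server-side DHCP messages arriving on any other port are dropped, a binding is recorded when the real server acknowledges a lease, and ARP messages on untrusted ports are forwarded only if their sender IP, MAC, and port match a binding. The per-port client limit goes beyond the text and is a stand-in for the exhaustion defences real switches provide; port names, the message dictionaries, and the traffic in run_scenario() are constructed for the simulation.

```python
"""DHCP snooping and ARP inspection on a simulated access switch.

Added example, not HP code: it models the mechanism the course describes.
The switch accepts DHCP server messages only on ports marked trusted,
records each lease it sees as an IP/MAC/port binding, and drops ARP
messages on untrusted ports that contradict those bindings. The per-port
client limit is an addition beyond the text. Port names, message
dictionaries and the traffic in run_scenario() are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    max_clients_per_port: int = 2                     # exhaustion limit (added generalisation)
    bindings: dict = field(default_factory=dict)      # client MAC -> (IP, access port)
    pending: dict = field(default_factory=dict)       # client MAC -> port its request came in on
    clients_seen: dict = field(default_factory=dict)  # port -> set of client MACs
    log: list = field(default_factory=list)

    def dhcp(self, port, msg):
        """Filter one DHCP message arriving on port; True means it is forwarded."""
        op, mac = msg["op"], msg["mac"]
        if op in ("OFFER", "ACK", "NAK"):             # only a server sends these
            if port not in self.trusted_ports:
                self.log.append(f"DROP {op} from rogue server on {port}")
                return False
            if op == "ACK" and mac in self.pending:   # lease granted by the real server
                self.bindings[mac] = (msg["ip"], self.pending.pop(mac))
            return True
        if port in self.trusted_ports:                # client traffic from uplinks is not policed
            return True
        seen = self.clients_seen.setdefault(port, set())
        seen.add(mac)
        if len(seen) > self.max_clients_per_port:     # one port pretending to be many clients
            self.log.append(f"DROP {op} from {mac}: client limit reached on {port}")
            return False
        self.pending[mac] = port
        return True

    def arp(self, port, sender_ip, sender_mac):
        """Forward an ARP message only if its sender matches a snooped binding."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get(sender_mac) != (sender_ip, port):
            self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on {port}: no binding")
            return False
        return True


def run_scenario():
    """Honest client on port1, attacker on port2, DHCP server behind the uplink."""
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    client = "aa:aa:aa:aa:aa:01"
    sw.dhcp("port1", {"op": "DISCOVER", "mac": client})
    rogue_offer = sw.dhcp("port2", {"op": "OFFER", "mac": client, "ip": "10.0.0.200"})
    sw.dhcp("uplink", {"op": "OFFER", "mac": client, "ip": "10.0.0.10"})
    sw.dhcp("port1", {"op": "REQUEST", "mac": client, "ip": "10.0.0.10"})
    sw.dhcp("uplink", {"op": "ACK", "mac": client, "ip": "10.0.0.10"})
    # Exhaustion attempt: one port sourcing DISCOVERs from four different MACs.
    flood = [sw.dhcp("port2", {"op": "DISCOVER", "mac": f"de:ad:be:ef:00:{i:02x}"})
             for i in range(4)]
    results = {
        "rogue_offer_forwarded": rogue_offer,
        "flood_forwarded": sum(flood),
        "honest_arp": sw.arp("port1", "10.0.0.10", client),
        "gateway_spoof": sw.arp("port2", "10.0.0.1", "bb:bb:bb:bb:bb:02"),  # poison attempt
        "stolen_identity": sw.arp("port2", "10.0.0.10", client),           # right IP/MAC, wrong port
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = run_scenario()
    print(outcome)
    print("\n".join(switch.log))
```

The "stolen_identity" case is the one that distinguishes binding-based inspection from a simple IP/MAC allow-list: the attacker replays the honest client's exact IP and MAC, and the message is still dropped because the binding also records the port the lease was granted on.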


Intelligent decisions supported by the network infrastructure

Introduction
The HP network infrastructure devices also help to collect information and
enforce intelligent security decisions.

Basic access control
Basic access control ensures that only authorized users, as defined by
business policies, are allowed to connect to the network and use network
resources. Basic access control ensures that a stranger cannot connect a
laptop to an open network port in your office and join the company network
without first passing an authentication test. Basic access control also
protects wireless LANs (WLANs), checking the credentials of wireless users
and devices as they initially connect and roam across the campus. This
access control also manages the rights of authorized users after they
connect to the network, according to business policies.

Endpoint integrity
Endpoint integrity forms a key element of a BYOD solution. Authorized
users may still endanger the network if they use insecure devices. An
insecure device is not properly protected: It might not have a firewall or anti-
virus software, or its anti-virus software might be out of date. It might be
running unauthorized software or be infected by malware. Endpoint integrity
isolates such devices until they are brought into compliance.


For example, an authorized user connects to the network with a device that
has outdated anti-virus software. Endpoint integrity ensures that the device
is quarantined and the user is notified of the problem. The device is not
allowed out of quarantine and allowed normal access to the network until
the user updates the antivirus software.

Security policy enforcement

HP switches can take a number of actions to support policies configured
centrally, including blocking all traffic, applying VLAN assignments, and so
on.

In addition, a number of HP switches support OpenFlow, an emerging
network virtualization technology. As one of the mechanisms delivering
Software-Defined Networking (SDN), OpenFlow forms the foundation for
complete abstraction and centralization of the network control plane,
promising to extend network virtualization in many innovative ways.

OpenFlow works by replacing a network infrastructure device’s own
processing and forwarding decisions with decisions programmed on an
ongoing basis by centralized controllers. In addition, switches that support
OpenFlow will be able to collect information and enforce decisions for a
security solution that interfaces with the SDN controller.

Integration with centralized logging and management solutions

HP switches can send logs and SNMP traps to centralized solutions that
archive and manage logs and events across the enterprise.

Ensuring physical security

Introduction
While implementing a complete security solution might lie beyond your
realm of responsibility, you can do your part by ensuring that you deploy
infrastructure devices securely.

Earlier you learned about vulnerabilities that can arise when a switch lacks
physical security.

Modules or the switch

Whenever possible, you should store switches in a secure, locked, and
preferably camera-monitored room. If this is not possible, you should bolt
the switch in place.

Console port
To protect management access to the switch’s console port, you should
store the switch in a secure, locked, and preferably camera-monitored
room. If you cannot secure the switch physically, you should disable the
console port.

You should consider setting a secure password for console access even on
physically secure switches.

Reset and Clear buttons

You should do one of the following:

• Store the switch in a secure, locked, and preferably camera-monitored
room so that only authorized staff can use the buttons.
• Configure the switch to disable the buttons. (The Building SMB Networks
with HP Technologies course will teach you how.)

Ports
The only way to protect against a user disconnecting cables is to store the
switch in a secure, locked, and preferably camera-monitored room.

Power cord
The only way to protect against a user removing the switch power is to
store the switch in a secure, locked, and preferably camera-monitored
room.

Authenticating management users

You will now focus on securing your network infrastructure devices by
authenticating management users. Specifically, you will learn how to:

• Ensure that only authorized users have access to a switch
• Distinguish between the levels of access provided to management users

You should generally set up authentication for all forms of management
access:

• Console port (might not be necessary if the device is physically secure)
• Telnet
• Secure Shell (SSH)
• HTTP and HTTP over Secure Sockets Layer (HTTPS)

Authentication on Comware switches

Introduction
As you learned previously, Comware switches have several user interfaces,
which control various forms of management access. For each interface, you
can select one of the following authentication methods:

• None: No authentication is required (not recommended).
• Password: All users who log in through the same interface use the same
password and receive the same level of access.
• Authentication, Authorization, and Accounting (AAA): Users
authenticate to either a local list or to an external server (usually a
RADIUS server). They are authorized for the level of management
access associated with their account.

The figure shows the AAA authentication process.

Step 1
When a user attempts to establish a management session, the switch
prompts the user for his or her credentials.

Step 2
The user supplies the credentials: a user name and password.

Step 3
The switch forwards the login credentials to a RADIUS or TACACS server
for validation. (Alternatively, the switch could have a local record of user
accounts and validate the credentials itself.)

Step 4
The server validates the login credentials and notifies the switch whether or
not to grant the user access. If the user is granted access, the server also
tells the switch what level of access the user receives. The switch enforces
the decision.

Authentication on ProVision switches

Introduction
HP ProVision switches also support multiple authentication methods. You
can select a primary and backup method for each access method: Telnet,
SSH, console, or Web.

• None: No authentication is required (not recommended).
• Local authentication: All operators log in with a single operator account,
and all managers log in with a single manager account.
• Remote RADIUS or TACACS+ authentication: The switch sends a
request to an authentication server (usually a RADIUS server). Each
management user has a unique user account, and when a user logs in
successfully, the authentication server assigns each user an attribute for
either operator or manager access.

The figure illustrates the steps in the local authentication process.

Step 1
When a user attempts to open a management session, the switch prompts
the user for a password.

Step 2
The user submits a password. If the password matches the manager or
operator password, the user receives manager or operator privilege,
respectively. If the user does not enter valid credentials, he or she cannot
access the switch.

Secure management protocols

The figure calls out three points:

1. The out-of-band console connection does not provide encryption but is
free from snooping.
2. Access the CLI with SSHv2 to encrypt in-band management traffic.
3. Access the Web interface with HTTPS to encrypt in-band management
traffic.

When you manage a switch, you send vital information over the connection.
For out-of-band management, such as with a connection to the console port
of the switch, you can be certain that no one can intercept the data.

With in-band management, however, the vital data crosses the shared
network. Hackers might be able to intercept and read data sent in clear-text
and then use that data to obtain unauthorized access to your switches or to
impersonate network servers.

You must protect the data’s privacy by using secure management protocols
that support encryption.

SSHv2

Introduction
SSHv2 ensures the privacy and integrity of management traffic by:

• Securing authentication
• Encrypting management traffic

SSH establishes a secure tunnel between your management station and
the switch. The figure shows the process of establishing the tunnel and
logging the user in.

Step 1
The management station establishes a secure tunnel on the SSHv2
Transport Layer. The station and the switch agree on shared encryption and
hash keys using the secure Diffie-Hellman exchange. Using these keys, the
station and switch can transform data so that hackers cannot tamper with it
(hash keys) or read it (encryption keys). When establishing the tunnel, the
switch also uses a public-private key pair to prove its identity, which
ensures that the management station does not send credentials to an
imposter.

For more information about hashing and the Diffie-Hellman exchange, refer
to the HP Network Infrastructure Security Technologies WBT.
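Step 1 in outline, as an added Python example that is not HP's code or the switch's SSH implementation: both sides compute a Diffie-Hellman shared secret from the values they exchange in clear, derive separate encryption and hash (MAC) keys from it, and the hash key is then used to detect tampering. The modulus and generator are a constructed demonstration group, far too small for real use (SSH uses standardised groups or elliptic curves); the switch's proof of identity with its public-private key pair is not shown.

```python
"""Toy SSH-style key agreement: Diffie-Hellman, key derivation, integrity check.

Added example, not HP code. P and G are a constructed demo group and are
NOT safe for real use; the point is the flow, not the parameters."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed demo modulus (a Mersenne prime); real SSH uses 2048-bit+ groups
G = 5            # constructed generator


def keypair():
    """Private exponent kept locally, and the public value sent over the link in clear."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Each side raises the peer's public value to its own private exponent."""
    return pow(peer_pub, priv, P)


def derive_keys(secret):
    """Split the agreed secret into separate encryption and hash (MAC) keys."""
    raw = secret.to_bytes(16, "big")             # secret < 2**127 fits in 16 bytes
    return {
        "enc": hashlib.sha256(b"enc" + raw).digest(),
        "mac": hashlib.sha256(b"mac" + raw).digest(),
    }


def integrity_tag(mac_key, data):
    """HMAC over the data with the hash key: changes to data change the tag."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def run_handshake(message=b"login admin"):
    """Management station and switch agree on keys; the switch checks a tagged message."""
    station_priv, station_pub = keypair()        # management station
    switch_priv, switch_pub = keypair()          # switch
    # Only station_pub and switch_pub cross the network.
    station_keys = derive_keys(shared_secret(station_priv, switch_pub))
    switch_keys = derive_keys(shared_secret(switch_priv, station_pub))
    tag = integrity_tag(station_keys["mac"], message)
    return {
        "keys_match": station_keys == switch_keys,
        "intact_verified": hmac.compare_digest(tag, integrity_tag(switch_keys["mac"], message)),
        "tampered_verified": hmac.compare_digest(tag, integrity_tag(switch_keys["mac"], b"login root")),
    }


if __name__ == "__main__":
    print(run_handshake())
```

The separation into an encryption key and a hash key is the point the step makes: a message altered in transit fails verification on the switch even when the attacker could not read it, because the tag no longer matches.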

Step 2
The switch requests the management user’s credentials. The credentials
are passed to the switch through the secure tunnel. The switch can then
authenticate the user locally or to a remote server, as previously discussed.

Step 3
The management station and switch establish communication channels to
transmit the management session data within the secure tunnel.

HTTPS

Introduction
HTTPS uses the Secure Sockets Layer (SSL) protocol. Like SSHv2, SSL
creates a secure tunnel using encryption and hashing keys generated in a
Diffie-Hellman exchange.

The figure illustrates the process.

Step 1
Your management station and the switch establish a secure tunnel using
the SSL protocol. When establishing the tunnel, the switch authenticates
itself using a digital certificate.

Step 2
All further communications run securely over the encrypted SSL connection.
These communications include your authentication credentials and all
management traffic after you log in successfully.

SSH and HTTPS requirements

Introduction
Read the following questions to learn how to use the secure management
protocols.

How do I set up HTTPS on HP Comware switches?

On Comware switches, you need to generate and export a certificate
request, which you then have signed by a certificate authority (CA). A CA is
a trusted third-party company that certifies identities.

You must then install the signed certificate and enable the HTTPS server on
the switch.

If you have software version 5.20 F2218P01-US or later, you can simply
enable HTTPS, which automatically generates a self-signed certificate.

In addition, the Comware switches require user accounts for HTTPS
access, so you must configure at least one VTY user interface that uses
AAA (scheme) authentication, either to the local list or to a RADIUS server.
The user’s account must specify a service type of “web.”

How do I set up HTTPS on HP ProVision switches?

On ProVision switches, you need to generate and export a certificate
request, which you then have signed by a certificate authority (CA). A CA is
a trusted third-party company that certifies identities. You must then install
the signed certificate and enable HTTPS on the switch.

You can alternatively generate a self-signed certificate and enable HTTPS.

You can choose any option that you learned about earlier for authenticating
operators and managers.

How do I set up SSH on HP Comware switches?

On Comware switches, you must generate a public/private key pair for
SSH. You can install the public key on management stations’ SSH clients
manually or trust the key the first time you connect.

You must also enable the SSH server, which is disabled by default.

The Comware switches require user accounts for SSH access, so you must
configure at least one VTY user interface that uses AAA (scheme)
authentication, either to the local list or to a RADIUS server. You must
create an SSH user on the switch for each local or RADIUS user who is
allowed SSH access. The SSH user settings indicate whether this user
authenticates with a password or uses public-key authentication.

Password authentication allows SSH users to log in with the password in
their accounts. If you select public-key authentication, you must generate a
public/private key pair on each authorized manager’s SSH client and install
the public keys on the switch.

How do I set up SSH on HP ProVision switches?

On ProVision switches, you must generate a public/private key pair for
SSH. You can install the public key on management stations’ SSH clients
manually or trust the key the first time you connect.

You can also use SSH keys to authorize managers. Generate a
public/private key pair on each authorized manager’s SSH client. Then
install those keys on the switch as authorized client keys. Alternatively,
operators and managers can just authenticate with usernames and
passwords, using the options that you learned about earlier.

Summary

In this module, you learned about network threats and the measures you
can take to protect against these threats. Specifically, you learned about:

• Threats originating from inside and outside a company’s network
• HP’s defense strategy that helps protect against threats, no matter where
they originate
• Methods for securing your infrastructure, both from physical tampering
and unauthorized access

VLANs
Module 3

Module 3: VLANS

Objectives

This module explains one of the most fundamental aspects of managing
today’s networks, virtual LANs (VLANs).

After completing this module, you should be able to:

• Describe how VLANs are used in today’s networks
• Explain how the 802.1Q standard enables network infrastructure devices
to transmit and receive traffic from multiple network segments
• Explain how to configure VLANs on HP Comware and ProVision switches
• Explain the terms tagged, untagged, access port, trunk port, and hybrid
port as they relate to VLANs

Definition of a VLAN

A LAN is typically defined as a group of connected devices in close physical
proximity. A virtual LAN (VLAN), on the other hand, is not defined by
physical proximity. A VLAN is a logical group of devices that has been
assigned to a particular subnet.

VLANs can span multiple switches and can be used to segment the
otherwise flat structure of a LAN.

This course focuses on port-based VLANs, which are defined on switch
ports. In this example network, some switch ports have been assigned to
VLAN 10, some to VLAN 20, and others to VLAN 30.

IP addressing for VLANs

Each VLAN is associated with an IP subnet. In the example network, VLAN
10 is associated with 10.1.10.0/24, VLAN 20 with 10.1.20.0/24, and VLAN
30 with 10.1.30.0/24.

All VLANs are located within the larger 10.1.0.0/16 subnet.

Note: In this course, Classless Inter-Domain Routing (CIDR) is used to
express network IP addresses. In place of the subnet mask, CIDR uses a
prefix length, which indicates how many bits are in the network portion of
the address. For more information about CIDR, see Request for Comments
(RFC) 1519 (http://www.ietf.org/rfc/rfc1519.txt).

Need for VLANs on today’s network

Introduction
Now that you have a basic understanding of what VLANs are, you should
consider why companies use them.

Security
Today’s networks provide services for different groups of users, such as
employees, partners, and visitors. If all of these users are on the same
subnet, it is easier for users to compromise security. For example, visitors
might be able to view employees’ data as that data is transmitted across
the network. They might try to access data center servers when they should
only access the Internet. You can (and should) implement security to
prevent unauthorized users from accessing these servers. However, users
might still be able to launch scans, use a protocol analyzer to view traffic on
the wire, or launch attacks.
Companies can use VLANs to isolate traffic and help to ensure users only
have access to the resources to which they should be granted access,
increasing security.

Broadcast domain
An Ethernet network is, by definition, a broadcast domain. Devices on
Ethernet networks send broadcasts to discover other devices or to provide
information about themselves.

Broadcasts are forwarded to all devices in the broadcast domain, which
defines the portion of the network to which devices can send traffic at the
Data Link layer. A routing switch or router is required to route data between
broadcast domains.

In a large broadcast domain, broadcasts can negatively affect the endpoints
that must process them and consume bandwidth.

VLANs improve network performance. They break large broadcast domains
into smaller broadcast domains, ensuring that every device’s broadcasts do
not flood the entire network infrastructure.

Example of network segmentation with VLANs

Introduction
Now you will look at an example of how a network designer might use
VLANs to segment a company network. In this example, the company is
using subnet 10.1.0.0/16. The network designer must plan the VLANs and
IP addresses in tandem. Each VLAN will be associated with a unique IP
subnet, and each department will be assigned to one or more VLANs.

Phase 1: Design
For the IP addressing scheme, each subnet will have a subnet mask of
255.255.255.0 (/24), which means that the network address uses the first
three octets:

• The first octet for all subnets is “10” because the company is using
private addresses in the 10.0.0.0/8 block.
• The second octet is being used as a site identifier. In the scenario above,
“1” has been assigned to identify this building. For other buildings, the
company uses different values in the second octet.
• The third octet includes the VLAN ID. Each department or type of user
will be assigned a different VLAN ID.
• The fourth octet is the host portion of the IP address. Certain addresses
are reserved; 1 to 30 are used for servers, printers, and other shared
network devices.

Users’ workstations can receive IP addresses in the 30 to 180 range. The
remaining host numbers are reserved for future expansion.

Phase 2: Guests
The network designer knows that guests will need to access the network,
primarily so that they can connect to the Internet while they are on-site. The
network designer assigns VLAN 10 and subnet 10.1.10.0/24 to guests.

Phase 3: IT
The network designer assigns the IT group VLANs 1 and 5. VLAN 1 is
associated with 10.1.1.0/24, and VLAN 5 is associated with 10.1.5.0/24.

Phase 4 : Administration
The network designer assigns the Administration group VLAN 20, and
VLAN 20 is associated with the 10.1.20.0/24 subnet.

Phase 5: Customer service
The network designer assigns the Customer Service group VLAN 30, and
VLAN 30 is associated with the 10.1.30.0/24 subnet.

Phase 6: Accounting
Finally, the network designer assigns the Accounting group to VLAN 40,
and VLAN 40 is associated with the 10.1.40.0/24 subnet.

Each department is segmented into a logical group, independent of the
users’ location in the building. The VLAN boundaries ensure that users
have access only to those resources to which they are allowed. The VLANs
also create separate broadcast domains. For example, the broadcast traffic
for the Accounting VLAN is not sent to the Customer Service VLAN.

VLANs and the IEEE 802.1Q standard

Introduction
An Ethernet link might support multiple VLANs, so a mechanism is required
to identify the VLAN to which particular traffic belongs.

The Institute of Electrical and Electronics Engineers (IEEE) 802.1Q
standard defines a 4-byte field that can be inserted into an Ethernet frame.
Often referred to as the 802.1Q “tag,” this field allows each Ethernet frame
to be identified as part of a particular VLAN.

802.1Q-compliant switches can add this tag to an Ethernet frame. These
switches also use the information in the tag to make decisions about how to
transmit traffic on the network.

TPID
The Tag Protocol ID (TPID) subfield identifies the frame as an 802.1Q
frame.

TCI
The Tag Control Information (TCI) field contains three components,
including the VLAN ID.

User Priority
The 802.1p standard, User Priority, allows devices to apply quality of
service (QoS) to traffic. That is, 802.1p-compliant devices can classify and
mark frames with priorities from 0 to 7. The current IEEE
recommendations for the priority associated with each value are:

7 (highest): Network control
6: Internetwork control
5: Voice
4: Video
3: Critical applications
2: Excellent effort
0 (normal traffic): Best effort
1 (lowest): Background

Formerly, the recommendations were slightly different:

7 (highest): Network management
6: Voice
5: Video
4: Controlled load
3: Excellent effort
0 (normal traffic): Best effort
2: Undefined
1 (lowest): Background

You should check your switch documentation to determine how it handles
the values.

Switches that support 802.1p handle the traffic based on the setting
configured. For example, they will transmit frames with a value of 7 before
they transmit frames with a value of 3. 802.1p is one way to ensure that
delay-sensitive applications (such as voice over IP, or VoIP) receive priority
handling.

CFI
The Canonical Format Indicator (CFI) indicates whether the MAC addresses
in the frame are in canonical format, which is sometimes called the
“standard notation.” This format establishes the order in which the bits of
each address byte are transmitted. If a device uses the canonical format, it
orders the least significant bit first. If a device uses the non-canonical
format (which is also called bit-reversed order), it orders the most
significant bit first.

If the value is 0, the MAC address is in canonical format. If the value is 1, it
is not.

VLAN ID
The VLAN ID associates the frame with a specific VLAN. This is the VLAN
ID or VLAN number. If this field is empty or set to a value of 0, the frame is
not identified as belonging to a specific VLAN. Frames that do not have the
VLAN ID tag set are often referred to as “untagged” frames.

The VLAN ID field has 12 bits, providing up to 4096 IDs (2^12 = 4096). IDs 0
and 4095 are reserved, so a network can support up to 4094 VLANs.

Example Ethernet frame with 802.1Q tag

Introduction
This graphic provides an example of an Ethernet frame that contains an
802.1Q VLAN tag.

Devices that are not 802.1Q-compliant cannot add or act on these tags.
Because they do not recognize the 802.1Q tag and may consider the
802.1Q tag data illegal, these devices may even drop frames that contain
an 802.1Q tag.

Devices that do not support 802.1Q can still be part of a VLAN. However,
you must configure their connected switch ports to strip away the 802.1Q
tag—you will learn how later.

Ethernet header
This part of the Ethernet frame header contains the destination and source
MAC addresses for the frame. The destination MAC address indicates the
Ethernet interface, whether a switch port or endpoint NIC, that should
receive the Ethernet frame. For example, this frame is addressed to a
device with the MAC address 0004e1-e1100. A broadcast frame—that is, a
frame that is sent out to everyone on the network segment—has the
destination MAC address set to FFFFFF-FFFFFF.

The source MAC address is the hardware address of the device that sent
the Ethernet frame. In this case, the frame was sent by a device with MAC
address 080046-44f11ca.

802.1Q field
This part of the Ethernet frame header contains the 802.1Q tag information.
As you learned earlier, the first 2 bytes are the Tag Protocol ID (TPID)
field. In this frame, TPID is set to 8100. Note that this is the hexadecimal
representation of the value for the 2-byte field, and it indicates that this is
an 802.1Q-tagged frame.

When a switch receives a frame with a TPID of 8100, it interprets the next
two bytes as Tag Control Information (TCI) for 802.1Q. The first three bits of
the TCI data are the user priority. In this frame, these three bits are set to 0,
so the user priority is set to 0 or best effort.

The fourth bit of the TCI data is the Canonical Format Indicator (CFI). This
bit is set to 0 (turned off), which indicates that the MAC address in the
Ethernet frame is in canonical format.

The last 12 bits are the VLAN tag or the VLAN ID to which the frame
belongs. In this example, the VLAN ID is set to a hexadecimal value of 014,
which when converted to decimal notation is 20. So this frame belongs to
VLAN 20.

Type field
The next part of the Ethernet header is a type identifier, which indicates the
type of data that follows (the payload). In this example, the type field is set
to the hexadecimal value of 0800, which is the type identifier for IP data.
Notice that the next part of the Ethernet frame contains an IP header that
includes two IP addresses.

Payload
Here you see the payload of the Ethernet frame, beginning with the Layer 3
header, an IP header in this case. Note that the IP header is distinct or
separate from the Ethernet header. The IP header contains information that
a Layer 3 switch or router would use to forward traffic. You will learn about
Layer 3 switches and routers later in this course.

Right now, just notice that the IP header contains a source IP and a
destination IP, which are the IP address of the device that sent the data and
the IP address for which the data is intended.
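The frame just walked through, as an added Python example that is not HP's code: a parser that splits a frame into the Ethernet header, the 802.1Q tag fields (TPID, user priority, CFI, VLAN ID) and the EtherType, plus a builder that produces such frames. The MAC addresses and the IP payload stub are constructed; the tag the builder emits for VLAN 20 is the byte sequence 81 00 00 14, which matches the hexadecimal values described above. The parser also handles the untagged case and the two edge values the text mentions (VLAN ID 0 means no VLAN; 4095 is reserved).

```python
"""Parse and build Ethernet frames with an optional 802.1Q tag (added example; not HP code).

MAC addresses and the payload bytes are constructed. Tag layout per IEEE
802.1Q: TPID 0x8100, then 3-bit priority, 1-bit CFI, 12-bit VLAN ID."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    tagged: bool
    priority: Optional[int]   # 802.1p user priority 0-7 (None if untagged)
    cfi: Optional[int]        # Canonical Format Indicator (None if untagged)
    vlan_id: Optional[int]    # None if untagged or if the VID is 0 (no VLAN)
    ethertype: int
    payload: bytes


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Split a raw frame into its header fields; raises ValueError on malformed input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = fmt_mac(frame[0:6]), fmt_mac(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # Untagged frame: bytes 12-13 are already the EtherType.
        return ParsedFrame(dst, src, False, None, None, None, tpid, frame[14:])
    if len(frame) < 18:
        raise ValueError("802.1Q tag present but frame is truncated")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    priority = tci >> 13            # top 3 bits
    cfi = (tci >> 12) & 1           # next bit
    vid = tci & 0x0FFF              # low 12 bits
    if vid == 4095:
        raise ValueError("VLAN ID 4095 is reserved")
    vlan_id = vid if vid != 0 else None   # VID 0 carries priority only, no VLAN
    return ParsedFrame(dst, src, True, priority, cfi, vlan_id, ethertype, frame[18:])


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, priority=0, cfi=0):
    """Assemble a frame; pass vlan_id to insert an 802.1Q tag between the MACs and the type."""
    header = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0..4094")
        tci = (priority << 13) | (cfi << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample: an IPv4 payload stub (not a full packet), tagged for VLAN 20, priority 0.
SAMPLE_PAYLOAD = bytes.fromhex("45000014") + bytes(16)
SAMPLE_TAGGED = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                            ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vlan_id=20)
SAMPLE_UNTAGGED = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                              ETHERTYPE_IPV4, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print(SAMPLE_TAGGED[12:18].hex())       # 810000140800: TPID, TCI, EtherType
    print(parse_frame(SAMPLE_TAGGED))
    print(parse_frame(SAMPLE_UNTAGGED))
```

The untagged parse shows why devices without 802.1Q support choke on tagged frames: they read bytes 12-13 as the EtherType, and 0x8100 is not a protocol they know.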

VLAN membership on HP ProVision switches

Introduction
You will now examine how HP switches implement VLANs, beginning with
ProVision switches.

To allow a ProVision switch port to carry traffic in a particular VLAN, you
must configure the port as a member of that VLAN. On ProVision switches,
you can configure the port as an untagged or tagged member of that VLAN.

Untagged VLAN membership

When you configure a port as an untagged member of a VLAN, the switch
must ensure that the traffic it transmits and receives for that VLAN on that
port does not include the 802.1Q tag. The specific behavior of the switch is
outlined below.

• Transmit—The switch does not apply the 802.1Q tag to traffic that it
transmits in its untagged VLAN on that port.
• Receive—The switch assigns all untagged traffic that it receives on that
port to this VLAN.

Devices that do not support 802.1Q must be connected to switch ports that
are untagged members of a VLAN.

Tagged VLAN membership

When you configure a port as a tagged member of a VLAN, the switch must
ensure that the traffic it transmits and receives for that VLAN on that port
contains the 802.1Q tag. Furthermore, the 802.1Q tag must contain the
proper VLAN ID. The specific behavior of the switch is outlined below.

• Transmit—The switch adds an 802.1Q tag (with the proper VLAN ID) to
all frames that it transmits in this VLAN.
• Receive—The switch accepts frames with an 802.1Q tag for this VLAN. If
the switch receives a frame with an 802.1Q tag for a VLAN for which it has
an untagged membership or no membership, it drops the frame. For
example, if the port is a tagged member of only VLAN 10 and it receives a
frame with an 802.1Q tag that has a VLAN ID of 20, the switch will drop
the frame.

Tagged memberships are required to allow a port to carry traffic in multiple
VLANs. Generally, you use tagged VLAN memberships for ports that
connect to other switches.

HP ProVision VLAN guidelines

• By default all ports are members of the default VLAN.
• A port must be a member of at least one VLAN.
• A port can be an untagged member of only one VLAN.
• A port can be a tagged member of multiple VLANs.
• Untagged and tagged memberships on connected ports must match.

Introduction
Now that you understand tagged and untagged VLAN memberships, you
will review some basic guidelines for configuring VLANs on ProVision
switches.

By default all ports are members of the default VLAN.

At factory default settings, ProVision switches have one VLAN, which is
called the default VLAN, or VLAN 1. All switch ports are untagged members
of this VLAN, until you assign them to other VLANs.

The switch also uses this VLAN for its control traffic so it is recommended
that you configure users’ ports as members of other VLANs.

A port must be a member of at least one VLAN.

A port must be a tagged or untagged member of at least one VLAN.
(Remember that by default, all ports are untagged members of VLAN 1.) If
you attempt to remove a port’s last VLAN membership, the switch applies
an untagged membership in the default VLAN (VLAN 1).


A port can be an untagged member of only one VLAN.


A port can be a member of only one untagged VLAN. This makes sense
because, as you learned, the switch assigns all untagged traffic it receives
on that port to this VLAN. If the port had multiple untagged assignments,
the switch would not be able to distinguish among them.

A port can be a tagged member of multiple VLANs.


A port can be a tagged member of multiple VLANs. Tagged VLAN
memberships are required for ports that carry traffic in multiple VLANs. For
example, a port that connects to another switch would probably need to
carry traffic in multiple VLANs.

Untagged and tagged memberships on connected ports must match.


Connected ports must have matching VLAN memberships in both ID and
type. For example, if VLAN 20 is tagged on switch 1’s port, it should not be
untagged on the connected port on switch 2.


Configuring untagged VLAN memberships


Now that you know how ProVision switches handle VLANs, you will take a
quick look at the basic commands for configuring VLANs on HP ProVision
switches. For example, if you wanted to create VLAN 20 and make several
contiguous ports untagged members of this VLAN, you would enter:

Edge_1(config)# vlan 20
Edge_1(vlan-20)# untagged a1-a6

As shown in the next command, you can use commas to list non-contiguous
ports in the untagged command:

Edge_1(vlan-20)# vlan 30
Edge_1(vlan-30)# untagged a22,a24,b1-b5


Configuring tagged VLAN memberships

As mentioned earlier, switch-to-switch ports typically need to support traffic
for multiple VLANs. In this example, the uplink port of an edge switch is
defined as a tagged member of VLANs 20 and 30. The uplink port is also
an untagged member of VLAN 1, which it uses for control traffic and also to
allow management access.

[Figure: edge switch with 6 users in VLAN 20, 7 users in VLAN 30, and an
uplink port carrying VLANs 1, 20, and 30]

Because switch ports are untagged members of VLAN 1 by default, you do
not have to configure this VLAN membership on the uplink port. To
configure the uplink port as a tagged member of VLANs 20 and 30, you
would enter the following commands:

Edge_1(config)# vlan 20
Edge_1(vlan-20)# tagged b24
Edge_1(vlan-20)# vlan 30
Edge_1(vlan-30)# tagged b24


Processing traffic on a switch port that supports multiple VLANs

[Figure: edge switch with 6 users in VLAN 20, 7 users in VLAN 30, and an
uplink port carrying VLANs 1, 20, and 30]

The uplink port now supports VLANs 1, 20, and 30. The frames the uplink
port transmits for VLAN 1 remain untagged. However, the frames for VLAN
20 and VLAN 30 are tagged.

When the switch receives untagged traffic on the uplink port, it assumes
that traffic belongs to VLAN 1. If the port receives frames that contain tags
for VLAN 20 or VLAN 30, the switch processes those frames. If the port
receives frames with tags for a different VLAN (such as VLAN 40 or VLAN
50), the switch drops them.
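
The receive and transmit rules above, applied to constructed frames as an added
example (this is not course material or HP code): the model parses the 802.1Q
tag, decides which VLAN a frame received on the uplink port belongs to or
whether it is dropped, and shows how the port tags what it transmits. The port
name b24 and its memberships are the course's; the MAC addresses, the payload,
and the priority-tagged (VID 0) case, which follows IEEE 802.1Q rather than this
page, are assumptions.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_8021Q = 0x8100          # TPID that marks an 802.1Q-tagged frame


@dataclass
class Port:
    """One ProVision port: exactly one untagged VLAN, any number of tagged."""
    name: str
    untagged_vlan: int
    tagged_vlans: set = field(default_factory=set)


# Constructed sample values (not from the course): locally administered MACs
# and a dummy payload standing in for an IPv4 packet.
SRC = bytes.fromhex("020000000001")
DST = bytes.fromhex("020000000002")
PAYLOAD = b"\x45" + b"\x00" * 19
# The course's uplink port b24: untagged member of VLAN 1, tagged in 20 and 30.
UPLINK = Port("b24", untagged_vlan=1, tagged_vlans={20, 30})


def make_frame(vid=None, dst=DST, src=SRC, payload=PAYLOAD, ethertype=0x0800):
    """Build an Ethernet frame, 802.1Q-tagged with `vid` or untagged if None."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vid & 0x0FFF                # priority 0, DEI 0, VID in the low 12 bits
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id_or_None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    # VID 0 is a priority-only tag (IEEE 802.1Q): the frame names no VLAN and
    # is handled like an untagged frame.
    return dst, src, (vid or None), inner_type, frame[18:]


def classify_ingress(port, frame):
    """VLAN the switch assigns to a frame received on `port`, None if dropped."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return port.untagged_vlan     # untagged frame -> the port's untagged VLAN
    if vid in port.tagged_vlans:
        return vid                    # tagged for a VLAN this port is tagged in
    return None                       # tagged for the untagged VLAN or a non-member VLAN


def build_egress(port, vlan, dst=DST, src=SRC, payload=PAYLOAD):
    """Frame the switch transmits on `port` for `vlan`: untagged for the port's
    untagged VLAN, tagged for a tagged VLAN, None if the port is not a member."""
    if vlan == port.untagged_vlan:
        return make_frame(None, dst, src, payload)
    if vlan in port.tagged_vlans:
        return make_frame(vlan, dst, src, payload)
    return None


def demo(port=UPLINK):
    """Ingress and egress decisions for the uplink port described in the text."""
    results = {
        "untagged in": classify_ingress(port, make_frame()),          # 1
        "tagged 20 in": classify_ingress(port, make_frame(20)),       # 20
        "tagged 40 in": classify_ingress(port, make_frame(40)),       # None (dropped)
        "tagged 1 in": classify_ingress(port, make_frame(1)),         # None (untagged member only)
        "priority-tagged in": classify_ingress(port, make_frame(0)),  # 1
    }
    results["vlan 20 out"] = parse_frame(build_egress(port, 20))[2]   # 20: leaves tagged
    results["vlan 1 out"] = parse_frame(build_egress(port, 1))[2]     # None: leaves untagged
    results["vlan 40 out"] = build_egress(port, 40)                   # None: not a member
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```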


Configuring VLAN IP addresses on ProVision switches


[Figure: edge switch with 6 users in VLAN 20 and an uplink port; the switch
has IP address 10.1.20.1/24 in VLAN 20]

As you recall, each VLAN is associated with an IP subnet. You must assign
the switch an IP address in that VLAN’s subnet if you want the switch to
send and receive IP traffic on a VLAN. In this case, the switch is routing
traffic for endpoints in that VLAN. (You will learn more about this function in
Module 4: Routing.)

You may also want to assign the switch an IP address for a VLAN if you
want to manage the switch on that VLAN.

In this example, you want the switch to route traffic in VLAN 20, which is
assigned the IP address 10.1.20.1 in the IP subnet 10.1.20.0/24.
You can assign an IP address to a VLAN in one of the following ways:

• DHCP—A VLAN can receive an IP address from a DHCP server. By
default, the default VLAN, VLAN 1, is configured to receive an IP address
from a DHCP server.
• Static—You can manually configure the IP address using this command:

Edge_1(config)# vlan 20
Edge_1(vlan-20)# ip address 10.1.20.1/24


Viewing VLAN port status on ProVision switches


You can use the show vlans command to learn which switch ports are members of a given VLAN.

Edge_1# show vlans 20

 Status and Counters - VLAN Information - Ports - VLAN 20

  802.1Q VLAN ID : 20
  Name           : VLAN20
  Status         : Static

  Port Information Mode     Unknown VLAN Status
  A1               Untagged Learn        Up
  A2               Untagged Learn        Up
  A3               Untagged Learn        Up
  A4               Untagged Learn        Up
  A5               Untagged Learn        Up
  A6               Untagged Learn        Up
  B24              Tagged   Learn        Up
  .
  .
  .

You can use a similar command to determine which VLANs are associated with a particular port. For instance, to view the
VLANs associated with port d4, use the command show vlans port d4 detail.


HP Comware switch VLAN support

• An access port belongs to one VLAN and sends and receives untagged traffic only.
• A trunk port can belong to multiple VLANs and can send and receive untagged frames for one VLAN and tagged frames
for multiple VLANs.
• A hybrid port can belong to multiple VLANs. It can assign a frame to a VLAN based on information other than the
802.1Q field.

Introduction
HP Comware switches also support VLANs and 802.1Q tagging. However,
Comware switches use slightly different terminology and have different
configuration commands than ProVision switches. On Comware switches,
you configure VLAN support by first determining the type of port that should
be used.

Access port
An access port belongs to one VLAN and sends and receives untagged
traffic only. Generally, you use an access port to connect workstations or
endpoints.

Trunk port
A trunk port can belong to multiple VLANs and can send and receive
untagged frames for one VLAN and tagged frames for multiple VLANs.
Trunk ports are used for switch-to-switch links, allowing you to extend VLAN
boundaries across switches.


Hybrid port
A hybrid port can belong to multiple VLANs. It can assign a frame to a
VLAN based on information other than the 802.1Q field. For example, a
hybrid port can look at the MAC address, the protocol, or the IP subnet of
frames to determine VLAN membership. Hybrid ports are used for
specialized functions, which are not covered in this course. For more
information, see the Building SMB Networks with HP Technologies course.


Guidelines for configuring VLANs on HP Comware switches

• By default all ports are configured as access ports that support the default VLAN.
• You must create a VLAN on the switch before assigning it to an access or trunk port.
• An access port can support only one untagged VLAN.
• A trunk port can support one untagged VLAN and multiple tagged VLANs.
• The PVID and permitted VLANs on connected trunk ports must match.

Introduction
Before you learn how to configure access and trunk ports on Comware
switches, you should review some basic guidelines.

By default all ports are configured as access ports that support the
default VLAN.
Like ProVision switches, Comware switches have a default VLAN, which is
VLAN 1. In addition, all ports are configured as access ports that support
VLAN 1.

With these settings, each port will accept frames that do not contain an
802.1Q tag and that have a source IP address in VLAN 1.

You must create a VLAN on the switch before assigning it to an
access or trunk port.
If you want an access port or a trunk port to support a VLAN, you must first
create that VLAN on the switch.

An access port can support only one untagged VLAN.


Once you create a VLAN on the switch, you can configure an access port to
support that VLAN. An access port can support only one VLAN and that
VLAN is untagged.


A trunk port can support one untagged VLAN and multiple tagged
VLANs.
Just like an access port, a trunk port can support only one untagged VLAN.
However, a trunk port can support any number of tagged VLANs. This
allows the trunk port to function as a switch-to-switch connection.

The trunk port’s port VLAN ID (PVID) determines the port’s untagged
VLAN. By default, all trunk ports’ PVID is the default VLAN, VLAN 1.

The trunk port’s permitted VLANs list determines the VLANs for which the
port carries traffic. Any VLAN in the permitted VLAN list that is not the PVID
is tagged.

By default, a trunk port has only VLAN 1 in its permitted VLANs list, so it
carries only untagged traffic. To add the tagged VLANs, you simply specify
them as permitted.

Often you keep the default PVID, but if you change it, the new PVID is not
automatically added to the permitted VLANs list, nor is VLAN 1 removed
from the permitted VLANs list. Therefore, the trunk port will not transmit or
accept any untagged traffic, and it will accept frames that are tagged for
VLAN 1. To allow the port to send and receive untagged traffic again,
remember to add the new PVID to the permitted list. Also remember to
remove VLAN 1, if you do not want it on the port. Of course, the PVID and
permitted VLANs on directly connected trunk ports must match.

The PVID and permitted VLANs on connected trunk ports must match.
When you connect two trunk ports to establish a switch-to-switch
connection, you must ensure that their VLAN settings match, or traffic will
be dropped. They must have the same PVID and permitted VLANs.


Configuring VLANs on HP Comware switches

• Creating VLANs
• Configuring access ports
• Configuring trunk ports
• Adding permitted VLANs to trunk ports
• Changing the trunk port’s PVID
• Configuring IP addresses

Introduction
Now that you understand the guidelines for configuring VLANs on Comware
switches, you can examine the commands.

Creating VLANs
Use the command shown here to create the VLAN so that you can assign
access or trunk ports to it.

Syntax:
[Switch] vlan <VLAN ID>
Example:
[Switch] vlan 10

Configuring access ports


Use the commands shown here to:

• Access the VLAN, moving to the Layer 2 VLAN context
• Add the port to the VLAN


Syntax:
[Switch] vlan <VLAN ID>
[Switch-vlan<ID>] port <interface-list>
Example:
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1

Configuring trunk ports


Use the commands shown here to:

• Move to the trunk port’s interface context
• Change the port’s type to trunk

Syntax:
[Switch] interface <interface type> <ID>
[Switch-<interface type><ID>] port link-type trunk
Example:
[Switch] interface g1/0/6
[Switch-GigabitEthernet1/0/6] port link-type trunk

Adding permitted VLANs to trunk ports


You must configure the trunk port to permit the VLANs you want it to
support. All VLANs that are not the PVID are tagged. You will receive an
error if you have not already created the VLANs. Separate the VLAN IDs by
a space to indicate those individual VLANs. Use a – to indicate a range.

Remember that connected trunk ports must support the same VLANs, or
traffic will be dropped.

Syntax:
[Switch-<interface type><ID>] port trunk permit vlan <VLAN ID list>
Example:
[Switch-GigabitEthernet1/0/6] port trunk permit vlan 10 20

Changing the trunk port’s PVID


As you learned earlier, the trunk port’s PVID defines its untagged VLAN
and is, by default, VLAN 1. Note that PVID on connected trunk ports must
match.
Use these commands to:

• Change the PVID
• Permit the new PVID (if you want the port to support untagged traffic)

Syntax:
[Switch-<interface type><ID>] port trunk pvid vlan <VLAN ID>
[Switch-<interface type><ID>] port trunk permit vlan <VLAN ID>
Example:
[Switch-<interface type><ID>] port trunk pvid vlan 2
[Switch-<interface type><ID>] port trunk permit vlan 2

Configuring IP addresses
As you learned earlier, you must configure an IP address on a VLAN if you
want the switch to send and receive its own IP traffic on that VLAN. Use the
commands shown here to:

• Create a Layer 3 VLAN interface
• Assign the VLAN interface an IP address

In this example, the switch has an IP address on the three VLANs
supported on its trunk port. Each VLAN is associated with a /24 subnet, and
the switch has host address 1 for each.

Syntax:
[Switch] interface vlan-interface <VLAN ID>
[Switch-vlan-interface<ID>] ip address <IP address> <mask | prefix length>
Example:
[Switch] interface vlan-interface 1
[Switch-vlan-interface1] ip address 10.1.1.1 255.255.255.0
[Switch-vlan-interface1] interface vlan-interface 10
[Switch-vlan-interface10] ip address 10.1.10.1 255.255.255.0
[Switch-vlan-interface10] interface vlan-interface 20
[Switch-vlan-interface20] ip address 10.1.20.1 255.255.255.0
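
The trunk-port rules from the guidelines (PVID, permitted list, the pitfall of
changing the PVID without permitting it, and matching connected trunks) and the
trunk commands just shown, worked through in Python as an added example that is
not HP code or switch output. It accepts the interface-context commands in the
form this course shows them; the switch and interface names are assumed, and
`undo port trunk permit vlan`, used to remove VLAN 1, is assumed from the
Comware command set rather than taken from this page.

```python
class TrunkPort:
    """State of one trunk port: the VLANs created on the switch, the PVID and
    the permitted list (defaults PVID 1, permitted {1}, as the course states)."""

    def __init__(self, name, created_vlans):
        self.name = name
        self.created = set(created_vlans)
        self.pvid = 1
        self.permitted = {1}

    def apply(self, command):
        """Apply one interface-context command written as in the course."""
        words = command.split()
        if words[:4] == ["port", "trunk", "permit", "vlan"]:
            ids = parse_vlan_list(words[4:])
            missing = ids - self.created          # the switch errors on unknown VLANs
            if missing:
                raise ValueError(f"{self.name}: VLAN(s) {sorted(missing)} not created")
            self.permitted |= ids
        elif words[:4] == ["port", "trunk", "pvid", "vlan"]:
            # The new PVID is NOT added to the permitted list and VLAN 1 is NOT
            # removed from it; both must be done explicitly afterwards.
            self.pvid = int(words[4])
        elif words[:5] == ["undo", "port", "trunk", "permit", "vlan"]:
            self.permitted -= parse_vlan_list(words[5:])
        else:
            raise ValueError(f"unsupported command: {command!r}")
        return self

    def untagged_vlan(self):
        """The PVID, but only while it is permitted; otherwise the port sends
        and accepts no untagged traffic at all."""
        return self.pvid if self.pvid in self.permitted else None

    def tagged_vlans(self):
        """Every permitted VLAN other than the PVID is carried tagged."""
        return self.permitted - {self.pvid}


def parse_vlan_list(tokens):
    """Space-separated VLAN IDs, with a-b ranges as described in the course."""
    ids = set()
    for tok in tokens:
        lo, _, hi = tok.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def trunk_mismatches(a, b):
    """Settings that differ between two connected trunk ports; any entry
    means traffic will be dropped on that link."""
    problems = []
    if a.pvid != b.pvid:
        problems.append(f"PVID {a.pvid} vs {b.pvid}")
    if a.permitted != b.permitted:
        problems.append(f"permitted {sorted(a.permitted)} vs {sorted(b.permitted)}")
    return problems


def pvid_pitfall():
    """The sequence the guideline warns about, before and after the fix.
    Interface name and VLANs are constructed for the example."""
    port = TrunkPort("GigabitEthernet1/0/6", created_vlans={1, 2, 10, 20})
    port.apply("port trunk permit vlan 10 20")
    port.apply("port trunk pvid vlan 2")
    before = (port.untagged_vlan(), port.tagged_vlans())   # (None, {1, 10, 20})
    port.apply("port trunk permit vlan 2")                  # untagged traffic works again
    port.apply("undo port trunk permit vlan 1")             # VLAN 1 no longer accepted tagged
    after = (port.untagged_vlan(), port.tagged_vlans())    # (2, {10, 20})
    return before, after


def neighbor_check():
    """Switch 2's trunk left at the default PVID while Switch 1's was moved
    to VLAN 2: the connected ports no longer match."""
    local = TrunkPort("Switch1 g1/0/6", {1, 2, 10, 20})
    for cmd in ("port trunk permit vlan 10 20", "port trunk pvid vlan 2",
                "port trunk permit vlan 2", "undo port trunk permit vlan 1"):
        local.apply(cmd)
    remote = TrunkPort("Switch2 g1/0/24", {1, 2, 10, 20})
    remote.apply("port trunk permit vlan 2 10 20")
    return trunk_mismatches(local, remote)


if __name__ == "__main__":
    print("PVID pitfall (untagged, tagged) before/after:", *pvid_pitfall())
    print("mismatches:", neighbor_check())
```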


GVRP

In this module, you have learned how to manually configure VLAN memberships on ProVision and Comware switches.
Rather than manually configuring VLAN settings on switch ports, however, you can use the GARP VLAN Registration
Protocol (GVRP) to dynamically create VLANs on ports that are connected to other GVRP-aware switches. (Generic Attribute
Registration Protocol [GARP] is a protocol that defines procedures by which end stations and switches can register
attributes with each other.)
When GVRP is enabled on a switch, it advertises any configured static VLANs on all its ports. If a GVRP-aware switch port
receives the advertisement, it can dynamically join the advertised VLAN. This dynamic VLAN is tagged on the port.
Both ProVision and Comware switches support GVRP. (GVRP configuration and management is not covered in this course.
For more information, see your switch documentation.)


Example: Discovering a device’s destination address

Introduction
You now know how to configure VLANs on switch ports. Next, you will look
at an example of how switches use Layer 2 forwarding to enable two
devices within the same VLAN to communicate. In this example, a
workstation wants to communicate with a database server, and both
devices are in the same VLAN. However, as you can see, there are several
switches between them.

Step 1
Before the workstation can send a frame to the server, it must know the
server’s MAC address so that it can place the correct destination address in
the frame. The application on the workstation knows or is configured with
the server’s IP address. Therefore, the workstation sends an Address
Resolution Protocol (ARP) request, which is a broadcast to the entire
VLAN, requesting the MAC address associated with the server’s IP
address. In this instance, the Ethernet frame that the workstation sends has
a destination MAC address of FFFFFF:FFFFFF, which is the broadcast
address.

Step 2
The switch to which the workstation is connected receives the ARP request.
Because this frame is a broadcast, the switch sends it out all of its ports that
are members of VLAN 30. (This is sometimes called flooding.)


Step 3
When other switches along the path to the database server receive the
broadcast, they also flood the frame out all of their ports that belong to
VLAN 30.

Step 4
The database server finally receives the ARP request. It responds to the
request by sending a directed frame (not a broadcast) to the workstation’s
MAC address, wherein it conveys its hardware or MAC address.


Example: Layer 2 forwarding

Introduction
Now that the workstation knows the MAC address of the database server, it
can send Ethernet frames directly to the server.

Step 1
The workstation addresses a frame to the database server’s MAC address.

Step 2
The Edge_1 switch operates as a Layer 2 switch. It checks its Layer 2
forwarding table and forwards the frame through port B2 to the IT switch.

(If the switch did not know the port for this MAC address, it would flood the
frame like a broadcast. But all the switches in this example learned the port
for the server’s MAC address when they received the server’s ARP
response on its way back to the workstation.)

Step 3
The IT_switch is a Layer 3 switch. You do not need to understand its Layer
3 functions now but simply know that it acts as a Layer 2 switch for all
frames that are not destined to its own MAC address.

In this case, the destination MAC address is different from its own MAC
address, so the switch checks its MAC forwarding table. The switch
forwards the frame through port C9.

Step 4
The Edge_2 switch receives the frame through port B24, submits it to its
Layer 2 forwarding table lookup, and forwards it through port B1 to the
database server.
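
The two walkthroughs above (ARP discovery, then Layer 2 forwarding), simulated
in Python as an added example that is not HP code: the workstation's broadcast
is flooded through Edge_1, IT_switch and Edge_2 in VLAN 30, each switch learns
the source MAC as the frame passes, the server's directed reply teaches them
the server's port, and the data frame is then forwarded port by port. Ports B2,
C9, B24 and B1 are the course's; port A1 on Edge_1, port C1 on IT_switch toward
Edge_1 and the MAC addresses are assumed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
VLAN = 30


class Device:
    def __init__(self, name):
        self.name = name
        self.links = {}                   # local port -> (neighbour, neighbour's port)

    def send(self, port, frame, trace):
        neighbour, their_port = self.links[port]
        neighbour.receive(their_port, frame, trace)


class Host(Device):
    def __init__(self, name, mac):
        super().__init__(name)
        self.mac = mac
        self.received = []

    def receive(self, port, frame, trace):
        self.received.append(frame)
        trace.append(f"{self.name} received {frame['what']}")


class Switch(Device):
    def __init__(self, name, vlan_ports):
        super().__init__(name)
        self.vlan_ports = vlan_ports      # {vlan: [member ports]}
        self.mac_table = {}               # {(vlan, mac): port}  (Layer 2 forwarding table)

    def receive(self, port, frame, trace):
        vlan = frame["vlan"]
        if port not in self.vlan_ports[vlan]:
            trace.append(f"{self.name}: drop on {port}, not a member of VLAN {vlan}")
            return
        # Learn: the source MAC is reachable through the ingress port.
        self.mac_table[(vlan, frame["src"])] = port
        out = self.mac_table.get((vlan, frame["dst"]))
        if frame["dst"] == BROADCAST or out is None:
            # Broadcast or unknown destination: flood out every other VLAN port.
            outs = [p for p in self.vlan_ports[vlan] if p != port]
            trace.append(f"{self.name}: flood out {','.join(outs)}")
        else:
            outs = [out]
            trace.append(f"{self.name}: forward out {out}")
        for p in outs:
            self.send(p, frame, trace)


def link(a, port_a, b, port_b):
    """Wire port_a of device a to port_b of device b."""
    a.links[port_a] = (b, port_b)
    b.links[port_b] = (a, port_a)


def frame(src, dst, what):
    return {"src": src, "dst": dst, "vlan": VLAN, "what": what}


def run_example():
    ws = Host("workstation", "02:00:00:00:00:0a")          # constructed MACs
    db = Host("database_server", "02:00:00:00:00:0b")
    edge1 = Switch("Edge_1", {VLAN: ["A1", "B2"]})         # A1 assumed
    it = Switch("IT_switch", {VLAN: ["C1", "C9"]})         # C1 assumed
    edge2 = Switch("Edge_2", {VLAN: ["B24", "B1"]})
    link(ws, "nic", edge1, "A1")
    link(edge1, "B2", it, "C1")
    link(it, "C9", edge2, "B24")
    link(edge2, "B1", db, "nic")

    discovery = []
    ws.send("nic", frame(ws.mac, BROADCAST, "ARP request"), discovery)   # steps 1-3
    db.send("nic", frame(db.mac, ws.mac, "ARP reply"), discovery)        # step 4
    forwarding = []
    ws.send("nic", frame(ws.mac, db.mac, "data"), forwarding)            # second example
    return {"discovery": discovery, "forwarding": forwarding,
            "tables": {s.name: s.mac_table for s in (edge1, it, edge2)}}


if __name__ == "__main__":
    result = run_example()
    for line in result["discovery"] + result["forwarding"]:
        print(line)
```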


Layer 2 or Layer 3 forwarding

You now understand how switches forward traffic at Layer 2. They make
forwarding decisions based on information in the Ethernet header of a
frame such as the destination MAC address and the 802.1Q VLAN tag.

When devices that are in separate VLANs or subnets need to communicate,
the traffic must be routed. Switches that support routing use Layer 3
information, such as the IP address, to make forwarding decisions.
Switches that support routing are sometimes called routing switches or
Layer 3 switches.

For example, if the workstations in VLAN 20 want to communicate with the
servers in VLAN 30, the switch must use Layer 3 data to route the traffic
between the VLANs. You will learn more about this process in Module 4:
Routing.


Summary

This module described the fundamentals of VLANs:

• VLANs are used to segment the network to limit broadcast domains.
• VLANs separate user traffic into different subnets, increasing network
security.
• The 802.1Q field allows an Ethernet frame to be tagged for VLAN
membership.
• VLANs are configured differently on HP Comware and ProVision
switches, but the underlying principles are the same.

Routing
Module 4

Module 4: Routing

Objectives

This module explains when a Layer 3 switch or router is required to route
traffic to its destination. It also guides you through the process of enabling
routing and configuring a static route on HP Comware and ProVision
switches.

After completing this module, you should be able to:

• Explain when a Layer 3 switch or router is required to route traffic
• List the basic components of routing tables and explain the purpose of
each component
• Describe how Layer 3 switches use static and default routes to ensure
that traffic reaches its final destination


Layer 2 switching and Layer 3 routing

Introduction
When a device needs to communicate with another device in the same
VLAN or subnet, the switch (or switches) can forward traffic between the
two devices at Layer 2.

If a device needs to communicate with a device in a different VLAN,
however, a Layer 3 switch or router must route the traffic at Layer 3.
Although the traffic can be routed by a Layer 3 switch or a router, the
examples in this course focus on Layer 3 switches.

Layer 2 forwarding
Switches acting at Layer 2 use information in the Ethernet header to
forward traffic, specifically the destination Media Access Control (MAC)
address and perhaps an 802.1Q tag. The switch does not process the
frame past the Ethernet header, ignoring the IP or other Layer 3 header.

The switch follows two simple rules. First, it looks up the port for the
destination MAC address in its MAC forwarding table and forwards the
frame on that port. Second, if the switch does not know the MAC address, it
floods the frame out all ports that belong to the frame’s VLAN.

In this example, if a workstation in VLAN 20 that is connected to Switch A
needs to send data to a workstation in VLAN 20 that is connected to switch
B, the traffic can be forwarded at Layer 2. As the data travels from Switch A
through Switch C and onto Switch B, all of the switches forward the traffic
by looking up the destination MAC address in their forwarding tables.

Layer 3 forwarding
To route traffic, a Layer 3 switch uses information in the packet’s Layer 3
header. IP is by far the most common Layer 3 protocol, and this course
focuses on IP routing. Specifically, therefore, the Layer 3 switch relies on
the packet’s destination IP address to make routing decisions. (For the
purposes of this course, the IP header is a version 4 IP header.)

In this example, when a workstation in VLAN 20 that is connected to Switch
B needs to send data to a server in VLAN 30 with IP address
10.1.30.101/24, the workstation knows that the server is in a different
network. The workstation sends its traffic to the Layer 3 switch, and the
Layer 3 switch routes the traffic to the server. The rest of this module
explains how this process works.


Routing overview

Introduction
Before you consider how a switch learns how to route traffic to specific
subnets, you should understand at a high level how a packet is transmitted
from a device in one subnet to a device in another subnet.

1. Send traffic to default gateway


A typical device is connected to one subnet. If that device needs to send
traffic to a device in a different VLAN or subnet, it sends that traffic to its
default gateway.

In the example network, the default gateway for devices in VLAN 20 (which
is associated with subnet 10.1.20.0/24) is Switch B (which has the IP
address 10.1.20.1).

The default gateway is responsible for knowing where to send traffic so that
it will reach its final destination. (You will learn how the default gateway
gathers and stores this information later in this module.)

2. Route traffic to next hop


In this example network, Switch B does not support VLAN 30 (which is
associated with subnet 10.1.30.0/24). To route traffic to VLAN 30, therefore,
Switch B must know the route, or pathway, to the destination network.
Actually, it is more accurate to say that Switch B must know the next hop in
the route, meaning the next device that can send the packet onto its final
destination.

In the example network, Switch C is the next hop. To be more specific,
because Switch B and Switch C connect on VLAN 2, switch C’s VLAN 2 IP
address, 10.1.2.1, is the next hop.

3. Forward traffic at Layer 2


Switch C supports VLAN 30 (with subnet 10.1.30.0/24) and the servers are
attached directly to it. Therefore, Switch C forwards the traffic destined to
the server at Layer 2.

4. Return traffic
If the destination device, in this case a server, wants to send traffic to the
originating device, it must send the traffic to its default gateway. In this case,
Switch C is the default gateway for VLAN 30 (which is subnet 10.1.30.0/24).

Switch C does not support VLAN 20 (subnet 10.1.20.0/24). To route traffic
from VLAN 30 back to VLAN 20, Switch C must know the next hop address
in the path. In this example, Switch B is the next hop. Again, more precisely,
the next hop is switch B’s IP address in VLAN 2, 10.1.2.2.


Types of routes

Layer 3 switches and routers learn the next hop for destination networks
through routes. There are two types of routes:

• Direct routes are for local networks, which are those networks directly
connected to the switch.
• Indirect routes are for remote networks, which are those networks not
directly connected to the switch.


Direct routes

Introduction
A switch or router has direct routes to the subnets assigned to its own Layer
3 interfaces:

• On a Layer 3 switch, Layer 3 interfaces are typically VLAN interfaces
configured with IP addresses.
• Routers and some Layer 3 switches allow you to assign IP addresses
directly to ports or aggregated links. In that case, these physical
interfaces are also Layer 3 interfaces.

Typically, when you enable IP routing on a switch, the switch automatically
creates a direct route for all active Layer 3 interfaces that have an IP
address.

1. Adding direct routes

Switch C has been assigned the IP address 10.1.10.1/24 for VLAN 10. IP
routing is enabled, allowing the switch to function as a Layer 3 switch. As
soon as Switch C has one active port in VLAN 10 (which is the link
between Switch C and Switch A in this example), VLAN 10 is “up,” and the
switch adds a direct route to 10.1.10.0/24.

Similarly, as VLAN 20 comes up, Switch C adds a direct route to
10.1.20.0/24.


The direct route to subnet 10.1.10.0/24 lets Switch C route traffic that it
receives on VLAN 20 to any destination in VLAN 10. Similarly, the direct
route to subnet 10.1.20.0/24 would let Switch C route traffic received on
VLAN 10 back to a destination in VLAN 20.

2. Forwarding traffic at Layer 2
Because Switch C has a direct route to VLAN 10, it forwards all traffic
destined to devices in VLAN 10 at Layer 2. When a switch routes traffic
using a direct route, it is responsible for discovering the MAC address of the
final destination IP address. To discover the MAC address, the switch floods
an Address Resolution Protocol (ARP) request to all the ports in VLAN 2.
When the switch receives an ARP response with the MAC address, it
forwards the traffic on the appropriate port for that MAC address. In this
example, Switch C forwards the traffic on the port that connects to Switch A.

3. Layer 2 switch
Switch A does not have IP routing enabled. Therefore, it forwards the traffic
at Layer 2 and does not have direct (or indirect) routes.

Indirect routes

Introduction
An indirect route enables a switch to communicate with “non-local”
destinations using one or more intermediate hops. Indirect routes must be
entered manually or learned through a routing protocol.

Static route
A static route is a route to a specific remote network. A network
administrator must manually enter a static route.

Default route
A default route is a special type of indirect route that tells a Layer 3 switch
how to forward a packet when it does not know a specific route to the
destination address. Default routes may be static or dynamic. On the
example network, Switch C has a default route to WAN router A, which
connects to the Internet.

Dynamic route
A switch learns a dynamic route through a routing protocol. Routing
protocols allow switches and routers to exchange routing information to
determine the best paths between networks. (This course does not focus on
routing protocols. The Building SMB Networks with HP Technologies course
covers routing protocols in more detail.)


Static routes

Introduction
In the example network, Switch B does not support subnet 10.1.30.1/24
(VLAN 30). To route traffic to this subnet, therefore, the switch needs a
route, which would include the information shown in the graphic: the next
hop, which would be 10.1.2.1, and the forwarding interface, which would be
VLAN 2.

The switch could have a static route or a dynamic route to this network. As
mentioned earlier, this course focuses on static routes. The advantages and
disadvantages of using a static route are described below.

Advantages
Static routes work best for networks with simple topologies. When a
network does not have many paths for traffic to traverse, you might find it
easier to configure a couple of static routes manually rather than implement
a routing protocol. With static routes, you also have complete control over
which next hop each Layer 3 switch uses for each destination subnet.

Disadvantages
The larger a network is and the more VLANs and subnets it supports, the
more tedious and difficult it is to configure every route on every Layer 3
switch and router manually.


In addition, static routes might not adapt well to network topology changes.
For example, if you added another path to VLAN 30 for Switch B (perhaps
by adding another switch), you would need to reconfigure the route. In
addition, although there are ways to configure backup static routes, these
routes might not respond to changing conditions several hops away. Thus if
a hop in the path to a destination becomes unavailable, the destination may
become unreachable. Dynamic routing protocols, on the other hand, allow
Layer 3 switches and routers to adapt to network changes.


Default route
The default route is the route of last resort. When a Layer 3 switch or router
cannot match traffic to a specific route, it will use the default route.

Often, the default route is used to enable connectivity to the Internet. A
Layer 3 switch is configured with the IP address of an Internet-accessible
router. The Layer 3 switch forwards any traffic for which it does not have a
route to that router to resolve.

A default route usually shows as 0.0.0.0/0 in a routing table. This notation
tells the router to forward any traffic that cannot be specifically matched out
the interface associated with the default route.

Routing tables

Introduction
At a minimum, a Layer 3 switch requires the following information about
each IP route, which the switch stores in its routing table:

• Destination network and subnet mask
• Next hop (which is sometimes called gateway)
• Route prioritization methods:
  • Administrative distance or preference
  • Metric or cost

You have already learned about the destination network and the next hop.
Because switches sometimes have more than one route to the same
destination, they must be able to prioritize routes.

Administrative distance or preference
Switches need a method for comparing routes to the same destination that
are learned by different routing protocols or methods. ProVision switches
use administrative distance, while Comware switches use preference.

On ProVision switches, each route is assigned an administrative distance,
which reflects the reliability of the routing protocol or method of discovery.
The lower the distance, the more reliable the route is deemed, and the more
likely the route is to be selected. Directly connected routes always have an
administrative distance of 0.

For example, an 8212 zl switch might have a static route to 10.1.30.0/24
with administrative distance 1. The switch might also have a route learned
by Routing Information Protocol (RIP) to 10.1.30.0/24 with administrative
distance 120. (RIP is a routing protocol.) The switch selects the static route
because this route has the lower administrative distance. The switch still
knows the other route and will add it to its routing table if the next hop for
the selected (static) route becomes unreachable. The non-selected route
acts as a backup.

Similarly, Comware switches use the preference option to compare routes
to the same destination that were learned with different routing protocols or
methods. Routes with the lower preference value are selected.

Metric or cost
Switches also need a way to compare routes that are learned by the same
routing protocol or method.

ProVision switches use the route metric to compare routes learned by the
same routing protocol or method. For example, when a routing protocol
discovers more than one route to a destination, the switch selects the route
with the lowest metric as its best route.

Comware switches use the route cost to compare routes learned from the
same protocol or method. Lowest cost routes are preferred. However, when
a routing protocol discovers multiple routes to the same destination with the
same cost, Comware switches can load balance traffic over all of the same-
cost routes.

Note that the Layer 3 switch does not compare the metric or cost between
routes acquired through different methods. Each routing protocol selects
one lowest metric or cost route to each destination (or, in the case of
Comware switches, several load-balanced routes). For example, Routing
Information Protocol (RIP) might select one lowest-cost route to
10.1.30.0/24, and Open Shortest Path First (OSPF) might do the same. The
switch then must choose between the RIP route and the OSPF route, and it
uses administrative distance or preference to do so. (Both RIP and OSPF
are routing protocols.)

HP Comware routing table

Introduction
Each Layer 3 switch or router stores its selected routes in a routing table.
The example below shows a routing table from a Comware switch.

Destination/Mask
The Destination/Mask field specifies the network address and subnet mask
for the destination. Note that an IP address might match multiple routes,
which means the Layer 3 switch knows more than one route to the same IP
address. In this case, the Layer 3 switch uses the most specific route (the
route with the longest mask) to route the packet.
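The selection order described under Routing tables (administrative distance or preference, then metric or cost) and the longest-match rule above, as an added example that is not from the course. The routing table, next hops and interface names are constructed; the static and RIP entries use the administrative distances from the 8212 zl example, and the OSPF entries are added to show equal-cost routes and a more specific route. With ecmp=True the function returns every equal-cost route, which is the Comware load-balancing behaviour; the unreachable_next_hops parameter models the backup route being installed when the selected route's next hop goes away:

```python
"""Route selection on a Layer 3 switch.

Added example, not code from the HP course: it models the selection order
described on this page (longest prefix match first, then administrative
distance / preference, then metric / cost, with Comware-style equal-cost
load balancing). The routing table below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # destination network and mask, e.g. "10.1.30.0/24"
    proto: str         # "Direct", "Static", "RIP", "OSPF"
    pre: int           # administrative distance (ProVision) / preference (Comware); lower wins
    cost: int          # metric / cost; only compared between routes of the same proto
    next_hop: str
    interface: str

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def best_routes(table, dst, ecmp=True, unreachable_next_hops=frozenset()):
    """Return the route(s) the switch would use for destination IP dst.

    1. Drop routes whose next hop is currently unreachable (the backup
       route is then the best remaining candidate).
    2. Keep routes whose prefix contains dst; of those, keep the longest mask.
    3. Keep the lowest preference / administrative distance.
    4. Keep the lowest cost. With ecmp=True (Comware behaviour) all
       equal-cost routes are returned for load balancing; otherwise one.
    An empty list means no route, not even a default route: the packet is dropped.
    """
    ip = ipaddress.ip_address(dst)
    cands = [r for r in table
             if r.next_hop not in unreachable_next_hops and ip in r.network]
    if not cands:
        return []
    longest = max(r.network.prefixlen for r in cands)
    cands = [r for r in cands if r.network.prefixlen == longest]
    lowest_pre = min(r.pre for r in cands)
    cands = [r for r in cands if r.pre == lowest_pre]
    lowest_cost = min(r.cost for r in cands)
    cands = [r for r in cands if r.cost == lowest_cost]
    return cands if ecmp else cands[:1]


# Constructed routing table (next hops and interfaces are illustrative).
TABLE = [
    Route("0.0.0.0/0",      "Static", 1,   0,  "10.1.4.2",  "Vlan500"),  # default route to the WAN router
    Route("10.1.20.0/24",   "Direct", 0,   0,  "10.1.20.1", "Vlan20"),
    Route("10.1.30.0/24",   "Static", 1,   0,  "10.1.2.1",  "Vlan2"),    # static route, distance 1
    Route("10.1.30.0/24",   "RIP",    120, 2,  "10.1.3.1",  "Vlan3"),    # same subnet learned by RIP, distance 120
    Route("10.1.40.0/24",   "OSPF",   110, 10, "10.1.5.1",  "Vlan5"),
    Route("10.1.40.0/24",   "OSPF",   110, 10, "10.1.6.1",  "Vlan6"),    # equal-cost OSPF route
    Route("10.1.40.128/25", "OSPF",   110, 20, "10.1.7.1",  "Vlan7"),    # more specific: wins despite higher cost
]


def describe(dst, **kw):
    """Human-readable summary of the selected route(s) for dst."""
    chosen = best_routes(TABLE, dst, **kw)
    if not chosen:
        return f"{dst}: no route (dropped)"
    return f"{dst}: " + " | ".join(
        f"{r.proto} {r.prefix} via {r.next_hop} on {r.interface}" for r in chosen)


if __name__ == "__main__":
    for dst in ("10.1.30.7", "10.1.40.5", "10.1.40.200", "8.8.8.8"):
        print(describe(dst))
    # The static route's next hop goes away: the RIP route takes over.
    print(describe("10.1.30.7", unreachable_next_hops={"10.1.2.1"}))
```

Note that metric or cost is only compared after the preference step has already reduced the candidates to one protocol, which is why the RIP cost of 2 never competes with the static route's cost of 0.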

Proto
The Proto field indicates the protocol or method by which the route was
discovered. Possible values include Static (a static route), Direct (a direct
connection), or a routing protocol such as RIP or OSPF.

Pre
The Pre field indicates the administrative preference. The switch uses
administrative preference to choose between two or more routes to the
same destination that were discovered through different protocols or
methods. For example, one route might be a static route while another
route might be an OSPF route. (OSPF is a routing protocol.)


Cost
The Cost field indicates the cost of the route. The switch uses the cost to
choose between routes to the same destination that are learned through the
same protocol or method. For example, the routes might both be OSPF
routes.

NextHop
The NextHop field indicates the next hop for each route.

Interface
The Interface field indicates the switch interface that will be used to forward
traffic to or toward the destination. As you recall, on Layer 3 switches the
interface is usually a VLAN interface. However, on routers the interface
might be a physical port that has been assigned an IP address.

HP Comware indirect routes

Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 1.1.4.2 Vlan500
10.1.2.0/24 Direct 0 0 10.1.2.3 Vlan300
10.1.2.3/32 Direct 0 0 127.0.0.1 InLoop0
10.1.4.0/30 Direct 0 0 10.1.4.1 Vlan500
10.1.4.1/32 Direct 0 0 127.0.0.1 InLoop0

For indirect routes, the next hop is always another Layer 3 switch or router
that knows how to route the packet toward the destination. For a route to
remain in the routing table, the Layer 3 switch must be able to reach the
next hop.

In this example, the next hop for the default route (0.0.0.0/0) is 10.1.4.2,
which is in the 10.1.4.0/24 subnet. The switch knows a route to 10.1.4.0/24,
which is directly connected on VLAN 500, so it can reach the next hop.

For an indirect route, the forwarding interface is the interface on which the
local device reaches the next hop. In this case, it is VLAN 500.
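The reachability rule above (an indirect route stays in the table only while its next hop is reachable), as an added example that is not Comware code: it parses text in the layout of the routing table shown above and reports, for each non-Direct route, the connected subnet and interface through which its next hop is reached. The sample output is constructed to match that table, with the default route's next hop as 10.1.4.2 as the text states, plus a deliberately unreachable static route (192.168.99.0/24 via 10.1.9.1) to show what the check reports:

```python
"""Parse Comware 'display ip routing-table' style output and check that
every indirect route's next hop is reachable through a direct route.

Added example, not Comware code. SAMPLE is constructed to match the table
on this page; the sixth route is added to show an unreachable next hop.
"""
import ipaddress

SAMPLE = """\
Routing Tables: Public
        Destinations : 6        Routes : 6

Destination/Mask    Proto  Pre  Cost   NextHop         Interface
0.0.0.0/0           Static 60   0      10.1.4.2        Vlan500
10.1.2.0/24         Direct 0    0      10.1.2.3        Vlan300
10.1.2.3/32         Direct 0    0      127.0.0.1       InLoop0
10.1.4.0/30         Direct 0    0      10.1.4.1        Vlan500
10.1.4.1/32         Direct 0    0      127.0.0.1       InLoop0
192.168.99.0/24     Static 60   0      10.1.9.1        Vlan900
"""


def parse_routing_table(text):
    """Return one dict per route line; banner, counter and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or "/" not in parts[0]:
            continue                      # banner or "Destinations : n Routes : n"
        try:
            pre, cost = int(parts[2]), int(parts[3])
        except ValueError:                # the "Destination/Mask Proto Pre ..." header
            continue
        routes.append({
            "dest": ipaddress.ip_network(parts[0]),
            "proto": parts[1],
            "pre": pre,
            "cost": cost,
            "next_hop": ipaddress.ip_address(parts[4]),
            "interface": parts[5],
        })
    return routes


def connected_subnets(routes):
    """(subnet, interface) for each Direct route that covers other devices.
    The /32 Direct routes point at InLoop0 and describe the switch's own
    addresses, so they cannot be used to reach a next hop."""
    return [(r["dest"], r["interface"]) for r in routes
            if r["proto"] == "Direct" and r["dest"].prefixlen < 32]


def check_next_hops(routes):
    """For each indirect route, find the connected subnet containing its next hop.

    Returns (ok, unreachable): ok maps destination -> interface through which
    the next hop is reached (the route's forwarding interface); unreachable
    lists destinations whose next hop lies in no connected subnet. Such a
    route would not remain in the switch's routing table."""
    subnets = connected_subnets(routes)
    ok, unreachable = {}, []
    for r in routes:
        if r["proto"] == "Direct":
            continue
        via = [iface for net, iface in subnets if r["next_hop"] in net]
        if via:
            ok[str(r["dest"])] = via[0]
        else:
            unreachable.append(str(r["dest"]))
    return ok, unreachable


if __name__ == "__main__":
    ok, bad = check_next_hops(parse_routing_table(SAMPLE))
    for dest, iface in ok.items():
        print(f"{dest}: next hop reachable on {iface}")
    for dest in bad:
        print(f"{dest}: next hop not in any connected subnet")
```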

HP Comware direct routes

Introduction
Comware switches handle direct routes as outlined below.

Next Hop
When a Layer 3 switch has a direct route to a subnet, the next hop is the IP
address of the switch on that subnet. For direct routes to the IP address of
the Comware switch itself, the next hop is the loopback address.

In this example, the Comware switch has IP address 10.1.2.3/24 on VLAN
300. The next hop for the route to 10.1.2.0/24 is 10.1.2.3, the IP address of
the switch on this subnet. The next hop for 10.1.2.3/32 is the loopback
address.

Interface
The forwarding interface for a direct route is the VLAN interface (or Layer 3
physical interface) associated with that subnet. The forwarding interface for
a direct route to the IP address of the switch is the loopback interface.

As you can see, if the packet is destined to the IP address of the switch, the
switch processes the packet locally. If the packet is destined to another IP
address on the directly connected subnet, the switch forwards the packet
on the associated interface.

HP ProVision routing table

Introduction
HP ProVision switches display routing information in a slightly different
order, as shown in this example.

Destination
The Destination field contains the destination network and subnet mask,
which the switch uses to match a packet’s destination IP address to a
route.

Gateway
The Gateway field indicates the gateway (or next hop) for the route. For
indirect routes, the gateway is the next hop’s IP address, just as in
Comware switches. However, on ProVision switches, the gateway for a
direct, or “connected,” route is the name of the VLAN associated with the
connected subnet.

VLAN
The VLAN field indicates the forwarding interface for the route.

Type
The Type field indicates the type of route. ProVision switches use the term
“connected” to indicate a direct route. The example routing table displays
only connected and static routes, but ProVision switches also support
routing protocols such as RIP and OSPF, which are listed by these names.


Sub-Type
The Sub-Type field is used when routes have been discovered through the
OSPF protocol.

Metric
As you learned, ProVision switches use metrics to choose between routes
that were discovered in the same way (such as two OSPF routes or two
RIP routes).

Dist.
The Dist. field indicates the administrative distance, a route prioritization
method used to choose between routes of different types.


Routing example: Step 1

Introduction
You now understand that a Layer 3 switch uses its routing table and a
packet’s IP address to discover the packet’s next hop and forwarding
interface.

You will take a close look at this process by following a packet as it is routed
from a source workstation at 10.1.20.53/24 to a database server at
10.1.30.101/24.

Step 1
The workstation knows the IP address of the server (10.1.30.101) and
recognizes that this address is on a different network. Because the packet
must be routed, the workstation sends the traffic to its default gateway,
Switch C, which has the IP address of 10.1.20.1.

If the workstation does not know the MAC address for 10.1.20.1 (because it
has not recently communicated with its default gateway), it sends an ARP
request to find the MAC address. The ARP response resolves the IP
address 10.1.20.1 to Switch C’s MAC address (00-1D-B3-F1-EF-40).

The workstation then sends an Ethernet frame, which has the MAC
destination address for Switch C, to its directly attached switch, Switch B.
However, the packet’s IP destination address is 10.1.30.101, which is the
server’s IP address.


Routing example: Step 2

Step 2
When Switch B receives the frame, it uses the destination MAC address to
forward the frame at Layer 2. The switch looks up the destination MAC
address in its MAC forwarding table and forwards the frame out the correct
port. (If the switch does not know the MAC address, it can flood the frame
out on VLAN 20.)


Routing example: Step 3

Step 3
When Switch C receives the frame, it recognizes its address in the
destination MAC address field and removes the Ethernet header. Switch C
examines the IP header and realizes that it needs to route the packet since
the destination IP address is not its own IP address.

Switch C looks up the most specific route that matches the destination
address in its routing table. The routing table shows that the destination IP
address is a directly connected route on the VLAN 30 interface.

Switch C determines that it must forward the packet on VLAN 30.


Routing example: Step 4

Step 4
Switch C has determined that it must forward the packet on the VLAN 30
interface. To do so, it must add a new Ethernet header.

When using a direct route, the switch forwards the frame directly to the
destination, which is the server’s MAC address. Switch C uses ARP to
resolve the server’s IP address to a MAC address and to determine the
physical forwarding port.

Note that if Switch C were using an indirect route, it would use ARP to
resolve the next hop router’s IP address to a MAC address. It would then
specify that MAC address instead of the actual destination device’s MAC
address.


Routing example: Step 5

Step 5
When Switch D receives the frame, it uses its MAC (Layer 2) forwarding
table to find the correct port for the destination MAC address. (If Switch D
does not know the port, it floods the frame.)

The traffic has now reached its destination, the database server with IP
address 10.1.30.101/24 and MAC address 00-E0-52-F0-4C-0F.


VLAN tagging on HP ProVision switches: Step 1

Introduction
Now that you understand how traffic is routed between VLANs, you will
examine how HP ProVision switches handle VLAN assignments and 802.1Q
tagging as they forward and route the traffic. You will examine this topic
using the same scenario as before: you will trace an IP packet sent from a
workstation to a database server.

Step 1
Before you look at the flow of traffic and how frames are tagged, you must
understand port VLAN membership. In this example, switches support
multiple VLANs on their switch-to-switch ports. All of the switch-to-switch
ports are untagged members of VLAN 1 and tagged members of one or
more other VLANs. VLANs on this network include:

• Faculty VLAN, which is VLAN 10
• Student VLAN, which is VLAN 20
• Data Center VLAN, which is VLAN 30

The source workstation and destination database server, on the other hand,
do not support 802.1Q, and the ports are untagged members of their
respective VLANs:

• The workstation is a member of the Student VLAN, VLAN 20.
• The database server is a member of the Data Center VLAN, VLAN 30.


VLAN tagging on HP ProVision switches: Step 2

Step 2
When the source workstation sends the frame (containing the packet
destined for the database server), Switch B receives the frame on a port
that is an untagged member of VLAN 20.

The workstation does not support 802.1Q. The frame does not include an
802.1Q tag at this point.


VLAN tagging on HP ProVision switches: Step 3

Step 3
Switch B forwards the frame to Switch C on a port that is tagged for VLAN
20. Because the port is tagged for VLAN 20, the switch inserts the 802.1Q
tag into the Ethernet frame.


VLAN tagging on HP ProVision switches: Step 4

Step 4
Switch C routes the packet to VLAN 30. Because the link between Switch C
and Switch D is tagged, Switch C removes the VLAN 20 802.1Q tag from
the Ethernet frame and then inserts the VLAN 30 802.1Q VLAN tag into the
Ethernet frame.


VLAN tagging on HP ProVision switches: Step 5

Step 5
Switch D receives the frame on a port that is a tagged member of VLAN 30.
However, because the server is connected to Switch D on an untagged port
that is a member of VLAN 30, Switch D removes the 802.1Q tag before
forwarding the frame to the server.


Access and trunk ports on HP Comware switches

Introduction
You will now trace a packet on a similar network that includes Comware
switches instead of ProVision switches. Again, all switches on this network
must support multiple VLANs, including the default VLAN, VLAN 1.

Step 1
The source workstation and destination database server do not support
802.1Q. Consequently, the workstation is connected to an access port
assigned to VLAN 20, and the server is connected to an access port in
VLAN 30. The workstation sends an untagged frame (containing the packet
destined for the database server) to its directly connected switch, Switch B.

Step 2
Switch B must send VLAN 20 traffic to Switch C, the default gateway for
that VLAN. The Switch B port that connects to Switch C must also support
VLAN 1 traffic, so the port is a trunk port, which supports multiple VLANs.
The trunk port must be configured to support VLAN 20. (If VLAN 20 is not
permitted, the trunk port will discard the frame.)

Switch B inserts the 802.1Q tag into the Ethernet frame and sends it to
Switch C.

Step 3
Switch C receives the frame on a trunk port that permits VLAN 20. Switch C
then checks its routing table and determines that it must route the packet to
VLAN 30 and forward it to Switch D. The Switch C port that connects to
Switch D is configured as a trunk port that permits VLAN 30. Switch C adds
a new Ethernet header and inserts the 802.1Q tag in the frame.

Step 4
Switch D receives the frame on a trunk port that permits VLAN 30. Switch D
checks its MAC table and determines it must forward the frame to the
access port that connects to the destination database server. (If this entry
was not in the switch’s MAC table, the switch would flood an ARP request
in VLAN 30 to resolve the IP address.) Switch D removes the 802.1Q field
from the frame and forwards it to the server.
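The whole path, from the routing example (Steps 1 to 5) through the ProVision tagging steps and the Comware access/trunk version above, as one added example that is not from the course. It builds the frame the workstation sends, classifies and tags it on each port, rewrites the Ethernet header at Switch C using a direct route, and strips the tag at the server's untagged port; a frame offered to a trunk that does not permit its VLAN is discarded. Switch C's and the server's MAC addresses are the ones the course gives; the workstation MAC, the port memberships and the IP header contents are constructed:

```python
"""Packet routed between VLANs with MAC rewriting and 802.1Q tagging.

Added example, not HP code. It follows the steps on this page: workstation
-> Switch B -> Switch C (Layer 3) -> Switch D -> database server. Switch C's
MAC (00-1D-B3-F1-EF-40) and the server's MAC (00-E0-52-F0-4C-0F) come from
the course example; the workstation MAC and port VLAN memberships are
constructed. TTL decrement and IP checksum handling are omitted.
"""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))

WORKSTATION_MAC = mac("00-00-5E-00-53-01")  # constructed (IANA documentation range)
SWITCH_C_MAC = mac("00-1D-B3-F1-EF-40")     # Switch C, default gateway 10.1.20.1
SERVER_MAC = mac("00-E0-52-F0-4C-0F")       # database server 10.1.30.101

# Port membership in ProVision terms: one untagged VLAN plus tagged VLANs.
# A Comware access port is the untagged-only case; a Comware trunk port is
# the PVID (untagged) plus the permitted (tagged) VLANs.
B_TO_WORKSTATION = {"untagged": 20, "tagged": set()}
B_TO_C = {"untagged": 1, "tagged": {10, 20, 30}}
C_TO_B = {"untagged": 1, "tagged": {10, 20, 30}}
C_TO_D = {"untagged": 1, "tagged": {30}}
D_TO_C = {"untagged": 1, "tagged": {30}}
D_TO_SERVER = {"untagged": 30, "tagged": set()}

def ipv4_header(src, dst, ttl=64, proto=17):
    """Minimal 20-byte IPv4 header (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_frame(dst_mac, src_mac, payload):
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload

def vlan_id(frame):
    """VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]

def untag(frame):
    return frame[:12] + frame[16:]

def ingress(port, wire_frame):
    """Classify a received frame into a VLAN. Untagged frames join the port's
    untagged VLAN; tagged frames are accepted only for VLANs the port carries.
    Returns (vid, untagged_frame), or None if the frame is discarded."""
    vid = vlan_id(wire_frame)
    if vid is None:
        return port["untagged"], wire_frame
    return (vid, untag(wire_frame)) if vid in port["tagged"] else None

def egress(port, vid, frame):
    """Transmit a frame (held untagged inside the switch) in VLAN vid. Returns
    the on-wire frame, or None if the port does not carry that VLAN (a trunk
    that does not permit the VLAN discards the frame)."""
    if vid == port["untagged"]:
        return frame
    return tag(frame, vid) if vid in port["tagged"] else None

def route(frame, router_mac, next_hop_mac):
    """Switch C's Layer 3 step: accept a frame addressed to its own MAC and
    replace the Ethernet header. With a direct route next_hop_mac is the
    destination's own MAC (resolved with ARP); with an indirect route it
    would be the next-hop router's MAC."""
    if frame[:6] != router_mac:
        return None
    return next_hop_mac + router_mac + frame[12:]

def trace_packet():
    """Return [(link, vlan_tag_on_wire, destination_mac)] for each link."""
    ip = ipv4_header("10.1.20.53", "10.1.30.101")
    hops = []
    # Step 1: the workstation addresses the frame to its default gateway.
    wire = build_frame(SWITCH_C_MAC, WORKSTATION_MAC, ip)
    hops.append(("workstation->B", vlan_id(wire), wire[:6]))
    # Step 2: Switch B forwards at Layer 2 on a port tagged for VLAN 20.
    vid, frame = ingress(B_TO_WORKSTATION, wire)
    wire = egress(B_TO_C, vid, frame)
    hops.append(("B->C", vlan_id(wire), wire[:6]))
    # Steps 3-4: Switch C routes to VLAN 30 (direct route) and retags.
    vid, frame = ingress(C_TO_B, wire)
    wire = egress(C_TO_D, 30, route(frame, SWITCH_C_MAC, SERVER_MAC))
    hops.append(("C->D", vlan_id(wire), wire[:6]))
    # Step 5: Switch D forwards at Layer 2 and strips the tag for the server.
    vid, frame = ingress(D_TO_C, wire)
    wire = egress(D_TO_SERVER, vid, frame)
    hops.append(("D->server", vlan_id(wire), wire[:6]))
    assert wire[14:] == ip  # the IP packet itself is carried unchanged
    return hops

if __name__ == "__main__":
    for link, vid, dst in trace_packet():
        print(f"{link:16} VLAN tag: {str(vid):5} dst MAC: {dst.hex('-')}")
```

The destination MAC changes exactly once, at Switch C, while the IP destination never changes: that is the whole difference between the Layer 2 hops (B and D) and the Layer 3 hop (C). The tag is present only on the switch-to-switch links, which is why a capture on the workstation or server port shows untagged frames.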

VLANs on HP ProVision and Comware switches

The table summarizes how port-based VLANs are supported on ProVision
and Comware switches. (Both ProVision and Comware switches support
advanced VLANs. To learn more about VLANs, attend the Building SMB
Networks with HP Technologies course.)

Switch-to-switch links (carry traffic in multiple VLANs)
  ProVision switches:
  • Maximum of one untagged VLAN membership (which is by default VLAN 1)
  • Multiple tagged VLAN memberships
  Comware switches:
  • Trunk port, which is configured to “permit” multiple VLANs
  • PVID, which is the untagged VLAN, and multiple tagged VLANs

Connection to devices that do not support 802.1Q
  ProVision switches: untagged VLAN membership (in the appropriate VLAN)
  Comware switches: access port (in the appropriate VLAN)

Summary
In this module, you learned about the following:

• When a Layer 3 switch or router is required to route traffic
• What information a Layer 3 switch requires to route traffic
• How routing information is displayed in HP Comware and ProVision
switches
• How static and default routes are used to ensure traffic reaches its
destination
• How VLAN tagging works with Layer 3 routing

Link Aggregation
Module 5

Module 5: Link Aggregation

Module objectives

This module explains how to use link aggregation to increase bandwidth on
selected network links. You will first learn about Link Aggregation Control
Protocol (LACP), the industry-standard protocol for establishing aggregated
links. You will then learn how link aggregation is implemented on HP
ProVision and Comware switches.

After completing this module, you will be able to:

• Explain how dynamic and static aggregated links are implemented on HP
switches
• Explain how aggregated links support VLANs on HP switches
• Describe the basic similarities and differences between Link Aggregation
Control Protocol (LACP) and HP port trunking


Ever-increasing bandwidth requirements

Business networks deliver critical services for both employees and
customers. With both employees and customers accessing bandwidth-
intensive and delay-sensitive applications, network bandwidth must
increase to keep pace with demand. Also, as businesses move toward a
converged infrastructure, network bandwidth must be sufficient to deliver all
the services the network supports.


Benefits of link aggregation

Link aggregation allows multiple physical links to function as a single logical
link, increasing the available bandwidth for the devices using that link. Link
aggregation provides a scalable, cost-effective way to increase bandwidth.

For example, a company may be using 1-GbE links. If the switches provide
enough ports, the company can aggregate some of these 1-GbE links to
increase the available bandwidth between particular switches. This solution
offers a cost-effective alternative to purchasing 10-GbE links.

In addition to increasing bandwidth, link aggregation adds resiliency to the
link. If one link in the aggregated group fails, the remaining links can still
carry traffic.


LACP: the industry standard

• Static LACP
• Dynamic LACP

Introduction
As is often the case, individual vendors saw the need to provide more
bandwidth and developed proprietary technologies to aggregate links. To
standardize aggregated links for multivendor environments, IEEE
developed the Link Aggregation Control Protocol (LACP). The original
standard is known as 802.3ad, but it has been subsequently updated to
802.1AX-2008. However, LACP is still frequently referred to as the 802.3ad
standard.

LACP allows you to create aggregated links between any two devices that
support the standard. For example, you can create links between any two
switches that support LACP or between a server and a switch.

LACP defines two types of aggregated links: static (or manual) and dynamic.

Static
With static LACP, aggregated links are established or configured manually.
If one of the connections in the aggregated links fails, the LACP-enabled
devices detect the failure but continue forwarding traffic on the remaining
connections.

Dynamic
With dynamic LACP, aggregated links are established automatically, using
the negotiation process outlined in the LACP standard. (You will learn about
this negotiation process later in this module.) If one of the connections in
the aggregated links fails, the LACP-enabled devices can automatically add
a standby connection, if one has been configured. If a standby connection
has not been configured, the devices continue forwarding traffic on the
remaining connections in the aggregated link.


LACP requirements

The LACP standard outlines some requirements for physical links that will
be part of the aggregated link:

• All links must operate in full duplex (FDx) mode.
• All links must be the same media type (such as 10/100/1000Base-T or
100FX) and speed.
• The links must be established between two devices.

Once the aggregated link is established, LACP ensures the physical links
continue using the same speed and duplex settings.


Dynamic LACP link negotiation

Switches configured to use dynamic LACP exchange LACPDUs, which include:

• Source MAC address
• System identifier
• Port priority

Introduction
When configured to use dynamic LACP, switches use LACP data units
(LACPDUs) to exchange information and establish a dynamic aggregated
link. Exchanging LACPDUs allows devices to determine if links can be
aggregated. For example, the devices determine if all of the links are the
same media type and speed. LACPDUs also allow devices to manage the
aggregated link, including handling failovers and adding or removing
physical links.

Source MAC
Like all Ethernet frames, the LACPDU contains the MAC address of the
sending device.

System identifier
The system identifier is the concatenation of a MAC address and the LACP
system priority. The LACP standard allows the switch to use its own MAC
address or a MAC address that is assigned to one of the ports in the
aggregated link. The system priority is a user-configurable number, which is
used to determine which switch will select the ports that are active in the
aggregated link. The switch that has the lower system priority will select the
active ports.


Port priority
The port priority is a user-configurable number that is used to determine
which ports are active and which are standby. Ports that have lower port
priority numbers will be used for active links before those with higher port
priority numbers.

Dynamic LACP: active and passive

Introduction
A dynamic LACP port can operate in one of two states: active or passive.

Passive
Passive ports listen for LACPDUs. If passive ports receive an LACPDU
from an active port, they respond with their own LACPDU.

Active
Active ports transmit LACPDUs to advertise that they can create
aggregated links.

Establishing the link

Two directly connected dynamic LACP ports exchange LACPDUs and
establish a link only if at least one port is active. If both ports are in a
passive state, no LACPDUs are exchanged because both ports listen for
LACPDUs and do not send LACPDUs until they receive one.

Both ports can be active, however. In this configuration, both ports will
advertise that they support LACP, respond to the other port’s
advertisement, and establish the aggregated link.

Conversations

Introduction
LACP provides guidelines for managing traffic transmitted over the
aggregated link, based on what it defines as a conversation. Simply put, a
conversation is a one-way communication between a source device and a
destination device.

Select a physical link

An LACP-enabled device identifies a conversation using the destination
MAC address and the source MAC address in the Ethernet frame and then
assigns the conversation to a particular physical connection in the
aggregated link. In the example shown here, the conversation between the
workstation and the server has been assigned to Link 2. All of the frames
that the workstation sends to the server in this communication session will
be sent over Link 2 unless, of course, Link 2 fails.

If the server responds to the workstation, a new conversation begins. The
server’s directly connected switch will assign that conversation to one of the
physical connections in the aggregated link. It does not have to assign that
conversation to Link 2.

Manage a conversation
The LACP standard stipulates that an LACP-enabled device should
transmit all the frames in a given conversation over the same physical
connection within the aggregated link. If it is necessary to move a
conversation (if the physical connection becomes unavailable, for example),
the LACP-enabled device must ensure that the destination device has
successfully received all of the frames already transmitted in that
conversation.

Recognize when the conversation ends

When a source device stops sending frames to the destination device, the
conversation ends. The next time the workstation starts sending frames to
the server, the switch considers it a new conversation and assigns it to a
link, which may or may not be Link 2.


Link aggregation terminology

Before you begin learning how to implement link aggregation on HP
Comware and ProVision switches, you should be aware of some
differences in terminology.

• On HP Comware switches, link aggregation is referred to as bridge
aggregation. The logical interface is called an aggregate interface.
• On HP ProVision switches, link aggregation has traditionally been
referred to as port trunking. The logical interface is called a trunk. (Be
careful to distinguish this term from the Comware term trunk port, which
carries traffic for multiple VLANs.)
• On Cisco switches, an aggregated link is called an EtherChannel.

HP ProVision switches: LACP or port trunking

• Static aggregated link
• Dynamic aggregated link

Introduction
ProVision switches support two methods for creating aggregated links:

• LACP, which can be used to create static or dynamic aggregated links
• Port trunking, which can be used to create static aggregated links

Port trunking has been an option on HP switches since the mid-1990s. With
port trunking, HP recommends that all links in the same trunk group use the
same speed, duplex, and flow control settings. In addition, the physical links
establishing the aggregated link must start and end on the same switch.
(Later in this module, you will learn about distributed trunking, which allows
one switch to establish a trunk with two remote devices.)

Static aggregated link

A static aggregated link created through LACP or port trunking is configured
and maintained manually. It recognizes only those ports that you configure
as part of the link; you cannot configure standby ports (which could become
active if one of the ports in the aggregated link failed).

Dynamic aggregated link

A dynamic aggregated link is automatically established and maintained by
LACP. (Port trunking does not support dynamic links.)

A dynamic aggregated link also supports standby physical links, which
provide additional failover if a functioning physical link within the aggregated
link becomes unavailable. Standby physical links are typically not counted
in the maximum allowed number of physical links for an aggregated link.
This allows you to set up an aggregated link with the maximum number of
physical links allowed by the switch (a number that varies from switch to
switch) and designate standby links, thereby providing maximum bandwidth
and redundancy.

HP ProVision switches: configuring static aggregated links

• Command syntax
• LACP example
• Port trunking example

Introduction
You will now take a quick look at the process of configuring a static
aggregated link on ProVision switches.

When creating a trunk, you should configure the trunk on the switch before
connecting the cables. If you connect the cables first, you will create a
network loop, unless you have enabled Spanning Tree Protocol (STP) or
another protocol for managing redundant links.

You should also complete the static trunk configuration on both switches
before the redundant links are connected.

Command syntax
When you configure static aggregated links on ProVision switches, you use
the trunk command:

Switch(config)# trunk <port numbers> <trunk name> <lacp | trunk>

You specify the following options:

• Port numbers: If you are making non-contiguous ports part of the link,
use commas to separate the ports. For a range of ports, use a hyphen.
For example: a1,b1,c1 or a3-a10.
• Trunk name: To name the trunk, you include a number after trk. For
example, you might create trk1 or trk5.
• LACP or trunk: Specify lacp (for LACP) or trunk (for port trunking) to
create the static trunk.

LACP example
For example, to create a static LACP trunk with ports A1, B7, and C3 and
name it Trk1, enter:

Switch(config)# trunk a1,b7,c3 trk1 lacp

Port trunking example

For example, to create a static trunk (using port trunking) with ports A1 to
A7 and name it Trk2, enter:

Switch(config)# trunk a1-a7 trk2 trunk

HP ProVision switches: configuring dynamic aggregated links

To configure a dynamic LACP aggregated link on ProVision switches, you use the interface command.
Switch(config)# interface <port numbers> lacp [active | passive]

Remember that you use commas to separate non-contiguous ports and a hyphen for a range of contiguous ports. Then,
specify if you want this port to be active or passive. For example:

Switch(config)# interface a1,b7 lacp active

After you create a dynamic LACP aggregated link, the switch automatically names it Dynx, replacing x with the next
available number. For example, the first dynamic LACP aggregated link is called Dyn1.

HP ProVision switches: VLANs and aggregated links

• Configuring VLANs on static aggregated links
• Using GVRP to provide VLAN support on dynamic aggregated links

Introduction
Creating an aggregated link affects any existing VLAN memberships on the
ports that you assign to the aggregated link. Specifically, all VLAN
memberships are removed from the port. For example, suppose port 24 is a
tagged member of VLANs 10, 20, and 30. If you make port 24 a member of
an aggregated link, all those VLAN memberships are removed.

When the aggregated link is configured, it automatically becomes an
untagged member of the switch’s default VLAN, VLAN 1.

Typically, you want an aggregated link to carry traffic from more than one
VLAN. The steps you take to allow the aggregated link to support multiple
VLANs vary, depending on whether the link is static or dynamic.

Static aggregated link

With static aggregated links, you can simply make the aggregated link a
member of a VLAN. You configure the aggregated link just as you would a
port. For example, if you wanted to make Trk1 a tagged member of VLAN
10, you would enter:

Switch(config)# vlan 10 tagged trk1

You can check VLAN membership by using the show run command. As
you can see, the port will be listed under the VLANs to which it belongs.

Dynamic aggregated link

On ProVision switches, you cannot manually assign a dynamic aggregated
link to a VLAN. Instead, you must use GARP VLAN Registration Protocol
(GVRP) to allow the aggregated link to carry traffic from multiple VLANs.

To view information about the link, use the show lacp command.

HP ProVision switches: load distribution

Introduction
One of the benefits of using link aggregation is that switches can distribute
conversations across the physical connections within the aggregated link.
Because the LACP standard does not require devices to use a specific
algorithm to distribute conversations, each switch vendor uses its own
algorithm.

Distributing conversations
When you implement an aggregated link on a ProVision switch, it identifies
each conversation that is transmitted across the link. Earlier in this module
you learned that a conversation is a one-way communication between a
source device and a destination device. By default, the HP 3500, 3800,
5400 zl, 6200 yl, 6600, and 8200 zl Switch Series use Layer 3 or Layer 2
information to identify a conversation and then apply an algorithm to
distribute the conversations across the connections in the aggregated link.
If a Layer 3 IP address is available, the switch's calculation will include the
last five bits of the IP source address and IP destination address. For other
traffic, the switch will use the source and destination MAC addresses.
Rather than use the default setting, you can configure the switch to use
Layer 4 information (UDP or TCP ports) for load balancing. (A detailed
discussion of using Layer 4 information for load balancing is beyond the
scope of this course. Check your switch documentation for more
information.)

The number of possible outcomes of the hashing operation used in the
algorithm is equal to the number of links in the trunk. On a ProVision switch,
load distribution becomes more evenly balanced as the number of
conversations and links increases.

As shown in this example, when a workstation sends a frame to the server,
that frame and all subsequent frames that the workstation sends to the
server during that communication session constitute a conversation and will
be assigned to the same link.

Building a table of conversations

As the switch assigns a conversation to a link, it adds information about the
conversation to its internal table. The two switches that have established
the aggregated link build their tables independently of one another. That is,
each switch is unaware of the other switch’s table and does not take this
into account when making link assignments.

In this example, the switch directly connected to the workstation assigned
the conversation to link 4. The switch directly connected to the server,
however, assigned the return traffic (which is a different conversation) to
link 2.
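
To make the conversation handling described above concrete, here is an added Python model (not HP's code) of one end of a ProVision trunk: it pins each conversation to one link, keeps a table per switch so the reply is assigned independently, and reassigns conversations when a link fails. The page gives only the inputs to the hash (the last five bits of the source and destination IP addresses) and its number of outcomes; the combining function, the switch names and the addresses are assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Added model of conversation-based load distribution on a ProVision trunk
# (example code, not HP's algorithm). The page states only that the Layer 3
# calculation includes the last five bits of the source and destination IP
# addresses and that the hash has as many outcomes as the trunk has links;
# the combining function below (31 * src5 + dst5, reduced modulo the link
# count) is an assumption made here. Non-IP traffic, which the page says is
# hashed on MAC addresses, is not modelled.


def last_five_bits(ip: str) -> int:
    return int(ipaddress.ip_address(ip)) & 0x1F


def hash_index(src_ip: str, dst_ip: str, n_links: int) -> int:
    """Index (0..n_links-1) of the link a src -> dst conversation maps to."""
    return (31 * last_five_bits(src_ip) + last_five_bits(dst_ip)) % n_links


class TrunkEnd:
    """One switch at one end of the aggregated link. Each end keeps its own
    conversation table and never consults the far end's table, so the reply
    conversation may use a different link than the request."""

    def __init__(self, name: str, n_links: int) -> None:
        self.name = name
        self.links: List[int] = list(range(1, n_links + 1))  # live link numbers
        self.table: Dict[Tuple[str, str], int] = {}          # conversation -> link

    def send(self, src_ip: str, dst_ip: str) -> int:
        """Return the link carrying this frame. The first frame pins the
        conversation; every later frame reuses the table entry."""
        key = (src_ip, dst_ip)
        if key not in self.table:
            self.table[key] = self.links[hash_index(src_ip, dst_ip, len(self.links))]
        return self.table[key]

    def link_failed(self, link: int) -> None:
        """Remove a failed link and forget the conversations pinned to it so
        their next frame is reassigned across the surviving links."""
        self.links.remove(link)
        for key in [k for k, v in self.table.items() if v == link]:
            del self.table[key]

    def distribution(self) -> Counter:
        """How many pinned conversations each live link currently carries."""
        return Counter(self.table.values())


# Constructed sample addresses (documentation ranges).
WORKSTATION = "192.0.2.17"
SERVER = "198.51.100.12"


def request_and_reply() -> Tuple[int, int]:
    """Workstation -> server through its own switch, reply through the
    server's switch: two conversations, two independent assignments."""
    switch_a, switch_b = TrunkEnd("SwitchA", 4), TrunkEnd("SwitchB", 4)
    request_link = switch_a.send(WORKSTATION, SERVER)
    switch_a.send(WORKSTATION, SERVER)              # later frames stay pinned
    reply_link = switch_b.send(SERVER, WORKSTATION)
    return request_link, reply_link


def many_conversations(n_hosts: int = 64, n_links: int = 4) -> Counter:
    """Distribution after n_hosts workstations each start a conversation with
    the server; it evens out as conversations and links increase."""
    switch_a = TrunkEnd("SwitchA", n_links)
    for host in range(1, n_hosts + 1):
        switch_a.send(f"192.0.2.{host}", SERVER)
    return switch_a.distribution()


def failover() -> Tuple[int, int]:
    """Link used by the workstation's conversation before and after that
    link fails."""
    switch_a = TrunkEnd("SwitchA", 4)
    before = switch_a.send(WORKSTATION, SERVER)
    switch_a.link_failed(before)
    after = switch_a.send(WORKSTATION, SERVER)
    return before, after


if __name__ == "__main__":
    print("request/reply links:", request_and_reply())
    print("64 conversations over 4 links:", dict(many_conversations()))
    print("before/after link failure:", failover())
```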

HP ProVision switches: distributed trunking

Introduction
In addition to static and dynamic aggregated links, some ProVision switches
support distributed trunking, which provides high availability and load
sharing for server-to-switch connections or switch-to-switch connections.

Server-to-switch distributed trunking

Distributed trunking allows you to establish multiple connections between
two switches, which work together to form one side of the aggregated link,
and a device (such as a switch or a server), which forms the other side of
the connection. If the connection between one distributed trunking (DT)
switch and the server fails or if a DT switch becomes unavailable, the
server sends all traffic to the remaining DT switch.

When HP introduced server-to-switch distributed trunking, it supported only
LACP. With subsequent software updates on the switches that support this
feature, these server-to-switch distributed trunks can also be created using
HP port trunking.

Switch-to-switch distributed trunking

Distributed trunking also allows you to connect two distributed trunking (DT)
switches to another switch, which is called the distributed trunking device.
The trunk appears to the distributed trunking device—in this example,
switch 3—as if it is connected to a single device. The distributed trunking
device must support LACP or be able to form a trunk with a switch that is
using HP port trunking.

Benefits of distributed trunking

Like traditional aggregated links, distributed trunking increases bandwidth,
thereby improving performance. It also improves performance because the
distributed trunking (DT) switches load share traffic across the physical
connections in the distributed trunk. Performance is enhanced even more
because the traffic can be handled by one of two DT switches.

In addition to increasing bandwidth, distributed trunking provides
device-level redundancy and link-failure protection. If one of the DT switches
becomes unavailable, the distributed trunking device continues to send and
receive traffic through its connection to the other DT switch. Likewise, if one
of the links in the distributed trunk becomes unavailable, the distributed
trunking device (the switch or server connected to the two DT switches)
simply sends and receives traffic over the other links in the distributed trunk.

Support for distributed trunking

The following HP ProVision switches support distributed trunking:

• HP 3500 Switch Series
• HP 5400 zl Switch Series
• HP 6200-24G-mGBIC yl Switch
• HP 6600 Switch Series
• HP 8200 zl Switch Series
• HP 3800 Switch Series

With the exception of the 3800 Switch Series, these switches run the K.XX
software. Distributed trunking for server-to-switch connections was
introduced in the K.14 software release. The K.15.03 software release
allowed you to use port trunking to create server-to-switch distributed
trunks, and the K.15.05 software added support for switch-to-switch
distributed trunking.

The 3800 Switch Series runs the KA.XX software and supported server-to-
switch distributed trunking in the initial release. The KA.15.09 software
release provided support for switch-to-switch distributed trunking.

HP Comware switches: static and dynamic bridge aggregation

As you learned earlier, link aggregation is called bridge aggregation on
Comware switches. Comware switches support two types of bridge
aggregation:

• Static bridge aggregation—The Comware switches do not use LACP
for static bridge aggregation.
• Dynamic bridge aggregation—The Comware switches exchange
LACPDUs to set up dynamic bridge aggregation. Because the switches
are using a protocol for the bridge aggregation, the term “dynamic” is
used to describe the configuration. Based on the LACP standard,
however, the switches are actually using the static LACP operational
mode.

HP Comware switches: aggregation groups

Configuration   Example settings                                  Affects aggregation state?
Port            Port rate; duplex mode; link status (up/down)     Yes
Class-one       GVRP VLANs; MSTP settings                         No
Class-two       Port type (trunk or access); default VLAN         Yes
                (for port); permitted VLANs*

* Due to space constraints, this course lists only some of the class settings.

Introduction
To configure bridge aggregation on Comware switches, you create an
aggregation group and assign ports to that group. When you add a port to
an aggregation group, that port can have one of two states:

• Selected: A selected port forwards traffic for the link aggregation group.
• Unselected: An unselected port cannot forward traffic for the link
aggregation group.

Settings that affect aggregation state

Certain settings affect a port’s aggregation state (whether it’s selected or
unselected). For the purposes of aggregation, configuration settings are
grouped into classes. The table shows that the class one settings do not
affect a port’s aggregation state, but port settings and class two settings do
affect this state.

HP recommends that before you create a link aggregation group, you
ensure that all ports that will be added to the group have the same port and
class two configuration settings.

After you add ports to a link aggregation group, any additional class two
configurations made to a link aggregation group are automatically
synchronized to all of its member ports. These configurations are retained
on the member ports after they are removed from the link aggregation
group.

Reference ports
For each link aggregation group, Comware switches select a reference port.
The switches use the reference port to help determine the aggregation state
of each port. Simply put, the switches compare the port attributes and
class-two configurations of other member ports to those of the reference
port. The ports with settings that match the reference port can be selected
(if they meet other criteria as well).

The process for selecting this reference port differs slightly, depending on if
the link aggregation group is static or dynamic.

HP Comware switches: selecting a reference port for static aggregation groups

Criteria used for selecting a port in the static aggregation groups

Introduction
Now let’s take a look at how the switches select a reference port for static
link aggregation groups.

Initial selection criteria

For static link aggregation groups, a Comware switch selects a reference
port from member ports that:

• Are in the up state
• Have the same class two configuration settings as the aggregate
interface

Next selection criteria

After the switch identifies the ports that are up and have the same class two
configuration settings, it then applies the following selection criteria in the
order listed:

• Full-duplex, high-speed
• Full-duplex, low-speed
• Half-duplex, high-speed
• Half-duplex, low-speed

In other words, the switch will select a port operating in full-duplex, whether
it is a high-speed or low-speed port, before it will select a port operating in
half-duplex.

Final selection criteria

If two or more ports have the same duplex mode and speed, the switch
selects the port with the lower port number.

HP Comware switches: aggregation state of static port members

Introduction
Once the switch selects the reference port, it determines the aggregation
state of each member port in the static link aggregation group.

Does the port support the reference port’s line speed and duplex
mode?
If the answer is yes, the switch applies the next criterion.

If the answer is no, the port’s aggregation state is set to unselected.

Is the port up or down?
If the answer is up, the switch applies the next criterion.

If the answer is down, the port’s aggregation state is set to unselected.

Do the port attributes and class two configurations match those of the
reference port?
If the answer is yes, the switch applies the next criterion.

If the answer is no, the port’s aggregation state is set to unselected.

Has the link aggregation group reached the maximum number of
links?
If the answer is yes, the port’s aggregation state is set to unselected.

If the answer is no, the port’s aggregation state is set to selected.

Depending on why the ports have been set to unselected, they might be
used as standby links in case the selected links become unavailable. For
example, if a port is unselected because the link aggregation group reached
its maximum number of ports, the port’s state could be changed to selected
if another selected port fails.
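
The reference-port selection rules from the previous section and the four state checks above, implemented as an added Python model (not HP's code). The port values and the ClassTwo representation of class-two settings are constructed sample data, and the order in which ports are counted against the group maximum is an assumption, since the page does not state it.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Added model of reference-port selection and member-port state for a
# Comware static aggregation group (example code, not HP's implementation).
# ClassTwo is a constructed stand-in for the class-two settings the page
# lists (link type, default VLAN, permitted VLANs); the ports below are
# constructed sample data.
ClassTwo = Tuple[Tuple[str, str], ...]


def class_two(**settings: str) -> ClassTwo:
    return tuple(sorted(settings.items()))


@dataclass(frozen=True)
class Port:
    number: int
    up: bool
    full_duplex: bool
    speed_mbps: int
    class_two: ClassTwo


def select_reference_port(members: List[Port], aggregate: ClassTwo) -> Optional[Port]:
    """Candidates are up ports whose class-two settings match the aggregate
    interface. Among them, full duplex beats half duplex, higher speed beats
    lower speed, and the lowest port number breaks the remaining tie."""
    candidates = [p for p in members if p.up and p.class_two == aggregate]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (not p.full_duplex, -p.speed_mbps, p.number))


def aggregation_states(members: List[Port], aggregate: ClassTwo,
                       max_links: int) -> Dict[int, Tuple[str, str]]:
    """Apply the page's four checks, in its order, to every member port and
    return (state, reason) per port number. Ports are walked reference port
    first, then by ascending port number (an assumption; the page gives no
    walk order)."""
    ref = select_reference_port(members, aggregate)
    if ref is None:
        return {p.number: ("unselected", "no reference port") for p in members}
    walk = [ref] + sorted((p for p in members if p != ref), key=lambda p: p.number)
    states: Dict[int, Tuple[str, str]] = {}
    selected = 0
    for p in walk:
        if (p.full_duplex, p.speed_mbps) != (ref.full_duplex, ref.speed_mbps):
            states[p.number] = ("unselected", "speed or duplex differs from reference port")
        elif not p.up:
            states[p.number] = ("unselected", "port is down")
        elif p.class_two != ref.class_two:
            states[p.number] = ("unselected", "class-two settings differ from reference port")
        elif selected >= max_links:
            # Unselected only because the group is full: a standby candidate.
            states[p.number] = ("unselected", "group is full; standby")
        else:
            states[p.number] = ("selected", "reference port" if p == ref else "matches reference port")
            selected += 1
    return states


def with_port_down(members: List[Port], number: int) -> List[Port]:
    """Copy of the member list with one port's link down, to show a standby
    port becoming selected when a selected port fails."""
    return [replace(p, up=False) if p.number == number else p for p in members]


TRUNK = class_two(link_type="trunk", default_vlan="1", permitted_vlans="100,200")
TRUNK_100 = class_two(link_type="trunk", default_vlan="1", permitted_vlans="100")

MEMBERS = [
    Port(1, True, True, 1000, TRUNK),
    Port(2, True, True, 1000, TRUNK),
    Port(3, True, False, 1000, TRUNK),      # half duplex
    Port(4, True, True, 1000, TRUNK_100),   # permitted VLANs differ
    Port(5, False, True, 1000, TRUNK),      # link down
    Port(6, True, True, 1000, TRUNK),       # healthy, but the group is full
    Port(7, True, True, 100, TRUNK),        # low speed
]
MAX_LINKS = 2


if __name__ == "__main__":
    print("reference port:", select_reference_port(MEMBERS, TRUNK).number)
    for number, (state, reason) in sorted(aggregation_states(MEMBERS, TRUNK, MAX_LINKS).items()):
        print(f"port {number}: {state} ({reason})")
    print("port 6 after port 2 fails:",
          aggregation_states(with_port_down(MEMBERS, 2), TRUNK, MAX_LINKS)[6])
```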

HP Comware switches: reference port for dynamic link aggregation groups

Introduction
For dynamic aggregation groups, the Comware switches use a different
process for selecting the reference port. The two switches setting up a
dynamic link use a two-step process:

• They select the switch on which the reference port will reside.
• The selected switch determines the reference port.

Selecting the switch

To select which switch will host the reference port, the two switches
compare their LACP system priority. The switch with the lower priority
number is selected. If the switches have the same LACP priority, the switch
with the lowest MAC address is selected.

Selecting the reference port

The selected switch determines the reference port based on which port in
its link aggregation group has the lowest LACP port priority. If two ports
have the same port priority, the switch will select the port with the lowest
port number.

HP Comware switches: aggregation state of dynamic member ports

During the process of selecting a reference port, the two switches forming a
dynamic aggregated link identified which switch has the lower LACP system
priority. In addition to selecting the reference port, this switch effectively
determines the aggregation state (selected or unselected) for member ports
on both switches.

The switch uses the same criteria to determine the aggregation state for
dynamic aggregate ports as it does for static aggregate ports. For dynamic
link aggregation, however, the switch adds another criterion: it checks that
the port attributes and class two configuration settings of each peer port
match those of the peer port that connects to the reference port.
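
An added Python model (not HP's code) of the two-step dynamic process from the previous section together with the extra peer-port criterion described above: the switches pick the reference switch by system priority and MAC address, that switch picks its reference port by port priority and port number, and it then sets the state of ports on both sides. Switch names, MAC addresses, priorities and the cabling map are constructed sample values; the walk order is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added model of how the two switches forming a Comware dynamic (LACP)
# aggregation group pick the reference switch and reference port, and how
# that switch then sets the aggregation state of ports on both sides
# (example code, not HP's implementation). Switch names, MAC addresses,
# priorities and the port wiring are constructed sample values.
ClassTwo = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class LacpPort:
    number: int
    port_priority: int
    class_two: ClassTwo
    up: bool = True
    full_duplex: bool = True
    speed_mbps: int = 1000

    def attributes(self) -> tuple:
        """Port attributes plus class-two settings, as compared by the switch."""
        return (self.up, self.full_duplex, self.speed_mbps, self.class_two)


@dataclass
class LacpSwitch:
    name: str
    system_priority: int
    mac: str
    ports: List[LacpPort]

    def port(self, number: int) -> LacpPort:
        return next(p for p in self.ports if p.number == number)


def select_reference_switch(a: LacpSwitch, b: LacpSwitch) -> LacpSwitch:
    """The lower LACP system priority number wins; equal priorities are
    broken by the lower MAC address."""
    return min((a, b), key=lambda s: (s.system_priority, int(s.mac.replace(":", ""), 16)))


def select_reference_port(switch: LacpSwitch) -> LacpPort:
    """Lowest LACP port priority number; ties go to the lowest port number."""
    return min(switch.ports, key=lambda p: (p.port_priority, p.number))


def dynamic_states(local: LacpSwitch, peer: LacpSwitch, links: Dict[int, int],
                   max_links: int) -> Dict[str, Dict[int, str]]:
    """`local` is the reference switch and `links` maps each of its port
    numbers to the peer port number it is cabled to. A local port is selected
    when it matches the reference port (the static criteria), its peer port
    matches the reference port's peer (the extra dynamic criterion), and the
    group is not yet full; its peer port gets the same state. Ports are
    walked reference port first, then by ascending number (an assumption)."""
    ref = select_reference_port(local)
    ref_peer = peer.port(links[ref.number])
    walk = [ref] + sorted((p for p in local.ports if p != ref), key=lambda p: p.number)
    states: Dict[str, Dict[int, str]] = {local.name: {}, peer.name: {}}
    selected = 0
    for p in walk:
        peer_port = peer.port(links[p.number])
        ok = (p.attributes() == ref.attributes()
              and peer_port.attributes() == ref_peer.attributes()
              and selected < max_links)
        state = "selected" if ok else "unselected"
        states[local.name][p.number] = state
        states[peer.name][peer_port.number] = state
        if ok:
            selected += 1
    return states


TRUNK = (("link_type", "trunk"), ("permitted_vlans", "100,200"))
TRUNK_100 = (("link_type", "trunk"), ("permitted_vlans", "100"))

SWITCH_A = LacpSwitch("SwitchA", 32768, "00:00:5e:00:53:01", [
    LacpPort(1, 32768, TRUNK),
    LacpPort(2, 100, TRUNK),             # lowest port priority number
    LacpPort(3, 32768, TRUNK),
    LacpPort(4, 32768, TRUNK, up=False),
])
SWITCH_B = LacpSwitch("SwitchB", 32768, "00:00:5e:00:53:02", [
    LacpPort(11, 32768, TRUNK),
    LacpPort(12, 32768, TRUNK),
    LacpPort(13, 32768, TRUNK_100),      # peer of A's port 3: permitted VLANs differ
    LacpPort(14, 32768, TRUNK, up=False),
])
LINKS = {1: 11, 2: 12, 3: 13, 4: 14}     # SwitchA port -> SwitchB port


def negotiate(a: LacpSwitch, b: LacpSwitch, links: Dict[int, int], max_links: int = 8):
    """Full two-step process: pick the reference switch, then let it decide."""
    ref_switch = select_reference_switch(a, b)
    if ref_switch is a:
        return ref_switch, dynamic_states(a, b, links, max_links)
    reverse = {v: k for k, v in links.items()}
    return ref_switch, dynamic_states(b, a, reverse, max_links)


if __name__ == "__main__":
    ref_switch, states = negotiate(SWITCH_A, SWITCH_B, LINKS)
    print("reference switch:", ref_switch.name,
          "reference port:", select_reference_port(ref_switch).number)
    for name, ports in states.items():
        print(name, dict(sorted(ports.items())))
```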

HP Comware switches: static versus dynamic aggregation links

This table summarizes the advantages and disadvantages of each type of link aggregation on Comware switches. Please
note that for dynamic link aggregation groups, a port’s state depends on the peer port’s state.

Type      Advantages                                    Disadvantages
Static    Aggregation is stable. A port’s aggregation   You must manually manage the aggregation
          state is not affected by other ports          state. The switch cannot change the
          within the group.                             aggregation state of ports to match their
                                                        peers’ aggregation state.
Dynamic   Linked switches automatically maintain        Depending on the network environment,
          link aggregation.                             aggregation can be unstable. A port’s
                                                        aggregation state is affected by the
                                                        network environment.

HP Comware switches: load sharing

You can configure load sharing:

• Globally
• Per aggregation group

Introduction
For both static and dynamic aggregation groups, Comware switches
provide flexibility in how traffic is distributed across the physical links in the
group. You can configure load sharing globally or per aggregation group.

Global
For the global setting, you can configure the switch to load share based on:

• Source IP address
• Destination IP address
• Source MAC address
• Destination MAC address
• Source IP address and destination IP address
• Source IP address and source port
• Destination IP address and destination port
• Source IP address, source port, destination IP address, and destination
port
• Any combination of incoming port, source MAC address, and destination
MAC address

Per aggregation group

If load sharing has been defined both globally and for a particular
aggregation group, the switch will apply the settings for the aggregation
group. For each aggregation group, you can configure the switch to load
share based on:

• Source IP address
• Destination IP address
• Source MAC address
• Destination MAC address
• Layer 1 Multiprotocol Label Switching (MPLS) label (which is used on
networks that support telecommunications)
• Destination IP address and source IP address
• Destination MAC address and source MAC address
• Layer 1 MPLS label and Layer 2 MPLS label

HP Comware switches: configuring static aggregation groups

To create a static link aggregation group on a Comware switch, you must be at the system view command level. Enter the
following command. Note that the default mode for aggregated links is static, so you do not have to include an option to
ensure that the link aggregation group is static.

[Switch] interface bridge-aggregation <number>
[Switch-Bridge-Aggregation1] quit

After you have created the static link aggregation group, you must move to a port interface view to add the port to the link
aggregation group.

[Switch] interface <interface name> <interface number>
[Switch-GigabitEthernet1/0/1] port link-aggregation group <number>

Repeat this step for each port interface that will be part of the link aggregation group.

HP Comware switches: configuring dynamic link aggregation groups

Just as you would for a static aggregate interface, you must first create a link aggregation group and assign it a number.

[Switch] interface bridge-aggregation 2

Because the default mode for link aggregation on Comware switches is static, you must set the mode to dynamic.

[Switch-Bridge-Aggregation2] link-aggregation mode dynamic
[Switch-Bridge-Aggregation2] quit

You then assign ports to the dynamic aggregate interface by accessing each port interface and entering the port link-aggregation group command.

[Switch] interface g1/0/22
[Switch-GigabitEthernet1/0/22] port link-aggregation group 2

You can also configure LACP options such as system priority and port priority. As you learned, system priority is used to
determine which switch will select the reference port and the aggregation state of all the ports in the link aggregation
group. Port priority is used in the process of determining which port is the reference port. Again, smaller numbers have a
higher priority.

5 –38 Rev. 13.31


Link Aggregation

Module 5: Link Aggregation

HP Comware switches: configuring VLANs on aggregate interfaces

You can configure VLANs for both static and dynamic aggregation groups. You use the same commands that you use to
configure VLANs for any interface on a Comware switch. For example, you can make an aggregation group a trunk port and
add permitted VLANs using these commands.

[Switch] interface bridge-aggregation 1
[Switch-Bridge-Aggregation1] port link-type trunk
[Switch-Bridge-Aggregation1] port trunk permit vlan 100 200


Summary

In this module you learned about the different link aggregation technologies
supported on HP ProVision and Comware switches. You should now have
a solid understanding of the following:

• Link aggregation is a cost-effective way to increase bandwidth and add
resiliency.
• LACP is the industry standard for link aggregation.
• HP ProVision switches support static aggregated links (which are
implemented through LACP or port trunking) or dynamic aggregated links
(which are implemented through LACP).
• Comware switches support static aggregated interfaces (which are not
implemented through LACP) and dynamic aggregated interfaces (which
are implemented through LACP).



Redundancy
Module 6

Module 6: Redundancy

Module Objectives

HP Comware and ProVision switches support a number of technologies that
provide redundancy and increase network uptime. This module focuses on
two:

• Spanning Tree Protocol (STP)
• HP Intelligent Resilient Framework (IRF)

After completing this module, you should be able to:

• Explain how spanning tree technologies are used in today’s networks
• Compare STP, Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Tree Protocol (MSTP)
• Describe the advantages of using HP IRF to provide network redundancy


Need for network redundancy

Networks deliver critical services to users. If a network is not designed to provide redundancy, a network link failure could
prevent users from accessing essential network services.
To protect against failures, you need to add redundant network links. However, simply adding links creates network
loops, which result in broadcast storms that make the network inaccessible. To function properly, an Ethernet network
must have only one active pathway between two devices.


Lesson 1

This lesson describes the basics of spanning tree, explaining how it enables
network redundancy and eliminates network loops. It first focuses on the
original standard, Spanning Tree Protocol (STP), and then describes the
enhancements provided by Rapid Spanning Tree Protocol (RSTP) and
Multiple Spanning Tree Protocol (MSTP).


STP overview

STP is an industry-standard link management protocol that supports path


redundancy while preventing network loops. STP automatically detects
redundant links, calculates the lowest cost path (or preferred path) through
the network, and then blocks all other redundant links.


If a link in the preferred path fails, STP automatically opens a new preferred
path so the traffic can be forwarded and will continue to reach its
destination. When creating this new path, STP changes the status of any
previously blocked links from “blocking” to “forwarding.”


STP convergence

Introduction
In spanning-tree terminology, the process of detecting redundant links and
calculating a preferred network path is called convergence. The first step in
the convergence process is to elect a root bridge, which serves as the
central point (or root) of the STP network. The root bridge is also
responsible for notifying other switches of any STP changes.

To elect a root bridge, the switches in an STP network exchange Bridge
Protocol Data Units (BPDUs).

Bridge ID
To elect a root bridge, switches in the same STP network compare bridge
IDs in BPDUs. The switch with the lowest bridge ID is elected the root
bridge.

Bridge priority and MAC address
A bridge ID has two parts:

• Bridge priority
• Media Access Control (MAC) address

You can configure the bridge ID on most STP-compliant devices, thereby
determining which device is elected the root bridge. By default, the bridge
priority for each switch is typically 32768.

Bridge ID

As you have learned, each switch has a default bridge priority. If all switches in an STP network are using the same bridge
priority—such as the default bridge priority—the switches must compare the other part of the bridge ID—their MAC
addresses.

In such an environment, the switch with the lowest MAC address is elected root bridge. However, the switch with the lowest
MAC address may not be the best candidate for root bridge. For example, it might be the oldest or slowest device.

Rather than leave the election of the root bridge to chance, you should select the switch you want to function as the root
bridge and change its bridge priority so that it is the lowest on the network. (You will learn how to configure the bridge ID
on a switch later in this module.)



Breaking down the election process

At the beginning of the convergence process, each switch sends a BPDU frame with its own bridge ID in the root ID field.

Each switch also analyzes the BPDUs it receives to determine if there is a bridge ID or root ID lower than its own. If a switch
finds a lower bridge ID or root ID value than what it has in its root ID field, it substitutes the lower value in its BPDU and
considers the switch with that bridge ID to be the root bridge.

At the end of the election process, all switches in the STP network recognize the switch with the lowest bridge ID as
the root bridge and insert the root bridge’s bridge ID into the root ID field of their BPDUs.

Switches constantly exchange BPDUs in an STP network. If switches stop receiving BPDUs from the root bridge for a set
period of time, they assume the root bridge has failed and begin a new election process.



Root path and root cost

After electing a root bridge, switches continue exchanging BPDUs to
determine the lowest cost path to the root bridge. This path is the preferred
path for traffic and is also called the root path.

To calculate a path cost, switches add the cost of all the links in a particular
path. STP assigns a cost for a link based on port speed: the higher the port
speed, the lower the cost. (Path costs were updated in RSTP. The costs
shown here are the RSTP costs.)

10 Gigabit = 2,000
1 Gigabit = 20,000
100 Mbps = 200,000
10 Mbps = 2,000,000

You can configure link costs for each link manually, although this practice is
not recommended.


Path costs

Connection Type   ProVision Default Path Costs   Comware Default Path Costs
10 Gbps           2,000                          2
1 Gbps            20,000                         20
100 Mbps          200,000                        200
10 Mbps           2,000,000                      2,000

Because path costs were updated in the RSTP standard, it is possible that some STP-enabled devices support the STP
standard by default while others support the RSTP standard. Some devices might also use their own path costs by default.
When implementing spanning tree, you should ensure that all devices are using the same path costs so they can accurately
calculate the root path.
For example, by default ProVision switches use the RSTP path costs while Comware switches use the path costs listed in
the table. You can easily configure the Comware switches to use the RSTP path costs, as you will learn later in this module.



Root path cost

As switches forward BPDUs, they add the cost of each link to the BPDUs’ root path cost field. Switches use this field to
compare the total path costs of each redundant path that leads from the switch to the root bridge.
The path with the lowest cost becomes the root path.



Root port and designated port


The switch’s port that leads to the root path is called the root port. In the
example network, the root path for Switch C leads directly to Switch A. The
Switch C port that connects to Switch A is the root port.

You may also encounter the term designated port when working with STP. A
designated port is a port that is active but is not the root port. Switches on a
spanning tree network use designated ports to send and receive frames to
a specific segment.

You should also know that on blocked links only one of the ports is actually
in a blocking state. (You will learn more about STP port states later in this
module.) This port is called the alternate port. The other side of the blocked
link is a designated port.


Using the bridge ID as the tie-breaker

After exchanging BPDUs with other switches, a switch might find that two or more paths have the same lowest cost. In
this case, the switch uses the bridge IDs of its STP neighbors as a tie-breaker. That is, the neighbor with the lowest bridge
ID has the lowest-cost path to the root bridge.
In this example network, Switch C has two paths to the root bridge, one path through Switch A and one path through
Switch D. Both paths have the same cost.
To choose the root path, Switch C compares the bridge priority of Switch A and Switch D. Path 1 becomes the root path
because switch A’s bridge priority is lower than switch D’s.

Path     Link cost        Path cost
Path 1   2,000 + 2,000    4,000
Path 2   2,000 + 2,000    4,000



Using the port ID as a tie breaker


If multiple links connect to the same switch, the bridge ID cannot be used
as the tie-breaker to determine the lowest-cost path.

For example, in the network shown here Switch B and Switch C are
connected with two links. Because both ports have the same STP neighbor
(with the same bridge ID), the switch uses the port ID, another field in the
BPDU, as the tie breaker. The port with the lowest port ID becomes the root
port, leading to the lowest path.

Similar to the bridge ID, the port ID includes a user-configurable field and a
vendor-assigned field. (The vendor-assigned field is a unique number
assigned to each port, with 256 possible values.)
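The election, root path cost and tie-breaker rules from the preceding pages, worked through in Python as an added example (this is not HP course material). The four-switch topology, MAC addresses and port numbers are constructed; link costs are the RSTP values the lesson lists, and ties are broken first by the neighbour's bridge ID and then by port ID, as described above.

```python
"""Simplified STP/RSTP root election and root port selection.

Added example, not HP course material. Rules modelled from the lesson: the
switch with the lowest bridge ID (priority, then MAC) is root; every other
switch picks the neighbour path with the lowest root path cost, breaking ties
by the neighbour's bridge ID and then by port ID. Topology, MAC addresses and
port numbers below are constructed.
"""
from dataclasses import dataclass, field

# RSTP per-link costs by port speed in Mbps, as listed in the lesson.
RSTP_PATH_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # default 32768 on most switches; lower wins
    mac: str       # vendor-assigned; compared only when priorities tie

@dataclass
class Switch:
    name: str
    bridge_id: BridgeID
    # local port id -> (neighbour name, neighbour port id, link speed in Mbps)
    ports: dict = field(default_factory=dict)

def link(switches, a, a_port, b, b_port, speed):
    """Wire one link between two switch ports."""
    switches[a].ports[a_port] = (b, b_port, speed)
    switches[b].ports[b_port] = (a, a_port, speed)

def elect_root(switches):
    """Root election: lowest bridge ID wins (priority first, then MAC)."""
    return min(switches.values(), key=lambda s: s.bridge_id)

def converge(switches):
    """Repeat the BPDU exchange until no switch improves its path to the root.

    Each non-root switch keeps the vector (root path cost, neighbour bridge ID,
    neighbour port ID, local port ID) of its best path; the lower tuple wins,
    which is the tie-break order the lesson describes.
    """
    root = elect_root(switches)
    best = {name: None for name in switches}
    best[root.name] = (0, root.bridge_id, 0, 0)  # the root is its own path
    changed = True
    while changed:
        changed = False
        for sw in switches.values():
            if sw is root:
                continue
            for local_port, (nbr, nbr_port, speed) in sw.ports.items():
                heard = best[nbr]
                if heard is None:
                    continue  # neighbour has not heard from the root yet
                candidate = (heard[0] + RSTP_PATH_COST[speed],
                             switches[nbr].bridge_id, nbr_port, local_port)
                if best[sw.name] is None or candidate < best[sw.name]:
                    best[sw.name] = candidate
                    changed = True
    return root, best

def port_roles(switches, root, best):
    """Classify each port as root, designated or alternate (the blocking end).

    On a redundant link the end with the better (cost, bridge ID) pair stays
    designated; the other end is the alternate port, as the lesson explains.
    """
    roles = {}
    for sw in switches.values():
        for port, (nbr, nbr_port, _) in sw.ports.items():
            if sw is not root and best[sw.name][3] == port:
                role = "root"
            elif switches[nbr] is not root and best[nbr][3] == nbr_port:
                role = "designated"  # the neighbour reaches the root through us
            else:
                mine = (best[sw.name][0], sw.bridge_id)
                theirs = (best[nbr][0], switches[nbr].bridge_id)
                role = "designated" if mine < theirs else "alternate"
            roles[(sw.name, port)] = role
    return roles

def build_example(priority_a=4096):
    """Four constructed switches; A's priority is lowered so it is elected root."""
    sw = {n: Switch(n, BridgeID(32768, f"00-1a-2b-00-00-0{n.lower()}"))
          for n in "ABCD"}
    sw["A"].bridge_id = BridgeID(priority_a, sw["A"].bridge_id.mac)
    link(sw, "A", 1, "B", 1, 10_000)
    link(sw, "A", 2, "D", 1, 10_000)
    link(sw, "B", 2, "C", 1, 10_000)  # parallel B<->C links: port ID tie-break
    link(sw, "B", 3, "C", 2, 10_000)
    link(sw, "D", 2, "C", 3, 10_000)  # C via D costs the same as C via B
    return sw

if __name__ == "__main__":
    sw = build_example()
    root, best = converge(sw)
    print("root bridge:", root.name)
    print({n: (v[0], v[3]) for n, v in best.items() if n != root.name})  # (cost, root port)
    print(port_roles(sw, root, best))
```

Switch C reaches the root at cost 4,000 both through B and through D; B's lower bridge ID wins, and of the two parallel links to B the lower port ID is chosen, so C's port 1 is the root port while ports 2 and 3 become alternate ports.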


STP port states

• Listening
• Learning
• Forwarding
• Blocking

Introduction
Switch ports that participate in the STP convergence process can be in one
of several states.

Note that these are the states defined in the original standard. The RSTP
standard changed these states, and you will learn more about these
changes later in this module.

Listening
In the listening state, the port sends and receives BPDUs but discards data
frames. The port typically moves quickly from the listening state to the
learning state.

Learning
In the learning state, the port sends and receives BPDUs and begins
gathering information about the STP network. The switch uses the
information the port gathers to populate its MAC address table. However,
the port does not forward data frames yet.

Forwarding
The port moves to a forwarding state if it is part of a root path. In this state,
the port actively receives and sends data frames as part of a root path. The
port also continues to receive and forward BPDUs.


Blocking
The port is in a blocking state when the port is first initialized and spanning
tree is enabled. If the port is configured to support STP, the port will then
move to a listening state and determine if other STP-enabled devices are
functioning on the network.

The port will then go through the listening and learning states. If the port is
not part of a root path, it will move to the blocking state. In this state, the
port does not receive or transmit data frames. The port is essentially in
standby mode. It may continue to receive BPDUs and may change to a
forwarding state if a link fails and it becomes part of a root path.


Edge ports


In an STP network, you do not want all ports to participate in the
convergence process. For example, if a port connects to an endpoint, you
do not want that port to listen for or send BPDUs.

Such ports should be designated as edge ports. Edge ports do not
participate in the STP convergence or send and listen for BPDUs.


STP limitations and enhancements

Introduction
The original STP standard was released in 1990. As networks evolved, its
limitations became apparent.

Slow convergence
With the original STP standard, convergence could take as long as 30 to 50
seconds. With the services running on networks today, 30 to 50 seconds
hinders network performance. Today’s networks require much faster
convergence times.

In 1998 IEEE 802.1w, an amendment to the STP standard, was released.
Called Rapid Spanning Tree Protocol, or RSTP, this amendment
significantly reduced convergence time.

In 2004 802.1w was incorporated into the main STP standard, which is
known as IEEE 802.1D-2004.

Ineffective use of redundant links
With both STP and RSTP, blocked links are idle, functioning solely as
backup links in case the active link becomes unavailable. With users putting
more demands on network bandwidth, companies cannot afford to have idle
links. They want to use redundant links to transmit traffic, while still being
able to rely on the links for redundancy.


In 1998, an amendment to the 802.1Q (VLAN tagging) standard was
released. Known as 802.1s, Multiple Spanning Tree Protocol, or MSTP,
provided an extension to STP and RSTP, allowing the protocol to use
separate spanning tree instances for groups of VLANs.

In 2003 802.1s was merged into IEEE 802.1Q-2003.


RSTP enhancements

RSTP uses essentially the same convergence process that STP uses to elect a root bridge and identify the root path.
However, RSTP enables faster convergence and allows faster transition of ports to a forwarding state.
With RSTP, convergence can occur in 1 second or less, but will typically occur within 6 seconds. STP convergence, on the
other hand, can take up to 50 seconds.



RSTP changes

You should be aware of at least two changes in the RSTP standard.

• Port states—The RSTP standard changed the blocking and listening
states to the discarding state. However, in most discussions of STP, the
term blocking is still used.
• Path costs—As mentioned earlier, RSTP uses different path costs than
the original spanning tree. When configuring a spanning tree network,
you must ensure that all STP-enabled devices are using the same path
costs.

RSTP costs
Link       Cost
10 Mbps    2,000,000
16 Mbps    1,250,000
100 Mbps   200,000
1 Gbps     20,000
2 Gbps     10,000
10 Gbps    2,000


MSTP enhancements


MSTP enhanced the use of STP on networks that support multiple VLANs,
while still delivering the fast convergence introduced with RSTP. MSTP
supports multiple spanning tree instances on the same network, and each
instance can include one or more VLANs. MSTP supports multiple
preferred paths for data traffic, providing load sharing across redundant
network links.

You will now take a closer look at MSTP.


MSTP instances


MSTP allows you to create multiple instances of STP and assign specific
VLANs to each instance. This example network has two MSTP instances:

Instance 1 supports VLANs 1, 8, 10, 16.

Instance 2 supports VLANs 4, 5, 6.

This frame shows two different views of the same network, but keep in mind
that the switches are supporting both instances simultaneously.

In the next frame, you will examine this example in more depth.


Taking a closer look at MSTP instances


Each MSTP instance converges independently of other instances defined
on the network. As a result, each instance can have a different root bridge
and block different redundant links. In addition, each STP-enabled link can
be part of more than one instance.

In the example network, Switch B is the root bridge for instance 1, and
Switch A is the root bridge for instance 2. Each instance has different active
links. For example, the link between Switch A and Switch C is active for
instance 2, yet blocked for instance 1. For instance 1, the ports are in a
discarding state, but they are in a forwarding state for instance 2.

MSTP allows for greater network utilization and capacity because multiple
instances mean that ports have less idle time.


MSTP regions

Introduction
An MSTP region is a group of switches that collectively defines the same
instances and participates in the same convergence process to elect a root
bridge and identify active paths for each instance. To recognize that they
are in the same region, switches must share certain MSTP attributes.

Configuration name
You must manually configure an MSTP region name, which identifies that
MSTP region.

Configuration revision number
The switches must use the same configuration revision number. You can
leave this field at the default value of 0, or manually configure it.

VLANs and MSTP Instances
You must create the same MSTP instances on all the switches in the same
region. You must also ensure that you assign the same VLANs to each
instance.


MSTP regions (continued)


In an MSTP network, each switch can belong to only one MSTP region. To
identify all the switches in a particular region, MSTP-enabled switches use
BPDUs to communicate their MSTP region attributes. If another switch’s
MSTP region attributes match its own, a switch knows that the other switch
is in the same MSTP region.

If you misconfigure an MSTP region attribute on one of the switches that
should be in the same region, it will not join that region. Instead, its unique
attributes will define a separate region. If this happens, the MSTP instances
defined on the switch will be logically disconnected from the instances
defined on other switches, eliminating the MSTP load-sharing benefits.


Internal Spanning Tree (IST)


When MSTP is enabled, all of the VLANs configured on the switch are
initially assigned to the Internal Spanning Tree (IST), which is the default
MSTP instance within the MSTP region. Likewise, if you later create a
VLAN on the switch, it is added to the IST.

For example, suppose the network includes VLANs 1, 20, 30, 40, and 50.
When you enable MSTP, all these VLANs are part of the IST.

When you configure the MSTP region, these VLANs are moved to the
instance you specify. For example, you might configure the MSTP with
three instances: instance 1 includes VLAN 20 and 30, instance 2 includes
VLANs 40 and 50, and instance 3 includes VLAN 60. As you assign these
VLANs to an instance, they are moved from the IST to that instance.

At least one VLAN should remain in the IST to ensure connectivity in case
of a configuration error. Typically, this is the default VLAN (VLAN 1).
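The region-matching rule on the previous page and the IST behaviour described here, as an added Python example (not HP code): a switch's region is defined by its name, revision level and VLAN-to-instance mapping, VLANs not assigned to an instance stay in the IST (instance 0), and any attribute mismatch leaves a switch in a region of its own. The class, field names and sample switches are this example's own constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

IST = 0  # the Internal Spanning Tree is MSTP instance 0


@dataclass
class MstpSwitch:
    """MSTP region configuration of one switch (constructed model)."""
    hostname: str
    region_name: str
    revision: int
    vlans: Set[int]                                  # VLANs configured on the switch
    instances: Dict[int, Set[int]] = field(default_factory=dict)

    def assign(self, instance: int, *vlan_ids: int) -> None:
        """Move VLANs into `instance` (like 'instance 1 vlan 10 20' on Comware).
        A VLAN belongs to one instance, so it leaves any instance it was in."""
        if instance == IST:
            raise ValueError("VLANs return to the IST by being unassigned")
        for members in self.instances.values():
            members.difference_update(vlan_ids)
        self.instances.setdefault(instance, set()).update(vlan_ids)

    def vlan_to_instance(self) -> Dict[int, int]:
        """Explicit VLAN-to-instance mapping; any VLAN not listed is in the IST."""
        return {v: inst for inst, vl in self.instances.items() for v in vl}

    def ist_vlans(self) -> Set[int]:
        """Configured VLANs still in the IST (the text wants at least one)."""
        return self.vlans - set(self.vlan_to_instance())


def region_mismatches(a: MstpSwitch, b: MstpSwitch) -> List[str]:
    """Attributes on which two switches differ; an empty list means same region.
    Any difference puts the switch in its own region and disconnects its
    instances from the rest of the network."""
    reasons = []
    if a.region_name != b.region_name:
        reasons.append("region name")
    if a.revision != b.revision:
        reasons.append("revision level")
    if a.vlan_to_instance() != b.vlan_to_instance():
        reasons.append("VLAN-to-instance mapping")
    return reasons


def build(hostname: str, name: str, revision: int) -> MstpSwitch:
    """Constructed sample: the two-instance hplab region used in the text."""
    sw = MstpSwitch(hostname, name, revision, {1, 10, 20, 30, 40})
    sw.assign(1, 10, 20)
    sw.assign(2, 30, 40)
    return sw


if __name__ == "__main__":
    core = build("Core", "hplab", 1)
    print(region_mismatches(core, build("Access1", "hplab", 1)))   # []
    print(region_mismatches(core, build("Access2", "hplab", 2)))   # ['revision level']
    print(sorted(core.ist_vlans()))                                # [1]
```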


MSTP interoperability with RSTP and STP


Because MSTP implements the same basic principles as the earlier
versions of the protocol, it is completely interoperable and compatible with
STP and RSTP. MSTP will emulate STP and RSTP behaviors when
encountering devices that are running those versions of the protocol.


Common Spanning Tree


Networks that support more than one MSTP region or MSTP and RSTP
simultaneously need a mechanism to control common links. In such
environments, Common Spanning Tree, which is automatically enabled with
MSTP, determines whether a link between MSTP regions (or between a
region and a legacy RSTP switch) is forwarding traffic or discarding traffic.
Common Spanning Tree ensures that there is only one active path.


Default STP settings on HP switches


HP Comware switches
By default, Comware switches support MSTP, although it is disabled. When
you enable STP on Comware switches, they begin using MSTP, and all
ports are configured to participate in the spanning tree network. You must
manually configure ports that connect to endpoints such as workstations,
servers, or printers as edge ports.

If you want a Comware switch to run RSTP, you must specify RSTP as the
STP “mode.”

HP ProVision switches
By default, ProVision switches support MSTP, but it is disabled. When STP
is enabled, switch ports are automatically configured as auto-edge ports.
Auto-edge ports listen for BPDUs for 3 seconds. If the ports do not receive
a BPDU, they transition to a forwarding state and begin to transmit data
frames. Thereafter, these ports will not transmit BPDUs or participate in the
STP convergence process.


Configuring MSTP on HP Comware switches

Step 1: Create the region.
Step 2: Specify the region revision number.
Step 3: Create the MSTP instances and assign VLANs to them.
Step 4: Activate the MSTP region.
Step 5: Configure the root bridge and backup root bridge.
Step 6: Configure the switches to use the standard cost calculations.
Step 7: Enable STP.
Step 8: Save the configuration.

Introduction
You will now review the steps for configuring MSTP on HP Comware
switches.

Step 1
From the system view, enter the command to create the region (called
hplab in this example).
[Switch] stp region-configuration
[Switch-mst-region] region-name hplab

Step 2
Specify the region revision number.
[Switch-mst-region] revision-level 1

Step 3
Create the instances and assign VLANs to them. In this example, instance
1 will include VLANs 10 and 20, and instance 2 will include VLANs 30 and
40.
[Switch-mst-region] instance 1 vlan 10 20
[Switch-mst-region] instance 2 vlan 30 40


Step 4
Activate the MSTP region and return to the system view.
[Switch-mst-region] active region-configuration
[Switch-mst-region] quit

Step 5
Configure the switch as a root bridge or backup root bridge (optional,
depending on whether you want this switch to fulfill these roles). In this
example, the switch will function as the root bridge in the IST (designated as
instance 0) and instance 1 and as the backup root bridge in instance 2.
[Switch] stp instance 0 root primary
[Switch] stp instance 1 root primary
[Switch] stp instance 2 root secondary

Step 6
By default, Comware switches use a non-standard method for calculating
port costs. To ensure that all the switches in a heterogeneous environment
are using the same method for calculating cost, you should configure the
switches to use the standard cost calculations, using the command below.
[Switch] stp pathcost-standard dot1t

Step 7
Enable spanning tree. Because the Comware switches default to MSTP,
you do not have to configure the mode setting.
[Switch] stp enable

Step 8
Save the configuration.
[Switch] save


Configuring MSTP on HP ProVision switches

Step 1: Configure the MSTP region.
Step 2: Create the MSTP instances and assign VLANs to each one.
Step 3: Configure the root bridge and backup root bridge.
Step 4: Enable STP.
Step 5: Save the configuration.

Introduction
You will now review the steps for configuring MSTP on HP ProVision
switches.

Step 1
Configure the MSTP region. In this example, the region name is hplab, and
the revision number is set to 1.
Switch(config)# spanning-tree config-name hplab
Switch(config)# spanning-tree config-revision 1

Step 2
Create the MSTP instances. In this example, the region will have two
instances. Instance 1 will include VLANs 10 and 20, and instance 2 will
include VLANs 30 and 40.
Switch(config)# spanning-tree instance 1 vlan 10 20
Switch(config)# spanning-tree instance 2 vlan 30 40

Step 3
Configure the switch as the root bridge or backup root bridge for IST or the
MSTP instances. This step is optional, depending on whether you want the
switch to fulfill these roles. In the example, the switch will be configured as
the root bridge for IST and instance 1 and as the backup root bridge for
instance 2. On ProVision switches, the priority value (0 or 1 in the example)
is multiplied by 4096 to derive the bridge priority. The default priority is 8
(8 x 4096 = 32768). By setting a switch’s bridge priority to 0, you ensure
that it has the lowest bridge priority on the MSTP network.
Switch(config)# spanning-tree priority 0
Switch(config)# spanning-tree instance 1 priority 0
Switch(config)# spanning-tree instance 2 priority 1

Step 4
Enable spanning tree.
Switch(config)# spanning-tree

Step 5
Save the configuration.
Switch(config)# write memory


Summary


In this lesson you learned about the basic operations of STP. You learned
how STP-enabled switches elect a root bridge and then select the preferred
path to that root bridge, blocking all other redundant paths.

You also learned how RSTP and MSTP overcome the limitations in the
original standard. Finally, you reviewed the steps for configuring MSTP on
Comware and ProVision switches.


Lesson 2

Traditional stacking allows you to connect multiple switches together and manage them from a single interface.
Within the stack, however, each switch continues to operate independently.
HP Intelligent Resilient Framework (IRF) goes beyond simple stacking by combining two or more Comware
switches into one virtual switch. This lesson describes the advantages of using IRF and briefly outlines basic IRF
functionality.



Advantages of using IRF

Introduction
IRF simplifies network design and network operations, provides a high level
of reliability, streamlines management, and provides scalability.

Simplified network design
With IRF, you can simplify the network design at both Layer 2 and Layer 3.
In Lesson 1, you learned how to build a resilient network using MSTP.
Instead of implementing a complicated spanning tree topology for Layer 2
redundancy, however, you can use IRF, which provides both device and link
redundancy. When you connect the virtual switch to the network, you can
use aggregated links, which efficiently load-balance traffic across
themselves for full utilization of the bandwidth. If necessary, you can
expand the uplink bandwidth by simply adding another link to the link
aggregation group.

Reliability
IRF provides both link and node redundancy. You can aggregate members’
IRF links and the links between the IRF virtual device and its upper or lower
layer devices.
In addition, the IRF virtual device includes multiple member devices that
operate in 1:N redundancy: if the master fails, the IRF virtual device
immediately elects a new master to prevent service interruption. Failover is
also extremely fast—under 2 milliseconds.


Streamlined management
Whether you manage the IRF virtual device from the CLI or use a
management platform such as HP Intelligent Management Center, you will
manage it as a single device. You can connect to the IRF device’s
management interfaces through any member’s COM port, or using Telnet,
SSH, HTTP, or HTTPS to the IRF device’s IP address. Configurations are
performed on the master (which you will learn more about on the following
pages) and distributed to all associated switches, greatly simplifying
network setup, operation, and maintenance.


Advantages of using IRF (continued)

Simplified network operations
IRF allows you to simplify the network design at Layer 3. The IRF virtual
device acts as a single router with a single IP address per interface. For
example, the IRF device can act as a redundant default gateway (without
implementing another Layer 3 redundancy mechanism such as Virtual
Router Redundancy Protocol). Routing protocols calculate the routes of the
IRF virtual device instead of calculating the routes of each member. This
design eliminates numerous protocol packet exchanges among the
members, simplifies network operations, and shortens the convergence
time.

In addition, without IRF, routing switches with redundant routes between
each other would need to use Equal-Cost Multipath (ECMP) to load balance
traffic. But with IRF, you can simply create a link aggregation between the
IRF virtual devices and run the desired routing protocol.

Scalability
IRF virtual devices are scalable. You can increase the bandwidth and
processing capability of an IRF virtual device simply by adding member
devices. Each member device has its own CPU, and each one
independently processes and forwards protocol packets.


The number of switches you can connect in one IRF virtual device varies,
depending on the switch models you are using. For the stackable switch
models, you can connect up to nine switches in an IRF virtual device. For
the modular switches, you can connect up to four switches.


Master and slaves


Within an IRF virtual device, one of the switches is elected as the master,
which manages and maintains the system. (You’ll learn more about this
election process later in this lesson.)

The other members act as slaves, which process services and function as
backups. If the master fails, one of the slaves will be elected master and
assume responsibility for managing the IRF virtual device.


Daisy chain or ring topology

Introduction
When you implement an IRF virtual device, you must decide which topology you
will use: the daisy chain topology or the ring topology.

Daisy chain topology
In the daisy chain topology, each switch is connected to one other switch,
essentially forming a line. This topology is typically used when the switches in the
IRF virtual device are located in separate locations. The daisy chain topology can
be less reliable than the ring topology because, if a link fails, the IRF virtual device
will separate into two independent virtual switches.

Ring topology
In a ring topology, each switch is connected to two other switches, forming a ring.
Because each switch connects to two other switches, this topology is more reliable
than the daisy chain. If a link in the ring fails, the IRF virtual device will still be
connected in a daisy chain and will continue to function as one virtual switch.


IRF ports

The switches in an IRF virtual device communicate through logical ports called IRF ports, which are bound to the actual
physical ports that connect the switches. Each IRF port can be bound to one or more physical ports.
As shown in the figure, IRF ports are numbered as IRF-port1 and IRF-port2. IRF-port1 on one switch must be connected to
IRF-port2 on its neighbor.


Member ID

The IRF virtual device uses member IDs to uniquely identify and manage
the members. If member IDs are not unique, the IRF virtual device cannot
be established.


Electing a primary switch

When a new IRF virtual device is formed, members undergo an election
process to identify the master, using the following rules:

• The member with the highest priority is elected.
  • On the switch you want to be master, configure a high IRF priority
    number.
• If all members have the same priority:
  • Member with the longest system up-time is elected.
  • Member with the lowest bridge address is elected.

If an existing IRF virtual device has a topology change, members use these
rules:

• The current master is elected.
• If the current master is unavailable, the rules for electing a master for a
  new IRF device apply.
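The election rules above as an added Python example (not HP code): each member carries the priority, system up-time and bridge MAC that the topology-discovery stage exchanges, and the two functions apply the new-device rules and the topology-change rule in turn. The class, field names, the leave-handling helper and the sample members are this example's own constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IrfMember:
    """One IRF member as seen in topology discovery (constructed model)."""
    member_id: int
    priority: int      # higher wins
    uptime_s: int      # system up-time in seconds; longer wins
    bridge_mac: str    # e.g. "00:1c:2e:aa:bb:01"; lowest wins


def mac_value(mac: str) -> int:
    """Numeric value of a bridge MAC so 'lowest address' compares correctly."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def check_member_ids(members: List[IrfMember]) -> None:
    """Per the text, duplicate member IDs prevent the IRF device from forming."""
    ids = [m.member_id for m in members]
    if len(set(ids)) != len(ids):
        raise ValueError(f"duplicate IRF member IDs {sorted(ids)}: device cannot form")


def elect_new(members: List[IrfMember]) -> IrfMember:
    """Rules for a newly formed IRF virtual device:
    highest priority, then longest up-time, then lowest bridge address."""
    check_member_ids(members)
    # max() over a tuple key: priority and up-time ascend, the MAC is negated
    # so the lowest address ranks highest on the final tie-break.
    return max(members, key=lambda m: (m.priority, m.uptime_s, -mac_value(m.bridge_mac)))


def elect_after_change(members: List[IrfMember], current_master_id: int) -> IrfMember:
    """Rules after a topology change: the current master keeps the role if it
    is still a member; otherwise the new-device rules apply."""
    check_member_ids(members)
    for m in members:
        if m.member_id == current_master_id:
            return m
    return elect_new(members)


def handle_leave(members: List[IrfMember], master_id: int,
                 leaving_id: int) -> Tuple[List[IrfMember], IrfMember]:
    """Process a leave message: drop the member, then re-elect only if the
    master left (a slave leaving just updates the local topology)."""
    remaining = [m for m in members if m.member_id != leaving_id]
    if not remaining:
        raise ValueError("no members left in the IRF virtual device")
    return remaining, elect_after_change(remaining, master_id)


# Constructed sample: member 3 has the highest priority, so it becomes master
# of the new device even though it booted most recently.
SAMPLE = [
    IrfMember(1, 1, 86400, "00:1c:2e:aa:bb:02"),
    IrfMember(2, 1, 90000, "00:1c:2e:aa:bb:01"),
    IrfMember(3, 32, 600, "00:1c:2e:aa:bb:03"),
]

if __name__ == "__main__":
    master = elect_new(SAMPLE)
    print("new device master:", master.member_id)       # 3
    rest, master = handle_leave(SAMPLE, master.member_id, 3)
    print("after master leaves:", master.member_id)      # 2 (longest up-time)
```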


Establishing and maintaining the IRF virtual device

• Topology discovery
• Role election
• Maintenance

Introduction
IRF members exchange messages to establish and maintain the IRF virtual
device.

Topology discovery
After you connect the members of an IRF virtual device and configure the
IRF settings, the members exchange hello packets with their directly
connected IRF neighbors. These packets provide topology information such
as:

• IRF port connection states
• Member ID
• Priorities
• Bridge MAC addresses

Each member records its known topology information locally. After all
members have obtained complete topology information, the IRF virtual
device enters the next stage: role election.

Role election
Role election occurs when a topology change occurs. For example:

• The IRF virtual device is first established.
• A member is added.
• The master is unavailable or is removed from the IRF virtual device.

Maintenance
If topology changes occur in the IRF virtual device, members will exchange
messages to communicate these changes. For example, if a member
switch becomes unavailable, its directly connected neighbor broadcasts the
change, immediately sending a leave message to other IRF members. The
members that receive the leave message determine whether a master or a
slave left the IRF virtual device, according to the locally saved IRF topology
information. If the master left the IRF virtual device, a role election is held,
and the local topology is updated. If a slave left the IRF virtual device, the
local IRF topology is updated to ensure fast convergence of the IRF
topology.


Summary

In this lesson, you learned that IRF creates a single virtual switch, which
provides significant advantages for management, network design, and
network operations. You also learned that IRF provides a high level of
reliability and resiliency at the link and device level.

You then learned the basic operations of an IRF virtual device, including the
IRF topology, member roles, IRF virtual ports, and the IRF election process.

To learn more about IRF, attend the Building SMB Networks with HP
Technologies course.
