HP ProCurve Network Configuration Guide (5308xl / 2650)

Wednesday, 28 May 2008 21:27 Chris Bradford

HP ProCurve Network Hardware Configuration Guide, Part One


Contents:

1. General Switch Information
2. Software Update HOWTO
3. VLAN Information & CIDR Subnet Mask Notation
4. VLAN Configuration - HP 5308xl Switches
5. VLAN Configuration - HP 2650 Switches

General Switch Information

As part of a complete redesign of the company network I have had to set up and deploy two HP 5308xl core switches and ten HP 2650 48-port edge switches. The aims of the project were simple:

- Increase manageability of network resources.
- Divide the network into VLANs.
- Provide fault tolerance in the event of a core switch failure.
- Increase security of network resources.
- Increase speed / data throughput.

In my first article for the site I thought I would share my experiences of setting up this hardware, and provide a reference so that if you're planning to upgrade your network you can at least find some in-depth information on these products and how to configure them.

This article covers the setup of RSTP, XRRP, routing, VLANs, ACLs and trunks on these switches, and tries to shed light on what exactly each of these functions has to offer for your network.

Firstly the switches themselves. We received two HP 5308xl (J4819A) eight-slot core switches:

Both of our 5308xl's have five low-contention xl Mini-GBIC modules (J4878B), each with four hot-swap transceiver slots (these can take 1000T / 1000SX / 1000LX / 1000LH transceivers), and three ProCurve Switch xl 16-port 10/100/1000 modules (J4907A), as shown in the picture above.

Also in the shipment were ten 2650 (J4899A) edge switches:

The switches came with all the usual accessories: serial cables for console-based configuration, AC power cables, and documentation on CD. Note that there was no printed documentation with the 2650 switches, and the 5308xl's came with only a quick setup guide; all other documentation is on the CDs in the pack. This was as expected though, as the complete manual for the products is well over 500 pages!

First of all I'd like to take a look at the 5308xl switches. These will be at the very core of our network and thus are mission critical; they need to be feature rich and fast. Device specifications for the 5308xl switch as supplied by HP:


Specification
- 8 open module slots
- Supports a maximum of 192 10/100 ports or 128 Gigabit ports

Physical Characteristics
- Dimensions: 15.3 x 17.4 x 8.75 in (38.86 x 44.2 x 22.23 cm), 5U height
- Weight: 26.65 lb (11.99 kg) fully loaded

Memory and Processor
- Fabric module: Motorola PowerPC @ 200 MHz, 12 MB flash, 32 MB SDRAM
- Flash ROMs: dual flash
- Packet buffer size: 36 MB

Performance
- Latency: < 6 µs (FIFO)
- Throughput: up to 48 million pps
- Switch fabric speed: 76.8 Gbps
- Routing table size: 10000 entries

Environment
- Operating temperature: 32 °F to 104 °F (0 °C to 40 °C)
- Operating relative humidity: 15% to 95% at 104 °F (40 °C), noncondensing
- Non-operating/storage temperature: -40 °F to 158 °F (-40 °C to 70 °C)
- Non-operating/storage relative humidity: 15% to 95% at 149 °F (65 °C), noncondensing
- Altitude: up to 15091 ft (4.6 km)

Electrical Characteristics
- Maximum BTUs: 2152 BTU/hr
- Voltage: 100-127 VAC / 200-240 VAC
- Current: 8.2 A / 3.8 A
- Power: 630 W
- Frequency: 50/60 Hz

There is an incredible list of features and protocols that the 5308xl switches support, making them extremely good value for money, and an excellent choice for your network.

- Layer 3 IP routing
- Router redundancy protocol (XRRP)
- OSPF-ECMP
- IP multicast routing (PIM dense)
- IP multicast (data-driven IGMPv3)
- Virus throttling
- ICMP throttling
- Mesh configuration
- 802.1s Multiple Spanning Tree
- 802.1v protocol VLANs
- GVRP
- Port security
- MAC address lockout
- Source port filtering
- TACACS+
- Secure Shell (SSHv2)
- Secure Sockets Layer (SSL)
- Secure FTP
- 802.1w RSTP
- VLAN support and tagging
- 802.3ad LACP
- Access control lists (ACLs)
- Identity-driven per-port ACL
- Switch management logon security
- Layer 4 prioritization
- Bandwidth shaping: rate limiting, guaranteed minimums
- RMON, XRMON, SMON, sFlow
- UDP helper function (IP Helper)
- Link Layer Discovery Protocol (LLDP)
- LLDP-MED (Media Endpoint Discovery)
- Friendly port names
- ProCurve/IEEE Auto-MDIX
- Hot-swappable modules
- Dual flash images
- Multiple authentication methods: IEEE 802.1X, Web-based, MAC address based
- Authentication flexibility: multiple 802.1X users per port; concurrent 802.1X, Web-based and MAC-based authentication
- Traffic prioritization (802.1p)

All in all not a bad setup at all! A theoretical maximum of 76.8 Gb/sec is quick, certainly a lot faster than what we had in place previously. I also like the xl modules, as they provide a great deal of flexibility for the network infrastructure. The modules come in several different flavours, providing Power over Ethernet, hot-swap Mini-GBIC slots for 1000SX / 1000T / 1000LX / 1000LH transceivers and even an Access Controller Module. The 5308xl can house up to 8 xl modules, the 5304xl up to 4. For more details on xl modules see the links below:

- ProCurve Switch xl Access Controller Module (J8162A)
- ProCurve Switch xl 10/100-TX PoE Module (J8161A)
- ProCurve Switch xl 16-port 10/100/1000 Module (J4907A)
- ProCurve Switch xl Mini-GBIC Module (J4878B)
- ProCurve Switch xl 100-FX MTRJ Module (J4852A)
- ProCurve Switch xl 100/1000-T Module (J4821B)
- ProCurve Switch xl 10/100-TX Module (J4820B)

Now I'll take a look at the features of our edge switches, the 2650 switches. Device specifications for the 2650 switch as supplied by HP:

Ports
- 48 RJ-45 10/100 ports (IEEE 802.3 Type 10Base-T, IEEE 802.3u Type 100Base-TX)
- 1 RS-232C DB-9 console port
- 2 dual-personality ports; each can be used as either an RJ-45 10/100/1000 port (IEEE 802.3 Type 10Base-T, IEEE 802.3u Type 100Base-TX, IEEE 802.3ab 1000Base-T Gigabit Ethernet) or an open mini-GBIC slot (for use with mini-GBIC transceivers)

Physical Characteristics
- Dimensions: 12.8 x 17.32 x 1.75 in (32.51 x 43.99 x 4.45 cm), 1U height
- Weight: 9.78 lb (4.4 kg) fully loaded

Memory and Processor
- Processor: Motorola PowerPC MPC8245, 266 MHz
- Flash capacity: 32 MB
- SDRAM: 36 MB

Performance
- Latency: < 13.3 µs (LIFO)
- Throughput: up to 10.1 million pps
- Switch fabric speed: 9.6 Gbps
- Routing table size: 8000 entries

Environment
- Operating temperature: 32 °F to 131 °F (0 °C to 55 °C)
- Operating relative humidity: 15% to 95% at 104 °F (40 °C), noncondensing
- Non-operating/storage temperature: -40 °F to 158 °F (-40 °C to 70 °C)
- Non-operating/storage relative humidity: 15% to 95% at 149 °F (65 °C), noncondensing
- Altitude: up to 15091 ft (4.6 km)

Electrical Characteristics
- Maximum BTUs: 341 BTU/hr
- Voltage: 100-120 VAC / 200-240 VAC
- Current: 1.5 A
- Power: 100 W
- Frequency: 50/60 Hz

The flexibility provided by the dual-personality ports is very useful. This versatility means that these switches can go into virtually any existing environment, making them excellent value for money and a sound investment for your network. We have made use of this feature with two of these switches, fitting 1000SX mini-GBIC modules to these ports. The modules couldn't be any simpler to fit, and this can be done when the switch is on or off: simply take off the dust cover and slide the module into place firmly. The light on the port will change from 'T' to 'M'. Examples of these modules can be seen below:

There's a long list of features for an edge switch:

- Dual-personality ports: 100/1000T/LX/LH/SX
- Basic IP routing
- IP multicast (IGMPv3 snooping)
- 802.1w RSTP
- 802.1s Multiple Spanning Tree
- VLAN support and tagging
- Group VLAN Registration Protocol (GVRP)
- 802.3ad LACP
- Remote Monitoring
- 802.1X and RADIUS network login
- TACACS+
- Secure Shell (SSHv2)
- Secure Sockets Layer (SSL)
- 13.6 Gbps backplane
- ProCurve/IEEE Auto-MDIX
- Friendly port names
- Dual flash images
- Source port filtering
- Web-based authentication
- MAC address lockout
- Secure FTP
- Port security
- IP Lockdown
- Layer 4 prioritization
- Class of Service (CoS)
- Traffic prioritization (802.1p)
- Troubleshooting
- Stacking capability

Now you're at least fairly familiar with the switches and what they can do, so we'll start to configure them.

Software Update HOWTO

Now we move on to the configuration of the switches; we'll start with the 5308xl first. The first job was to check that all software was up to date on the switches. The 5308xl's weren't up to date, and neither were the 2650's. There are a few things you'll need if you have to do this.

First we need to check that the BOOT ROM on your switch is recent enough to take the software update: it needs to be version 5.04 or newer for the current software release, 10.04. To check your BOOT ROM version connect your switch to your PC / laptop with the serial cable and turn the switch on. Next load HyperTerminal (under Start > Programs > Accessories > Communications), select the COM port you attached the cable to and set up a new connection called 'HP'; you'll be using this a lot, so be sure to save it. Connection settings are as follows:

    Bits per second: 9600
    Data bits: 8
    Parity: None
    Stop bits: 1
    Flow control: None

Once this is done press Enter twice and you should see the HP welcome screen:

    HP J4819A ProCurve Switch 5308xl
    Firmware revision E.10.04

    Copyright (C) 1991-2005 Hewlett-Packard Co. All Rights Reserved.

    RESTRICTED RIGHTS LEGEND
    Use, duplication, or disclosure by the Government is subject to restrictions
    as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
    Computer Software clause at 52.227-7013.
    HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303

    We'd like to keep you up to date about:
    * Software feature updates
    * New product announcements
    * Special events
    Please register your products now at: www.ProCurve.com

    Press any key to continue

Press Enter, then type 'show system-information'. This will display the current switch and software version information. You're looking for ROM Version and Firmware Version. ROM Version is your BOOT ROM; if it's 5.04 you're good to update straight to software version 10.04. If it's not, you'll need to update to version 7.40 first, as this version includes the BOOT ROM upgrade. Then you'll be able to upgrade to version 10.04.

Click Here to download Software Version 7.40
Click Here to download Software Version 10.04

The next thing you'll need is a TFTP (Trivial File Transfer Protocol) server, which will enable you to transfer files to or from the switch from a computer. Click Here to download the SolarWinds TFTP server (external site, will load in another window). When this has been downloaded, install the application. You'll find in the root of your system drive (normally C:\) a new folder called TFTP-Root. Extract the contents of the zip files downloaded from this site and place the files into this folder. Now load the SolarWinds TFTP server application, click on File on the menu and go to Configure. Select the Security tab and then click the 'Transmit and Receive Files' option. Your TFTP server is ready to go.

Note that TFTP has no authentication and no encryption, so anything that can reach UDP port 69 on your PC while the server is running can read or write the files in TFTP-Root. Do the transfer over the direct cable described below, and close the TFTP server when you're finished.

The next thing you want to do is set up a temporary IP address so you can update the software. If you type the command 'config' and hit Enter you'll be in configuration mode for the switch. Type 'vlan 1' and hit Enter, then type 'ip address 10.0.0.1/24' and hit Enter again. I will discuss VLANs shortly, so don't worry about what they are if you don't know. The switch now has a temporary IP which we can use to upload the new software. If you then type 'untag A1' this will enable you to connect a computer to port A1 in the same IP range (ie 10.0.0.2/24) and communicate with the switch. The command 'untag' makes the port that you untag a part of the VLAN in which you run the command, so if you type 'vlan 2' and then 'untag B1', port B1 becomes part of VLAN 2. The switch can have one IP per VLAN, and any machine you connect to an untagged port must be in the same IP range as the VLAN IP address you set. This is explained later on this page. In full:

    config
    vlan 1
    ip address 10.0.0.1/24
    untag A1

Connect your computer to the port you 'untagged' and set its IP address to 10.0.0.2, subnet mask 255.255.255.0 (/24) and gateway 10.0.0.1. Don't worry about DNS settings. Once this is done you should be able to ping the switch, and you'll be able to transfer the files to it.

Go back to the HyperTerminal window you have open and ping the IP address of your machine from the switch. So long as this is successful you'll be able to transfer files. Type 'copy tftp flash 10.0.0.2 E_10_04.swi' then press 'y' to continue. 10.0.0.2 is the IP address of the machine running the TFTP server software, and E_10_04.swi is the name of the file on the server. When this process has finished you'll need to reboot the switch: type 'boot' and 'y' to continue. When the unit comes back up you'll have to press Enter twice to bring up the main screen again. Enter the command 'show system-information' to check the update worked; your firmware version should read 10.04 (or 7.40 if you've upgraded your BOOT ROM first; if so, now repeat the process with the 10.04 software). Note: if your BOOT ROM is not version 5.04 you should install software version 7.40 first, and then 10.04.

    ping 10.0.0.2
    copy tftp flash 10.0.0.2 E_10_04.swi
    boot
    show system-information

VLAN Information & CIDR Subnet Mask Notation

What is a VLAN? Virtual LANs (VLANs) are a means for you to break down your network into smaller, manageable chunks. Each VLAN is an independent broadcast domain defined within a set of switches. This is very useful in larger network environments, where network usage has reached around 200 or more nodes. At this level network speed will decrease unless the load on the network is reduced, and this is where VLANs come in. How you divide your network is down to you. You can separate it by physical location (ie ground floor, first floor etc.), by department, by application or by building. This makes managing the network easier, and configuration of the switches easier too. The image above depicts a simple VLAN setup: the machines are in separate broadcast domains even though they all connect into the same switch. Using the hardware reviewed in this article all machines in the network can still communicate, despite being in separate broadcast domains.

The key to deploying a successful VLAN infrastructure is that you don't overcomplicate things. If there are five departments on one floor, but only 50 machines, there is simply no point in making five VLANs; you may as well have just a single VLAN. Remember, simplicity is key; this way other members of the IT team will understand your setup. The network infrastructure I deployed was divided by physical location, and then by device type. I deployed six VLANs:

- VLAN100: Server VLAN
- VLAN132: Apple Macintosh VLAN
- VLAN133: Downstairs M2
- VLAN134: Upstairs M2
- VLAN135: IT Management VLAN
- VLAN136: M1

I placed the Apple nodes in a separate VLAN due to their use of the AppleTalk protocol. This is a broadcast protocol which, in large quantities, can hinder network performance for all devices. By separating the Apple nodes into their own VLAN the broadcast packets are restricted to that VLAN alone; broadcast packets are NOT routed by the switches to other VLANs. M1 and M2 are separate buildings linked by fibre pairs, roughly 250 metres apart. The number of machines in the M1 building is small, despite there being several departments, therefore I have created a single VLAN for it. This single VLAN has plenty of scope to accommodate any future growth of the IT infrastructure in this building.

Types of VLAN available on the 5308xl and 2650 switches

In the case of these switches there are three types of VLAN that can be deployed:

- Port based: individual ports on switches are assigned to VLANs.
- MAC address based: nodes are granted VLAN membership based upon their MAC address.
- Protocol based: nodes are granted VLAN membership based upon the protocol they use. This is however limited to a few select protocols.

This guide will cover the setup of port based VLANs.

VLAN Names / Numbers

The switches refer to each VLAN by a number or name. My VLANs are numbered 100, 132, 133, 134, 135 and 136 because of the IP range they cover:

- VLAN 100: covers IP range 10.0.0.0 - 10.0.0.254 (IP range starts 10.0.0, hence 100)
- VLAN 132: covers IP range 10.0.32.0 - 10.0.32.254 (IP range starts 10.0.32, hence 132)
- VLAN 133: covers IP range 10.0.33.0 - 10.0.33.254 (IP range starts 10.0.33, hence 133)
- VLAN 134: covers IP range 10.0.34.0 - 10.0.34.254 (IP range starts 10.0.34, hence 134)
- VLAN 135: covers IP range 10.0.35.0 - 10.0.35.254 (IP range starts 10.0.35, hence 135)
- VLAN 136: covers IP range 10.0.36.0 - 10.0.36.254 (IP range starts 10.0.36, hence 136)

Using this naming structure I can easily make the connection to the IP range from the VLAN number. I suggest you use a similar naming routine, but keep your numbers below 1000. It is important that from the number you can make the link as to what the VLAN is in place for.

Why set up VLANs? Simple:

- VLANs allow network administrators to control traffic flow and reduce unnecessary broadcast traffic.
- VLANs allow nodes to be moved with ease, as individual ports on switches, and therefore the nodes on them, can be assigned to VLANs.
- VLANs allow for increased security, as access between them can be limited through Access Control Lists.

It is easy to see why VLANs are now the industry standard in large network infrastructures; the level of control and security over resources attainable is unlike any flat network.

VLAN Inter-Communication

As mentioned above, it is possible for machines or devices in one VLAN to communicate with machines or devices in another, as long as there is a router in place. The switches discussed in this article include IP routing features that enable VLANs to communicate with one another. With IP routing disabled VLANs are truly separate networks; no traffic will pass between them. With IP routing turned on, machines on one VLAN will communicate with machines on another as if they were on the same network. Bear in mind that once routing is on, the VLAN boundary is no longer a security boundary on its own: anything you want to keep apart has to be enforced with ACLs on the routing switch. The setup of IP routing is discussed in the 5308xl VLAN configuration section.

At this point you should have an idea as to how you're going to divide your network up, and what you're going to call each of the VLANs. If this is not the case, work this out before continuing.

CIDR Subnet Mask Notation

Before we continue to configure the units I would recommend you familiarise yourself with CIDR subnet mask notation. No doubt you are familiar with subnets being written as '255.255.255.0' or similar; CIDR notation is the shorter form that the switch CLI, and most of the networking industry, uses. A mask of 255.255.255.0 can be written as '/24'. Why? Well, this is because an IP address is made up of four octets, or four groups of eight bits. In a 255.255.255.0 mask, 24 bits are set to '1'. In a 255.0.0.0 mask only 8 bits are set to one, thus /8 represents a 255.0.0.0 mask. If you're still lost I recommend you look up 'bits', 'IP addresses' and 'subnet masks' on Google! The table below explains how the CIDR notation works.

    Subnet Mask       CIDR  Total IPs       Usable IPs      Class C networks
    255.255.255.255   /32   1               1               1/256th
    255.255.255.254   /31   2               0               1/128th
    255.255.255.252   /30   4               2               1/64th
    255.255.255.248   /29   8               6               1/32nd
    255.255.255.240   /28   16              14              1/16th
    255.255.255.224   /27   32              30              1/8th
    255.255.255.192   /26   64              62              1/4th
    255.255.255.128   /25   128             126             1 half
    255.255.255.0     /24   256             254             1
    255.255.254.0     /23   512             510             2
    255.255.252.0     /22   1,024           1,022           4
    255.255.248.0     /21   2,048           2,046           8
    255.255.240.0     /20   4,096           4,094           16
    255.255.224.0     /19   8,192           8,190           32
    255.255.192.0     /18   16,384          16,382          64
    255.255.128.0     /17   32,768          32,766          128
    255.255.0.0       /16   65,536          65,534          256
    255.254.0.0       /15   131,072         131,070         512
    255.252.0.0       /14   262,144         262,142         1,024
    255.248.0.0       /13   524,288         524,286         2,048
    255.240.0.0       /12   1,048,576       1,048,574       4,096
    255.224.0.0       /11   2,097,152       2,097,150       8,192
    255.192.0.0       /10   4,194,304       4,194,302       16,384
    255.128.0.0       /9    8,388,608       8,388,606       32,768
    255.0.0.0         /8    16,777,216      16,777,214      65,536
    254.0.0.0         /7    33,554,432      33,554,430      131,072
    252.0.0.0         /6    67,108,864      67,108,862      262,144
    248.0.0.0         /5    134,217,728     134,217,726     524,288
    240.0.0.0         /4    268,435,456     268,435,454     1,048,576
    224.0.0.0         /3    536,870,912     536,870,910     2,097,152
    192.0.0.0         /2    1,073,741,824   1,073,741,822   4,194,304
    128.0.0.0         /1    2,147,483,648   2,147,483,646   8,388,608
    0.0.0.0           /0    4,294,967,296   4,294,967,294   16,777,216

The table is provided for reference; you may wish to print it for when we come to set up our VLANs on the switches. The 'Usable IPs' column follows the classic rule that the first and last address of a block are reserved for the network and broadcast addresses; a /31 point-to-point link can in fact use both of its addresses under RFC 3021, but for the /24 VLAN subnets used in this guide the table is exact.

VLAN Configuration - HP 5308xl Switches

Use this section to configure the 5308xl switches ONLY. You can configure VLANs on these switches through either the command line interface (CLI) or the web interface. Throughout this guide I will focus on using the CLI. This interface offers more control, and access to several features unavailable in the web interface; I tend to think of the web interface as a monitoring tool rather than a configuration utility. An important note: VLAN 1, the default VLAN, should not be used for anything at all. All ports you use should be assigned to a VLAN which you have created. The only ports which remain members of this VLAN are trunks, which will be discussed later on in this article. With that said we can now move on to configuring the 5308xl switches.
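Before going on to the switch configuration, here is an added Python example (not code from the original article or from HP) that computes the rows of the CIDR table above from first principles and converts between the two mask notations the 'ip address' command accepts. It also includes a same-subnet check, which is the rule behind "any machine you connect to the untagged port must be in the same IP range as the VLAN IP address" in the update section. Only the standard library is used.

```python
"""CIDR prefix calculator.

Added example, not part of the original article: it reproduces the rows of
the CIDR table above from first principles, so any prefix can be checked
rather than looked up, and converts both ways between '/24' and
'255.255.255.0' as the switch CLI accepts either form. Standard library only.
"""
from fractions import Fraction
from ipaddress import IPv4Network

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """Dotted-decimal mask for a /prefix, e.g. 24 -> '255.255.255.0'."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    bits = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """Inverse of prefix_to_mask; rejects non-contiguous masks such as 255.0.255.0."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad mask {mask!r}")
    bits = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"mask {mask!r} is not a contiguous run of ones")
    return prefix


def table_row(prefix: int) -> dict:
    """One row of the table. 'usable' follows the classic rule used in the
    table: the first and last address are reserved, so a /31 has 0 and a /32
    (a single host) has 1. 'class_c' is the block size in /24 units."""
    total = 2 ** (32 - prefix)
    if prefix == 32:
        usable = 1
    elif prefix == 31:
        usable = 0
    else:
        usable = total - 2
    return {"mask": prefix_to_mask(prefix), "prefix": prefix, "total": total,
            "usable": usable, "class_c": Fraction(total, 256)}


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when two hosts fall in the same /prefix network, i.e. they can
    talk without a router. This is the check behind 'the machine on the
    untagged port must be in the same IP range as the VLAN address'."""
    net_a = IPv4Network(f"{ip_a}/{prefix}", strict=False)
    net_b = IPv4Network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b


def hosts_in(cidr: str) -> list:
    """Usable host addresses of a network given in CIDR form."""
    return [str(h) for h in IPv4Network(cidr, strict=False).hosts()]


def render_table() -> str:
    """The CIDR table as text, /32 down to /0."""
    lines = [f"{'Subnet Mask':<17}{'CIDR':<6}{'Total IPs':<15}{'Usable IPs':<15}Class C networks"]
    for prefix in range(32, -1, -1):
        row = table_row(prefix)
        lines.append(f"{row['mask']:<17}/{row['prefix']:<5}{row['total']:<15,}"
                     f"{row['usable']:<15,}{row['class_c']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table())
    print(prefix_to_mask(21), mask_to_prefix("255.255.248.0"))
    print(same_subnet("10.0.0.1", "10.0.0.2", 24), same_subnet("10.0.0.1", "10.0.1.2", 24))
```

Running the script prints the full table and a couple of conversions; mask_to_prefix() deliberately refuses masks whose ones are not contiguous, since those are almost always typos rather than intended masks.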

You'll need your serial cable again: hook it up and start the HyperTerminal connection as discussed above. Ensure that the only cables connected at this time are the power cables and the serial cable; no network cables should be attached to the switches at this point. Once in, to make sure that no IP addresses are currently assigned to any VLAN in the switch we'll erase the startup config. Type the command 'erase startup-config', agree to the reboot and wait until the switch comes back on-line. Once the switch is back on-line and you're in the CLI, enter the 'config' command. To set up a new VLAN from this point simply enter the command 'vlan XXX' where 'XXX' is the number for your VLAN. Let's say we've used the command 'vlan 100'. You will then enter the context menu for this VLAN, denoted by '(vlan-100)' after the name of the switch, as shown in the image below:

Having set up VLAN 100 we'll assign an IP address to it and then, later, make some of the ports on the switch members of this VLAN. To assign an IP address use the command 'ip address x.x.x.x /x'. For example, if I wanted to assign the IP address 10.0.2.1 /24 I would use the command 'ip address 10.0.2.1 /24'. Not familiar with the terminology '/24'? Then have a look at the CIDR table above. The '24' means 24 bits of the subnet mask are set, so /24 is equivalent to '255.255.255.0'. You can also use a standard subnet mask (i.e. 255.255.255.0) after the IP address instead: 'ip address 10.0.2.1 255.255.255.0'. Obviously the address must be within the IP range you have selected for the VLAN; I would recommend using the first or last IP in the range.

Let's set up another VLAN. Firstly we need to come out of the context menu for VLAN 100: type 'exit' and hit Enter. This will take you back into the 'config' menu. From here type the command 'vlan' followed by the number of the next VLAN you want to set up. I will use 'vlan 132'. Once this command is entered you will again enter the context menu for this VLAN, denoted by (vlan-132) after the name of the switch. Through this you can once again set an IP address for this VLAN, as well as configure many other features such as XRRP which are covered later on in this guide. So for my VLAN 132, following the numbering scheme above, the sequence is:

    config
    vlan 132
    ip address 10.0.32.1 /24
    exit

Hopefully by this point you'll get the idea; do the same for all the other VLANs you want to set up. When you think you're done you can check which VLANs are configured on the switch and which IPs are assigned to them by using the commands 'show vlans' and 'show ip'. 'show vlans' will produce the following information on screen:

'show ip' will produce the following output:

From the above we can determine that I have successfully set up all VLANs on the switch and assigned the correct IP addresses and subnet masks. The configuration process for the second switch is identical, however ensure that the IP addresses you set for the VLANs are different from the addresses set in the first switch. For example, in setting up VLAN 132 in my configuration I would use 10.0.32.1/24 for switch one, then 10.0.32.2/24 for switch two. For VLAN 133 I would use 10.0.33.1/24 for switch one and 10.0.33.2/24 for switch two, and so on.

IP Routing Setup

This is the simplest part of this setup. Routing needs to take place in order for two or more VLANs to inter-communicate. This is because VLANs are separate subnets, or independent networks. Without routing, machines on VLAN 100 wouldn't be able to see machines on VLAN 132 or VLAN 133, or any of the other VLANs. Both the 5308xl and 2650 switches are capable of IP routing. However, we will only turn IP routing on on the 5308xl switches. The reason for this is that the 5308xl core switch is far more effective at routing these packets, as you'll have seen from the specifications on the first page of this article; all traffic is sent to the core switch for routing. IP routing is not enabled on the switches by default. In order to enable it type 'config' and press Enter, then simply type the command 'ip routing'. This will turn on routing between VLANs.

    config
    ip routing

Naming your switch

One final note: it's worth naming the switches at this stage so that when you are connected to them it is obvious which one you are configuring. In order to do this type 'config' and press Enter, then type 'hostname' followed by the name which you intend to give the switch, then hit Enter. For example:

    hostname HP5308XLSwitch1

Now we can move on to configuring the HP 2650 switches to ensure they are compatible with the VLAN configuration we have set up on the 5308xl units.

VLAN Configuration - HP 2650 Switches

VLAN configuration on the 2650 units is much the same as for the 5308xl switches, but with a few important differences. VLANs are set up as before, by entering the switch's configuration context. But rather than declare an IP for every VLAN we simply enter the command 'vlan XXX', where XXX is the number of your VLAN, and then the next 'vlan XXX' command, until all VLANs have been created. For example, to set up VLAN 100 and VLAN 132 on a 2650 switch I would enter the commands:

    config
    vlan 100
    vlan 132

That is all that is needed. Each switch has only a single IP address, on your management VLAN. For VLAN 135 in my network I would enter:

    config
    vlan 135
    ip address 10.0.35.X /24

This is because VLAN 135 is the management VLAN, and all 2650 units have a single IP address on this VLAN only. So in the case of our network all of the 2650 units have an IP address on VLAN 135 but no IP address on any other VLAN. This helps secure the switch configuration, as end users outside of VLAN 135 have no address on the 2650 units in their own subnet to ping or log in to. Note, though, that the 5308xl core routes between all of these VLANs, so a host on VLAN 133 can still reach 10.0.35.X through the core; the separation only holds if the 2650 has no default gateway pointing back into the routed network, or if an ACL on the core (covered in Part Two) blocks traffic into the management VLAN. The end product as seen with 'show vlans':

And with 'show ip':

Having configured the switches for basic VLAN networking we now move on to the more technical configuration of these units. Part Two of this guide can be seen here.

HP ProCurve Network Hardware Configuration, Part Two

Firstly, welcome back to the second part of this guide. This part explores the more technical features of these units and explains what benefits they offer for your network, as well as how to configure them step by step. It covers configuration such as VLAN trunks, XRRP, RSTP and static routes on these units.

Part Two Contents:

1. VLAN Membership, Linking Switches and Trunks
2. XL Router Redundancy Protocol (XRRP) Configuration
3. Rapid Spanning-Tree Protocol (RSTP) Configuration
4. Access Control List (ACL) Configuration
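To make the core/edge split from the 2650 section above concrete, here is an added Python example (not code from the original article or from HP) that generates the VLAN and IP commands for a 5308xl core and a 2650 edge switch from the author's VLAN plan, using the VLAN-number-to-subnet convention from the VLAN Names / Numbers section. It checks that the two cores never share an address and shows which switch addresses a host in a given VLAN can reach without a router in the path. The hostnames, the VLAN names and the edge switch's host number (.10) are assumptions for the example, not values from the article.

```python
"""Core vs. edge VLAN/IP configuration generator.

Added example, not from the original article. It encodes the addressing
convention described in the article (VLAN 1XX <-> 10.0.XX.0/24, so VLAN 100
is 10.0.0.0/24 and VLAN 132 is 10.0.32.0/24), gives every VLAN an address on
the 5308xl cores (host .1 on core one, .2 on core two) plus 'ip routing',
and gives the 2650 edge switches an address on the management VLAN only.
The hostnames, VLAN names and the edge host offset are assumptions.
"""
from ipaddress import IPv4Interface, IPv4Network

# Constructed from the VLAN plan in the article; the names are assumed.
VLAN_PLAN = {100: "Servers", 132: "Apple-Macintosh", 133: "Downstairs-M2",
             134: "Upstairs-M2", 135: "IT-Management", 136: "M1"}
MANAGEMENT_VLAN = 135


def vlan_subnet(vlan_id: int) -> IPv4Network:
    """Third octet = VLAN number - 100: vlan_subnet(132) -> 10.0.32.0/24."""
    if not 100 <= vlan_id <= 355:
        raise ValueError(f"VLAN {vlan_id} does not fit the 10.0.X.0/24 scheme")
    return IPv4Network(f"10.0.{vlan_id - 100}.0/24")


def core_config(hostname: str, host_index: int) -> list:
    """5308xl: one address per VLAN and routing on. host_index is 1 for the
    first core and 2 for the second so the two never share an address."""
    lines = ["config", f"hostname {hostname}"]
    for vid, name in VLAN_PLAN.items():
        addr = IPv4Interface(f"{vlan_subnet(vid)[host_index]}/24")
        lines += [f"vlan {vid}", f"name {name}",
                  f"ip address {addr.with_prefixlen}", "exit"]
    lines += ["ip routing", "write mem"]
    return lines


def edge_config(hostname: str, mgmt_host: int) -> list:
    """2650: every VLAN declared (tagged uplinks need them to exist) but an
    address only on the management VLAN, and no 'ip routing'."""
    lines = ["config", f"hostname {hostname}"]
    for vid, name in VLAN_PLAN.items():
        lines += [f"vlan {vid}", f"name {name}"]
        if vid == MANAGEMENT_VLAN:
            lines.append(f"ip address {vlan_subnet(vid)[mgmt_host]}/24")
        lines.append("exit")
    lines.append("write mem")
    return lines


def addresses_in(config: list) -> list:
    """Interface addresses present in a generated config."""
    return [IPv4Interface(line.split()[2]) for line in config
            if line.startswith("ip address ")]


def address_collisions(*configs: list) -> set:
    """Addresses used by more than one switch; must be empty before deploying."""
    seen, duplicates = set(), set()
    for config in configs:
        for iface in addresses_in(config):
            ip = str(iface.ip)
            (duplicates if ip in seen else seen).add(ip)
    return duplicates


def directly_reachable(client_ip: str, config: list) -> list:
    """Switch addresses a client shares a subnet with, i.e. reachable with no
    router in the path. A host on VLAN 133 gets [] for an edge switch, which is
    the isolation the article relies on; with 'ip routing' on, the core can
    still forward to that address unless an ACL forbids it."""
    client = IPv4Interface(f"{client_ip}/24")
    return [str(i.ip) for i in addresses_in(config) if i.network == client.network]


if __name__ == "__main__":
    core1 = core_config("HP5308XLSwitch1", 1)
    edge = edge_config("HP2650-Ground", 10)
    print("\n".join(core1), "\n---", sep="")
    print("\n".join(edge))
    print("collisions:", address_collisions(core1, core_config("HP5308XLSwitch2", 2), edge))
    print("VLAN 133 host sees on edge:", directly_reachable("10.0.33.50", edge))
```

The generated lines are the same commands typed by hand in the sections above, so the script is mainly useful as a way to keep the two cores and a dozen edge switches consistent and to catch a duplicated address before it reaches a switch.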

1. VLAN Membership, Linking Switches and Trunks

VLAN Membership

Machine VLAN membership can be based upon one of three different factors, as discussed in the previous chapter: (i) port based, (ii) MAC address based, (iii) protocol based. In this chapter I will focus upon port based membership, as this type of VLAN is extremely easy to set up. I will use the command line throughout this section to configure the VLANs on both the 2650 and 5308xl switches, although it is possible to use the web interface.

Adding ports to a VLAN

We have already set up our VLANs on the switches; now we need to assign ports to them. Until this is done all ports are by default members of VLAN 1, the 'default VLAN'. When making a port a member of a particular VLAN we can use one of two commands, 'tag' or 'untag'. These commands are executed under the context menu for the VLAN you wish to add the port to. Explanations of these commands are below:

- 'untag': An 'untagged' port is a member of the VLAN in which it is untagged. Once a port has been 'untagged' in a particular VLAN, any device you plug into this port is automatically a member of that same VLAN. So if I make port 'G1' on my switch an untagged member of VLAN 100 and then plug a server into this port, the server will be a part of VLAN 100. If its IP is not from DHCP it will need to be configured with an IP compatible with this VLAN, in the case of VLAN 100 10.0.0.0/24. This is the command used for edge ports (the ports your machines / servers plug into). This also applies if I plug in a non-VLAN-aware switch: every port on that switch would be a part of the VLAN that its uplink cable is plugged into.
- 'tag': Tagged ports are primarily used to make trunks or links between switches. They are also used with servers and workstations that have VLAN-aware network cards. 'Tagged' ports are discussed further down this page.

A port can only be 'untagged' in a single VLAN, but can be 'tagged' in several VLANs. The commands below illustrate how to untag ports g1-g4 to make them part of VLAN 100:

    config
    vlan 100
    untag g1-g4
    write mem

You can untag multiple ports by simply using a hyphen, ie 'untag G1-G14'; this command would untag all fourteen ports. You can also use this to group sets of numbered ports, ie 'untag 1-4, 8-12, 16-20', and if you want to configure multiple modules in your 5308xl's you can use a comma to separate groups, ie 'untag A1-A4, B1-B4, C1-C4'. This should make port configuration on your edge switches and core switches very simple and quick. Once you're done you can check that you have configured your ports correctly by using the command 'show vlan xxx' where 'xxx' is the VLAN number you want to check the port configuration for. This command will produce output similar to that illustrated in the image below:

I used the 16-port xl modules (J4907A) in the 5308xl switches for direct connectivity of servers. Therefore all the ports in these modules were 'untagged' in VLAN 100, my server VLAN. This is simple to remember, and requires no configuration at a later date if another server is plugged into a vacant port. This is very simple for others in your department to understand; remember, simplicity is key. For the 2650 edge switches the configuration varied depending on location. If departments move, rather than changing patch cables round you can simply re-assign the ports to different VLANs in the switch configuration.

Linking Switches

This can be done one of two ways. You can use trunks (groups of multiple ports acting as a single, high-speed connection between switches), or you can use a single 1000T (or equivalent) uplink port. Your selection will vary depending on the speed and redundancy requirements of your network. Either method requires the VLANs to be 'tagged' on the uplink port / trunk.

I opted for the single-port gigabit link between the edge switches and the core switches. There are actually two uplink cables for each 2650 unit: one going to the primary 5308xl switch, the other to the secondary. However, the secondary link is set up as failover only; all traffic is blocked across this cable unless the primary link fails. This was done using spanning tree, which is discussed later. Why have I done this? Well, I wanted a completely redundant system, with the second switch as backup. By having one switch do all the work, if it fails the second switch can easily take over all switching duties. A single HP 5308xl switch is more than fast enough for most networks. The second point to consider is that there is little point in having a slow link across the two 5308xl switches: even if you were to set up an 8 Gb link it is still 70 Gb/sec slower than the 76.8 Gbps switch fabric! Therefore I opted for a single-switch environment. As a reliable failover link I created a four-port trunk between the two 5308xl units. This link is trunked with multiple cables so that if XRRP (discussed later) is enabled the switches will not fail over in the event of a cable being taken out by mistake. If you opt for the higher bandwidth option you can skip this section and go to the heading 'Trunk Information and Configuration'. There are further considerations to take into account if you choose the high-bandwidth route, which are discussed below.

I used the four port XL modules (J4878B) in the 5308xl switches for uplink cables to the 2650 edge-switches, and to create the trunk between the two 5308 switches. These have a lower contention ratio in comparison to the 16 port modules, meaning they are more effective as uplink ports. These modules are in slots A, B, C, D and E on both units. Trunks are discussed in detail after this section. With this in mind the setup for my system looks like this:

    config
    trunk A1-A4 trk1
    vlan 100 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 132 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 133 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 134 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 135 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 136 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    write mem

Both of the 5308xl switches were configured in the same manner. This meant that any of these ports could be used as an uplink to the 2650 switches, or any spare ports could be used in the future for further expansion of the network infrastructure.

The essential thing to remember when setting up any link between switches is that the ports in the switches at both ends are set up exactly the same:

[Image © HP, taken from the Advanced Traffic Management Guide]

As you can see in the above image, Switch '1' has port X and port Y configured with VLAN 1 untagged and VLAN 132 tagged. Switch '2' has port A and port B configured in exactly the same manner. It does not matter that they are different ports, just that they are set up with the same VLAN configuration. Therefore you would need to 'tag' the VLANs in the same fashion on the 2650 switches as you did on the 5308xl switches.

NOTE: At this point only one uplink cable should be connected to your 2650 units. If both are connected before spanning-tree is configured and enabled a network loop will exist and the switches will fail to respond. Note also that if XRRP (discussed here) is enabled the switches will not fail over in the event of a cable being taken out by mistake.

Trunk Information and Configuration

A Trunk is a group of 'tagged' ports used in linking switches together. These 'trunked' ports will act as a single, high speed connection, thus eliminating any bottle-necks. This is particularly useful when linking your edge-switches to your core switches, or if you have to link core-switches together. You can use up to 8 ports in a single trunk with the 5308xl switches, and up to 4 ports on the 2650 switches. Note that a trunk connecting two switches must have the same VLAN 'tagging' configuration on both switches in order for the trunk to work.

[Image © HP, taken from the Advanced Traffic Management Guide]

VLAN aware hardware adds a VLAN ID to each frame sent; this ID will be the number you use for your VLANs. By tagging ports on VLANs you allow the tagged VLANs to send traffic across the port; the only way this traffic can be distinguished from other VLAN traffic is this VLAN ID.

There is great scope for flexibility with trunks. Ports need not be sequential; you don't have to use G1-G3. What this means is you can use ports G1, G4 and H16 to create a single trunk. VLAN traffic can also be spread across different trunks, thus increasing available bandwidth substantially. For instance you could create trunk1 (trk1) and set it up so that traffic from VLANs 100, 132 and 133 only travels across it. You could then set up trunk2 (trk2) so that traffic from VLANs 134, 135 and 136 only travels across it. Likewise, if you know a particular VLAN needs a high-bandwidth link between switches then you could potentially create up to an 8 Gb/sec link for that individual VLAN, whilst all the other, slower VLANs travel across a 1 Gb/sec link. This is illustrated in the image below:

[Image © HP, taken from the Advanced Traffic Management Guide]

It is important to note cross-switch bandwidth restrictions at this point. The 5308xl units have an internal bandwidth of up to 76.8Gb/sec. It is not possible for us to create a link that is as fast as this between two of them; the fastest 'trunk' we can create is 8 Gb/sec. Therefore when you plan your network you must ensure that servers are placed on the same core-switch as the client devices that will be using them. There would be little point in plugging a server into one of the 5308xl switches and having the edge-switch that serves all of the client devices connected up to the second 5308xl unit. This would create a bottle-neck between the switches. If you plan your network properly there will be little need for cross core-switch traffic.

I used a single trunk in my design to link the two 5308xl units. This link was a failover link; all VLANs were tagged on this trunk.

When creating a VLAN trunk, the commands below illustrate how to create the trunk and tag VLANs to it:

    config
    trunk A1-A4 trk1
    vlan 100 tag trk1
    vlan 132 tag trk1

    vlan 133 tag trk1
    vlan 134 tag trk1
    vlan 135 tag trk1
    vlan 136 tag trk1
    write mem

This would create a trunk named 'trk1' consisting of ports A1-A4. All VLANs are tagged on this trunk. I would configure both 5308xl switches in the same way. After doing so, 4 cables can be connected from ports A1-A4 on switch 1 to A1-A4 on switch 2 without causing any looping problems.

The commands I used to configure the switches in my network for this section are as follows:

HP 5308xl Primary:

    config
    trunk A1-A4 trk1
    vlan 100 untag G1-G16, H1-H16
    vlan 100 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 132 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 133 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 134 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 135 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    vlan 136 tag trk1, B1-B4, C1-C4, D1-D4, E1-E4
    write mem

HP 5308xl Secondary:

    (the same commands as the primary)

HP 2650 Switches:

    config
    vlan 100 tag 49-50
    vlan 132 tag 49-50
    vlan 133 tag 49-50
    vlan 134 tag 49-50
    vlan 135 tag 49-50
    vlan 136 tag 49-50
    write mem

Contents:
1. VLAN Membership, Linking Switches and Trunks
2. XL Router Redundancy Protocol (XRRP) Configuration
3. Rapid Spanning-Tree Protocol (RSTP) Configuration
4. Access Control List (ACL) configuration

XL Router Redundancy Protocol (XRRP) Overview & Configuration

Having configured the switches for VLANs it is now time to set up XRRP, or XL Router Redundancy Protocol, in order to provide routing failover in the event of a core-switch failure. This section of the configuration is for the 5308xl units only. It is worth noting at this point that the 2650 units do not support XRRP.

XRRP Overview

XRRP, or XL Router Redundancy Protocol, allows for failover in the event of a router failing and is similar in function to the standard VRRP (and to Cisco's proprietary HSRP). Pairs of switches are configured to behave as backup routers for one another; each pair is referred to as a "Protection Domain." If a router fails in a Protection Domain the other router takes over all routing duties of the failed router. Each switch in a Protection Domain functions as a "Virtual Router" interface. A Virtual Interface exists for each router on every VLAN. If a switch fails, the remaining switch uses these Virtual Router interfaces to take control of the routing duties for the failed switch. Most importantly, the transfer of these duties is transparent to end users.

A protection domain is monitored using "Advertisement Intervals", a time interval at which XRRP packets are sent out on each virtual router interface. These packets are used to confirm that the switch is functioning correctly. If a switch in a Protection Domain fails to receive the Advertisement packets from its paired switch it will take over the routing duties until the Advertisement packets are detected again.

Certain prerequisites exist in order for XRRP to function correctly: both routers must have identical network access, i.e. they must have access to the same VLAN subnets and client nodes without having to pass through each other. A good example of this configuration is illustrated below:

[Image © HP Advanced Traffic Management Guide]

As you can see, each switch has access to the servers and the layer 2 switch independently.

XRRP Configuration

Before we begin, let me recap on my current setup. I have 6 VLANs:

    VLAN 100 - IP Range 10.0.0.0/19
    VLAN 132 - IP Range 10.0.32.0/24
    VLAN 133 - IP Range 10.0.33.0/24
    VLAN 134 - IP Range 10.0.34.0/24
    VLAN 135 - IP Range 10.0.35.0/24
    VLAN 136 - IP Range 10.0.36.0/24

5308xl Switch One is configured with the following IP addresses:

    VLAN 100 - 10.0.0.1/19
    VLAN 132 - 10.0.32.1/24
    VLAN 133 - 10.0.33.1/24
    VLAN 134 - 10.0.34.1/24
    VLAN 135 - 10.0.35.1/24
    VLAN 136 - 10.0.36.1/24

5308xl Switch Two is configured with the following IP addresses:

    VLAN 100 - 10.0.0.2/19
    VLAN 132 - 10.0.32.2/24
    VLAN 133 - 10.0.33.2/24
    VLAN 134 - 10.0.34.2/24
    VLAN 135 - 10.0.35.2/24
    VLAN 136 - 10.0.36.2/24

All of the 2650 units have an IP address on VLAN 135 ONLY. This is for the sole purpose of management and configuration.

It is not necessary, however, for these switches to have any IP address, but without an IP remote management is not possible.

Each edge-switch has been cabled so that it has a direct link to both core-switches. The second link is not always active and is controlled by Spanning Tree Protocol, which is discussed in depth later on in this article. I have bi-cabled all of our servers: a cable runs from each of the 5308xl units into dual-port, gigabit network cards on each server. This means that XRRP will function correctly, because in the event of a switch failure the remaining switch has access to all areas of the network.

Configuration of XRRP on the 5308xl units is quite simple. As our network consists of only two 5308xl core switches I will create only a single XRRP Protection Domain. I have configured 6 VLANs on these switches, and I will ensure that XRRP is configured to serve each of these in the event of a switch / router failure.

We'll start with the primary switch. First, start a telnet session with this switch (telnet sends the login in the clear; if your switch firmware supports SSH, use that instead). Next, enter the "config" command. Firstly we create the XRRP protection domain using the command "XRRP Domain 1". Now we establish this switch as the first, or primary, router in the protection domain, using the command "XRRP Router 1".

For each VLAN we must establish a physical router and a virtual router interface. The primary router interface will be the current switch address. The virtual router address will be the address of the secondary switch, so that the primary switch can identify which packets need to be routed in the event of the second switch failing, or vice versa.

Let's begin with VLAN 100. First we establish the physical, or primary, router interface: "XRRP instance 1 100". The "1" indicates that it is the primary instance; "100" represents the VLAN number to which this XRRP rule is to be applied. Now we must establish the virtual router interface: "XRRP instance 2 100 IP 10.0.0.2/19". The "2" indicates that it is the secondary, or virtual, router interface; "100" represents the VLAN number to which the rule is applied; "IP 10.0.0.2/19" represents the second core-switch IP address on VLAN 100. With that done, the configuration for VLAN 100 on 5308xl Switch One is complete.

Now the same steps must be completed for the remaining five VLANs on this switch. The commands to complete this configuration are listed below:

    XRRP instance 1 132
    XRRP instance 2 132 IP 10.0.32.2/24
    XRRP instance 1 133
    XRRP instance 2 133 IP 10.0.33.2/24
    XRRP instance 1 134
    XRRP instance 2 134 IP 10.0.34.2/24
    XRRP instance 1 135
    XRRP instance 2 135 IP 10.0.35.2/24
    XRRP instance 1 136
    XRRP instance 2 136 IP 10.0.36.2/24

First. "XRRP domain 1. "XRRP Router 2." We can now configure the XRRP Rules on this unit.2.33." Next we need to declare this router as the second router in the protection domain.35. Its gateway is set as 10.34.Rapid Spanning-Tree Protocol (RSTP) Configuration instance 2 133 XRRP instance 1 134 IP 10. When enabled.2.0. Access Control List (ACL) configuration Rapid Reconfiguration Spanning Tree Protocol (RSTP) Configuration Howto What is Rapid Reconfiguration Spanning Tree Protocol? Spanning Tree Protocol is a means of maintaining redundant loops or connections in your network. Now we declare this switch a member of the same XRRP Protection Domain as the first switch. Next. XL Router Redundancy Protocol (XRRP) Configuration 3. ensure both 5308xl units are connected and switched on. XRRP instance 1 100 IP 10. Contents: 1. VLAN Membership. The primary switch we be the first instance on all VLAN's. connect a client workstation to the primary 5308xl unit.0. Ensure the client TCP/IP gateway address is set as the IP of the second 5308xl switch on the VLAN to which the port it is connected to is assigned.1/24XRRP instance 2 132 XRRP instance 1 133 IP 10.32.1/24XRRP instance 2 136 With this configured we are now ready to test that XRRP failover is working! XRRP Testing The simplest way to check whether XRRP is working at this stage is as follows. For testing purposes my client workstation is connected to VLAN 100 with an IP of 10. Linking Switches and Trunks 2.3.1/24XRRP instance 2 135 XRRP instance 1 136 IP 10.0.1/19XRRP instance 2 100 XRRP instance 1 132 IP 10. STP .2. Lets move on to configuring the secondary 5308xl switch in our XRRP Protection Domain.1/24XRRP instance 2 134 XRRP instance 1 135 IP 10.0.36. First. this switch will be the secondary instance. establish a telnet session with the second switch and enter the \\"config\\" command.This completes the XRRP Configuration on 5308xl Switch One.2.0.0.

one is active. thus reducing downtime and increasing network robustness when a new path needs to be configured due to failure. would be made active. The standby link would be the secondary link. RSTP also offers increased configuration range for path costs and supports higher connection speeds in comparison to STP. The 802. which in the event of the primary link failing. compatible with STP and as a result it is the HP recommended protocol for deployment. For example.1D STP can take a long time to scan all data paths and determine the most efficient. This makes configuration fairly quick and easy. unlike the other protocols we have setup. RSTP is. The active / standby status of a port is determined upon the data path cost to the root switch. This means you can have two (or more) identical connections between switches.treats your mesh network as a single link. or standby link is automatically brought up. which are automatically brought up in preferential order in the event of the active link failing.000 There is only ever a single active link when spanning tree is enabled.1w RSTP standard significantly reduces this time.000 200. by design. Improvements over Spanning Tree Protocol (STP)? The original 802. An example configuration can be seen below: HP uses default path costs for RSTP as illustrated in the table below: Port Path Speed Path Cost 10 Mbps 100 Mbps 1000 Mbps 2. if a switch had two links to the core switch a direct link with a cost of 200. In the even of the port or module failing that connects the primary or active link the backup link.000. It scans your network for loops and maintains and monitors a single active link across all switches whilst preserving a database of standby links.000 20. First. and a secondary link which went via another switch with a cost of 400 then active link would be the link with a cost of 200. 
on your designated primary switch set a spanning-tree priority that will make this switch the 'root' switch (thus the highest priority on your network): . is enabled on the switch as a whole rather than on individual VLAN's. Each data path has a cost. the other standby. Implementation / Configuration Spanning-tree. the 'cheaper' the cost the higher the link priority.

but first we will configure all the remaining switches in your network in order to avoid problems with some switches having RSTP configured and others not. The first thing we need to do is set the RSTP priority on these units so that it is lower than noth the primary and secondary switches: spanning-tree priority 6 . These commands are pretty much universal across the Procurve range. login to your secondary core switch. this is because the detect This is only necessary when running RSTP. as per HP's instructions we must ensure RSTP is enabled on all ports that are used as up-links to other switches. This is done by setting a higher value than we used for the primary switch: spanning-tree priority 4 Again. hubs or bridges. no spanning-tree A1 edge-port Lastly we must configure RSTP on your edge switches. Next. For this unit we must set a lower priority so that RSTP knows that this switch is not the root switch. In this example I have used configuration commands for the HP Procurve 2650 switches. or range (use A1-A10 for a range) that you have setup to act as up-link ports.spanning-tree priority 2 Then we must force RSTP to be used over STP: spanning-tree protocol-version rstp Next. This is done using the command: no spanning-tree A1 edge-port Note: Change A1 to the port number. The primary switch is now ready to have RSTP enabled. we must now force RSTP operation on this unit: spanning-tree protocol-version rstp Finally on this unit we must ensure spanning-tree is enabled on all ports that are used as up-links to other switches and trunks.

This can cause a short disconnection in your network. followed by the 5308xl secondary unit and then the 2650 switches.Next. NOTES: The reason for me leaving a free number in between spanning-tree priorities is so that if I add an extra core switch to my network or another device that needs a higher priority than the 2650 or 5308xl units I can configure this unit without having to reconfigure all of my RSTP settings for my network. detailed spanning-tree configuration:sh spanning-tree config Contents: . Your configuration is saved by the 'write mem' command. so do not run this at a mission critical time. The commands that should be executed are as follows: spanning-treewritemem RSTP will now scan every path on your network and setup active and standby paths. we must configure RSTP so that it is enabled on the up-link ports to the core switches: no spanning-tree 49-50 edge-port Finally we set the protocol version to RSTP: spanning-tree protocol-version rstp With the configuration of all the switches complete we can now enable spanning tree on these units commencing with the 5308xl primary unit. Thus if you would prefer your data to take a path that differs from the default it is possible to do this using the command: Switch command cheat sheet To set the STP protocol version to RSTP:spanning-tree protocol-version rstp To set spanning-tree priority on a switch:spanning-tree priority 2 To disable spanning-tree operation on a trunk / switch uplink port:no spanning-tree A1 edge-port To enable spanning-tree:spanning-tree To view the current. I would recommend you do the same thing! It is possible to manually assign a cost to a path.

HP Access Control List Howto

A quick lesson: first things first, I recommend you read this brief tutorial on subnetting: Subnet Tutorial. With that out of the way you should have a reasonable understanding of a subnet. This will be important in your quest to set up ACLs on your 5308xl (or any other HP Procurve product) units.

What is an Access Control List?

ACLs are a means to further secure your LAN / VLANs. Think of them almost like firewalls. You can block traffic to certain areas of your network, or to certain ports on certain IP addresses. A single ACL consists of a group of Access Control Entries (ACEs), which are rules. Note that on these switches an ACL filters traffic that is routed between VLANs (and traffic addressed to the switch's own IP addresses); traffic that stays within one VLAN is switched, not routed, and is not filtered.

How do they work?

For a given ACE an IP address and corresponding mask is compared to the IP address carried by the packet. In an ACE a mask-bit setting of '0', or off, requires the corresponding bit in the packet's IP address and the ACE's IP address to be identical. A mask-bit setting of '1', or on, means the corresponding bit in the IP address and ACE do not have to be the same. This is better described in the table below:

[Table: ACE mask bit semantics, from the original page]

Therefore an ACE mask of all ones (255.255.255.255) means ANY IP address is a match, and a mask of all zeros (0.0.0.0) means that only the SINGLE IP defined in the ACE is a match. The ACE mask will, like a subnet mask, be comprised of 1s and/or 0s. However an ACE mask need not be contiguous like a subnet mask, and its sense is inverted compared with a subnet mask: the network 10.0.0.0 / 255.255.255.0 is written in an ACE as 10.0.0.0 0.0.0.255.

In my test environment let's say I have 3 VLANs:

    10.0.0.0 / 255.255.255.0 - VLAN 100
    10.0.1.0 / 255.255.255.0 - VLAN 101
    10.0.2.0 / 255.255.255.0 - VLAN 102 - IT Admin VLAN

For instance, on our network here the main firewall configuration menu can be viewed from the following address: 10.0.2.9:81. If I set up an ACL to block traffic to port 81 from all VLANs other than the IT Admin network then no-one other than administrators will be able to view the configuration / settings of the firewall. In fact they will not even know the web server running on the firewall exists. For this I would set up the following ACEs (don't worry, this is explained later on):

    deny tcp 10.0.0.0 0.0.0.255 10.0.2.9 0.0.0.0 eq 81
    deny tcp 10.0.1.0 0.0.0.255 10.0.2.9 0.0.0.0 eq 81
    permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

The top two rules block access from VLANs 100 and 101 but allow all other traffic, thus they wouldn't affect the IT Admin VLAN.

The order in which rules appear is essential. This is because the switches use Sequential Comparison and Action: when the switch interrogates a packet it works its way down the IP access list until it finds a match, and it will act upon the first match that fits the packet. For example:

    deny ip 0.0.0.0 255.255.255.255 10.0.2.0 0.0.0.255
    permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

The above rules would block access from a particular VLAN to the IP range 10.0.2.0/24. The last rule allows all other traffic to pass. However, if I were to write the rules in this order:

    permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    deny ip 0.0.0.0 255.255.255.255 10.0.2.0 0.0.0.255

the traffic would not be blocked, because the first rule declares that any traffic can go to any IP address. Remember also that every ACL ends with an implicit deny of anything not matched by an earlier entry, which is why the lists above finish with an explicit 'permit ip' for everything else.

Types of Access Control List and Examples

There are two types of access control list:

1. Standard ACLs, which use numbers 1-99, allowing for simple IP based access control and restriction. A standard ACL matches on the source address only. An example of a standard ACL:

    deny 10.0.0.0 0.0.0.255
    deny 10.0.1.0 0.0.0.255
    permit 0.0.0.0 255.255.255.255

The top two rules block traffic from VLANs 100 and 101 but allow all other traffic.
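The mask semantics and the first-match rule above can be checked with a small evaluator. The following is an added example written for this page, not HP code: it models wildcard-mask matching and sequential comparison with the implicit deny, and also handles the protocol and 'eq <port>' fields of the extended ACEs shown further down, so it goes slightly beyond the standard ACL just covered. The ACL lines and packets are constructed test data based on the firewall example in this section (firewall at 10.0.2.9, port 81).

```python
"""Model of HP ProCurve ACE matching as described on this page (added example,
not HP's code). A wildcard-mask bit of 0 means the packet bit must equal the
ACE bit; a bit of 1 means "don't care". Entries are compared top to bottom,
the first match decides, and a list with no match denies (the implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(text: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """True if addr equals ace_addr in every bit position where the wildcard is 0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(ace_addr) & care)


def cidr_to_wildcard(prefix: str) -> tuple[str, str]:
    """'10.0.36.0/24' -> ('10.0.36.0', '0.0.0.255'): the inverted subnet mask."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


@dataclass
class ACE:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' (any IP protocol), 'tcp' or 'udp'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port from 'eq <port>', if given

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def parse_ace(line: str) -> ACE:
    """Parse one extended ACE in the 'action proto src wc dst wc [eq port]' form."""
    t = line.split()
    if len(t) not in (6, 8) or t[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACE: {line!r}")
    dport = None
    if len(t) == 8:
        if t[6] != "eq":
            raise ValueError(f"unrecognised port operator in: {line!r}")
        dport = int(t[7])
    return ACE(t[0], t[1], t[2], t[3], t[4], t[5], dport)


def evaluate(acl: list[str], pkt: dict) -> str:
    """Sequential comparison and action: the first matching ACE wins, else 'deny'."""
    for line in acl:
        ace = parse_ace(line)
        if ace.matches(pkt):
            return ace.action
    return "deny"  # the switch's implicit deny at the end of every ACL


# Constructed test data: the firewall example from the text, denies first.
ACL_GOOD = [
    "deny tcp 10.0.0.0 0.0.0.255 10.0.2.9 0.0.0.0 eq 81",
    "deny tcp 10.0.1.0 0.0.0.255 10.0.2.9 0.0.0.0 eq 81",
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
# The same entries with the permit-any first: the denies are never reached.
ACL_BAD = [ACL_GOOD[2], ACL_GOOD[0], ACL_GOOD[1]]

PKT_USER = {"proto": "tcp", "src": "10.0.0.25", "dst": "10.0.2.9", "dport": 81}
PKT_ADMIN = {"proto": "tcp", "src": "10.0.2.40", "dst": "10.0.2.9", "dport": 81}
PKT_OTHER = {"proto": "tcp", "src": "10.0.0.25", "dst": "10.0.2.9", "dport": 443}

if __name__ == "__main__":
    for name, acl in (("denies first", ACL_GOOD), ("permit first", ACL_BAD)):
        print(name, [evaluate(acl, p) for p in (PKT_USER, PKT_ADMIN, PKT_OTHER)])
```

Running it shows the VLAN 100 user denied and the administrator permitted with the denies first, and everyone permitted once the 'permit ip' line is moved to the top; cidr_to_wildcard is handy for turning the subnets from your VLAN plan into the inverted masks the ACEs need.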

2. Extended ACLs, which use numbers from 100-199. These allow for simple IP based access control as well as TCP / UDP port restriction, which is one step better. This type of rule is useful for blocking telnet access to a switch, or ssh access to a firewall. Therefore this type of rule can add an extra layer of security to your network. An example of an extended access-list:

    deny tcp 10.0.1.0 0.0.0.255 10.0.0.3 0.0.0.0 eq 81
    deny tcp 10.0.1.0 0.0.0.255 10.0.0.3 0.0.0.0 eq 445
    permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

The above rules would block access to ports 81 and 445 at IP address 10.0.0.3 but would allow all other traffic to pass. An extended ACE can also be written without a port:

    deny ip 10.0.1.0 0.0.0.255 10.0.0.3 0.0.0.0
    permit ip 10.0.1.0 0.0.0.255 0.0.0.0 255.255.255.255

This rule set would block ALL traffic from 10.0.1.0/24 to 10.0.0.3 and allow all other traffic to go anywhere from the 10.0.1.0 network. This type of rule is ideal if you want to stop traffic from passing to a particular IP address or set of IP addresses from certain VLANs or IP addresses.

Switch command cheat sheet for ACLs:

To view an existing access list:
    show access-list access_list_number_here
To set up a new access list:
    ip access-list standard new_access-list_number_here
    ip access-list extended new_access-list_number_here
To remove an access list:
    no ip access-list standard access_list_number_here
    no ip access-list extended access_list_number_here

It is far simpler, however, to use remote command files, as ACLs can become very long very quickly. A command file can be loaded from the switch's command-line interface with the following command (the final argument gives the line-ending format of the file):

    copy tftp command-file 10.0.0.3 file_name_with_commands_in unix

In this example I have a tftp server running on IP address 10.0.0.3. TFTP is unauthenticated, so keep the server on a VLAN you trust and stop it when you are done. If I wanted to set up an access-list on VLAN 136 called '136' then I could make the following command file:

    no ip access-list extended 136
    ip access-list extended 136
    deny tcp 10.0.36.0 0.0.0.255 10.0.0.3 0.0.0.0 eq 23
    deny tcp 10.0.36.0 0.0.0.255 10.0.0.3 0.0.0.0 eq 22
    deny tcp 10.0.36.0 0.0.0.255 10.0.0.3 0.0.0.0 eq 80
    deny tcp 10.0.36.0 0.0.0.255 10.0.35.0 0.0.0.255 eq 23
    deny tcp 10.0.36.0 0.0.0.255 10.0.35.0 0.0.0.255 eq 22
    deny tcp 10.0.36.0 0.0.0.255 10.0.35.0 0.0.0.255 eq 80
    deny ip 10.0.36.0 0.0.0.255 10.0.34.0 0.0.0.255
    permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

I would then save the file to my tftp server's root. Note how I issue the command 'no ip access-list extended 136' first, to ensure that the existing access-list is removed and that my changes are written in the correct order. In a normal VLAN environment this type of filtering is ideal, and is what I use on the 6 VLANs we have at the office.

Assign an ACL to a VLAN

This process is very simple, and there are two ways in which an ACL can be set on a particular VLAN. The key is the direction in which traffic is to flow. When a packet leaves your machine it enters the switch; if you want to filter the traffic at this stage you would assign the ACL to the 'in' filter for that particular VLAN. Once processed by the switch the traffic then leaves the switch, headed for its destination. An ACL can be assigned at this point instead, or as well; in this case you would assign the ACL to the 'out' filter for that VLAN. A point worth considering is that it is far more economical to filter at the point where the traffic enters the switch, as this way the switch does not process the packet only to drop it as it leaves. In the example below I am assigning an ACL named 136 to VLAN 136.

To assign an ACL to a VLAN use the following commands:

    config
    vlan 136
    ip access-group 136 in

We have now successfully assigned the extended ACL '136' to VLAN 136. Finally, save your configuration to memory so that in the event of a reboot the configuration is restored. This can be done using the command:

    write mem

Tags: hp, network

Last Updated on Saturday, 07 June 2008 08:31
