ProCurve Best Practices PDF

HP ProCurve
Networking
Andy Gallacher
Nov, 2009
2008 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.
Agenda
Product Overview & Whats New
Physical Infrastructure (Cabling, 10 GbE)
Link technologies (Auto MDIX, Negotiation)
Design methodologies (Link aggregation,
VLANs, STP)
Server Teaming
Router Redundancy (VRRP)
ProCurve Manager
HP ProCurve: Quick Facts
Price/Performance
(ProCurve is often 20-30% less than the
competition)
Lifetime Warranty
(ALL hubs and switches/routing switches to 8200zl)
Technical Phone Support / Firmware Upgrades
Industry Standards
ProCurve Manager SW
(Network Management Software shipped with each switch)
Magic Quadrant:
Enterprise LAN (Global), 2009
ProCurve
Positioned
in Gartners
Leaders
Quadrant
The Gartner Magic Quadrant is copyrighted April 2009 by Gartner, Inc.,
and is reused with permission. The Magic Quadrant is a graphical
representation of a marketplace at and for a specific time period. It depicts
Gartners analysis of how certain vendors measure against criteria for that
marketplace, as defined by Gartner. Gartner does not endorse any
vendor, product or service depicted in the Magic Quadrant, and does not
advise technology users to select only those vendors placed in the
Leaders quadrant. The Magic Quadrant is intended solely as a research
tool, and is not meant to be a specific guide to action. Gartner disclaims
all warranties, express or implied, with respect to this research, including
any warranties of merchantability or fitness for a particular purpose.
The Magic Quadrant graphic was published by Gartner, Inc., as part of a
larger research note and should be evaluated in the context of the entire
report. The Gartner report is available upon request from HP ProCurve.
Magic Quadrant for Enterprise LAN (Global), 2009,

Mark Fabbi, Tim Zimmerman,
30 April 2009.
4
Why HP ProCurve Networking?
Customer Value
Reduced complexity Proactive networking

Focused on innovation and ease of use
Secure solutions
Security and Trust Trusted partner
Highly available
Reliability HP quality and industry-best warranty
Price/performance leadership
Superior return on IT Engineered for affordability
HP ProCurve product categories
Switches Wireless LAN WAN
Core & Edge Switches
Secure Router
Access Point & Controller
Scalable core-to-edge switches 802.11n wireless solutions WAN solutions provide

based on open standards unify provide networking access, adaptable, unified edge-to-edge
the network & reduce complexity management and security. network connectivity.
Data Center Network Management Network Security
DCM Controller
DC solutions provide policy- Device handling capabilities such Security features embedded
based, automated provisioning of as mapping, configuration and throughout the network that detect
network and server resources. monitoring across the network. and respond to threats.
ProCurve Switching Portfolio
Core/ Distribution
Data
Center Core
&
Distribution /
LAN Enterprise Aggregation
Data Center
Traditional Specific Design
Full Layer 3+,
Edge High- Layer 4, HA
Layers 2 & 3,
Established Function Automated
Edge (AEA) provisioning
Technology Basic & 8200,
6200
Enterprise Core/Distribution
6600, 6120
Edge DC Connection
Simple, Full Layer 3
Manager
Cost
Effective Layer 3 lite,
Security, 5400,
Connectivity
Sflow 3500,
WAN
Layer 2, 4200, 2800,
Web managed, 2610,2910
Unmanaged
2810, 2510,
1800, 1700,
1400
Small Business Enterprise

Networks Networks
Portfolio Overview
LAN Enterprise
Switches
2910al/2910al-PoE:
High performance gigabit access switch 2910al-PoE
Traditional Four optional 10-Gigabit ports (CX4 and/or SFP+)
IEEE 802.3af/802.3at functionality (PoE/PoE+) 2910al
Edge Layer 2 switching with static and RIP IP routing
Lifetime Warranty, sFlow, ACLs and rate limiting
2610/2610-PWR:
Access layer 10/100 switch
Static IP routes enable routing between VLANs
2610-PWR
Robust and granular security and QoS policies 2610
Redundancy with RPS support Lite Layer 3
Managed
Functionality
2810:
2810 Managed Layer 2 feature set with 24 or 48 Gig ports
sFlow, source port filtering, enhanced security
GA Nov. 1 2009 Redundancy with RPS support

Four SFP ports for fiber connectivity
More robust/granular QoS
Established 2520G-PoE 2520G/2520:

Managed layer 2 PoE switch family
Technology 2520-PoE 8 or 24 10/100 or Gigabit ports
Ability to prioritize traffic using QoS for reliable VoIP deployments
Quiet operation and small form-factor for open space deployment
2510G/2510:
2510G Managed layer 2 feature set
24 or 48 10/100 or Gigabit ports Layer 2
2510 Two SFP ports for fiber connectivity
Quiet operation for open space deployment
Managed
1810G/1700:
1810G Plug and play connectivity
Basic network configuration capabilities
Excellent migration from unmanaged switches
Layer 2
1700 Silent operation for open space deployment
Web Managed
Price/Performance
LAN Enterprise Switches
(Same ASIC and features)
8212zl
8206zl
5406zl PoE/PoE+
5412zl PoE/PoE+
3500yl 1G PoE/PoE+
3500 10/100 PoE/PoE+
3500 10/100 Non-PoE
Expanding The ProVision

Family
9
Whats New

Introducing the ProCurve 2520/2520G
Switch Series (Established Technology)
HP ProCurve 2520-24-PoE Switch (J9138A)

HP ProCurve 2520-8-PoE Switch (J9137A)
HP ProCurve 2520G-24-PoE Switch (J9280A)

HP ProCurve 2520G-8-PoE Switch (J9279A)
2520-8-PoE - 8 10/100-T ports + 2520-24-PoE - 24 10/100-T ports +

two shared 10/100/1000-T SFP 2 10/100/1000-T ports + two shared
ports for fiber connectivity 10/100/1000-T or SFP ports for fiber
connectivity
2520G-8-PoE - 8 10/100/1000-
T ports + two shared 2520G-24-PoE - 22 10/100/1000-T
10/100/1000-T SFP ports for fiber ports + four shared 10/100/1000-T or SFP
connectivity ports for fiber connectivity
3500 10/100 Portfolio (LAN Enterprise)
J Number Official Product Description
J9470A HP ProCurve 3500-24 Switch
J9472A HP ProCurve 3500-48 Switch
J9471A HP ProCurve 3500-24-PoE Switch
J9473A HP ProCurve 3500-48-PoE Switch
These switches have no expansion slots for the ProCurve Switch yl Module,
so they do not have the yl designation.
12
8206zl Base SystemJ9475A
(LAN Enterprise/Core)
Rear:
Fan Tray, Power Supplies
Includes:
Mgmt Modules
1x chassis
1x management
module
6 RU 2x fabric modules
Interface/Service 1x system support
Module Slots module
1x fan tray
6 interface/services
Fabric Modules
module slots
8206zl Front View
13
8206zl vs. 8212zl
8206zl 8212zl
Moderate-port-count network
Target Market Higher port-count network deployments
deployments
Up to 144 10/100/1000 Up to 288 10/100/1000
Port Density
Up to 24 10GbE Up to 48 10GbE
Rack Units Occupied 6 RU 9 RU
Performance 322.8 Gbps 646 Gbps
Throughput 240.2 mpps 428 mpps
L3 services when running at L2; L3 L3 services when running at L2; L3
L2/L3
routing with Premium License routing with Premium License
Optimized Port
GbE 10 GbE GbE 10 GbE
Environment
Dual/slotted mgmt/fabric; passive Dual/slotted mgmt/fabric; passive
High Availability
backplane; redundant power backplane; redundant power
PoE/PoE+ Yes, standard Yes, standard
Interface/Services
6 supported 12 supported
Modules
Internal 2 supported: up to 1800 watts 4 supported: up to 3600 watts
Power Supplies PoE/PoE+ power PoE/PoE+ power
*The price reflects the new 8212zl base system, J8715B, which does not include the premium license.
14
Known zl Interface Modules
J8702A: 24-Port 10/100/1000 PoE zl Module
J8705A: 20-Port 10/100/1000 PoE + 4-Port Mini-GBIC/SFP zl

Module
LH-LC, LX-LC, SX-LC, BX, 1000Base-T Mini-GBIC/SFP support
100-Meg xcvrs (100-FX) for SFP slots
J8706A: 24-Port Mini-GBIC zl Module

LH-LC, LX-LC, SX-LC, BX, 1000Base-T Mini-GBIC support
J8707A: 4-Port 10GbE X2 zl Module

CX4, SR, LR, J8707A - zl 4-Port LRM, or ER optics support
J8708A - 4-Port 10GbE CX4 zl Module

CX4, SR, LR, J8707A - zl 4-Port LRM, or ER optics support
Used with both the 8200zl and 5400zl switches

15
HP ProCurve zl Power Supplies
Chassis PoE PoE+ 8212zl/5412zl:
Power Power Power Up to 4 power
supplies, 3600W
875W Power PoE/PoE+
Supply J8712A
600W 273W
(110-127/ (5400 watts with
200-240 VAC) Power Supply
Shelf)
1500W Power
Supply J8713A 600W 900W
(220 VAC only)
8206zl/5406zl:
1500W Power Up to 2 power
Supply J9306A 300W/ 300W/ supplies, 1800W
New! 600W
(110-127/ 900W 900W PoE/PoE+
200-240 VAC)
(3600W with
Power Supply Shelf Up to Up to Power Supply
0
J8714A 1800W 1800W Shelf)
Used with both 8200zl and 5400zl

16
HP ProCurve zl Power Supply Specs
Electrical Characteristics
New!
875W 1500W 1500W PoE+
zl Power
zl Power Supply Supply zl Power Supply
(J8712A) (J8713A) (J9306A)

Input 110127 VAC 200240 VAC 200220 VAC 110127 VAC 200240 VAC
Voltage
Input 11.5 A 5.7 A 10 A 13 A 10 A
Current
PoE Power 273 W 273 W 900 W 300 W 900 W
Frequency 50/60 Hz 50/60 Hz 50/60 Hz 50/60 HZ 50/60 Hz
PoE/PoE+ PoE PoE PoE PoE+ PoE+

HP ProCurve 6600 Switch Series (Data Center)
Product # Description
J9263A HP ProCurve 6600-24G
(24) 1G ports
J9264A HP ProCurve 6600-24G-4XG

(24) 1G ports, (4) 10G ports
J9265A HP ProCurve 6600-24XG Switch

(24) 10G ports
J9451A HP ProCurve 6600-48G Switch

(48) 1G ports
J9452A HP ProCurve 6600-48G-4XG

Switch
(48) 1G ports and (4) 10G ports
ProCurve ONE Services zl Module
SKU: J9289A
Intel T7500 Core 2 Duo, 4G Main Memory, 4G
Flash, 250GB 7200RPM SATA HDD
2 x 10G Ethernet connections to backplane
Warranty: Industry-Leading Lifetime, HDD
exception: Five years*
Supported in zl series chassis

5400zl for edge and branch (4U/7U)
8200 with high availability for core and
distribution (9U)
Data
Center
Core
Edge
Branch
19 Striking a Balance
ProCurve ONE Alliance Partners (1/26/09)
20 Striking a Balance
Services Modules
J9289A HP ProCurve ONE Services zl Module
J9155A- HP ProCurve TMS zl Module
J9370A - HP ProCurve MSM765zl Mobility Controller
J9371A - HP ProCurve MSM760/765 40 AP License
21
HP ProCurve Manager 3.0 (HP PCM
3.0) Overview
9 HP PCM 3.0 Overview
HP PCM 3.0 Enhancements
New Architecture (10 Agents)
Enhanced Custom Group Management
Granular User Profiles
Support For Cisco Devices
PCM 3.0 Licensing
Plug-in Applications for PCM 3.0
PCM 3.0 Use Models
Upgrade PCM 2.3 to PCM 3.0
Maintenance and Troubleshooting
c-Class BladeSystem Interconnect Types
Pass-thru module
For scenarios where one-to-one server to
network connections are required
Equivalent to a patch panel
Virtual Connect module
Simplest, and most flexible connectivity to a
network
Appears as a L2 bridge to the network
Ethernet switch
Interconnect aggregation and cable
reduction using a managed switch
Provides typical L2 switching feature set and
may offer L3 routing capabilities
6120G/XG Hardware Overview:
Front Panel
16x 1GbE internal ports for server/storage blade access

Midplane
1x 10GbE internal port for switch-to-switch access
Clear Reset
1x 10GbE CX4 port 2x 10GbE XFP ports Console port button button
CX4 cable DAC, SR and LR optics Type A (recessed)
mini-USB
2x 1GbE SFP ports
Copper, and SX and 4x 10/100/1000 RJ-45 ports
Module status LED
LX optics Link status LED
Greennormal,
Amberfault Greenconnected, Amberfault
For 10GbE & 1GbE ports:
Link activity LED
Link status LED
Module locator LED Green flashing10/100 activity
Greenconnected,
Blueselected Amber flashing1000 activity
Amberfault
Link activity LED
Green flashingactivity
6120XG Hardware Overview:
Front Panel
16x 10GbE internal ports for server/storage blade access

Midplane
2x 10GbE internal port for switch-to-switch access
shared
port dedicated ports individually
Clear (18, 19, 20, 21, 22)
Reset
(17) shared ports
button (23, 24) button
Console port 5x 10GbE SFP+ ports

2x 10GbE SFP+ ports
Type A DAC, and SR, LR,
mini-USB and LRM optics DAC, and SR, LR,
and LRM optics
-- or --
Module status LED 1x 10GbE CX4 port 2x 10GbE internal
Greennormal, CX4 cable S2S ports
Amberfault
-- or --
10GbE SFP+ ports also support use of
1x 10GbE SFP+ port
Module locator LED 1GbE SFP (SX, LX, Gig-T) transceivers
DAC, and SR, LR,
Blueselected and LRM optics
Blade Switch Comparisons
ProCurve
ProCurve HP 1:10Gb Cisco Cisco Cisco
a 6120G/X
6120XG Ethernet BL-c 3020 3120G 3120X
G
External 2 SFP
None 1 4 RJ-45
4 SFP/RJ-45 4 SFP/RJ-45
4 RJ-45
1GbE ports 4 RJ-45 4 RJ-45 4 RJ-45
External 1 SFP+/CX4
1 CX4 1 CX4 4 SFP or
10GbE 2 XFP
5 SFP+
2 XFP
None None
2 X2
2 SFP+/S2S
ports
512 MB RAM 512 MB RAM 256 MB RAM 128 MB RAM 256 MB RAM
Memory 256 MB flash 640 MB flash 64 MB flash 32 MB Flash 64 MB flash
Manageme LLDP-MED HTTPS

SNMPv3 SNMPv3
nt SNMPv3 SNMPv3
Access 802.1X, Web, MAC auth

ACLs, SSH, RADIUS ACLs, 802.1X, ACLs, 802.1X, Web, MAC
Security & TACACS+ auth Web, MAC auth auth
IGMP 256 groups 1K groups 1K groups 1K groups

Multicast
Forwarding L2, IPv6 host,
16K MAC ,
L2, IPv6 host,
32K MAC ,
L2, L3, VRRP, 16K L2+, 8K MAC, L2 (upgradeable to L3 &
/ Routing 256 VLANs 256 VLANs
MAC , 1K VLANs 1K VLANs IPv6), 8K MAC, 1K VLANs
Rate Extensive, highly

Extensive, highly granular
granular with rate
Limiting/ Ingress, L3/L4 prioritization QoS and 802.1p
limiting & traffic
with rate limiting & traffic
shaping
QoS shaping
Stacking No No No Stackwise
Warranty Lifetime 1 year 1 year 1 year
1 1GbE SFP optics (SX and LX) and Gig-T transceivers can be installed in any of the external 10GbE ports.
Software Features
General Networking Features IP Multicast
IEEE 802.1D MAC Bridges IGMPv1, v2 & v3 (Data Driven)
IEEE 802.1p Priority Device Management
IEEE 802.1Q VLANs
IEEE 802.1v VLAN classification by Protocol CLI Access Using Console, Telnet, or SSH
and Port HTTP and HTTPS Web Management Access
SSHv1/SSHv2 Management Access
QOS (COS, TOS, DSCP) HP Onboard Administrator Integration
IEEE 802.1D RSTP (formerly 802.1w) OOBM (with DHCP client default)
IEEE 802.1Q MSTP (formerly 802.1s) Authorized Managers List
BPDU Protection and STP root guard
IEEE 802.3ad LACP Security
IEEE 802.3x Flow Control Concurrent Port-Based 802.1X, Web and MAC
RFC 792 ICMP Authentication
Broadcast Throttling RADIUS & TACACS+
RFC 951 BOOTP and RFC 1542 Extensions Port Security
MAC Address Lockout
RFC 2030 SNTP
RFC 2131 DHCP Information Option with DHCP Monitor and Diagnostics
Protection Port Mirroring
TFTP, SFTP, FTP RMON v1/v2
Uni-Directional Link Detection
IPv6 Host Network Management
ICMP Rate-limiting LLDP-MED
Syslog Protocol
SNMPv1/v2c/v3
Parts Information
Description Part No.
HP ProCurve 6120G/XG Blade Switch 498358-B21 Two
Two blade
blade
HP ProCurve 6120XG Blade Switch 516733-B21 switches
switches
HP SFP+ SR Transceiver 455883-B21
HP SFP+ LR Transceiver 455886-B21
HP SFP+ LRM Transceiver 455889-B21
HP 10GbE SFP+ .5m Direct Attach Cable 487649-B21
HP 10GbE SFP+ 1m Direct Attach Cable 487652-B21
HP
HP ISS
ISS parts
parts
HP 1Gb SX SFP Option Kit 453151-B21
HP 1Gb RJ-45 SFP Option Kit 453154-B21
HP XFP 850nm SR Module 443756-B21
HP XFP 1310nm LR Module 443757-B21
Parts Information (cont.)
Description Part No.
HP ProCurve SFP+ SR Transceiver J9150A
HP ProCurve SFP+ LR Transceiver J9151A
HP ProCurve SFP+ LRM Transceiver J9152A
HP ProCurve 10-GbE SFP+ 1m Direct Attach Cable J9281A/B Only
Only version
version
B
B DACs
DACs can
can
HP ProCurve 10-GbE SFP+ 3m Direct Attach Cable J9283A/B
be
be purchased
purchased
HP ProCurve 10-GbE SFP+ 7m Direct Attach Cable J9285A/B going
going forward
forward
HP ProCurve 10-GbE XFP-SFP+ 1m Direct Attach Cable J9300A
XFP
XFP connector
connector on
on one
one end,
end,
SFP+
SFP+ connector
connector on
on the
the other
other
Applicable
Applicable to
to 6120G/XG
6120G/XG
Cable Infrastructure

Cable specifications for full-duplex
Ethernet
Interface type Cable supported Maximum distance
1000Base-SX Multimode (62.5 micron) 275 meters
1000Base-SX Multimode (50 micron) 500 meters
1000Base-LX Single-mode (9 micron) 10 kilometers
1000Base-LX ** Multimode (62.5 or 50 micron) 550 meters
100/1000Base-T Category 5e UTP 100 meters
1000-BX Single-mode (9 micron) 10 kilometers
100-BX Single-mode (9 micron) 10 kilometers

Cable specifications for full-duplex
Ethernet
Interface type Cable supported Maximum distance
10G-CX4 4X Twinax (Infiniband-style) 15 meters
10GBASE-SR Multimode (62.5 micron) 2-33 meters
10GBASE-SR Multimode (50 micron/2000 Mhz) 300 meters
10GBASE-LR Single-mode (9 micron) 10 kilometers
10GBASE-ER Single-mode (9 micron) 40 kilometers
10GBASE-LRM Multimode (62.5 micron) 220 meters
http://www.hp.com/rnd/support/faqs/10-GbE-trans.htm
Connector Types
HP ProCurve Mini GBIC / Transceivers
J4858C 1000Base-SX port Type 1000Base-SX
Connector: LC maximum distance 220 meters
J4859C 1000Base-LX port Type 1000Base-LX

Connector: LC maximum distance 10 km
J4860C 1000Base-LH port Type 1000Base-LH
J8177B 1000BT SPF;Connector RJ45 100 meters
J9142B 1000-BX-D SFP-LC

J9143B 1000-BX-U SFP-LC

J9054B 100FX SPF;Connector RJ45 100 meters
J9099B 100-BX-D SFP-LC

J9100B 100-BX-U SFP-LC

Transceiver Packaging Comparison
Xenpak X2 GBIC mGBIC
(or SFP+)
9300 3400cl & 6400cl PNB doesnt

support
GBICs in any
of our
products
10Gig only 10Gig only Gigabit only Gigabit/10 GbE

SFP+ 10G Technology
Next gen technology enables lower cost per
10G port
Supports Direct Attach Cable (DAC) for very low cost
over short ranges
Smaller form factor than X2 or XFP
Provides higher port density
Same form factor as Gig SFP
Provides thermal benefits leading to power
savings
SFP+ consumes 1W per port
X2 consumes 4W per port
Supports 10G SR, LR, LRM
36
HP ProCurve Switch Accessories
SFP+
A new form-factor (size & shape) for 10-Gigabit modular transceivers
Same size & shape as a "mini-GBIC" (SFP)
Supports three existing 10-Gigabit technologies:

SR, LRM, LR
10G SFP+ Transceivers
Product Description US List

#
J9150A ProCurve 10-GbE SFP+ SR
Transceiver
J9151A ProCurve 10-GbE SFP+ LR
Transceiver
J9152A ProCurve 10-GbE SFP+ LRM
Transceiver
37
HP ProCurve Switch Accessories
What is a Direct Attach cable?
A one-piece unit consisting of an SFP+ form-factor transceiver at each
end with permanently-attached cabling between
Delivers the 10-Gigabit signal from end to end
Initial length offerings:
1m, 3m, 7m
10G SFP+ Direct Attach Cables
Product Description US List

#
J9281B ProCurve 10-GbE SFP+ 1m
Direct Attach Cable
Direct Attach Cable
Direct Attach Cable
38
Power over Ethernet (PoE)
9802.3af ieee standard (48 volts , 15.4 watts)
9Existing cable plant (Cat 3,5,5e,6)
9Either data pairs or non data pairs (1/2 & 3/6) & (4/5
& 7/8)
915.4 watts maximum at end-span device
9Phones draws from 3 watts and higher
9PoE+ for PTZ cameras, 802.11n (Future PC battery)
9End-span refers to an Ethernet switch with embedded
Power
9Mid-span devices are placed between legacy switches
and the powered devices.
9Centralized Power
Why Support PoE+?

Advantages of PoE+ over PoE:
Increases maximum power to PDs
Dynamic and granular power negotiation
Enables support for additional devices:
802.11n access points
Video IP phones
Thin clients
Pan-Tilt-Zoom cameras
Backwards compatible with PoE
PoE+ Specifications
PoE+ (IEEE 802.3at) sets new specifications for:
1. Wattage
Maximum delivered to PD increased to 24W
Maximum at switch port increased to 30W
2. Voltage levels
Minimum increased to 50V
3. Current
Maximum increased to 600mA
4. Cabling
Supports only Cat5E and newer
Typical VoIP Infrastructure Mitel 3300
IP PBX
PSTN
Typical VoIP Infrastructure
Two port switch built into phone
Single UTP cable to phone
PC/Workstation connected to phone
Two VLANs to phone ( VoIP tagged, Data untagged)
Voice VLAN tagged with 802.1p priority set

Tricks & Tips The interface-connector-cable
combination can have a
significant impact on the
performance of the network.
Be careful and note that a
particular type of connector
does not ensure a particular
type of cable.
An LC could be connecting
either multimode or single
mode. The
mini-GBICs look the same.
Read the label!
Auto MDIX

HP / IEEE Auto MDIX
Automaticallyadjusts for straight-through or
crossover cables on all 10/100 and
10/100/1000 ports
1000T (Cross-Over)
100T (Straight-Thru)
Tricks & Tips It may be necessary in some
environments to disable auto
MDIX.
Auto MDIX Manual Mode:
interface
< port-list > mdix-mode <
automdix | mdi | mdix>
Theoptions include auto-

MDIX (the default), MDI, and
MDI-X.
Benefits:
Minimizes auto-MDIX
capability when connecting
switch to switch links.

Auto Negotiation

Ethernet Transmission modes
Half Duplex:
Data transmission over a Ethernet link capable of
transmitting in either direction, but not
simultaneously. For Ethernet, the CSMA/CD
method is a half duplex protocol. If it receives
traffic while transmitting, it reports a collision
Full Duplex:
Data transmission over a circuit capable of
transmitting in both directions simultaneously.
Auto Negotiation
The auto-negotiation mechanism allows the two interfaces
on a link to select the best common mode automatically,
the moment a cable is plugged in.
The problem is that it looks great on paper, but it doesn't
always work as intended. Although the final Fast Ethernet
standard did contain a section on auto-negotiating, that
section was one of the last things put into the standard and
many vendors had already implemented their own auto-
sensing systems and deployed them before the standard
was ratified.
If this wasn't bad enough, there is no standard for
detecting modes at 10Mb.
Ethernet Errors
In a shared environment, collisions may result in:
Giants due to the concatenation of frames that were
transmitted at the same time
Runts due to the fragmentation of frames that were
transmitted at the same time
In a fully switched environment:
Collisions indicate a mode mismatch, i.e. half- vs. full-
duplex
CRC errors
Detected when the value in the appended 4-byte Frame
Check Sequence does not match the CRC calculated by
the receiving station
May be present in either shared or switched environment
Set system wide network
Tricks & Tips resources to the maximum fix
speed and duplex mode.
Speed and duplex command:
interface < port-list > speed-duplex

100-full
Benefits:
Minimizes auto-negotiation
switch to servers links.
Interface Status
show interface brief

Tricks & Tips Speed and duplex command:
interface < port-list > speed-duplex

auto 100
Benefits:
Minimizes auto-negotiation
switch to servers links.

Virtual LANs

Interconnecting IP networks (LAN)
Router: connection
point for wiring closets Every host in an IP network has
a unique IP address
In this example, hosts in the
same wiring closet are in the
same
Broadcast domain
IP network
Traffic between hosts in the
same IP network is forwarded
by switches using destination
IP Network 1 IP Network 2 IP Network 3
Layer 2 (MAC) address
Traffic between hosts in different
IP networks is forwarded by the
router using destination Layer 3
(IP) address
Interconnecting networks (VLANs)
Router: connection Layer 3 Switch: connection
point for wiring closets point for wiring closets
Every host in an IP network has a
unique IP address
In this example, hosts in the same
wiring closet are in different
VLANs
Broadcast domain
IP network
Traffic between hosts in the same
IP VLAN is forwarded by switches
using destination Layer 2 (MAC)
All Networks All Networks All Networks address
Traffic between hosts in different
IP networks is forwarded by the
switch using destination Layer 3
(IP) address
VLAN = broadcast domain = IP network address = IP Subnet
VLAN ID assignments
Users should be arranged into VLANs (and thus IP

address ranges) based on:
Internal Departments; Engineering, Administration Accounting

Resource Requirements
Should have access to all of the hosts in the suite
Should have access to the Internet, email hosting, and remote
backup depending on whether they have subscribed to those
services
Should not have access to resources in other tenants suites
End user customers for ISPs
VLAN ID assignments
A network should have a minimum of 3 VLANs:
A Server VLAN
Network Management VLAN
User/Data VLAN
Network Design
Methodology

Steps for design and deployment
Regardless of the size of the project, the basic steps
in the design process are:
Assess customer needs and requirements

Develop and propose a solution
Logical
Physical
Implement and document the solution
Assessing customer needs
In assessing the needs of the network, plan for the
following requirements:
Port types and quantities
Cabling to support specified ports
Amount and type of data anticipated
User resource needs
Anticipategrowth in the enterprise and its network
Examine existing network infrastructure
Can the requirements be met within customers
budget?
Plan for port types and quantities
To determine the number and type of switches,
consider:
Number of edge ports
One user per port
Often determined by existing cabling
Number of wiring closets
Using modular edge switches can minimize the total number of
switches (7 slots x 24 ports = 168 edge ports)
Stackable switches support up to 48 edge ports
Distribution and/or core switches
Number of edge switch uplinks may determine whether all edge
switches will terminate at a common core switch or be aggregated
at intermediate level distribution switches
Plan for cabling to support specified
bandwidth requirements
Use existing cabling whenever possible
Distances between edge ports and cubicles must be 100 meters or
less for 100TX/1000T
Category 5 or better for 100Base-TX
Category 5e or better for 1000Base-T
For existing copper cabling with runs longer than 100
meters, the choices are:
Statically configure interface level speed-duplex parameter to auto-10 to
assure reliable connections
Install new cabling (may be cost-prohibitive for some customers)
Use fiber for switch-to-switch distances greater than 100
meters
1000Base-LX, 1000Base-SX, 1000Base-LH
100Base-FX
Plan for amount and type of traffic
Determine characteristics of the traffic to be carried over
links between switches:
Location of high traffic hosts and anticipated volume
Servers
Applications that generate high volume
Applications requiring prioritization
Voice
Video
Multicast support
Distance learning
Meetings
Traffic
requirements can indicate a need for higher speed
edge ports and/or higher capacity uplinks
Understand user resource requirements
Determine resources to be made available to users
and whether availability of those resources is critical
Identify users with common resource requirements

This information may be used to defined VLAN boundaries
Identify resources whose availability is critical
Provide redundant links and/or redundant switches
Balance high availability needs with customers budget constraints
Addressing and Protocols
Private address range versus Public (NAT)
Version IP4 versus IP6
Protocols IP, IPX, Appletalk, SNA, Decnet
Do protocols need to be routable
Routing protocols RIPv1, RIPv2, OSPF, BGP or
proprietary
Define VLAN's
By Protocol
By security compartment
Physical location
Hierarchical Address Scheme
Network 10.0.0.0 Site (2nd Octet) VLAN (3rd Octet) IPX Address
Wide Area Network 10.0.0.0 10.0.0-254.0 0A00xx
(WAN)
District Office 10.10.0.0 10.10.0-254.0 0A0Axx
Campus 1 10.20.0.0 10.20.0-254.0 0A14xx
Campus 2 10.30.0.0 10.30.0-254.0 0A1Exx
Campus 3 10.40.0.0 10.40.0-254.0 0A28xx
Campus 4 10.50.0.0 10.50.0-254.0 0A32xx
Each 256 Host Subnet will be broken down into sub categories as follows:
Decimal Value Range Meaning/Usage # of devices

0 Reserved 0
1 VRRP Primary 1 This breakdown of the address
space allows for a maximum of
2 VRRP Secondary 1
170 DHCP addressable devices
3-6 Router Interfaces 4 and 30 servers/printers per
7 Firewall 1 subnet or VLAN.
8-20 Reserved for Networking 13
Devices
21-50 Static addresses for hosts 30
and printers
51-220 Primary DHCP Range 170
221-255 Backup DHCP Range 35
Security
Physical Access
Network Access (802.1x)
Server Access
Network Management passwords
Firewalls, ACLs
Internet, DMZ
Wireless
Develop and propose a solution
Based on the information gathered during the
assessment phase:
Diagram the physical connectivity
Switches, including any modular accessories
Port counts, types, and speeds
Produce a list of required equipment
Implement and document the solution
Based on the information you gathered in the
assessment phase, create configurations
Create passwords to prevent unauthorized access

Create VLANs specified in the design
Enable high availability features where specified by the
design
Create any prioritization policies
Enable remote management if required
Create VLANs and port members
Create VLANs
Assign access ports as untagged members of the
appropriate VLAN for hosts with non-Q-compliant network
adapters
Define tagged VLAN membership for switch-to-switch links
as necessary
Enable high-availability features
Enable high-availability features as specified by the
design
All versions of Spanning Tree interoperate
with HP Switch Meshing
Router Redundancy (XRRP,VRRP, HSRP)
Server Teaming
Your design may require more than one
high-availability feature
Be sure to include switch-to-switch links as tagged
members of all VLANs whose traffic might be carried in
the event of link failure
Enable prioritization
For hosts that require the edge switch to set and mark
priority, define the policies or port level priorities that will
accomplish the goals of the design
For Q-compatible hosts that are capable of setting
priorities on their own behalf:
Set policies that override illegitimate 802.1p priority settings
Avoid setting user-defined policies that override legitimate 802.1p
priority settings
Links that will carry prioritized traffic must be tagged
members of relevant VLANs or the tags will be stripped,
eliminating end-to-end prioritization
Hierarchical network design
the Core Layer
Internet (no end stations
connect here L2)
Distribution
Layer
(interconnects
edge switches L3)
Access Layer
(edge switches -
all end stations
connect here L2)
Hierarchical network design
the
Internet
Core / Distribution
Layer
Access Layer
(edge switches -
all end stations
connect here)
Design Terminology
Access Layer:
Sometimes referred to as the edge. It is the bottom layer of a
hierarchical model, it provides users with network access. Usually
layer 2 connectivity (non routed)
Distribution Layer:
Middle layer of a hierarchical model. The distribution layer interconnects
the core and access layers. This is where routing is performed.
Usually layer 3 with filtering.
Core Layer:
The top layer of a hierarchical model. Traditionally passes packets to
the distribution layer only. Usually layer 2 for performance.
2 Tier Architecture 3 Tier Architecture
Advantage Disadvantage Advantage Disadvantage
Network Less Complex Centralized Better More complex.

Complexity (Single pair of control. Traffic distributed Requires routing
routing switches) bottlenecks traffic control switches per
via. distribution layer
Layer 2 L2 issues can Isolates L2
Problem affect the core issues within the
each distribution
Isolation layer
Cost Lowest cost per Not suitable for More advanced Requires
port large number of feature sets addtional layer
distribution 3
uplinks to core. switches/routers
Spanning Tree
Protocol (STP)

Spanning Tree Protocol
The Spanning Tree

Protocol automatically
detects loops in the network
topology and blocks the links
that lead to less desirable
paths.
Three Versions
IEEE 802.1d (Original STP)
IEEE 802.1w (Rapid STP)
IEEE 802.1s (Multi instance STP)
Spanning Tree Protocol Defaults
STP is NOT enabled by

default.
Rapid STP is the default
version when enabled
spanning-tree
Multi-instance STP is the
default version for newer
ProCurve switches.
Spanning Tree is a standard method for enabling automatic network

redundancy and high availability at layer 2. Used in multivendor
environments
STP Step 1: Block ports
Switch_A B B Switch_B
B B B B B
B
B B
B B B B
Forwarding due
to Fast mode
Forwarding due
to Fast mode Forwarding due
to Fast mode
The first step in defining a loop-free topology is to place all normal STP ports into
Blocking state
This prevents user traffic from being forwarded until loops are resolved
Fast ports transition to Forwarding immediately (RSTP)
STP Step 2: Generate BPDUs
and elect Root switch
Root B B
B B B B B
B
B B
B B B B
Forwarding Forwarding
Forwarding
Every STP switch generates BPDUs and sends them through all ports
BPDUs are updated and forwarded by all switches through all ports
Within about 30 seconds, one of the switches becomes the Root of the
Spanning Tree
Only the Root continues sending BPDUs
Other switches continue to update and forward BPDUs
STP Step 3: Calculate path costs to Root
In this network, each

Root 5
link has a cost of 5
10
10 10
5 10
10 5 10 5
Forwarding
As each switch updates the BPDUs, the result is a cumulative

path cost to the root
This enables each switch to determine which of its ports leads to
the lowest cost path to the root
STP Step 4: Change some port states
to Forwarding
Root
port
Designated
ports
Root F F
F F
Root F F F
port F
F Root B
B port F B F
Root
port
Forwarding
Every port on the Root Bridge transitions to the Forwarding state

The root port on each switch transitions to the Forwarding state
For each backup link, the designated port transitions to
the Forwarding state
The port on the other side of the backup link remains in the Blocking
state
Spanning Tree Edge Ports
Enable admin-edge on ports connected to end
nodes. During spanning tree establishment, ports
with admin-edge enabled transition immediately to
the forwarding state. Disable this feature on any
switch port that is connected to another switch,
bridge, or hub.
spanning-tree < port-list > admin-edge-port
Adapting to changes in port state
Root
port
Switch_A
Root F F Switch_B
Root F F F F
port F
F Failed Root B
B link port F
Switch_C F Switch_E
Switch_D Root
port
Forwarding
When a link fails, the constant nature of the hello messages

causes another port to become the root port
If the Root switch fails, all of the switches will block their ports until
another switch is established as the Root and the appropriate
ports transition to Forwarding state
STP Root Bridge Selection
00045A The Linksys Group
In this network, each 000625 The Linksys Group
15 15 000a57 Hewlett Packard

link has a cost of 5 000d9d Hewlett Packard
20 20
10 20 10 000e7f Hewlett Packard
20
15 10
15 15 10
15
Forwarding
Instant Wireless Series

Ne twork Acce ss Point
TM
I nsta nt Wireless P ower A CT LI NK
Mode l W AP1 1
Linksys (WET54GS5)
Not configuring the Root bridge may not give you the desired effect 5 port switch (802.1d)
Higher speed links can be blocked in favor of a lower path cost to the Root Bridge
STP Root Bridge Selection
00045A The Linksys Group
In this network, each 000625 The Linksys Group
B F 000a57 Hewlett Packard

link has a cost of 5 000d9d Hewlett Packard
F F
F F F 000e7f Hewlett Packard
F
F F Root
B F F port
B
Forwarding
Root TM
Instant Wirele ss P ower ACT LI NK
Ne twork Access Point
Mode l WAP1 1

If Bridge Priority is not administratively-defined, which of these

Linksys (WET54GS5)
switches will become the Root Bridge? 5 port switch (802.1d)
All things being equal the switch with the lowest MAC address
becomes the Root Bridge.
STP Root Bridge
Server
User

Ne twork Access Point
TM
Instant Wirele ss P ower ACT LI NK
Mode l WAP1 1
Root
Connecting devices in default mode with STP enabled can change

network paths
End to end connect path may not be best path to the network resource
Mis-configure Root Bridge can cause network performance issue
STP Root Bridge
DEMO
Rapid Spanning
VRRP
Tree VRRP
VLAN 1= 10.10.1.1 HP DL360 VLAN 1= 10.10.1.2
VLAN 2 = 10.10.2.1 Server Teaming VLAN 2 = 10.10.2.2
VLAN 3 =10.10.3.1 (TLB) VLAN 3 =10.10.3.2
VLAN 4 =10.10.4.1 IP= 10.10.50.10 VLAN 4 =10.10.4.2
VLAN 5 =10.10.5.1 VLAN 5 =10.10.5.2
VLAN 6 =10.10.6.1 VLAN 6 =10.10.6.2
VLAN 7 =10.10.7.1 VLAN 7 =10.10.7.2
VLAN 8 =10.10.8.1 Port 2 Port 1 VLAN 8 =10.10.8.2
VLAN 9 =10.10.9.1 VLAN 9 =10.10.9.2
VLAN 10=10.10.10.1 VLAN 10=10.10.10.2
VLAN 50=10.10.50.1 VLAN 50=10.10.50.2
Port A1 Port A1
Root
Bridge 10 Gigabit
F4
HP 5406_#1 Port B24 Port B24 HP 5406_#2

IP= 10.10.1.1 IP= 10.10.1.2
Port 49 Port 50
HP 2650 Port 1
IP= 10.10.1.3
1000SX 1000LX
(Multimode patch cord) (Mode conditioning patch cord)
HP nc6000
VLAN 5
IP= 10.10.5.100
DG= 10.10.5.1
STP and RSTP
IEEE 802.1D STP and IEEE
802.1w RSTP address loop STP and RSTP
protection for link
redundancy in networks VLAN 1 VLAN 1
regardless of the use of VLAN 11 VLAN 11
VLAN 12 VLAN 12
VLANs
Links can be left unused
since all VLANs must use the root VLAN 1
same physical topology bridge VLAN 11
VLAN 12
Original STP:
IEEE 802.1D-1998
Rapid STP (RSTP):

IEEE 802.1w-2001 IEEE 802.1D-2006
Change to link cost and

bridge priority values:
IEEE 802.1t-2001
3
Multi-Instance Spanning Tree Protocol
MSTP (802.1s)
Odd VLANs
Even VLANs
Multi-Instance Spanning Tree is an multiple instances of STP.

Redundant links carry different VLANs. Used in multivendor
environments
Cisco PVST+ and Rapid-PVST+
PVST supports a spanning tree root for
instance for each configured VLAN VLAN 11
Yields a 1-to-1 mapping of VLANs VLAN 1 VLAN 1

to STP instances and therefore VLAN 11 VLAN 11
VLAN 12
separate processes VLAN 12
VLAN-specific BPDUs are used for

each VLAN
root for VLAN 1 root for
Uses ISL trunking and allows a VLAN 1 VLAN 11 VLAN 12
VLAN trunk to be forwarding for VLAN 12
some VLANs while blocking others

PVST+ provides the same functionality as PVST, but
supports 802.1Q trunking
Rapid-PVST+ incorporates convergence time improvements
similar in concept to RSTP
6
Comparing PVST+ and MSTP
root for
PVST+
In response to a need to allow VLAN 11
standards compliant 802.1D/w/Q VLAN 1 VLAN 1
switches to have multiple logical paths VLAN 11
VLAN 12
VLAN 11
VLAN 12
for redundancy, IEEE 802.1s MSTP
was developed
root for VLAN 1 root for

802.1s enhanced 802.1Q by allowing VLAN 1 VLAN 11 VLAN 12
groups of VLANs to be assigned to VLAN 12
different spanning trees

Instances may be chosen to match MSTP
number of possible logical paths VLANs VLANs
1,12 1,12
through the layer 2 network
VLAN VLAN
Often, only a few instances are 11 11
required instead of 1-to-1 ratio of
VLANs to instances with PVST+
VLANs
root VLAN root
1,12
MSTI 1 11 MSTI 2
7
CiscoProCurve Scenario 1:
Rapid-PVST+
Cisco environment running PVST+ or Rapid-PVST+
root for backup root for

VLANs 1, 11, 12, 13 VLANs 1, 11, 12, 13
Cisco Cisco
Switch_A Switch_B
blocked port
ProCurve
Switch_C
Configured for STP,
RSTP, or MSTP
Pro: Simple and you can still use PVST+ or Rapid-PVST+

for the backbone
Con: There is no load balancing
10
CiscoProCurve Scenario 2:
MSTP (802.1s)
Cisco environment running MSTP (IEEE 802.1s)
root for backup root for

VLANs 1, 11, 12, 13 VLANs 1, 11, 12, 13
Cisco Cisco
Switch_A Switch_B
ProCurve
Switch_C
Configured for MSTP
Pro: VLAN load balancing

Con: More configuration required
10
Spanning Tree Problems
Unstable Spanning-Tree operation can be caused by factors and
conditions that include:
Uni-directional links
Rogue devices talking STP
Continuous STP topology changes due to flapping ports or end-user
ports not set to edge mode (portfast)
Loops not detected by STP
Blocked
gigabit link
Rogue switch
root bridge
70
Spanning Tree Hardening Features
ProCurve Cisco
Remote-Fault Notification Remote-Fault Notification
(RFN) using Auto-negotiation (RFN) using Auto-negotiation
Uni-directional Link Detection Uni-directional Link Detection
(UDLD) (UDLD)
BPDU Protection BPDU-Guard
Loop Protection Keepalive
Root-Guard Root-Guard
72
RFN Operation
TX idle or frames fiber loss of signal
Switch_A break Switch_B
MAC/RS MAC/RS
RX idle or frames TX idle or frames

MAC/RS MAC/RS
RX idle or frames TX remote fault RFN
RFN
operates
operates
at
at Layer
Layer 11
MAC/RS MAC/RS
RX remote fault TX remote fault
TX idle fiber loss of signal

MAC/RS MAC/RS
RX remote fault TX remote fault
RFN is optional but enabled by default on 1000BaseX ports

on Cisco and ProCurve switches when auto-negotiation is
used. Always use auto-negotiation on 1000BaseX ports.
74
UDLD Operation
UDLD involves an exchange of protocol packets
between neighboring devices
Both devices on the link must support UDLD and have it
enabled on the respective ports
hello I am switch A, port 1/1
UDLD
UDLD
acknowledge hello operates
operates
at
at Layer
Layer 22
Cisco Cisco
Does not work since Cisco and ProCurve

have different implementations
Cisco ProCurve
hello I am switch A, port a1
acknowledge hello
ProCurve ProCurve
76
UDLD Configuration Comparison
UDLD performs tasks that auto-negotiation cannot perform,
such as detecting the identities of neighbors and shutting
down misconnected ports
ProCurve Cisco
UDLD UDLD
Global for all fiber ports
Switch(config)# udld aggressive
Or interface specific
Interface specific:
Switch(config)# interface
Switch(config)#
gig1/1
interface a1 Switch(eth-
Switch(config-if)# udld port
a1)# link-keepalive
aggressive
Recovery configured globally:
Recovery is done automatically Switch(config)# errdisable
recovery udld interval 300
78
BPDU Protection (security enhancement )
SpanningTree Protocol operation is not protected
in any way from rogue STP devices or malicious
attacks.
BPDU Protection is configurable on a per port

basis and allows explicitly determine the legal
boundary of STP domain.
BPDU Protection should be applied to the edge

ports that are connected to the end user devices.,
which normally do not run STP.
BPDU Protection and BPDU-Guard Configuration Comparison
These respective features should be enabled on end-user ports
STP BPDUs should not be allowed to be received on those ports
If a BPDU is received, the port is put in an errdisable state (Cisco) or the port is
disabled (ProCurve)
ProCurve Cisco
BPDU Protection BPDU-Guard
Global for all fiber ports
Switch(config)# spanning-tree
portfast bpduguard default
Interface specific: Or interface specific
Switch(config)# interface Switch(config)# interface
a1 Switch(eth-a1)# gig1/1
spanning-tree bpdu- Switch(config-if)# spanning-
protection tree bpduguard enable
Recovery configured globally: Recovery configured globally:
Switch(config)# spanning-
Switch(config)# errdisable
tree bpdu-protection-
recovery bpduguard interval 300
timeout 300
79
Loop Protection
Additional
protection for networks from L2
forwarding loops.
Anundetectable loop can be formed if an

unmanaged device attached to the network
consumes and does not forward Spanning Tree
packets.
Tricks & Tips Loop protection operates by
periodically sending out a
special multicast packet. If the
switch receives its own packet
back then a loop has been
detected and the receiving port
will be disabled.
loop-protect <PORT-LIST>

Cisco Keepalive Operation
ProCurve
Switch 408
Cisco
Cisco keepalive
keepalive feature
feature may
may
Will
Will cause
cause all
all frames
frames detect
including detect this condition and put
this condition and put
including BPDUs to
BPDUs to the port in errdisable state
the port in errdisable state
be
be looped
looped back
back (enabled
(enabled by by default)
default)
But,
But, ifif BPDU-Guard
BPDU-Guard is is
configured, it will detect itit
configured, it will detect
Cisco
switch Cisco
Cisco keepalive
keepalive feature
feature may
may
detect
detect this condition and put
this condition and put
Will (enabled
(enabled byby default)
default)
Will cause
cause all
all frames
frames
excluding
excluding BPDUs to
BPDUs to be
be But,
But, BPDU-Guard
BPDU-Guard is is not
not able
able
looped back even if
looped back even if STP STP to detect it
to detect it
is
is not
not supported
supported on on the
the
switch
switch
NetGear FS105
80
ProCurve Loop Protect Operation
ProCurve
Switch 408
Will
Will cause
cause all
all frames
frames
including ProCurve
ProCurve Spanning
Spanning Tree
Tree will
including BPDUs to
BPDUs to will
be detect
detect this condition and block
this condition and
be looped
looped back
back block
the
the port
port ifif STP
STP is
is enabled
enabled
ProCurve
switch
If
If enabled,
enabled, the
the ProCurve
ProCurve Loop
Loop
Protect
Protect feature will detect this
feature will detect this
Will
Will cause
cause all
all frames
frames condition and disable the port
condition and disable the port
excluding
excluding BPDUs to
BPDUs to be
be
looped back even if
looped back even if STP STP
is
is not
not supported
supported on on the
the
switch
switch
NetGear FS105
82
Spanning Tree Root Guard
Configuration Comparison
ProCurve Cisco
Root Guard Root Guard
Interface specific:
Interface specific: Switch(config)# interface
Switch(config)# spanning- gig1/1
tree a1 root-guard Switch(config-if)# spanning-
tree guard root
Recovery is done automatically Recovery is done automatically
85
Version of Spanning Tree
needs to be enabled
Tricks & Tips
spanning-tree (Default ?)
A root bridge should be

configured
spanning-tree priority 1 or 0
Switch to switch links need to

be configured for transitioning
or learning (802.1w)
no spanning-tree <port> admin-edge-

port

Tricks & Tips
Compatibility mode for 802.1d
devices (Cisco)
no spanning-tree < port-list > mcheck
Spanning tree status and

information
show spanning-tree

Edge-port Defaults
Switch Edge-port Edge-port Command
enabled disabled
2500 Default Disable edge-port on switch links
no spanning-tree <ports> edge-port
2510 Default Enable edge-port on node ports

spanning-tree <ports> edge-port










Tricks & Tips BPDU Protection should be
enabled on ALL edge ports to
determine the legal boundary
of STP domain.
spanning-tree <port-list> bpdu-

protection
Spanning tree traps
spanning-tree traps errant-bpdu

BPDU Filter
BPDU Filter Passively preventing the switch from
receiving and transmitting BPDU frames on a
specific port. Locks the port into STP forwarding
state
Used to interconnect STP domains
Example:
LAN Extension service
Tricks & Tips BPDU Filter should be enabled
on edge ports to lock the port
into STP forwarding state.
spanning-tree <port-list> bpdu-filter

Spanning Tree
Internet
Configure root bridge

Spanning-tree priority 0
CORE-A CORE-B
EdgeFeatures (End
Device) DATA & MGMT VOIP
Admin-edge-port
Loop-protect
Bpdu-protection DATA & MGMT VOIP
Separate STP Domains

Bpdu-filter
Spanning Tree Protocol Summary
Requires Planning, Design and Implementation
Version mismatches (Cisco versus ieee)
Root bridge
Define STP edge ports (admin-edge or auto-edge)
Define STP boundary (BPDU protection)
Identify ports for STP filtering (LAN extension)
Self Pace Training
http://www.procurve.com/training/training/technical/n
pi/MSTP.htm
Link Aggregation or
Trunking

Link aggregation
Link aggregation
Increasing capacity between switches and
Servers
Load sharing
Static vs. dynamic
Challenge: Increasing switch link
capacity
full-duplex gigabit
fiber links
Six 1000Base-T Six 1000Base-T

full-duplex servers full-duplex servers
((6 x 1000Mb) x 2) ((6 x 1000Mb) x 2)
The full-duplex gigabit link provisioned between each 2600 switch and the
5304xl core switch carries traffic to and from six full-duplex gigabit servers
To increase the capacity of the connection between the core and the 2600
switches, a second link may be aggregated with the existing link
Terminology (Trunking)
HP, Foundry, 3Com
Trunking = Link aggregation= LACP
Cisco
Trunking = Vlan trunking = VLAN tagging (ISL,802.1q)
Nortel
Trunking = TDM voice
Trunking = Split Multi-link trunking
Requirements for link aggregation
Linkaggregation is also known as port trunking
in HP ProCurve documentation
Requirements for port trunking:
HP ProCurve 2500, 2600, 2800, and 4100gl series, and
6108 switches allow up to eight links to be aggregated
The links in a port trunk must:
Be coterminous, i.e., they must begin together
and end together
Support the same mode and flow control options
Link Aggregation Methods
HP Port Trunking
Does not use a protocol to set up the trunk
Port trunking is compatible with other trunking methods because it is
statically defined
Fast EtherChannel (FEC) ** No longer Supported
FEC is a Cisco standard with widespread compatibility with other
switches and multiple-adapter servers
Link Aggregation Control Protocol (LACP)
LACP is defined by IEEE standard 802.3ad
Both sides may be statically defined; however, LACP also supports a
dynamic method for recognizing aggregated links
Allthree methods use both source and destination
addresses for load sharing
HP ProCurve Supported Trucks
Switch # of trunks
Families
2500 1 trunk
4 port trunk
2510 2 trunks
4 port trunk
2600 6 trunks
4 ports per trunk
2800 24 trunks
8 ports per trunk
2810 24 trunks
8 ports per trunk
2900 24 trunks
8 ports per trunk
3500 60 trunks
8 ports per trunk
4200 36 trunks
8 ports per trunk
5300 36 trunks
8 ports per trunk
5400 60 trunks
8 ports per trunk
6200 60 trunks
8 ports per trunk
6400 4 trunks
4 ports per trunk
Interoperability FEC, LACP, and HP
Trunk
ProCurve Cisco Nortel Foundry 3com
ProCurve LACP or LACP LACP LACP LACP

HP Trunk
(LACP,HP Trunk)
Configure trunks before
connecting cables:
Tricks & Tips trunk 25-26 trk1 <trunk,LACP>
Unless dynamic LACP is

utilized, disabled LACP on all
interfaces:
interface < port-list >

no lacp
Ensure server trunks (teaming)

are coterminous and switch
ports are configured correctly.
Intel
Broadcom
AIX
HP
Link Aggregation
DEMO
HP Switch Meshing

HP Switch Meshing
HP Switch Meshing is another option for providing

Layer 2 redundancy. Switch meshing is a load-
balancing technology that enhances reliability and
performance
HP Switch Meshing
Switch Meshing is an HP proprietary method for enabling automatic

network redundancy and high availability at layer 2. Used in HP
ProCurve environments
Terminology (Switch Meshing)
A group of meshed switch ports exchanging
meshing protocol packets is called a switch mesh
domain
A switch mesh domain can contain up to 12

switches. Each switch can have up to 24 meshed
ports
An edge switch has some mesh ports and some

non-meshed ports. Switches 1-5 are edge switches
HP Switch Meshing
Switch meshing is a load-balancing technology that enhances reliability and
performance in these ways:
Provides significantly better bandwidth utilization than either Spanning

Tree Protocol (STP) or standard port trunking.
Uses redundant links that remain open to carry traffic, removing any
single point of failure for disabling the network, and allowing quick
responses to individual link failures. This also helps to maximize investments
in ports and cabling.
Unlike trunked ports, the ports in a switch mesh can be of different types
and speeds. For example, a 10Base-FL port and a 1GB port can be
included
in the same switch mesh.
Switch Meshing compatibility with STP and
RSTP
To interoperate with non-meshing switches within the Layer 2
domain, enable STP or RSTP on meshed switches
The mesh appears to non-meshing switches STP/RSTP
switches as a single switch
Non-meshing switch
configured with STP
5 Port Trunk
1 2
Blocking
State
6 Meshing and
RSTP enabled
on all switches
3 4
Non-meshing switch
configured with STP
Conversation-based load balancing
Determining lowest cost path
When the mesh is fully initialized, each path through the
mesh is assigned a cost based on link speed, outbound
and inbound queue depths, and packet drop counts
Costs are recalculated every 30 seconds
At any given moment, one path is considered the lowest cost path
Forwarding decisions
Frames that are part of a new conversation are forwarded
over the current lowest cost path
Frames that are part of an established conversation are
forwarded through the same port as the first frame in that
conversation
HP Switch Meshing design guidelines
A mesh consists of up to 12 HP ProCurve series switches
A switch can have up to 24 meshed ports using any combination
of media types and link speeds
Meshing and IP routing cannot simultaneously be enabled on the
same switch
Meshing is enabled per port

Enable only on ports that directly connect to other meshed ports
HP Switch Meshing supports full mesh and partial mesh

topologies
Summary: HP Switch Meshing
HP Switch Meshing can be used to improve availability
while increasing capacity within a Layer 2 switched
network
HP Switch Meshing is similar to the Spanning Tree

Protocol in that it allows designers to create topologies
that contain redundant paths
HP Switch Meshing deals with redundant links in a more intelligent
way than STP or RSTP
Instead of placing redundant links in the Blocking state, switches
using HP Switch Meshing can use all available links to forward
traffic
The operation of HP Switch Meshing is transparent

to non-meshing devices
Switch Meshing Supported Families
Switch Meshing
Families
3400
3500
5300
5400
6200
6400
8200
Tricks & Tips When meshing is added to or
removed from ports, switches
must be rebooted
The Mesh is automatically

made a tagged member of all
user-defined VLANs on the
switch, immediately enabling
the included links to carry
traffic for all VLANs
A meshed switch cannot

perform IP forwarding between
VLANs. Can not route and
mesh simultaneously
Meshing
DEMO
Server Adapter
Teaming

Server Adapter Teaming
Multiple Adapters function as single Virtual Adapter (VA)
Devices communicate with VA: can not tell multiple
physical adapters
IEEE compliant for L2 and L3 identities
Other network devices Must see single MAC and Protocol
(1 entry in ARP cache)
When Team initializes Driver reads BIA (Burned In
Address or MAC) for each physical adapter
Pick one MAC as Primary Adapter
ARP replies Team provides for server is Primary
Adapter MAC
Team Failover and MAC/IP
Management
Failover:
MAC of Primary (PA) and one Non-Primary (NPA)
swapped, Non-Primary becomes Primary
Swap MACs: Results in Team always known by one
MAC/one Protocol (IP)
When Team Transmits: PA transmits using teams MAC and
IP
Non-Primaries: always transmit own MAC and Teams IP
NFT and TLB: MAC address used to transmit always
different than PA
SLB: Additional switch intelligence allows all Teamed
adapters use same Team MAC
Teaming Modes
Network Fault Tolerance (NFT)
Transmit Load Balancing (TLB)
Switch-assisted Load Balancing (SLB)
Distributed Trunking (K.14.xx)

Simple redundancy
Two to eight ports in a fault-tolerant team
One defined primary adapter (PA)
Any speed, any media
Team can be split across switches
Remaining adapters are Standby: Non-Primary

Adapters
Remain idle unless PA fails
All adapters can transmit and receive heartbeats
Server
Primary Backup
Adapter Adapter
User User
logical view Team Members
NFT before failure

CAN be split across >1 switch for
switch redundancy
NIC 1 transmit / receive data
switch
MUST be in same broadcast
NIC 2 not active / dead domain (VLAN)
Connect ALL team members to the

same VLAN
NFT after failure
If Switch Redundancy Required:
NIC 1 not active / dead
switch
HP recommends redundant links

between Switches with
NIC 2 transmit / receive data Spanning Tree enabled
STP fastmode or RSTP
Two to eight ports in a team as 1 Virtual Adapter
A single common speed
Team can be split across switches
All NFT features plus TLB
TCP/IP protocol only
Previously called Adaptive Load Balancing (ALB)
Allows server to load balance transmitted traffic from server

Received traffic NOT load balanced
Primary Adapter receives ALL traffic to server, also
transmits
Non-Primary only transmit frames
Server
Primary Backup
Adapter Adapter
User User
logical view Team Members
TLB before failure CAN be split across >1 switch for

switch redundancy
switch
NIC 2 transmit data, only MUST be in same broadcast
domain (VLAN)
NIC 3 transmit data, only
Connect ALL team members to the

same VLAN
TLB after failure
If Switch Redundancy Required:
NIC 1
HP recommends redundant links
switch
between Switches with

NIC 2 transmit / receive data Spanning Tree enabled
NIC 3 transmit data, only STP fastmode or RSTP
Switch Assisted Load Balancing (SLB)
Incorporates all features of NFT and TLB
Adds load Balancing Receive Traffic
2-8 adapters act as single virtual adapter
Load balances all traffic regardless of protocol
Compatible with
HP ProCurve Port Trunking
IEEE 802.3ad Link Aggregation Control Protocol (Static LACP)
Cisco EtherChannel (Static Mode Only, No PAgP)
Others (Extreme, Intel, Bay/Nortel, etc.)
SLB is NOT Server Load Balancing (works with Server Load Balancing)
All adapters in SLB Team equal
All adapters transmit & receive at same speed
All ports must be connected to the SAME switch

Switch must be configured for SAME mode (LACP)!!!
Server Teaming (SLB)
Server
User User
Switch Assisted Load Balancing (SLB)
logical view
SLB before failure Team Members

All adapters transmit & receive
switch
NIC 2 transmit / receive data Adapters must support a
common speed
Must be used with an intelligent
switch that supports this type of
SLB after failure teaming
NIC 1
All ports must be part of the
same switch trunk (LACP)
switch

Distributed Trunking (Server to Switch)
Server (LACP team)
DT Switch DT Switch
K.14.xx K.14.xx
User User
Distributed Trunking is a link aggregation technique,
where two or more links across two switches are
aggregated together to form a trunk.
This feature uses a new protocol DTIP to overcome
this limitation and support link aggregation for the
links spanning across the switches. DT provides
node-level L2 resiliency in an L2 network, when one
of the switches fails.
Distributed Trunking is included in switch software
starting with version K.14. In this initial release,
only Server-to-Switch Distributed Trunking is
supported.
Limitations/Restrictions
Meshing and Distributed trunking features are mutually exclusive
Routing and Distributed trunking feature are mutually exclusive.
IGMP and DHCP snooping, arp-protect, STP are not supported on DT trunks.
QinQ in mixed VLAN mode and DT are mutually exclusive.
ISC ports will be part of all VLANs i.e. it will become member of a VLAN once
that VLAN configured.
ISC Port can be an individual port or manual LACP trunk but dynamic LACP
trunk cant be configured as ISC port.
Maximum of 8 links in a DT trunk across two switches is supported with max of
4 links per DT switch.
The current limitation of 60 manual trunks in a switch, will now include DT
manual trunks too
Only one ISC (inter-switch connect) link is supported per switch for max of 60 DT
trunks supported in the switch
Spanning Tree Protocol is disabled (PDUs are filtered) on DT ports.
Supported team types summary
Operating
system NFT TLB SLB
Windows 2000 3 3 3
Windows 2003 3 3 3
Novell NetWare 4-6 3 3 3
Linux 3 3 3
Caldera OpenUnix
8 3
Caldera Open
Server 5 3
Enable RSTP or STP with
fastmode
Tricks & Tips Ensure SLB server trunks are
coterminous and switch ports
are configured correctly.
Mixing adapters with different

hardware features in TLB and
SLB teams
lowest common
denominator of features
every team member must
support the feature for it to
be used
Using adapters with mixed

speeds in TLB teams
higher speed adapters may
be under utilized
Tricks & Tips Different Network Interfaces
(NICs) manufactures use
different terms.
Intel
Broadcom
AIX

VRRP VRRP
Teaming
VLAN 1= 10.10.1.1 HP DL360 VLAN 1= 10.10.1.2
VLAN 3 =10.10.3.1 (TLB) VLAN 3 =10.10.3.2
VLAN 4 =10.10.4.1
VLAN 5 =10.10.5.1
IP= 10.10.50.10
with TLB VLAN 4 =10.10.4.2
VLAN 5 =10.10.5.2
VLAN 6 =10.10.6.1 VLAN 6 =10.10.6.2
VLAN 7 =10.10.7.1 VLAN 7 =10.10.7.2
VLAN 9 =10.10.9.1 VLAN 9 =10.10.9.2
VLAN 10=10.10.10.1 VLAN 10=10.10.10.2
VLAN 50=10.10.50.1 VLAN 50=10.10.50.2
Port A1 Port A1
Po
r C u vr e
S w itc h 5 4 0 6 z l
ProCurveNetworking P ro C u v
r e S witc h 5 4 0 0 zl
Ma n a g e me n tMo d u e l Po
E
S ta
us
A B G H
Ac
t
Po
r C u vr e
S w itc h 5 4 0 6 z l
ProCurve Networking Po
r Cu vr e S witc h 5 4 0 0 zl
Ma n a g e m e n tMo d u el Po
E
S ta
us
A B G H
Ac
t
J 8 6 9 9 A J8726A J 8 6 9 9 A J8726A
Po E HPInnovat ion Us e
Mg
mt F
h
s
la mp
e
T 3 4 1 C D I J Dx P E
F o PoE HPInnovat o
in Us e
Mg
mt F
h
s
la mp
e
T 3 4 1 C D I J Dx P o
F E
Re
t
s C le
r
a t
s
e
T Ch
s
a D IM M F
n
a 1 2 2 E F K L Sp
d Us
r Re
t
s C le
r
a t
s
e
T Ch
s
a D IM M F
n
a 1 2 2 E F K L Sd
pUs
r
P o we r z lMo d u e
l s In e
rn
t la P o E Mo d u e
s
l E D Mo
L e
d Co n s o e
l Au x
P o tr
ry
ila P o we r z lMo d u e
l s In e
rn
t la P o E Mo d u e
s
l E D Mo
L e
d Co n s o e
l A u ila
P
ry
x o tr
ony l P o we r P wr ony l P o we r P wr
F a u tl F a u tl
1 3 5 7 9 11 13 15 17 19 21 23 1 3 5 7 9 11 13 15 17 19 21 23 1 3 5 7 9 11 13 15 17 19 21 23 1 3 5 7 9 11 13 15 17 19 21 23
Loc ao
t r
A B L o c a to r
A B
Po C r rveu Po C r rveu Po C r rveu Po C r rveu

G ig
24p
zlM o
J8702A
-T
le
u
d 2 4 6 8 10 12 14 16 18 20 22 24 zl G ig
24p
zlM o
J8702A
-T
le
u
d 2 4 6 8 1 0 12 14 16 18 20 22 24 zl G ig
24p
zlM o
J8702A
-T
le
u
d 2 4 6 8 10 12 14 16 18 20 22 24 zl G ig
24p
zlM o
J8702A
-T
le
u
d 2 4 6 8 10 12 14 16 18 20 22 24 zl
P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
IE E E A u o
re
a t MD I/M D I-X P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
IE E E A u to MD I/M D I-X
re
a P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
re
a P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
IE E E A u o
re
a t MD I/M D I-X
C D C D
10 Gigabit
E F F4 E F
HP 5406_#1 Port B24 Port B24 HP 5406_#2

IP= 10.10.1.1 IP= 10.10.1.2
h p P r o Cu r v e 1 2 3 4 5 6 13 14 15 16 17 18 25 26 27 28 29 30 37 38 39 40 41 42
7 8 9 10 11 12 19 20 21 22 23 24 31 32 33 34 35 36 43 44 45 46 47 48
S w tic h 2 6 5 0 -p w r G gi -T
J8165A P o tsr
PoE
Sa
s
tu
RP S Ac
t 49 TM 50 T
M
ED
L
P o we r E P S Moe
d Dx
F M ni -i
n
a
F Spd G B IC
t
s
e
T Po
E P o rts
F a u tl Po
E -R e
/B se
0
y1
d
a -T
a X Po
)
8
-4
rts(1 1 0 /1 0 0 B a se -T X P o rtsa re H P A u to -M D I-X Gi
, g -T p o rtsa re IE E E A u to MD
rM)I/M
Us(T
ly
n
o
e rGiD
fo r I-X
o
itp
b
a
g
Port 49 Port 50
Re
t
s C le
r
a Mo
d
p
S e
d Mb
0
1
f=
o s
p a
fl b
M
0
1
=
sh s
p o
Mp
0
1
=
n sb
HP 2650 Port 1
IP= 10.10.1.3
1000SX 1000LX
HP nc6000
VLAN 5
IP= 10.10.5.100
DG= 10.10.5.1
Server Teaming
(TLB)
DEMO
Virtual Router
Redundancy Protocol
(VRRP)

Virtual Router Redundancy Protocol (VRRP)
VRRP (Virtual Router Redundancy Protocol) is the feature

used by the HP ProCurve Series 3500yl, 5400zl, &
6200yl family of switches to provide router redundancy, or
fail-over, to one or more backup routers in case one fails.
XRRP (XL Router Redundancy Protocol) is the feature used

by the HP ProCurve Series 5300XL & 3400 family of
switches to provide router redundancy, or fail-over, to a
backup router in case one fails.
Allows you to configure one or more switches to behave

as backup routers for each other.
Terminology (VRRP)
Virtual Router A Virtual Router (VR) instance consists
of one Owner router and one or more Backup routers
belonging to the same network. Any VR instance exists
within a specific VLAN, and all members of a given VR
must belong to the same subnet. In a multinetted VLAN,
multiple VRs can be configured. The Owner operates as the
VRs Master unless it becomes unavailable, in which case
the highest-priority backup becomes the VRs Master.
Master The physical router that is currently providing

the virtual router interface to the host computers.
Advertisement Interval The time interval at which the

Master router sends out VRRP packets on each virtual router
interface.
Virtual Router Redundancy Protocol (VRRP)
Default Gateway Server

10.0.1.1
10.0.2.1
Protective
Domain
Default Gateway Default Gateway

10.0.1.1 10.0.2.1
User User
VRRP Normal Operation
On a given VLAN, a VR includes two or more
member routers configured with a virtual IP
address that is also configured as a real IP address
on one of the routers, plus a virtual router MAC
address. The router that owns the IP address is
configured to operate as the Owner of the VR for
traffic-forwarding purposes, and by default has the
highest VRRP priority in the VR. The other router(s)
in the VR have a lower priority and are configured
to operate as Backups in case the Owner router
becomes unavailable.
The configuration is done for each VLAN

VRRP Fail-Over Operation
The Owner normally operates as the Master for a VR. But if it becomes
unavailable, then a failover to a Backup router belonging to the same
VR occurs, and this Backup becomes the current Master. If the Owner
recovers, a failback occurs, and Master status reverts to the Owner.
(Note that using more than one Backup provides additional
redundancy, meaning that if both the Owner and the highest-priority
Backup fail, then another, lower-priority Backup can take over as
Master.
The current Master router sends periodic advertisements to inform the

other router(s) in the VR of its operational status. If the backup VR(s) fail
to receive a Master advertisement within the timeout interval, the
current Master is assumed to be unavailable and a new Master is
elected from the existing Backups. The timeout interval for a VR is three
times the advertisement interval configured on the VR(s) in the network
or subnet. In the default VRRP configuration, the advertisement interval
is one second and the resulting timeout interval is three seconds.
Router Redundancy Protocol (VRRP)
Default Gateway Server

10.0.1.1
10.0.2.1
Protective
Domain
Default Gateway Default Gateway

10.0.1.1 10.0.2.1
User User
VRRP Supported Families
Switch XRRP VRRP

Families
5300
3400
6400
3500
6200
5400
8200
9300/9400
XRRP Versus Ciscos HSRP
ProCurve Cisco
XRRP HSRP
Single Hot
Standby
Load Balancing
across VLANs
Load Balancing
within VLAN
VRRP uses the following multicast
MAC address for its protocol
Tricks & Tips packets:
00-00-5E-00-01-< VRid >
XRRP uses the following multicast

MAC address for its protocol
packets:
0101-E794-0640
Never set up a default or static route

that points to the peer router as the
path.
Routers must have identical

connectivity. That is, they must have
the same access to all remote
subnets, and the route costs of the
access must be the same.
Router Redundancy
VRRP with VRRP VRRP
VLAN 1= 10.10.1.1 HP DL360 VLAN 1= 10.10.1.2
VLAN 3 =10.10.3.1 (TLB) VLAN 3 =10.10.3.2
VLAN 4 =10.10.4.1 IP= 10.10.50.10 VLAN 4 =10.10.4.2
VLAN 5 =10.10.5.1 VLAN 5 =10.10.5.2
VLAN 6 =10.10.6.1 VLAN 6 =10.10.6.2
VLAN 7 =10.10.7.1 VLAN 7 =10.10.7.2
VLAN 9 =10.10.9.1 VLAN 9 =10.10.9.2
VLAN 10=10.10.10.1 VLAN 10=10.10.10.2
VLAN 50=10.10.50.1 VLAN 50=10.10.50.2
Port A1 Port A1
Po
r C u vr e
S w itc h 5 4 0 6 z l
ProCurveNetworking P ro C u v
r e S witc h 5 4 0 0 zl
Ma n a g e me n tMo d u e l Po
E
S ta
us
A B G H
Ac
t
Po
r C u vr e
S w itc h 5 4 0 6 z l
ProCurve Networking Po
r Cu vr e S witc h 5 4 0 0 zl
Ma n a g e m e n tMo d u el Po
E
S ta
us
A B G H
Ac
t
J 8 6 9 9 A J8726A J 8 6 9 9 A J8726A
Po E HPInnovat ion Us e
Mg
mt F
h
s
la mp
e
T 3 4 1 C D I J Dx P E
F o PoE HPInnovat o
in Us e
Mg
mt F
h
s
la mp
e
T 3 4 1 C D I J Dx P o
F E
Re
t
s C le
r
a t
s
e
T Ch
s
a D IM M F
n
a 1 2 2 E F K L Sp
d Us
r Re
t
s C le
r
a t
s
e
T Ch
s
a D IM M F
n
a 1 2 2 E F K L Sd
pUs
r
P o we r z lMo d u e
l s In e
rn
t la P o E Mo d u e
s
l E D Mo
L e
d Co n s o e
l Au x
P o tr
ry
ila P o we r z lMo d u e
l s In e
rn
t la P o E Mo d u e
s
l E D Mo
L e
d Co n s o e
l A u ila
P
ry
x o tr
Default Gateway
ony l P o we r P wr ony l P o we r P wr
F a u tl F a u tl
1 3 5 7 9 11 13 15 17 19 21 23 1 3 5 7 9 11 13 15 17 19 21 23 1 3 5 7 9 11 13 15 17 19 21 23 1 3 5 7 9 11 13 15 17 19 21 23
Loc ao
t r
A B L o c a to r
A B
10.10.5.1
Po C r rveu Po C r rveu Po C r rveu Po C r rveu
2 ig
G
4p
zlM o
J8702A
-T
le
u
d 2 4 6 8 10 12 14 16 18 20 22 24 zl 2 ig
G
4p
zlM o
J8702A
-T
le
u
d 2 4 6 8 1 0 12 14 16 18 20 22 24 zl 2 ig
G
4p
zlM o
J8702A
-T
le
u
d 2 4 6 8 10 12 14 16 18 20 22 24 zl 2 ig
G
4p
zlM o
J8702A
-T
le
u
d 2 4 6 8 10 12 14 16 18 20 22 24 zl
P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
IE E E A u o
re
a t MD I/M D I-X P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
re
a P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
re
a P o E In
- e
g
t a
d
te
r 1
/B a
0 -T P o ts
e
s )P
4
-2
(1
r o ts
IE E E A u o
re
a t MD I/M D I-X
C D C D
10 Gigabit
E F F4 E F
HP 5406_#1 Port B24 Port B24 HP 5406_#2

IP= 10.10.1.1 IP= 10.10.1.2
h p P r o Cu r v e 1 2 3 4 5 6 13 14 15 16 17 18 25 26 27 28 29 30 37 38 39 40 41 42
7 8 9 10 11 12 19 20 21 22 23 24 31 32 33 34 35 36 43 44 45 46 47 48
S w tic h 2 6 5 0 -p w r G gi -T
J8165A P o tsr
PoE
Sas
tu
RP S Ac
t 49 TM 50 T
M
ED
L
P o we r E P S Moe
d Fx
D M ni -i
n
a
F Spd G B IC
t
s
e
T Po
E P o rts
F a u tl Po
E -R e
/B se
0
y1
d
a -T
a X Po
)
8
-4
rts(1 1 0 /1 0 0 B a se -T X P o rtsa re H P A u to -M D I-X Gi
, g -T p o rtsa re IE E E A u to MD
rM)I/M
Us(T
ly
n
o
e rGiD
fo r I-X
o
itp
b
a
g
Port 49 Port 50
Re
t
s C le
r
a Mo
d
p
S e
d Mb
0
1
f=
o s
p a
fl b
M
0
1
=
sh s
p o
Mp
0
1
=
n sb
HP 2650 Port 1
IP= 10.10.1.3
1000SX 1000LX
HP nc6000
VLAN 5
IP= 10.10.5.100
DG= 10.10.5.1
VRRP
DEMO
Connection Rate
Filtering
(Virus Throttling)

REMEMBER!
No other vendor has added
capabilities like these to their switches
First to the industry!
Cutting edge technology (developed at HP
Labs) for mainstream customers at
affordable prices
Its a free upgrade
The Virus Problem
Most anti-virus software 05:29 Jan 25 0 infected
works by preventing
infection
Works well but
occasionally fails
Anti-virus software fails to
recognize new viruses
Client/server/security 06:00 Jan 25 74855 infected
software not up-to-date
Worms can spread very
rapidly and cause lots of
damage
SQLSlammer
Sasser
Todays Limited Solutions
Signature-based detection (known malicious code)
Targeted at viruses that have been seen before
Have to touch the client since that is where the virus is
actually detected
Ineffective initially with unknown viruses
Could lead to network paralysis with quick spreading viruses
Solving a different virus concern
Assumes all clients entering the networking are
homogeneous
No acceptance for outside clients like other vendors sales reps,
contract employees, etc.
How do you manage the unknown, often the most
Competitions only solution
destructive?
Only a partial solution
For Virus Throttling
ProCurve targets the virus (worm) behavior
Advantages to ProCurve Security Architecture
Virus Throttling
Works without knowing anything about the virus
Handles unknown viruses
Needs no signature updates
Protects network infrastructure
Network and switches will stay up and running, even
when under attack
Notification
When a host is throttled, a SNMP trap and log event is
generated
IT staff have time to react, before the problem escalates
to a crisis
ProCurves Security Advantages
Virus Throttling is unique
Monitors all ports simultaneously
Easy to configure
No periodic updates needed
Some competitors have behavioural detection that
is similar but
Requires an external appliance or special switch module
Extra cost
The Solution: Virus Throttling
As the worm virus tries to spread:

the switch detects the activity and automatically either:
throttles traffic from these nodes at the routed VLAN boundary

greatly slows the virus spread
allows time to react without bringing the network down for the
infected client
or
prevents all traffic from infected client from being routed to other parts
of the network
stops virus spread
but also prevents all traffic from infected client to be routed to the
rest of the network
Virus Throttling Caveats
Throttling
automatically occurs only for traffic
across routed VLANs
Routing is required, no automatic affect in pure L2
environments
Other nodes on the VLAN with the infected client are still
at risk
Traffic from infected clients continues to be forwarded in the L2
environment
BUT
The network manager is notified of virus activity and can take
steps through PCM+ to find and shut down the switch port where
the virus is entering the network.
The Solution: Virus Throttling
In an L2 Environment
If you are running PCM+ 1.6 or later
PCM+ gets the trap from the switch identifying the IP
address of the infected client
Net Mgr can then:
Use PCM+ to find the switch port associated with this IP address
Shut down the switch port preventing the virus from entering the
network at L2 as well.
Net Mgr can now deal with just the client, not the rest of the
network
Virus Throttling in an L2 Environment
1. Switch detects virus activity
2. Alerts PCM+ with IP

addr and MAC addr of
infected client
PCM+
X 3. Net Manager alerted

Virus
4. Manager uses Find
Traffic blocked Switch Port utility
to locate client
switch port
5. Manager shuts
down that
switch port
Virus Throttling
Switch Families Virus Throttling
5300 (L3)
3500
6200
5400
8200
Virus Throttling
Enabled
HP ProCurve Manager
and ProCurve
Manager Plus

HP ProCurve Manager implements
Command from the Center
Windows-based network
management solution
Enables configuration and
monitoring of network
devices from a central
location
Two versions available:
Standard and PLUS
Provides necessary tools to
effectively manage your
network, including:
Auto-discovery
Topology mapping
Device polling
Device configuration
Traffic monitoring
Comparing HP ProCurve Manager
and Manager Plus
HP ProCurve Manager
No cost Replaces HP TopTools for Hubs & Switches
Included with all new ProCurve devices
Available as free download from ProCurve web site
Key features include:
Auto Discovery
Network Status and Monitoring
Alerts and Troubleshooting
Device Management
Network Topology Mapping
HP ProCurve Manager Plus
Free trial for 30 Days
Additional features include:

Advanced VLAN Management
In-depth Traffic Analysis
Group and Policy Management
Device Firmware Updates
Device Configuration Management
Supported operating systems
and system requirements
Client installation
From
From any
any web
web browser:
browser:
You
You can
can access
access thethe PCM
PCM GUIGUI Download
Download PagePage via
via port
port 8040
8040 of
of the
the Management
Management Server.
Server.
There
There are
are 22 steps
steps inin client
client installation:
installation:
1)
1) Install
Install the
the Client
Client Software
Software using
using the
the GUI
GUI Download
Download page
page
2)
2) Authorize
Authorize thethe client
client host
host to
to access
access the
the management
management server
server
HP ProCurve Manager Home Page
Home
Home Page
Page
Dashboard
Dashboard
Navigation
Navigation Pane
Pane
User management
Authentication
is required for all users using the HP
ProCurve Manager Client
The three user types are:
Administrator - full access
Operator - full access with the exception of

adding/modifying/deleting user accounts
Viewer - restricted access; no database

changes allowed
Auto-discovery
HP ProCurve Manager polls the device specified as the
default gateway and all subnets configured on the device
A list of all subnets will be discovered
By default, only devices contained within the subnet of the
specified default gateway will be auto-discovered and managed
Additional managed subnets can be added, and their
devices managed and configured
Automatic discovery can be stopped and started at any
time
Discovery can be performed in a manual mode
Discovery components
Topology discovers devices, using CDP , and creates
Network topology map
ARP reads ARP cache on all active devices
VLAN obtains all VLAN and subnet information on each
discovered device
Creates both VLAN and Subnet topology maps
Ping Sweep discovers all devices sequentially, including
inactive devices
Viewing the Network Map
The
The Network
Network Maps
Maps
window
window provides
provides aa
graphical
graphical view
view of
of the
the
physical
physical layout
layout of
of the
the
managed
managed network.
network.
VLAN Manager
Provides a graphical interface for managing
VLANs
Create VLANs that can span the entire managed network
infrastructure
Select switches from a list to add to the VLAN
View and modify properties and port memberships
Use the Global Discovery Manager to add the VLAN as a
managed subnet
Delete VLANs
Remove all references to the VLAN from all switches that have
port members of the VLAN
All port members of the deleted VLAN will be returned to the
Default VLAN on their respective devices
Policy Manager
Policy Manager allows network administrators to define
and enforce configuration-based parameters for a group
of devices:
Community Names
Trap Receivers
Authorized Managers
Configure multiple devices with a single action
Schedule for automatic enforcement
Configuration management
Configuration management features include:
Scheduled and manual device configuration scans
By default, a configuration scan runs on all discovered devices
at 6AM every day
Comparison and deployment of configurations on multiple devices
A configuration history tab displays a summary of previous
scans
The ability to use CLI commands to deploy a specific configuration
to a single device or multiple devices
Automatic firmware update
Updating firmware automatically
HP provides periodic firmware updates for HP ProCurve
switches via the HP ProCurve Support web site
http://www.hp.com/rnd/software/index.htm
The Configuration management screen on HP ProCurve
Manager provides an interface for downloading the latest
firmware
HP ProCurve Manager Plus offers a Firmware Update
feature that automatically downloads and applies updates
PCM+
DEMO
Things to check when you leave here!
Spanning Tree
Server teaming
Microsoft Clustering
Switch logs
Things to check
when you leave!
Switch Log Issues
>show log
W 02/03/09 00:53:09 00332 FFI: port A10-Excessive Broadcasts. See help.

W 02/03/09 01:12:07 00564 ports: port A1 PD Invalid Signature indication.
I 02/03/09 01:12:10 00076 ports: port A1 is now on-line
W 02/03/09 01:28:53 00329 FFI: port A1-Excessive CRC/alignment errors. See help.
W 02/03/09 01:29:46 00331 FFI: port A1-High collision or drop rate. See help.
I 02/03/09 01:42:58 00077 ports: port A1 is now off-line
W 02/03/09 01:44:28 00564 ports: port A1 PD Invalid Signature indication.
I 02/03/09 01:44:31 00076 ports: port A1 is now on-line
W 02/03/09 01:44:42 00329 FFI: port A1-Excessive CRC/alignment errors. See help.
Spanning-Tree Issue
>show spanning-tree
Multiple Spanning Tree (MST) Information
STP Enabled : Yes

Force Version : MSTP-operation
IST Mapped VLANs : 1
Switch MAC Address : 0019bb-0ae000
Switch Priority : 0
Max Age : 20
Max Hops : 20
Forward Delay : 15
Topology Change Count : 33456

Time Since Last Change : 89 secs
CST Root MAC Address : 0019bb-0ae000

CST Root Priority : 0
CST Root Path Cost : 0
CST Root Port : This switch is root
IST Regional Root MAC Address : 0019bb-0ae000

Server Teaming Issue
>show tech
addrmgrmovelist
mac address vid old port new port timestamp
------------- ---- -------- -------- -----------------
005056-906d8a 1 A12 Trk1 02/03/09 10:15:54
005056-906d8a 1 A10 A12 02/03/09 10:15:57
005056-906d8a 1 A12 Trk1 02/03/09 10:16:00
005056-906d8a 1 A10 A12 02/03/09 10:16:03
005056-906d8a 1 A12 Trk1 02/03/09 10:16:06
005056-906d8a 1 A10 A12 02/03/09 10:16:09
005056-906d8a 1 A12 Trk1 02/03/09 10:16:12
005056-906d8a 1 A10 A12 02/03/09 10:16:15
005056-906d8a 1 A12 Trk1 02/03/09 10:16:18
005056-906d8a 1 A10 A12 02/03/09 10:16:21
005056-906d8a 1 A12 Trk1 02/03/09 10:16:24
005056-906d8a 1 A10 A12 02/03/09 10:16:27
005056-906d8a 1 A12 Trk1 02/03/09 10:16:30
005056-906d8a 1 A10 A12 02/03/09 10:16:33
005056-906d8a 1 A12 Trk1 02/03/09 10:16:36
005056-906d8a 1 A10 A12 02/03/09 10:16:39
005056-906d8a 1 A12 Trk1 02/03/09 10:16:42
005056-906d8a 1 A10 A12 02/03/09 10:16:45
ProVision Software
Features

Optional Premium License
ProCurve 3500/5400/6600/8200 switches ship

with:
Layer 2 + Base Layer 3 routing capabilities (static
IP routing and RIP) standard
Premium License provides advanced Layer 3

features:
OSPFv2
PIM Dense Mode
PIM Sparse Mode
VRRP
QinQ - IEEE 802.1ad
Note:The ProCurve 6200 switch ships with the

Premium License included
21
0
5400/3500 Features
Flexibility Features
Versatile Intelligent Port Operational Flexibility
Every copper port:
24-port stackable to 288-port chassis in
10/100/1000 a single, consistent product family
PoE enabled L3 Services at L2
Has all L3 services applied ACLs, QoS, etc. can use L3 info
8 Hardware queues without the switch routing
All copper ports created equal Jumbo packet support (L2/L3)
Quiet operation
Routing Support Power supply choice for optimum PoE
RIP, static routes power
OSPF, includes ECMP Small chassis size
PIM Sparse Minimizes space requirements
PIM Dense RMON, XRMON, sFlow support
VRRP
5400/3500 Features
Intelligent Edge Features
Security Bandwidth Shaping
Protect, Detect, Respond to Guaranteed minimums
Per port, per queue
Network Threats
Enforced maximums
Fast, flexible ACLs
Limit problem clients
Can use ICMP/IGMP/Protocol bandwidth
fields, IP TOS byte
Set allowable bandwidth
IP & MAC lockdown/lockout levels for specific traffic
Source port filtering Per port
Access control to the network
802.1x, Web-auth, MAC-auth QoS
Virus Throttling for control of QoS based on:
malicious worm agents User
L2/L3 Application
SSH, SSL, TACACS+, Secure FTP for Set outgoing IP Priority, remap
management access DSCP
5400/3500 Features
Operational Excellence Features
Ease of Deployment Long Product Life
Industry-leading ProCurve support value
With broad scalability allows proposition
consistent product experience Lifetime warranty*
Installation - same set-up Includes fans and power supplies
Free software updates**
Operational 2048 VLANs
Same end-user experience 8 Hardware/software priority queues
Same network management view Upgradeable management engine and
CPU
Same front panel info Add-in module capability
Versatile Intelligent Port Programmable ASICs
All copper Gig ports are Availability
equivalent 802.1s MIST
Maintenance Switch Meshing
Same software code level VRRP
Optional redundant power supplies
USB mass memory support
Removable management blade (chassis
Copy to/from for config, products)
debug/crash and cmd output files
Technology for better business outcomes

ProCurve Best Practices PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

ProCurve Best Practices PDF

Transféré par

Droits d'auteur :

Formats disponibles

HP ProCurve

2008 Hewlett-Packard Development Company, L.P.

Technical Phone Support / Firmware Upgrades

Magic Quadrant for Enterprise LAN (Global), 2009,

Reduced complexity Proactive networking

Core & Edge Switches

Scalable core-to-edge switches 802.11n wireless solutions WAN solutions provide

Data Center Network Management Network Security

Small Business Enterprise

GA Nov. 1 2009 Redundancy with RPS support

Established 2520G-PoE 2520G/2520:

3500 10/100 PoE/PoE+

3500 10/100 Non-PoE

Expanding The ProVision

2008 Hewlett-Packard Development Company, L.P.

HP ProCurve 2520-24-PoE Switch (J9138A)

HP ProCurve 2520G-24-PoE Switch (J9280A)

2520-8-PoE - 8 10/100-T ports + 2520-24-PoE - 24 10/100-T ports +

J9472A HP ProCurve 3500-48 Switch

J9471A HP ProCurve 3500-24-PoE Switch

J9473A HP ProCurve 3500-48-PoE Switch

8206zl Front View

J8705A: 20-Port 10/100/1000 PoE + 4-Port Mini-GBIC/SFP zl

J8706A: 24-Port Mini-GBIC zl Module

J8707A: 4-Port 10GbE X2 zl Module

J8708A - 4-Port 10GbE CX4 zl Module

Used with both the 8200zl and 5400zl switches

Used with both 8200zl and 5400zl

(J8712A) (J8713A) (J9306A)

PoE/PoE+ PoE PoE PoE PoE+ PoE+

J9264A HP ProCurve 6600-24G-4XG

J9265A HP ProCurve 6600-24XG Switch

J9451A HP ProCurve 6600-48G Switch

J9452A HP ProCurve 6600-48G-4XG

Supported in zl series chassis

J9289A HP ProCurve ONE Services zl Module

J9155A- HP ProCurve TMS zl Module

J9370A - HP ProCurve MSM765zl Mobility Controller

J9371A - HP ProCurve MSM760/765 40 AP License

16x 1GbE internal ports for server/storage blade access

16x 10GbE internal ports for server/storage blade access

Console port 5x 10GbE SFP+ ports

Manageme LLDP-MED HTTPS

Access 802.1X, Web, MAC auth

IGMP 256 groups 1K groups 1K groups 1K groups

Rate Extensive, highly

Warranty Lifetime 1 year 1 year 1 year

2008 Hewlett-Packard Development Company, L.P.

1000Base-SX Multimode (62.5 micron) 275 meters

1000Base-SX Multimode (50 micron) 500 meters

1000Base-LX Single-mode (9 micron) 10 kilometers

1000Base-LX ** Multimode (62.5 or 50 micron) 550 meters

100/1000Base-T Category 5e UTP 100 meters

1000-BX Single-mode (9 micron) 10 kilometers

100-BX Single-mode (9 micron) 10 kilometers

10G-CX4 4X Twinax (Infiniband-style) 15 meters

10GBASE-SR Multimode (62.5 micron) 2-33 meters

10GBASE-SR Multimode (50 micron/2000 Mhz) 300 meters

10GBASE-LR Single-mode (9 micron) 10 kilometers

10GBASE-ER Single-mode (9 micron) 40 kilometers

10GBASE-LRM Multimode (62.5 micron) 220 meters

J4859C 1000Base-LX port Type 1000Base-LX

J8177B 1000BT SPF;Connector RJ45 100 meters