Friday, March 27, 2015

ProCurve Switches - Configuring a Failover Link in OSPF


In this example, switch ProCurve A has two connections to network 10.10.13.0/24. ProCurve A must be configured so that, while both connections are up, traffic to 10.10.13.0/24 leaves through ProCurve B (the main link); if the main link is down, the backup link through ProCurve C carries that traffic instead. All three ProCurve switches run OSPF for routing. Note that the static routes below only decide the path traffic takes out of ProCurve A; the return path from 10.10.13.0/24 is decided by the routing tables on the remote side.

The same method works when the main link goes to the Internet via ISP 1 (the preferred ISP) and the backup link via ISP 2: replace the remote network address (10.10.13.0/24 in this example) with the default route 0.0.0.0/0.

The approach: configure two static routes with different administrative distances (a floating static route), then redistribute them into OSPF:

On ProCurve A, configure two static routes as follows:

HP-5406zl(config)# ip route 10.10.13.0/24 192.168.200.2 distance 10
HP-5406zl(config)# ip route 10.10.13.0/24 192.168.201.2 distance 20
HP-5406zl(config)# router ospf redistribute static

The route through ProCurve B has the lower administrative distance, so it is the one installed in the routing table and it carries traffic to 10.10.13.0/24 under normal conditions. When that link goes down, the switch withdraws the distance-10 route and installs the distance-20 route through ProCurve C as backup. The last command redistributes the installed static route into OSPF, so the rest of the OSPF domain learns the currently active path. One caveat: a static route is withdrawn only when the VLAN interface of its next hop loses link. If a media converter or an intermediate switch keeps the link up while the path beyond it is broken, the distance-10 route stays installed and no failover happens.

In the first two commands, metric can be set instead of distance, but the effect is not the same: distance decides which of the two routes the switch installs locally, while metric only sets the cost carried into OSPF when the route is redistributed. For the failover described here, set distance.
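As an added example that is not part of the original post, the following Python script checks which of the two paths ProCurve A is currently using by parsing the output of show ip route. The two route tables are constructed samples that follow the layout of that command (title, header and a dash ruler that fixes the column positions), not captures from a switch, and the backup next hop 192.168.201.2 is an assumption. The parser slices on the ruler rather than splitting on whitespace, so empty VLAN and Sub-Type cells (as on the reject route) do not shift the other columns; failover_state reports main, backup, missing (no route at all, for instance both links down) or unexpected (a next hop that is neither of the two).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (not captured from a switch): the layout follows
# the ProCurve "show ip route" table, where the ruler line of dashes marks
# where each column starts. Only the installed route for a prefix is listed.
ROUTE_TABLE_MAIN_UP = """\
                                   IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  10.10.13.0/24      192.168.200.2   200  static               1          10
  127.0.0.0/8        reject               static               0          0
  192.168.200.0/24   DIRECT          200  connected            1          0
  192.168.201.0/24   DIRECT          201  connected            1          0
"""

# Same switch after the main link (VLAN 200) went down: the distance-20 route
# through the assumed backup next hop is the one installed now.
ROUTE_TABLE_MAIN_DOWN = """\
  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  10.10.13.0/24      192.168.201.2   201  static               1          20
  127.0.0.0/8        reject               static               0          0
  192.168.201.0/24   DIRECT          201  connected            1          0
"""


@dataclass
class Route:
    destination: str
    gateway: str
    vlan: str
    rtype: str
    metric: int
    distance: int


def parse_show_ip_route(text: str) -> List[Route]:
    """Fixed-width parse driven by the dash ruler: each column runs from the
    start of its dash group to the start of the next one, so empty cells
    do not shift the fields after them."""
    lines = text.splitlines()
    ruler = next((i for i, l in enumerate(lines) if l.lstrip().startswith("---")), None)
    if ruler is None:
        raise ValueError("no column ruler found in show ip route output")
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    if len(starts) != 7:
        raise ValueError(f"expected 7 columns, found {len(starts)}")
    spans = list(zip(starts, starts[1:] + [None]))
    routes: List[Route] = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        dest, gw, vlan, rtype, _sub, metric, dist = (line[s:e].strip() for s, e in spans)
        routes.append(Route(dest, gw, vlan, rtype, int(metric), int(dist)))
    return routes


def installed_route(routes: List[Route], prefix: str) -> Optional[Route]:
    for r in routes:
        if r.destination == prefix:
            return r
    return None


def failover_state(text: str, prefix: str, main_hop: str, backup_hop: str) -> str:
    """Which path the switch is using for prefix right now: 'main', 'backup',
    'missing' (no route installed) or 'unexpected' (some other next hop)."""
    route = installed_route(parse_show_ip_route(text), prefix)
    if route is None:
        return "missing"
    if route.gateway == main_hop:
        return "main"
    if route.gateway == backup_hop:
        return "backup"
    return "unexpected"


if __name__ == "__main__":
    for name, table in (("main up", ROUTE_TABLE_MAIN_UP), ("main down", ROUTE_TABLE_MAIN_DOWN)):
        print(name, "->", failover_state(table, "10.10.13.0/24", "192.168.200.2", "192.168.201.2"))
```

Run it against show ip route captured before and after pulling the main link during a failover test. A result of unexpected means some other route for the prefix beat both static routes; the Dist. column of that entry tells you why.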

Monday, March 23, 2015

Creating a Trunk between an HP ProCurve Switch and VMware ESX/ESXi

According to VMware documentation, the ESX/ESXi standard vSwitch does not support LACP (LACP is available only with a vSphere Distributed Switch, from vSphere 5.1 onward). Therefore the only link aggregation mode on the ProCurve that works with a standard vSwitch is the static trunk mode.

On the ProCurve side, configure the trunk as a static trunk:

HP-5406zl(config)# trunk a1-a3 trk1 trunk

On the VMware side, use NIC Teaming with the Load Balancing option "Route based on IP hash":

- Click the ESX/ESXi host
- Click the Configuration tab
- Click the Networking link
- Click Properties
- Click the Virtual Switch in the Ports tab, then click Edit
- Click the NIC Teaming tab
- From the Load Balancing dropdown menu, select Route based on IP hash
- Verify that two or more network adapters are listed under Active Adapters.

All adapters listed as active for this vSwitch must be the ports of the same static trunk on the ProCurve: with IP-hash balancing, a team member plugged into a port outside the trunk causes MAC address flapping on the switch and dropped traffic.

Reference: http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004048

Thursday, March 5, 2015

Configuring DHCP Server in ProCurve Switches (K/KA/KB.15.16)

Starting with software release K/KA/KB.15.16, a DHCP server can be configured on the ProCurve switch itself, eliminating the need for a separate DHCP server. Setting it up takes three steps:

- Configure the DHCP pools with at least the minimum settings (pool name, default router, network, and IP range).
- Enable the DHCP server in one VLAN. Every other VLAN that should be served needs an IP helper address pointing at the switch's own address in that VLAN.
- Enable the DHCP server globally.

Hosting DHCP on the switch does not by itself stop a rogue DHCP server on the same VLAN from answering clients first; pair it with DHCP snooping so that only the intended server's replies are accepted on access ports.

Below is an example. The DHCP server is enabled in VLAN 2, so VLAN 3 needs an IP helper address pointing at the switch's VLAN 2 address (192.168.2.1):

HP-5406zl(config)# dhcp-server pool vlan2-pool
HP-5406zl(vlan2-pool)# default-router 192.168.2.1
HP-5406zl(vlan2-pool)# network 192.168.2.0/24
HP-5406zl(vlan2-pool)# range 192.168.2.10 192.168.2.50
HP-5406zl(vlan2-pool)# exit

HP-5406zl(config)# dhcp-server pool vlan3-pool
HP-5406zl(vlan3-pool)# default-router 192.168.3.1
HP-5406zl(vlan3-pool)# network 192.168.3.0/24
HP-5406zl(vlan3-pool)# range 192.168.3.10 192.168.3.50
HP-5406zl(vlan3-pool)# exit

HP-5406zl(config)# vlan 2
HP-5406zl(vlan-2)# untag a1,a2
HP-5406zl(vlan-2)# ip address 192.168.2.1/24
HP-5406zl(vlan-2)# dhcp-server
HP-5406zl(vlan-2)# exit

HP-5406zl(config)# vlan 3
HP-5406zl(vlan-3)# untag a3
HP-5406zl(vlan-3)# ip address 192.168.3.1/24
HP-5406zl(vlan-3)# ip helper-address 192.168.2.1
HP-5406zl(vlan-3)# exit

HP-5406zl(config)# dhcp-server enable
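As an added check that is not part of the original post, the following Python script parses the pool definitions above (with the CLI prompts stripped; only the CIDR form of network is handled) and reports the mistakes a DHCP pool can hide: a default router outside its network, a range that leaves the network, hands out the router's own address or includes the network/broadcast address, and pool networks that overlap. It also confirms that every helper address is an address the switch itself holds on a VLAN where dhcp-server is enabled. The broken pool and the two small dictionaries of VLAN addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# The two pools from this post with the prompts stripped; indented lines belong
# to the pool opened above them.
POOL_CONFIG = """\
dhcp-server pool vlan2-pool
 default-router 192.168.2.1
 network 192.168.2.0/24
 range 192.168.2.10 192.168.2.50
 exit
dhcp-server pool vlan3-pool
 default-router 192.168.3.1
 network 192.168.3.0/24
 range 192.168.3.10 192.168.3.50
 exit
"""

# Constructed, deliberately wrong pool (not from the post): the default router
# is outside the pool's network and the range runs past the end of it.
BAD_POOL_CONFIG = """\
dhcp-server pool broken-pool
 default-router 192.168.9.1
 network 192.168.4.0/24
 range 192.168.4.1 192.168.5.20
 exit
"""

# Addresses the switch holds on VLANs where "dhcp-server" is enabled, and the
# ip helper-address configured on every other VLAN (values from the post).
SERVER_VLAN_ADDRESSES = {"vlan 2": "192.168.2.1"}
HELPER_ADDRESSES = {"vlan 3": "192.168.2.1"}


def parse_pools(text: str) -> Dict[str, dict]:
    """Minimal parser for the pool context; strict=True rejects a 'network'
    that is really a host address (e.g. 192.168.2.1/24) with a ValueError."""
    pools: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "exit":
            current = None
        elif words[:2] == ["dhcp-server", "pool"]:
            current = {"network": None, "default_router": None, "ranges": []}
            pools[words[2]] = current
        elif current is None:
            raise ValueError(f"statement outside a pool context: {raw.strip()!r}")
        elif words[0] == "network":
            current["network"] = ipaddress.ip_network(words[1], strict=True)
        elif words[0] == "default-router":
            current["default_router"] = ipaddress.ip_address(words[1])
        elif words[0] == "range":
            current["ranges"].append((ipaddress.ip_address(words[1]),
                                      ipaddress.ip_address(words[2])))
    return pools


def lint_pools(pools: Dict[str, dict]) -> List[str]:
    """One message per inconsistency; an empty list means the pools are
    internally consistent (it says nothing about the VLAN side)."""
    findings: List[str] = []
    for name, p in pools.items():
        net, gw = p["network"], p["default_router"]
        if net is None:
            findings.append(f"{name}: no network configured")
            continue
        if gw is None:
            findings.append(f"{name}: no default-router configured")
        elif gw not in net:
            findings.append(f"{name}: default-router {gw} is outside {net}")
        for lo, hi in p["ranges"]:
            if lo > hi:
                findings.append(f"{name}: range {lo}-{hi} is reversed")
            elif lo not in net or hi not in net:
                findings.append(f"{name}: range {lo}-{hi} is not contained in {net}")
            elif gw is not None and lo <= gw <= hi:
                findings.append(f"{name}: range {lo}-{hi} would lease the router address {gw}")
            elif lo == net.network_address or hi == net.broadcast_address:
                findings.append(f"{name}: range {lo}-{hi} includes the network or broadcast address")
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = pools[a]["network"], pools[b]["network"]
            if na is not None and nb is not None and na.overlaps(nb):
                findings.append(f"{a} and {b}: networks {na} and {nb} overlap")
    return findings


def check_helpers(helpers: Dict[str, str], server_addrs: Dict[str, str]) -> List[str]:
    """Every ip helper-address must be an address this switch holds on a VLAN
    where dhcp-server is enabled, otherwise relayed requests go nowhere."""
    valid = set(server_addrs.values())
    return [f"{vlan}: helper-address {addr} is not a dhcp-server VLAN address of this switch"
            for vlan, addr in helpers.items() if addr not in valid]


if __name__ == "__main__":
    print(lint_pools(parse_pools(POOL_CONFIG)) or "pools OK")
    print(lint_pools(parse_pools(BAD_POOL_CONFIG)))
    print(check_helpers(HELPER_ADDRESSES, SERVER_VLAN_ADDRESSES) or "helpers OK")
```

Paste the pool section of show running-config (prompts removed) into POOL_CONFIG to lint a live switch; the helper and server dictionaries have to be filled in by hand from the VLAN section.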

Local MAC Authentication in HP ProCurve Switches (K/KA.15.14)

Local MAC Authentication (LMA) performs MAC address-based authentication locally on the switch (as opposed to MAC authentication against a RADIUS server). Based on the result, devices can be assigned to the appropriate VLAN and, optionally, a CoS value. A MAC OUI or a MAC mask allows multiple devices to be grouped under a single policy. Keep in mind what this does and does not prove: a MAC address is trivially cloned, so LMA identifies a device class rather than authenticating it. Use it for printers and phones that cannot do 802.1X, and keep the VLANs it assigns from reaching anything a spoofed address should not.

Configuring LMA using MAC groups:


Creating MAC groups and assigning MAC addresses to each group. In the following example:

- The first MAC group ("admin-pc-grp") contains a single MAC address.
- The second MAC group ("corp-pcs-grp") contains two address ranges, each defined by the first 32 bits of the address (mac-mask).
- The third MAC group ("corp-phones-grp") contains every address with the given 24-bit OUI (mac-oui).

HP-5406zl(config)# aaa port-access local-mac mac-group "admin-pc-grp" mac-addr 005056840161
HP-5406zl(config)# aaa port-access local-mac mac-group "corp-pcs-grp" mac-mask 002622bb/32 002622bc/32
HP-5406zl(config)# aaa port-access local-mac mac-group "corp-phones-grp" mac-oui 008011

Creating LMA profiles. In each profile, attributes such as VLAN (tagged or untagged) and QoS setting (CoS priority, aka 802.1p value) can be assigned.

HP-5406zl(config)# aaa port-access local-mac profile "admin-pc-prof" vlan untagged 2 cos 5
HP-5406zl(config)# aaa port-access local-mac profile "corp-pcs-prof" vlan untagged 3
HP-5406zl(config)# aaa port-access local-mac profile "corp-phones-prof" vlan tagged 5 cos 6

Linking profiles to MAC groups:

HP-5406zl(config)# aaa port-access local-mac apply profile admin-pc-prof mac-group admin-pc-grp
HP-5406zl(config)# aaa port-access local-mac apply profile corp-pcs-prof mac-group corp-pcs-grp
HP-5406zl(config)# aaa port-access local-mac apply profile corp-phones-prof mac-group corp-phones-grp

Enabling LMA on ports:

HP-5406zl(config)# aaa port-access local-mac a1

Configuring LMA without MAC groups:


Creating LMA profiles just like in the previous section (using MAC groups). Again, in each profile attributes such as VLAN (tagged or untagged) and QoS setting (CoS priority, aka 802.1p value) can be assigned.

HP-5406zl(config)# aaa port-access local-mac profile "admin-pc-prof" vlan untagged 2 cos 5
HP-5406zl(config)# aaa port-access local-mac profile "corp-pcs-prof" vlan untagged 3
HP-5406zl(config)# aaa port-access local-mac profile "corp-phones-prof" vlan tagged 5 cos 6

Linking MAC addresses directly to profiles:

HP-5406zl(config)# aaa port-access local-mac apply profile admin-pc-prof mac-addr 005056840161
HP-5406zl(config)# aaa port-access local-mac apply profile corp-pcs-prof mac-mask 002622bb/32
HP-5406zl(config)# aaa port-access local-mac apply profile corp-pcs-prof mac-mask 002622bc/32
HP-5406zl(config)# aaa port-access local-mac apply profile corp-phones-prof mac-oui 008011

Enabling LMA on ports:

HP-5406zl(config)# aaa port-access local-mac a1

Question: What is the difference between LMA configuration using MAC groups and not using MAC groups?
Answer: The configuration without MAC groups is a shortcut, useful when only a few MAC addresses share the same profile. When there are many MAC addresses to put under the same profile, MAC groups are recommended to keep the configuration readable.
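As an added example that is not part of the original post, the following Python script generates the mac-group, apply and per-port lines shown above from a device inventory. The inventory, its mixed notation and the group-naming rule (profile name with -prof replaced by -grp) are assumptions; the profile definitions themselves (vlan/cos) are still entered as shown above. The script normalises any delimiter style to the switch's default no-delimiter format, refuses values the mac-addr, mac-oui and mac-mask keywords cannot express, and flags an inventory in which a single address also falls under a prefix bound to a different profile, which would leave the applied policy ambiguous.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory (not from the post): (mac specification, kind, profile).
# kind is "addr" (one station), "mask" (prefix of whole bytes) or "oui" (24-bit
# vendor prefix); the notation is whatever the asset system exported.
INVENTORY: List[Tuple[str, str, str]] = [
    ("00:50:56:84:01:61", "addr", "admin-pc-prof"),
    ("00-26-22-BB",       "mask", "corp-pcs-prof"),
    ("0026.22bc",         "mask", "corp-pcs-prof"),
    ("00:80:11",          "oui",  "corp-phones-prof"),
]

_HEX = re.compile(r"^[0-9a-f]+$")


def normalize_mac(spec: str) -> str:
    """Lowercase hex without delimiters, i.e. the switch's default
    no-delimiter address format; rejects anything that is not hex."""
    s = re.sub(r"[:.\-\s]", "", spec.lower())
    if not _HEX.match(s):
        raise ValueError(f"not a hexadecimal MAC specification: {spec!r}")
    return s


def switch_argument(spec: str, kind: str) -> str:
    """Render one inventory entry as the mac-addr, mac-mask or mac-oui argument
    and refuse lengths that keyword cannot express."""
    s = normalize_mac(spec)
    if kind == "addr":
        if len(s) != 12:
            raise ValueError(f"mac-addr needs 48 bits, got {len(s) * 4}: {spec!r}")
        return f"mac-addr {s}"
    if kind == "oui":
        if len(s) != 6:
            raise ValueError(f"mac-oui needs exactly 24 bits: {spec!r}")
        return f"mac-oui {s}"
    if kind == "mask":
        # Design choice for this script: masks are 1 to 5 whole bytes, so the
        # /bits value is simply four times the hex digit count (002622bb -> /32).
        if len(s) % 2 or not 2 <= len(s) <= 10:
            raise ValueError(f"mac-mask prefix must be 1 to 5 whole bytes: {spec!r}")
        return f"mac-mask {s}/{len(s) * 4}"
    raise ValueError(f"unknown kind {kind!r}")


def conflicts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Full addresses that also fall under a prefix entry bound to a different
    profile: the switch applies one policy to such a station, so the inventory
    is ambiguous and should be fixed before it is pushed."""
    prefixes = [(normalize_mac(s), p) for s, k, p in inventory if k != "addr"]
    out: List[str] = []
    for spec, kind, profile in inventory:
        if kind != "addr":
            continue
        mac = normalize_mac(spec)
        for prefix, other in prefixes:
            if other != profile and mac.startswith(prefix):
                out.append(f"{mac} ({profile}) also matches prefix {prefix} ({other})")
    return out


def group_name(profile: str) -> str:
    """Naming rule assumed here: admin-pc-prof -> admin-pc-grp."""
    return profile[:-5] + "-grp" if profile.endswith("-prof") else profile + "-grp"


def build_lma_config(inventory: List[Tuple[str, str, str]], ports: List[str]) -> List[str]:
    """Emit the mac-group, apply and per-port lines; the profiles (vlan/cos)
    are defined separately."""
    found = conflicts(inventory)
    if found:
        raise ValueError("ambiguous inventory: " + "; ".join(found))
    by_profile: Dict[str, List[str]] = {}
    for spec, kind, profile in inventory:
        by_profile.setdefault(profile, []).append(switch_argument(spec, kind))
    lines: List[str] = []
    for profile, args in by_profile.items():
        group = group_name(profile)
        for arg in args:
            lines.append(f'aaa port-access local-mac mac-group "{group}" {arg}')
        lines.append(f"aaa port-access local-mac apply profile {profile} mac-group {group}")
    lines.extend(f"aaa port-access local-mac {port}" for port in ports)
    return lines


if __name__ == "__main__":
    print("\n".join(build_lma_config(INVENTORY, ["a1"])))
```

The conflict check matters more than it looks: an inventory that lists a station under admin-pc-prof while its OUI is also bound to corp-phones-prof will get exactly one of those VLANs on the switch, and nobody will notice until the wrong device lands in the wrong VLAN.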

LMA Monitoring:

After the LMA configuration shown above, when the client with MAC address 005056840161 connects to port a1, it is authenticated and granted access. To monitor LMA, enter the following command:

HP-5406zl(config)# show port-access local-mac active

The output shows the authenticated client placed in VLAN 2 as untagged with a CoS priority of 5, exactly as configured in the profile associated with that MAC address.


Other Features:

- The default MAC address format is no-delimiter, for example "002622bba7ac" (an address matching the corp-pcs-grp mask above). To change the format the switch uses for MAC addresses, use the command:

HP-5406zl(config)# aaa port-access mac-based addr-format <format>

where <format> is one of: no-delimiter (default), single-dash, multi-dash, multi-colon, no-delimiter-uppercase, single-dash-uppercase, multi-dash-uppercase, multi-colon-uppercase.

- By default, clients that cannot be authenticated are dropped. Alternatively, an unauthenticated VLAN can be configured so that these clients reach a limited set of services. The administrator must isolate that VLAN (ACLs, no route to internal networks) so that it reaches only those services and nothing else.

HP-5406zl(config)# aaa port-access local-mac unauth-vid 99

- On the other hand, if a client is successfully authenticated yet does not have a VLAN assignment in its profile, then it will be moved to an authorized VLAN which can be configured as below:

HP-5406zl(config)# aaa port-access local-mac auth-vid 10

- A number of per-port parameters can also be changed from their defaults: addr-limit (maximum number of authenticated MAC addresses on the port), logoff-period (inactivity time after which the switch treats the client as logged off), quiet-period (time during which the switch does not attempt authentication after a failed attempt), and unauth-period (time the switch waits before moving the port to the VLAN for unauthenticated clients). For example:

HP-5406zl(config)# aaa port-access local-mac unauth-period 320

- When multiple authentication methods are configured concurrently on a single port, the order of precedence is: 802.1X, LMA, and Web Authentication / MAC Authentication.