====== Module 1 ======

===== HP ProVision ASIC =====

  * E8200zl - modular chassis (6 or 12 slots); redundant management, fabric and power modules {{:wiki:site:hp:hp8206.jpeg|}}{{:wiki:site:hp:hp8212.jpeg|}}
  * E5400zl - modular chassis (6 or 12 slots); redundant power modules {{:wiki:site:hp:hp5406.jpeg|}}{{:wiki:site:hp:hp5412.jpeg|}}
  * E3500 - fixed configuration; 24 or 48 ports {{:wiki:site:hp:hp3500.jpeg|}}
  * E6200-24G-mGBIC yl - SFP aggregator {{:wiki:site:hp:hp6200.jpeg|}}
  * E6600 {{:wiki:site:hp:hp6600.jpeg|}}

===== Users, Permissions, CLI modes =====

HP E-Series management users:
  * Operator - read-only access
  * Manager - read-write access

HP E-Series CLI structure:
<code>
Switch>           // Operator
Switch#           // Manager
Switch(config)#   // Global Configuration
Switch(vlan-1)#   // Context Configuration
</code>

===== Initial Configuration =====

A factory-fresh switch obtains an IP address for interface VLAN 1 via DHCP.

Terminal setting:
> **terminal length** 50

Show the running configuration:
> **show running-config**

Erase the startup configuration:
> **erase startup-config**

CLI levels:
> Switch> //= Operator level//
> Switch> **enable**
> Switch# //= Manager level//
> Switch# **config**
> Switch(config)# //= Global configuration//

Hostname:
> Switch(config)# **hostname** <name>

VLAN 1 IP:
> Switch(config)# **vlan 1**
> Switch(vlan-1)# **ip address** x.x.x.x/yy

Save the configuration:
> Switch(config)# **write memory**

Port configuration:
> Switch(config)# **interface** <port>
> Switch(int-id)# **enable**
> Switch(int-id)# **disable**
> Switch(int-id)# **speed-duplex** [**10-half**|**10-full**|...|**auto**|**auto-half**|**auto-full**|...]
> Switch(int-id)# **mdix-mode** [**mdi**|**mdix**|**automdix**]
> Switch(int-id)# **name** <string>

Command history:
> **show history**
> Switch(config)# **repeat** <cmd-list>
> Switch(config)# **repeat** <cmd-list> **count** <n>

Menu interface:
> Switch(config)# **menu**
<code>
ProCurve Switch 3500yl-24G                                  29-Feb-2012 10:06:15
==========================- CONSOLE - MANAGER MODE -============================
                                   Main Menu

   1. Status and Counters...
   2. Switch Configuration...
   3. Console Passwords...
   4. Event Log
   5. Command Line (CLI)
   6. Reboot Switch
   7. Download OS
   8. Run Setup
   9. Stacking...
   0. Logout

Provides the menu to display configuration, status, and counters.
To select menu item, press item number, or highlight item and press <Enter>.
</code>

Show commands:
> **show running-config**
> **show ip**
> **show vlans**
> **show lldp info remote-device**
> **show lldp info remote-device** <port>
> **show interface**
> **show interface brief**
> **show interface** <port>
> **show interface display**
> **show history**

===== LLDP =====

  * IEEE 802.1AB
  * Link Layer Discovery Protocol

Show all neighbours:
> **show lldp info remote-device**

Detailed information about the neighbours on a port:
> **show lldp info remote-device** <port>

Disable LLDP on a port:
> **lldp admin-status** <port> **disable**

====== Module 2 ======

===== Software image architecture =====

  * Two flash areas, **primary** and **secondary**
  * Each area can hold a different firmware image and a different config; you can then choose which one boots

Restart the switch:
> **reload** //= warm boot//
> **boot** //= cold boot (+ diagnostics)//

Boot from a manually chosen image:
> **boot system flash** [**primary**|**secondary**]

Set the default boot image:
> **boot set-default flash** [**primary**|**secondary**]
> **show flash**
> **show version**

Copy a new image from a USB flash drive:
> Switch# **dir**
> Switch# **copy usb flash** //K_14_65.swi// **secondary**

===== Configuration file architecture =====

  * running configuration - RAM
  * startup configuration - flash

> **show running-config**
> **show running-config status**
> **write memory**

Clear passwords:
> **no password**
or
> hold the **Clear** button for at least 1 s

Factory reset:
> **erase startup-config**
or
  - press and hold **Clear**
  - press **Reset** while still holding **Clear**
  - as soon as the "Self Test LED" starts blinking, release **Clear**

Copy the configuration:
> Switch# **copy** [**startup-config**|**running-config**] **usb** <filename>
> Switch# **copy usb startup-config** <filename>

===== Multiple config files =====

> **show config files**
> **copy config** <source-name> **config** <dest-name>
> **startup-default** [**primary**|**secondary**] **config** <name>
> **erase config** <name>
> **show config** <name>
> **boot system flash** [**primary**|**secondary**] **config** <name>

===== Logging =====

> **show logging**
> **show logging -a** // - show everything//
> **show logging -r** // - reverse order//
> **show logging -w** // - warning//
> **show logging -m** // - major//
> **show logging -i** // - info//
> **show logging -d** // - debug//
> **show logging** <string> // - entries containing the given string//
> **clear log**

===== Port status =====

> **show interfaces**
> **show interfaces brief**

====== Module 3 ======

===== VLANs =====

> Switch(config)# **vlan** <id>
> Switch(vlan-id)# **tagged** <ports>
> Switch(vlan-id)# **untagged** <ports>
> **show vlans**
> **show vlans** <id>
> **show vlans ports** <port> **detail**
> **show mac-address vlan 1**

<code>
Test# show vlans 1

 Status and Counters - VLAN Information - VLAN 1

  VLAN ID : 1
  Name    : DEFAULT_VLAN
  Status  : Port-based
  Voice   : No
  Jumbo   : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  25               Untagged Learn        Down
  26               Untagged Learn        Down
  27               Untagged Learn        Down
  28               Untagged Learn        Down
</code>

<code>
Test# show vlans ports 26 detail

 Status and Counters - VLAN Information - for ports 26

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  1       DEFAULT_VLAN         | Port-based No    No    Untagged
  20      Testovaci            | Port-based No    No    Tagged
</code>

<code>
Test(vlan-1)# show mac-address vlan 1

 Status and Counters - Address Table - VLAN 1

  MAC Address   Port
  ------------- -----
  00a0ba-06ea39 13
</code>

===== L3 interface =====

> Switch(vlan-id)# **ip address** x.x.x.x/yy
> Switch(config)# **ip routing**
> **show ip**
> **show ip route**

<code>
Test# show ip

 Internet (IP) Service

  IP Routing : Disabled

  Default Gateway : 192.168.100.1
  Default TTL     : 64
  Arp Age         : 20
  Domain Suffix   :
  DNS server      :

  VLAN                 | IP Config  IP Address      Subnet Mask     Proxy ARP
  -------------------- + ---------- --------------- --------------- ---------
  DEFAULT_VLAN         | Manual     192.168.100.100 255.255.255.0   No
  Testovaci            | Disabled
</code>

===== DHCP Relay / Helper =====

> Switch(vlan-id)# **ip helper-address** x.x.x.x

===== Gateway =====

> Switch(config)# **ip default-gateway** x.x.x.x

===== Syslog =====

> Switch(config)# **logging** x.x.x.x

===== SNTP =====

> Switch(config)# **timesync sntp**
> Switch(config)# **sntp** [**unicast**|**broadcast**]
> Switch(config)# **sntp server priority** 1 x.x.x.x
> Switch(config)# **time timezone** <+/->

===== DNS =====

> Switch(config)# **ip dns server-address priority** 1 x.x.x.x
> Switch(config)# **ip dns domain-name** //domain.tld//

===== Using TFTP =====

> Switch# **write memory**
> Switch# **copy startup-config tftp** x.x.x.x <filename>
> Switch# **copy tftp startup-config** x.x.x.x <filename>
> Switch# **copy command-output** 'show tech' **tftp** x.x.x.x <filename>
> **show tech** // - complete debugging dump//

===== Troubleshooting tools =====

> **ping** x.x.x.x
> **traceroute** x.x.x.x
> **show arp**
> **show mac**

====== Module 4 ======

===== Local authentication =====

> Switch(config)# **password manager**
> Switch(config)# **no password manager**
> Switch(config)# **password operator**
> Switch(config)# **no password operator**
> Switch(config)# **no password all**
> Switch(config)# **password** [**manager**|**operator**|**port-access**] **user-name** <name> [**plaintext**|**sha1**] <password>

===== Remote authentication =====

> Switch(config)# **aaa authentication** [**telnet**|**console**|**web**|**ssh**] [**enable**|**login**] [**radius**|**tacacs**|**local**]
> Switch(config)# **radius-server host** <ip> **key** <key>
> Switch(config)# **tacacs-server host** <ip> **key** <key>

===== Disable the Clear and Reset buttons =====

> Switch(config)# **no front-panel-security password-clear**
> Switch(config)# **no front-panel-security factory-reset**
> Switch(config)# **no usb-port**
> Switch# **show front-panel-security**

===== Security settings in the config file =====

> Switch(config)# **include-credentials**

===== Limit managers by IP =====

> Switch(config)# **ip authorized-managers** x.x.x.x y.y.y.y **access** [**manager**|**operator**]

===== Management VLAN =====

  * the switch allows management access only from the subnet of that VLAN
  * isolates the user VLANs from the management VLAN (at L3)
  * the user VLANs are reachable from the management VLAN
  * using VLAN 1 is not recommended

> Switch(config)# **management-vlan** <id>

===== SSH =====

> Switch(config)# **crypto key generate ssh rsa bits** <size>
> Switch(config)# **ip ssh**
> Switch(config)# **no telnet-server**
> Switch(config)# **show ip ssh**
> Switch(config)# **show crypto host-public-key**

Delete the key:
> Switch(config)# **crypto key zeroize ssh**

===== SSL =====

> Switch(config)# **crypto key generate cert** [**rsa**] <**512**|**768**|**1024**>
> Switch(config)# **crypto host-cert generate self-signed**
> Switch(config)# **web-management ssl**
> Switch(config)# **no web-management plaintext**

Delete the certificate:
> Switch(config)# **crypto key zeroize cert**
> Switch(config)# **crypto host-cert zeroize**

===== SFTP =====

  * requires SSH to be configured first

> Switch(config)# **ip ssh filetransfer**

===== SNMPv2 =====

Read-only:
> Switch(config)# **snmp-server community** <name> [**operator**|**manager**] **restricted**

Read-write:
> Switch(config)# **snmp-server community** <name> [**operator**|**manager**] **unrestricted**

Trap:
> Switch(config)# **snmp-server host** x.x.x.x <community>

===== SNMPv3 =====

> Switch(config)# **snmpv3 enable**
> Switch(config)# **snmpv3 user** <name> **auth** [**md5**|**sha**] <auth-pass> **priv** [**des**|**aes**] <priv-pass>
> Switch(config)# **snmpv3 group** <group-name> **user** <name> **sec-model ver3**

Group names:
  * managerpriv - the user must have both an auth password and a priv password; RW access
  * managerauth - the user must have an auth password; RW access
  * operatorauth - the user must have an auth password; RO access (except RW access to the discovery MIB objects)
  * operatornoauth - the user is not authenticated; RO access (except RW access to the discovery MIB objects)

====== Link aggregation - Port Trunking ======

===== Static link aggregation =====

  * CAUTION: after creation the trunk lands untagged in the default VLAN (VLAN 1)!!!
  * the variant without LACP is a protocol-less trunk
  * the system names trunks trk1, trk2, ...; the original member ports can no longer be referenced in the configuration

> Switch(config)# **trunk** <ports> **trk1** [**lacp**]
> Switch(config)# **vlan** <id> [**tagged**|**untagged**] **trk1**
> **show trunk**
> **show interface display**

===== Dynamic link aggregation =====

  * Disadvantage - usable only for VLAN 1; otherwise the VLAN list has to be handled by GVRP
  * Advantage - stand-by links

Ports:
  * Active - send LACPDUs
  * Passive - receive LACPDUs

> Switch(config)# **interface** <ports> **lacp** [**active**|**passive**]
> Switch(config)# **interface a1,b7 lacp active**

====== Spanning Tree protocols ======

===== STP =====

  * loop-protection - protection against loops on customer switches
  * Default STP = MSTP
  * Priority = multiples of 4096 (1=4096, 8=32768, 15=61440)

> Switch(config)# **spanning-tree priority** <0-15>
> Switch(config)# **spanning-tree**
> Switch(config)# **show spanning-tree**

===== MSTP =====

These values must be identical on all switches in the MST domain:
  * config-name (region name)
  * config-revision
  * VLAN to MST instance mapping (on some switches even non-existent VLANs can be mapped)

> Switch(config)# **spanning-tree config-name** <name>
> Switch(config)# **spanning-tree config-revision** <number>
> Switch(config)# **spanning-tree instance** 1 **priority** 1
> Switch(config)# **spanning-tree instance** 1 **vlan** 10 20
> **show spanning-tree mst-config**
> **show spanning-tree instance 1**

====== IP Routing ======

===== Static routing =====

> Switch(config)# **ip route** x.x.x.x/xx y.y.y.y
> //# Default route//
> Switch(config)# **ip route** 0.0.0.0/0 y.y.y.y
> //or//
> Switch(config)# **ip default-gateway** y.y.y.y
> **show ip route**

===== RIP =====

> //# Redistribution (connected routes are redistributed by default)//
> Switch(rip)# **redistribute** [**static**|**ospf**]
> Switch(rip)# **no redistribute connected**
> Switch(config)# **router rip**
> Switch(rip)# **vlan** <id>
> Switch(vlan-id)# **ip rip**
> **show ip rip**
> **show ip rip general**
> **show ip route**

====== Port mirroring ======

> Switch(config)# **mirror** <session> **port** <port>
> Switch(config)# **interface** <port> **monitor all** [**in**|**out**|**both**] **mirror** <session>

====== PCM ProCurve Manager ======

  * "PCM" - free (mainly just for monitoring)
  * "PCM+" - paid version (SNMPv3, syslog, automatic management, config templates)
  * Works with SNMP/ICMP/CDP/LLDP/ARP
  * Can discover the network topology automatically (discovery)
  * Devices can be managed directly from it

PCM+ plug-ins:
  * PMM ProCurve Mobility Manager - support for MSM wireless
  * IDM Identity Driven Manager - handles user access to the network together with a RADIUS server (through an agent it can set policies on the RADIUS server)
  * NIM Network Immunity Manager - IDS system (works with sFlow samples)

Licensing:
  * PCM+ licensed per number of devices (base 50, then in steps of 100)
  * PMM licensed per number of devices (APs)
  * IDM licensed per number of end users
  * NIM licensed per number of devices

Discovery methods:
  * neighbor discovery (reads the LLDP, CDP and FDP MIBs)
  * ARP discovery (reads the ARP table MIB)
  * Ping sweep (pings the IPs in the discovered subnets)

Discovered subnets are divided into:
  * Managed subnet - determined by the seed device
  * Unmanaged subnet - everything else (has to be moved to managed by hand)

User roles:
  * Administrator - user management
  * Operator - can monitor and configure devices
  * Viewer - can monitor

====== PoE ======

> //# Enable/disable PoE - enabled by default//
> Switch(config)# [**no**] **interface** <port> **power-over-ethernet**
> //# Port PoE priority//
> Switch(config)# **interface** <port> **power-over-ethernet** [**critical**|**high**|**low**]
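The ''show vlans ports <port> detail'' and ''show mac-address vlan <id>'' outputs quoted in Module 3 (VLANs) are fixed-width tables with a dashed separator line. The following Python is an added example, not code from the training notes or from HP: it parses both tables into dictionaries and determines a port's untagged VLAN. The two sample outputs are reconstructed from the notes, not captured from a live switch; the separator-detection rule is an assumption based on that sample format.

```python
"""Parser for the fixed-width tables printed by the ProCurve commands
'show vlans ports <port> detail' and 'show mac-address vlan <id>'.
Added example, not part of the training notes; the two outputs below are
reconstructed from the samples quoted in Module 3, not captured live."""
import re

SHOW_VLANS_PORT_DETAIL = """\
Test# show vlans ports 26 detail

 Status and Counters - VLAN Information - for ports 26

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  1       DEFAULT_VLAN         | Port-based No    No    Untagged
  20      Testovaci            | Port-based No    No    Tagged
"""

SHOW_MAC_VLAN = """\
Test(vlan-1)# show mac-address vlan 1

 Status and Counters - Address Table - VLAN 1

  MAC Address   Port
  ------------- -----
  00a0ba-06ea39 13
"""

# Assumption: a ProCurve table separator is a row of dashes, with '+' where
# the header splits into two column groups.
_SEPARATOR = re.compile(r"^\s*-+(\s+[-+]+)*\s*$")


def table_rows(text):
    """Return the stripped data rows that follow the dashed separator line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if _SEPARATOR.match(line):
            return [ln.strip() for ln in lines[i + 1:] if ln.strip()]
    return []


def parse_vlan_port_detail(text):
    """Map VLAN ID -> {name, status, voice, jumbo, mode} for one port."""
    result = {}
    for row in table_rows(text):
        left, _, right = row.partition("|")
        vid, name = left.split(maxsplit=1)      # VLAN names may contain spaces
        status, voice, jumbo, mode = right.split()
        result[int(vid)] = {
            "name": name.strip(),
            "status": status,
            "voice": voice == "Yes",
            "jumbo": jumbo == "Yes",
            "mode": mode,                        # 'Tagged' or 'Untagged'
        }
    return result


def parse_mac_table(text):
    """Map MAC (colon-separated, lowercase) -> port from 'show mac-address' output."""
    result = {}
    for row in table_rows(text):
        mac, port = row.split()
        digits = mac.replace("-", "").lower()    # ProCurve prints 00a0ba-06ea39
        result[":".join(digits[i:i + 2] for i in range(0, 12, 2))] = port
    return result


def untagged_vlan(detail):
    """A ProCurve port is untagged in at most one VLAN; return its ID or None."""
    ids = [vid for vid, v in detail.items() if v["mode"] == "Untagged"]
    return ids[0] if len(ids) == 1 else None


if __name__ == "__main__":
    detail = parse_vlan_port_detail(SHOW_VLANS_PORT_DETAIL)
    print("port 26 untagged VLAN:", untagged_vlan(detail))
    print("tagged VLANs:", sorted(v for v, d in detail.items() if d["mode"] == "Tagged"))
    print("MAC table:", parse_mac_table(SHOW_MAC_VLAN))
```

Feeding the output of ''show vlans ports <port> detail'' for every port through ''parse_vlan_port_detail'' and ''untagged_vlan'' gives a quick inventory of which ports still sit untagged in VLAN 1, which is the situation the trunking and management VLAN sections of these notes warn about.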
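Module 4 lists the hardening commands one at a time (SSH instead of Telnet, SSL-only web management, restricted SNMP communities, ''ip authorized-managers'', a management VLAN other than VLAN 1, front-panel security). The following Python is an added example, not code from the notes or from HP: it audits a running-config text for those items and reports findings by severity. The configuration is constructed for the example, and the line formats it expects are an assumption modelled on the CLI commands in the notes (an enabled service as its bare keyword, a disabled one prefixed with ''no''); compare them with your own ''show running-config'' output before relying on any single check.

```python
"""Audit a ProCurve running-config against the Module 4 hardening items of these
notes (SSH instead of Telnet, SSL-only web UI, restricted SNMP communities,
authorized managers, a dedicated management VLAN, front-panel security).
Added example, not part of the notes. The config below is CONSTRUCTED, and the
assumed line formats mirror the CLI commands in the notes (an enabled service
as its bare keyword, a disabled one prefixed with 'no'); compare against your
own 'show running-config' before relying on any single check."""
import re

SAMPLE_CONFIG = """\
hostname "Test"
telnet-server
web-management plaintext
snmp-server community "public" unrestricted
snmp-server community "netmon" operator restricted
management-vlan 1
ip ssh
"""

_SNMP_COMMUNITY = re.compile(
    r'snmp-server community "?([^"\s]+)"?(?:\s+(operator|manager))?\s*(restricted|unrestricted)?'
)
_MGMT_VLAN = re.compile(r"management-vlan (\d+)")


def audit_config(config_text):
    """Return a list of (severity, finding) tuples; an empty list means all checks passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    def has(prefix):
        # exact command or command followed by arguments; 'no <cmd>' does not count
        return any(ln == prefix or ln.startswith(prefix + " ") for ln in lines)

    if has("telnet-server"):
        findings.append(("high", "Telnet enabled; disable with 'no telnet-server' and use SSH"))
    if not has("ip ssh"):
        findings.append(("high", "SSH disabled; 'crypto key generate ssh rsa bits <n>' then 'ip ssh'"))
    if has("web-management plaintext"):
        findings.append(("medium", "HTTP web UI enabled; 'web-management ssl' + 'no web-management plaintext'"))
    for ln in lines:
        m = _SNMP_COMMUNITY.match(ln)
        if not m:
            continue
        name, _role, access = m.groups()
        if name.lower() in ("public", "private"):
            findings.append(("high", f"well-known SNMP community '{name}' configured"))
        if access == "unrestricted":
            findings.append(("high", f"SNMP community '{name}' is read-write (unrestricted)"))
    if not has("ip authorized-managers"):
        findings.append(("medium", "no 'ip authorized-managers' entries; management open to any source IP"))
    vlan = next((m.group(1) for ln in lines for m in [_MGMT_VLAN.match(ln)] if m), None)
    if vlan is None:
        findings.append(("low", "no management-vlan configured"))
    elif vlan == "1":
        findings.append(("medium", "management-vlan is VLAN 1; the notes recommend a dedicated VLAN"))
    if not has("no front-panel-security password-clear"):
        findings.append(("low", "Clear button still clears passwords; 'no front-panel-security password-clear'"))
    return findings


def severity_counts(findings):
    """Count findings per severity level, e.g. {'high': 3, 'medium': 3, 'low': 1}."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {msg}")
```

A config exported with ''copy startup-config tftp'' or ''copy startup-config usb'' (Module 2 and Module 3) can be run through ''audit_config'' offline; note that ''include-credentials'' puts password hashes and SNMP strings into that same file, so treat exported configs as sensitive.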