Table of Contents
Modul 1
HP ProVision ASIC
- E8200zl - modular chasis(6 or 12 slots); redundant management, fabric and power modules
- E5400zl - modular chasis(6 or 12 slots); redundant power modules
- E3500 - fixed config; 24 or 48 ports
- E6200-24G-mGBIC yl - sfp aggregator
- E6600
Users,Permissions,CLI modes
HP E-Series—Management users
- Operator - read-only přístup
- Manager - read-write přístup
HP E-Series—CLI structure
Switch> // Operator Switch# // Manager Switch (config)# // Global Configuration Switch (vlan-1)# // Context Configuration
Initial Configuration
Čistý switch si umí líznout IP z DHCP pro int.VLAN1
Nast.terminalu:
terminal lenght 50
Výpis běžící konfigurace:
show running-config
Smazání startovací konfigurace:
erase startup-config
Úrovně v CLI:
Switch> = Operator level
Switch> enable
Switch# = Manager level
Switch# config
Switch(config)# = Global configuration
Hostname:
Switch(config)# hostname <name>
VLAN1 IP:
Switch(config)# vlan 1
Switch(vlan-1)# ip address x.x.x.x/yy
Ulozeni konfigurace:
Switch(config)# write memory
Konfigurace portu:
Switch(config)# interface <port>
Switch(int-id)# enable
Switch(int-id)# disable
Switch(int-id)# speed-duplex [10-half|10-full|…|auto|auto-half|auto-full|…]
Switch(int-id)# mdix-mode [mdi|mdix|automdix]
Switch(int-id)# name <name>
Historie prikazu:
show history
Switch(config)# repeat <index>
Switch(config)# repeat <index> count <number>
Menu interface:
Switch(config)# menu
ProCurve Switch 3500yl-24G 29-Feb-2012 10:06:15
==========================- CONSOLE - MANAGER MODE -============================
Main Menu
1. Status and Counters...
2. Switch Configuration...
3. Console Passwords...
4. Event Log
5. Command Line (CLI)
6. Reboot Switch
7. Download OS
8. Run Setup
9. Stacking...
0. Logout
Provides the menu to display configuration, status, and counters.
To select menu item, press item number, or highlight item and press <Enter>.
Show prikazy:
show running-config
show ip
show vlans
show lldp info remote-device
show lldp info remote-device <port>
show interface
show interface brief
show interface <port-list>
show interface display
show history
LLDP
- IEEE 802.1AB
- Link Layer Discovery Protocol
Zobrazení všech sousedů:
show lldp info remote-device
Podrobné info i sousedech na portu:
show lldp info remote-device <int-id>
Vypnutí LLDP na portu:
lldp admin-status <int-id> disable
Modul 2
Software image architecture
- Dvě oblasti v paměti primary a secondary
- V každé oblasti může být jiný firmware a jiný config, je pak možné volit, který nabootuje
Restart switche:
reload =warm boot
boot =cold boot(+diagnostics)
Boot s rucne definovanym imagem:
boot system flash <flash-image>
Nastaveni def.image pro boot:
boot set-default flash <image>
show flash
show version
Copy new image from USB Flash:
Switch# dir
Switch# copy usb flash K_14_65.swi secondary
Configuration file architecture
- running configuration - RAM
- startup configuration - flash
show running-config
show running-config status
write memory
Vymazani hesel:
no password
nebo
podrzet min.1s tlacitko Clear
Factory reset:
erase startup-config
nebo
- zmacknout Clear a drzet
- zmacknout Reset, stale drzet Clear
- jakmile zacne blikat “Self Test LED” pustit Clear
Kopirovani konfigurace:
Switch# copy [startup-config|running-config] usb <filename>
Switch# copy usb startup-config <filename>
Multiple config files:
show config files
copy config <config-1> config <config-2>
startup default [primary|secondary] config <filename>
erase config <filename>
show config <filename>
boot system flash [primary|secondary]
Logging
show logging
show logging -a - vypis vseho
show logging -r - vypis v opacnem poradi
show logging -w - warning
show logging -m - major
show logging -i - info
show logging -d - debug
show logging <string> - vipis obsahujici definovany string
clear log
Port status
show interfaces <int-id>
show interfaces brief
Modul 3
VLANy
Switch(config)# vlan <id>
Switch(vlan-id)# tag <port>
Switch(vlan-id)# untag <port>
show vlans
show vlans <vlan-id>
show vlans port <port-id> detail
show mac-address vlan 1
Test# show vlans 1
Status and Counters - VLAN Information - VLAN 1
VLAN ID : 1
Name : DEFAULT_VLAN
Status : Port-based
Voice : No
Jumbo : No
Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
25 Untagged Learn Down
26 Untagged Learn Down
27 Untagged Learn Down
28 Untagged Learn Down
Test# show vlans ports 26 detail
Status and Counters - VLAN Information - for ports 26
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
20 Testovaci | Port-based No No Tagged
Test(vlan-1)# show mac-address vlan 1
Status and Counters - Address Table - VLAN 1
MAC Address Port
------------- -----
00a0ba-06ea39 13
L3 interface
Switch(vlan-id)# ip address x.x.x.x/yy
Switch(config)# ip routing
show ip
show ip route
Test# show ip
Internet (IP) Service
IP Routing : Disabled
Default Gateway : 192.168.100.1
Default TTL : 64
Arp Age : 20
Domain Suffix :
DNS server :
VLAN | IP Config IP Address Subnet Mask Proxy ARP
-------------------- + ---------- --------------- --------------- ---------
DEFAULT_VLAN | Manual 192.168.100.100 255.255.255.0 No
Testovaci | Disabled
DHCP Relay / Helper
Switch(vlan-id)# ip helper-address x.x.x.x
Gateway
Switch(config)# ip default-gateway x.x.x.x
Syslog
Switch(config)# logging x.x.x.x
SNTP
Switch(config)# timesync sntp
Switch(config)# sntp *[*unicast|broadcast]
Switch(config)# sntp server priority 1 x.x.x.x
Switch(config)# time timezone <+/→
DNS
Switch(config)# ip dns server-address priority 1 x.x.x.x
Switch(config)# ip dns domain-name domain.tld
Using TFTP
Switch# write memory
Switch# copy startup-config tftp x.x.x.x <filename>
Switch# copy tftp startup-config tftp x.x.x.x <filename>
Switch# copy command-output 'show tech' tftp x.x.x.x <filename>
show tech - totalni debugovaci vypis
Troubleshooting tools
ping x.x.x.x
traceroute x.x.x.x
show arp
show mac
Modul 4
Local authentication
Switch(config)# password manger
Switch(config)# no password manager
Switch(config)# password operator
Switch(config)# no password operator
Switch(config)# no password all
Switch(config)# password [ manager | operator | port-access ] user-name <username> [ plaintext | sha1 ] <password>
Remote authentication
Switch(config)# aaa authentication [telnet|console|web|ssh] [enable|login <privilege-mode>] [radius|tacacs|local]
Switch(config)# radius-server host <radius-ip-address> key <string>
Switch(config)# tacacs host <tacacs-ip-address> key <string>
Disable the Clear and Reset buttons
Switch(config)# no front-panel-security password-clear
Switch(config)# no front-panel-security factory-reset
Switch(config)# no usb-port
Switch# show front-panel-security
Security settings in config file
Switch(config)# include-credentials
Limit managers by IP
Switch(config)# ip authorized-managers x.x.x.x y.y.y.y access [manager|operator]
Management VLAN
- switch povoli MANAG pristup jen ze subnetu dane vlany
- izoluje uzivatelske vlany od manag vlany (na L3)
- z manag vlany lze pristupovat do uzivatelskych
- nedoporucuje se pouzivat vlan 1
> Switch(config)# management-vlan <vlan-id>
SSH
Switch(config)# crypto key generate ssh rsa bits <size>
Switch(config)# ip ssh
Switch(config)# no telnet-server
Switch(config)# show ip ssh
Switch(config)# show crypto host-public-key
Vymazani klice:
Switch(config)# crypto key zeroize ssh
SSL
Switch(config)# crypto key generate cert [rsa] <512|768|1024>
Switch(config)# crypto host-cert generate self-signed
Switch(config)# web-management ssl
Switch(config)# no web-management plaintext
Vymazani certifikatu:
Switch(config)# crypto key zeroize cert
Switch(config)# crypto host-cert zeroize
STFP
- podminkou je nakonfigurovane SSH
> Switch(config)# ip ssh filetransfer
SNMPv2
Read-only:
Switch(config)# snmp-server community <community-string> [operator|manager] restricted
Read-write:
Switch(config)# snmp-server community <community-string> [operator|manager] unrestricted
Trap:
Switch(config)# snmp-server host x.x.x.x <community-name>
SNMPv3
Switch(config)# snmpv3 enable
Switch(config)# snmpv3 user <username> auth [md5|sha] <auth-password> priv [des|aes] <priv-password>
Switch(config)# snmpv3 group <group-name> user <username> secmodel ver3
Group-name:
- managerpriv - uzivatel musi mit auth-pass i priv-pass, ma RW pristup
- managerauth - uzivatel musi mit auth-pass, ma RW pristup
- operatorauth - uzivatel musi mit auth-pass, ma RO pristup (krome RW pristupu k discovery objektum MIB)
- operatornoauth - uzivatel se neautentikuje, ma RO pristup (krome RW pristupu k discovery objektum MIB)
Agregace linek - Port Trunking
Staticka agregace linek
- POZOR trunk po vytvoreni spadne do jako netagovany do default VLAN (vlan 1)!!!
- varianta bez LACP je bezprotokolovy trunk
- trunky se v sytemu jmenuji trk1, trk2, …, na puvodni porty se jiz v konfiguraci nelze odkazovat
Switch(config)# trunk <port-list> trk1 [lacp]
Switch(config)# vlan <vlan-id> [tagged|untaged] trk1
show trunk
show interface display
Dynamicka agregace linek
- Nevyhoda - lze pouzit jen pro vlan 1., seznam VLAN jinak obstarava GVRP
- Vyhoda - stand-by linky
Porty
- Active - posílají LACPDUs
- Pasive - přijímají LACPDUs
Switch(config)# interface <port numbers> lacp [active|passive]
Switch(config)# interface a1,b7 lacp active
Spanning Tree protocols
STP
- loop-protection - ochrana proti smyckam na zakaznickych switchich.
- Default STP = MSTP
- Priority = násobky čísla 4096 (1=4096, 8=32768, 15=61440)
Switch(config)# spanning-tree priority <0-15>
Switch(config)# spanning-tree
Switch(config)# show spanning-tree
MSTP
Tyto údaje musí být na všech SW v MST doméně stejné:
- config-name (region name)
- config-revision
- VLAN to MST instance mapping (na některých switchíc lze mapovat i neexistujicí vlany)
Switch(config)# spanning-tree config-name <name>
Switch(config)# spanning-tree config-revision <number>
Switch(config)# spanning-tree instance 1 priority 1
Switch(config)# spanning-tree instance 1 vlan 10 20
show spanning-tree mst-config
show spanning-tree instance 1
IP Routing
Static routing
Switch(config)# ip route x.x.x.x/xx y.y.y.y
# Default route
Switch(config)# ip route 0.0.0.0/0 y.y.y.y
nebo
Switch(config)# ip defaut-gateway y.y.y.y
show ip route
RIP
# Redistribuce(connected se def.redistribuji)
Switch(rip)# redistribute [static|ospf]
Switch(rip)# no redistribute connected
Switch(config)# router rip
Switch(rip)# vlan <id> ip rip
show ip rip
show ip rip general
show ip route
Port mirroring
Switch(config)# mirror <sessionID> port <port-id>
Switch(config)# interface <port-list> monitor all [in|out|both] mirror <sessionID>
PCM ProCurve Manager
- “PCM” - zdarma (spi jen pro dohled)
- “PCM+” - Placena verze (SNMPv3, syslog, automaticky management, config.templaty)
- Pracuje se SNMP/ICMP/CDP/LLDP/ARP
- Umi automaticky zjistit topologii site (discovery)
- Lze odtud zarizeni primo spravovat
PCM+ Plug-ins
- PMM ProCurve Mobility Manager - podpora MSM bezdratu
- IDM Identity Driven Manager - resi uzivatelsky pristup do site ve spolupraci s radius serverem (prostrednictvim agenta umi nastavovat politiky na radiusu)
- NIM Network Imunity Manager - IDS system (pracuje s sFlow vzorky)
Licencni politika:
- PCM+ licence na pocet zarizeni (zaklad 50, pak po 100)
- PMM licence na pocet zarizeni (AP)
- IDM licence na pocet koncovych uzivatelu
- NIM licence na pocet zarizeni
Discovery metody:
- neighbor discovery (cte MIB lldp,cdp,fdp)
- ARP discovery (cte MIB ARP tabulky)
- Ping sweep (propingava IP ve zjistenych subnetech)
Zjistene subnety deli na:
- Managed subnet - urcuje se dle seed device
- Unmanaged subnet - vse ostatni (msim rucne prehodit do managed)
Uzivatelske role:
- Administrator - user management
- Operator - muze monitorovat a konfigurovat zarizeni
- Viewer - muze monitorovat
PoE
# Zap./Vyp. PoE - defaultně zapnuto
Switch(config)# [no] interface <port-list> power-over-ethernet
# Port PoE Priority
Switch(config)# interface <port-list> power-over-ethernet [critical|high|low]