HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
The only warranties for HP products and services are set
forth in the express warranty statements accompanying
such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions
contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Trademark Credits
Microsoft®, Windows®, and Windows NT® are US
registered trademarks of Microsoft Corporation.
Adobe® and Acrobat® are trademarks of Adobe Systems
Incorporated. Java™ is a US trademark of Sun
Microsystems, Inc.
Software Credits
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by
the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit
http:// www.openssh.com
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by
the OpenSSL Project for use in the OpenSSL Toolkit. For
more information on OpenSSL, visit
http://www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com). This product includes
software written by Tim Hudson (tjh@cryptsoft.com)
.
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
Check the ProCurve Networking Web site frequently for free software updates for the various
ProCurve switches you may have in your network.
Downloading Switch Documentation and Software from the Web
You can download software updates and the corresponding product documentation from HP’s
ProCurve web site as described below.
To Download a Software Version:
1.Go to the ProCurve Networking Web site at:
2.Click on Switches.
To Download Product Documentation: You will need the Adobe® Acrobat® Reader to view,
print, and/or copy the product documentation.
1.Go to HP’s ProCurve web site at:
2.Click on the name of the product for which you want documentation.
3.On the resulting web page, double-click on a document you want.
4.When the document file opens, click on the disk icon in the Acrobat® toolbar and save a
copy of the file.
http://www.procurve.com/manuals.
http://www.procurve.com/software.
1
Downloading Software to the Switch
Downloading Software to the Switch
Caution
The startup-config file generated by the latest software release may not be backward-compatible with
the same file generated by earlier software releases.
HP periodically provides switch software updates through the ProCurve Networking Web site
http://www.procurve.com/software. After you acquire the new software file, you can use one of the
following methods for downloading it to the switch:
■For a TFTP transfer from a server, do either of the following:
•Click on Download OS in the Main Menu of the switch’s menu interface and use the
(default) TFTP option.
•Use the copy tftp command in the switch’s CLI (see below).
■For an Xmodem transfer from a PC or Unix workstation, do either of the following:
•Click on Download OS in the Main Menu of the switch’s menu interface and select the
Xmodem option.
•Use the copy xmodem command in the switch’s CLI (page 4).
■Use the download utility in ProCurve Manager Plus.
■A switch-to-switch file transfer
Note
Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes
or to be used in another switch of the same model.
This section describes how to use the CLI to download software to the switch. You can also use the
menu interface for software downloads.
Note that if you do not specify the flash destination, the TFTP download defaults to the primary flash.
For example, to download a software file named R_11_0 4.swi from a TFTP server with the IP address
of 10.28.227.103:
1.Execute the copy command as shown below:
ProCurve # copy tftp flash 10.28.227.103 R_11_04.swi
The primary OS image will be deleted. continue [y/n]? Y
03125K
2.When the switch finishes downloading the software file from the server, it displays the progress
message:
Validating and Writing System Software to FLASH.
When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded
software
3.Reboot the switch.
After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting
last configured in the menu’s Switch Setup screen.
3
Downloading Software to the Switch
Xmodem Download From a PC or Unix Workstation
This procedure assumes that:
■The switch is connected via the Console RS-232 port on a PC operating as a terminal. (Refer to
the Installation Guide you received with the switch for information on connecting a PC as a
terminal and running the switch console interface.)
■The switch software is stored on a disk drive in the PC.
■The terminal emulator you are using includes the Xmodem binary transfer feature. (For example,
in the Microsoft Windows NT® terminal emulator, you would use the Send File option in the
T
ransfer drop-down menu.)
Syntax:copy xmodem flash < unix | pc >
For example, to download a software file from a PC:
1.To reduce the download time, you may want to increase the baud rate in your terminal emulator
and in the switch to a value such as 57600 bits per second. (The baud rate must be the same in
both devices.) For example, to change the baud rate in the switch to 57600, execute this
command:
ProCurve(config)# console baud-rate 57600
(If you use this option, be sure to set your terminal emulator to the same baud rate.)
2.Execute the following command in the CLI:
ProCurve # copy xmodem flash primary
The primary OS image will be deleted. continue [y/n]? Y
Press ‘enter’ and start XMODEM on your host . . .
3.Execute the terminal emulator commands to begin the Xmodem transfer. The download can take
several minutes, depending on the baud rate used in the transfer.
4.Reboot the switch.
After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting
last configured in the menu’s Switch Setup screen.
5.Use the following command to confirm that the software downloaded correctly:
ProCurve> show system
Check the Firmware revision line to verify that the switch downloaded the new software.
6.If you increased the baud rate on the switch (step 1), use the same command to return it to its
previous setting. (HP recommends a baud rate of 9600 bits per second for most applications.)
Remember to return your terminal emulator to the same baud rate as the switch.
4
Downloading Software to the Switch
Saving Configurations While Using the CLI
Saving Configurations While Using the CLI
The switch operates with two configuration files:
■Running-Config File: Exists in volatile memory and controls switch operation. Rebooting
the switch erases the current running-config file and replaces it with an exact copy of the
current startup-config file. To save a configuration change, you must save the running
configuration to the startup-config file.
■Startup-Config File: Exists in flash (non-volatile) memory and preserves the most recently-
saved configuration as the “permanent” configuration. When the switch reboots for any
reason, an exact copy of the current startup-config file becomes the new running-config file
in volatile memory.
When you use the CLI to make a configuration change, the switch places the change in the runningconfig file. If you want to preserve the change across reboots, you must save the change to the startupconfig file. Otherwise, the next time the switch reboots, the change will be lost. There are two ways
to save configuration changes while using the CLI:
■Execute write memory from the Manager, Global, or Context configuration level.
■When exiting from the CLI to the Main Menu, press [Y] (for Yes) when you see the “Do you
want to save current configuration [y/n]?” prompt.
5
ProCurve Switch, Routing Switch, and Router Software Keys
Downloading Software to the Switch
ProCurve Switch, Routing Switch, and Router Software Keys
Software
Letter
CYSwitch 8100fl Series (8108fl and 8116fl)
ProCurve Networking Products
C1600M, 2400M, 2424M, 4000M, and 8000M
ESwitch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl)
FSwitch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324
GSwitch 4100gl Series (4104gl, 4108gl, and 4148gl)
HSwitch 2600 Series, Switch 2600-PWR Series: H.07.81 and earlier, or H.08.55 and greater,
Switch 2600-8-PWR requires H.08.80 or greater.
Switch 6108: H.07.xx and earlier
ISwitch 2800 Series (2824 and 2848)
JSecure Router 7000dl Series (7102dl and 7203dl)
KSwitch 3500yl Series (3500yl-24G-PWR and 3500yl-48G-PWR), Switch 6200yl-24G, and
5400zl Series (5406zl, 5406zl-48G, 5412zl, and 5412zl-96G) and Switch 8212zl.
LSwitch 4200vl Series (4204vl, 4208vl, 4202vl-72, and 4202vl-48G)
MSwitch 3400cl Series (3400-24G and 3400-48G): M.08.51 though M.08.97, or M.10.01 and greater;
Series 6400cl (6400cl-6XG CX4, and 6410cl-6XG X2 ): M.08.51 though M.08.95, or M.08.99 to M.08.100 and
greater.
RSwitch 2610 Series (2610-24, 2610-24/12PWR, 2610-24-PWR, 2610-48 and 2610-48-PWR)
TSwitch 2900 Series (2900-24G, and 2900-48G)
USwitch 2510-48
VA/VBSwitch 1700 Series (Switch 1700-8 - VA and 1700-24 - VB)
WAProCurve Access Point 530
WSProCurve Wireless Edge Services xl Module and the ProCurve Redundant Wireless Services xl Module
WTProCurve Wireless Edge Services zl Module and the ProCurve Redundant Wireless Services zl Module
YSwitch 2510G Series (2510G-24 and 2510G-48)
numericSwitch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 6308M-SX
(Uses software version number only; no alphabetic prefix. For example 07.6.04.)
6
Downloading Software to the Switch
OS/Web/Java Compatibility Table
OS/Web/Java Compatibility Table
The switch web agent supports the following combinations of OS browsers and Java Virtual
Machines:
Operating SystemInternet ExplorerJava
Windows NT 4.0 SP6a5.00, 5.01
5.01, SP1
6.0, SP1
Windows 2000 Pro SP45.05, SP2
6.0, SP1
Windows XP Pro SP26.0, SP2
Windows Server SE 2003
SP2
Windows Vista
and 7.0
Sun Java 2 Runtime Environment:
– Version 1.3.1.12
– Version 1.4.2.05
Sun Java 2 Runtime Environment:
– Version 1.5.0_11, Version 1.6.0
Minimum Software Versions
For ProCurve Series 2610 Switches and Hardware Features
ProCurve DeviceProduct NumberMinimum Supported
ProCurve 100-BX-D SFP-LC TransceiverJ9099BR.11.22
ProCurve 100-BX-U SFP-LC TransceiverJ9100BR.11.22
ProCurve 1000-BX-D SFP-LC Mini-GBICJ9142BR.11.22
ProCurve 1000-BX-U SFP-LC Mini-GBICJ9143BR.11.22
Software Version
7
Switch Management Access Security
Enforcing Switch Security
Enforcing Switch Security
ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in
your network. However, when preparing the switch for network operation, ProCurve strongly
recommends that you enforce a security policy to help ensure that the ease in getting started is not
used by unauthorized persons as an opportunity for access and possible malicious actions. Since
security incidents can originate with sources inside as well as outside of an organization, your switch
and network access security provisions must protect against internal and external threats while
preserving the necessary network access for authorized clients and uses.
This section provides an overview of switch management and network access security features and
applications. However, the features and applications supported by your switch depend on your particular switch model. For information on specific features supported, refer to the software
manuals provided for your switch model.
Caution:
In its default configuration, the switch is open to unauthorized access of various types. ProCurve
recommends that you review this section to help ensure that you recognize the potential for
unauthorized switch and network access and are aware of the features available to help prevent such
access.
Switch Management Access Security
This section outlines provisions for protecting access to the switch’s status information configuration
settings. For more detailed information on these features, refer to the indicated manuals.
Default Settings Affecting Security
In the default configuration, switch management access is available through the following methods:
■Telnet
■Web-browser interface (including the ability to launch Telnet access)
■SNMP access
■Front-Panel access (serial port access to the console, plus resets and clearing the
password(s) or current configuration)
8
Enforcing Switch Security
Switch Management Access Security
It is important to evaluate the level of management access vulnerability existing in your network and
take steps to ensure that all reasonable security precautions are in place. This includes both
configurable security options and physical access to the switch hardware.
Local Manager Password
In the default configuration, there is no password protection. Configuring a local Manager password
is a fundamental step in reducing the possibility of unauthorized access through the switch’s web
browser and console (CLI and Menu) interfaces. The Manager password can easily be set using the
CLI password manager command, the Menu interface Console Passwords option, or the password
options under the Security tab in the web browser interface.
Inbound Telnet Access and Web Browser Access
The default remote management protocols enabled on the switch, such as Telnet or HTTP, are plain
text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the
chances of unauthorized users capturing your passwords, secure and encrypted protocols such as
SSH and SSL must be used for remote access. This enables you to employ increased access security
while still retaining remote client access.
■SSHv2 provides Telnet-like connections through encrypted and authenticated transactions
■SSLv3/TLSv1 provides remote web browser access to the switch via encrypted paths
between the switch and management station clients capable of SSL/TLS operation.
Also, access security on the switch is incomplete without disabling Telnet and the standard web
browser access.Among the methods for blocking unauthorized access attempts using Telnet or the
Web browser are the following two commands:
■no telnet-server: This CLI command blocks inbound Telnet access.
■no web-management: This CLI command prevents use of the web browser interface through
http (port 80) server access.
If you choose not to disable Telnet and web browser access, you may want to consider using RADIUS
accounting to maintain a record of password-protected access to the switch.
Secure File Transfers
Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive
information such as configuration files and log information between the switch and other devices.
9
Switch Management Access Security
Enforcing Switch Security
SNMP Access(Simple Network Management Protocol)
In the default configuration, the switch is open to access by management stations running SNMP
management applications capable of viewing or changing usernames, passwords, configuration, and
status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to
the switch and preventing unauthorized SNMP access should be a key element of your network
security strategy.
General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including
SNMP community and trap configuration. The default configuration supports versions 1 and 2c
compatibility, which uses plain text and does not provide security options. ProCurve recommends
that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure
restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected
operation). SNMPv3 security options include:
•configuring device communities as a means for excluding management access by
unauthorized stations
•configuring for access authentication and privacy
•reporting events to the switch CLI and to SNMP trap receivers
•restricting non-SNMPv3 agents to either read-only access or no access
•co-existing with SNMPv1 and v2c if necessary
SNMP Access to the Switch’s Local Username and Password Authentication MIB Objects.
A management station running an SNMP networked device management application such as
ProCurve Manager Plus (PCM+) or HP OpenView can access the switch’s management information
base (MIB) for write access to the switch’s local username and password configuration. In earlier
software versions, SNMP access to the switch’s local authentication configuration (hpSwitchAuth)
MIB objects was not allowed. However, beginning with software release R.11.04, the switch’s default
configuration allows SNMP access to the local username and password MIB objects in hpSwitchAuth.
If SNMP access to these MIB objects is considered a security risk in your network, then you should
implement the following security precautions when downloading and booting from software release
R.11.04 or greater:
1.If SNMP write access to the switch’s local username and password authentication configuration
(hpSwitchAuth) MIB (described above is not desirable for your network, then immediately after
downloading and booting from the R.11.04 or greater software for the first time, use the
following CLI command to disable this feature:
snmp-server mib hpswitchauthmib excluded
10
Enforcing Switch Security
Switch Management Access Security
Note on SNMP Access to Local Authentication MIB Objects
Downloading and booting R.11.04 or later software versions for the first time enables SNMP access
to the switch’s local authentication configuration MIB objects (the default action). If SNMPv3 and
other security safeguards are not in place, the local username and password MIB objects are exposed
to unprotected SNMP access and you should use the preceding command to disable this access.
2.If you choose to leave the local authentication configuration MIB objects accessible, then you
should do the following to help ensure that unauthorized workstations cannot use SNMP tools
to change the settings:
•Configure SNMP version 3 management and access security on the switch.
•Disable SNMP version 2c on the switch.
Front-Panel Access and Physical Security
Physical access to the switch allows the following:
■use of the console serial port (CLI and Menu interface) for viewing and changing the current
configuration and for reading status, statistics, and log messages.
■use of the switch’s Clear and Reset buttons for these actions:
•clearing (removing) local password protection
•rebooting the switch
•restoring the switch to the factory default configuration (and erasing any non-default
configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized
physical access. As additional precautions, you can do the following:
■Disable or re-enable the password-clearing function of the Clear button.
■Configure the Clear button to reboot the switch after clearing any local usernames and
passwords.
■Modify the operation of the Reset+Clear button combination so that the switch reboots, but
does not restore the switch’s factory default settings.
■Disable or re-enable password recovery.
11
Enforcing Switch Security
Network Security Features
Other Provisions for Management Access Security
Authorized IP Managers. This feature uses IP addresses and masks to determine whether to allow
management access to the switch through the network, and covers access through the following:
■Telnet and other terminal emulation applications
■The switch’s Web browser interface
■SNMP (with a correct community name)
Secure Management VLAN. This feature creates an isolated network for managing the ProCurve
switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface,
and web browser interface access is restricted to ports configured as members of the VLAN.
Network Security Features
This section outlines provisions for protecting access through the switch to the network. For more
detailed information on these features, refer to the indicated manuals.
Web and MAC Authentication
These options are designed for application on the edge of a network to provide port-based security
measures for protecting private networks and the switch itself from unauthorized access. Because
neither method requires clients to run any special supplicant software, both are suitable for legacy
systems and temporary access situations where introducing supplicant software is not an attractive
option. Both methods rely on using a RADIUS server for authentication. This simplifies access
security management by allowing you to control access from a master database in a single server. It
also means the same credentials can be used for authentication, regardless of which switch or switch
port is the current access point into the LAN. Web authentication uses a web page login to
authenticate users for access to the network. MAC authentication grants access to a secure network
by authenticating device MAC address for access to the network.
Secure Shell (SSH)
SSH provides Telnet-like functions through encrypted, authenticated transactions of the following
types:
■client public-key authentication: uses one or more public keys (from clients) that must
be stored on the switch. Only a client with a private key that matches a stored public key
can gain access to the switch.
12
Enforcing Switch Security
Network Security Features
■switch SSH and user password authentication: this option is a subset of the client public-
key authentication, and is used if the switch has SSH enabled without a login access
configured to authenticate the client’s key. In this case, the switch authenticates itself to
clients, and users on SSH clients then authenticate themselves to the switch by providing
passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
■secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session,
you can take advantage of SC and SFTP to provide a secure alternative to TFTP for
transferring sensitive switch information.
Secure Socket Layer (SSLv3/TLSv1)
This feature includes use of Transport Layer Security (TLSv1) to provide remote web access to the
switch via authenticated transactions and encrypted paths between the switch and management
station clients capable of SSL/TLS operation. The authenticated type includes server certificate
authentication with user password authentication.
13
General Switch Traffic Security Guideline
Clarifications
Clarifications
General Switch Traffic Security Guideline
Where the switch is running multiple security options, it implements network traffic security based
on the OSI (Open Systems Interconnection model) precedence of the individual options, from the
lowest to the highest. The following list shows the order in which the switch implements configured
security features on traffic moving through a given port.
1.Disabled/Enabled physical port
2.MAC lockout (Applies to all ports on the switch.)
3.MAC Lockdown
4.Port security
5.Authorized IP Managers
6.Application features at higher levels in the OSI model, such as SSH.
(The above list does not address the mutually exclusive relationship that exists among some security
features.)
The Management VLAN IP Address
The optional Management VLAN, if used, must be configured with a manual IP address. It does not
operate with DHCP/Bootp configured for the IP address.
Management and Configuration Guide
■The manual for the Switch 2610 Series contains an error. The Management and Configura-
tion Guide, dated December 2007, page 13-25, states:
For switches covered in this guide, sFlow can be configured via the CLI for up to three
distinct sFlow instances. Once enabled, an sFlow receiver/destination can be independently configured for full flow-sampling and counter-polling. CLI-configured sFlow
instances may be saved to the startup configuration to persist across a switch reboot.
The 2610 only supports a single sFlow collector and can only be configured via SNMP. By design,
when sFlow is configured via SNMP, the sFlow-MIB OIDs that have been set do not survive a
reboot.
14
Clarifications
Access Security Guide
■The Management and Configuration Guide, dated December 2007, in pages 10-25, 10-26,
and 10-27 incorrectly indicates that the QoS Passthrough Mode is disabled by default. The
factory default for QoS Passthrough Mode is enabled.
■The Management and Configuration Guide, dated November 2008, beginning on page B-
20, describes the loop protection features.
In cases where spanning tree cannot be used to prevent loops at the edge of the network, loop
protection may provide a suitable alternative. Unlike spanning tree, however, loop protection is
not a comprehensive loop detection feature and should only be enabled on untagged edge ports,
that is, ports that connect to unmanaged switches and/or clients at the edge of the network.
Access Security Guide
■The Access Security Guide, dated December 2007, contains incorrect references to the
password port-access command. References are made to the password port-access command
on pages 11-4, 11-14, 11-15, 11-16, and 11-24. The password port-access command is NOT
supported on the HP Procurve Switch 2610 for configuring 802.1X authentication credentials.
The local operator password configured with the password command for management access to
the switch continues to be accepted as an 802.1X autheticator credential.
Installation and Getting Started Guide
■The Installation and Getting Started Guide, dated November 2008, on pages 2-3 and 2-4,
describes the new 2610 rail kit, part number 508783-B21. Only the following ProCurve
switches can be mounted with the new rail kit.
•ProCurve Switch 2610-24 (J9085A)
•ProCurve Switch 2610-48 (J9088A)
•ProCurve Switch 2610-24/12PWR (J9086A)
Do not install the switch in an environment where the operating ambient temperature might
exceed 50°C (122°F). This includes a fully-enclosed rack. Ensure the air flow around the sides
and back of the switch is not restricted. Leave at least 7.6 cm (3 inches) for cooling.
15
Known Issues
Release R.11.12
Known Issues
Release R.11.12
The following problems are known issues in release R.11.12.
SSH (PR_0000003592) — Repeatedly performing crypto key generation tasks, and then connecting
to the switch via SSH and executing a show ip ssh command may trigger a switch crash with a message
similar to the following.
SSH (PR_0000004562)— If an SSH client disconnects and reconnects SSH sessions in rapid
succession, this may trigger a switch crash that produces a message like the following.
Workaround: Increase to at least a five-second interval between connections.
Release R.11.22
The following problem is a known issues in release R.11.21. (Never released.)
■Crash (PR_0000003648) — When either source-port filtering or source-port named-
filtering is configured on a trunk port, and that trunk port becomes established within the
trunk, the switch crashes with a message similar to the following.
SubSystem 0 went down: 01/01/90 09:04:37Software exception at
bcmHwFilters.c:403 -- in 'mAdMgrCtrl', task ID= 0x85e26c0
16
Loading...
+ 47 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.