Release Notes:
Version K.13.49 Software
for the ProCurve Series 3500yl, 6200yl, 5400zl, and 8212zl Switches
These release notes include information on the following:
■ Downloading switch software and documentation from the Web (page 2)
■ Best practices for major software updates, including contingency procedures for rolling back
to previous software versions and configurations. Please read before updating software
versions from K.12.xx to K.13.xx (page 7).
■ Notes for ROM updates required for all yl and zl switches running K.13.45 or earlier (page 17)
■ Clarifications for certain software features (page 20)
■ A listing of software enhancements in recent releases (page 26)
■ A listing of software fixes included in releases K.11.11 through K.13.49 (page 145)
■ Support Notes and Known Issues in releases K.11.11 through K.13.49 (page 17)—includes
"Security notes about SNMP access to the hpSwitchAuth MIB objects" and other topics.
Support Notices:
WARNING. Updating to Version K.13.xx: . It is important that you update to K.13.xx from a
configuration that has not been previously converted from a pre-K.13.xx format (e.g. a K.11.xx or
K.12.xx configuration). If you have previously updated to K.13.xx and rolled back to K.12.xx to
workaround an issue, you should load a saved K.12.xx configuration to the switch and boot to it prior
to updating to K.13 again.
Performing major software updates: Before updating your software version from K.12.xx to
K.13.xx, read the recommended best practices for performing major software updates (page 7).
Restriction in number of ACL mirror destinations: The K.13.01 software introduced a new
restriction to a single ACL mirror destination. For more information, see "Restriction in number of
ACL mirror destinations (page 24) .
PIM-SM: PIM-SM users should make sure ProCurve switches that run K software should all be on
the either pre-K.13.21 or post-K.13.21 versions of software due to a bug fix in K.13.21 that changes
the way a rendezvous point is chosen.
© Copyright 2006-2008 Hewlett-Packard Development
Company, LP. The information contained herein is subject
to change without notice.
Publication Number
5991-4720
January 2009
Applicable Products
ProCurve Switch 3500yl-24G-PWR Intelligent Edge (J8692A)
ProCurve Switch 3500yl-48G-PWR Intelligent Edge (J8693A)
ProCurve Switch 6200yl-24G-mGBIC (J8992A)
ProCurve Switch 5406zl (J8697A)
ProCurve Switch 5412zl (J8698A)
ProCurve Switch 5406zl-48G (J8699A)
P r o C u r v e S w i t c h 5 4 1 2 z l - 9 6 G ( J 8 7 0 0 A )
P r o C u r v e S w i t c h 8 2 1 2 z l ( J 8 7 1 5 A )
Trademark Credits
Microsoft®, Windows®, and Windows NT® are US
registered trademarks of Microsoft Corporation.
Adobe® and Acrobat® are trademarks of Adobe Systems
Incorporated. Java™ is a US trademark of Sun
Microsystems, Inc.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
The only warranties for HP products and services are set
forth in the express warranty statements accompanying
such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions
contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Software Credits
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by
the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit
www.openssh.com
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by
the OpenSSL Project for use in the OpenSSL Toolkit. For
more information on OpenSSL, visit
www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com). This product includes
software written by Tim Hudson (tjh@cryptsoft.com)
.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
www.procurve.com
Contents
Software Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Premium License Switch Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Download Switch Documentation and Software from the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
View or Download the Software Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Downloading Software to the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
TFTP Download from a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Xmodem Download From a PC or Unix Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Using USB to Download Switch Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Saving Configurations While Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Best Practices for Major Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Updating the Switch: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Updating the Switch: Detailed Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Rolling Back Switch Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Viewing or Transferring Alternate Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
ProCurve Switch, Routing Switch, and Router Software Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
OS/Web/Java Compatibility Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Minimum Software Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Support Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
ROM Update Required! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Using SNMP To View and Configure Switch Authentication Features . . . . . . . . . . . . . . . . . . . . 17
Support for the Wireless Edge Services zl Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
CAUTION: Updating to Version K.13.xx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Clarifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Release K.13.02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Release K.13.01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
i
Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Release K.11.12 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Release K.11.13 through K.11.32 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Release K.11.33 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Release K.11.34 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Release K.11.35 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Release K.11.36 through K.11.39 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Release K.11.40 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Release K.11.41 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Release K.11.42 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Release K.11.43 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Release K.11.44 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Release K.11.45 Through K.11.47 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Release K.11.48 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Release K.11.49 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Release K.11.60 through K.11.63 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Release K.11.64 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Release K.11.68 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Release K.11.69 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Release K.12.01 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Release K.12.02 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Release K.12.03 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Release K.12.04 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring MSTP Port Connectivity Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Release K.12.05 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
How RADIUS-Based Authentication Affects VLAN Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Release K.12.06 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Saving Security Credentials in a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Release K.12.07 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Release K.12.08 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring a System Contact and Location for the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Release K.12.09 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
ii
Release K.12.10 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Show VLAN ports CLI Command Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Release K.12.11 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Release K.12.12 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Release K.12.13 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Release K.12.14 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Release K.12.15 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Send SNMP v2c Informs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Release K.12.16 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Release K.12.17 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Release K.12.18 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Release K.12.19 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Release K.12.20 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Release K.12.21 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Release K.12.22 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Release K.12.23 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Release K.12.24 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Release K.12.26 through K.12.29 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Release K.12.30 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Release K.12.31 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Release K.12.32 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Release K.12.33 through K.12.40 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Release K.12.41 through K.12.42 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Release K.12.43 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Release K.12.44 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Release K.12.45 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Release K.12.46 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Release K.12.47 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Release K.12.48 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Release K.12.49 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Release K.12.50 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
iii
Release K.12.51 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Release K.12.52 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Release K.12.53 through K.12.55 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Release K.12.56 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Release K.12.57 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Release K.13.01 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Release K.13.02 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
VRRP Pre-Emptive Delay Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Release K.13.03 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
New CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Release K.13.04 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Clear Module Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
VRRP—Dynamic Priority Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
DHCP Option 66 Automatic Configuration Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
BOOTP/DHCP Relay Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Inbound Rate-Limiting for Broadcast and Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
DNS Capabilities for Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Show Module Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
VRRP Option with Debug Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Copy Command with Show Tech Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Release K.13.05 through K.13.15 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Release K.13.16 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Console/Telnet Inactivity Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Management Access Security Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Show Interfaces Custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Mirror Port VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
SSH Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Release K.13.17 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Release K.13.18 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Release K.13.19 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Using a Command Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Configure Logging via SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Customizing Web Authentication HTML Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
iv
Enabling Customized Web Authentication Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Release K.13.20 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Release K.13.21 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Release K.13.22 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Release K.13.23 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Release K.13.24 through K.13.25 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Release K.13.26 through K.13.39 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Release K.13.40 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
LACP and Link Traps Global Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Clear Statistics Without Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Increase MAC Lockout to 64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configure Logging via SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Release K.13.41 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Release K.13.42 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Release K.13.43 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Release K.13.44 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Release K.13.45 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Release K.13.46 through K.13.48 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Release K.13.49 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Software Fixes in Release K.11.12 - K.13.49 . . . . . . . . . . . . . . . . . . . . . . .145
Release K.11.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Release K.11.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Release K.11.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Release K.11.15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Release K.11.16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Release K.11.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Release K.11.32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Release K.11.33 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
v
Release K.11.34 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Release K.11.35 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Release K.11.36 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Release K.11.37 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Release K.11.38 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Release K.11.39 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Release K.11.40 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Release K.11.41 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Release K.11.43 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Release K.11.44 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Release K.11.46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Release K.11.47 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Release K.11.48 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Release K.11.49 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Release K.11.61 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Release K.11.62 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Release K.11.63 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Release K.11.64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Release K.11.65 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Release K.11.66 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Release K.11.67 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Release K.11.68 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Release K.11.69 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Release K.12.01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Release K.12.02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Release K.12.03 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Release K.12.04 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Release K.12.05 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Release K.12.06 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Release K.12.07 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Release K.12.08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
vi
Release K.12.09 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Release K.12.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Release K.12.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Release K.12.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Release K.12.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Release K.12.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Release K.12.15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Release K.12.16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Release K.12.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Release K.12.18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Release K.12.19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Release K.12.20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Release K.12.21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Release K.12.22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Release K.12.23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Release K.12.24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Release K.12.25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Release K.12.26 through K.12.29 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Release K.12.30 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Release K.12.31 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Release K.12.32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Release K.12.33 through K.12.40 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Release K.12.41 through K.12.42 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Release K.12.43 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Release K.12.44 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Release K.12.45 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Release K.12.46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Release K.12.47 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Release K.12.48 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Release K.12.49 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Release K.12.50 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
vii
Release K.12.51 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Release K.12.52 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Release K.12.53 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Release K.12.54 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Release K.12.55 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Release K.12.56 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Release K.12.57 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Release K.13.02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Release K.13.03 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Release K.13.04 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Release K.13.05 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Release K.13.06 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Release K.13.07 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Release K.13.08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Release K.13.09 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Release K.13.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Release K.13.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Release K.13.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Release K.13.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Release K.13.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Release K.13.15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Release K.13.16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Release K.13.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Release K.13.18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Release K.13.19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Release K.13.20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Release K.13.21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Release K.13.22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Release K.13.23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Release K.13.24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Release K.13.25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
viii
Release K.13.26 through K.13.39 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Release K.13.40 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Release K.13.41 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Release K.13.42 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Release K.13.43 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Release K.13.44 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Release K.13.45 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Release K.13.46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Release K.13.47 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Release K.13.48 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Release K.13.49 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
ix
Software Management
Premium License Switch Software Features
Software Management
Premium License Switch Software Features
The ProCurve 3500yl and 5400zl switches ship with the ProCurve Intelligent Edge software feature
set. The additional Premium License switch software features for the 3500yl and 5400zl switches can
be acquired by purchasing the optional Premium License and installing it on the Intelligent Edge
version of these switches. As of February 2008, the Premium License features include the following:
• OSPF
• PIM Dense mode
• PIM Sparse mode
• VRRP
•QinQ
Part numbers for the Premium Licenses are:
• 3500yl switches: J8993A
• 5400zl switches: J8994A
All software features are automatically included on the ProCurve 6200yl and 8212zl switches without
the need for a Premium License.
To purchase a Premium License for the 3500yl or 5400zl switches, go to the following Web page and
click on How To Buy.
www.hp.com/rnd/accessories/J8994A/accessory.htm
To view or download a listing of Intelligent Edge and Premium License features, refer to the Software
Features Index available for download on the product documentation page for your switch model.
Note:
Switch software Version K.11.33 software or newer is required for proper functioning of Intelligent
Edge features on ProCurve Switch 3500yl series, and ProCurve Switch 5400zl series
Software Updates
Check the ProCurve Networking Web site frequently for free software updates for the various
ProCurve switches you may have in your network.
1
Download Switch Documentation and Software from the Web
Software Management
Download Switch Documentation and Software from the Web
You can download software updates and the corresponding product documentation from the
ProCurve Networking Web site as described below.
View or Download the Software Manual Set
Go to: www.procurve.com/manuals
You may want to bookmark this Web page for easy access in the future.
You can also register on the My ProCurve portal to receive a set of ProCurve switch manuals on
CD-ROM. To register and request a CD, go to www.procurve.com and click on My ProCurve Sign In.
After registering and entering the portal, click on My Manuals.
Downloading Software to the Switch
ProCurve Networking periodically provides switch software updates through the ProCurve
Networking Web site (www.procurve.com). After you acquire the new software file, you can use one
of the following methods for downloading it to the switch:
■ For a TFTP transfer from a server, do either of the following:
• Select Download OS in the Main Menu of the switch’s menu interface and use the (default)
TFTP option.
•Use the copy tftp command in the switch’s CLI (see below).
■ For an Xmodem transfer from a PC or Unix workstation, do either of the following:
• Select Download OS in the Main Menu of the switch’s menu interface and select the
Xmodem option.
•Use the copy xmodem command in the switch’s CLI (page 3).
■ Use the USB port to download a software file from a USB flash drive (page 5).
■ Use the download utility in ProCurve Manager Plus.
Note
Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes
or to be used in another switch of the same model.
This section describes how to use the CLI to download software to the switch. You can also use the
menu interface for software downloads. For more information, refer to the Management and
Configuration Guide for your switch.
2
Software Management
Download Switch Documentation and Software from the Web
TFTP Download from a Server
Syntax:copy tftp flash <ip-address> <remote-os-file> [ < primary | secondary > ]
Note that if you do not specify the flash destination, the TFTP download defaults to the primary flash.
For example, to download a software file named K_11_1x.swi from a TFTP server with the IP address
of 10.28.227.103:
1. Execute the copy command as shown below:
ProCurve # copy tftp flash 10.28.227.103 K_11_1x.swi
The primary OS image will be deleted. continue [y/n]? Y
03125K
2. When the switch finishes downloading the software file from the server, it displays the progress
message
Validating and Writing System Software to FLASH...
3. When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded
software:
a. Use the show flash command to verify that the new software version is in the expected flash
area (primary or secondary)
b. Reboot the switch from the flash area that holds the new software (primary or secondary),
using the following command:
Syntax: boot system flash [ < primary | secondary > ]
After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting
last configured in the menu’s Switch Setup screen.
4. Verify the software version by displaying the system information for the switch (for example,
through the show system-information command), and viewing the Software revision field.
Xmodem Download From a PC or Unix Workstation
This procedure assumes that:
■ The switch is connected via the Console RS-232 port to a PC operating as a terminal. (Refer
to the Installation and Getting Started Guide you received with the switch for information
on connecting a PC as a terminal and running the switch console interface.)
■ The switch software is stored on a disk drive in the PC.
■ The terminal emulator you are using includes the Xmodem binary transfer feature. (For
example, in the HyperTerminal application included with Windows NT, you would use the
Send File option in the Transfer drop-down menu.)
Using Xmodem and a terminal emulator, you can download a switch software file to either primary
or secondary flash using the CLI.
3
Download Switch Documentation and Software from the Web
Software Management
Syntax: copy xmodem flash [< primary | secondary >]
1. To reduce the download time, you may want to increase the baud rate in your terminal emulator
and in the switch to a value such as 115200 bits per second. (The baud rate must be the same
in both devices.) For example, to change the baud rate in the switch to 115200, execute this
command:
ProCurve(config)# console baud-rate 115200
(If you use this option, be sure to set your terminal emulator to the same baud rate.)
Changing the console baud-rate requires saving to the Startup Config with the “write memory”
command. Alternatively, you can logout of the switch and change your terminal emulator speed
and allow the switch to AutoDetect your new higher baud rate (i.e. 115200 bps)
2. Execute the following command in the CLI:
ProCurve # copy xmodem flash primary
The primary OS image will be deleted. continue [y/n]? Y
Press ‘Enter’ and start XMODEM on your host...
3. Execute the terminal emulator commands to begin the Xmodem transfer. For example, using
HyperTerminal:
a. Click on Transfer, then Send File.
b. Type the file path and name in the Filename field.
c. In the Protocol field, select Xmodem.
d. Click on the Send button.
The download can take several minutes, depending on the baud rate used in the transfer.
4. If you increased the baud rate on the switch (step 1), use the same command to return it to its
previous setting. (ProCurve recommends a baud rate of 9600 bits per second for most applications.) Remember to return your terminal emulator to the same baud rate as the switch.)
5. Use the show flash command to verify that the new software version is in the expected flash
area (primary or secondary)
6. Reboot the switch from the flash area that holds the new software (primary or secondary).
After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting
last configured in the menu’s Switch Setup screen.
4
Software Management
Download Switch Documentation and Software from the Web
Using USB to Download Switch Software
To use the USB port on the switch to download a software version from a USB flash drive:
■ The software version must be stored on the USB flash drive, and you must know the file
name (such as K_12_10.swi).
■ The USB flash drive must be properly installed in the USB port on the switch.
Note
Some USB flash drives may not be supported on your switch. For information on USB device
compatibility, refer to the HP ProCurve support Website:
http://www.hp.com/rnd/support/faqs/index.htm
Syntax: copy usb flash <filename> [ < primary | secondary > ]
For example, to download a software file named K_12_10.swi from a USB flash drive:
1. Execute the copy command as shown below:
ProCurve # copy usb flash K_12_10.swi secondary
The secondary OS image will be deleted. continue [y/n]? Y
03125K
.
2. When the switch finishes downloading the software file from the server, it displays the progress
message
Validating and Writing System Software to FLASH...
3. When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded
software:
a. Use the show flash command to verify that the new software version is in the expected flash
area (primary or secondary)
b. Reboot the switch from the flash area that holds the new software (primary or secondary),
using the following command:
Syntax: boot system flash [ < primary | secondary > ]
After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting
last configured in the menu’s Switch Setup screen.
4. Verify the software version by displaying the system information for the switch (for example,
through the show system-information command), and viewing the Software revision field.
5
Saving Configurations While Using the CLI
Software Management
Saving Configurations While Using the CLI
The switch operates with two configuration files:
■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting
the switch erases the current running-config file and replaces it with an exact copy of the
current startup-config file. To save a configuration change, you must save the running
configuration to the startup-config file.
■ Startup-Config File: Exists in flash (non-volatile) memory and preserves the most
recently-saved configuration as the “permanent” configuration. When the switch reboots for
any reason, an exact copy of the current startup-config file becomes the new running-config
file in volatile memory.
When you use the CLI to make a configuration change, the switch places the change in the
running-config file. If you want to preserve the change across reboots, you must save the change to
the startup-config file. Otherwise, the next time the switch reboots, the change will be lost. There are
two ways to save configuration changes while using the CLI:
■ Execute write memory from the Manager, Global, or Context configuration level.
■ When exiting from the CLI to the Main Menu, press [Y] (for Yes) when you see the “save
configuration” prompt:
Do you want to save current configuration [y/n]?
6
Software Management
Best Practices for Major Software Updates
Best Practices for Major Software Updates
Major software updates contain new features and enhancements, and are designated by an increment
to the major release version number. That is, K.12.xx represents a major update to software version(s)
K.11.xx, and K.13.xx represents a major update to K.12.xx, and so forth. To mitigate against potential
migration issues when performing such an update, this section documents best practices for updating
the switch, including contingency procedures for rolling back to previous software versions and
saved configurations.
Caution
Before you update the switch software to a major new version, ProCurve strongly recommends that
you save off a copy of your config file to an external location. ProCurve advises against rolling back
(going from a newer software version to an older software version) without copying on a backup
config file to the device.
Updating the Switch: Overview
To perform a major update to your switch software, follow the steps below (see page 8 for details):
1. Download the image to your TFTP server.
2. Save your current configuration (Config1) to a backup configuration file (Config2).
3. Save your current configuration to an external tftp server.
4. Backup your current running image (Primary) to the secondary image.
5. Set your secondary image to boot with Config2.
6. Download the new image to the switch’s primary image.
7. Verify that your images and configuration are set correctly.
8. Reload the switch.
After following these steps, you should end up with the following results:
■ Primary image will hold the new software image you want to install (for example, K.13.06)
■ Secondary image will hold the image you are currently running (for example, K.12.57)
■ Primary image will boot with config1 (config file corresponding to new software version—in
this example, K.13.06)
■ Secondary image will boot with config2* (config file corresponding to previous software
version—in this example, K.12.57)
* The current config file must be copied to config2, or you will be unable to revert if the need arises.
7
Best Practices for Major Software Updates
Software Management
Note:
You might opt to use a different methodology in which the new software will be installed as the
secondary and not the primary image, in which case you would use the commands boot system flash
secondary, and/or boot set-default flash secondary to change the location of the default boot. However,
since you will still need to take precautions to allow you to revert to your previous configuration,
ProCurve strongly recommends you follow the methods that are proposed in our update process.
This will ensure that you can use our proposed roll back procedures should the need arise.
Updating the Switch: Detailed Steps
The following detailed steps shows how to update the switch software from an existing version to a
major new release (in the example provided here, from version K.12.57 to version K.13.06).
1. Download the latest release software image to your TFTP server from the ProCurve Web site.:
http://www.hp.com/rnd/software/switches.htm
2. Save your current configuration (Config1) to backup configuration file (Config2).
a. Before copying the config, verify the current state of your system using the show version,
show flash, and show config files commands. For example:
Switch1# show version
Image stamp: /sw/code/build/btm(t2g)
Dec 7 2007 14:54:57
K.12.57
2415
Boot Image: Primary
Switch1# show flash
Image Size(Bytes) Date Version
----- ---------- -------- ------Primary Image : 6782942 12/07/07 K.12.57
Secondary Image : 6765066 08/24/07 K.12.43
Boot Rom Version: K.12.12
Default Boot : Primary
Switch1# show config files
Configuration files:
id | act pri sec | name
---+-------------+--------------------------------------------- 1 | * * * | config1
2 | |
3 | |
8
Software Management
Best Practices for Major Software Updates
b. Create a backup configuration file and verify the change.
Switch1# copy config config1 config config2
Switch1# show config files
Configuration files:
id | act pri sec | name
---+-------------+--------------------------------------------- 1 | * * * | config1
2 | | config2
3 | |
3. Save the current config to a tftp server using the copy tftp command. For example:
Switch1# copy startup-config tftp 10.1.1.60 Switch1_config_K_12_57.cfg
Note
This step is necessary because ProCurve does not support roll back (going from a newer software
version to an older software version) without the ability to copy a backup config file onto the device.
4. Backup your current running image (primary) to the secondary image.
Switch1# copy flash flash secondary
Switch1# show flash
Image Size(Bytes) Date Version
----- ---------- -------- ------Primary Image : 6782942 12/07/07 K.12.57
Secondary Image : 6782942 12/07/07 K.12.57
Boot Rom Version: K.12.12
Default Boot : Primary
5. Set your secondary image to boot with Config2.
Switch1# startup-default secondary config config2
Switch1# show config files
Configuration files:
id | act pri sec | name
---+-------------+----------------------------------------------- 1 | * * | config1
2 | * | config2
3 | |
9
Best Practices for Major Software Updates
Software Management
Note
This step will enable you to revert from K_13_05 to your previous image with your previous
configuration just by invoking the command boot system flash secondary.
6. Download the new primary image.
Switch1# copy tftp flash 192.168.1.60 K_13_06.swi primary
The Primary OS Image will be deleted, continue [y/n]?
At the prompt, answer y, for yes, and the new image will be downloaded and written to the File
system. Once tftp download has been completed you will see the following message:
Validating and Writing System Software to the Filesystem ...
7. Verify that your images and configuration are set correctly. For example, if you updated from
K.12.57 to K.13.06, you should see the following outputs from the switch show commands:
Switch1# show version
Image stamp: /sw/code/build/btm(t2g)
Mar 14 2008 09:59:53
K.12.57
2415
Boot Image: Primary
Switch1# show flash
Image Size(Bytes) Date Version
----- ---------- -------- ------Primary Image : 7350018 03/14/08 K.13.06
Secondary Image : 6782942 12/07/07 K.12.57
Boot Rom Version: K.12.12
Default Boot : Primary
Switch1# show config files
Configuration files:
id | act pri sec | name
---+-------------+----------------------------------------------- 1 | * * | config1
2 | * | config2
3 | |
10
Software Management
Best Practices for Major Software Updates
8. Reload the new switch image.
Switch1# reload
System will be rebooted from primary image. Do you want to continue [y/n]? y
At the prompt, answer y, for yes, and the switch will boot with the new image.
Note:
As an additional step, ProCurve advises saving the startup-config to a tftp server using the copy tftp
command. For example:
Switch1# copy startup-config tftp 10.1.1.60 Switch1_config_K_13_06.cfg
Rolling Back Switch Software
If you have followed the update procedures documented in the previous section, you should be able
to revert to your previous configuration and software version using the steps below.
To roll back your switch from K.13.06 to K.12.57, for example, follow the steps below:
1. Verify that your images and configuration are set correctly using the show version, show flash,
and show config files commands.
11
Switch1# show version
Image stamp: /sw/code/build/btm(t2g)
Mar 14 2008 09:59:53
K.13.06
211
Boot Image: Primary
Switch1# show flash
Image Size(Bytes) Date Version
----- ---------- -------- ------Primary Image : 7350018 03/14/08 K.13.06
Secondary Image : 6782942 12/07/07 K.12.57
Boot Rom Version: K.12.12
Default Boot : Primary
Switch1# show config files
Configuration files:
id | act pri sec | name
---+-------------+------------------------------------------------
Best Practices for Major Software Updates
1 | * * | config1
2 | * | config2
3 | |
Software Management
2. Boot the switch using the secondary image (with config2).
Switch1# boot system flash secondary
System will be rebooted from secondary image. Do you want to continue [y/n]? y
Answer y, for yes, and the switch will boot from the secondary image (K.12.57, in this
example) with the corresponding configuration for that software version (Config2).
Viewing or Transferring Alternate Configuration Files
Viewing or copying an alternate configuration saved to the switch will always be accomplished
through the software currently running on the switch. This may result in a misleading portrayal of
the configuration. For example, if a configuration is created on K.12.57 and saved as config2, and if
it is then viewed or transferred while the switch is running K.13.06, it will appear as though K.13.06
has converted the configuration. However, the alternate configuration file, config2, will still be intact
on the switch and load properly when the switch is booted into the same software version from which
the configuration file originated.
When an enhancement introduces a feature that did not previously exist in the switch, it may present
several challenges to the user.
Backwards compatibility of the configuration created with a version of software that supports a new
feature or parameter is not guaranteed. Software versions that did not recognize or support a
particular command or parameter will not be able to interpret that line in the configuration. For this
reason, it is strongly recommended that network administrators always save their configuration
while still running the switch with the original software version, and with a notation indicating
the software version on which the configuration was saved. For example, a user might save a
configuration for a switch running K.12.57 to a TFTP server with an IP address of 10.10.10.15 as
follows:
ProCurve5406zl-onK1257# copy running-config tftp 10.10.10.15
5406onK1257
If, for example, the user deems it necessary to revert to the use of K.12.57, she can boot into it and
then restore the saved config from the TFTP server.
Viewing or copying an alternate configuration that is saved to the switch flash can be accomplished
only with the software that is currently running on the switch.
Here, for example, a configuration is created on K.12.57 and then saved to flash:
ProCurve5406zl-onK1257# copy config config2 config K1257config <cr>
12
Software Management
Best Practices for Major Software Updates
And later, the configuration that was created on K.12.57 is viewed while the switch is running K.13.06:
ProCurve5406zl-onK1306# show config K1257config <cr>
The command output will show how the K.12.57 config would be interpreted, if it were to be used
by the K.13.06 software. Copying the K1257config to a TFTP server would similarly trigger an
interpretation by the software performing the file transfer. Note, however, that this does not actually
change the configuration. If the version is rolled back from K.13.06 to K.12.57 with a command like
the following (given that K.12.57 is stored in secondary flash), the K.12.xx formatted config is still
intact and valid.
ProCurve5406zl# boot system flash secondary config K1257config
This “interpretation” during a TFTP or show command execution is inherent in the architecture of
the switch. When switch features change significantly (e.g. the move from IPv4 support to IPv6
support), there may be configuration parameters from the previous config that cannot be translated
by the switch for viewing while it is running the new software. This necessitates storing configurations for each version of software to an external location, if the user would like to view the stored
config prior to reloading it.
13
ProCurve Switch, Routing Switch, and Router Software Keys
Software Management
ProCurve Switch, Routing Switch, and Router Software Keys
Software
Letter
CY Switch 8100fl Series (8108fl and 8116fl)
ProCurve Networking Products
C 1600M, 2400M, 2424M, 4000M, and 8000M
E Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl)
F Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324
G Switch 4100gl Series (4104gl, 4108gl, and 4148gl)
H Switch 2600 Series, Switch 2600-PWR Series: H.07.81 and earlier, or H.08.55 and greater,
Switch 2600-8-PWR requires H.08.80 or greater.
Switch 6108: H.07.xx and earlier
I Switch 2800 Series (2824 and 2848)
J Secure Router 7000dl Series (7102dl and 7203dl)
K Switch 3500yl Series (3500yl-24G-PWR and 3500yl-48G-PWR), Switch 6200yl-24G, 5400zl Series (5406zl,
5406zl-48G, 5412zl, 5412zl-96G) and Switch 8212zl.
L Switch 4200vl Series (4204vl, 4208vl, 4202vl-72, and 4202vl-48G)
M Switch 3400cl Series (3400-24G and 3400-48G): M.08.51 though M.08.97, or M.10.01 and greater;
Series 6400cl (6400cl-6XG CX4, and 6410cl-6XG X2 ): M.08.51 though M.08.95, or M.08.99 to M.08.100 and
greater.
N Switch 2810 Series (2810-24G and 2810-48G)
PA/PB Switch 1800 Series (Switch 1800-8G – PA.xx; Switch 1800-24G – PB.xx)
Q Switch 2510 Series (2510-24)
R Switch 2610 Series (2610-24, 2610-24/12PWR, 2610-24-PWR, 2610-48 and 2610-48-PWR)
T Switch 2900 Series (2900-24G, and 2900-48G)
U Switch 2510-48
VA/VB Switch 1700 Series (Switch 1700-8 - VA and 1700-24 - VB)
WA ProCurve Access Point 530
WS ProCurve Wireless Edge Services xl Module and the ProCurve Redundant Wireless Services xl Module
WT ProCurve Wireless Edge Services zl Module and the ProCurve Redundant Wireless Services zl Module
Y Switch 2510G Series (2510G-24 and 2510G-48)
numeric Switch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 6308M-SX
(Uses software version number only; no alphabetic prefix. For example 07.6.04.)
14
Software Management
OS/Web/Java Compatibility Table
OS/Web/Java Compatibility Table
The switch Web agent supports the following combinations of OS browsers and Java Virtual
Machines:
Operating System Internet Explorer Java
Windows NT 4.0 SP6a 5.00, 5.01
5.01, SP1
6.0, SP1
Windows 2000 Pro SP4 5.05, SP2
Sun Java 2 Runtime Environment:
– Version 1.3.1.12
– Version 1.4.2.05
6.0, SP1
Windows XP Pro SP2 6.0, SP2
Windows Server SE 2003
and 7.0
Sun Java 2 Runtime Environment:
– Version 1.5.0_11, Version 1.6.0
SP2
Windows Vista
Minimum Software Versions
For ProCurve Series 3500yl, 6200yl, 5400zl, and 8212zl Switches and Hardware
Features
ProCurve Device Product Number Minimum Supported
Software Version
ProCurve 100-BX-D SFP-LC Transceiver J9099B K.13.45
ProCurve 100-BX-U SFP-LC Transceiver J9100B K.13.45
ProCurve 1000-BX-D SFP-LC Mini-GBIC J9142B K.13.45
ProCurve 1000-BX-U SFP-LC Mini-GBIC J9143B K.13.45
ProCurve 10-GbE X2-SC LRM Optic
ProCurve Wireless Edge Services zl Module and the
J9144A K.13.20
J9051A and J9052A K.12.43
ProCurve Redundant Wireless Services zl Module
Switch 8212zl Base System J8715A K.12.31
100-FX SFP-LC Transceiver J9054B K.12.01
Premium Features on Series 3500yl and 5400zl
J8993A and J8994A K.11.33
Switches
Switch 5400zl 24p Mini-GBIC Module J8706A K.11.33
15
Software Management
Minimum Software Versions
ProCurve Device Product Number Minimum Supported
Software Version
Switch 5400zl 4p 10-GbE CX4 Module J8708A K.11.33
Switch 6200yl-24G-mGBIC J8992A K.11.33
Switch 3500yl 2p 10GbE X2 + 2p CX4 Module J8694A K.11.17
16
Support Notes
Minimum Software Versions
Support Notes
ROM Update Required!
All yl and zl switches running K.12.45 system software or earlier, will have the BootROM updated by
this new version of system software. This software download will boot the switch twice, first to
update the BootROM to version K.12.14, and then to load the system software. Following file copy
to the switch flash and initiation of the reload, no additional user intervention is needed. Do not
interrupt power to the switch during this important update.
To confirm that the boot ROM and system software have updated successfully following a reload into
software version K.13.49 or newer, follow the process below at your switch CLI.
ProCurve_zl_yl_Switch# show flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 7497667 12/10/08 K.13.49 <--Indicates that system software is
updated
Secondary Image : 7497667 12/10/08 K.13.49
Boot Rom Version: K.12.14 <-- Indicates the boot ROM is updated
Default Boot : Primary
Using SNMP To View and Configure Switch Authentication Features
Beginning with software release K.12.01, manager read/write access is available for a subset of the
SNMP MIB objects for switch authentication (hpSwitchAuth) features. That is, in the default state,
a device with management access to the switch can view the configuration for several authentication
features, and using SNMP sets, can change elements of the authentication configuration.
Security Note
In the default configuration for SNMP MIB object access, SNMP sets can be used to reconfigure
password and key MIB objects. This means that a device operating as a management station with
access to the switch can be used to change the SNMP MIB settings. This can pose a security risk if
the feature is used to incorrectly configure authentication features or to reconfigure authentication
features to unauthorized settings.
If you want to block the SNMP MIB object access described above, use the following command to
disable the feature:
17
Minimum Software Versions
ProCurve(config)# snmp-server mib hpswitchauthmib excluded
For more information on the above topic, refer to "Using SNMP To View and Configure Switch
Authentication Features" in the "RADIUS Authentication and Accounting" chapter of the Access
Security Guide for your switch. For an overview of the security features available on the switch,
refer to chapter 1, "Security Overview", in the Access Security Guide for your switch.
Security:
Downloading and booting software release K.12.01 or greater for the first time automatically
enables SNMP access to the hpSwitchAuth MIB objects. If this is not desirable for your network,
ProCurve recommends that you disable it after downloading and rebooting with the latest switch
software.
ACL numbering restrictions:
The K.12.01 release enforces ACL numbering restrictions.
See the Note under Version K.12.01 Software Fixes on page 160 (PR_1000389442) for details.
OSPF virtual link:
OSPF virtual links configurations will be lost with the update to K.12.01.
Support Notes
See the Note under Version K.12.01 Software Fixes on page 161 (PR_1000374003) for details.
MSTP auto-edge-port support and default settings:
With version K.12.04 (page 33), automatic detection of edge ports is supported, along with revised
command options and default settings.
Resources (PR_1000388697):
When the switch is writing large files to flash (for example, a transfer of a very large configuration
or a software update), switch resources may be impacted during the write operation, causing
some potential loss of hello packets. This may impact VRRP, OSPF or spanning tree protocol. In
order to mitigate potentially undesirable affects, updates to the switch software should be made
during a scheduled downtime. Increasing the hello interval of time sensitive protocols may also
assist with mitigation of this issue.
Support for the Wireless Edge Services zl Module
The addition of support for the zl Wireless Edge Services Module will change the way in which radio
ports are treated by the zl and yl Series Switches. If the default setting of LLDP auto-provisioning is
left intact, LLDP information from the ProCurve Radio Ports (J9004A, J9005A, J9006A) will trigger
these devices to be placed into VLAN 2100 or the first available VLAN not already configured above
that (see the section entitled Using Auto-Provisioning to Establish a Radio Port VLAN in the
18
Support Notes
Minimum Software Versions
Management and Configuration Guide for ProCurve Wireless Edge Services zl Module here:
ftp://ftp.hp.com/pub/networking/software/WESM-zl-MgmtCfg-Aug2007-59918626.pdf
administrators who do not wish to have the radio ports moved to the auto-provisioned VLAN should
disable this feature with the command "no lldp auto-proision" at the CLI.
). Network
CAUTION: Updating to Version K.13.xx
It is important that you update to K.13.xx from a configuration that has not been previously converted
from a pre-K.13.xx format (e.g. a K.11.xx or K.12.xx configuration). If you have previously updated
to K.13.xx and rolled back to K.12.xx to workaround an issue, you should load a saved K.12.xx
configuration to the switch and boot to it prior to updating to K.13 again.
19
Minimum Software Versions
Clarifications
Clarifications
The following clarification or updates apply to documentation for the ProCurve Series 3500yl, 6200yl,
5400zl, and 8212zl Switches as of July 2008.
■ Maximum Number of VLANs Supported in Hardware for PIM-S — Page 4-5 in
the Multicast and Routing Guide dated January 2008 for switches running version K
software incorrectly states that up to 2048 flows are supported in hardware across a
maximum of 512 VLANs. Up to 2048 flows are supported across a maximum of 128 VLANs.
■ Maximum Number of Flows in the MRT — Page 4-41 in the Multicast and Routing Guide
dated January 2008 for switches running version K software incorrectly states that up to 1023
flows are supported. Up to 2048 flows are supported.
■ Enabling Jumbo Frames and Flow Control:
The Series 3500yl, 6200yl, 5400zl, and 8212zl switches support simultaneous use of Jumbo
Frames and Flow Control. (An earlier version of the Management and Configuration Guide
had incorrectly stated that these features could not be enabled at the same time.)
■ Clarification for the Number of IP addresses and maximum VLANs that can be
configured on the switch:
You can configure a maximum of 512 routed VLANs per switch. A VLAN can be configured with
up to 32 IP addresses. However, the maximum number of IP addresses that can be configured
on the switch is 2048, so it is not possible to configure up to the maximum number of routed
VLANs (512) with 32 IP addresses each. For example, if you wanted to use all available IP
addresses for the switch and utilize all 512 possible routed VLANS with as many assigned IP
addresses as possible, the configuration is calculated as follows:
512 routed VLANs x 4 IP addresses per VLAN = 2048 total IP addresses.
Refer to the Advanced Traffic Management Guide for further details.
■ TACACS+ Encryption Key Exclusion from TFTP Copies
When using the copy command to transfer a configuration to a TFTP server, any
server-specific or global encryption keys in the TACACS+ configuration will not be included
in the transferred file. Otherwise, a security breach could occur, allowing access to the
TACACS+ user name/password information.
■ RIP and OSPF Redistribution:
RIP operation supports static, connected, and OSPF route redistribution. OSPF operation
supports static, connected, and RIP route redistribution. (The earlier version of the Advanced
Traffic Management Guide omitted RIP and OSPF route redistribution.)
20
Clarifications
Minimum Software Versions
■ Maximum UDP Broadcast Forwarding Entries:
The number of UDP broadcast entries and IP helper addresses combined can be up to 16 per
VLAN, with an overall maximum of 2048 on the switch. An earlier version of the Multicast
and Routing Guide (page 5-142) had incorrectly stated that the overall maximum is 256.
■ Reload Command Description
Syntax: Reload
This command boots the switch from the currently active flash image and startup-config file.
Because reload bypasses some subsystem self-tests, the switch boots faster than if you use a
boot command. Note: To identify the currently active startup-config file, use the show config files
command. (This is a clarification of Syntax: Reload (page 6.33) in the Management and
Configuration Guide.)
Using Reload
The reload command reboots the switch from the flash image on which you are currently booted
(primary or secondary) or the flash image that was set either by the boot set-default command or
by the last executed boot system flash <primary | secondary> command. Because reload bypasses
some subsystem self-tests, the switch reboots faster than when you use either of the boot
command options. If you are using redundant management and redundancy is enabled when
using reload, the switch will failover to the other management module. (This is a clarification of
Using Reload (page 6.24) in the Management and Configuration Guide.)
■ MSTP mCheck:
Unlike other MSTP parameters, 'mCheck' is not a configurable option. It is a flag that tells
MSTP to initiate transmission of RST/MST BPDUs for a MigrateTime (3 secs) period, to test
whether all STP Bridges on the attached LAN have been removed and the Port can migrate
to the native MSTP mode and use RST/MST BPDUs for transmission. The 'mCheck' is always
cleared (set FALSE) prior to port initialization.
V i r u s - T h r o t t l i n g ( C o n n e c t i o n - r a t e f i l t e r i n g ) :
As of release K.12.01, this feature enables notification of worm-like behavior detected on all
inbound IP traffic. (The Advanced Traffic Management Guide retains some incorrect references
to filtering on IP routed traffic only.)
Some of the earlier ProCurve MSTP implementations allowed the 'mCheck' option to be a configurable parameter. It was stored in the config. That was corrected beginning with version K.12.04.
21
Minimum Software Versions
Known Issues
Known Issues
Release K.13.25
The following problems are known issues as of release K.13.25.
SFTP/SCP (PR_0000008270) — An SFTP or SCP client session may not close after a config
download session ends. The work-around is to close the client manually.
Release K.13.23
The following problems are known issues in release K.13.23 or newer.
■ MAC Authentication (PR_0000007477) — When large numbers of MAC authentications
are attempted immediately after the switch (re)boots, some of the MAC authentications may
fail when they should succeed. Workaround: Increase the RADIUS server delay.
Release K.13.08
The following problems are known issues in release K.13.08 or newer.
■ CLI (PR_0000001893) — The copy flash CLI command does not function in ProCurve
8212zl switches running K.13.05 or later. Workaround: use the CLI command copy tftp flash.
■ Config/TFTP (PR_1000748292) — The switch allows conflicting configuration
parameters to be loaded via TFTP transfer to the startup-config (ip address
<x.x.x.x> and
no ip address).
■ Port Security (PR_1000777162) — When Port Security is configured for static MAC
address learning, prolonged flooding of unicast traffic may occur under certain conditions.
■ Certificate (PR_1000416167) — The Web Management interface submission form limits
CA-signed certificates to 1800 bytes.
■ CLI (PR_1000760929) — The CLI output from the command show name int <x-x> does not
display the port number beyond the ninth port.
■ RADIUS/Jumbo (PR_ 1000779048) — When an 802.1X enabled port belongs to a VLAN
that is jumbo enabled, the Access-Request will specify a value of Framed-MTU of 9182 bytes.
When the RADIUS server replies with a large frame, the switch does not respond, causing
the authentication process to halt.
■ SNMP Trap (PR_1000772026) — The ProCurve 3500yl Switches do not send the proper
OID value for a Redundant Power Supply (RPS) failure.
22
Known Issues
Minimum Software Versions
■ Web (PR_1000761014) — The Web interface truncates 16 character passwords to 15
characters. Workaround: configure 16 character passwords via the CLI.
■ ICMP (PR_1000764033) — ICMP TTL expired messages are being sent with a source
address of the interface the message leaves from rather than the interface that receives the
expired packet.
■ Auto-TFTP/Config (PR_0000001410) — Auto-TFTP configuration is lost during the
update from K.12.xx to K.13.03.
■ Web Authentication (PR_0000000968) — Web authentication to IAS over PEAP may
trigger a software exception crash with a message similar to the following.
Software exception at exception.c:501 -- in 'mWebAuth', task ID =
0x843c2b0 -> internal error
■ DHCP Snooping (PR_1000469934) — When DHCP Snooping is enabled and configured,
and a client sends a “DHCPINFORM” after receiving address information, the DHCP Server
response is not forwarded to the client by the switch.
■ CLI (PR_1000745509) — There are multiple issues with respect to the output from the
CLI
command show ipv6 neighbor vlan <x>.
■ Module Selftest (PR_0000001273) — After reboot, ports 1-24 or ports 25-48 on the
ProCurve 3500yl or ports 1-24 on the 6200yl Switches may become unresponsive followed
by green and amber port LEDs remaining lit. Ports recover automatically. The log file will
show the following messages.
chassis: Ports 1-24: Slave ROM Tombstone: 0x13000601
chassis: Ports 1-24: Lost Communications detected - Heart Beat Lost(4A)
chassis: Ports 1-24 Downloading
chassis: Ports 1-24 Download Complete
chassis: Ports 1-24 Ready
■ ECMP (PR_1000798467) — A switch using OSPF ECMP may mis-route traffic for routes
with long prefixes (/31 or /32).
■ CLI (PR_1000782972) — The CLI command show system power provides incorrect output
for those regions that use a 220 volt standard.
■ CLI (PR_1000430534) — Output from the show port-access mac-based CLI command may
omit connected clients.
■ CLI (PR_1000776583) — The output for CLI command show access-list resources does not
accurately display the number of QoS/ACL masks available.
■ Config Transfer (PR_1000781015) — A config file transfer will fail with a “corrupted
configuration”
message, if the config file specifies MDIX-mode for a dual-personality port.
23
Known Issues
Release K.13.02
■ Config Transfer (PR_1000781004) — The switch allows a config file transfer to set an
invalid speed-duplex setting on a 100FX SFP.
■ Config Transfer (PR_1000781031) — When the valid port setting 'auto-1000' is configured
for a 10/100/1000 interface and the configuration gets copied to the switch, the port setting
is altered to 'auto.'
■ Config Transfer (PR_1000781011) — A config file copied to the switch allows an entry
to enable flow control on a half-duplex interface. However, flow control on a half-duplex
interface is disabled, as specified by IEEE 802.3 Annex 31B.
■ CLI (PR_1000775644) — When flow control is enabled, the output from a show int brief
CLI command inaccurately indicates that flow control is off.
Release K.13.02
The following are known issues in release K.13.02 or newer.
■ ACL Mirrors: Beginning with K.13.02 software, ACLs can only be mirrored to a single
destination.
Release K.13.01
The following are known issues in release K.13.01 or newer.
■ Rate-Limiting: The "bps" mode for Ingress/Egress Rate-Limiting has been removed from
the MIB, from the config, and as a CLI option (help-text also updated). Bandwidth is now
measured in KBPS. Configurations which have rate-limiting configured in bps units will be
successfully converted to the updated unit of measurement as the software is updated from
K.11.xx or K.12.xx to K.13.xx.
■ PCM+ USB Autorun (PR_1000767612) — Issuing the command copy startup-config usb
test may crash the switch when executed in a PCM+ Autorun cmd file. The crash message
is similar to:
PPC Data Storage (Bus Error) exception vector 0x300:
■ Restriction in number of ACL mirror destinations — The K.13.01 software introduced
a new restriction to a single ACL mirror destination. K.12 versions of software allowed up
to 4 ACL mirror destinations. Users with multiple ACL mirror sessions must edit their
configurations so that they contain only a single mirror destination prior to updating to
K.13.01 or newer software. If a switch with multiple ACL mirror destinations is updated from
K.12.xx to K.13.01 or newer, only the first destination will function. The additional mirror
sessions will have to be edited out of the configuration offline, and the valid configuration
then loaded onto the switch.
24
Known Issues
Release K.13.01
25
Release K.11.12 Enhancements
Enhancements
Enhancements
Unless otherwise noted, each new release includes the enhancements added in all previous releases.
Enhancements are listed in chronological order, oldest to newest software release. To review a
summary of enhancements included since the last general release that was published, begin with
“Release K.13.01 Enhancements” on page 69.
Descriptions and detailed instructions for enhancements included in Release K.13.01 or earlier are
included in the latest release of manuals for the ProCurve Series 3500yl, 6200yl, 5400zl, and 8212zl
switches (January 2008), available on the Web at w
Release K.11.11 was the first production software release for the ProCurve 3500yl, 6200yl, and 5400zl
Series switches. Release K.12.31 was the first production software release for the ProCurve 8212zl
switch. Release K.12.57 is the last public release of the K.12.xx software. The 3500yl, 6200yl, 5400zl,
and 8212zl software code was rolled to the K.13.0x code branch with no intervening releases.
Release K.11.12 Enhancements
Release K.11.12 includes the following enhancement:
■ MSTP Enhancement Implementation of legacy path cost MIB and CLI option for MSTP.
ww.hp.com/rnd/support/manuals.
Release K.11.13 through K.11.32 Enhancements
No enhancements, software fixes only.
Release K.11.33 Enhancements
■ With the K.11.33 software release, support for the following ProCurve products was added:
• J8698A / J8700A(bundle) for the ProCurve switch 5412zl
• J8706A - ProCurve Switch 5400zl 24p Mini-GBIC Module
• J8708A - ProCurve Switch 5400zl 4p 10-GbE CX4 Module
• J8992A - ProCurve Switch 6200yl-24G-mGBIC
Release K.11.34 Enhancements
Release K.11.34 includes the following enhancements:
■ Increased number of Telnet/SSH sessions: The maximum number of simultaneous
Telnet/SSH sessions has been increased from three to five. The CLI commands show telnet
and show ip ssh now report on five sessions rather than just three.
26
Enhancements
Release K.11.35 Enhancements
■ CLI-configured sFlow with multiple instances: In earlier software releases, the only
method for configuring sFlow on the switch was via SNMP using only a single sFlow instance.
Beginning with software release K.11.34, sFlow can also be configured via the CLI for up to
three distinct sFlow instances. For more information, refer to the section on “CLI-Configured
sFlow with Multiple Instances” in the chapter titled “Configuring for Network Management
Applications” in the Management and Configuration Guide for your switch.
■ Event log display options: Two new options have been added to provide greater flexibility
in viewing event log entries via the CLI. The show logging command now includes an option
to reverse the standard display, and a clear logging command has been added to remove all
event log entries from the show logging display output. For more information, refer to the
section on “Using the Event Log To Identify Problem Sources” in the Appendix titled
“Troubleshooting” in the Management and Configuration Guide for your switch.
■ Scheduled reload: Additional parameters have been added to the reload command to allow
for a scheduled reboot of the switch via the CLI. For more information, refer to the section
on “Rebooting your Switch” in the Chapter titled “Switch Memory and Configuration” in the
Management and Configuration Guide for your switch.
■ Real-time rate display: The show interface port-utilization command provides a real-time
rate display for all ports on the switch.
Release K.11.35 Enhancements
Release K.11.35 includes the following enhancement:
■ Added support for STP Per-Port BPDU Filtering and SNMP Traps.
■ Added an option to configure the switch to use the management VLAN IP address in the
Option 82 field for all DHCP requests received from various VLANs.
Release K.11.36 through K.11.39 Enhancements
No new enhancements, software fixes only.
Release K.11.40 Enhancements
Release K.11.40 includes the following enhancement:
■ RSTP/MSTP BPDU Protection: When this feature is enabled on a port, the switch will
disable (drop the link) of a port that receives a spanning tree BPDU, log a message, and
optionally, send an SNMP trap.
27
Release K.11.41 Enhancements
Enhancements
Release K.11.41 Enhancements
Release K.11.43 includes the following enhancement:
■ Added support for Unidirectional Fiber Break Detection (UDLD).
Release K.11.42 Enhancements
No enhancements, software fixes only.
Release K.11.43 Enhancements
Release K.11.43 includes the following enhancement:
■ 802.1X Controlled Directions enhancement. With this change, Administrators can use
“Wake-on-LAN” with computers that are connected to ports configured for 802.1X
authentication.
Release K.11.44 Enhancements
Release K.11.44 includes the following enhancement:
■ Loop Protection enhancement allows STP to detect and block network topology loops on a
single port.
Release K.11.45 Through K.11.47 Enhancements
No enhancements, software fixes only.
Release K.11.48 Enhancements
Release K.11.48 includes the following enhancement:
■ The show tech transceiver CLI command output now contains the HP part number and
revision information for all transceivers (mGBICs) on the switch.
Release K.11.49 Enhancements
Release K.11.49 includes the following enhancement:
■ DHCP Protection (Snooping) enhancement.
28
Enhancements
Release K.11.60 through K.11.63 Enhancements
Release K.11.60 through K.11.63 Enhancements
No enhancements, software fixes only.
■ Versions K.11.50 through K.11.59 were never built.
■ Version K.11.60 was never released.
Release K.11.64 Enhancements
Release K.11.64 includes the following enhancement:
■ Loop Protection feature additions, including packet authentication, loop detected trap, and
receiver port configuration.
■ Historical information about MAC addresses that have been moved has been added to the
"show tech" command output.
Release K.11.68 Enhancements
Release K.11.68 includes the following enhancement:
■ Improved SFlow function to accommodate bursty traffic.
Release K.11.69 Enhancements
No new enhancements, software fixes only.
Release K.11.69 is the last release of the K.11.xx software. The 3500yl, 6200yl, and 5400zl switch series
software code was rolled to the K.12.0x code branch with no intervening releases.
29
Release K.12.01 Enhancements
Enhancements
Release K.12.01 Enhancements
Release K.12.01 is a major software update containing many new features and enhancements to
existing features. The following updates have been documented in the latest revisions to the manuals
(February 2007). Refer to the manuals for additional details.
Software Manual/
Enhancements
Management and Configuration Guide
Bi-directional Rate Limiting: In earlier releases, all traffic rate-limiting applied to inbound traffic only,
and was specified as a percentage of total bandwidth. This enhancement
allows you to configure outbound rate-limiting for all traffic on a port, and
specify bandwidth usage in terms of bits per second (bps).
Loopback Interface: A virtual interface that is always up and reachable as long as at least one
of the IP interfaces on the switch is operational. By default, each switch
has an internal loopback interface (lo0). You can configure up to seven
other loopback interfaces on the switch.
USB Support Provides an option for using a USB device as a source or destination for
file transfers. Refer to "Using USB To Download Switch Software" in the
"File Transfers" appendix of the Management and Configuration Guide for
your switch (February 2007 or newer). For information on USB device
compatibility on the 3500yl, 5400zl, and 6200yl switches, refer to the HP
ProCurve support Website:
http://www.hp.com/rnd/support/faqs/index.htm
Intelligent Mirroring Enables copying of network traffic from a network interface to a local or
remote exit port where a host such as a traffic analyzer or intrusion
detection system (IDS) is connected.
DNS Resolver Used in local network domains to enable the use of a hostname or
fully-qualified domain name to perform ping and t raceroute operations from
the switch.
Description
.
SNMP-Server Source IP
Commands:
SNMPv3 AES Support: Authentication and privacy for SNMPv3 users has been enhanced to
Multicast and Routing Guide
OSPF NSAA: Support for Not-So-Stubby-Areas (NSAA).
DHCP Relay: Enhancements to the DHCP Relay feature allow you to disable the hop
Provides added security by allowing you to send SNMP replies from the
same IP address as the one on which the corresponding SNMP request
was received.
support AES 128-bit encryption as a privacy protocol in SNMPv3 messages
in compliance with RFC 3826.
count in DHCP requests, and enable support for up to 2048 IP helper
addresses of DHCP servers.
30
Enhancements
Release K.12.01 Enhancements
Software Manual/
Description
Enhancements
Advanced Traffic Management Guide
Qos Queue Config: Allows you to reduce the number of outbound queues that all switch ports
will use to buffer packets for 802.1p user priorities.
Number of Default VLANs: In the factory default state, support has been increased from 8 VLANs to
256 VLANs. (You can reconfigure the switch to support up to 2048 (vids up
to 4094) VLANs.)
Migrating Layer 3 VLANs Using
VLAN MAC Configuration:
Allows you to upgrade to ProCurve routing switches without stopping the
operation of attached hosts that use existing routers as their default
gateway to route traffic between VLANs.
Access Security Guide
RADIUS AAA: Provides client-level security that allows LAN access to individual 802.1X
clients (up to 32 per port), where each client gains access to the LAN by
entering valid user credentials. This operation improves security by
opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be
authenticated.
SNMP Access to Switch
Authentication features:
Enables manager read/write access for a subset of the SNMP MIB objects
for switch authentication features.
Security Note: Downloading and booting software release K.12.01 or
greater for the first time automatically enables SNMP access to the
hpSwitchAuth MIB objects. For more information, or to disable this feature
see“Support Notes” on page 17 for details.
Password Set via SNMP: Allows configuration of username and password via SNMP.
Client-based Access Control: In earlier releases, all traffic rate-limiting applied to inbound traffic only,
and was specified as a percentage of total bandwidth. This enhancement
allows you to configure outbound rate-limiting for all traffic on a port, and
specify bandwidth usage in terms of bits per second (bps).
Virus Throttling
on Bridged Traffic:
ACLs on Port Traffic and Bridged
Traffic:
This enhancement allows connection-rate filtering on all IP traffic (not just
routed traffic as in earlier releases).
Allows configuration of ACLs to filter traffic entering the switch on a VLAN
or port.
Dynamic ARP Protection: Protects your network from ARP cache poisoning by dropping packets, with
an invalid IP-to-MAC address binding, that are received on untrusted ports.
Instrumentation Monitor: Protects your network from a variety of common attacks by generating
alerts for detected anomalies on the switch.
31
Release K.12.02 Enhancements
Enhancements
Software Manual/
Description
Enhancements
Controlled Directions
Web/MAC Auth:
Allows you to use the aaa port-access controlled-directions command to
configure how a port transmits traffic before it successfully authenticates
a client and enters the authenticated state. This feature is available for both
802.1X and Web/MAC authorization.
Note on Manual Updates: In addition to the above updates to the manuals, the chapter on ACLs has been
moved from the Advanced Traffic Management Guide to the Access Security Guide. The Access Security
Guide also provides a new introductory “Security Overview” chapter, plus a new chapter on “Advanced
Threat Protection” covering topics such as DHCP Snooping and Dynamic Arp Protection.
In addition to the updates listed above, K.12.01 also provides the following enhancements:
■ Enhancement (PR_1000298920) — A ping request issued to a VLAN which is down will
now return a more specific message; instead of "request timed out," the message "The
destination address is unreachable" will be displayed.
■ Enhancement (PR_1000373226) — Support was added for the ProCurve 100-FX SFP-LC
Transceiver (J9054B).
■ Enhancement (PR_1000376626) — Enhance CLI qos dscp-map help and show dscp-map
text to warn the user that inbound classification based on DSCP code points only occurs if
qos type-of-service diff-services is also configured.
Release K.12.02 Enhancements
No enhancements, software fixes only.
Release K.12.03 Enhancements
Release K.12.03 includes the following enhancements:
■ Enhancement (PR_1000379804) — Historical information about MAC addresses that
have been moved has been added to the show tech command output.
■ Enhancement (PR_1000398393) — For the interface <port-list> speed-duplex command,
added the auto-10-100 configuration option to constrain a link to 10/100 Mbps speed and allow
a more rapid linkup process when 1000 Mbps operation is not possible.
■ Enhancement (PR_1000404544) — Provides TCP/UDP port range prioritization in the qos
command; the range option assigns an 802.1p priority to (IPv4) TCP or UDP packets
associated with a range of TCP/UDP ports.
qos <udp-port | tcp-port> < tcp/udp port number | range <tcp/udp port number > <tcp/udp port
number > > priority < 0 - 7>
32
Enhancements
Release K.12.04 Enhancements
For more information, refer to “QoS TCP/UDP Priority” in the Advanced Traffic Management
Guide.
Release K.12.04 Enhancements
Release K.12.04 includes the following enhancement:
■ Enhancement MSTP (PR_1000369492) — Update of MSTP implementation to the latest
IEEE P802.1Q-REV/D5.0 specification to stay in compliance with the protocol evolution. For
more information on selected configuration options and updated MSTP port parameters, see
“Configuring MSTP Port Connectivity Parameters” below.
Configuring MSTP Port Connectivity Parameters
With release K.12.04, all ports are configured as auto-edge-ports by default, and the spanning tree
edge-port option has been removed. This section describes selected spanning-tree <port-list> command
parameters for enhanced operation.
Basic port connectivity parameters affect spanning-tree links at the global level. Therefore, in most
cases, ProCurve recommends that you use the revised default settings for these parameters and apply
changes on a per-port basis only where a non-default setting is clearly indicated by the circumstances
of individual links (for example, see the root-guard option below).
To display the spanning-tree settings for each port, use the show spanning-tree config command.
Syntax: [no] spanning-tree < port-list > < auto-edge-port | admin-edge-port | mcheck | root-guard |
tcn-guard >
[auto-edge-port]
Enables auto-edge-port operation for MSTP, and supports the automatic detection
of edge ports. (Default: Yes , enabled)
The port will look for BPDUs for 3 seconds; if there are none it begins forwarding
packets. If admin-edge-port is enabled for a port, the setting for auto-edge-port is
ignored whether set to yes or no. If admin-edge-port is disabled, and auto-edge-port
has not been disabled, then the auto-edge-port setting controls the behavior of the
port.
The no spanning-tree < port-list > auto-edge-port command disables auto-edge-port
operation on the specified ports.
33
[admin-edge-port]
Enables admin-edge-port for RSTP/MSTP. If a bridge or switch is detected on the
segment, the port automatically operates as non-edge, not enabled. (Default: No
- disabled)
If admin-edge-port is disabled on a port and auto-edge-port has not been disabled,
the auto-edge-port setting controls the behavior of the port.
The no spanning-tree < port-list > admin-edge-port command disables
admin-edge-port operation on the specified ports.
[mcheck]
Forces a port to send RSTP/MSTP BPDUs for 3 seconds. This allows for another
switch connected to the port and running RSTP to establish its connection
quickly and for identifying switches running 802.1D STP. If the whole-switch
force-version parameter is set to stp-compatible, the switch ignores the mcheck
setting and sends 802.1D STP BPDUs out all ports.
[root-guard]
MSTP only. When a port is enabled as root-guard, it cannot be selected as the root
port even if it receives superior STP BPDUs. The port is assigned an “alternate”
port role and enters a blocking state if it receives superior STP BPDUs. The
BPDUs received on a root-guard port are ignored. All other BPDUs are accepted
and the external devices may belong to the spanning tree as long as they do not
claim to be the Root device. (Default: No - disabled)
Note: In standard Spanning Tree Protocol operation, the calculation of active
network topologies may be an issue when switches outside the core region of a
network are under shared or limited administrative control. Such a switch may
become a Root Bridge for the entire network and create non-optimal forwarding
paths. By enabling the root-guard feature on ports that face outside the core
network, external boundaries for the core network are created to ensure the Root
Bridge is located within the core network.
[tcn-guard]
When tcn-guard is enabled for a port, it causes the port to stop propagating
received topology change notifications and topology changes to other ports.
(Default: No - disabled)
Release K.12.04 Enhancements
Enhancements
34
Enhancements
Release K.12.04 Enhancements
Syntax: spanning-tree < port-list > < hello-time | path-cost | point-to-point-mac | priority >
[hello-time < global | 1 - 10 >
When the switch is the CIST root, this parameter specifies the interval (in
seconds) between periodic BPDU transmissions by the designated ports. This
interval also applies to all ports in all switches downstream from each port in
the < port-list >. A setting of global indicates that the ports in < port-list > on the
CIST root are using the value set by the global spanning-tree hello-time value.
When a given switch “X” is not the CIST root, the per-port hello-time for all active
ports on switch “X” is propagated from the CIST root, and is the same as the
hello-time in use on the CIST root port in the currently active path from switch
“X” to the CIST root. (That is, when switch “X” is not the CIST root, then the
upstream CIST root’s port hello-time setting overrides the hello-time setting
configured on switch “X”. (Default Per-Port setting: Use Global. Default Global
Hello-Time: 2.)
[path-cost < auto | 1.200000000 >]
Assigns an individual port cost that the switch uses to determine which ports
are forwarding ports in a given spanning tree. In the default configuration
(auto) the switch determines a port’s path cost by the port’s type:
– 10 Mbps: 2000000
– 100 Mbps: 200000
– 1 Gbps: 20000
35
point-to-point-mac <true | false | auto >
This parameter informs the switch of the type of device to which a specific port
connects.
True (default): Indicates a point-to-point link to a device such as a switch,
bridge, or end-node.
False: Indicates a connection to a hub (which is a shared LAN segment).
Auto: Causes the switch to set False on the port if it is not running at full duplex.
(Connections to hubs are half-duplex.)
priority < 0.15 >
MSTP uses this parameter to determine the port(s) to use for forwarding. The
port with the lowest assigned value has the highest priority. While the actual
priority range is 0 to 240, this command specifies the priority as a multiplier
(0-15) of 16. That is, when you specify a priority multiplier of 0-15, the actual
priority assigned to the switch is:
(priority-multiplier) x 16 = priority
The default priority-multiplier value is 8.
For example, if you configure “2” as the priority multiplier for a given port,
then the actual priority is 32. Thus, after you specify the port priority
multiplier, the switch displays the actual port priority (and not the multiplier)
in the show spanning-tree config display. You can view the actual multiplier
setting for ports by executing show running and looking for an entry in this form:
spanning-tree <port-list> priority <priority-multiplier>
For example, configuring port 2 with a priority multiplier of “3” results in this
line in the
show running-config output:
spanning-tree B2 priority 3
Release K.12.05 Enhancements
Release K.12.05 Enhancements
Enhancements
Release K.12.05 includes the following enhancement:
■ Enhancement (PR_1000408960) — RADIUS-Assigned GVRP VLANs enhancement. For
more information, see “How RADIUS-Based Authentication Affects VLAN Operation” below.
How RADIUS-Based Authentication Affects VLAN Operation
Using a RADIUS server to authenticate clients, you can provide port-level security protection from
unauthorized network access for the following authentication methods:
■ 802.1X: Port-based or client-based access control to open a port for client access after
authenticating valid user credentials.
■ MAC address: Authenticates a device’s MAC address to grant access to the network.
■ Web-browser interface: Authenticates clients for network access using a Web page for user
login.
36
Enhancements
Release K.12.05 Enhancements
Note
You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication
at the same time on a port, with a maximum of 32 clients allowed on the port. (The default is one
client.) Web authentication and MAC authentication are mutually exclusive on the same port. Also,
you must disable LACP on ports configured for any of these authentication methods. For more
information, refer to the “Configuring Port-Based and User-Based Access Control (802.1X)” and “Web
and MAC Authentication” chapters of the Access Security Guide.
VLAN Assignment on a ProCurve Port
Following client authentication, VLAN configurations on a ProCurve port are managed as follows
when you use 802.1X, MAC, or Web authentication:
■ The port resumes membership in any tagged VLANs for which it is already assigned in the
switch configuration. Tagged VLAN membership allows a port to be a member of multiple
VLANs simultaneously.
■ The port is temporarily assigned as a member of an untagged (static or dynamic) VLAN for
use during the client session according to the following order of options.
a. The port joins the VLAN to which it has been assigned by a RADIUS server during client
authentication.
b. If RADIUS authentication does not include assigning the port to a VLAN, then the switch
assigns the port to the authorized-client VLAN configured for the authentication method.
c. If the port does not have an authorized-client VLAN configured, but is configured for
membership in an untagged VLAN, the switch assigns the port to this untagged VLAN.
Operating Notes
■ During client authentication, a port assigned to a VLAN by a RADIUS server or an
authorized-client VLAN configuration is an untagged member of the VLAN for the duration
of the authenticated session. This applies even if the port is also configured in the switch as
a tagged member of the same VLAN. The following restrictions apply:
• If the port is assigned as a member of an untagged static VLAN, the VLAN must already
be configured on the switch. If the static VLAN configuration does not exist, the
authentication fails.
• If the port is assigned as a member of an untagged dynamic VLAN that was learned
through GVRP, the dynamic VLAN configuration must exist on the switch at the time of
authentication and GVRP-learned dynamic VLANs for port-access authentication must
be enabled
37
Release K.12.05 Enhancements
Enhancements
If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN
for authentication sessions on the switch, the authentication fails.
■ To enable the use of a GVRP-learned (dynamic) VLAN as the untagged VLAN used in an
authentication session, enter the aaa port-access gvrp-vlans command, as described in
“Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions” on page 42.
■ Enabling the use of dynamic VLANs in an authentication session offers the following benefits:
• You avoid the need of having static VLANs pre-configured on the switch.
• You can centralize the administration of user accounts (including user VLAN IDs) on a
RADIUS server.
For information on how to enable the switch to dynamically create 802.1Q-compliant VLANs on
links to other devices using the GARP VLAN Registration Protocol (GVRP), refer to the “GVRP”
chapter in the Advanced Traffic Management Guide.
■ For an authentication session to proceed, a ProCurve port must be an untagged member of
the (static or dynamic) VLAN assigned by the RADIUS server (or an authorized-client VLAN
configuration). The port temporarily drops any current untagged VLAN membership.
If the port is not already a member of the RADIUS-assigned (static or dynamic) untagged VLAN,
the switch temporarily reassigns the port as an untagged member of the required VLAN (for the
duration of the session). At the same time, if the ProCurve port is already configured as an
untagged member of a different VLAN, the port loses access to the other VLAN for the duration
of the session. (A port can be an untagged member of only one VLAN at a time.)
When the authentication session ends, the switch removes the temporary untagged VLAN
assignment and re-activates the temporarily disabled, untagged VLAN assignment.
■ If GVRP is already enabled on the switch, the temporary untagged (static or dynamic) VLAN
created on the port for the authentication session is advertised as an existing VLAN.
If this temporary VLAN assignment causes the switch to disable a different untagged static or
dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of
Untagged VLAN Assignment in a RADIUS-Based Authentication Session” on page 39), the
disabled VLAN assignment is not advertised. When the authentication session ends, the switch:
• Removes the temporary untagged VLAN assignment and stops advertising it.
• Re-activates and resumes advertising the temporarily disabled, untagged VLAN assign-
ment.
■ If you modify a VLAN ID configuration on a port during an 802.1X, MAC, or Web
authentication session, the changes do not take effect until the session ends.
■ When a switch port is configured with RADIUS-based authentication to accept multiple
802.1X and/or MAC or Web authentication client sessions, all authenticated clients must use
the same port-based, untagged VLAN membership assigned for the earliest, currently active
client session.
38
Enhancements
Release K.12.05 Enhancements
Therefore, on a port where one or more authenticated client sessions are already running, all
such clients are on the same untagged VLAN. If a RADIUS server subsequently authenticates a
new client, but attempts to re-assign the port to a different, untagged VLAN than the one already
in use for the previously existing, authenticated client sessions, the connection for the new client
will fail. For more on this topic, refer to “802.1X Open VLAN Mode” in the “Configuring Port-Based
and Client-Based Access Control (802.1X)” chapter in the Access Security Guide.
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session
The following example shows how an untagged static VLAN is temporarily assigned to a port for use
during an 802.1X authentication session. In the example, an 802.1X-aware client on port A2 has been
authenticated by a RADIUS server for access to VLAN 22. However, port A2 is not configured as a
member of VLAN 22 but as a member of untagged VLAN 33 as shown in Figure 1.
Scenario: An authorized
802.1X client requires
access to VLAN 22 from
port A2. However,
access to VLAN 22 is
blocked (not untagged
or tagged) on port A2
and VLAN 33 is untagged
on port A2.
Figure 1. Example of an Active VLAN Configuration in the Menu Interface View
In Figure 1, if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client
use VLAN 22, then:
■ VLAN 22 becomes available as Untagged on port A2 for the duration of the session.
■ VLAN 33 becomes unavailable to port A2 for the duration of the session (because there can
be only one untagged VLAN on any port).
To view the temporary VLAN assignment as a change in the active configuration, use the show vlan
<vlan-id> command as shown in Figure 2, where <vlan-id> is the (static or dynamic) VLAN used in the
authenticated client session.
39
Release K.12.05 Enhancements
Enhancements
In the show command output, port A2 is temporarily
configured as untagged on VLAN 22 for an 802.1X session.
This temporary configuration change is necessary to
accommodate an 802.1X c lient’s access, authenticated by
a RADIUS server, in which the server included an
instruction to assign the client session to VLAN 22.
Note: In the current VLAN configuration ( Figure 1), port
A2 is only listed as a member of VLAN 22 in show vlan 22
output when an 802.1X session with an authenticated
client is active. Otherwise, port A2 is not listed.
Figure 2. Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session
However, as shown in Figure 1, because VLAN 33 is configured as untagged on port A2 and because
a port can be untagged on only one VLAN, port A2 loses access to VLAN 33 for the duration of the
802.1X session on VLAN 22.
You can verify the temporary loss of access to VLAN 33 by entering the show vlan 33 command as
shown in Figure 3.
Although port A2 is
configured as Untagged on
VLAN 33 (Figure Figure 1),
port A2 is not listed in show
vlan 33 output during the
802.1X session that uses
VLAN 22 in Untagged mode.
However, when the 802.1X
session on VLAN 22 ends,
the active configuration
restores port A2 as an
untagged member of
VLAN 33.
Figure 3. Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session
40
Enhancements
Release K.12.05 Enhancements
When the 802.1X client session on port A2 ends, the port removes the temporary untagged VLAN
membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the
port becomes available again. Therefore, when the RADIUS-authenticated 802.1X session on
port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port
A2 is restored as shown in Figure 4.
When the 802.1X session
on VLAN 22 ends, the
active configuration
restores VLAN 33 on
port A2.
Figure 4. The Active Configuration for VLAN 33 Restores Port A2 After the 802.1X Session Ends
41
Release K.12.05 Enhancements
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions
Syntax: aaa port-access gvrp-vlans
Enables the use of dynamic VLANs (learned through GVRP) in the temporary
untagged VLAN assigned by a RADIUS server on an authenticated port in an
802.1X, MAC, or Web authentication session.
Enter the no form of this command to disable the use of GVRP-learned VLANs in
an authentication session.
For information on how to enable a switch to dynamically create
802.1Q-compliant VLANs, refer to the “GVRP” chapter in the Access Security
Guide.
Notes:
1. If a port is assigned as a member of an untagged dynamic VLAN, the dynamic
VLAN configuration must exist at the time of authentication and GVRP for
port-access authentication must be enabled on the switch.
If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic
VLAN for authentication sessions on the switch, the authentication fails.
2. After you enable dynamic VLAN assignment in an authentication session, it
is recommended that you use the interface unknown-vlans command on a per-port
basis to prevent denial-of-service attacks. The interface unknown-vlans command
allows you to:
• Disable the port from sending advertisements of existing GVRP-created VLANs
on the switch.
• Drop all GVRP advertisements received on the port.
For more information, refer to the “GVRP” chapter in the Advanced Traffic
Management Guide.
3. If you disable the use of dynamic VLANs in an authentication session using
the no aaa port-access gvrp-vlans command, client sessions that were authenticated
with a dynamic VLAN continue and are not deauthenticated.
(This behavior differs form how static VLAN assignment is handled in an
authentication session. If you remove the configuration of the static VLAN used
to create a temporary client session, the 802.1X, MAC, or Web authenticated client
is deauthenticated.)
However, if a RADIUS-configured dynamic VLAN used for an authentication
session is deleted from the switch through normal GVRP operation (for example,
if no GVRP advertisements for the VLAN are received on any switch port),
authenticated clients using this VLAN are deauthenticated.
For information on how static and dynamic VLANs are assigned in a
RADIUS-based 802.1X, MAC, or Web authentication session, refer to the “How
RADIUS-Based Authentication Affects VLAN Operation” section in the “RADIUS
Authentication and Accounting” chapter of the Access Security Guide.
Enhancements
42
Enhancements
Release K.12.06 Enhancements
Release K.12.06 Enhancements
Release K.12.06 includes the following enhancement:
■ Enhancement (PR_1000308332) — Passwords (hashed) can be saved to the configuration
file.
Saving Security Credentials in a Configuration File
In software release K.12.06 and greater, you can store and view the following security settings in the
running-config file associated with the current software image by entering the include-credentials
command. Earlier software releases store these security configuration settings only in internal flash
memory and do not allow you to include and view them in the running-config file.
■ Local manager and operator passwords and (optional) user names that control access to a
management session on the switch through the CLI, menu interface, or Web browser
interface
■ SNMP security credentials used by network management stations to access a switch,
including authentication and privacy passwords
■ Port-access passwords and usernames used as 802.1X authentication credentials for access
to the switch
■ TACACS+ encryption keys used to encrypt packets and secure authentication sessions with
TACACS+ servers
■ RADIUS shared secret (encryption) keys used to encrypt packets and secure authentication
sessions with RADIUS servers
■ Secure Shell (SSH) public keys used to authenticate SSH clients that try to connect to the
switch.
Benefits of Saving Security Credentials
The benefits of including and saving security credentials in a configuration file are as follows:
■ After making changes to security parameters in the running configuration, you can
experiment with the new configuration and, if necessary, view the new security settings
during the session. After verifying the configuration, you can then save it permanently by
writing the settings to the startup-config file.
■ By permanently saving a switch’s security credentials in a configuration file, you can upload
the file to a TFTP server or Xmodem host, and later download the file to the ProCurve
switches on which you want to use the same security settings without having to manually
configure the settings (except for SNMPv3 user parameters) on each switch.
43
Release K.12.06 Enhancements
Enhancements
■ By storing different security settings in different files, you can test different security
configurations when you first download a new software version that supports multiple
configuration files by changing the configuration file used when you reboot the switch.
For more information about how to experiment with, upload, download, and use configuration files
with different software versions, refer to the following chapters:
■ “Switch Memory and Configuration” and “File Transfers” in the Management and
Configuration Guide
■ “Configuring Username and Password Security” in the Access Security Guide
Security Settings that Can Be Saved
This section describes the security settings that can be saved to a configuration file in software release
K.12.06 and greater:
■ Local manager and operator passwords and user names
■ SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames,
authentication, and privacy settings
■ 802.1X port-access passwords and usernames
■ TACACS+ encryption keys
■ RADIUS shared secret (encryption) keys
■ Public keys of SSH-enabled management stations that are used by the switch to authenticate
SSH clients that try to connect to the switch
Local Manager and Operator Passwords
In software releases earlier than K.12.06, the manager and operator passwords and user names used
to start a management session on the switch are treated as follows:
■ You set the passwords and (optional) user names using the CLI or menu interface as
described in “Configuring Local Password Security” in the Access Security Guide.
■ Only the following information is saved to the running configuration:
password manager [user-name <name>]
password operator [user-name <name>]
44
Enhancements
Release K.12.06 Enhancements
In software release K.12.06 and greater, you cannot view the configured local password settings in
plain text. However, by entering the include-credentials command described later, you can view a
hash of the local password settings in the running-config file, in the format:
password manager [user-name <name>] <hash-type> <pass-hash>
password operator [user-name <name>] <hash-type> <pass-hash>
Where:
<name> is an alphanumeric string for the user name assigned to the manager or operator.
<hash-type> indicates the type of hash algorithm used: SHA-1.
<pass-hash> is the SHA-1 authentication protocol’s hash of the password.
For example, a manager username and password may be stored in a running-config file as follows:
password manager user-name Spock SHA1
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
If you permanently save password configurations in the startup-config file by entering the write
memory command, the passwords take effect when a switch boots with the software version
associated with the configuration file.
Caution
If a startup configuration file does not contain a manager or operator password, the switch will not
have password protection and can be accessed through Telnet, the serial port, or Web interface with
full manager privileges.
Password Command
In software release K.12.06 and greater, the password command in the CLI is enhanced to support the
following syntax:
Syntax: [no] password <manager | operator | port-access> [user-name <name>] <hash-type> <password>
Where:
■ manager configures access to the switch with manager-level privileges.
■ operator configures access to the switch with operator-level privileges.
■ port-access configures access to the switch through 802.1X authentication with
operator-level privileges.
■ user-name <name> is the (optional) text string of the user name associated with the password.
45
Release K.12.06 Enhancements
■ The <hash-type> parameter specifies the type of algorithm (if any) used to hash the password.
Enhancements
Valid values are plaintext or sha-1.
■ The <password> parameter is the clear ASCII text string or SHA-1 hash of the password.
You can enter a manager/operator password in clear ASCII text or hashed format, while the
port-access password must be clear ASCII text only. Manager and operator passwords are
displayed and saved in a configuration file only in hashed format; port-access passwords are
displayed and saved only as plain ASCII text.
After you enter the complete command syntax that includes the password, the password is set and
you are not prompted to enter the password a second time.
This command enhancement allows you to configure manager, operator, and 802.1X port-access
passwords using the CLI in only one step (instead of entering the password command and then being
prompted twice to enter the actual password, as in software releases earlier than K.12.06).
■ For more information about configuring local manager and operator passwords, refer to the
“Configuring Username and Password Security” chapter in the Access Security Guide.
■ For more information about configuring a port-access password for 802.1X client
authentication, see “802.1X Port-Access Credentials” on page 47.
SNMP Security Credentials
In software releases earlier than K.12.06, SNMP security credentials are saved in a configuration file
as follows:
■ SNMPv1 community names and write-access settings are saved as shown in the following
example:
snmp-server community "vulcan" Unrestricted
■ SNMPv3 authorization and privacy protocols and passwords used with each SNMPv3 user
are not saved. However, SNMPv3 user names are saved; for example:
snmpv3 user "initial"
In software release K.12.06 and greater, SNMPv1 community names and write-access settings, and
SNMPv3 usernames are still saved in the running configuration when you enter the include-credentials
command.
In addition, the following SNMPv3 security parameters are also saved:
snmpv3 user “<name>" [auth <md5|sha> “<auth-pass>”] [priv “<priv-pass>"]
Where:
<name> is the name of an SNMPv3 management station.
auth <md5 | sha> is the (optional) authentication method used for the management station.
46
Enhancements
Release K.12.06 Enhancements
<auth-pass> is the hashed authentication password used with the configured authentication method.
priv “<priv-pass>” is the (optional) hashed privacy password used by a privacy protocol to encrypt
SNMPv3 messages between the switch and the station.
The following example shows the additional security credentials for SNMPv3 users that can be saved
in a running-config file:
snmpv3 user boris \
auth md5 “9e4cfef901f21cf9d21079debeca453” \
priv “82ca4dc99e782db1a1e914f5d8f16824”
snmpv3 user alan \
auth sha “8db06202b8f293e9bc0c00ac98cf91099708ecdf” \
priv “5bc4313e9fd7c2953aaea9406764fe8bb629a538”
Figure 5. Security Credentials for SNMPv3
Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or
the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in
hashed format, as shown in the preceding example.
For more information about the configuration of SNMP security parameters, refer to the “Configuring
for Network Management Applications” chapter in the Management and Configuration Guide.
802.1X Port-Access Credentials
In software release K.12.06 and greater, 802.1X authenticator (port-access) credentials can be stored
in a configuration file.
802.1X authenticator credentials are used by a port to authenticate supplicants requesting a
point-to-point connection to the switch. 802.1X supplicant credentials are used by the switch to
establish a point-to-point connection to a port on another 802.1X-aware switch. Only 802.1X authenticator credentials are stored in a configuration file. For information about how to use 802.1X on the
switch both as an authenticator and a supplicant, refer to the “Configuring Port-Based and
Client-Based Access Control (802.1X)” chapter in the Access Security Guide.
In software release K.12.06 and greater, the local password configured with the password command
is no longer accepted as an 802.1X authenticator credential. A new configuration command (password
port-access) is introduced to configure the local operator username and password used as 802.1X
authentication credentials for access to the switch.
The password port-access values are now configured separately from the manager and operator
passwords configured with the password manager and password operator commands and used for
management access to the switch. For information on the new password command syntax, see
“Password Command” on page 45.
47
Release K.12.06 Enhancements
Enhancements
After you enter the complete password port-access command syntax, the password is set. You are not
prompted to enter the password a second time.
TACACS+ Encryption Key Authentication
You can use TACACS+ servers to authenticate users who request access to a switch through Telnet
(remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:
■ Remote passwords assigned in a TACACS+ server
■ Local manager and operator passwords configured on the switch.
When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for
authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own
locally assigned passwords for authentication control if it has been configured to do so.
For improved security, you can configure a global or server-specific encryption key that encrypts
data in TACACS+ packets transmitted between a switch and a RADIUS server during authentication
sessions. The key configured on the switch must match the encryption key configured in each
TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or
“secret” key.) For more information, refer to the “TACACS+ Authentication” chapter in the Access
Security Guide.
In software releases earlier than K.12.06, the global and server-specific TACACS+ encryption keys
cannot be saved in a configuration file that can be copied from the switch. These keys are stored only
in flash memory and can be viewed by using the show tacacs command.
In software release K.12.06 and greater, TACACS+ shared secret (encryption) keys can be saved in
a configuration file with the following syntax:
tacacs-server key <keystring>
Where:
<keystring> is the encryption key (in clear text) used for secure communication with all or a specific
TACACS+ server.
RADIUS Shared-Secret Key Authentication
You can use RADIUS servers as the primary authentication method for users who request access to
a switch through Telnet, SSH, Web interface, console, or port-access (802.1X). The shared secret key
is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS
server during authentication sessions. Both the switch and the server have a copy of the key; the key
is never transmitted across the network. For more information, refer to the “RADIUS Authentication
and Accounting” chapter in the Access Security Guide.
In software releases earlier than K.12.06, the global and server-specific RADIUS encryption keys
cannot be saved in a configuration file that can be copied from the switch. These keys are stored only
in flash memory and can be viewed by using the show radius command.
48
Enhancements
Release K.12.06 Enhancements
In software release K.12.06 and greater, RADIUS shared secret (encryption) keys can be saved in a
configuration file with the following syntax:
radius-server key <keystring>
Where:
<keystring> is the encryption key (in clear text) used for secure communication with all or a specific
RADIUS server.
SSH Client Public-Key Authentication
Secure Shell version 2 (SSHv2) is used by ProCurve switches to provide remote access to
SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH
provides encrypted, two-way authenticated transactions. SSH client public-key authentication is one
of the types of authentication used.
Client public-key authentication uses one or more public keys (from clients) that must be stored on
the switch. Only a client with a private key that matches a public key stored on the switch can gain
access at the manager or operator level. For more information about how to configure and use SSH
public keys to authenticate SSH clients that try to connect to the switch, refer to the “Configuring
Secure Shell” chapter in the Access Security Guide.
In software releases earlier than K.12.06, client public-keys that are used to authenticate SSH clients
are only stored in flash memory, not in the running-config file. You can view the SSH public keys
stored on a switch by entering the show crypto client-public-key command. The only SSH security
credential that is stored in the running configuration are the following commands:
aaa authentication ssh login public-key
aaa authentication ssh enable public-key
■ The aaa authentication ssh login public-key command allows operator access using SSH
public-key authentication.
■ The aaa authentication ssh enable public-key command allows manager access using SSH
public-key authentication.
In software release K.12.06 and greater, the SSH security credential that is stored in the running
configuration is the syntax of the ip ssh public-key command used to authenticate SSH clients for
manager or operator access, along with the hashed content of each SSH client public-key. The syntax
of the ip ssh public-key command is as follows:
ip ssh public-key <manager|operator> <keystring>
Where:
manager allows manager-level access using SSH public-key authentication.
operator allows operator-level access using SSH public-key authentication.
<keystring> is a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a
single quoted token.
49
Release K.12.06 Enhancements
Enhancements
If the keystring contains double-quotes, it can be quoted with single quotes ('keystring'). The following
restrictions for a keystring apply:
■ A keystring cannot contain both single and double quotes.
■ A keystring cannot have extra characters, such as a blank space or a new line. However, to
improve readability, you can add a backlash at the end of each line.
Note
In software release K.12.01 and earlier, you can add up to ten SSH client public-keys to the switch
only by using the copy command; for example:
$ copy tftp public-key ip-addr filename <manager|operator> [append]
If you enter the optional append keyword, the transmitted public-keys are added to existing SSH
public-key configurations. If you omit the append keyword, the transmitted keys overwrite existing
SSH public-key configurations.
In software release K.12.06 and greater, the ip ssh public-key command allows you to configure only
one SSH client public-key at a time. (This command behavior differs from the copy command, which
in earlier software releases allows you to load up to ten SSH client public-key configurations at once
if they are stored in a single file on a TFTP server.) Therefore, the ip ssh public-key command behavior
includes an implicit append that never overwrites existing public-key configurations on a running
switch.
In all software releases, if you download a software configuration file that contains SSH client
public-key configurations, the downloaded public-keys overwrite any existing keys, as happens with
any other configured values.
To display the SSH public-key configurations (72 characters per line) stored in a configuration file,
enter the show config or show running-config command. The following example shows the SSH public
keys configured for manager access, along with the hashed content of each SSH client public-key,
that are stored in a configuration file:
50
Enhancements
Release K.12.06 Enhancements
...
include-credentials
ip ssh public-key manager “ssh-dss \
AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ \
EvYnTKxQ31bWvr/bT7W58NX/YJ1ZKTV2GZ2QJCicUUZVWjNFJCsa0v03XS4 \
BhkXjtHhz6gD701otgizUOO6/Xzf4/J9XkJHkOCnbHIqtB1sbRYBTxj3NzA \
K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP \
pv2scqPPXQghgaTkdPwGGtdFW/+K4xRskAnIaxuG0qLbnekohi+ND4TkKZd \
EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf/QV95kdNwWIbxuusBAzvfaJptd \
gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7/1kVOdS \
G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK+piG+Q1el1w9zsMaxPA1XJzSY/ \
imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf/LdQ2kqZjUuIyV9 \
LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov” \
ip ssh public-key manager ‘ssh-rsa \
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R \
JRs1Eov6y1RK3XkmgVatzl+mspiEmPS4wNK7bX/IoXNdGrGkoE8tPkxlZOZ \
oqGCf5Zs50P1nkxXvAidFs55AWqOf4MhfCqvtQCe1nt6LFh4ZMig+YewgQG \
M6H1geCSLUbXXSCipdPHysakw== "TectiaClientKey [1024-bit rsa, \
nobody@testmachine, Mon Aug 15 2005 14:47:34]”’
ip ssh public-key manager “ssh-rsa \
AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \
+SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \
NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \
qPFj1zdI4sIo5bDett2d0= joe@hp.com”
...
Figure 6. Example of Hashed Content of an SSH Client Public Key
If a switch configuration contains multiple SSH client public keys, each public key is saved as a
separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch.
51
Release K.12.06 Enhancements
Enhancements
Enabling the Storage and Display of Security Credentials
To enable the security settings described in “Security Settings that Can Be Saved” on page 44 to be
included and viewed in the running configuration on the switch, enter the include-credentials
command.
Syntax: [no] include-credentials
Enables the inclusion and display of the currently configured manager and operator
usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator
(port-access) security credentials, and SSH client public-keys in the running
configuration. (Earlier software releases store these security configuration settings only
in internal flash memory and do not allow you to include and view them in the
running-config file.)
To view the currently configured security settings in the running configuration, enter
one of the following commands:
• show running-config: Displays the configuration settings in the current running-config
file.
• write terminal: Displays the configuration settings in the current running-config file.
For more information, refer to the “Switch Memory and Configuration” chapter in the
Management and Configuration Guide.
To copy the contents of the running-config file from the switch to a USB flash memory
device, enter the copy running-config usb command. For more information, refer to the
“File Transfers” appendix in the Management and Configuration Guide.
The “no” form of the command disables only the display and copying of these security
parameters from the running configuration, while the security settings remain active
in the running configuration.
Default: The security credentials described in “Security Settings that Can Be Saved” on
page 44 are not stored in the running configuration.
52
Enhancements
Release K.12.06 Enhancements
Operating Notes
Caution
■ When you first enter the include-credentials command to save the additional security
credentials to the running configuration, these settings are moved from internal storage on
the switch to the running-config file.
You are prompted by a warning message to perform a write memory operation to save the security
credentials to the startup configuration. The message reminds you that if you do not save the
current values of these security settings from the running configuration, they will be lost the next
time you boot the switch and will revert to the values stored in the startup configuration.
■ When you boot a switch with a startup configuration file that contains the include-credentials
command, any security credentials that are stored in internal flash memory are ignored and
erased. The switch will load only the security settings in the startup configuration file, if any.
■ In software releases earlier than K.12.06, configuration changes to some security credentials
(described in “Security Settings that Can Be Saved” on page 44) are applied immediately and
saved in internal storage (flash memory) on the switch. They do not require you to enter the
write memory command to permanently save them in the startup configuration.
However, in software release K.12.06 and greater, this switch behavior changes. Security settings
are no longer automatically saved internally in flash memory and loaded with the startup
configuration when a switch boots up. The configuration of all security credentials requires that
you use the write memory command to save them in the startup configuration in order for them
to not be lost when you log off or reboot the switch. A warning message reminds you to
permanently save a security setting, which was formerly automatically saved in internal flash,
after you configure it.
■ After you enter the include-credentials command, the currently configured manager and
operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X
authenticator (port-access) security credentials, and SSH client public-keys are saved in the
running configuration.
Use the no include-credentials command to disable the display and copying of these security
parameters from the running configuration (using the show running-config and copy running-config
commands), without disabling the configured security settings on the switch.
After you enter the include-credentials command, you can toggle between the non-display and
display of security credentials in show and copy command output by alternately entering the no
include-credentials and include-credentials commands.
53
Release K.12.06 Enhancements
■ After you permanently save security configurations to the current startup-config file using
Enhancements
the write memory command, you can view and manage security settings with the following
commands:
• show config: Displays the configuration settings in the current startup-config file.
• copy config <source-filename> config <target-filename>: Makes a local copy of an existing
startup-config file by copying the contents of the startup-config file in one memory slot
to a new startup-config file in another, empty memory slot.
• copy config tftp: Uploads a configuration file from the switch to a TFTP server.
• copy tftp config: Downloads a configuration file from a TFTP server to the switch.
• copy config xmodem: Uploads a configuration file from the switch to an Xmodem host.
• copy xmodem config: Downloads a configuration file from an Xmodem host to the switch.
For more information, refer to the “Switch Memory and Configuration” chapter in the Manage-
ment and Configuration Guide.
■ The switch supports the storage of up to three configuration files. Each configuration file
contains its own security credentials and these security configurations may differ. It is the
responsibility of the system administrator to ensure that the appropriate security credentials
are contained in the configuration file that is loaded with each software image.
• When you load a configuration file associated with a software release earlier than K.12.06
on a switch running software release K.12.06 or greater, all security credentials in the
configuration file are supported.
• When you load a configuration file associated with a software release K.12.06 or greater
on a switch running a software release earlier than K.12.06, all security credentials saved
with the include-credentials command are rejected as invalid configurations by the earlier
software.
■ If you have already enabled the storage of security credentials (including local manager and
operator passwords) by entering the include-credentials command, the Reset-on-clear option
is disabled. When you press the Clear button on the front panel, the manager and operator
usernames and passwords are deleted from the running configuration. However, the switch
does not reboot after the local passwords are erased. (The reset-on-clear option normally
reboots the switch when you press the Clear button.)
For more information about the Reset-on-clear option and other front-panel security features,
refer to the “Configuring Username and Password Security” chapter in the Access Security
Guide.
54
Enhancements
Release K.12.06 Enhancements
■ If you upgrade ProCurve software on a switch from an earlier software release to software
release K.12.06 or greater and then enter the include-credentials command, security
passwords are managed as follows:
• The manager password (if any) in the earlier software version is copied into the running
configuration. The other two configuration files, if configured, will not have a manager
password configured.
• The operator password (if any) in the earlier software version is copied into the running
configuration. The other two configuration files, if configured, will not have an operator
password configured.
• No port-access password for 802.1X authentication is configured. The operator password in the earlier software version is not automatically copied as the new port-access
password. To configure password access to the switch through 802.1X authentication,
use the password port-access command as described in “Password Command” on page
45. (It is not recommended that you use the same password for operator console access
and for 802.1X port-access authentication.)
• The SSH client public-keys for manager and operator access are copied from flash
memory into the running configuration.
• The RADIUS shared secret and TACACS+ encryption keys for access to authentication
servers are already included in the running configuration.
• SNMPv3 user credentials are already included in the running configuration.
■ If you downgrade ProCurve software on a switch and use a software release earlier than
K.12.06, security passwords are managed as follows:
• Because SNMPv3 user credentials, RADIUS shared secret keys, and TACACS+ encryption keys are already included in the startup configuration, these security credentials
are not lost. They continue to be used in the earlier software version.
• The local manager and operator passwords are not recognized by an earlier software
version and are not saved in the running configuration. However, passwords in inactive
configuration files remain stored there. Although they are not displayed in show config
command output, they are not automatically erased.
• Although the hashed SSH client public-keys (for manager and operator access) are not
recognized by an earlier software version, they remain stored so that they are immediately reloaded if you upgrade back to software release K.12.06 or greater.
• As in a software upgrade, no port-access (operator) password for 802.1X authentication
is saved from software release K.12.06 or greater.
55
Release K.12.06 Enhancements
Enhancements
Restrictions
The following restrictions apply when you enable security credentials to be stored in the running
configuration with the include-credentials command:
■ The private keys of an SSH host cannot be stored in the running configuration. Only the
public keys used to authenticate SSH clients can be stored. An SSH host’s private key is only
stored internally; for example, on the switch or on an SSH client device.
■ SNMPv3 security credentials saved to a configuration file on a switch cannot be used after
downloading the file on a different switch. The SNMPv3 security parameters in the file are
only supported when loaded on the same switch for which they were configured.
The reason is that when SNMPv3 security credentials are saved to a configuration file, they are
saved with the engine ID of the switch as shown here:
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
If you download a configuration file with saved SNMPv3 security credentials on a switch, when
the switch loads the file with the current software version, the SNMPv3 engine ID value in the
downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be
configured with the authentication and privacy passwords in the file. (To display the engine ID
of a switch, enter the show snmpv3 engine-id command. To configure authentication and privacy
passwords for SNMPv3 users, enter the snmpv3 user command.)
If the engine ID in the saved SNMPv3 security settings in a downloaded configuration file does
not match the engine ID of the switch:
• The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users
can have SNMPv3 access with the privileges you want.
•Only the snmpv3 user <user_name> credentials from the SNMPv3 settings in a downloaded
configuration file are loaded on the switch; for example:
snmpv3 user boris
snmpv3 user alan
■ In software release K.12.06 and greater, you can store 802.1X authenticator (port-access)
credentials in a configuration file. However, 802.1X supplicant credentials cannot be stored.
■ In software release K.12.06 and greater, the local operator password configured with the
password command is no longer accepted as an 802.1X authenticator credential. A new
configuration command (password port-access) is introduced to configure the username and
password used as 802.1X authentication credentials for access to the switch. You can store
the password port-access values in the running configuration by using the include-credentials
command.
56
Enhancements
Release K.12.07 Enhancements
Note that the password port-access values are configured separately from local operator username and passwords that are configured with the password operator command and used for
management access to the switch. For more information about how to use the password
port-access command to configure operator passwords and usernames for 802.1X authentication,
refer to the “Configuring Port-Based and Client-Based Access Control (802.1X)” chapter in the
Access Security Guide.
Release K.12.07 Enhancements
No enhancements, software fixes only.
Release K.12.08 Enhancements
Release K.12.08 includes the following enhancement:
■ Enhancement (PR_1000413764) — Increase the size of the sysLocation and sysContact
entries from 48 to 255 characters.
Configuring a System Contact and Location for the Switch
Both the system-contact and the system-location fields allow up to 255 characters when configured
through the CLI or the Web browser interface.
CLI Command
Syntax: snmp-server [contact <system-contact>] [location <system-location>]
where < system-contact > and <system-location > are ASCII strings up to 255 characters each.
Web Browser Interface
Using the Web browser interface for the switch, click the Configuration tab, and select System Info to
access the System Location and System Contact fields. In each field, you can enter ASCII strings up to
255 characters each. You can view all the characters by using the cursor to scroll through the field.
Menu Interface
Unlike the CLI command and the Web browser interface, the Menu interface will only allow
configuration of System Contact and System Location strings of up to 48 characters. However, if a
System Contact or System Location string length configured through the CLI command or Web
browser interface exceeds 48 characters, the Menu fields will display “+” followed by the last 47
characters of the string. Use the CLI show running, show config, or show system-information commands
to see the complete text string.
57
Release K.12.09 Enhancements
Enhancements
Release K.12.09 Enhancements
No enhancements, software fixes only.
Release K.12.10 Enhancements
Release K.12.10 includes the following enhancement:
■ Enhancement (PR_1000419653) — The show vlan ports command was enhanced to
display each port in the VLAN separately, display the friendly port name (if configured), and
display the VLAN mode (tagged/untagged) for each port. See “Show VLAN ports CLI
Command Enhancement” below.
Show VLAN ports CLI Command Enhancement
The show vlan ports command has been enhanced with an option (detail) to display VLAN memberships on a per-port basis when a range of ports is specified in the command. In addition, user-specified
port names will be displayed (if assigned), along with tagged or untagged membership modes.
Displaying the VLAN Membership of One or More Ports
This command shows VLAN memberships associated with a port or a group of ports.
Syntax show vlan ports < port-list > [detail]
Displays VLAN information for an individual port or a group of ports, either
cumulatively or on a detailed per-port basis.
port-list: Specify a single port number, a range of ports (for example, a1-a16), or all.
detail: Displays detailed VLAN membership information on a per-port basis.
Descriptions of items displayed by the command are provided below.
Port name: The user-specified port name, if one has been assigned.
VLAN ID: The VLAN identification number, or VID.
Name: The default or specified name assigned to the VLAN. For a static VLAN, the
default name consists of VLAN-x where “x” matches the VID assigned to that VLAN.
For a dynamic VLAN, the name consists of GVRP_x where “x” matches the
applicable VID.
Status:
Port-Based: Port-Based, static VLAN
Protocol: Protocol-Based, static VLAN
Dynamic: Port-Based, temporary VLAN learned through GVRP.
58
Enhancements
Release K.12.10 Enhancements
Voice: Indicates whether a (port-based) VLAN is configured as a voice VLAN.
Jumbo: Indicates whether a VLAN is configured for Jumbo packets. For more on
jumbos, refer to the chapter titled “Port Traffic Controls” in the Management and
Configuration Guide for your switch.
Mode: Indicates whether a VLAN is tagged or untagged.
The following examples illustrate the displayed output depending on whether the detail option is
used.
ProCurve# show vlan ports a1-a33
Status and Counters - VLAN Information - for ports A1-A33
VLAN ID Name | Status Voice Jumbo
------- ----------------- + ---------- ----- ---- 1 DEFAULT_VLAN | Port-based No No
10 VLAN_10 | Port-based Yes No
20 VLAN_20 | Protocol No No
33 GVRP_33 | Dynamic No No
ProCurve#
Figure 7. Example of “Show VLAN Ports” Cumulative Listing
ProCurve# show vlan ports a1-a4 detail
Status and Counters - VLAN Information - for ports A1
Port name: Voice_Port
VLAN ID Name | Status Voice Jumbo Mode
------- ----------------- + ---------- ----- ----- ----- 1 DEFAULT_VLAN | Port-based No No Untagged
10 VLAN_10 | Port-based Yes No Tagged
Status and Counters - VLAN Information - for ports A2
Port name: Uplink_Port
VLAN ID Name | Status Voice Jumbo Mode
------- ----------------- + ---------- ----- ----- ----- 1 DEFAULT_VLAN | Port-based No No Untagged
20 VLAN_20 | Protocol No No Tagged
33 GVRP_33 | Dynamic No No Tagged
Status and Counters - VLAN Information - for ports A3
VLAN ID Name | Status Voice Jumbo Mode
Figure 8. Example of “Show VLAN Ports” Detail Listing
59
Release K.12.11 Enhancements
No enhancements, software never released.
Release K.12.12 Enhancements
No enhancements, software fixes only.
Release K.12.13 Enhancements
No enhancements, software never released.
Release K.12.14 Enhancements
No enhancements, software fixes only.
Release K.12.15 Enhancements
Release K.12.11 Enhancements
Enhancements
Release K.12.15 includes the following enhancement:
■ Enhancement (PR_1000427592) — This enhancement adds the client’s IP address to the
RADIUS accounting packets sent to the RADIUS server by the switch.
The IP address of the client is included in the RADIUS accounting packet sent by the switch to
the RADIUS server. The client obtains the IP address through DHCP, so DHCP snooping must
be enabled for the VLAN of which the client is a member.
■ Enhancement (PR_1000428642) — The SNMP v2c describes two different
notification-type PDUs: traps and informs. Prior to this software release, only the trap’s
sub-type was supported. This enhancement adds support for informs.
Send SNMP v2c Informs
Enabling and Configuring SNMP Informs
You can use the snmp-server informs command (SNMPv2c and SNMPv3 versions) to send notifications
when certain events occur. When an SNMP Manager receives an informs request, it can send an SNMP
response back to the sending agent. This lets the agent know that the informs request reached its
destination and that traps can be sent successfully to that destination.
Informs requests can be sent several times until a response is received from the SNMP manager or
the configured retry limits are reached. The request may also timeout.
60
Enhancements
Release K.12.15 Enhancements
To enable SNMP informs, enter this command:
Syntax: [no] snmp-server enable informs
Enables or disables the informs option for SNMP.
Default: Disabled
To configure SNMP informs request options, use the following commands.
Syntax: [no] snmp-server informs [retries<retries>] [timeout<seconds>] [pending <pending>]
Allows you to configure options for SNMP informs requests.
retries: Maximum number of times to resend an informs request. Default: 3
timeout: Number of seconds to wait for an acknowledgement before resending the
informs request. Default: 30 seconds
pending: Maximum number of informs waiting for acknowledgement at any one
time. When the maximum configured number is reached, older pending informs
are discarded. Default: 25
To specify the manager that receives the informs request, use the snmp-server host command.
Syntax: snmp-server host < ip-address >[<traps | informs>] [version <1 | 2c | 3>]< community-string >
Using community name and destination IP address, this command
designates a destination network-management station for receiving SNMP
event log messages from the switch. If you do not specify the event level,
then the switch does not send event log messages as traps. You can specify
up to 10 trap receivers (network management stations).
Note: In all cases, the switch sends any threshold trap(s) or informs to the
network management station(s) that explicitly set the threshold(s).
[traps | informs>]
Select whether SNMP traps or informs are sent to this management station.
[version <1 | 2c | 3>]
Select the version of SNMP being used.
Note: SNMP informs are supported on version 2c or 3 only.
[<none | all | non-info | critical | debug>]
Options for sending switch Event Log messages to a trap receiver. The levels
specified with these options apply only to Event Log messages, and not to
threshold traps.
61
Release K.12.16 Enhancements
You can see if informs are enabled or disabled with the show snmp-server command as shown in Figure
9.
ProCurve(config)# show snmp-server
SNMP Communities
Community Name MIB View Write Access
---------------- -------- ----------- public Manager Unrestricted
Trap Receivers
Link-Change Traps Enabled on Ports [All] : All
Send Authentication Traps [No] : No
Informs [Yes] : Yes
Address | Community Events Sent in Trap
---------------------- ----------------
------------------ Excluded MIBs
Snmp Response Pdu Source-IP Information
Selection Policy : Default rfc1517
Trap Pdu Source-IP Information
Selection Policy : Default rfc1517
Enhancements
Figure 9. Example Showing SNMP Informs Option Enabled
Release K.12.16 Enhancements
No enhancements, software fixes only.
Release K.12.17 Enhancements
No enhancements, software fixes only.
Release K.12.18 Enhancements
Release K.12.18 includes the following enhancement:
62
Enhancements
Release K.12.19 Enhancements
■ Enhancement (PR_1000428213) — This software enhancement adds the ability to
configure a secondary authentication method to be used when the RADIUS server is
unavailable for the primary port access method. For more information, see the ProCurve
Access Security Guide.
■ Enhancement (PR_1000415155) — The ARP age timer was enhanced from the previous
limit of 240 minutes to allow for configuration of values up to 1440 minutes (24 hours) or
"infinite" (99,999,999 seconds or 3.2 years). For more information, see the ProCurve
Multicast and Routing Guide.
■ Enhancement (PR_1000438015) — The banner message of the day (MOTD) size has been
increased to support up to 3070 characters.
Release K.12.19 Enhancements
No enhancements, software fixes only.
Release K.12.20 Enhancements
No enhancements, software fixes only.
Release K.12.21 Enhancements
Release K.12.21 includes the following enhancement:
■ Enhancement (PR_1000440049) — Classifier-Based Rate Limiting capability was added.
Classifier-Based Rate Limiting (also known as Rate Limit Port ACLs or RL-PACLs) allows
you to create an ACL and apply it on a per-port basis to rate-limit network traffic. For more
information, see the ProCurve Access Security Guide.
■ Enhancement (PR_1000374051) — The 5400zl switches are not detecting packets from
an Avaya G700 PBX or Cajun switch due to irregular Ethernet packets sent by those devices.
This is a workaround that will alter the 5400zl software to allow 100Mb operation on the
upcoming "C" revision of the 1000 Base-T Mini-GBICs (J8177C) that fit in the J8705A module.
The port containing the 1000 Base-T Mini-GBIC can be configured with new speed options
of "auto-100," "100-full," and "100-half."
■ Enhancement (PR_1000443349) — This enhancement is to allow the concurrent use of
SFTP with TACACS+ authentication for SSH connections. For more information, see the
ProCurve Access Security Guide.
63
Release K.12.22 Enhancements
Enhancements
Release K.12.22 Enhancements
Release K.12.22 includes the following enhancement:
■ Enhancement (PR_1000443026) — Support for the new revision "C" Mini-GBICs was
added to the CLI and the "show tech" command.
■ Enhancement (PR_1000444415) — OSPF Passive Interface support was added. For more
information, see the ProCurve Multicast and Routing Guide.
Release K.12.23 Enhancements
Release K.12.23 includes the following enhancement:
■ Enhancement (PR_1000449129) — This enhancement allows MAC or Web-based
authentication to use PEAP/MS-CHAPv2 protocols in addition to the default setting of CHAP.
For more information, see the ProCurve Access Security Guide.
Release K.12.24 Enhancements
No enhancements, software fixes only.
Release K.12.26 through K.12.29 Enhancements
No enhancements; Never built.
Release K.12.30 Enhancements
No enhancements; Never released.
Release K.12.31 Enhancements
Release K.12.31 includes the following enhancement:
■ Enhancement — Support for the following ProCurve product was added.
J9091A / J8715A (bundle) for the ProCurve switch 8212zl
Release K.12.32 Enhancements
Never released. Build K.12.32 includes the following enhancement:
64
Enhancements
Release K.12.33 through K.12.40 Enhancements
■ Enhancement — Merged all of the K.12.24 and earlier software fixes and enhancements
with the ProCurve switch 8212zl support.
Release K.12.33 through K.12.40 Enhancements
No enhancements; Never built.
Release K.12.41 through K.12.42 Enhancements
No enhancements; Never released.
Release K.12.43 Enhancements
Release K.12.43 includes the following enhancement:
■ Enhancement — Support for the following ProCurve products was added.
J9051A ProCurve Wireless Edge Services zl Module
J9052A ProCurve Redundant Wireless Edge Services zl Module
For more information, see “Support for the Wireless Edge Services zl Module” on page 18.
Release K.12.44 Enhancements
Release K.12.44 includes the following enhancement:
■ Enhancement (PR_1000457691) — This enhancement allows the mapping of all
theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some of the VLANs
are not currently configured on the switch. (This enhancement was subsequently improved,
see “Release K.12.51 Enhancements” on page 66.) For more information on MSTP VLANs,
see the ProCurve Advanced Traffic Management Guide.
■ Enhancement (PR_1000457868) — Local Proxy ARP enhancement. For more
information, see the ProCurve Multicast and Routing Guide.
■ Enhancement (PR_1000456271) — PC attached to telephone. (This enhancement was
subsequently removed, see “Release K.12.47 Enhancements” on page 66.) For more
information on endpoint device discovery, see the sections on LLDP-MED in the ProCurve
Management and Configuration Guide. This enhancement was added back with Release
K.12.51 (see “Release K.12.51 Enhancements” on page 66).
65
Release K.12.45 Enhancements
Enhancements
Release K.12.45 Enhancements
No enhancements; Never released.
Release K.12.46 Enhancements
No enhancements; Never released.
Release K.12.47 Enhancements
Release K.12.47 includes the following enhancement:
■ Enhancement Removed (PR_1000468258) — The PC attached to IP telephone
enhancement was removed.
Release K.12.48 Enhancements
Release K.12.48 includes the following enhancement:
■ Enhancement Removed (PR_1000470136) — Removal of the enhancement that allows
the mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if
some of the VLANs are not currently configured on the switch. The initial implementation
of this enhancement did not allow smooth migration of pre-existing MSTP configurations.
(For information on the initial implementation, see “Release K.12.44 Enhancements” on page
65. This enhancement was subsequently improved and re-introduced, see “Release K.12.51
Enhancements” on page 66.).
Release K.12.49 Enhancements
No enhancements; Bug fixes only.
Release K.12.50 Enhancements
No enhancements; Bug fixes only.
Release K.12.51 Enhancements
Release K.12.51 includes the following enhancements:
66
Enhancements
Release K.12.52 Enhancements
■ Enhancement (PR_10004570598) — An improved version of the MSTP-VLAN mapping
enhancement referenced in PR_1000457691 was added. This enhancement allows the
mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some
of the VLANs are not currently configured on the switch. For more information, see the
ProCurve Management and Configuration Guide.
■ Enhancement (PR_1000471015) — Reintroduction of the feature referenced in
PR_1000456271, that will allow a PC to connect with its RADIUS-assigned VLAN after an
attached IP phone has authenticated on the authenticating port. For information on the initial
implementation, see “Release K.12.44 Enhancements” on page 65.
Release K.12.52 Enhancements
Release K.12.52 includes the following enhancement (Never Released.):
■ Enhancement (PR_1000458484) — This enhancement allows the user to set a maximum
frame size for jumbo frames at the global level. For more information, see the ProCurve
Management and Configuration Guide.
■ Enhancement (PR_1000461576) — This enhancement introduces PVST Protection and
Filtering. For more information, see the ProCurve Advanced Traffic Management Guide.
■ Enhancement (PR_1000462841) — This enhancement changes the re-authentication
process to allow an authenticated client to remain authenticated during re-authentication.
For more information, see the ProCurve Access Security Guide.
■ Enhancement (PR_1000462104) — This enhancement allows the configuration of
modules not currently inserted in the switch. For more information, see the ProCurve
Management and Configuration Guide.
■ Enhancement (PR_1000462847) — This enhancement allows the configuration of
transceivers not currently inserted in the switch. For more information, see the ProCurve
Management and Configuration Guide.
Release K.12.53 through K.12.55 Enhancements
No enhancements; Bug fixes only.
Release K.12.56 Enhancements
Release K.12.56 includes the following enhancement:
67
Release K.12.57 Enhancements
■ Enhancement (PR_1000464170) — This feature provides support for adding the LLDP
Enhancements
VLAN Name TLV to LLDP advertisements generated by ProCurve switches. For more
information, see the ProCurve Management and Configuration Guide.
Release K.12.57 Enhancements
Release K.12.57 includes the following enhancement:
■ Enhancement (PR_1000713394) — Adjustable IGMP Querier interval. For more
information, see the ProCurve Management and Configuration Guide.
Release K.12.57 is the last public release of the K.12.xx software. The series 3500yl, 6200yl, 5400zl,
and 8212zl switches software code was rolled to the K.13.0x code branch with no intervening releases.
68
Enhancements
Release K.13.01 Enhancements
Release K.13.01 Enhancements
Release K.13.01 is a major software update containing many new features and enhancements to
existing features, including IPv6 host and application layer features (see “IPv6 Configuration Guide
for 2900/3500/5400/6200/8200” on page 71 for details).
The following enhancements have been documented in the latest revisions to the manuals (January
2008). Refer to the indicated manuals for additional details.
Software Manual/
Enhancements
Management and Configuration Guide
PoE Power Allocation Methods: Allows you to manually alloca te the amount of PoE power for a port by either
its class or a defined value.
USB Secure Autorun: Helps ease the configuration of ProCurve switches by providing a way to
auto-execute CLI commands from a USB flash drive. Note that the ability
to create a valid AutoRun file also requires ProCurve Manager. For details,
see the section on “USB Autorun” in the Appendix on “File Transfers”.
SNMP Traps: Allow you to configure the switch to send n etwork security and link-change
notifications to configured trap receivers. More error conditions can be
reported and logged to help resolve security threats and network issues.
MAC-based Remote Mirroring: Allows you to use MAC as a criteria in selecting traffic that needs to be
monitored in addition to current port, ACL, and direction criteria.
Show Command Changes: The show power-management CLI command has been changed to show
power-over-ethernet. You can use this command and the show power slot
<slot-id> to display information about PoE power.
The show system-information CLI command syntax has been changed to
show system with additional options to display details of system components: fans, information, power-supply, and temperature.
Scalability: Increased max trunks (60); and increased helper address (4k). For scal-
ability values for VLANs, hardware, ARP, and routing, see the new Append ix
titled “Scalability: IP Address, VLAN, and Routing Maximum Values”.
Description
Advanced Traffic Management Guide
STP Root Guard: STP root guard allows user to prevent changes to the root bridge and thus
preventing malicious attackers from modifying the root switch and
ensuring that the STP topology maintain the optimal setting.
QinQ: QinQ (provider bridging) has been added to allow frames from multiple
customers to be forwarded through another topology (provider network)
using service VLANs or S-VLANs. For more information, see the new “QinQ
Provider Bridging” chapter.
69
Release K.13.01 Enhancements
Enhancements
Software Manual/
Description
Enhancements
STP Diagnostics: Adds more diagnostic functions to resolve STP issues. See the section on
“Troubleshooting an MSTP configuration” in the chapter on Multiple
Instance Spanning-Tree Operation.
Routing and Multicast Guide
Host-based OSPF-ECMP: Allows OSPF to add routes with multiple next-hop addresses and with equ al
costs to a given destination IP address.
Access and Security Guide
Dynamic Configuration Arbiter: ProCurve provides different methods (for example, CLI, SNMP, or
IDM/RADIUS) to configure network and security parameters and respond
to threats. This feature allows you to determine the client-specific parameters that are assigned in an authentication session by applying or
removing them as needed in a specified hierarchy of precedence.
RADIUS Attributes: Additional RADIUS attributes included with this release:
• Change of authorization: allows changes to user service without
re-authentication
• Vendor-ID: allows Microsoft RADIUS servers to use vendor ID as part of
the policy
• Capability advertisement: allows the switch to advertise its capability to
the RADIUS server
• Session termination: allows the switch to report to the RADIUS server
the reason a session is terminated
For more information, see the section on “Additional RADIUS Attributes”
in the chapter on “RADIUS Authentication and Accounting”.
RADIUS VLAN Support: Supports RADIUS-assigned tagged and untagged VLAN configuration on
an authenticated port. This allows you, for example, to use IDM to dynamically configure tagged and untagged VLANs as required for different client
devices, such as PCs and IP phones, that share the same switch port. See
the section on “VLAN Assignment in an Authentication Session” in the
chapter on “RADIUS Authentication and Accounting”.
PoE Planning and Implementation Guide
Power Redundancy: Support has been added for PoE redundancy. When PoE redundancy is
enabled, PoE redundancy occurs automatically. The switch keeps track of
power use and won’t supply PoE power to additional PoE devices trying to
connect if that results in the switch not having enough power in reserve for
redundancy if one of the power supplies should fail.
70
Enhancements
Release K.13.02 Enhancements
Software Manual/
Description
Enhancements
Note on Manual Updates:
In addition to the above updates to the manuals, with this release the 8212zl software manuals and
3500/5400/6200 software manuals have been combined into a single manual set. Where features
apply only to a specific model or models, this will be indicated in the chapter or heading for that
feature; for example, "Redundancy (Switch 8212zl)" or "Stack Management for the Series 3500yl
Switches and the 6200yl Switch."
New Product Documentation:
IPv6 Configuration Guide for 2900/3500/5400/6200/8200. Provides background information on
IPv6 technologies and concepts, plus complete coverage of ProCurve's implementation of CLI
commands for configuring IPv6 host and application layer features, including IPv6 addressing, auto
configuration, dual stack support (IPv4/IPv6), Multicast Listener Discovery (MLD), IPv6 management and diagnostics.
The Master Index is a new feature to help find information more readily, providing clickable links
from a combined Master Index PDF to the per Chapter PDF files from all five software manuals. To
locate and access topics across the combined manual set using the index, download the Master
Index zip file from the Web to a directory on your computer.
Release K.13.02 Enhancements
Release K.13.02 includes the following enhancements.
■ Enhancement: Beginning with K.13.02, DHCP can now be enabled on a Management VLAN.
Since, by definition, there is no routing to or from a VLAN configured as a management VLAN,
DHCP relay is still prohibited so the DHCP server must be attached to the management VLAN
for that VLAN to acquire an address. All DHCP options will be supported.
■ Enhancement (PR_1000458124) — VRRP Preemptive Delay Timer. For more
information, see “VRRP Pre-Emptive Delay Timer” on page 71 below.
VRRP Pre-Emptive Delay Timer
In order to maintain availability of the default gateway router, the Virtual Router Redundancy
Protocol (VRRP) advertises a “virtual” router to the hosts. At least two other physical routers are
configured to be virtual routers, but only one router provides the default router functionality at any
given time. If the Owner router or its VLAN goes down, the Backup router takes over. When the Owner
Router comes back on line (Fail-back), it takes control of the virtual IP address that has been assigned
to it. It begins sending out VRRP advertisement packets at regular intervals. The Backup router
receives the VRRP advertisement packet and transitions to the Backup state.
71
Release K.13.02 Enhancements
When OSPF is Also Enabled on the VRRP Routers
When OSPF is enabled on the routers and a Fail-back event occurs, the Owner router immediately
takes control of the virtual IP address and provides the default gateway functionality. If OSPF has
not converged, the route table in the Owner router may not be completely populated. When the hosts
send packets to the default gateway, the Owner router may not know where to send them and packets
may be dropped.
Enhancements
Caution
While you can run OSPF and VRRP concurrently on a router, it is best not to run VRRP with other
routing protocols such as RIP or OSPF on the same interface or VLAN as this can create operational
issues.
Configuring the Preempt Delay Timer
The VRRP Pre-empt Delay Timer (PDT) allows you to configure a period of time before the Owner
router takes back control of the virtual IP address. It does not transition to the Master state until the
timer period expires. The timer value configured should be long enough to allow OSPF convergence
following OSPF updates.
The PDT is applied only during initialization of the router, that is, when the router is rebooting with
the VRRP parameters present in the startup config file.
Syntax: [no] preempt-delay-time <1-600 >
Allows you to specify a time in seconds that the Owner router will wait before taking
control of the virtual IP address and beginning to route packets. You can configure
the timer on VRRP Owner and Backup routers.
Note: If you have configured the Preempt Delay Timer with a non-zero value, you
must use the no form of the command to change it to 0 (zero).
Default: 0 (zero) seconds.
Note
If the PDT is active for a virtual router, you cannot change the router’s mode from Owner to Backup
or Backup to Owner. To change the mode, make the PDT inactive and then reconfigure the mode.
For example:
ProCurve(config)# no vlan 16 vrrp vrid 23 preempt-delay time 12
72
Enhancements
Release K.13.02 Enhancements
where
VID = 16
VRID = 23
PDT = 12 seconds
VRRP Preempt Mode with LACP and Older ProCurve Devices
There can be an issue with VRRP Preempt Mode if an older ProCurve device (2524, 2650, 2848, 3400cl,
or 5300) is the intermediate device connecting to a VRRP router and has LACP set in “enable, passive”
mode. This mode is set by default on older ProCurve devices, whereas it is disabled by default on
later models such as the ProCurve Series 5400zl. ProCurve recommends that you use compatible
LACP settings on devices that connect with VRRP routers on VRRP VLANs.
What Occurs at Startup
When the Owner router comes online, it will wait for the configured amount of time before taking
control of the virtual IP address. This period of time is calculated as follows:
If the value of the Master down time (3 * advertisement interval) is less than or equal to the preempt delay
time, then the Owner router will wait until the Master down time (3 * advertisement interval) has expired.
During this waiting period, if the Owner router receives a VRRP packet for its virtual IP address from
the Backup router, it will wait until the PDT expires before taking control of its virtual IP address. If
the Owner router does not receive any VRRP packets and the Master down time expires, the Owner
router can take control of its virtual IP address immediately.
If the value of the Master down time (3 * advertisement interval) is greater than the preempt delay time,
then the Owner Router will wait until the PDT expires before taking control of its virtual IP address.
Selecting a Value for the PDT
You should select the value for the PDT carefully to allow time for OSPF to populate the Owner
router’s route tables. The choice depends on the following:
■ The OFPF router dead interval—the number of seconds the OSPF router waits to receive a
hello packet before assuming its neighbor is down.
■ The number of router interfaces that participate in OSPF
■ The time it may take from reception of the OSPF packets to when the population of the route
table is completed.
73
Release K.13.02 Enhancements
Enhancements
There are trade-offs between selecting a small advertisement value and a large preempt delay time.
A small advertisement value results in a faster failover to the Backup router. A larger PDT value
allows OSPF to converge before the Owner router takes back control of its virtual IP address.
Choosing a large PDT value (greater than the Master down time) may result in an unnecessary failover
to the Backup router when the VRRP routers (Owner and Backup) start up together. Choosing a large
advertisement interval and thereby a large Master down time results in a slower failover to the Backup
router when the Owner router fails.
Possible Configuration Scenarios
Preempt Delay Time = Zero Seconds. This is the default behavior. It works in the same way that
VRRP works currently.
Preempt Delay Time is Greater Than or Equal to the Master Down Time (3 times the
advertisement interval).
a. An Owner Virtual Router after reboot—waits for the Master Down Time. If the Owner router
does not receive a packet during this time, it becomes the Master. If it receives a VRRP
advertisement from its peer during this time, it waits until the expiration of the preempt
delay time before becoming the Master.
b. A Backup Virtual Router after reboot—waits for the Master Down Time. If the Backup router
does not receive a packet during this time, it becomes the Master. If it receives a VRRP
advertisement from its peer during this time, it waits until the expiration of the preempt
delay time before becoming the Backup.
Preempt Delay Time is Less Than the Master Down Time.
a. Owner router—becomes the Master after expiration of the preempt delay time.
b. Backup router—becomes the Backup after expiration of the preempt delay time.
When the Preempt Delay Time is not Applicable
Once the router has rebooted and is in steady state VRRP operation, the PDT is not applicable if:
■ The VRRP VLAN goes down and comes back up
■ The Virtual Router is disabled and re-enabled
■ VRRP is globally disabled and then re-enabled
Backward Compatibility
If a VRRP router functions with an older version that does not have the pre-empt delay timer
enhancement, it will take over virtual IP address control immediately on start-up or when there is a
fail-back event. There should be no backward compatibility issues.
74
Enhancements
Release K.13.03 Enhancements
Error Messages
Error Error Message
Attempting to assign the preempt delay time to the
Virtual Router before declaring it as an Owner or
Backup
Attempting to assign an out of range preempt delay time
to the Virtual Router instance.
Attempting to change the preempt delay time value
when the Virtual Router is active.
The Virtual Router must be defined as an Owner or Backup
router first.
Invalid input: <out of range value>
VR operation must be “down” prior to modifying VR’s parameters
Release K.13.03 Enhancements
Release K.13.03 includes the following enhancements.
■ Enhancement (PR_1000400991) — The 802.1X Controlled Directions feature now
functions independently of the STP configuration, allowing you to run STP and 802.1X
separately. For more information, see “New CLI Commands” below.
New CLI Commands
These three commands show the administrative state of the controlled-directions:
show port-access authenticator config
show port-access mac-based config
show port-access web-based config
These three commands show the operational state of the controlled-directions:
show port-access authenticator
show port-access mac-based
show port-access web-based
75
Release K.13.04 Enhancements
Enhancements
Release K.13.04 Enhancements
Release K.13.04 includes the following enhancements.
■ Enhancement (PR_ 0000000081) — The CLI clear module command allows you to remove
module configuration information from the configuration file.
Clear Module Configuration
Overview
Because of the hot-swap capabilities of the modules, when a module is removed from the chassis of
a ProCurve series 5400 switch, the module configuration remains in the configuration file. This
enhancement allows you to remove the module configuration information from the configuration file.
Syntax: [no] module <slot>
Allows removal of the module configuration in the configuration file after the
module has been removed. Enter an integer between 1 and 12 for <slot>.
For example:
ProCurve(config)# no module 3
Note
This does not change how hot-swap works.
Operating Notes
The following restrictions apply:
■ The slot being cleared must be empty
■ There was no module present in the slot since the last boot
■ If there was a module present after the switch was booted, the switch will have to be rebooted
before any module (new or same) can be used in the slot.
■ This does not clear the configuration of a module still in use by the switch.
76
Enhancements
Release K.13.04 Enhancements
■ Enhancement (PR_ 0000000082) — The CLI track interface command allows you to
configure tracking for a port or list of ports, or a trunk or list of trunks.
VRRP—Dynamic Priority Change
Overview
This enhancement provides the ability to dynamically change the priority of the virtual router (VR)
when certain events occur. The Backup VR releases virtual IP address control by reducing its priority
when tracked entities such as ports, trunks, or VLANs go down. You can also force the Backup to
take ownership of the VR if you have previously caused it to release control.
In normal VRRP operation, one router (Router-1) is in the Master state and one router (Router-2) is
in the Backup state. Router-1 provides the default gateway for the host. If Router-1 goes down for
any reason, the Backup router, Router-2, provides the default gateway for the host.
VR 1
10.10.10.1
Intranet
(Virtual IP Address)
Router-1
VLAN VID: 22
IP: 10.10.10.21
Router 1 Configuration
VRID: 1
Status: Master
Virtual IP Addr: 10.10.10.1
MAC Addr: 00-00-5E-00-01-01
Priority: 150
Switch
VLAN VID: 22
Host “A”
Router-2
VLAN VID: 22
IP: 10.10.10.23
Router 2 Configuration
VRID: 1
Status: Backup
Virtual IP Addr: 10.10.10.1
MAC Addr: 00-00-5E-00-01-01
Priority: 100
Figure 10. Example VRRP Configuration
If all the tracked entities configured on Router-1 go down, Router-1 begins sending advertisements
with a priority of zero. This causes Router-2 to take control of the virtual IP.
Any applications or routing protocols such as RIP or OSPF on Router-1 that were using its IP address
are no longer able to use that IP interface. Router-1 does not respond to any ARP requests for that
IP address. Router-2 takes control of the IP address and responds to ARP requests for it with the
virtual MAC address that corresponds to VRID-1.
77
Release K.13.04 Enhancements
Enhancements
Note
A Backup VR switches to priority zero instead of its configured value when all its tracked entities go
down. An Owner VR always uses priority 255 and never relinquishes control voluntarily.
CLI Commands
The following commands are used for this enhancement.
Note
You can only configure tracked interfaces or VLANs on the Backup router.
Configuring Track Interface
The track interface command allows you to configure tracking for a port or list of ports, or a trunk or
list of trunks.
Note
VR operation must be down before executing this command. Use the no enable command to disable
VR operation.
Syntax: [no] track interface <port-list/trunk-list>
Allows you to specify a port or port list, or trunk or trunk list, that will be tracked
by this virtual router. If the port or trunk is down, the virtual router switches to
the router specified by the priority value. The command is executed in VRID
instance context.
For example:
ProCurve(config)# vlan 25
ProCurve(vlan-25)# vrid 1
ProCurve(vlan-25-vrid-1)# track interface 10-12, Trk1
78
Enhancements
Release K.13.04 Enhancements
Configuring Track VLAN
The track vlan command allows you to specify a VLAN or range of VLANs to be tracked by the VR.
Notes
VR operation must be down before executing this command. Use the no enable command to disable
VR operation.
The VRs operating VLAN can’t be configured as a tracking VLAN for that VR.
Syntax: [no] track vlan <vlan-id range>
Allows you to specify a VLAN or range of VLANs that will be tracked by this virtual
router. If the VLAN is down, or the VLAN or IP address has been deleted, the virtual
router switches to the router specified by the dynamic priority value. The command
is executed in VRID instance context.
For example:
ProCurve(config)# vlan 25
ProCurve(vlan-25)# vrid 1
ProCurve(vlan-25-vrid-1)# track vlan 10 24-26
Note
When the first tracked port or tracked VLAN comes up after being down, the VR waits for the preempt
delay time before it tries to take control back. The VR resumes being a Backup with its configured
priority as soon as the first tracked entity is up.
The behavior of the VR is not affected by any tracked entities until after the expiration of the preempt
delay time. However, if while waiting for the preempt delay time to expire, a Master goes down, the
VR tries to take control of the virtual IP.
Removing all Tracked Entities
Use the no track command to remove all interfaces and vlans from being tracked.
79
Release K.13.04 Enhancements
Enhancements
Syntax: no track
The command allows you to remove tracking for all configured track entities (ports,
trunks, and VLANs). The command is executed in VRID instance context.
For example:
ProCurve(vlan-25-vrid-1)# no track
Failover Operation
Failover operation involves handing off of the VRs control of the virtual IP to another VR. Once a
failover command is issued, the VR begins sending advertisements with priority zero instead of the
configured priority. When the VR detects a peer VR taking control, it releases control of the virtual
IP and ceases VR operation until a failback is executed. Failover only occurs on a Backup VR
operating as Master.
If you specify the with-monitoring option, the VR continues to monitor the virtual IP after ceasing VR
operation. If the Master VR goes down, it then re-takes control of the virtual IP.
Syntax: failover [with-monitoring]
Allows you to force the Backup VR operating as Master to relinquish ownership of
the VR instance. The command is executed in VRID instance context.
Failback Operation
The failback command forces the Backup VR to take ownership of the VR instance. Failback is
disabled on the Owner VR; it can only be executed on the Backup VR. Failback can only occur on a
VR on which failover or failover with-monitoring has been executed.
Syntax: failback
Forces the Backup VR to take ownership of the VR instance. This command only
takes effect if the Backup VR instance has a higher priority than the current Owner,
which is normal VRRP router behavior. The command is executed in VRID instance
context.
80
Enhancements
Release K.13.04 Enhancements
Displaying the VRRP Configuration
You can display the VRRP tracked entities by entering the command shown in Figure 11.
ProCurve(vlan-25-vrid-1)# show vrrp tracked-entities
VRRP Tracked entities
VLAN ID VR ID Type ID
---------- ---------- ---------- ----------------------------- 25 1 port 7
25 1 port 12
25 1 port 13
25 1 port 14
25 1 vlan 1
Figure 11. Example of show vrrp tracked entities Command
You can display the VRRP configuration by entering the command shown in Figure 12.
ProCurve(vlan-25-vrid-1)# show vrrp vlan 25 vrid 1 config
VRRP Virtual Router Configuration Information
Vlan ID : 25
Virtual Router ID : 1
Administrative Status [Disabled] : Enabled
Mode [Uninitialized] : Owner
Priority [100] : 255
Advertisement Interval [1] : 1
Preempt Mode [True] : True
Preempt Delay Time [0] : 0
Primary IP Address : Lowest
IP Address Subnet Mask
--------------- ---------------
10.10.10.1 255.255.255.0
Figure 12. Example Showing the VRRP Configuration
Operating Notes
• There are no backward compatibility issues with this enhancement. If a VRRP router
has an older firmware version that does not have the dynamic priority changeover
feature, it will not have the needed configuration options.
81
Release K.13.04 Enhancements
Enhancements
• The VRs operating VLAN can’t be configured as a tracking VLAN for that VR.
• Ports that are part of a trunk can’t be tracked.
• A port that is tracked can’t be included in a trunk.
• Trunks that are tracked can’t be removed; you are not able to remove the last port from
the trunk.
• LACP (active or passive) cannot be enabled on a port that is being tracked.
• If a VLAN is removed or a port becomes unavailable, the configuration is retained and
they are tracked when they become available again.
• After the Owner VR relinquishes control of its IP address, that IP address becomes
unavailable to all other applications and routing protocols such as RIP and OSPF.
• To avoid operational issues, it is recommended that VRRP is not run on the same
interface/VLAN with other routing protocols, such as RIP and OSPF.
Error Messages
Track Interface
Message Description
VR must be defined as “backup” first You have to declare a VR as Backup before assigning a
Invalid input: <out of range value> You have to assign a valid port or trunk to the VR instance.
VR operation must be “down” prior to modifying VR’s
parameters
Can’t track a port that is part of a trunk You can’t configure tracking on a port that is a member of
Tracking is disabled on owner You can’t configure a track interface on an Owner VR.
Cannot remove trunk being tracked by VRRP You can’t remove a trunk that is being tracked by a VR
Cannot enable LACP on a VRRP tracked port You can’t enable LACP on a port that is being tracked by a
Too many entities to track You have selected too many entities to be tracked by the
Cannot track trunk/LACP member You can’t track the specified trunk or LACP member.
VRRP tracked port is not allowed in trunk You can’t add this tracked port to a trunk.
VRRP tracked port is not allowed in LACP You can’t use LACP with the tracked port.
Operation is not permitted on VR when it is configured as
owner or is uninitialized.
track interface to it.
You cannot change the track interface when the VR is
active. Use the no enable command to disable the VR.
a trunk.
VR.
VR.
The VR must be a Backup and initialized in order to execute
the operation.
82
Enhancements
Release K.13.04 Enhancements
■ Enhancement (PR_ 0000000084) — DHCP Option 66 provides a way to automatically
download and initially boot from a configuration that is different from the factory-shipped
configuration.
DHCP Option 66 Automatic Configuration Update
Overview
ProCurve switches are initially booted up with the factory-shipped configuration file. This enhancement provides a way to automatically download a different configuration file from a TFTP server
using DHCP Option 66. The prerequisites for this to function correctly are:
• One or more DHCP servers with Option 66 are enabled
• One or more TFTP servers has the desired configuration file.
Caution
This feature must use configuration files generated on the switch to function correctly. If you use
configuration files that were not generated on the switch, and then enable this feature, the switch
may reboot continuously.
CLI Command
The command to enable the configuration update using Option 66 is:
Syntax: [no] dhcp config-file-update
Enables configuration file update using Option 66.
Default: Enabled
ProCurve(config)# dhcp config-file-update
Figure 13. Example of Enabling Configuration File Update Using Option 66
83
Release K.13.04 Enhancements
Enhancements
Possible Scenarios for Updating the Configuration File
The following table shows various network configurations and how Option 66 is handled.
Scenario Behavior
Single Server serving Multiple VLANs • Each DHCP-enabled VLAN interface initiates DHCPDISCOVER
Multiple Servers serving a Single VLAN • Each DHCP-enabled VLAN interface initiates one DHCPDISCOVER
Multiple Servers serving Multiple VLANs • Each DHCP-enabled VLAN interface initiates DHCPDISCOVER and
Multi-homed Server serving Multiple VLANs • The switch perceives the multi-homed server as multiple separate
message, receives DHCPOFFER from the server, and send
DHCPREQUEST to obtain the offered parameters.
• If multiple interfaces send DHCPREQUESTs, it’s possible that more
than one DHCPACK is returned with a valid Option 66.
• Evaluating and updating the configuration file occurs only on the
primary VLAN.
• Option 66 is ignored by any interfaces not belonging to the primary
VLAN.
and receives one or more DHCPOFFER messages.
• Each interface accepts the best offer.
• Option 66 is processed only for the interface belonging to the primary
VLAN.
receives one or more DHCPOFFER messages.
• Each interface accepts the best offer.
• Option 66 is processed only for the interface belonging to the primary
VLAN.
servers.
• Each DHCP-enabled VLAN interface initiates DHCPDISCOVER and
receives one DHCPOFFER message.
• Each interface accepts the offer.
• Option 66 is processed only for the interface belonging to the primary
VLAN.
Operating Notes
Replacing the Existing Configuration File: After the DHCP client downloads the configuration
file, the switch compares the contents of that file with the existing configuration file. If the content
is different, the new configuration file replaces the existing file and the switch reboots.
Option 67 and the Configuration File Name: Option 67 includes the name of the configuration
file. If the DHCPACK contains this option, it overrides the default name for the configuration file
(switch.cfg)
Global DHCP Parameters: Global parameters are processed only if received on the primary VLAN.
Best Offer: The “Best Offer” is the best DHCP or BootP offer sent by the DHCP server in response
to the DHCPREQUEST sent by the switch. The criteria for selecting the “Best Offer” are:
84
Enhancements
Release K.13.04 Enhancements
• DHCP is preferred over BootP
• If two BootP offers are received, the first one is selected
• For two DHCP offers:
– The offer from an authoritative server is selected
– If there is no authoritative server, the offer with the longest lease is selected
Log Messages
The file transfer is implemented by the existing TFTP module. The system logs the following message
if an incorrect IP address is received for Option 66:
Invalid IP address <ip-address> received for DHCP Option 66
■ Enhancement (PR_ 0000000085) — The DHCP relay address configuration enhancement
provides a way to configure a gateway address for the DHCP relay agent to use for DHCP
requests, rather than the DHCP relay agent automatically assigning the lowest-numbered IP
address.
BOOTP/DHCP Relay Gateway
Overview
Previously, the DHCP relay agent selected the lowest-numbered IP address on the interface to use
for DHCP messages. The DHCP server then used this IP address when it assigned client addresses.
However, this IP address may not be the same subnet as the one on which the client needs the DHCP
Service.
This enhancement provides a way to configure a gateway address for the DHCP relay agent to use
for DHCP requests, rather than the DHCP relay agent automatically assigning the lowest-numbered
IP address.
You must be in VLAN context to use this command, for example:
ProCurve# config
ProCurve(config)# vlan 1
ProCurve(vlan-1)#
Syntax: ip bootp-gateway <ip-addr>
Allows you to configure an IP address for the DHCP relay agent to use for DHCP
requests. The IP address must have been configured on the interface.
Default: Lowest-numbered IP address
85
Release K.13.04 Enhancements
Enhancements
If the IP address has not already been configured on the interface (VLAN), you will see the message
shown in Figure 14.
ProCurve# config
ProCurve(config)# vlan 1
ProCurve(vlan-1)# ip bootp-gateway 10.10.10.1
The IP address 10.10.10.1 is not configured on this VLAN.
Figure 14. Example of Trying to Configure an IP Address that is not on this Interface (VLAN)
Displaying the BOOTP Gateway
To display the configured BOOTP gateway for an interface (VLAN) or all interfaces, enter this
command. You do not need to be in VLAN context mode.
Syntax: show dhcp-relay bootp-gateway [vlan <vid>]
Displays the configured BOOTP gateway for a specified VLAN (interface). If a
specific VLAN ID is not entered, all VLANs and their configured BOOTP gateways
display.
Figure 15 shows an IP address being assigned to a gateway for VLAN 22, and then displayed using
the show dhcp-relay bootp-gateway command.
ProCurve(vlan-22)ip bootp-gateway 12.16.18.33
ProCurve(vlan-22)# exit
ProCurve(config)# show dhcp-relay bootp-gateway vlan 22
BOOTP Gateway Entries
VLAN BOOTP Gateway
-------------------- -------------- VLAN 22 12.16.18.33
Figure 15. An Example of Assigning a Gateway to an Interface and then Displaying the Information
86
Enhancements
Release K.13.04 Enhancements
Operating Notes
• If the configured BOOTP gateway address becomes invalid, DHCP relay agent returns
to the default behavior (assigning the lowest-numbered IP address).
• If you try to configure an IP address that is not assigned to that interface, the configuration will fail and the previously configured address (if there is one) or the default
address is used.
■ Enhancement (PR_ 0000000086) — This enhancement allows rate-limiting of inbound
broadcast and multicast traffic on the switch.
Inbound Rate-Limiting for Broadcast and Multicast Traffic
This enhancement allows rate-limiting (throttling) of inbound broadcast and multicast traffic on the
switch. The rate-limiting is implemented as a percentage of the total available bandwidth on the port.
Rate-limiting inbound broadcast or multicast traffic helps prevent the switch from being disrupted
by traffic storms if they occur on the rate-limited port.
You can execute the rate-limit command from the global or interface context, for example:
ProCurve(config)# interface 3 rate-limit bcast in percent 10
or
ProCurve(config)# interface 3
ProCurve(eth-3)# rate-limit bcast in percent 10
Syntax: rate-limit < bcast | mcast > in percent <0-100>
no rate-limit <bcast | mcast> in
Enables rate-limiting and sets limits for the specified inbound broadcast or
multicast traffic. Only the amount of traffic specified by the percent is forwarded.
Default: Disabled
For example, if you want to set a limit of 50 percent on inbound broadcast traffic for port 3, you can
first enter interface context for port 3 and then execute the rate-limit command, as shown in
Figure 1. Only 50 percent of the inbound broadcast traffic will be forwarded.
87
Release K.13.04 Enhancements
ProCurve(config)# int 3
ProCurve(eth-3)# rate-limit bcast in percent 50
ProCurve 3500(eth-3)# show rate-limit bcast
Broadcast-Traffic Rate Limit Maximum %
Port | Inbound Limit Mode Radius Override
----- + ------------- --------- -------------- 1 | Disabled Disabled No-override
2 | Disabled Disabled No-override
3 | 50 % No-override
4 | Disabled Disabled No-override
5 | Disabled Disabled No-override
Enhancements
Figure 1. Example of Inbound Broadcast Rate-limiting of 50% on Port 3
If you rate-limit multicast traffic on the same port, the multicast limit is also in effect for that port,
as shown in Figure 2. Only 20 percent of the multicast traffic will be forwarded.
ProCurve(eth-3)# rate-limit mcast in percent 20
ProCurve(eth-3)# show rate-limit mcast
Multicast-Traffic Rate Limit Maximum %
Port | Inbound Limit Mode Radius Override
----- + ------------- --------- -------------- 1 | Disabled Disabled No-override
2 | Disabled Disabled No-override
3 | 20 % No-override
4 | Disabled Disabled No-override
Figure 2. Example of Inbound Multicast Rate-limiting of 20% on Port 3
To disable rate-limiting for a port enter the no form of the command.
88
Enhancements
Release K.13.04 Enhancements
ProCurve(eth-3)# no rate-limit mcast in
ProCurve(eth-3)# show rate-limit mcast
Multicast-Traffic Rate Limit Maximum %
Port | Inbound Limit Mode Radius Override
----- + ------------- --------- -------------- 1 | Disabled Disabled No-override
2 | Disabled Disabled No-override
3 | Disabled Disabled No-override
4 | Disabled Disabled No-override
Figure 3. Example of Disabling Inbound Multicast Rate-limiting for Port 3
Operating Notes
• This rate-limiting feature does not limit unicast traffic.
• This feature does not include outbound multicast rate-limiting.
For more detailed information about rate-limiting, see the Multicast and Routing Guide for your
switch.
■ Enhancement (PR_ 0000000087) — This enhancement enables a Telnet client to use the
histamine in command input.
DNS Capabilities for Telnet
Overview
This enhancement enables a Telnet client to use the hostname in command input.
Syntax: telnet <ipv4-addr | ipv6-addr | hostname | switch-num>
Initiates an outbound telnet session to another network device. The destination can
be specified as:
• IPv4 address
• IPv6 address
•Hostname
• Stack number of a member switch (1-16) if the switch is a commander
in a stack and stacking is enabled
89
Loading...