E.09.xx software update for the ProCurve 5300 series switch products

© 2004 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice.

Technical Training

E.09.xx software update for the ProCurve 5300 series switch products

Dec 2004

2

E.09.xx firmware update for the ProCurve 5300 series switch products New Features• Connection Rate Filtering (Virus Throttling)

3

E.09.xx firmware update for the ProCurve 5300 series switch products New Features• Connection Rate Filtering (Virus Throttling)• Multiple 802.1X users per port• Concurrent 802.1X and MAC Auth or Web Auth• 802.1X Guest Vlan• Radius authentication for switch manager login

4

E.09.xx firmware update for the ProCurve 5300 series switch products New Features• Connection Rate Filtering (Virus Throttling)• Multiple 802.1X users per port• Concurrent 802.1X and MAC Auth or Web Auth• 802.1X Guest Vlan• Radius authentication for switch manager login• UDP directed broadcast forwarding

5

E.09.xx firmware update for the ProCurve 5300 series switch products New Features• Connection Rate Filtering (Virus Throttling)• Multiple 802.1X users per port• Concurrent 802.1X and MAC Auth or Web Auth• 802.1X Guest Vlan• Radius authentication for switch manager login• UDP directed broadcast forwarding• 802.1ab Link Layer Discovery Protocol (LLDP)

6

E.09.xx firmware update for the ProCurve 5300 series switch products New Features• Connection Rate Filtering (Virus Throttling)• Multiple 802.1X users per port• Concurrent 802.1X and MAC Auth or Web Auth• 802.1X Guest Vlan• Radius authentication for switch manager login• 802.1ab Link Layer Discovery Protocol (LLDP)• UDP directed broadcast forwarding• Multiple configuration files

The Geek Translation

hp


Cold Raw Dead Fish

hp


Cold Raw Dead Fish

hp


Connection Rate

FilteringCold Raw Dead Fish

hp

11

Connection Rate Filtering Most anti-virus software works by preventing infection

Works well but occasionally fails

When it fails, the virus can spread very rapidly and cause lots of damage• Many infected machines• Clogged networks

Example – SQLSlammer, MS-Blaster, SASSER

12





05:29 Jan 25 ‘03 – 0 infected

13





05:29 Jan 25 ‘03 – 0 infected

06:00 Jan 25 ‘03 – 74855 infected

17

Connection Rate Filtering

What does CRF do to reduce the threat?

18


What does CRF do to reduce the threat?• Filter function based on connection rate

only

19


What does CRF do to reduce the threat?• Filter function based on connection rate only• Does not look inside packets for signatures

20


What does CRF do to reduce the threat?• Filter function based on connection rate only• Does not look inside packets for signatures• Functions only on routed traffic (NOT on

switched traffic)

21


What does CRF do to reduce the threat?• Filter function based on connection rate only• Does not look inside packets for signatures• Functions only on routed traffic (NOT on switched

traffic)• Many valid nodes will create false positives

22



traffic)• Many valid nodes will create false positives• Must be manually configured

23



traffic)• Many valid nodes will create false positives• Must be manually configured• Must configure Sensitivity and Response

24

Connection Rate FilteringSensitivity

25


Connection Rate Filtering Sensitivity

Max interval between new IP connection requests from same source

Number of New connections without exceeding max interval Penalty Period

Low 0.1 Second 54 <30 Seconds

Medium 1.0 second 37 30 - 60 Seconds

High 1.0 second 22 60 - 90 Seconds

Aggressive 1.0 second 15 90 - 120 Seconds

26


Connection Rate Filtering Sensitivity

Max interval between new IP connection requests from same source

Number of New connections without exceeding max interval Penalty Period

Low 0.1 Second 54 <30 Seconds

Medium 1.0 second 37 30 - 60 Seconds

High 1.0 second 22 60 - 90 Seconds

Aggressive 1.0 second 15 90 - 120 Seconds

Example: At medium sensitivity, a host may be trigger the filter by issuing 37 new outbound connections in a 36 second period if the gap between any two new connections does not exceed 1 second. When there is a gap that exceeds 1 second, the counter is reset.

27

Connection Rate Filtering Response

• notify-only– Generates event log entry and trap event when

sensitivity threshold exceeded

28


• notify-only– Generates event log entry and trap event when

sensitivity threshold exceeded• throttle

– Generates event log and trap and then blocks routing of traffic from offending host for penalty period defined by sensitivity

– After penalty period the function is reset and routing resumes

29


• notify-only– Generates event log entry and trap event when sensitivity

threshold exceeded• throttle

– Generates event log and trap and then blocks routing of traffic from offending host for penalty period defined by sensitivity

– After penalty period the function is reset and routing resumes

• block– Generates event log and trap and then blocks

routing of traffic from offending host until manually reset by administrator

30

Connection Rate Filtering Typical deployment scenario (not set and forget)

31

Connection Rate Filtering Typical deployment scenario (not set and forget)• Deploy in notify-only mode

32

Connection Rate Filtering Typical deployment scenario (not set and forget)• Deploy in notify-only mode• Set sensitivity to low

33

Connection Rate Filtering Typical deployment scenario (not set and forget)• Deploy in notify-only mode• Set sensitivity to low• Monitor the nodes that are triggering

34

Connection Rate Filtering Typical deployment scenario (not set and forget)• Deploy in notify-only mode• Set sensitivity to low• Monitor the nodes that are triggering• Determine the characteristic of valid traffic

from those nodes

35

Connection Rate Filtering Typical deployment scenario (not set and forget)• Deploy in notify-only mode• Set sensitivity to low• Monitor the nodes that are triggering• Determine the characteristic of valid traffic from

those nodes• Increase sensitivity, or create an exception

ACL for nodes generating false positives

36


those nodes• Increase sensitivity, or create an exception ACL

for nodes generating false positives• Activate throttling or blocking

37


those nodes• Increase sensitivity, or create an exception ACL

for nodes generating false positives• Activate throttling or blocking• Monitor and adjust

38

Connection Rate Filtering What to do with nodes generating legitimate traffic that triggers the CRF?

Use of connection-rate ACLs provides the option to apply exceptions to the configured connection-rate filtering policy.

■ A trusted server exhibiting a relatively high IP connection rate due to heavy demand

■ A trusted traffic source on the same port as other, untrusted traffic sources.

39

Connection Rate Filtering Basic CLI commands [no] connection-rate-filter sensitivity < low | medium | high | aggressive >

Global enable/disable and global sensitivity

40

Connection Rate Filtering Basic CLI commands [no] connection-rate-filter sensitivity < low | medium | high | aggressive >

Global enable/disable and global sensitivity

Reboot the switch after running this command to enable/disable or change CRF sensitivity!

41

Connection Rate Filtering Basic CLI commands [no] filter connection-rate [eth] port-list <notify-only | throttle | block>

Port based configuration of the response

42

Connection Rate Filtering Basic CLI commands [no] ip access-list connection-rate-filter name-str

< ignore | filter > ip < any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask

>< ignore | filter > < udp | tcp >< any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask

>< source-port | destination-port | all-ports >

43

Connection Rate Filtering Basic CLI commands [no] ip access-list connection-rate-filter name-str

< ignore | filter > ip < any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask

>< ignore | filter > < udp | tcp >< any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask

>< source-port | destination-port | all-ports >

ACLs are ONLY required as exceptions to the CRF policy

44

Connection Rate Filtering Config Example

45

Connection Rate Filtering Config example Connection Rate ACL

46

Connection Rate Filtering - Summary CRF is not set and forget

47

Connection Rate Filtering - Summary CRF is not set and forget Operates ONLY on routed traffic

48

Connection Rate Filtering - Summary CRF is not set and forget Operates ONLY on routed traffic Requires a switch reboot after enabling, disabling or changing sensitivity of CRF

49


Once a host has been blocked, it remains in this state regardless of the port setting – must unblock explicitly

50



CRF is host based (host is blocked, not port)

51



CRF is host based (host is blocked, not port) Sensitivity is set globally, response is set per port, filtering is host based

52

Connection Rate Filtering - Benefits Behavior based

53

Connection Rate Filtering - Benefits Behavior based Handles unknown worms

54

Connection Rate Filtering - Benefits Behavior based Handles unknown worms No signature file

55

Connection Rate Filtering - Benefits Behavior based Handles unknown worms No signature file Slows or stops routing of suspect traffic

56

Connection Rate Filtering - Benefits Behavior based Handles unknown worms No signature file Slows or stops routing of suspect traffic Allows switch to continue to operate during attack

57

Connection Rate Filtering - Benefits Behavior based Handles unknown worms No signature file Slows or stops routing of suspect traffic Allows switch to continue to operate during attack Event log and traps help identify the attacker

58

Connection Rate Filtering - Benefits Behavior based Handles unknown worms No signature file Slows or stops routing of suspect traffic Allows switch to continue to operate during attack Event log and traps help identify the attacker Notifies IT and allows time to respond

59

Connection Rate Filtering lab• Requires any 5300 switch and one windows PC with traffic

generation tool installed– Configure routable vlans– Set various sensitivities and responses– Generate traffic to be routed– Observe behavior

www.hp.com/go/hpprocurve

Q&AConnection Rate Filtering

61

Multiple 802.1X users per port – Current Situation

- one client per one 802.1X enabled switch port

62


- one client per one 802.1X enabled switch port- protocol uses multicast address

63


- one client per one 802.1X enabled switch port- protocol uses multicast address- port based authentication

64



- successful authentication by a client opens the port for all traffic

65



- successful authentication by a client opens the port for all traffic

- piggy back attack relatively easy

66

Multiple 802.1X users per port – E.09.xx- Supports up to 32 802.1X clients per port

67

Multiple 802.1X users per port – E.09.xx- Supports up to 32 802.1X clients per port- All authenticated clients must use the same UNTAGGED Vlan

68

Multiple 802.1X users per port – E.09.xx- Supports up to 32 802.1X clients per port- All authenticated clients must use the same UNTAGGED Vlan- Each instance must be associated with a particular source MAC address

69

Multiple 802.1X users per port – E.09.xx- Supports up to 32 802.1X clients per port- All authenticated clients must use the same UNTAGGED Vlan- Each instance must be associated with a particular source MAC address- Associated instance must use only its associated source MAC address as dest. address for 802.1X packets (will prevent confusion of other 802.1X clients connected to the same port)

70

Multiple 802.1X users per port – E.09.xx- Supports up to 32 802.1X clients per port- All authenticated clients must use the same UNTAGGED Vlan- Each instance must be associated with a particular source MAC address- Associated instance must use only its associated source MAC address as dest address for 802.1X packets (will prevent confusion of other 802.1X clients connected to the same port)

- An 802.1X protocol instance must be able to receive unicast 802.1X packets

71


- An 802.1X protocol instance must be able to receive unicast 802.1X packets - Authentication is client based

72


- An 802.1X protocol instance must be able to receive unicast 802.1X packets - Authentication is client based

- successful authentication by a client opens port to traffic with the authenticators SA only

73

Multiple 802.1X users per port – E.09.xx[no] aaa port-access authenticator < [ethernet] <port-list>[control | client-limit |quiet-period | tx-period | supplicant-timeout | server-timeout | max-requests | reauth-period | auth-vid | unauth-vid | initialize | reauthenticate | clear-statistics | logoff-period]

74


Default client limit is 1. Need to explicitly enter value >1 to enable multiple authenticated clients per port

75


Default client limit is 1. Need to explicitly enter value >1 to enable multiple authenticated clients per port

There is no port-based authentication with E.09.xx! All 802.1x authentication in this revision is client based

76


Default client limit is 1. Need to explicitly enter value >1 to enable multiple authenticated clients per port.

There is no port-based authentication with E.09.xx! All 802.1x authentication in this revision is client based

#show config (no port based show command for client limit)..aaa port-access authenticator B2aaa port-access authenticator B2 client-limit 18aaa port-access authenticator active.

77

Multiple 802.1X users per port – E.09.xx

5300

5300

uplink

Is this a valid configuration?

78


5300

5300

uplink

Is this a valid configuration?With 802.1X authentication on uplink?

supplicant

authenticator

79


5300

5300

uplink

Is this a valid configuration?With 802.1X authentication on uplink?What about mixed revisions?

supplicant

authenticator

E.08.xx

E.09.xx

80


5300

5300

uplink

Is this a valid configuration?With 802.1X authentication on uplink?What about mixed revisions?Conclusion?

E.08.xx

E.09.xx

supplicant

authenticator

81


5300

5300

uplink

Is this a valid configuration?With 802.1X authentication on uplink?What about mixed revisions?Conclusion?

E.08.xx

E.09.xx

supplicant

authenticator

Do not enable 802.1X authentication on uplinks!

82

Multiple 802.1X users per port – E.09.xx Summary

•Prior to E.09.xx, 802.1X was port based•E.09.xx is client based

•Possible to run into supplicant incompatibilities or cases where implementation relied on port based behavior

•Not appropriate for switch uplink ports•Maximum of 32 authenticated clients per port•Default client-limit is 1

83

Concurrent 802.1X and web or MAC auth Prior to E.09.xx, 802.1X and Web/MAC auth were mutually exclusive features

84


E.09.xx allows the simultaneous operation of 802.1X and Web/MAC Auth on the same port

85



Concurrent 802.1X and Web Auth operation OR concurrent 802.1X and MAC Auth operation. The ability to run all three (802.1X, Web Auth, MAC Auth) concurrently does not exist

86




Useful for migration where all clients do not have supplicant

87




Useful for migration where all clients do not have supplicant Popular example is the Mitel configuration

88




Useful for migration where all clients do not have supplicant Popular example is the Mitel configuration Total number of clients; 802.1x, web auth, MAC auth, must not exceed 32 on a port

89

Concurrent 802.1X and web or MAC auth802.1x Port Control State

Web or MAC Auth State

Action

Auto Disabled 802.1X performs authentication

Auto Enabled Hybrid authentication, 802.1X authentication result takes precedence to Web or MAC Auth authentication result

Force Authorized Disabled All clients granted access

Force Authorized Enabled Web or MAC auth perform authentication

Force Unauthorized

Don’t Care All clients denied access

90

Concurrent 802.1X and web or MAC auth and Multiple 802.1X users per port

aaa port-access authenticator <port-list> [control <authorized | auto | unauthorized>][client-limit]

91



AND aaa port-access web-based [e] < port-list >

92



AND aaa port-access web-based [e] < port-list > OR aaa port-access mac-based [e] < port-list >

93



AND aaa port-access web-based [e] < port-list > OR aaa port-access mac-based [e] < port-list >

show config..aaa port-access authenticator B2aaa port-access authenticator B2 client-limit 18aaa port-access authenticator activeaaa port-access mac-based B2..

94


The Competition: Enterasys has addressed the problem by allowing multiple 802.1X sessions to concurrently run on a port, with client traffic ultimately filtered by authorized client

Enterasys allows concurrency between their 802.1X and Mac authentication features, however not between their 802.1x and Web Auth features.

Extreme Networks allows concurrency between their 802.1X and Web Auth features. They don’t have MAC auth feature.

95

Concurrent MAC/802.1X example

PC

Configured to use 802.1X authentication

Data vlan = 2 (untagged)

IP Phone

Configured to use MAC authentication

Voice vlan = 50 (tagged)

5300 switch running E.09.xx code

Authenticates phone with MAC auth

Authenticates PC via 802.1X

96

802.1X Guest VLAN In earlier releases, a “friendly” client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security

As a result, the port would become blocked and the client could not access the network

97

802.1X Guest VLAN In earlier releases, a “friendly” client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security


This prevented the client from: ■ Acquiring IP addressing from a DHCP server ■ Downloading the 802.1X supplicant software necessary for an authentication session

98

802.1X Guest VLAN In earlier releases, a “friendly” client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1x access security


This prevented the client from: ■ Acquiring IP addressing from a DHCP server ■ Downloading the 802.1X supplicant software necessary for an authentication session

Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it detects a new client

99

802.1X Guest VLAN The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN

100


In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X client software, and starting the authentication process

101



May want to set up DHCP server and a server that can download 802.1X supplicant on the guest VLAN

102



May want to set up DHCP server and a server that can download 802.1X supplicant on the guest VLAN

Still want to keep the radius server on a protected VLAN

103

802.1X Guest VLAN Use Models for 802.1X Open VLAN Modes; Unauthorized-Client VLAN Configure this VLAN when unauthenticated, friendly clients will need access to some services before being authenticated

104

802.1X Guest VLAN Use Models for 802.1X Open VLAN Modes; Unauthorized-Client VLAN Configure this VLAN when unauthenticated, friendly clients will need access to some services before being authenticated

Authorized-Client VLAN Configure this VLAN for authenticated clients to control the untagged VLAN membership

105

802.1X Guest VLAN summary Avoid using authorized client VLAN on ports with client-limit >1 unless all clients can operate on same untagged VLAN

106


All unauthenticated clients on an unauthorized client VLAN can communicate

107



With 802.1X authentication enabled:aaa port-access authenticator <port-list> [auth-vid <vlan-

id>]

108



With 802.1X authentication enabled:aaa port-access authenticator <port-list> [auth-vid <vlan-id>]

aaa port-access authenticator <port-list> [unauth-vid <vlan-id>]

109



With 802.1X authentication enabled:aaa port-access authenticator <port-list> [auth-vid <vlan-id>]

aaa port-access authenticator <port-list> [unauth-vid <vlan-id>]

Show config..aaa port-access authenticator B2 auth-vid 123..

110

Radius authorization for switch mgr login-Same feature as released in E.08.53

Eliminates login – enable – login again to gain mgr privilege• "[no] aaa authentication login privilege-mode" • Visible by "show running-config" and "show authentication" when

enabled• Radius server service-attribute type Administrative (6) is the

manager privilege level• Radius server service-attribute type NAS-prompt (7) is just the

operator level• Applies to attempts to login via serial console, telnet, or ssh


Q&A802.1X

112

UDP Directed Broadcast Forwarding

113

UDP Directed Broadcast ForwardingRouters don’t forward broadcasts generally, however it

may be desirable for example for DHCP, SNTP etc

114

UDP Directed Broadcast ForwardingRouters don’t forward broadcasts generally, however it may be

desirable for example for DHCP, SNTP etcOnly applies when routing is enabled

115


desirable for example for DHCP, SNTP etcOnly applies when routing is enabledIdentifies broadcast packet to be forwarded by UDP port number

116


desirable for example for DHCP, SNTP etcOnly applies when routing is enabledIdentifies broadcast packet to be forwarded by UDP port number Configured on a per-VLAN basis

117


desirable for example for DHCP, SNTP etcOnly applies when routing is enabledIdentifies broadcast packet to be forwarded by UDP port number Configured on a per-VLAN basisThe UDP forwarder contains a server address table for each configured VLAN. Each server entry contains an IP address and an associated UDP port. A broadcast packet received on the switch will be forwarded based on this configured table

118


desirable for example for DHCP, SNTP etcOnly applies when routing is enabledIdentifies broadcast packet to be forwarded by UDP port number Configured on a per-VLAN basisThe UDP forwarder contains a server address table for each configured VLAN. Each server entry contains an IP address and an associated UDP port. A broadcast packet received on the switch will be forwarded based on this configured tablePacket can be unicast forwarded to a specific host, or bcast forwarded to a destination subnet

119

UDP Directed Broadcast ForwardingPacket processing

A packet received on the switch will get forwarded if the following conditions are met

120


A packet received on the switch will get forwarded if the following conditions are met The received packet is a broadcast packet

121


A packet received on the switch will get forwarded if the following conditions are metThe received packet is a broadcast packetThe destination UDP port of the packet is present in the configured server table

122


A packet received on the switch will get forwarded if the following conditions are metThe received packet is a broadcast packetThe destination UDP port of the packet is present in the configured server tableThe configured server address is either a unicast or a subnet broadcast address

123


A packet received on the switch will get forwarded if the following conditions are metThe received packet is a broadcast packetThe destination UDP port of the packet is present in the configured server tableThe configured server address is either a unicast or a subnet broadcast address

*DHCP forwarding is enabled by default on the 5300 with E.09.xx since this was the behavior in previous releases

124

UDP Directed Broadcast Forwarding[no] ip udp-bcast-forward

Enables broadcast forwarding on the switch

125

UDP Directed Broadcast Forwarding[no] ip udp-bcast-forwardEnables broadcast forwarding on the switch

[no] ip forward-protocol udp <IP-ADDR> <port-num>| <port-name>Configures a forwarding address for specific bcast type

126

UDP Directed Broadcast Forwarding[no] ip udp-bcast-forward

Enables broadcast forwarding on the switch

[no] ip forward-protocol udp <IP-ADDR> <port-num>| <port-name>Configures a forwarding address for specific bcast type

show ip forward-protocol [vlan <VLAN-ID>]Shows bcast forwarding configuration

127

802.1ab Link Layer Discovery Protocol (LLDP)

128

802.1ab Link Layer Discovery Protocol (LLDP) Standards based discovery protocol roughly

equivalent to the proprietary Cisco Discovery Protocol (CDP)

129



5300xl supports CDPv1 and LLDP with E.09.xx code

130



5300xl supports CDPv1 and LLDP with E.09.xx code 3400cl is the first ProCurve product to support only

LLDP

131



5300xl supports CDPv1 and LLDP with E.09.xx code 3400cl is the first ProCurve product to support only LLDP LLDP sent and received

132



5300xl supports CDPv1 and LLDP with E.09.xx code 3400cl is the first ProCurve product to support only LLDP LLDP sent and received LLDP can be disabled (default enabled) not sent,

received, info not stored

133



5300xl supports CDPv1 and LLDP with E.09.xx code 3400cl is the first ProCurve product to support only LLDP LLDP sent and received LLDP can be disabled (default enabled) not sent, received,

info not stored ProCurve Manager today queries the CDP MIB via

SNMP (Later versions will read both CDP & LLDP MIBs (Version 2.0)

134



5300xl supports CDPv1 and LLDP with E.09.xx code 3400cl is the first ProCurve product to support only LLDP LLDP sent and received LLDP can be disabled (default enabled) not sent, received

info not stored ProCurve Manager today queries the CDP MIB via SNMP

(Later versions will read both CDP & LLDP MIBs (Version 2.0) 3400cl will NOT be discovered by any other PNB

product today• It will when LLDP ships on other products (incl.

PCM+)• Receives CDP packets and uses them to update

LLDP information

135

802.1ab Link Layer Discovery Protocol (LLDP) Operating Rules Port Trunking: LLDP manages trunked ports

individually

136

802.1ab Link Layer Discovery Protocol (LLDP) Operating Rules Port Trunking LLDP manages trunked ports individually Spanning-Tree Blocking: Spanning tree does not

prevent LLDP packet transmission or receipt on STP-blocked links

137

802.1ab Link Layer Discovery Protocol (LLDP) Operating Rules Port Trunking LLDP manages trunked ports individually Spanning-Tree Blocking Spanning tree does not prevent

LLDP packet transmission or receipt on STP-blocked links 802.1X Blocking: Ports blocked by 802.1X operation

do not allow transmission or receipt of LLDP packets

138

802.1ab Link Layer Discovery Protocol (LLDP) Operating Rules Port Trunking LLDP manages trunked ports individually Spanning-Tree Blocking Spanning tree does not prevent

LLDP packet transmission or receipt on STP-blocked links 802.1X Blocking Ports blocked by 802.1X operation do not

allow transmission or receipt of LLDP packets IP Address Advertisements: In the default operation,

if a port belongs to only one static VLAN, then the port advertises the lowest-order IP address configured on that VLAN. If a port belongs to multiple VLANs, then the port advertises the lowest-order IP address configured on the VLAN with the lowest VID. If the qualifying VLAN does not have an IP address, the port advertises 127.0.0.1 as its IP address

139

802.1ab Link Layer Discovery Protocol (LLDP)[no] lldp enable <PORT-LIST>

Configures ports to send/rec LLDP :default all enabled[no] lldp run

Starts sending and receiving LLDP :default on lldp interval <seconds>

LLDP transmit interval in seconds :default 30lldp holdtime-multiplier <integer>

Multiples of interval to keep an entry valid :default 4lldp clear

Flushes remote device informationshow lldp [<local-device|remote-devices> [<PORT_LIST>]

[detail] ]

140

802.1ab Link Layer Discovery Protocol (LLDP)

CDP and LLDP do not interact, they are configured independently, transmit and receive their own packets, and maintain separate neighbor tables

141

Multiple Configuration Files Allows storing of three configuration files

• Useful for saving a configuration file for pri/sec flash images• Commands should be familiar with addition of “filename”• # boot [system [flash <primary|secondary>] [config FILENAME]]• # copy config FILENAME tftp ... (tftp options)• # copy config FILENAME-1 config FILENAME-2• # copy tftp config FILENAME ... (tftp options)• # erase startup-config (no change)• # erase config FILENAME• # reload (no change)• # rename config FILENAME-1 FILENAME-2• # startup-default [<primary|secondary>] config FILENAME• # show config files

142

Multiple Configuration Files

Reboot command

Secondary boot path

Running config

Primary boot path

Startup config

Prior to E.09.xx, the same startup config wouldBe used regardless of whether you booted fromPrimary or secondary

143

Multiple Configuration Files

Reboot command

Secondary boot path

Running config

Primary boot path Startup configOptions

File1File2file3

With E.09.xx and newer code, it is possible to Store multiple config files on the switch and chooseWhich version to use for a image specific reboot policy:(# startup-default [<primary|secondary>] config FILENAME)

144

Multiple Configuration FilesHP ProCurve Switch 5304XL(config)# show config files

Configuration files:

id | act pri sec | name --+-------------+----------------------------------------- 1 | * | E0803 2 | * | crf_test 3 | * | E0901

Example shows that there is a config file named “E0803” associated with the primary boot path (pri flash), “E0901”Associated with the secondary boot path, and “crf_test” which is the active config file.


Q&A

Documents

E.09.xx software update for the ProCurve 5300 series switch products