Integrando Cisco y Procurve

1

© 2008 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

ProCurve – Cisco Interoperability

Holger HasenaugHP ProCurve Technical ConsultantCCIE# 6343

Objectives

• Explain the interoperability between Cisco and ProCurve equipments in the same network

• Compare the differences and similarities in features and in configuration

• Interoperability in detail:• At Layer 2: VLANs, Spanning-Tree, Link Aggregation• At Layer 3: IP, VRRP-HSRP, OSPF

• Configure QOS at L2 and L3

2

Content

1. Migrating from a Cisco Infrastructure to a ProCurve Infrastructure

2. VLANs Interoperability3. Spanning-Tree Interoperability4. Hardening Spanning-Tree5. L2 Discovery Protocols LLDP - CDP 6. Gateway redundancy HSRP - VRRP7. POE, IP Phones and QOS8. Network Access Control 9. Layer 2 – layer 3 interfaces10. IP Routing11. Access Control Lists

Conclusion

3

1- Migrating from a Cisco infrastructure to a ProCurve infrastructure

Enterprise Starting Point

5

First Step of Integration

6

Multivlan Uplink

Spanning-Tree

IP Phone SetupQOS

Interoperability

Second Step of Integration

7

OSPF

Link Aggregation

Interoperability

Third Step of Integration

8

Fourth Step of Integration

9

2- VLANs Interoperability

11

VLAN configuration comparisonSwitch-to-Switch connection

ProCurve Cisco

vlan 1untagged a1

vlan 2tagged a1

vlan 3tagged a1

interface GigabitEthernet 1/20switchport switchport trunk encapsulation dot1qswitchport trunk native vlan 1switchport trunk allowed vlan 1-3switchport mode trunkswitchport nonegotiate

11

default

a1 G1/20

Default on access switches

disable Cisco DTP

ProCurve Cisco

Default

For a switch to switch connection between a ProCurve and a Cisco switch carrying multiple VLANs (1-3 in our case) you have to configure the following.

On the ProCurve side you configure for every VLAN port a1 to be a member of. For VLAN 1 we configure port a1 to be an untagged member which corresponds with the native VLAN on the Cisco side.

On the Cisco switch you configure it on the interface instead:

Configure the interface as a switchport, set the encapsulation to 802.1q (dot1q) as Cisco also support a proprietary VLAN encapsulation called ISL. Configure the interface as a switchport trunk. That will automatically allow all configured VLAN’s to pass the interface. Therefore you have to restrict the VLANs with the command “switchport trunk allowed vlan 1-3”. As the switch is sending by default Cisco proprietary Desktop Trunking Protocol (DTP) frames out you may disable this with the command “switchport nonegotiate”. By default the Cisco native VLAN is “1” which basically means that the frames for VLAN 1 are sent out untagged.

12

VLAN configuration comparisonSwitch-to-End Node connection

12

ProCurve Cisco

vlan 2untagged a1

interface GigabitEthernet 1/20 switchportswitchport access vlan 2switchport mode access

a1 G1/20

ProCurve Cisco

The following show how to configure a port for an end-node like a PC or notebook.

On the ProCurve side you configure on the corresponding VLAN port a1 to be an untagged member.

On the Cisco side you configure the interface as a switchport with the mode access. Now you assign the VLAN id to this interface with the command „switchport access vlan 2“.

13

VLAN configuration comparisonSwitch-to-IP-phone connection with PC

13

ProCurve Cisco

vlan 2untagged a1

vlan 3voicetagged a1

interface GigabitEthernet 1/20 switchportswitchport access vlan 2switchport mode access switchport voice vlan 3

a1 G1/20LLDP-MED:Voice VLAN ID=3Mode: tagged

CDPv2:Voice VLAN ID=3Mode: taggedProCurve Cisco

LLDP-MED support has started on Cisco Catalyst switches 3760, 3750, 2960, 2970 switches running 12.2(37)SE and on Cisco Catalyst 6500 running 12.2(33)SXH

LLDP-MED:Voice VLAN ID=3Mode: tagged

Here it is shown how you configure the switch to connect an IP phone (hard phone) with a PC cascaded.

On the ProCurve side you configure the port a1 to be an untagged member of VLAN 2. This is the VLAN for the PC. And you need to configure port a1 to be a tagged member of VLAN 3 which is the id the IP phone may use to send and receive the traffic. That the phone can learn the VLAN id it has to use, you can configure VLAN 3 as a voice VLAN which will start sending out LLDP-MED frames if an IP phone with LLDP-MED support is detected.

On the Cisco side you need to configure on the interface an access VLAN 2 for the PC and a voice VLAN 3 for the IP phone. On older IOS versions this enabled the switch to send out Cisco proprietary CDPv2 information with the voice VLAN id included. Current IOS versions will also send out LLDP-MED frames.

14

VLAN propagation with GVRP or VTP

GVRP Cisco VTP

GARP VLAN Registration Protocol

IEEE Standard

Supported by most switch Vendors and on Cisco CatOS, not on Cisco IOS.

Propagates VLAN Creation

All GVRP nodes are the same

Automatic VLAN tagging based on Edge ports in VLAN

GVRP VLAN learning can be disabled on per port basis

802.1X can trigger VLAN creation

Not Password protected

VLAN Trunking Protocol

Cisco Proprietary protocol

Supported by Cisco and ???. Not supported by ProCurve

Propagates VLAN creation in VTP Domain

Server, Client and Transparent VTP Modes

Allowed VLANs automatically controlled on Cisco “trunks” by VTP Pruning

VLANs filtered on Cisco trunks by VTP pruning

VTP Pruning

Password protected

Dynamic VLAN advertisement in a mixed environment with Cisco Catalyst and HP ProCurve switches.

GVRP provides 802.1Q-compliant VLAN pruning and dynamic VLAN creation. With GVRP, theswitch can exchange VLAN configuration information with other GVRP switches, prune unnecessary broadcast and unknown unicast traffic, and dynamically create and manage VLANs on switches connected through 802.1Q trunk ports.

GVRP is an IEEE standard.

GVRP can also be used to by end stations to advertise the VLAN they would like to join. Currently there are no implementations known to me where this is implemented, e.g. Microsoft, Linux, Apple.

VTP is a Cisco proprietary Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP is a client-server protocol. On a VTP servers you can create, modify, and delete VLANs. VTP servers advertise their VLAN configuration to other switches and synchronize their VLAN configuration with other switches based on advertisements received over trunk links.

VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

VTP-GVRP interaction is possible on Cisco switches running CatOS 5.3 or higher. These Catalyst switches can be configured to distribute the VTP learned or configured VLANs via GVRP to HP ProCurve switches.

The following needs to be configured on the Cisco switch apart from the VTP configuration:

enable GVRP globallyset gvrp enable

enable GVRP on the port connected to an HP Procurve switchset port gvrp enable mod_num/port_num

The following needs to be configured on the HP ProCurve Switch:

Enable GVRP globallygvrp

You may disable GVRP on ports connected to clients:interface <port-list> unknown-vlans disable

The GVRP protocol do not support advertising of VLAN names, therefore you will not see the VTP assigned names on HP ProCurve switches.

Useful show commands

Description ProCurve Cisco

Port status show interface brief show interfaces status

Port counters / utilization show interface <port> show interface <port>

What VLAN are configured?

show vlan show vlan brief

Specific information about a single VLAN.

show vlan <vlan-id> show vlan id <vlan-id>

Which untagged VLAN does a port belong to?

show vlan ports <port> detail

show interfaces status

Is the port a Cisco layer-2 port?

show interfaces <port> switchport

Which VLANs are configured on a port?

show vlan ports <port> detail

show interfaces <port> trunk

Which ports exist with more than one VLAN

show interfaces trunk

15

16

Static Aggregated Ports

16

ProCurve Cisco

trunk a1-a2 trk1 trunk interface Port-channel1

interface GigabitEthernet 1/20channel-group 1 mode on

interface GigabitEthernet 1/21channel-group 1 mode on

a1 G1/20

a2 G1/21

trk1 po1

Here we do not use a dynamic aggregation protocol like LACP

Here we do not use dynamic aggregation protocols like LACP or FEC

Automatically created

ProCurve Cisco

How to configure a static link aggregate between a ProCurve and Cisco switch?

Remember that the naming for a link aggregation is different between ProCurve and Cisco switches.

On the ProCurve side you have to configure a trunk port on which you have to specify the member ports. When you configure the above command „trunk a1-a2 trk1 trunk” you created a trunk port called trk1 in static mode where port a1 and a2 belong to.

On the Cisco side you need to configure the physical interfaces G1/20 and G1/21 to belong to the same channel-group. With the “mode on” command you specifry a static channel. Once you have done this a new interface is created called “port-channel 1”.

17

Dynamic Aggregated Ports using LACP (IEEE 802.3ad)

ProCurve Cisco

trunk a1-a2 trk1 lacp interface Port-channel1

interface GigabitEthernet 1/20channel-group 1 mode <active | passive>

interface GigabitEthernet 1/21channel-group 1 mode <active | passive>

17

Sent LACP frame actively or just respond passively

Use LACP on the trunk interface

Automatically created

17

a1 G1/20

a2 G1/21

trk1 po1ProCurve Cisco

Here is the same setup with using the dynamic link aggregation control protocol LACP.

On the ProCuve side you just specify lacp instead of trunk.

On the Cisco side you configure the mode to either active or passive which corresponds to LACP spoken actively or just passively responding to LACP frames.

Link aggregation to a Cisco Stack or VSS

18

Cisco Virtual Switching System 1440

Standard trunk or LACP trunk

trunk a1-a2 trk1 trunktrunk a1-a2 trk1 lacpProCurve switch

Cisco VSS appears as one switch to which a link aggregation can be set without requiring Spanning-Tree

19

VLAN Interoperability planning

Pay attention to MultiVLAN Ports.1. Make sure Native VLAN on Cisco Trunk = Untagged

VLAN on Tagged port2. Ensure same VLANs are allowed and configured

Note: BPDUs (Spanning Tree, LLDP, LACP) are not attached to the untagged or any VLAN on ProCurve contrarily to Cisco.

19

3- Spanning-Tree Interoperability

21

Spanning-Tree Interoperability

• Introduction to the different STP modes

• MSTP on Cisco and ProCurve• Without 1 MST instance• With load balancing between Instances

• PVST+ on Cisco and MSTP ProCurve

21

We have to distinguish switch configurations for different kind of connections.

- End User ports (PCs, Printer,…)

- IP phone ports

- End User + IP phone ports

- Server ports for one VLAN

- Server ports for multiple VLANs

- Switch-to-Switch ports for one VLANs

- Switch-to-Switch ports for multiple VLANs

- Aggregated ports

22

Support of STP

22

ProCurve Cisco Notes

STP (802.1D) PVST+ PVST BPDUs are STP compatible in VLAN 1

RSTP (802.1w) Rapid PVST Rapid PVST BPDUs are RSTP compatible in VLAN 1

MSTP (802.1s) MSTP (802.1s) The best choice for Interoperability.Caution with pre-implementation of MSTP on Cisco

STP: IEEE 802.1D Standard Spanning TreePVST: Per Vlan Spanning-Tree (Proprietary based on STP 802.1D )Rapid PVST: Proprietary based on RSTP 802.1w)RSTP: Rapid Spanning Tree (802.1w IEEE standard)MSTP: Multi Instance Spanning-Tree (802.1s IEEE standard)

23

IEEE 802.1D and 802.1w

23

Previously there was only one STP for many VLANs

802.1D and 802.1w This left links unused since all

VLANs took the same physical topology.

Before (with STP)

VLANs 1VLANs 2

VLANs 1VLANs 2

Root

VLANs 3

VLANs 3

VLANs 1VLANs 2

VLANs 3

24

MSTP=MST(IEEE 802.1s)

24

In a response to a need to allow standards compliant 802.1D/w/Q switches have multiple logical paths for redundancy, 802.1s, Multiple Spanning Tree Protocol (MSTP), was ratified.

802.1s enhances 802.1Q allowing groups of VLANs to be assigned to different spanning tree instances Instances chosen to match

number of possible logical paths through the layer 2 network. Often times this is only 2 or 3 that are required instead of 100s with PVST.

Now with 802.1s

MSTI-1 Root MSTI-2 Root

VLANs 1,2…VLAN 3,4…



Before (with PVST)

Root of 1

VLANs 1VLANs 2

VLANs 3

VLANs 1VLANs 2

VLANs 3

Root of 2

Root of 3

VLANs 1VLANs 2

VLANs 3

3.1- MSTP Interoperability

Cisco – ProCurve Design 1: MSTP and one instance

26

STP backup root

MSTP

XSTP blocked for all VLANs

MSTP

STP root

Pros: simple, all switches speak the same standard protocolCons: no load balancing

Cisco Cisco

ProCurve

Cisco – ProCurve Design 2: MSTP and load balancing between instances

27

STP root for instance 2

MSTPInstance 2: VLAN 4,5,6

X

STP blocked for instance 2

MSTP

STP root for instance 1

MSTPInstance 1: VLAN 1,2,3

X

STP blocked for instance 1

MSTP

Pros: load balancingCons: more complex to configure and troubleshoot

STP backup rootfor instance 1

STP backup rootfor instance 2

Cisco Cisco

ProCurve

CiscoCisco

ProCurve

Cisco MST 802.1s-2002 compliance

28

To support the compliant IEEE 802.1s-2002 standard, Cisco switches must run at least the following firmware versions :

Cisco Catalyst 2950, 3550, 3560, 3750: IOS 12.2(25)SECCisco Catalyst 4000: native IOS 12.2(25)SGCisco Catalyst 6000: native IOS 12.2(18)SXF or CatOS 8.3

MST concepts

Switches belong to the same MST region if they share the same configuration parameters:1- MST Config Name (32 Bytes, case sensitive)2- MST Revision Number (2 bytes)3- MST Instances which are set by assignment of VLANs

Example of an MST Configuration:

29

Config Name = “building-1"

Revision Number = 1

Instance 1 = VLANs 1, 2, 3

Instance 2 = VLANs 4, 5, 6

Configuring MSTP (802.1s)on ProCurve Switches

Enable MSTP globally:ProCurve(config)# spanning-tree protocol-version mstp

(only required on older switch series)

ProCurve(config)# spanning-tree

Configure your MSTP on all switches equally:ProCurve(config)# spanning-tree config-name building-1ProCurve(config)# spanning-tree config-revision 1ProCurve(config)# spanning-tree instance 1 vlan 1-3ProCurve(config)# spanning-tree instance 2 vlan 4-6

30

Configuring MSTP (802.1s)on Cisco Switches

31

Enable MSTP globally:Cisco(config)# spanning-tree mode mst

Configure your MSTP on all switches equally:Cisco(config)# spanning-tree mst configurationCisco(config-mst)# instance 1 vlan 1-3Cisco(config-mst)# instance 2 vlan 4-6Cisco(config-mst)# name building-1Cisco(config-mst)# revision 1

Configuring MSTP (802.1s)on ProCurve and Cisco Switches

Modify bridge priority to tweak the STP root selection per instance:

ProCurve:ProCurve(config)# spanning-tree <instance-id> priority <priority>

Cisco:Cisco(config)# spanning-tree mst instance-id priority <priority>

32

Configuring MSTP (802.1s)on ProCurve and Cisco Switches

Enable STP edge-port where desired (End User interfaces):

ProCurve:ProCurve(config)# spanning-tree a1 admin-edge-port

The default is auto-edge, where the port role is automatically discovered in between 3 sec.

Cisco:Cisco(config)# interface gigabitethernet0/2Cisco(config-if)# spanning-tree portfast

33

Cisco MSTPWhat BPDUs are sent out of trunk ports?

34

interface GigabitEthernet 1/20switchport trunk encapsulation dot1qswitchport trunk native vlan 1switchport trunk allowed vlan 1-3switchport mode trunk


IEEE 802.1s BPDU

IEEE 802.1s BPDU

MSTP802.1sBPDU CST Information IST Info.

MSTI Info.

…. additional MSTI Info.

MSTP Specific Parameters RSTP and MSTP CommonUntaggedIEEE Destination MAC:01:80:c2:00:00:00

Cisco MSTWhat BPDUs are sent out of access ports?

35

Use trunk ports configuration on inter-switch links and always check that you have “switchport mode trunk“ configured! If you use access ports you create MST region

boundaries.

interface GigabitEthernet 1/20switchport access vlan 10switchport mode access

interface GigabitEthernet 1/20switchport access vlan 10switchport mode accessSwitchport voice vlan 20

IEEE 802.1s BPDU without add. MST instance information

IEEE 802.1s BPDU without add. MST instance information

MSTP802.1sBPDU CST Information IST Info.

MSTI Info.


MSTP Specific Parameters RSTP and MSTP CommonUntaggedIEEE Destination MAC:01:80:c2:00:00:00

36

MSTP Interoperability planning

1) To get standard MSTP BPDU, use Trunk ports on Cisco uplinks.If an Untagged uplink is required, do not use Access port but define Cisco port as a Trunk and allow only the native VLAN!

2) On Cisco: pay attention at the IOS version.Cisco supports a Pre-Version of MSTP which looks like MSTP. You cannot see the difference in commands. It just do not interoperate with standard MSTP

3) Set the MSTP Configuration parameters identical:Name, Revision#, Mapping between VLANs and Instances

36

3.2- PVST - MSTP Interoperability

38

Various Spanning-Tree BPDUs

38

802.1D

PVST+ on Cisco Trunk

ports

UntaggedIEEE Destination MAC:01:80:c2:00:00:00

TaggedCisco Destination MAC:01:00:0c:cc:cc:cd

RSTP802.1w

MSTP802.1s

CST Information IST Info.MSTI Info.


MSTP Specific Parameters RSTP and MSTP Common



VLAN 1 allowed on trunkIEEE Destination MAC:01:80:c2:00:00:00

Untagged for native VLANCisco Destination MAC:01:00:0c:cc:cc:cd

Cisco – ProCurve Design #1 with PVST+

39

PVST+or

RapidPVST+

X STP blocked port

802.1D, 802.1w or 802.1s

STP root for VLAN 1,2,3,4,5,6

Pros: simple and still use PVST+ for backboneCons: no load balancing

STP backup root for VLAN 1,2,3,4,5,6

Cisco Cisco

ProCurve

Cisco – ProCurve Design #1Cisco PVST+ view for VLAN 1

40

IEEE BPDUs are exchanged between all switches

PVST+or

RapidPVST+

X STP blocked port

802.1D, 802.1w or 802.1s

STP root for VLAN 1

STP backup root for VLAN 1

Cisco Cisco

ProCurve

Cisco – ProCurve Design #1Cisco PVST+ view for all other VLANs

41

PVST+or

RapidPVST+

STP root for VLAN 2,3,4,5,6

The ProCurve switch will also block the PVST+ BPDUs as the whole port is blocked. Therefore the right Cisco switch will not receive any PVST+ BPDUthrough the ProCurve switch.

Cisco Cisco

STP backup root for VLAN 2,3,4,5,6

Configuring Rapid PVST+on Cisco Switches

Enable PVST+ globally:Cisco(config)# spanning-tree mode rapid-pvstCisco(config)# spanning-tree extend system-idCisco(config)# spanning-tree pathcost method long

Modify bridge priority to tweak the STP root selection per VLANCisco(config)# spanning-tree vlan 1-2 priority 4096

Modify the interface cost if necessary per VLANCisco(config)# interface gigabitethernet0/2Cisco(config-if)# spanning-tree vlan 1-2 cost 10000

Modify the interface priority if necessary per VLANCisco(config)# interface gigabitethernet0/2Cisco(config-if)#spanning-tree vlan 1-2 port-priority 4

42

Configuring Rapid PVST+on Cisco Switches cont.

Enable STP edge-port where desired (End User interfaces):

Either globally which will affect all non-trunking ports:Cisco(config)# spanning-tree portfast default

Or on per interface basis:Cisco(config)# interface gigabitethernet0/2Cisco(config-if)# spanning-tree portfast

43

Cisco Rapid-PVST+What BPDUs are sent out of trunk ports?

44

If the VLAN 1 is not allowed on a trunk port no IEEE BPDU is sent out !!!



IEEE 802.1w BPDUuntagged PVST BPDU for VLAN 1

PVST BPDU for all tagged VLANS

PVST BPDU for all tagged VLANS (VLAN 2,3)

Cisco Rapid-PVST+What BPDUs are sent out of access ports?

45

Use trunk port configuration on all interswitch links !

interface GigabitEthernet 1/20switchport access vlan 10switchport mode access

interface GigabitEthernet 1/20switchport access vlan 10switchport mode accessSwitchport voice vlan 20

IEEE 802.1w BPDU

untagged PVST BPDU for VLAN 10

PVST BPDU for tagged voice VLAN 20

Cisco – ProCurve Design #1 Cisco RapidPVST+

46

RapidPVST+

XMSTP

STP root for VLAN 1,2,3,4,5,6

Gig2/x Gig2/x

po1po1

a24b24

ProCurve 5406zl configuration:

vlan 1 name managementuntag a24,b24ip address 10.1.1.1/24

vlan 2 tagged a24,b24

vlan 3tagged a24,b24




spanning-tree a1-a20,b1-b20,c1-c24,d1-d24


CiscoCisco

ProCurve


47

RapidPVST+STP root for VLAN 1,2,3,4,5,6

Cisco 6506_left configuration:

spanning-tree mode rapid-pvstspanning-tree extend system-idspanning-tree pathcost method longspanning-tree vlan 1-4094 priority 0

interface Port-channel1no ip addressswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1-6switchport mode trunk

interface GigabitEthernet2/xno ip addressswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1-6switchport mode trunk


X

Gig2/x Gig2/x

po1po1

a24b24

a1-a20,b1-b20,c1-c24,d1-d24

CiscoCisco

ProCurve

MSTP


48

Cisco 6509_right configuration:

spanning-tree mode rapid-pvstspanning-tree extend system-idspanning-tree pathcost method longspanning-tree vlan 1-4094 priority 4096

interface Port-channel1no ip addressswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1-6switchport mode trunk




X

Gig2/x Gig2/x

po1po1

a24b24

a1-a20,b1-b20,c1-c24,d1-d24

CiscoCisco

ProCurve

MSTP

49

PVST - MSTP Interoperability planning

1) On Cisco Trunk inter-switch links, make sure that VLAN 1 is allowed (otherwise only non-standard BPDU’s will be sent)

2) Take special care of the Root and secondary Root setup on VLAN 1 as Cisco and ProCurve switches will interoperate through the standard BPDUs.

3) To get faster convergence, set Rapid-PVST instead of PVST+ on Cisco Switches.

4) On Cisco switches make sure to use the “path cost long” method.

49

Cisco – ProCurve Design #2PVST+ with load balancing

50

STP root for VLAN 4,5,6

PVST+or

RapidPVST+

X STP blocked for VLAN 4,5,6

802.1D, 802.1w or 802.1s


PVST+or

RapidPVST+

XSTP blocked for VLAN 1,2,3

802.1D, 802.1w or 802.1s

Pros: load balancing and PVST+ for backboneCons: more complex to configure and troubleshoot

Be sure to tweak STP that blocking occurs on the Cisco

switches !!!

STP backup root for VLAN 1,2,3

STP backup root for VLAN 4,5,6

Cisco Cisco

ProCurve

Cisco Cisco

ProCurve

Cisco – ProCurve Design #2 Cisco PVST+ view for VLAN 1

51

STP root

Gig2/1Gig2/8

Gig2/1

Gig2/8

po1po1

a24

a24

b24

b24

a1-a20,b1-b20,c1-c24,d1-d24

.

.

.1. Why are the ports b24 on the ProCurve switches in the blocking state and not the ports Gig 2/1 to Gig 2/8 on the right Cisco switch?

STP backup rootsecond lowest Bridge-ID


X

X

CiscoCisco

ProCurve

ProCurve


52

STP root

Gig2/1Gig2/8

Gig2/1

Gig2/8

po1po1

a24

a24

b24

b24

a1-a20,b1-b20,c1-c24,d1-d24

.

.

.



CiscoCisco

ProCurve

ProCurve 2. What do you have to change to block the ports Gig 2/1 and Gig 2/8 on the right Cisco switch?

X X


53

STP

port

cost 20000

STP

port

cost 20000S

TP

por

t co

st 2

0000

ST

P p

ort

cost

200

00

STP port cost 20000STP root

Gig2/1Gig2/8

Gig2/1

Gig2/8

po1po1

a24

a24

b24

b24

a1-a20,b1-b20,c1-c24,d1-d24

.

.

.2. What do you have to change to block the ports Gig 2/1 and Gig 2/8 on the right Cisco switch?


X X

STP port cost 30000


CiscoCisco

ProCurve

ProCurve


54

All tagged Cisco PVST BPDUs which are sent to the Cisco specificmulticast MAC address 01:00:0c:cc:cc:cd are forwarded unchanged

by ProCurve switches as any other frame !!!

STP port cost 20000

STP port cost 20000

STP port cost 20000

X

STP root

Gig2/1Gig2/8 Gig2/1 Gig2/8

po1po1

.

.

1. Why might Spannging-Tree block the ports on po1 for the other VLANs?

2. How do you make sure that the ports Gig2/1 to Gig2/8 of the right Cisco switch are blocking and not po1?

XX

lowest port ID wins

Cisco Cisco


55

All tagged Cisco PVST BPDUs which are sent to the Cisco specificmulticast MAC address 01:00:0c:cc:cc:cd are forwarded unchanged

by ProCurve switches as any other frame !!!

STP port cost 20000

STP port cost 20000

STP port cost 20000STP root

Gig2/1Gig2/8 Gig2/1 Gig2/8

po1po1

.

.2. How do you make sure that the ports Gig2/1 to Gig2/8 of the right Cisco switch are blocking and not po1?

STP port cost 10000

XXX

Cisco Cisco

Cisco – ProCurve Design #2 Design with RapidPVST+

56

RapidPVST+

MSTP


Gig2/x Gig2/x

po1po1

a24 b24

Cisco 6506_left configuration:

spanning-tree mode rapid-pvstspanning-tree extend system-idspanning-tree pathcost method longspanning-tree vlan 1-3 priority 0spanning-tree vlan 4-6 priority 4096

interface Port-channel1no ip addressswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1-6switchport mode trunkspanning-tree vlan 1 cost 30000spanning-tree vlan 2-6 cost 10000


a1-a20,b1-b20,c1-c24,d1-d24

X


XSTP blocked for vlans 4-6

STP blocked for vlans 1-3

Cisco

Cisco

ProCurve

Cisco – ProCurve Design #2 Design with RapidPVST+

57

RapidPVST+STP root for VLAN 1,2,3

Cisco 6509_right configuration:

spanning-tree mode rapid-pvstspanning-tree extend system-idspanning-tree pathcost method longspanning-tree vlan 1-3 priority 4096spanning-tree vlan 4-6 priority 0

interface Port-channel1no ip addressswitchportswitchport trunk encapsulation dot1qswitchport trunk allowed vlan 1-6switchport mode trunkspanning-tree vlan 1 cost 30000spanning-tree vlan 2-6 cost 10000



MSTP

Gig2/x Gig2/x

po1po1

a24 b24

a1-a20,b1-b20,c1-c24,d1-d24

XXSTP blocked for vlans 4-6

STP blocked for vlans 1-3

Cisco

Cisco

ProCurve

58

PVST - MSTP Interoperability planningwith load balancing

1) Start setup as in previous scenario

2) If Cisco switches are in the Core, to get PVST load balancing

– Increase Cost of Inter-Core link in VLAN 1 (E.g.: 30000)

– Reduce Cost of Inter-Core link in other VLANs (E.g.: 10000)

3) Set priorities on Root and Secondary root to get load balancing between VLANs

58

4- Hardening Spanning-Tree

Spanning-Tree problems

Unstable STP can be caused by: Uni-directional links Rogue devices talking STP Permanent STP topology changes due to flapping ports

or End User ports not set to edge mode (portfast) Loops not detected by STP

60

61

Spanning-Tree Hardening Features

Remote-Fault Notification (RFN) using Autonegotiation

Remote-Fault Notification (RFN) using Autonegotiation

Uni-directional Link Detection (UDLD) Uni-directional Link Detection (UDLD)

BPDU-protection BPDU-Guard

Loop-protect Keepalive

Root-Guard Root-Guard

- Loop-Guard

61

ProCurve Cisco

Why do Uni-directional Links cause Problems

• Root transmits BPDUs• Neighbor doesn‘t receive

them and thinks the root is dead now claims it‘s the new root

• Bottom switch opens up ist blocked port loop in the network

• Network goes down, troubleshooting very difficult

62

TX

TX

TX

TX

TX

TX

Uni-directional Link

RX

RX

RX

RX

RX

RX

RX

Root

Remote-Fault Notification (RFN) in the Auto-negotiation against Uni-directional Links

63

RFN is optional but enabled by default on 1000BaseX on Cisco and ProCurve switches when Auto-negotiation is used.

Recommendation: always use Autoneg on 1000BaseX connection

This feature works on Layer-1.

Uni-directional Link Detection (UDLD)

64

UDLD works by exchanging protocol packets between the neighboring devices. In order for UDLD to work, both devices on the link must support UDLD and have it enabled on respective ports.This feature works on Layer-2.

Hello I am switch xyz, port abc

Does not work as Cisco and ProCurve have a different implementation.

Acknowledge hello.

Hello I am switch xyz, port abc

Acknowledge hello.

Cisco

Cisco

Cisco

ProCurve

ProCurve

ProCurve

Uni-directional Link Detection (UDLD)

ProCurve Cisco

Global for all fiber ports:Cisco(config)# udld aggressive

Interface specific:ProCurve(config)# interface a1 ProCurve(eth-a1)# link-keepalive

Or interface specific:Cisco(config)# interface gig0/2Cisco(config-if)# udld port aggressive

Recovery is done automatically Recovery configured globally:Cisco(config)#errdisable recovery cause udld errdisable recovery interval 300(default)

65

UDLD performs tasks that autonegotiation cannot perform, such asdetecting the identities of neighbors and shutting down misconnected ports.

BPDU-Guard, BPDU-protection

ProCurve CiscoGlobal for all ports:Cisco(config)#spanning-tree portfast bpduguard default

Interface specific on global config:ProCurve(config)# spanning-tree a1 bpdu-protection

Or interface specific:Cisco(config)# interface gig0/2Cisco(config-if)#

spanning-tree bpduguard enable

Recovery configured globally:ProCurve(config)# spanning-tree

bpdu-protection-timeout 300

Recovery configured globally:Cisco(config)#errdisable recovery cause bpduguard errdisable recovery interval 300(default)

66

You should not allow STP BPDUs to be received on an end user port. Therefore enable this feature on all End User ports. If a BPDU is received the port is put in an errordisable state (Cisco) or the port is disabled (ProCurve).

Keepalive (Cisco) –Loop-protect (ProCurve)

ProCurve Cisco

Interface specific on global config:ProCurve(config)# loop-protect a1

By default enabled on all copper ports

Recovery configured globally:ProCurve(config)# loop-protect disable-timer 300

Recovery configured globally:Cisco(config)#errdisable recovery cause loopback errdisable recovery interval 300(default)

67

The ProCurve loop-protect feature is an edge-port featureand therefore not intended for interswitch links.

Spanning-Tree Root-Guard

ProCurve Cisco

Interface specific on global config:ProCurve(config)#

spanning-tree a1 root-guard

Interface specific:Cisco(config)# interface gig0/2Cisco(config-if)#

spanning-tree guard root

Recovery is done automatically Recovery is done automatically

68

ProCurve 5406zl configuration:

vlan 1name managementuntag a24,b24ip address 10.1.1.1 255.255.255.0

vlan 2 tagged a24,b24





spanning-treespanning-tree a1-a20,b1-b20,c1-c24,d1-d24 admin-edge-portspanning-tree a1-a20,b1-b20,c1-c24,d1-d24 bpdu-protection spanning-tree bpdu-protection-timeout 300

loop-protect a1-a20,b1-b20,c1-c24,d1-d24loop-protect disable-timer 300

Hardening Spanning-Tree on ProCurve switches

69


XMSTP

Gig2/x Gig2/x

po1po1

a24 b24

a1-a20,b1-b20,c1-c24,d1-d24

CiscoCisco

ProCurve

STP Root Guard

5- Layer-2 Discovery ProtocolsCDP and LLDP

CDP and LLDP

ProCurve Cisco

CDP by default enabled on all ports in receive mode only. Transmitting of CDP packets is no longer supported.

CDP by default enabled on all ports

LLDP by default enabled on all ports Support on LLDP has started on Cisco Catalyst switches series 2960, 3760, 3750 switches running 12.2(37)SE without SNMP MIB support and on Cisco Catalyst 6500 running 12.2(33)SXH

71

CDP TXLLDP TX

LLDP, CDP RX CDP RX

CiscoProCurve

CDP table, CDP MIB

LLDP table, LLDP MIB A Cisco switch is

visible in the LLDP and CDP

table as entries are cross populated

CDP table, CDP MIB

LLDP table Procurve switch visible

Procurve switch NOT visible

LLDP MIB not yet supported

71

6- Gateway Redundancy ProtocolsHSRP - VRRP

Hot Standby Routing Protocol (HSRP)Cisco informational RFC 2281 (March 1998)

73

IP: 10.1.1.2MAC: 0000.0c12.3456vIP: 10.1.1.1vMAC: 0000-0c07.ac00

IP: 10.1.1.3MAC: 0000.0c78.9abcvIP: vMAC:

IP: 10.1.1.21MAC: aaaa.aaaa.aaaaGW: 10.1.1.1ARP: 0000-0c07.ac00

• A group of routers function as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address.

• One active router performs packet forwarding of local hosts

• The rest of the routers provide „hot standby“ in case the local router fails.

• Standby routers stay idle as far as packet forwarding from the client side is concerned.

• Virtual IP address is always pingable and answering to SNMP requests

Client

Active HSRP Router Standby HSRP Router

Cisco Cisco

HSRP configuration example on Cisco Switches

74

active HSRP router:

interface vlan1ip address 10.1.1.2 255.255.255.0standby 1 ip 10.1.1.1standby 1 priority 200standby 1 preempt

standby HSRP router:

interface vlan1ip address 10.1.1.3 255.255.255.0standby 1 ip 10.1.1.1standby 1 priority 190standby 1 preempt

Virtual Router Redundancy Protocol (VRRP)IETF Standard RFC 2338, 3768 (April 1998, April 2004)

75

IP: 10.1.1.1MAC: 0000.0c12.3456vIP: 10.1.1.1vMAC: 0000.5e00.0101

IP: 10.1.1.2MAC: 0000.0c78.9abcvIP: vMAC:

IP: 10.1.1.21MAC: aaaa.aaaa.aaaaGW: 10.1.1.1ARP: 0000.5e00.0101

• A group of routers function as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address.

• One master router performs packet forwarding of local hosts

• The rest of the routers provide backup in case the local router fails.

• Backup routers stay idle as far as packet forwarding from the client side is concerned.

• Virtual IP address is only ping-able and answering SNMP requests on the VRRP owner

Client

Master VRRP RouterOwner of vIP address

Backup VRRP RouterNon-Owner of vIP address

ProCurve ProCurve

VRRP configuration example on ProCurve Switches 3500zl, 5400zl, 6200yl

76

VRRP master router:

router vrrp

vlan1

ip address 10.1.1.1 255.255.255.0

vrrp vrid 1

owner

virtual-ip-address 10.1.1.1

priority 255

enable

exit

exit

VRRP backup router:

router vrrp

vlan1

ip address 10.1.1.2 255.255.255.0

vrrp vrid 1

backup

virtual-ip-address 10.1.1.1

priority 100

enable

exit

exit

7- POE, QOS and IP phones

78

Multi-Vendor SupportShared connections for PC and IP-phone

78

How does IP phone auto-configure the voice VLAN and QoS?1. Auto-config “voice” VLAN and L2/L3 QoS using LLDP-MED (ProCurve switches)

or CDPv2 (Cisco switches)

2. Many phones support “vendor specific” DHCP process for auto-config– Avaya, Alcatel, Mitel, Siemens, ShoreTel etc…

– DHCP server on data VLAN advertises voice VLAN ID and QoS

3. One-time manual configuration– For Cisco, set the admin VLAN ID via the Network Configuration setup when

connecting to a Cisco network

IP phone PC

Untagged data VLAN

tagged voice VLAN

Untagged

data VLAN

DHCPserver

IP PBX

IP network

79

VLAN configuration comparisonSwitch-to-IP-phone connection with PC

79

ProCurve Cisco

vlan 2untagged a1

vlan 3voicetagged a1

interface GigabitEthernet 1/20 switchportswitchport access vlan 2switchport mode access switchport voice vlan 3

a1 G1/20LLDP-MED:Voice VLAN ID=3Mode: tagged

CDPv2:Voice VLAN ID=3Mode: taggedProCurve Cisco

LLDP-MED support has started on Cisco Catalyst switches 3760, 3750, 2960, 2970 switches running 12.2(37)SE and on Cisco Catalyst 6500 running 12.2(33)SXH

LLDP-MED:Voice VLAN ID=3Mode: tagged

Here it is shown how you configure the switch to connect an IP phone (hard phone) with a PC cascaded.

On the ProCurve side you configure the port a1 to be an untagged member of VLAN 2. This is the VLAN for the PC. And you need to configure port a1 to be a tagged member of VLAN 3 which is the id the IP phone may use to send and receive the traffic. That the phone can learn the VLAN id it has to use, you can configure VLAN 3 as a voice VLAN which will start sending out LLDP-MED frames if an IP phone with LLDP-MED support is detected.

On the Cisco side you need to configure on the interface an access VLAN 2 for the PC and a voice VLAN 3 for the IP phone. On older IOS versions this enabled the switch to send out Cisco proprietary CDPv2 information with the voice VLAN id included. Current IOS versions will also send out LLDP-MED frames.

Cisco IP phone boot processCDPv2 and pre-standard PoE

80

Cisco pre-standard PoE: Fast Link Pulse

Reflected Fast Link Pulse

CDP: Power requirement

CDP: voice VLAN ID

DHCP request in voice VLAN

DHCP response: IP add., Gateway, TFTP server

TFTP request for configuration

TFTP request of configuration

SCCP or SIP registration with Callmanager

Cisco7960G

Cisco7940G

Switch

DHCP Server

Cisco Callmanager

Cisco IP phone boot processLLDP-MED and 802.3af PoE

81

IEEE 802.3af: Apply voltage and classify device

Return current

LLDP-MED: PoE requirement, firmware, serial#

LLDP-MED: voice VLAN ID, etc …

DHCP request in voice VLAN

DHCP response: IP add., Gateway, TFTP server

TFTP request for configuration

TFTP request of configuration

SCCP or SIP registration with Callmanager

Cisco7941/42/61/62G

Cisco7970/71/75G

Switch

DHCP Server

Cisco Callmanager

LLDP-MED is supported in the following models since release 8.3(3):

7906G, 7911G, 7931G, 7941G/7941G-GE, 7942G, 7945G, 7961G/7961G-GE, 7962G, 7965G, 7970G/7971G-GE, 7975G

Cisco7945/65G

(CDPv2 is still supported)

LLDP example

82

ProCurve Switch 5406zl# show run

vlan 3name "data"untag a1, ...exit

vlan 6name "IP phone"qos priority 6tagged a1, ...voiceexit

a1LLDP-MED:Voice VLAN ID=3Mode: tagged

ProCurve

Cisco IP phone

ProCurve Switch 5406zl# show vlan port a1 detailed

Status and Counters - VLAN Information - for ports A1

VLAN ID Name | Status Voice Jumbo Mode ------- -------------------- + ---------- ----- ----- --------3 data | Port-based No No Untagged6 IP phone | Port-based Yes No Tagged

ProCurve Switch 5406zl# show lldp info remote-device

LLDP Remote Devices Information

LocalPort | ChassisId PortId PortDescr SysName--------- + ------------------------- ------ --------- ----------------------A1 | 192.168.0.33 000... SW PORT SEP000F2322DDAA.cis...

Display detailed LLDP information

Footer text 83HP ProCurve Confidential

ProCurve Switch 3500yl-24G# show lldp info remote-device a1

LLDP Remote Device Information Detail

Local Port : A1ChassisType : network-addressChassisId : 192.168.0.33PortType : localPortId : 000F2322DDAA:P1SysName : SEP000F2322DDAA.cisco.comSystem Descr : Cisco IP Phone CP-7970G,V, SIP70.8-3-3SPortDescr : SW PORT

System Capabilities Supported : bridge, telephoneSystem Capabilities Enabled : bridge, telephone

Remote Management AddressType : ipv4Address : 192.168.0.33

MED Information DetailEndpointClass :Class3Media Policy Vlan id :6Media Policy Priority :6Media Policy Dscp :0Media Policy Tagged :TruePoe Device Type :PDPower Requested :63Power Source :From PSEPower Priority :Unknown

Enabling QoS in the Access LayerCongestion Scenario: Data + VoIP

84

P1 P0

During Data Traffic Bursts, Buffers can become congested, causing voice packets to be dropped

P0

P1P2

Data max 100 Mbps

IP phone integrated 3-port switchVoice

max.

80 Kbps

Potential Congestion Points

Access switch PC

Different traffic need different prioritization

85

Voice StreamRTP

IP Phone B

IP Phone A

Signali

ng

SIP, H

.323,

Skinny (

SCCP)

Signaling

SIP, H.323, Skinny (SCCP)

PC PC

data data

IP network

PC withSoftphone

IP PBX

86

QOS Default on ProCurve

L2 QOS (802.1p) is trusted by default

If Phone send tagged frames with 802.1p priority, it is trusted

No additional setup is needed

L3 QOS (DSCP) is trusted

It has to be enabled

qos type-of-service diff-services

A mapping between dscp and 802.1p has to exist

show qos dscp-map

QoS classification #1 for hard phones (no trust)

87

qos type-of-service diff-services

vlan 1name datauntagged a1-a20,b1-b20,c1-c24,d1-d24,e1-e24,f1-f24tagged a24,b24qos dscp 000000

vlan 2name voicetagged a1-a20,a24,b1-b20,b24,c1-c24,d1-d24 ,e1-e24,f1-f24qos dscp 101110

qos dscp-map 000000 priority 0 name BEqos dscp-map 101110 priority 7 name EF

Classification based on VLANs and overriding DSCP bits (Marking)

Mapping of DSCP values for the queues

(46)

(0)

Enabling recognition of L3 QOS / DSCP code points

8- Network Access Control

89

Deep Dive on NAC 89

Multi-user authentication on the same port802.1X - MAC auth.– WEB auth.

89

1. Secure authentication of IP phone and PC with a single connection 802.1x – Mac - Web

2. LLDP-MED to auto-provision phone with voice VLAN and QoS

3. LLDP-MED for detailed topology, phone inventory management, and location...

4. Dynamic assignment of untagged data and tagged voice VLAN accoreding to RFC 4675

LDAP, AD, Flat File

VLAN, QoS, ACL, Rate-limit

IDM

UserDatabase

LLDP-MED

RADIUS

multi-user authentication

RFC 4675

IEEE 802.3af

More interest across EMEA support provision location info

-In phones, for use in E-112 emergency calls.

Switch port is fixed when provisioned (unlike phone/user) – best place

Then LLDP-MED communicates info to phone

Esp true - consider VoWiFi / PDA – best way - wireless network controller

•ProCurve working to extend LLDP-MED to support physical location suitable for use by WLAN and other wireless standards

------------------------

Legacy PBX

•E911 physical location corresponded to phone number (static)

•Moving phone required manual re-provisioning

IP Telephony Challenge

•Users can pick-up phones and simply move them (just like a PC)

•Every Access Network, without exception, must provide means to obtain location

•Self reported location is notoriously inaccurate, especially forroaming or nomadic users

•LLDP-MED can enable automatic physical location acquisition, but 89

90

90

802.1X Multi-user Authentication with Cisco IP Phone and Windows PC

5406zl# show port-access authenticator a1 clients

Port Access Authenticator Client StatusPort Client Name MAC Address IP Address Session Status----- ----------------------- ------------- ------------- --------------a1 CP-7970G-SEP000F2322... 000f23-22ddaa n/a Opena1 PROCURVE\aeinstein 0010a4-a75fc5 n/a Open

5406zl# show port-access authenticator a1 clients detailed

Port Access Authenticator Client Status DetailedClient Base Details :Port : a1Session Status : Open Session Time(sec) : 0Frames In : 0 Frames Out : 0Username : CP-7970G-SEP000F2322... MAC Address : 000f23-22ddaaIP : n/aAccess Policy Details :COS Map : 00000000 In Limit % : 0Tagged VLANs : 6 Out Limit % : 0RADIUS-ACL List : No Radius ACL List

Client Base Details :Port : a1Session Status : Open Session Time(sec) : 0Frames In : 0 Frames Out : 0Username : PROCURVE\aeinstein MAC Address : 0010a4-a75fc5IP : n/aAccess Policy Details :COS Map : 00000000 In Limit % : 0Untagged VLAN : 3 Out Limit % : 0RADIUS-ACL List : No Radius ACL List

9- Layer 2 and Layer 3 interfaces

Layer-2 Interfaces

ProCurve Cisco

Layer-2 port configuration:

vlan 1untagged a1

Enabled layer-2 protocols by default:

- HP stacking (on most switches)- LACP passive (on some switches)- LLDP

Layer-2 port configuration:

interface GigabitEthernet 1/20switchport


- Cisco DTP protocol - Cisco VTP protocol- Cisco PVST+ protocol- Cisco CDP protocol- Keepalive (on copper ports)

92

93

Layer-3 Interfaces

Vlan100:1.1.1.2

Network 1.1.1.0/30

int g1/201.1.1.1

Network 2.2.2.0/24 Network 3.3.3.0/24

User Network 1 Transfer Network User Network 2

CiscoProCurve

Layer-3 Interfaces

94

ProCurve Cisco

Layer-3 port configuration:vlan 100untagged a1ip address 1.1.1.2 255.255.255.252


- HP stacking (on most switches)- LLDP

Layer-2 protocols to be disabled per port if globally enabled:

Spanning-tree:(config)# spanning-tree a1 bpdu-filter

GVRP: (config)# no interface a1(config-eth-a1)#unknown-vlans disable

Layer-3 port configuration:interface GigabitEthernet 1/20no switchportip address 1.1.1.1 255.255.255.252


- Cisco CDP protocol- Keepalive (on copper ports)

A separate VLAN for transfer layer-3 subnet needs to be created

10- IP Routing

OSPF

96

int Vlan1:1.1.1.2

Network 1.1.1.0/30

Network 2.2.2.0/24 Network 3.3.3.0/24

User Network 1 Transfer Network User Network 2

CiscoProCurve

OSPF area 0

Vlan1:1.1.1.1

OSPF

ProCurve Ciscorouter ospf

area 0

interface loopback 1

ip address 99.99.99.1

ip ospf 99.99.99.1 area 0

vlan 1

ip address 1.1.1.1 255.255.255.0


ip ospf cost 10

vlan 2

ip address 2.2.2.1 255.255.255.0

ip ospf 2.2.2.1 passive


ip ospf cost 10

router ospf 1

passive-interface Vlan3

network 1.1.1.2 0.0.0.0 area 0

network 3.3.3.1 0.0.0.0 area 0

network 99.99.99.2 0.0.0.0 area 0

interface Loopback1

ip address 99.99.99.2 255.255.255.255

ip ospf cost 10

interface Vlan1

ip address 1.1.1.2 255.255.255.0

ip ospf cost 10

interface Vlan3

ip address 3.3.3.1 255.255.255.0

ip ospf cost 10

97

OSPF differences

Cisco to be enabled with network statement globally ProCurve to be enabled on the VLAN Redistribution differences ProCurve: always NBMA Cisco: highest loopback IP used as router ID ProCurve: lowest loopback IP used as router ID ProCurve: loopback always /32 mask ProCurve: OSPF link cost is “1” by default (same on

Cisco VLAN interfaces)

98

ACL on ProCurve

ProCurve OS supports• Standard & Extended ACL• Numbered (1-99, 100-200) & Named ACLs• Routed ACL (applied to Inbound and Outbound routed traffic)• VLAN ACL (applied to inbound switched traffic)• Static and Dynamic Port ACL (applied to inbound switches traffic)

99

VLAN ACL

Port ACL

Routed ACLL3

L2 L2

ACL on ProCurve

ACL exampleProCurve(config)# ip access-list extended visitorsProCurve(config-acl)# deny ip any 10.0.0.0/8ProCurve(config-acl)# permit udp any any eq dnsProCurve(config-acl)# permit tcp any any eq httpProCurve(config-acl)# deny ip any any logProCurve(config-acl)# exitProCurve(config)# vlan 100 ip access-group visitors in

100

Manage ACL on ProCurve

ACL entries are numbered. ProCurve(config)# show access-list configip access-list extended “visitors"10 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.0.0.255 20 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq dns30 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq http40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 logexit

Sequence number can be changed and used for insertion and removal.E.g.: Insert an entry (numbered are assigned by range of 10)ProCurve(config-acl)# 5 permit ip any host 10.1.234.172ProCurve(config-acl)# 25 remark “permit dns and http”

E.g: Remove an entryProCurve(config-acl)# no 20

101

Create ACL Offline and load it to Running config

For a large ACL use offline method to edit your ACL1. move your existing ACL if any to a TFTP serverProCurve# copy command-output 'show access-list config' tftp

10.1.1.100 acl02.txt pc

2. Edit ACL offline using a text (.txt) file format 3. use TFTP to load an offline ACL into the switch’s running-config

ProCurve(config)# copy tftp command-file 10.10.10.1 acl02.txt pcRunning configuration may change, do you want to continue [y/n]? Y

102

Conclusion

Conclusion

Interoperability works! VLAN interoperability is quite easy to manage For link aggregation use no protocols or LACP Pay special attention to Spanning-Tree

– Prefer MSTP whenever possible– Or Rapid-PVST on Cisco with RSTP/MSTP on

ProCurve– Make sure VLAN 1 is allowed on Cisco trunks

IP Routing protocols interoperates

104

For further interoperability questions

For further questions about Cisco to ProCurve interoperability projects, please contact:

-in every EMEA country: the ProCurve EMEA Technical Consultants

-In EMEA: Jean-Maurice Mérel, CCIE #[email protected]+33 6 86 46 64 90

105

Documents

Integrando Cisco y Procurve