Integrating Cisco and ProCurve
TRANSCRIPT
© 2008 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
ProCurve – Cisco Interoperability
Holger Hasenaug, HP ProCurve Technical Consultant, CCIE# 6343
Objectives
• Explain the interoperability between Cisco and ProCurve equipment in the same network
• Compare the differences and similarities in features and in configuration
• Interoperability in detail:
  • At Layer 2: VLANs, Spanning-Tree, Link Aggregation
  • At Layer 3: IP, VRRP-HSRP, OSPF
• Configure QOS at L2 and L3
Content
1. Migrating from a Cisco Infrastructure to a ProCurve Infrastructure
2. VLANs Interoperability
3. Spanning-Tree Interoperability
4. Hardening Spanning-Tree
5. L2 Discovery Protocols LLDP - CDP
6. Gateway redundancy HSRP - VRRP
7. POE, IP Phones and QOS
8. Network Access Control
9. Layer 2 – layer 3 interfaces
10. IP Routing
11. Access Control Lists
Conclusion
1- Migrating from a Cisco infrastructure to a ProCurve infrastructure
Enterprise Starting Point

First Step of Integration
(Interoperability topics in this step: Multivlan Uplink, Spanning-Tree, IP Phone Setup, QOS)

Second Step of Integration
(Interoperability topics in this step: OSPF, Link Aggregation)

Third Step of Integration

Fourth Step of Integration
2- VLANs Interoperability
VLAN configuration comparison: Switch-to-Switch connection

ProCurve (port a1, default on access switches):
vlan 1
   untagged a1
vlan 2
   tagged a1
vlan 3
   tagged a1

Cisco (interface G1/20):
interface GigabitEthernet 1/20
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
 switchport nonegotiate        (disables Cisco DTP)
For a switch-to-switch connection between a ProCurve and a Cisco switch carrying multiple VLANs (1-3 in our case) you have to configure the following.
On the ProCurve side you configure, in every VLAN, port a1 to be a member. For VLAN 1 we configure port a1 to be an untagged member, which corresponds to the native VLAN on the Cisco side.
On the Cisco switch you configure it on the interface instead:
Configure the interface as a switchport and set the encapsulation to 802.1q (dot1q), as Cisco also supports a proprietary VLAN encapsulation called ISL. Configure the interface as a switchport trunk. That will automatically allow all configured VLANs to pass the interface, therefore you have to restrict the VLANs with the command "switchport trunk allowed vlan 1-3". As the switch by default sends out Cisco proprietary Dynamic Trunking Protocol (DTP) frames, you may disable this with the command "switchport nonegotiate". By default the Cisco native VLAN is "1", which basically means that the frames for VLAN 1 are sent out untagged.
VLAN configuration comparison: Switch-to-End Node connection

ProCurve (port a1):
vlan 2
   untagged a1

Cisco (interface G1/20):
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access
The following shows how to configure a port for an end node like a PC or notebook.
On the ProCurve side you configure port a1 to be an untagged member of the corresponding VLAN.
On the Cisco side you configure the interface as a switchport with the mode access. Then you assign the VLAN id to this interface with the command "switchport access vlan 2".
VLAN configuration comparison: Switch-to-IP-phone connection with PC

ProCurve (port a1; the switch tells the phone via LLDP-MED: Voice VLAN ID = 3, Mode: tagged):
vlan 2
   untagged a1
vlan 3
   voice
   tagged a1

Cisco (interface G1/20; the switch tells the phone via CDPv2, and on current IOS also via LLDP-MED: Voice VLAN ID = 3, Mode: tagged):
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3

LLDP-MED support has started on Cisco Catalyst 3760, 3750, 2960 and 2970 switches running 12.2(37)SE and on Cisco Catalyst 6500 running 12.2(33)SXH.
Here it is shown how you configure the switch to connect an IP phone (hard phone) with a PC cascaded behind it.
On the ProCurve side you configure port a1 to be an untagged member of VLAN 2. This is the VLAN for the PC. And you need to configure port a1 to be a tagged member of VLAN 3, which is the id the IP phone may use to send and receive its traffic. So that the phone can learn the VLAN id it has to use, you configure VLAN 3 as a voice VLAN, which makes the switch send out LLDP-MED frames if an IP phone with LLDP-MED support is detected.
On the Cisco side you need to configure on the interface an access VLAN 2 for the PC and a voice VLAN 3 for the IP phone. On older IOS versions this enables the switch to send out Cisco proprietary CDPv2 information with the voice VLAN id included. Current IOS versions will also send out LLDP-MED frames.
VLAN propagation with GVRP or VTP

GVRP (ProCurve):
- GARP VLAN Registration Protocol
- IEEE Standard
- Supported by most switch vendors and on Cisco CatOS, not on Cisco IOS.
- Propagates VLAN creation
- All GVRP nodes are the same
- Automatic VLAN tagging based on edge ports in VLAN
- GVRP VLAN learning can be disabled on a per-port basis
- 802.1X can trigger VLAN creation
- Not password protected

Cisco VTP:
- VLAN Trunking Protocol
- Cisco proprietary protocol
- Supported by Cisco and ???. Not supported by ProCurve
- Propagates VLAN creation in VTP Domain
- Server, Client and Transparent VTP Modes
- Allowed VLANs automatically controlled on Cisco "trunks" by VTP Pruning
- VLANs filtered on Cisco trunks by VTP pruning
- Password protected
Dynamic VLAN advertisement in a mixed environment with Cisco Catalyst and HP ProCurve switches.
GVRP provides 802.1Q-compliant VLAN pruning and dynamic VLAN creation. With GVRP, the switch can exchange VLAN configuration information with other GVRP switches, prune unnecessary broadcast and unknown unicast traffic, and dynamically create and manage VLANs on switches connected through 802.1Q trunk ports.
GVRP is an IEEE standard.
GVRP can also be used by end stations to advertise the VLAN they would like to join. Currently there are no implementations known to me where this is implemented, e.g. Microsoft, Linux, Apple.
VTP is a Cisco proprietary Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP is a client-server protocol. On a VTP server you can create, modify, and delete VLANs. VTP servers advertise their VLAN configuration to other switches and synchronize their VLAN configuration with other switches based on advertisements received over trunk links.
VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
VTP-GVRP interaction is possible on Cisco switches running CatOS 5.3 or higher. These Catalyst switches can be configured to distribute the VTP-learned or configured VLANs via GVRP to HP ProCurve switches.
The following needs to be configured on the Cisco switch apart from the VTP configuration:
Enable GVRP globally:
set gvrp enable
Enable GVRP on the port connected to an HP ProCurve switch:
set port gvrp enable mod_num/port_num
The following needs to be configured on the HP ProCurve switch:
Enable GVRP globally:
gvrp
You may disable GVRP on ports connected to clients:
interface <port-list> unknown-vlans disable
The GVRP protocol does not support advertising of VLAN names, therefore you will not see the VTP-assigned names on HP ProCurve switches.
Useful show commands

Description                                  ProCurve                         Cisco
Port status                                  show interface brief             show interfaces status
Port counters / utilization                  show interface <port>            show interface <port>
What VLANs are configured?                   show vlan                        show vlan brief
Specific information about a single VLAN     show vlan <vlan-id>              show vlan id <vlan-id>
Which untagged VLAN does a port belong to?   show vlan ports <port> detail    show interfaces status
Is the port a Cisco layer-2 port?            -                                show interfaces <port> switchport
Which VLANs are configured on a port?        show vlan ports <port> detail    show interfaces <port> trunk
Which ports exist with more than one VLAN?   -                                show interfaces trunk
Static Aggregated Ports

ProCurve (ports a1 and a2 form trk1; no dynamic aggregation protocol like LACP is used):
trunk a1-a2 trk1 trunk

Cisco (interfaces G1/20 and G1/21 form po1; no dynamic aggregation protocol like LACP or FEC is used):
interface GigabitEthernet 1/20
 channel-group 1 mode on
interface GigabitEthernet 1/21
 channel-group 1 mode on
(interface Port-channel1 is created automatically)
How to configure a static link aggregate between a ProCurve and Cisco switch?
Remember that the naming for a link aggregation is different between ProCurve and Cisco switches.
On the ProCurve side you have to configure a trunk port on which you have to specify the member ports. When you configure the above command "trunk a1-a2 trk1 trunk" you create a trunk port called trk1 in static mode to which ports a1 and a2 belong.
On the Cisco side you need to configure the physical interfaces G1/20 and G1/21 to belong to the same channel-group. With the "mode on" command you specify a static channel. Once you have done this a new interface is created called "port-channel 1".
Dynamic Aggregated Ports using LACP (IEEE 802.3ad)

ProCurve (ports a1 and a2 form trk1; use LACP on the trunk interface):
trunk a1-a2 trk1 lacp

Cisco (interfaces G1/20 and G1/21 form po1; send LACP frames actively or just respond passively):
interface GigabitEthernet 1/20
 channel-group 1 mode <active | passive>
interface GigabitEthernet 1/21
 channel-group 1 mode <active | passive>
(interface Port-channel1 is created automatically)
Here is the same setup using the dynamic Link Aggregation Control Protocol (LACP).
On the ProCurve side you just specify lacp instead of trunk.
On the Cisco side you configure the mode to either active or passive, which corresponds to speaking LACP actively or just passively responding to LACP frames.
Link aggregation to a Cisco Stack or VSS

Cisco Virtual Switching System 1440: the ProCurve switch uses a standard trunk or an LACP trunk.
Standard trunk:  trunk a1-a2 trk1 trunk
LACP trunk:      trunk a1-a2 trk1 lacp
Cisco VSS appears as one switch, to which a link aggregation can be set up without requiring Spanning-Tree.

VLAN Interoperability planning
Pay attention to multi-VLAN ports:
1. Make sure the native VLAN on the Cisco trunk = the untagged VLAN on the tagged ProCurve port
2. Ensure the same VLANs are allowed and configured
Note: BPDUs (Spanning Tree, LLDP, LACP) are not attached to the untagged or any VLAN on ProCurve, unlike on Cisco.
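The planning points above can be checked mechanically before a link is brought up. The following Python script is an added example and not part of the original presentation: it parses the VLAN membership of one ProCurve port and the trunk settings of one Cisco interface (constructed sample configs in the style of the slides), and reports any mismatch in native/untagged VLAN, allowed VLAN set, trunk mode and DTP, plus the VLAN 1 requirement for PVST+ IEEE BPDUs that the deck comes back to later.

```python
import re

# Constructed sample configurations in the style of the slide examples:
# ProCurve VLAN membership of uplink port a1 and the matching Cisco trunk G1/20.
PROCURVE_CONFIG = """\
vlan 1
   untagged a1
vlan 2
   tagged a1
vlan 3
   tagged a1
"""

CISCO_CONFIG = """\
interface GigabitEthernet 1/20
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
 switchport nonegotiate
"""


def expand_vlan_list(spec):
    """Expand a VLAN list such as '1-3,10' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_procurve_port(config, port):
    """Return (untagged_vlan, tagged_vlans) for one ProCurve port.

    ProCurve declares membership inside each 'vlan N' context with
    'untagged <ports>' / 'tagged <ports>' (comma-separated port names here;
    port ranges such as a1-a20 are not expanded in this example)."""
    untagged, tagged, current = None, set(), None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"vlan (\d+)\b", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"(untagged|tagged)\s+(\S+)", line)
        if m and current is not None and port in m.group(2).split(","):
            if m.group(1) == "untagged":
                untagged = current
            else:
                tagged.add(current)
    return untagged, tagged


def parse_cisco_interface(config, interface):
    """Return (native_vlan, allowed_vlans, mode, dtp_disabled) for one Cisco
    interface. Cisco defaults: native VLAN 1, all VLANs allowed, DTP enabled."""
    native, allowed, mode, nonegotiate, inside = 1, None, None, False, False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1].strip() == interface
            continue
        if not inside:
            continue
        line = line.strip()
        m = re.match(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            allowed = expand_vlan_list(m.group(1))
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            mode = m.group(1)
        if line == "switchport nonegotiate":
            nonegotiate = True
    return native, allowed, mode, nonegotiate


def check_uplink(procurve_cfg, procurve_port, cisco_cfg, cisco_if):
    """Apply the VLAN interoperability planning rules to one inter-switch link
    and return a list of findings (an empty list means the link is consistent)."""
    untagged, tagged = parse_procurve_port(procurve_cfg, procurve_port)
    native, allowed, mode, nonegotiate = parse_cisco_interface(cisco_cfg, cisco_if)
    findings = []
    if mode != "trunk":
        findings.append("Cisco port is not 'switchport mode trunk' (access ports create MST region boundaries)")
    if untagged != native:
        findings.append(f"native VLAN {native} on Cisco != untagged VLAN {untagged} on ProCurve")
    procurve_vlans = tagged | ({untagged} if untagged is not None else set())
    if allowed is None:
        findings.append("Cisco trunk allows all VLANs; restrict it with 'switchport trunk allowed vlan'")
    elif allowed != procurve_vlans:
        findings.append(f"VLAN mismatch: Cisco allows {sorted(allowed)}, ProCurve has {sorted(procurve_vlans)}")
    if allowed is not None and 1 not in allowed:
        findings.append("VLAN 1 not allowed on trunk: with PVST+ no IEEE BPDU would be sent")
    if not nonegotiate:
        findings.append("DTP still enabled; add 'switchport nonegotiate'")
    return findings


if __name__ == "__main__":
    result = check_uplink(PROCURVE_CONFIG, "a1", CISCO_CONFIG, "GigabitEthernet 1/20")
    for line in result or ["uplink consistent"]:
        print(line)
```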
3- Spanning-Tree Interoperability
Spanning-Tree Interoperability
• Introduction to the different STP modes
• MSTP on Cisco and ProCurve
  • With one MST instance
  • With load balancing between instances
• PVST+ on Cisco and MSTP on ProCurve

We have to distinguish switch configurations for different kinds of connections:
- End user ports (PCs, printers, ...)
- IP phone ports
- End user + IP phone ports
- Server ports for one VLAN
- Server ports for multiple VLANs
- Switch-to-switch ports for one VLAN
- Switch-to-switch ports for multiple VLANs
- Aggregated ports
Support of STP

ProCurve         Cisco           Notes
STP (802.1D)     PVST+           PVST BPDUs are STP compatible in VLAN 1
RSTP (802.1w)    Rapid PVST      Rapid PVST BPDUs are RSTP compatible in VLAN 1
MSTP (802.1s)    MSTP (802.1s)   The best choice for interoperability. Caution with the pre-standard implementation of MSTP on Cisco

STP: IEEE 802.1D Standard Spanning Tree
PVST: Per VLAN Spanning-Tree (proprietary, based on STP 802.1D)
Rapid PVST: proprietary, based on RSTP 802.1w
RSTP: Rapid Spanning Tree (802.1w IEEE standard)
MSTP: Multi Instance Spanning-Tree (802.1s IEEE standard)
IEEE 802.1D and 802.1w

Previously there was only one STP for many VLANs (802.1D and 802.1w). This left links unused since all VLANs took the same physical topology.
(Figure "Before (with STP)": one root; every link carries VLANs 1, 2 and 3, so the same link is blocked for all of them)
MSTP = MST (IEEE 802.1s)

In response to the need to allow standards-compliant 802.1D/w/Q switches to have multiple logical paths for redundancy, 802.1s, the Multiple Spanning Tree Protocol (MSTP), was ratified.
802.1s enhances 802.1Q by allowing groups of VLANs to be assigned to different spanning tree instances. The instances are chosen to match the number of possible logical paths through the layer 2 network. Often only 2 or 3 are required, instead of hundreds with PVST.
(Figure "Now with 802.1s": an MSTI-1 root and an MSTI-2 root; every link carries VLANs 1,2... and VLANs 3,4...)
(Figure "Before (with PVST)": separate roots for VLAN 1, VLAN 2 and VLAN 3; every link carries VLANs 1, 2 and 3)
3.1- MSTP Interoperability

Cisco – ProCurve Design 1: MSTP and one instance
(Figure: two Cisco core switches running MSTP, one as STP root and the other as STP backup root; the ProCurve switch runs MSTP and has one uplink STP blocked for all VLANs)
Pros: simple, all switches speak the same standard protocol
Cons: no load balancing

Cisco – ProCurve Design 2: MSTP and load balancing between instances
(Figure: MSTP instance 1 = VLAN 1,2,3 and instance 2 = VLAN 4,5,6; one Cisco core switch is STP root for instance 1 and backup root for instance 2, the other is STP root for instance 2 and backup root for instance 1; the ProCurve switch has one uplink STP blocked for instance 1 and the other uplink STP blocked for instance 2)
Pros: load balancing
Cons: more complex to configure and troubleshoot
Cisco MST 802.1s-2002 compliance

To support the compliant IEEE 802.1s-2002 standard, Cisco switches must run at least the following firmware versions:
- Cisco Catalyst 2950, 3550, 3560, 3750: IOS 12.2(25)SEC
- Cisco Catalyst 4000: native IOS 12.2(25)SG
- Cisco Catalyst 6000: native IOS 12.2(18)SXF or CatOS 8.3

MST concepts
Switches belong to the same MST region if they share the same configuration parameters:
1- MST Config Name (32 bytes, case sensitive)
2- MST Revision Number (2 bytes)
3- MST Instances, which are set by the assignment of VLANs

Example of an MST Configuration:
Config Name = "building-1"
Revision Number = 1
Instance 1 = VLANs 1, 2, 3
Instance 2 = VLANs 4, 5, 6
Configuring MSTP (802.1s) on ProCurve Switches

Enable MSTP globally:
ProCurve(config)# spanning-tree protocol-version mstp
(only required on older switch series)
ProCurve(config)# spanning-tree

Configure your MSTP on all switches equally:
ProCurve(config)# spanning-tree config-name building-1
ProCurve(config)# spanning-tree config-revision 1
ProCurve(config)# spanning-tree instance 1 vlan 1-3
ProCurve(config)# spanning-tree instance 2 vlan 4-6

Configuring MSTP (802.1s) on Cisco Switches

Enable MSTP globally:
Cisco(config)# spanning-tree mode mst

Configure your MSTP on all switches equally:
Cisco(config)# spanning-tree mst configuration
Cisco(config-mst)# instance 1 vlan 1-3
Cisco(config-mst)# instance 2 vlan 4-6
Cisco(config-mst)# name building-1
Cisco(config-mst)# revision 1

Configuring MSTP (802.1s) on ProCurve and Cisco Switches

Modify the bridge priority to tweak the STP root selection per instance:
ProCurve:
ProCurve(config)# spanning-tree instance <instance-id> priority <priority>
Cisco:
Cisco(config)# spanning-tree mst <instance-id> priority <priority>

Enable STP edge-port where desired (end user interfaces):
ProCurve:
ProCurve(config)# spanning-tree a1 admin-edge-port
The default is auto-edge, where the port role is discovered automatically within 3 seconds.
Cisco:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree portfast
Cisco MSTP: What BPDUs are sent out of trunk ports?

Trunk allowing VLAN 1-3:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
-> IEEE 802.1s BPDU

Trunk allowing VLAN 2-3 only:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 2-3
 switchport mode trunk
-> IEEE 802.1s BPDU

MSTP 802.1s BPDU format: the parameters common to RSTP and MSTP, followed by the MSTP-specific parameters [CST information | IST info | MSTI info | ... additional MSTI info]. The BPDU is sent untagged to the IEEE destination MAC 01:80:c2:00:00:00.

Cisco MST: What BPDUs are sent out of access ports?

Use trunk port configuration on inter-switch links and always check that you have "switchport mode trunk" configured! If you use access ports you create MST region boundaries.

Access port:
interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
-> IEEE 802.1s BPDU without additional MST instance information

Access port with voice VLAN:
interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
-> IEEE 802.1s BPDU without additional MST instance information
(same BPDU format as above, sent untagged to the IEEE destination MAC 01:80:c2:00:00:00)

MSTP Interoperability planning
1) To get standard MSTP BPDUs, use trunk ports on Cisco uplinks. If an untagged uplink is required, do not use an access port but define the Cisco port as a trunk and allow only the native VLAN!
2) On Cisco: pay attention to the IOS version. Cisco supports a pre-standard version of MSTP which looks like MSTP. You cannot see the difference in the commands; it just does not interoperate with standard MSTP.
3) Set the MSTP configuration parameters identically: name, revision number, mapping between VLANs and instances.
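Whether a ProCurve and a Cisco switch will actually end up in the same MST region (planning point 3) can be verified offline from their configurations. The following Python script is an added example, not from the presentation: it parses the ProCurve and Cisco MST syntax shown above (constructed configs for the building-1 example), computes the IEEE 802.1s configuration digest (HMAC-MD5 over the 4096-entry VLAN-to-instance table with the key defined in the standard, the same digest Cisco displays with "show spanning-tree mst configuration digest"), and compares name, revision and digest.

```python
import hashlib
import hmac
import re
import struct

# HMAC-MD5 key defined by IEEE 802.1s (now part of 802.1Q) for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Constructed configurations following the building-1 example on the slides.
PROCURVE_MST = """\
spanning-tree config-name building-1
spanning-tree config-revision 1
spanning-tree instance 1 vlan 1-3
spanning-tree instance 2 vlan 4-6
"""

CISCO_MST = """\
spanning-tree mst configuration
 instance 1 vlan 1-3
 instance 2 vlan 4-6
 name building-1
 revision 1
"""


def expand_vlan_list(spec):
    """Expand a VLAN list such as '1-3,10' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_mst(config):
    """Return (name, revision, {vlan: instance}) from ProCurve or Cisco syntax.

    The relevant lines of both syntaxes end in 'instance <id> vlan <list>',
    '[config-]name <name>' or '[config-]revision <n>'. VLANs that are not
    mapped explicitly stay in instance 0, the IST."""
    name, revision, mapping = "", 0, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.search(r"\binstance (\d+) vlan ([\d,\-]+)$", line)
        if m:
            for vlan in expand_vlan_list(m.group(2)):
                mapping[vlan] = int(m.group(1))
            continue
        m = re.search(r"\bname (\S+)$", line)
        if m:
            name = m.group(1)  # compared case sensitively, as the switches do
            continue
        m = re.search(r"\brevision (\d+)$", line)
        if m:
            revision = int(m.group(1))
    return name, revision, mapping


def mst_config_digest(mapping):
    """IEEE 802.1s Configuration Digest: HMAC-MD5 over the MST Configuration
    Table, i.e. 4096 big-endian 16-bit MSTID entries for VID 0..4095."""
    table = struct.pack(">4096H", *(mapping.get(vid, 0) for vid in range(4096)))
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_identity(config):
    """The three values that must match for two switches to share an MST region."""
    name, revision, mapping = parse_mst(config)
    return name, revision, mst_config_digest(mapping)


def same_region(config_a, config_b):
    """True if both configurations describe the same MST region."""
    return region_identity(config_a) == region_identity(config_b)


if __name__ == "__main__":
    print("ProCurve:", region_identity(PROCURVE_MST))
    print("Cisco:   ", region_identity(CISCO_MST))
    print("same region:", same_region(PROCURVE_MST, CISCO_MST))
```

The digest for the default configuration (every VLAN in instance 0) is the value a factory-default Cisco or ProCurve switch reports, so the function can be sanity-checked against a real switch before trusting it on a production region.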
3.2- PVST - MSTP Interoperability

Various Spanning-Tree BPDUs

802.1D (STP):
  untagged, IEEE destination MAC 01:80:c2:00:00:00
802.1w (RSTP):
  untagged, IEEE destination MAC 01:80:c2:00:00:00
802.1s (MSTP):
  untagged, IEEE destination MAC 01:80:c2:00:00:00
  format: RSTP and MSTP common parameters, followed by the MSTP-specific parameters [CST information | IST info | MSTI info | ... additional MSTI info]
PVST+ on Cisco trunk ports:
  VLAN 1 allowed on the trunk: IEEE BPDU, IEEE destination MAC 01:80:c2:00:00:00
  untagged for the native VLAN: Cisco destination MAC 01:00:0c:cc:cc:cd
  tagged for the other VLANs: Cisco destination MAC 01:00:0c:cc:cc:cd
Cisco – ProCurve Design #1 with PVST+

(Figure: two Cisco core switches running PVST+ or Rapid PVST+, one as STP root for VLAN 1,2,3,4,5,6 and the other as STP backup root for VLAN 1,2,3,4,5,6; the ProCurve switch runs 802.1D, 802.1w or 802.1s and has one uplink in the STP blocked state)
Pros: simple and still use PVST+ for the backbone
Cons: no load balancing

Cisco – ProCurve Design #1: Cisco PVST+ view for VLAN 1
IEEE BPDUs are exchanged between all switches.
(Figure: STP root for VLAN 1 and STP backup root for VLAN 1 on the Cisco switches; the ProCurve switch (802.1D, 802.1w or 802.1s) has one port STP blocked)

Cisco – ProCurve Design #1: Cisco PVST+ view for all other VLANs
(Figure: STP root for VLAN 2,3,4,5,6 and STP backup root for VLAN 2,3,4,5,6 on the Cisco switches)
The ProCurve switch will also block the PVST+ BPDUs as the whole port is blocked. Therefore the right Cisco switch will not receive any PVST+ BPDU through the ProCurve switch.
Configuring Rapid PVST+ on Cisco Switches

Enable Rapid PVST+ globally:
Cisco(config)# spanning-tree mode rapid-pvst
Cisco(config)# spanning-tree extend system-id
Cisco(config)# spanning-tree pathcost method long

Modify the bridge priority to tweak the STP root selection per VLAN:
Cisco(config)# spanning-tree vlan 1-2 priority 4096

Modify the interface cost if necessary per VLAN:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree vlan 1-2 cost 10000

Modify the interface priority if necessary per VLAN:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree vlan 1-2 port-priority 4

Configuring Rapid PVST+ on Cisco Switches cont.

Enable STP edge-port where desired (end user interfaces):
Either globally, which will affect all non-trunking ports:
Cisco(config)# spanning-tree portfast default
Or on a per-interface basis:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree portfast
Cisco Rapid-PVST+: What BPDUs are sent out of trunk ports?

If VLAN 1 is not allowed on a trunk port, no IEEE BPDU is sent out!!!

Trunk allowing VLAN 1-3:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
-> IEEE 802.1w BPDU, untagged PVST BPDU for VLAN 1, PVST BPDU for all tagged VLANs

Trunk allowing VLAN 2-3 only:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 2-3
 switchport mode trunk
-> PVST BPDU for all tagged VLANs (VLAN 2,3) only

Cisco Rapid-PVST+: What BPDUs are sent out of access ports?

Use trunk port configuration on all inter-switch links!

Access port:
interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
-> IEEE 802.1w BPDU, untagged PVST BPDU for VLAN 10

Access port with voice VLAN:
interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
-> IEEE 802.1w BPDU, untagged PVST BPDU for VLAN 10, PVST BPDU for the tagged voice VLAN 20
Cisco – ProCurve Design #1: Cisco RapidPVST+

(Figure: Cisco 6506_left (RapidPVST+, STP root for VLAN 1,2,3,4,5,6) and Cisco 6509_right (RapidPVST+, STP backup root for VLAN 1,2,3,4,5,6) are connected by Port-channel po1; each links via Gig2/x to the ProCurve 5406zl (MSTP) on ports a24 and b24; ProCurve edge ports a1-a20,b1-b20,c1-c24,d1-d24; one ProCurve uplink is STP blocked)

ProCurve 5406zl configuration:
vlan 1
   name management
   untagged a24,b24
   ip address 10.1.1.1/24
vlan 2
   tagged a24,b24
vlan 3
   tagged a24,b24
vlan 4
   tagged a24,b24
vlan 5
   tagged a24,b24
vlan 6
   tagged a24,b24
spanning-tree a1-a20,b1-b20,c1-c24,d1-d24

Cisco 6506_left configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 0
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk

Cisco 6509_right configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
PVST - MSTP Interoperability planning
1) On Cisco trunk inter-switch links, make sure that VLAN 1 is allowed (otherwise only non-standard BPDUs will be sent).
2) Take special care of the root and secondary root setup on VLAN 1, as Cisco and ProCurve switches will interoperate through the standard BPDUs.
3) To get faster convergence, set Rapid-PVST instead of PVST+ on Cisco switches.
4) On Cisco switches make sure to use the "pathcost method long".
Cisco – ProCurve Design #2: PVST+ with load balancing

(Figure: the two Cisco core switches run PVST+ or Rapid PVST+; one is STP root for VLAN 1,2,3 and backup root for VLAN 4,5,6, the other is STP root for VLAN 4,5,6 and backup root for VLAN 1,2,3; the ProCurve switch (802.1D, 802.1w or 802.1s) has one uplink STP blocked for VLAN 1,2,3 and the other uplink STP blocked for VLAN 4,5,6)
Pros: load balancing and PVST+ for the backbone
Cons: more complex to configure and troubleshoot
Be sure to tweak STP so that blocking occurs on the Cisco switches!!!
Cisco – ProCurve Design #2: Cisco PVST+ view for VLAN 1

IEEE BPDUs are exchanged between all switches.
(Figure: one Cisco switch is the STP root, the other the STP backup root with the second lowest Bridge-ID; they are connected via po1; each Cisco connects via Gig2/1 ... Gig2/8 to several ProCurve switches, on ProCurve port a24 towards the left Cisco and port b24 towards the right Cisco; ProCurve edge ports a1-a20,b1-b20,c1-c24,d1-d24; the b24 ports on the ProCurve switches are in the blocking state)

1. Why are the ports b24 on the ProCurve switches in the blocking state and not the ports Gig 2/1 to Gig 2/8 on the right Cisco switch?

2. What do you have to change to block the ports Gig 2/1 and Gig 2/8 on the right Cisco switch?

(Figure, after the change: STP port cost 20000 on the Gig2/x links and on the ProCurve ports a24 and b24; STP port cost 30000 on po1 between the two Cisco switches; now the ports Gig2/1 to Gig2/8 of the right Cisco switch are blocked)
Cisco – ProCurve Design #2: Cisco PVST+ view for all other VLANs

All tagged Cisco PVST BPDUs, which are sent to the Cisco specific multicast MAC address 01:00:0c:cc:cc:cd, are forwarded unchanged by ProCurve switches as any other frame!!!

(Figure: one Cisco switch is the STP root; Gig2/1 ... Gig2/8 on both Cisco switches and po1 between them all have STP port cost 20000; for these VLANs the ProCurve switches are transparent, so the Cisco switches see each other directly through them)

1. Why might Spanning-Tree block the ports on po1 for the other VLANs?
(With equal path costs the lowest port ID wins.)

2. How do you make sure that the ports Gig2/1 to Gig2/8 of the right Cisco switch are blocking and not po1?

(Figure, after the change: STP port cost 10000 on po1, STP port cost 20000 on the Gig2/x links; the ports Gig2/1 to Gig2/8 of the right Cisco switch are blocked)
Cisco – ProCurve Design #2: Design with RapidPVST+

(Figure: Cisco 6506_left (RapidPVST+, STP root for VLAN 1,2,3) and Cisco 6509_right (RapidPVST+, STP root for VLAN 4,5,6) are connected by po1; each links via Gig2/x to the ProCurve 5406zl (MSTP) on ports a24 and b24; ProCurve edge ports a1-a20,b1-b20,c1-c24,d1-d24; one link is STP blocked for VLANs 1-3 and the other is STP blocked for VLANs 4-6)

Cisco 6506_left configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-3 priority 0
spanning-tree vlan 4-6 priority 4096
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
 spanning-tree vlan 1 cost 30000
 spanning-tree vlan 2-6 cost 10000
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk

Cisco 6509_right configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-3 priority 4096
spanning-tree vlan 4-6 priority 0
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
 spanning-tree vlan 1 cost 30000
 spanning-tree vlan 2-6 cost 10000
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
PVST - MSTP Interoperability planning with load balancing
1) Start the setup as in the previous scenario
2) If Cisco switches are in the core, to get PVST load balancing:
   – Increase the cost of the inter-core link in VLAN 1 (e.g.: 30000)
   – Reduce the cost of the inter-core link in the other VLANs (e.g.: 10000)
3) Set priorities on the root and secondary root to get load balancing between VLANs
4- Hardening Spanning-Tree

Spanning-Tree problems
Unstable STP can be caused by:
- Uni-directional links
- Rogue devices talking STP
- Permanent STP topology changes due to flapping ports or end user ports not set to edge mode (portfast)
- Loops not detected by STP
Spanning-Tree Hardening Features

ProCurve                                                 Cisco
Remote-Fault Notification (RFN) using Autonegotiation    Remote-Fault Notification (RFN) using Autonegotiation
Uni-directional Link Detection (UDLD)                    Uni-directional Link Detection (UDLD)
BPDU-protection                                          BPDU-Guard
Loop-protect                                             Keepalive
Root-Guard                                               Root-Guard
-                                                        Loop-Guard
Why do Uni-directional Links cause Problems
• The root transmits BPDUs
• The neighbor doesn't receive them, thinks the root is dead and now claims it is the new root
• The bottom switch opens up its blocked port: loop in the network
• The network goes down, troubleshooting is very difficult
(Figure: root at the top; BPDUs flow TX -> RX down the tree; one link is uni-directional, so the BPDUs sent on it are never received on the far side)
Remote-Fault Notification (RFN) in Auto-negotiation against Uni-directional Links

RFN is optional but enabled by default on 1000BaseX on Cisco and ProCurve switches when auto-negotiation is used.
Recommendation: always use autoneg on 1000BaseX connections.
This feature works on Layer 1.
Uni-directional Link Detection (UDLD)

UDLD works by exchanging protocol packets between the neighboring devices. In order for UDLD to work, both devices on the link must support UDLD and have it enabled on the respective ports. This feature works on Layer 2.
(Figure: Cisco <-> Cisco and ProCurve <-> ProCurve each exchange "Hello, I am switch xyz, port abc" / "Acknowledge hello."; Cisco <-> ProCurve does not work, as Cisco and ProCurve have a different implementation.)
Uni-directional Link Detection (UDLD) configuration

ProCurve (interface specific):
ProCurve(config)# interface a1
ProCurve(eth-a1)# link-keepalive
Recovery is done automatically.

Cisco (global for all fiber ports):
Cisco(config)# udld aggressive
Or interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# udld port aggressive
Recovery configured globally:
Cisco(config)# errdisable recovery cause udld
Cisco(config)# errdisable recovery interval 300   (default)

UDLD performs tasks that autonegotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports.
BPDU-Guard, BPDU-protection

ProCurve (interface specific, on global config):
ProCurve(config)# spanning-tree a1 bpdu-protection
Recovery configured globally:
ProCurve(config)# spanning-tree bpdu-protection-timeout 300

Cisco (global for all ports):
Cisco(config)# spanning-tree portfast bpduguard default
Or interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# spanning-tree bpduguard enable
Recovery configured globally:
Cisco(config)# errdisable recovery cause bpduguard
Cisco(config)# errdisable recovery interval 300   (default)

You should not allow STP BPDUs to be received on an end user port. Therefore enable this feature on all end user ports. If a BPDU is received the port is put into the errdisable state (Cisco) or the port is disabled (ProCurve).
Keepalive (Cisco) – Loop-protect (ProCurve)

ProCurve (interface specific, on global config):
ProCurve(config)# loop-protect a1
Recovery configured globally:
ProCurve(config)# loop-protect disable-timer 300

Cisco: keepalive is enabled by default on all copper ports
Recovery configured globally:
Cisco(config)# errdisable recovery cause loopback
Cisco(config)# errdisable recovery interval 300   (default)

The ProCurve loop-protect feature is an edge-port feature and therefore not intended for inter-switch links.
Spanning-Tree Root-Guard

ProCurve (interface specific, on global config):
ProCurve(config)# spanning-tree a1 root-guard
Recovery is done automatically.

Cisco (interface specific):
Cisco(config)# interface gig0/2
Cisco(config-if)# spanning-tree guard root
Recovery is done automatically.
Hardening Spanning-Tree on ProCurve switches

(Figure: the Design #1 topology with Cisco 6506_left as RapidPVST+ STP root for VLAN 1,2,3,4,5,6 and Cisco 6509_right as backup root, po1 between them, Gig2/x links to the ProCurve 5406zl (MSTP) ports a24 and b24 with one uplink blocked; ProCurve edge ports a1-a20,b1-b20,c1-c24,d1-d24; STP Root Guard is marked in the figure)

ProCurve 5406zl configuration:
vlan 1
   name management
   untagged a24,b24
   ip address 10.1.1.1 255.255.255.0
vlan 2
   tagged a24,b24
vlan 3
   tagged a24,b24
vlan 4
   tagged a24,b24
vlan 5
   tagged a24,b24
vlan 6
   tagged a24,b24
spanning-tree
spanning-tree a1-a20,b1-b20,c1-c24,d1-d24 admin-edge-port
spanning-tree a1-a20,b1-b20,c1-c24,d1-d24 bpdu-protection
spanning-tree bpdu-protection-timeout 300
loop-protect a1-a20,b1-b20,c1-c24,d1-d24
loop-protect disable-timer 300
5- Layer-2 Discovery Protocols: CDP and LLDP

CDP and LLDP

ProCurve:
- CDP is by default enabled on all ports in receive mode only. Transmitting of CDP packets is no longer supported.
- LLDP is by default enabled on all ports.
- A Cisco switch is visible in both the LLDP table (LLDP MIB) and the CDP table (CDP MIB), as entries are cross-populated.

Cisco:
- CDP is by default enabled on all ports.
- Support of LLDP has started on Cisco Catalyst switch series 2960, 3760 and 3750 running 12.2(37)SE, without SNMP MIB support, and on Cisco Catalyst 6500 running 12.2(33)SXH.
- CDP table, CDP MIB: the ProCurve switch is NOT visible (ProCurve no longer transmits CDP).
- LLDP table: the ProCurve switch is visible. The LLDP MIB is not yet supported.

(Figure: the ProCurve switch transmits LLDP and receives LLDP and CDP; the Cisco switch transmits CDP and receives CDP)
6- Gateway Redundancy Protocols: HSRP - VRRP
Hot Standby Routing Protocol (HSRP)
Cisco informational RFC 2281 (March 1998)
Diagram values:
Active HSRP router: IP 10.1.1.2, MAC 0000.0c12.3456, vIP 10.1.1.1, vMAC 0000-0c07.ac00
Standby HSRP router: IP 10.1.1.3, MAC 0000.0c78.9abc, vIP: (none), vMAC: (none)
Client: IP 10.1.1.21, MAC aaaa.aaaa.aaaa, GW 10.1.1.1, ARP entry for the gateway: 0000-0c07.ac00
• A group of routers functions as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address.
• One active router performs packet forwarding for the local hosts.
• The rest of the routers provide "hot standby" in case the active router fails.
• Standby routers stay idle as far as packet forwarding from the client side is concerned.
• The virtual IP address is always pingable and answers SNMP requests.
Diagram labels: Client; Active HSRP Router (Cisco); Standby HSRP Router (Cisco)
HSRP configuration example on Cisco Switches
active HSRP router:
interface vlan1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 200
 standby 1 preempt
standby HSRP router:
interface vlan1
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 190
 standby 1 preempt
Virtual Router Redundancy Protocol (VRRP)
IETF Standard RFC 2338, 3768 (April 1998, April 2004)
Diagram values:
Master VRRP router: IP 10.1.1.1, MAC 0000.0c12.3456, vIP 10.1.1.1, vMAC 0000.5e00.0101
Backup VRRP router: IP 10.1.1.2, MAC 0000.0c78.9abc, vIP: (none), vMAC: (none)
Client: IP 10.1.1.21, MAC aaaa.aaaa.aaaa, GW 10.1.1.1, ARP entry for the gateway: 0000.5e00.0101
• A group of routers functions as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address.
• One master router performs packet forwarding for the local hosts.
• The rest of the routers provide backup in case the master router fails.
• Backup routers stay idle as far as packet forwarding from the client side is concerned.
• The virtual IP address is only pingable and answers SNMP requests on the VRRP owner.
Diagram labels: Client; Master VRRP Router (ProCurve), owner of the vIP address; Backup VRRP Router (ProCurve), non-owner of the vIP address
VRRP configuration example on ProCurve Switches 3500zl, 5400zl, 6200yl
VRRP master router:
router vrrp
vlan1
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1
owner
virtual-ip-address 10.1.1.1
priority 255
enable
exit
exit
VRRP backup router:
router vrrp
vlan1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1
backup
virtual-ip-address 10.1.1.1
priority 100
enable
exit
exit
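As an added example (not part of the HP deck), the Python below derives the virtual MAC each protocol uses from the group number, applies the election rule to the router entries taken from the two configuration slides, and checks a client's ARP entry for the gateway against the expected vMAC; that last check is a quick way to spot a host that has learnt its gateway from something other than the configured HSRP/VRRP group. Note that 0000.0c07.ac00 on the HSRP diagram is what standby group 0 produces; the configuration slide uses group 1, whose vMAC ends in ac01.

```python
"""HSRP v1 / VRRP virtual MAC derivation and active/master election (added example, not from the deck)."""
from ipaddress import IPv4Address
from typing import Dict, List

# Router entries constructed from the two configuration slides above.
HSRP_ROUTERS: List[Dict] = [{"ip": "10.1.1.2", "priority": 200}, {"ip": "10.1.1.3", "priority": 190}]
VRRP_ROUTERS: List[Dict] = [{"ip": "10.1.1.1", "priority": 255}, {"ip": "10.1.1.2", "priority": 100}]


def hsrp_v1_vmac(group: int) -> str:
    """HSRP version 1: 0000.0c07.acXX, XX = standby group number (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_vmac(vrid: int) -> str:
    """VRRP (RFC 3768): 0000.5e00.01XX, XX = VRID (1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def elect(routers: List[Dict]) -> str:
    """Highest priority wins; on a tie the highest interface IP wins. Returns that router's IP.
    VRRP reserves priority 255 for the owner of the virtual address, so the owner always wins."""
    return max(routers, key=lambda r: (r["priority"], IPv4Address(r["ip"])))["ip"]


def _normalize(mac: str) -> str:
    """Keep only hex digits so Cisco (0000.0c07.ac01), ProCurve (000000-0c07ac01)
    and colon notation compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def arp_is_expected(arp_mac: str, protocol: str, group: int) -> bool:
    """True if a client's ARP entry for the gateway is the vMAC the protocol predicts."""
    if protocol not in ("hsrp", "vrrp"):
        raise ValueError("protocol must be 'hsrp' or 'vrrp'")
    expected = hsrp_v1_vmac(group) if protocol == "hsrp" else vrrp_vmac(group)
    return _normalize(arp_mac) == _normalize(expected)


if __name__ == "__main__":
    print("HSRP group 1 vMAC:", hsrp_v1_vmac(1), "active:", elect(HSRP_ROUTERS))
    print("VRRP VRID 1 vMAC:", vrrp_vmac(1), "master:", elect(VRRP_ROUTERS))
    print("client ARP 0000-0c07.ac00 matches group 1:", arp_is_expected("0000-0c07.ac00", "hsrp", 1))
```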
7- POE, QOS and IP phones
Multi-Vendor Support: Shared connections for PC and IP-phone
How does an IP phone auto-configure the voice VLAN and QoS?
1. Auto-config "voice" VLAN and L2/L3 QoS using LLDP-MED (ProCurve switches) or CDPv2 (Cisco switches)
2. Many phones support a "vendor specific" DHCP process for auto-config
   – Avaya, Alcatel, Mitel, Siemens, ShoreTel etc.
   – DHCP server on the data VLAN advertises the voice VLAN ID and QoS
3. One-time manual configuration
   – For Cisco, set the admin VLAN ID via the Network Configuration setup when connecting to a Cisco network
Diagram: IP phone with a cascaded PC; the PC uses the untagged data VLAN, the phone the tagged voice VLAN; the switch uplink carries the untagged data VLAN towards the IP network, DHCP server and IP PBX.
VLAN configuration comparison: Switch-to-IP-phone connection with PC
ProCurve:
vlan 2
   untagged a1
vlan 3
   voice
   tagged a1
(port a1; LLDP-MED: Voice VLAN ID=3, Mode: tagged)
Cisco:
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
(port G1/20; CDPv2: Voice VLAN ID=3, Mode: tagged; LLDP-MED: Voice VLAN ID=3, Mode: tagged)
LLDP-MED support has started on Cisco Catalyst switches 3760, 3750, 2960, 2970 running 12.2(37)SE and on Cisco Catalyst 6500 running 12.2(33)SXH
Here it is shown how you configure the switch to connect an IP phone (hard phone) with a cascaded PC.
On the ProCurve side you configure port a1 to be an untagged member of VLAN 2. This is the VLAN for the PC. You also need to configure port a1 to be a tagged member of VLAN 3, which is the VLAN ID the IP phone uses to send and receive its traffic. So that the phone can learn the VLAN ID it has to use, you can configure VLAN 3 as a voice VLAN; the switch will then start sending out LLDP-MED frames when an IP phone with LLDP-MED support is detected.
On the Cisco side you need to configure on the interface an access VLAN 2 for the PC and a voice VLAN 3 for the IP phone. On older IOS versions this enabled the switch to send out Cisco proprietary CDPv2 information with the voice VLAN ID included. Current IOS versions will also send out LLDP-MED frames.
Cisco IP phone boot process: CDPv2 and pre-standard PoE
Sequence diagram between a Cisco 7960G / 7940G phone, the switch, the DHCP server and the Cisco Callmanager:
1. Cisco pre-standard PoE: Fast Link Pulse
2. Reflected Fast Link Pulse
3. CDP: Power requirement
4. CDP: voice VLAN ID
5. DHCP request in voice VLAN
6. DHCP response: IP add., Gateway, TFTP server
7. TFTP request for configuration
8. TFTP request of configuration
9. SCCP or SIP registration with Callmanager
Cisco IP phone boot process: LLDP-MED and 802.3af PoE
Sequence diagram between a Cisco 7941/42/61/62G, 7970/71/75G or 7945/65G phone, the switch, the DHCP server and the Cisco Callmanager:
1. IEEE 802.3af: Apply voltage and classify device
2. Return current
3. LLDP-MED: PoE requirement, firmware, serial#
4. LLDP-MED: voice VLAN ID, etc.
5. DHCP request in voice VLAN
6. DHCP response: IP add., Gateway, TFTP server
7. TFTP request for configuration
8. TFTP request of configuration
9. SCCP or SIP registration with Callmanager
LLDP-MED is supported in the following models since release 8.3(3):
7906G, 7911G, 7931G, 7941G/7941G-GE, 7942G, 7945G, 7961G/7961G-GE, 7962G, 7965G, 7970G/7971G-GE, 7975G
(CDPv2 is still supported)
LLDP example
ProCurve Switch 5406zl# show run
vlan 3
   name "data"
   untag a1, ...
   exit
vlan 6
   name "IP phone"
   qos priority 6
   tagged a1, ...
   voice
   exit
Diagram: ProCurve port a1 connected to a Cisco IP phone; label on the link: LLDP-MED: Voice VLAN ID=3, Mode: tagged
ProCurve Switch 5406zl# show vlan port a1 detailed

 Status and Counters - VLAN Information - for ports A1

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  3       data                 | Port-based No    No    Untagged
  6       IP phone             | Port-based Yes   No    Tagged
ProCurve Switch 5406zl# show lldp info remote-device

 LLDP Remote Devices Information

  LocalPort | ChassisId                 PortId PortDescr SysName
  --------- + ------------------------- ------ --------- ----------------------
  A1        | 192.168.0.33              000... SW PORT   SEP000F2322DDAA.cis...

Display detailed LLDP information
ProCurve Switch 3500yl-24G# show lldp info remote-device a1

 LLDP Remote Device Information Detail

  Local Port   : A1
  ChassisType  : network-address
  ChassisId    : 192.168.0.33
  PortType     : local
  PortId       : 000F2322DDAA:P1
  SysName      : SEP000F2322DDAA.cisco.com
  System Descr : Cisco IP Phone CP-7970G,V, SIP70.8-3-3S
  PortDescr    : SW PORT

  System Capabilities Supported : bridge, telephone
  System Capabilities Enabled   : bridge, telephone

  Remote Management Address
     Type    : ipv4
     Address : 192.168.0.33

  MED Information Detail
    EndpointClass          : Class3
    Media Policy Vlan id   : 6
    Media Policy Priority  : 6
    Media Policy Dscp      : 0
    Media Policy Tagged    : True
    Poe Device Type        : PD
    Power Requested        : 63
    Power Source           : From PSE
    Power Priority         : Unknown
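As an added example (not part of the HP deck), this Python parses the detail output of `show lldp info remote-device <port>` into key/value pairs and checks that the LLDP-MED network policy the switch advertises to the phone (VLAN, 802.1p priority, tagged mode) matches what was configured for the voice VLAN, and that the neighbour actually reports the telephone capability. The sample text is constructed from the output on the slide; the 0.1 W unit for the power value comes from the LLDP-MED Extended Power-via-MDI TLV definition.

```python
"""Parse 'show lldp info remote-device <port>' detail output and check the advertised
LLDP-MED voice policy (added example, not from the deck)."""
import re
from typing import Dict, List

# Constructed sample, reassembled from the detail output on the slide above.
SAMPLE_DETAIL = """\
 LLDP Remote Device Information Detail

  Local Port   : A1
  ChassisType  : network-address
  ChassisId    : 192.168.0.33
  PortType     : local
  PortId       : 000F2322DDAA:P1
  SysName      : SEP000F2322DDAA.cisco.com
  System Descr : Cisco IP Phone CP-7970G,V, SIP70.8-3-3S
  PortDescr    : SW PORT

  System Capabilities Supported : bridge, telephone
  System Capabilities Enabled   : bridge, telephone

  Remote Management Address
     Type    : ipv4
     Address : 192.168.0.33

  MED Information Detail
    EndpointClass          :Class3
    Media Policy Vlan id   :6
    Media Policy Priority  :6
    Media Policy Dscp      :0
    Media Policy Tagged    :True
    Poe Device Type        :PD
    Power Requested        :63
    Power Source           :From PSE
    Power Priority         :Unknown
"""

# Key is everything before the first colon; values such as 'PortId : 000F2322DDAA:P1'
# may themselves contain a colon, so the key group is non-greedy.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_lldp_detail(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; section titles without a colon are skipped."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def check_voice_policy(info: Dict[str, str], vlan: int, priority: int, tagged: bool = True) -> List[str]:
    """Compare the advertised MED network policy with the switch's voice VLAN settings.
    Returns a list of mismatches; an empty list means the phone was told the right policy."""
    problems: List[str] = []
    expected = {
        "Media Policy Vlan id": str(vlan),
        "Media Policy Priority": str(priority),
        "Media Policy Tagged": "True" if tagged else "False",
    }
    for key, want in expected.items():
        got = info.get(key)
        if got != want:
            problems.append(f"{key}: advertised {got!r}, expected {want!r}")
    if "telephone" not in info.get("System Capabilities Enabled", ""):
        problems.append("remote device does not report the telephone capability")
    return problems


def power_requested_watts(info: Dict[str, str]) -> float:
    """The LLDP-MED Extended Power-via-MDI value is in units of 0.1 W (63 -> 6.3 W)."""
    return int(info["Power Requested"]) / 10


if __name__ == "__main__":
    details = parse_lldp_detail(SAMPLE_DETAIL)
    print(details["SysName"], "requests", power_requested_watts(details), "W")
    print("policy problems:", check_voice_policy(details, vlan=6, priority=6) or "none")
```

With the configuration on this slide (voice VLAN 6, qos priority 6) the check returns no problems; running it with VLAN 3 reproduces the kind of mismatch you would see if the wrong VLAN were marked as the voice VLAN.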
Enabling QoS in the Access Layer: Congestion Scenario: Data + VoIP
Diagram: the PC is connected through the IP phone's integrated 3-port switch (ports P0, P1, P2) to the access switch; data max 100 Mbps, voice max. 80 Kbps; potential congestion points at the phone's uplink and at the access switch.
During data traffic bursts, buffers can become congested, causing voice packets to be dropped.
Different traffic needs different prioritization
Diagram: IP Phone A and IP Phone B exchange a voice stream (RTP) across the IP network; signaling (SIP, H.323, Skinny (SCCP)) runs between the phones, a PC with softphone and the IP PBX; the PCs exchange data.
QOS Default on ProCurve
L2 QOS (802.1p) is trusted by default:
• If the phone sends tagged frames with an 802.1p priority, it is trusted
• No additional setup is needed
L3 QOS (DSCP) is trusted once it has been enabled:
qos type-of-service diff-services
• A mapping between DSCP and 802.1p has to exist:
show qos dscp-map
QoS classification #1 for hard phones (no trust)
qos type-of-service diff-services
(Enabling recognition of L3 QOS / DSCP code points)
vlan 1
   name data
   untagged a1-a20,b1-b20,c1-c24,d1-d24,e1-e24,f1-f24
   tagged a24,b24
   qos dscp 000000
vlan 2
   name voice
   tagged a1-a20,a24,b1-b20,b24,c1-c24,d1-d24,e1-e24,f1-f24
   qos dscp 101110
(Classification based on VLANs and overriding DSCP bits (Marking): 000000 = 0, 101110 = 46)
qos dscp-map 000000 priority 0 name BE
qos dscp-map 101110 priority 7 name EF
(Mapping of DSCP values for the queues)
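As an added example (not part of the HP deck), the Python below converts between the binary DSCP notation the ProCurve CLI uses on this slide and the decimal values found in RFCs and packet captures, computes the ToS byte a capture will display (EF 46 shows as tos 0xb8), and parses the slide's configuration to predict the DSCP and 802.1p priority a frame leaves with depending on the VLAN it arrived on. The configuration text is the slide's, laid out line by line; the packet values are constructed.

```python
"""DSCP in binary and decimal, the ToS byte and the ProCurve dscp-map (added example, not from the deck)."""
import re
from typing import Dict, Optional, Tuple

# The configuration from the slide, written out line by line (constructed layout).
SAMPLE_CONFIG = """\
qos type-of-service diff-services
vlan 1
   name data
   untagged a1-a20,b1-b20,c1-c24,d1-d24,e1-e24,f1-f24
   tagged a24,b24
   qos dscp 000000
vlan 2
   name voice
   tagged a1-a20,a24,b1-b20,b24,c1-c24,d1-d24,e1-e24,f1-f24
   qos dscp 101110
qos dscp-map 000000 priority 0 name BE
qos dscp-map 101110 priority 7 name EF
"""


def dscp_bits_to_int(bits: str) -> int:
    """'101110' -> 46 (EF); the CLI takes the six bits exactly as typed on the slide."""
    if not re.fullmatch(r"[01]{6}", bits):
        raise ValueError("DSCP must be exactly six binary digits")
    return int(bits, 2)


def dscp_to_bits(dscp: int) -> str:
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 0-63")
    return format(dscp, "06b")


def dscp_to_tos_byte(dscp: int) -> int:
    """DSCP is the upper six bits of the IP ToS/DS byte (ECN is the lower two),
    so EF 46 appears as tos 0xb8 in a packet capture."""
    return dscp << 2


def tos_byte_to_dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F


def parse_config(config: str) -> Tuple[Dict[int, int], Dict[int, Tuple[int, str]], bool]:
    """Return (VLAN -> DSCP written on its traffic, DSCP -> (802.1p priority, name),
    whether diff-services classification is enabled)."""
    vlan_mark: Dict[int, int] = {}
    dscp_map: Dict[int, Tuple[int, str]] = {}
    diffserv = False
    current_vlan: Optional[int] = None
    for raw in config.splitlines():
        line = raw.strip()
        m_vlan = re.match(r"^vlan (\d+)$", line)
        m_mark = re.match(r"^qos dscp ([01]{6})$", line)
        m_map = re.match(r"^qos dscp-map ([01]{6}) priority ([0-7]) name (\S+)$", line)
        if line == "qos type-of-service diff-services":
            diffserv = True
        elif m_vlan:
            current_vlan = int(m_vlan.group(1))
        elif m_mark and current_vlan is not None:
            vlan_mark[current_vlan] = dscp_bits_to_int(m_mark.group(1))
        elif m_map:
            dscp_map[dscp_bits_to_int(m_map.group(1))] = (int(m_map.group(2)), m_map.group(3))
    return vlan_mark, dscp_map, diffserv


def egress_marking(config: str, vlan: int) -> Tuple[int, Optional[int]]:
    """(DSCP, 802.1p priority) a frame arriving on `vlan` leaves with: the VLAN's 'qos dscp'
    rewrites the DSCP, and with diff-services enabled the dscp-map picks the 802.1p priority.
    The priority is None when the DSCP has no map entry or diff-services is not enabled."""
    vlan_mark, dscp_map, diffserv = parse_config(config)
    if vlan not in vlan_mark:
        raise KeyError(f"vlan {vlan} has no qos dscp setting")
    dscp = vlan_mark[vlan]
    priority = dscp_map[dscp][0] if diffserv and dscp in dscp_map else None
    return dscp, priority


if __name__ == "__main__":
    for v in (1, 2):
        dscp, prio = egress_marking(SAMPLE_CONFIG, v)
        print(f"vlan {v}: dscp {dscp} ({dscp_to_bits(dscp)}), tos 0x{dscp_to_tos_byte(dscp):02x}, 802.1p {prio}")
```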
8- Network Access Control
Deep Dive on NAC
Multi-user authentication on the same port: 802.1X – MAC auth. – WEB auth.
1. Secure authentication of IP phone and PC on a single connection: 802.1x – MAC – Web
2. LLDP-MED to auto-provision the phone with voice VLAN and QoS
3. LLDP-MED for detailed topology, phone inventory management, and location
4. Dynamic assignment of untagged data and tagged voice VLAN according to RFC 4675
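As an added example (not part of the HP deck), the Python below encodes and decodes the two RADIUS attributes RFC 4675 defines for point 4: Egress-VLANID (attribute 56, a 4-octet integer whose first octet is 0x31 for tagged or 0x32 for untagged, followed by 12 pad bits and the 12-bit VLAN ID) and Egress-VLAN-Name (attribute 58, "1" or "2" followed by the VLAN name). It then folds the attributes of one Access-Accept into the port policy a switch would apply, which for the two clients shown in the 802.1X output later in this section is a tagged voice VLAN 6 for the phone and an untagged data VLAN 3 for the Windows user. The Access-Accept contents are constructed; rejecting a second untagged VLAN is a design choice of this example, since a port has a single PVID.

```python
"""RFC 4675 Egress-VLANID / Egress-VLAN-Name encoding for multi-user 802.1X (added example, not from the deck)."""
from typing import Dict, List, Tuple

# RADIUS attribute types defined by RFC 4675 and the tag-indication octets.
EGRESS_VLANID, EGRESS_VLAN_NAME = 56, 58
TAGGED, UNTAGGED = 0x31, 0x32


def encode_egress_vlanid(vlan: int, tagged: bool) -> bytes:
    """4 octets: tag indication (0x31 tagged / 0x32 untagged), 12 zero pad bits, 12-bit VLAN ID."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    value = ((TAGGED if tagged else UNTAGGED) << 24) | vlan
    return value.to_bytes(4, "big")


def decode_egress_vlanid(data: bytes) -> Tuple[int, bool]:
    """Return (vlan, tagged); malformed values are rejected rather than guessed at."""
    if len(data) != 4:
        raise ValueError("Egress-VLANID value is 4 octets")
    value = int.from_bytes(data, "big")
    indication = value >> 24
    if indication not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indication 0x{indication:02x}")
    if (value >> 12) & 0xFFF:
        raise ValueError("pad bits must be zero")
    return value & 0xFFF, indication == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """String form: '1' + name for tagged, '2' + name for untagged."""
    return ("1" if tagged else "2") + name


def decode_egress_vlan_name(value: str) -> Tuple[str, bool]:
    if not value or value[0] not in "12":
        raise ValueError("Egress-VLAN-Name must start with 1 or 2")
    return value[1:], value[0] == "1"


def port_policy(attrs: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Fold the VLAN attributes of one Access-Accept into the policy a port would apply.
    A port has a single PVID, so a second untagged VLAN is rejected (design choice here)."""
    policy: Dict[str, object] = {"untagged": None, "tagged": []}
    for attr_type, data in attrs:
        if attr_type == EGRESS_VLANID:
            vlan, tagged = decode_egress_vlanid(data)
        elif attr_type == EGRESS_VLAN_NAME:
            vlan, tagged = decode_egress_vlan_name(data.decode())
        else:
            continue  # other attributes (Filter-Id, rate limits, ...) are not VLAN policy
        if tagged:
            policy["tagged"].append(vlan)
        elif policy["untagged"] is None:
            policy["untagged"] = vlan
        else:
            raise ValueError("more than one untagged VLAN in one Access-Accept")
    return policy


# Constructed Access-Accept contents for the two clients on the same port: the phone
# gets tagged voice VLAN 6, the Windows user gets untagged data VLAN 3.
PHONE_ACCEPT = [(EGRESS_VLANID, encode_egress_vlanid(6, tagged=True))]
PC_ACCEPT = [(EGRESS_VLANID, encode_egress_vlanid(3, tagged=False))]

if __name__ == "__main__":
    print("phone:", encode_egress_vlanid(6, True).hex(), port_policy(PHONE_ACCEPT))
    print("pc   :", encode_egress_vlanid(3, False).hex(), port_policy(PC_ACCEPT))
```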
Diagram: IDM with a user database (LDAP, AD, flat file) returns VLAN, QoS, ACL and rate-limit via RADIUS to the switch; multi-user authentication on the port per RFC 4675; LLDP-MED and IEEE 802.3af towards the phone.
Speaker notes:
More interest across EMEA in supporting the provisioning of location info in phones, for use in E-112 emergency calls.
The switch port is fixed when provisioned (unlike the phone/user), so it is the best place; LLDP-MED then communicates the info to the phone.
This is especially true when considering VoWiFi / PDA, where the best way is the wireless network controller.
• ProCurve working to extend LLDP-MED to support physical location suitable for use by WLAN and other wireless standards
------------------------
Legacy PBX
• E911 physical location corresponded to the phone number (static)
• Moving a phone required manual re-provisioning
IP Telephony Challenge
• Users can pick up phones and simply move them (just like a PC)
• Every access network, without exception, must provide a means to obtain location
• Self-reported location is notoriously inaccurate, especially for roaming or nomadic users
• LLDP-MED can enable automatic physical location acquisition, but
802.1X Multi-user Authentication with Cisco IP Phone and Windows PC

5406zl# show port-access authenticator a1 clients

 Port Access Authenticator Client Status

  Port Client Name             MAC Address   IP Address    Session Status
  ---- ----------------------- ------------- ------------- --------------
  a1   CP-7970G-SEP000F2322... 000f23-22ddaa n/a           Open
  a1   PROCURVE\aeinstein      0010a4-a75fc5 n/a           Open

5406zl# show port-access authenticator a1 clients detailed

 Port Access Authenticator Client Status Detailed

  Client Base Details :
   Port            : a1
   Session Status  : Open                    Session Time(sec) : 0
   Frames In       : 0                       Frames Out        : 0
   Username        : CP-7970G-SEP000F2322...
   MAC Address     : 000f23-22ddaa
   IP              : n/a
  Access Policy Details :
   COS Map         : 00000000                In Limit %        : 0
   Tagged VLANs    : 6                       Out Limit %       : 0
   RADIUS-ACL List : No Radius ACL List

  Client Base Details :
   Port            : a1
   Session Status  : Open                    Session Time(sec) : 0
   Frames In       : 0                       Frames Out        : 0
   Username        : PROCURVE\aeinstein
   MAC Address     : 0010a4-a75fc5
   IP              : n/a
  Access Policy Details :
   COS Map         : 00000000                In Limit %        : 0
   Untagged VLAN   : 3                       Out Limit %       : 0
   RADIUS-ACL List : No Radius ACL List
9- Layer 2 and Layer 3 interfaces
Layer-2 Interfaces
ProCurve:
Layer-2 port configuration:
vlan 1
   untagged a1
Enabled layer-2 protocols by default:
- HP stacking (on most switches)
- LACP passive (on some switches)
- LLDP
Cisco:
Layer-2 port configuration:
interface GigabitEthernet 1/20
 switchport
Enabled layer-2 protocols by default:
- Cisco DTP protocol
- Cisco VTP protocol
- Cisco PVST+ protocol
- Cisco CDP protocol
- Keepalive (on copper ports)
Layer-3 Interfaces
Diagram: ProCurve (Vlan100: 1.1.1.2) and Cisco (int g1/20: 1.1.1.1) connected over the transfer network 1.1.1.0/30; User Network 1 (2.2.2.0/24) behind the ProCurve, User Network 2 (3.3.3.0/24) behind the Cisco.
Layer-3 Interfaces
ProCurve:
Layer-3 port configuration:
vlan 100
   untagged a1
   ip address 1.1.1.2 255.255.255.252
Enabled layer-2 protocols by default:
- HP stacking (on most switches)
- LLDP
Layer-2 protocols to be disabled per port if globally enabled:
Spanning-tree:
(config)# spanning-tree a1 bpdu-filter
GVRP:
(config)# interface a1
(config-eth-a1)# unknown-vlans disable
On the ProCurve a separate VLAN needs to be created for the layer-3 transfer subnet.
Cisco:
Layer-3 port configuration:
interface GigabitEthernet 1/20
 no switchport
 ip address 1.1.1.1 255.255.255.252
Enabled layer-2 protocols by default:
- Cisco CDP protocol
- Keepalive (on copper ports)
10- IP Routing
OSPF
Diagram: ProCurve (Vlan1: 1.1.1.1) and Cisco (int Vlan1: 1.1.1.2) in OSPF area 0 over the transfer network 1.1.1.0/30; User Network 1 (2.2.2.0/24) behind the ProCurve, User Network 2 (3.3.3.0/24) behind the Cisco.
OSPF
ProCurve:
router ospf
   area 0
interface loopback 1
   ip address 99.99.99.1
   ip ospf 99.99.99.1 area 0
vlan 1
   ip address 1.1.1.1 255.255.255.0
   ip ospf 1.1.1.1 area 0
   ip ospf cost 10
vlan 2
   ip address 2.2.2.1 255.255.255.0
   ip ospf 2.2.2.1 passive
   ip ospf 2.2.2.1 area 0
   ip ospf cost 10
Cisco:
router ospf 1
 passive-interface Vlan3
 network 1.1.1.2 0.0.0.0 area 0
 network 3.3.3.1 0.0.0.0 area 0
 network 99.99.99.2 0.0.0.0 area 0
interface Loopback1
 ip address 99.99.99.2 255.255.255.255
 ip ospf cost 10
interface Vlan1
 ip address 1.1.1.2 255.255.255.0
 ip ospf cost 10
interface Vlan3
 ip address 3.3.3.1 255.255.255.0
 ip ospf cost 10
OSPF differences
• Cisco: to be enabled with a network statement globally; ProCurve: to be enabled on the VLAN
• Redistribution differences
• ProCurve: always NBMA
• Cisco: highest loopback IP used as router ID; ProCurve: lowest loopback IP used as router ID
• ProCurve: loopback always /32 mask
• ProCurve: OSPF link cost is "1" by default (same on Cisco VLAN interfaces)
ACL on ProCurve
ProCurve OS supports
• Standard & Extended ACL
• Numbered (1-99, 100-200) & Named ACLs
• Routed ACL (applied to inbound and outbound routed traffic)
• VLAN ACL (applied to inbound switched traffic)
• Static and Dynamic Port ACL (applied to inbound switched traffic)
Diagram: VLAN ACL and Port ACL apply at L2; Routed ACL applies at L3.
ACL on ProCurve
ACL example
ProCurve(config)# ip access-list extended visitors
ProCurve(config-acl)# deny ip any 10.0.0.0/8
ProCurve(config-acl)# permit udp any any eq dns
ProCurve(config-acl)# permit tcp any any eq http
ProCurve(config-acl)# deny ip any any log
ProCurve(config-acl)# exit
ProCurve(config)# vlan 100 ip access-group visitors in
Manage ACL on ProCurve
ACL entries are numbered.
ProCurve(config)# show access-list config
ip access-list extended "visitors"
10 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.0.0.255
20 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq dns
30 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq http
40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
Sequence numbers can be changed and used for insertion and removal.
E.g.: Insert an entry (numbers are assigned in steps of 10)
ProCurve(config-acl)# 5 permit ip any host 10.1.234.172
ProCurve(config-acl)# 25 remark "permit dns and http"
E.g.: Remove an entry
ProCurve(config-acl)# no 20
Create ACL Offline and load it to Running config
For a large ACL use the offline method to edit your ACL:
1. Move your existing ACL, if any, to a TFTP server:
ProCurve# copy command-output 'show access-list config' tftp 10.1.1.100 acl02.txt pc
2. Edit the ACL offline using a text (.txt) file format
3. Use TFTP to load the offline ACL into the switch's running-config:
ProCurve(config)# copy tftp command-file 10.10.10.1 acl02.txt pc
Running configuration may change, do you want to continue [y/n]? Y
Conclusion
Interoperability works!
• VLAN interoperability is quite easy to manage
• For link aggregation use no protocols or LACP
• Pay special attention to Spanning-Tree
  – Prefer MSTP whenever possible
  – Or Rapid-PVST on Cisco with RSTP/MSTP on ProCurve
  – Make sure VLAN 1 is allowed on Cisco trunks
• IP routing protocols interoperate
For further interoperability questions
For further questions about Cisco to ProCurve interoperability projects, please contact:
- in every EMEA country: the ProCurve EMEA Technical Consultants
- in EMEA: Jean-Ma�urice Mérel, CCIE # [email protected] +33 6 86 46 64 90