
Archive for the ‘HP Procurve’ Category

1-Port Power Injectors @ 1Gbps

April 27th, 2010

Recently I ran into an issue when the need arose to provide temporary wireless connectivity for a single room in one of our buildings.

 

The task was easy enough: use one of our spare HP MSM422 access points along with a 1-port power injector since this building has older (non-PoE) switching equipment. Against my better judgement I told my boss I was going to run and install the AP after one of our meetings, because it “wouldn’t take more than a few minutes”. Past experiences have told me never to put a short time limit on any task (no matter how simple). I had already tested and provisioned the AP at my desk and I was confident in my ability to properly connect a few cables.

The problem was an interesting one as the AP was getting power from the power injector but it was not able to communicate with the controller to grab its config and other needed information. After 10 minutes of troubleshooting the AP at the remote building, I decided to bring the equipment back to the lab and see what was causing this issue. After working in the lab for a few minutes, the cause was clear and painfully simple.

The power injector I was using was one that we purchased from HP Procurve three or four years back. I could not locate the old part number, however when you order a 1-port power injector from HP they ship injectors made by PowerDsine. The particular model all of my testing was performed with was a 3001.

It turns out that this particular power injector has trouble with 1Gbps switchports. If you look at the switchport that the injector’s data port connects to, you will notice that the link is never established. The way around this is to manually set the switchport that is being used with the injector to 100Mbps or 10Mbps.

Additionally, the current HP Procurve 1-port power injector (HP Part # J9407A) uses PowerDsine model number 3001G, which according to the documentation does support 1Gbps ports.


Procurve Switch Recovery with Xmodem

January 25th, 2010

Over the long weekend, I caught up on some much needed network maintenance at several of our buildings. I was able to upgrade most of the switch software without any trouble, but there is only that one bad apple!

The culprit switch started acting odd after I copied the current software image (which was stable for months) from primary to secondary flash. After doing so, the option to download a new image from TFTP was not available. A reboot left me with a switch that was still moving traffic and showed as “Up” in our NMS, but I was unable to remotely manage the switch via SSH or Telnet.

On my way home, I stopped by the building where the trouble switch was located thinking I could fix the issue quickly. After about 15 minutes of trying various methods of transferring a new image onto the switch (including TFTP and USB), I resorted to using Xmodem.

Xmodem is a last resort method of bringing a switch back from a usually inoperable state. The process below details a few ways to use Xmodem with an HP Procurve 5400zl switch.

The first topic you need to know is baud rate, and what type of impact it has on your transfer speeds when using Xmodem. The console port on most network equipment is set to a baud rate of 9600. This is fine for most normal console management needs. However, if you try to transfer an image using that standard baud rate, you are going to be waiting for a while!

In both scenarios below, I set the baud on the console port of the switch to 115200 (the maximum in the case of the switch I was using). The difference it made was clear from the transfer time estimates. At 9600 baud, it was estimated that the 10MB image would take 3.5 hours to transfer. At 115200 baud the same image only took 40 minutes. 40 minutes is still a long time compared to the transfer times of TFTP or SCP, but it is the lesser of two evils in this case.

Xmodem within Software

Your first option for transferring a software image is to use Xmodem after the switch has fully booted the current software image. The image on my switch was in a broken but semi-functional state, so I was able to attempt this.

First enter configuration mode and set the baud rate on the console port.

configure terminal

console baud-rate 115200

Save the configuration and reboot the switch (This is required for the baud rate change to take effect).

write memory

reload

While the switch begins to reboot, terminate your current console session and start a new one using the new baud rate (115200 in this case). Don’t be alarmed if you do not see the usual information scrolling across the screen as your switch boots. Eventually you will again be presented with your usual login prompt.

Once you have logged into the switch, issue the copy command. The command below tells the switch to download the image from Xmodem and write it to the primary flash storage.

copy xmodem flash primary

If this is successful, reboot your switch and ensure it boots the new image properly. To ensure your switch boots from primary flash storage, issue the following command:

boot system flash primary

After you are done, be sure to reset the baud rate on the console to 9600 and then reboot the switch again.

configure terminal

console baud-rate 9600

write memory

reload

Xmodem from RoMon

In my case, I was not able to successfully transfer an image using the previous method because of the broken state of the software image. For this reason, I resorted to using RoMon.

RoMon mode must be selected before your switch begins to boot the software image. In the case of the 5400zl, RoMon mode is option “0” on the boot screen.

Once you enter RoMon mode, you will be presented with a prompt. The first thing you want to do is set the baud rate on the console port using the sp command.

sp 115200

After doing this, you will need to restart your console session using the new baud rate.

Now, issue the “do” command to initiate the download utility (you will be prompted to confirm).

do to start download utility

After you confirm, you can initiate the Xmodem transfer using your console program of choice. Since I was using SecureCRT, I used the “Transfer” menu to select “Send Xmodem”. After doing so, the transfer process will begin. Once the transfer completes, the image will be verified and then saved to the flash location you choose. If everything works, the switch will reboot using the new image.


802.1q Trunks for Cisco & Procurve Switches

November 2nd, 2009

The first thing I would like to do is clarify that this article discusses how to configure an 802.1q VLAN trunk between a Cisco switch and an HP Procurve switch. From here on out any references to trunking refer to an 802.1q tagged VLAN trunk. I am making that distinction now because in the Procurve world trunking refers to a feature similar to Cisco’s Etherchannel.

In a mixed vendor network, consisting of both Cisco and HP Procurve switches, it is important to keep traffic to and from multiple VLANs flowing. In any environment trunks, or tagged VLAN links, are an integral part of keeping that traffic moving. This can be a source of confusion since Cisco and HP handle the tagging of VLANs a bit differently. In my opinion Cisco handles 802.1q trunks in an easier to manage way; however the method used by Procurve switches is simple once you are familiar with the process.

The trunk between a Cisco and HP Procurve switch must be of the 802.1q variety. ISL trunks will not work because ISL is a Cisco proprietary encapsulation. I rarely see ISL in use these days, and I personally consider 802.1q the preferred method of encapsulation if for no other reason than its interoperability.

I will focus on the configuration of the trunks on each switch; if you need a refresher on how to configure VLANs on Cisco or Procurve switches consult the documentation for your switches. Once you have configured all of the needed VLANs it is time to configure the trunk on the Cisco switch using the following commands:

3550-02(config)#interface fa0/48
3550-02(config-if)#switchport mode trunk
3550-02(config-if)#switchport trunk allowed vlan all
3550-02(config-if)#no shutdown
3550-02(config-if)#exit

Here interface number 48 is the trunk port on the Cisco switch. After entering interface sub-configuration mode, the port mode is changed to “trunk” (the default is access). Next, it’s a good idea to set what VLANs you want to allow across the trunk. Here I used the “all” option, but for security reasons you may wish to specifically list the VLANs you use in your environment. Finally, you want to make sure the interface is not in a shutdown state because that would not allow the traffic to flow (ask me how I know)!

Procurve switches, much like their Cisco counterparts, can have a VLAN either tagged or untagged on any particular port. The configuration of this tagging varies a bit as shown in the configuration below.

HP ProCurve Switch 3400cl-24G(config)# vlan 4
HP ProCurve Switch 3400cl-24G(vlan-4)# tagged 24
HP ProCurve Switch 3400cl-24G(vlan-4)# exit

The “vlan 4” command drops you into VLAN sub-configuration mode. Here the “tagged 24” command is used to tell the switch to encapsulate any packets on port 24 that originate from VLAN 4. As may already be obvious, port 24 will be the trunk port on the HP switch. Below is the command that is used to accomplish the same for VLAN 5.

HP ProCurve Switch 3400cl-24G(config)# vlan 5
HP ProCurve Switch 3400cl-24G(vlan-5)# tagged 24
HP ProCurve Switch 3400cl-24G(vlan-5)# exit

The next step is to connect the trunk ports on each switch using the appropriate network cable. Issue the “show interfaces fa0/48 trunk” command on the Cisco switch to verify the trunk has been established. You should see output similar to what is displayed below.

3550-02#show interfaces fa0/48 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/48      on               802.1q         trunking      1

Port            Vlans allowed on trunk
Fa0/48      1-4094

Port            Vlans allowed and active in management domain
Fa0/48      1,4-5

Port            Vlans in spanning tree forwarding state and not pruned
Fa0/48      1,4-5

The key here is that you want the status to read “trunking”. This will indicate that the trunk has been successfully established.
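As an added example (my own code, not part of the original post), the following Python parses the “show interfaces fa0/48 trunk” output shown above and checks it against the two points made earlier: the status must read “trunking”, and a trunk left at “allowed vlan all” should be pruned to the VLANs the far end actually needs. The sample output is re-typed from the post; the expected VLAN list (1, 4, 5) is assumed from the post's setup.

```python
# Constructed sample: the "show interfaces fa0/48 trunk" output from the post,
# re-typed here as input for the parser (not captured from a live switch).
SAMPLE_TRUNK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/48      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/48      1-4094

Port        Vlans allowed and active in management domain
Fa0/48      1,4-5

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/48      1,4-5
"""


def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '1,4-5' or '1-4094' into sorted ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return sorted(vlans)


def parse_trunk_output(text):
    """Parse 'show interfaces <if> trunk' output into {port: info}.

    The output is four tables, each introduced by a header line that starts
    with 'Port'; every data row under a header starts with the port name.
    """
    tables = []
    for line in text.splitlines():
        if line.startswith("Port"):
            tables.append([])
        elif line.strip() and tables:
            tables[-1].append(line.split())
    if len(tables) != 4:
        raise ValueError("expected 4 tables, found %d" % len(tables))

    ports = {}
    for cols in tables[0]:  # Port, Mode, Encapsulation, Status, Native vlan
        ports[cols[0]] = {
            "mode": cols[1],
            "encapsulation": cols[2],
            "status": cols[3],
            "native_vlan": int(cols[4]),
        }
    for key, table in (("allowed", tables[1]),
                       ("active", tables[2]),
                       ("forwarding", tables[3])):
        for cols in table:
            # A row with no VLAN list has only the port column; treat as empty.
            ports[cols[0]][key] = expand_vlan_list(cols[1]) if len(cols) > 1 else []
    return ports


def audit_trunk(info, expected_vlans):
    """Return findings for one parsed trunk port.

    expected_vlans: the VLANs meant to cross this trunk (assumed here to be
    VLANs 4 and 5 plus the native VLAN 1, as in the post).
    """
    findings = []
    if info["status"] != "trunking":
        findings.append("status is %r, not 'trunking'" % info["status"])
    if info["encapsulation"] != "802.1q":
        findings.append("encapsulation is %r; the Procurve side only speaks 802.1q"
                        % info["encapsulation"])
    allowed = set(info["allowed"])
    expected = set(expected_vlans)
    if len(allowed) == 4094:
        # 'switchport trunk allowed vlan all' is in effect: every VLAN on the
        # switch can cross this link, not just the ones the far end needs.
        findings.append("all 4094 VLANs allowed; restrict with "
                        "'switchport trunk allowed vlan %s'"
                        % ",".join(str(v) for v in sorted(expected)))
    elif allowed - expected:
        findings.append("unexpected VLANs allowed: %s" % sorted(allowed - expected))
    missing = expected - set(info["active"])
    if missing:
        findings.append("expected VLANs not active on this switch: %s" % sorted(missing))
    return findings
```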

Next test connectivity between two hosts that are in the same VLAN, but on different switches. In this case I assigned IP addresses directly to the VLAN interface on each switch. Here is the IP address layout I used.

Cisco 3550

  • VLAN 4: 172.16.1.1/24
  • VLAN 5: 172.16.2.1/24

HP 3400

  • VLAN 4: 172.16.1.2/24
  • VLAN 5: 172.16.2.2/24

Below is ping output from the Cisco switch after issuing a ping command to both VLAN interfaces on the HP switch:

3550-02#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

3550-02#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1000 ms

Now, here is the ping output from the HP switch after issuing a ping command to both of the VLAN interfaces on the Cisco switch.

HP ProCurve Switch 3400cl-24G# ping 172.16.1.1
172.16.1.1 is alive, time = 1 ms

HP ProCurve Switch 3400cl-24G# ping 172.16.2.1
172.16.2.1 is alive, time = 1 ms

As you can see, configuration of 802.1q trunks between Cisco and HP Procurve switches is not overly complicated. The key is to test connectivity to ensure that traffic is flowing as it should. In larger environments it could be a bit cumbersome to manage a large number of tagged VLANs on a Procurve switch. If things are not working, double check your config on both ends. Many times I find that it is easy to forget a tagged command on the HP side of things.


Rancid & HP Procurve Equipment

October 12th, 2009

The underlying goal at work this month is to get some much needed insight and auditing abilities into our network. I have looked at Rancid before, and after doing some research I finally decided to take the plunge and implement it into our network.

The steps below assume that you are running Ubuntu Server 8.04.3 LTS i386 with a standard LAMP installation. They may work with other Debian based distributions, but your mileage may vary. For this installation I will be using Rancid version 2.3.2, which is the current stable release at the time that I wrote this article. I encourage you to check the Shrubbery web site and get the latest release that is available. Additionally, this article will go into a bit more detail about using Rancid with various HP Procurve equipment.

It would be a lie to say I figured out all of these steps on my own. Some of it was trial and error, other information I found in various places on the Internet. Tweets from Jeremy over at Evil Routers gave me the needed insight on editing the hrancid file to support some of the newer Procurve equipment.

Rancid Installation

After your base LAMP system is installed, you need to install some packages that are required to install and run rancid. You can combine these commands into one line, but I broke them out into two lines to show that the second line begins the actual Rancid dependencies.

apt-get install gcc make libc6-dev
apt-get install expect cvs

Next, create a user that will run Rancid. This user’s home directory will be used as the install path and CVS repository for Rancid. For simplicity’s sake I have used the user name “rancid”, but you can use anything.

adduser --home /home/rancid rancid

Download the latest rancid source archive using wget.

wget ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2.tar.gz

Copy the archive to /usr/src and extract the contents.

cp rancid-2.3.2.tar.gz /usr/src
cd /usr/src
tar xvfz rancid-2.3.2.tar.gz
cd rancid-2.3.2

Configure and install Rancid. Note that we are providing arguments for specific installation directories.

./configure --prefix=/home/rancid --localstatedir=/home/rancid/var/rancid
make install

Since the previous commands were issued by the root user, we need to change ownership of /home/rancid back to the rancid user.

chown -R rancid:rancid /home/rancid

Rancid Configuration

Edit /home/rancid/etc/rancid.conf and look for the following line (which is probably commented out):

LIST_OF_GROUPS=""

There will probably be text between the quotes which you will delete. The group names you provide will be your CVS groups, and will translate into folders when viewing the repository with CVSweb. In my case I chose to create a group for each building I manage. Once everything is running, each building’s folder will contain the network devices in that building as well as their configuration files. Below is an example of a list of groups. Each group is separated from the previous group name with a space.

LIST_OF_GROUPS="Philadelphia Boston Miami Burbank"

Edit the /home/rancid/.cloginrc file. This contains the login information for your switches. If you use AAA/RADIUS to authenticate users that manage network equipment, your job is easy. All you have to do is provide a username and password for every device like so:

add user * {ranciduser}
add password * {ranciduserpassword}
add autoenable * 1

The first two lines are self-explanatory. The asterisk is a wild card meaning all or every device. The last line tells Rancid that the authentication information provided automatically drops the user into enable mode.

Since the cloginrc file contains passwords, you want to change its permissions to ensure only the rancid user can access this file.

chmod 600 .cloginrc
chown rancid:rancid .cloginrc

Now we run the rancid-cvs command, which will create the CVS groups based on the “LIST_OF_GROUPS” we created earlier. It is important that you run this command as the rancid user.

su - rancid
/home/rancid/bin/rancid-cvs

Next, edit the router.db files for each group. There is a separate router.db file for each group. The groups are located in the /home/rancid/var/rancid directory (each group has its own folder). The router.db files tell rancid the IP address or hostname of the device, the device manufacturer, and the status of the device. For example:

192.168.1.2:hp:up

If you use a hostname instead of an IP address, be sure the server running Rancid is able to resolve the hostnames. For newer HP Procurve devices, you will set the manufacturer to “hp”. This works for 5400zl and 8200zl models as well as older model stackables (3400, 2524, etc). If you have a switch that was manufactured by Foundry, such as the Procurve 9308, set the manufacturer to “foundry”. Rancid will only process the device if the status is set to “up”. Any other status will cause the device to be skipped.

Edit hrancid File

The newer Procurve models no longer support the “show system-information” command; it has been changed to “show system”. Luckily this command is specific enough that when it is issued on older switches that still use “show system-information”, it translates properly. In order to support the newer switches, we need to edit the “hrancid” file located in /home/rancid/bin. Once you have the file open, look for the following block of code:

@commandtable = (
{'show version'                 => 'ShowVersion'},
{'show flash'                   => 'ShowFlash'},
{'show system-information'      => 'ShowSystem'},
{'show system information'      => 'ShowSystem'},
{'show module'                  => 'ShowModule'},
{'show stack'                   => 'ShowStack'},
{'write term'                   => 'WriteTerm'}
);

You need to change “show system-information” to “show system”. The “show system information” line does not need to be modified.

Run Rancid

Now we will run Rancid for the first time. Again, we are going to need to do this as the rancid user. Be patient, as this command can take some time to complete if you have a large number of devices.

su - rancid
/home/rancid/bin/rancid-run

Install & Configure CVSweb

CVSweb will provide a web interface where you can view the configuration files for your network devices in addition to performing diffs on the files to see what has changed. Installing CVSweb is simple.

apt-get install cvsweb

After the installation is complete, edit the /etc/cvsweb/cvsweb.conf file to point CVSweb to your Rancid CVS repository.

@CVSrepositories = (
#'local' => ['Local Repository', '/var/lib/cvs'],
'MNSD' => ['MNSD Devices', '/home/rancid/var/rancid/CVS'],
);

I usually comment out the “local” line with a pound, just to make navigation a bit easier (since in my case the local repository is not used).

Create a link in the www directory that points to the location of the CVSweb icons.

ln -s /usr/share/cvsweb /var/www/cvsweb

You can now access your repository using the following URL: http://YOUR_SERVER/cgi-bin/cvsweb

Rancid Automation

Now that everything is working properly, we want to make sure Rancid runs automatically every so often. We will do this by editing the /etc/crontab file and adding the following lines.

1 12,23 * * *    rancid    /home/rancid/bin/rancid-run
50 23 * * *    rancid    /usr/bin/find /home/rancid/var/rancid/logs -type f -mtime +2 -exec rm {} \;

The first line runs Rancid at 12:00 PM and 12:00 AM. Carefully choose your intervals, because the number of devices you are running Rancid against and the size of the config on each device will increase the run time. The second line periodically clears the configuration differ log files.

There you have it! You should now have a working version of Rancid!
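Before the first rancid-run, it is worth checking the pieces set up above. The following is an added Python example (my own, not part of Rancid or this post) that validates router.db entries the way rancid reads them (host:vendor:status, only “up” devices polled), confirms .cloginrc is mode 0600 and owned by the rancid user, and reports whether the hrancid commandtable edit is still outstanding. The sample files, the vendor set (only the “hp” and “foundry” names used in this post) and the temp directory layout are constructed for the demo.

```python
import os
import stat
import tempfile

# Vendor names this post uses in router.db; extend with the other device types
# your rancid release supports before running this against a real install.
KNOWN_VENDORS = {"hp", "foundry"}

# Constructed sample files (not copied from a real Rancid installation).
SAMPLE_ROUTER_DB = {
    "Philadelphia": "192.168.1.2:hp:up\n192.168.1.3:foundry:up\n",
    "Boston": "core-bos.example.com:hp:down\n"  # skipped: status is not 'up'
              "10.0.0.5:procurve:up\n"          # not a vendor name rancid knows
              "10.0.0.6;hp;up\n",               # wrong field separator
}
SAMPLE_HRANCID = """\
@commandtable = (
{'show version'                 => 'ShowVersion'},
{'show system-information'      => 'ShowSystem'},
{'show system information'      => 'ShowSystem'},
);
"""


def parse_router_db(text):
    """Return (entries rancid will poll, problems) for one router.db file."""
    active, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            problems.append("line %d: expected host:vendor:status, got %r" % (lineno, line))
            continue
        host, vendor, status = fields
        if vendor not in KNOWN_VENDORS:
            problems.append("line %d: unknown vendor %r for %s" % (lineno, vendor, host))
        elif status != "up":  # anything but 'up' makes rancid skip the device
            problems.append("line %d: %s skipped (status %r)" % (lineno, host, status))
        else:
            active.append({"host": host, "vendor": vendor})
    return active, problems


def check_cloginrc(path, rancid_uid):
    """Flag a .cloginrc (it holds passwords) that anyone but rancid can read."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode != 0o600:
        problems.append("%s has mode %o, expected 0600" % (path, mode))
    if st.st_uid != rancid_uid:
        problems.append("%s is owned by uid %d, not the rancid user" % (path, st.st_uid))
    return problems


def check_hrancid(text):
    """Report whether the commandtable edit described above is still needed."""
    if "'show system-information'" in text:
        return ["hrancid still issues 'show system-information'; change it to 'show system'"]
    return []


def build_sample_tree():
    """Write the constructed files into a temp dir laid out like /home/rancid."""
    root = tempfile.mkdtemp(prefix="rancid-demo-")
    for group, content in SAMPLE_ROUTER_DB.items():
        group_dir = os.path.join(root, "var", "rancid", group)
        os.makedirs(group_dir)
        with open(os.path.join(group_dir, "router.db"), "w") as fh:
            fh.write(content)
    cloginrc = os.path.join(root, ".cloginrc")
    with open(cloginrc, "w") as fh:
        fh.write("add user * {ranciduser}\nadd password * {secret}\nadd autoenable * 1\n")
    os.chmod(cloginrc, 0o644)  # deliberately too open, so the check has something to find
    return root


def audit(root, rancid_uid=None):
    """Run the checks over a rancid home directory; returns {check: problems}."""
    uid = os.getuid() if rancid_uid is None else rancid_uid
    report = {"cloginrc": check_cloginrc(os.path.join(root, ".cloginrc"), uid)}
    base = os.path.join(root, "var", "rancid")
    for group in sorted(os.listdir(base)):
        with open(os.path.join(base, group, "router.db")) as fh:
            report["router.db/" + group] = parse_router_db(fh.read())[1]
    return report


def demo():
    """Audit the sample tree, tighten .cloginrc as the post does, audit again."""
    root = build_sample_tree()
    before = audit(root)
    os.chmod(os.path.join(root, ".cloginrc"), 0o600)
    return before, audit(root)
```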


Procurve Network & IP Telephony

July 11th, 2009

IP Telephony is something that every network administrator is going to run into at some point in time. Its many features really do help reduce costs across the board. Having a unified network that carries voice and other data services reduces cabling, equipment, and maintenance costs just to name a few. Even with the popularity of IP telephony there are many organizations out there that have yet to take the plunge. This further increases the chances that you will find yourself working as part of a telephony project at some point.

If your company has a network with all Cisco devices and a Cisco IP telephony system has been chosen, everything seems straightforward. Cisco is going to make sure their products work well together; otherwise they’re going to have a tough time marketing their telephony system to current Cisco customers. Concerns arise when you have a mixed vendor environment. Will it work? How do the switches need to be configured?

If you have an HP Procurve based network, Procurve has you covered with their interoperability guides. These guides detail how to get phones from various vendors to work with Procurve networking equipment. The guides are very detailed covering configuration of the phones, the switching equipment, and even Call Manager (In the case of Cisco). Each section of the guide includes screen shots of any web interfaces as well as command prompt output you may encounter along the way.

If you are planning to run an IP telephony system on top of HP Procurve gear, these guides will be your source of knowledge more than a few times!

Thanks to “procurvehelp” on Twitter for posting a link to these documents!


Local Port Security

July 9th, 2009

In some cases you can use a RADIUS server to perform port authentication based on the MAC address of the connecting device. In other cases the port usage may remain static, but you still may want to lock down the ports without going through the process of configuring a RADIUS server. The ‘port-security’ command can be used to lock down ports without the need for a RADIUS server or even knowing the MAC address of the computers that will connect to the port.

Where would this be useful? At work I use this to secure ports in our computer labs. In the labs the desktops stay in one place. In this situation, seeing multiple MAC addresses through any port (except for the uplink port) would indicate that either someone set up a rogue switch/hub or a game of musical computers is being played. This particular command allows me to set the maximum number of MAC addresses allowed through a port to one.

The command that makes all of this happen is ‘port-security’. Here is an example of a command that I use in our computer labs at work:

port-security 1-20 address-limit 1 learn-mode static action send-disable

Breaking the command down into sections makes it easier to understand:

‘port-security 1-20’ – Apply the command and all of the following options to ports 1 through 20. A single port or group of ports can be specified in addition to a range.

‘address-limit 1’ – Set the number of MAC addresses that can gain access through the switch port(s). Most HP switches support an address limit of up to about 38.

‘learn-mode static’ – This configures how the switch will learn or know the MAC addresses that are allowed to gain access through the port(s).

‘action send-disable’ – This sets the action to be taken once the threshold defined by ‘address-limit’ is crossed. ‘send-disable’ sends an error message and disables the port.

My preferred option for ‘learn-mode’ is static. In this case I do not predefine any MAC addresses, which leaves many people wondering how the switch knows which MAC addresses to allow through which ports. When the above command is first issued, the switch doesn’t know that information. With the ‘learn-mode static’ option the switch will take the first source MAC address it sees on a port and assign that MAC address as an authorized MAC address for that particular port. This process is repeated for each port in this case. The picture below illustrates this process so that it is easier to understand.

[Image: Port-Security]

Our basic training has told us that when you first take a switch out of the box it is a blank slate. For the sake of explanation we are going to assume this for our scenario. We are also going to assume that the previously discussed ‘port-security’ command has been applied to interfaces one thru twenty. You connect Computer A to interface one of the switch. Soon after that Computer A sends a packet which enters the switch through interface one. The switch reviews the packet and one of the steps it takes is to add the source MAC address (AAAAAA-AAAAAA) to its MAC address table. This accomplishes multiple things at once. First it now tells the switch which interface Computer A is attached to, which allows more efficient forwarding of packets destined for Computer A. This MAC address table is also used by the ‘port-security’ command to determine if another computer should be allowed to gain access to the network through that port.

If some black hat comes by and connects their laptop to interface one, the switch will now see a new source MAC address attached to the packets. In this case the ‘address-limit’ was set to one, and the switch already has one MAC address associated with port one in its MAC address table. This means that the switch will take the ‘send-disable’ action, disabling the interface.

There you have it! This is a quick and easy way to add another layer of security to your network! I caution you to use this command wisely, as using it in the wrong situation could make you one unpopular network administrator!

As always consult the manual for your HP Procurve switch for the exact command syntax.
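The learning and lock-out sequence described above, as an added Python model (my own illustration, not code from the post or from HP): it parses the port-security command shown earlier, then replays the Computer A / second-laptop scenario on port 1 with constructed MAC addresses. Only learn-mode static and the send-disable action are modelled, as the post describes them; other actions are treated as block-only.

```python
def parse_port_range(spec):
    """Expand a Procurve port spec such as '1-20', '5' or '1-3,7' into a list."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def parse_port_security(command):
    """Parse 'port-security <ports> address-limit N learn-mode M action A'."""
    tokens = command.split()
    if tokens[0] != "port-security" or len(tokens) % 2 != 0:
        raise ValueError("unexpected command: %r" % command)
    options = dict(zip(tokens[2::2], tokens[3::2]))
    missing = {"address-limit", "learn-mode", "action"} - set(options)
    if missing:  # the model needs all three spelled out, as in the post's command
        raise ValueError("options not given: %s" % sorted(missing))
    return {
        "ports": parse_port_range(tokens[1]),
        "address_limit": int(options["address-limit"]),
        "learn_mode": options["learn-mode"],
        "action": options["action"],
    }


class PortSecuritySwitch:
    """Model of 'learn-mode static' port security as the post describes it.

    The first address-limit source MACs seen on a secured port become its
    authorized list; any further MAC is an intrusion handled by the action.
    """

    def __init__(self, config):
        if config["learn_mode"] != "static":
            raise ValueError("only learn-mode static is modelled here")
        self.limit = config["address_limit"]
        self.action = config["action"]
        self.authorized = {port: [] for port in config["ports"]}
        self.disabled = set()
        self.log = []

    def receive_frame(self, port, src_mac):
        """Process one ingress frame and return what the switch did with it."""
        if port in self.disabled:
            return "dropped"          # stays down until an admin re-enables the port
        if port not in self.authorized:
            return "forwarded"        # port-security not applied (e.g. the uplink)
        macs = self.authorized[port]
        if src_mac in macs:
            return "forwarded"
        if len(macs) < self.limit:
            macs.append(src_mac)      # first MAC seen is learned as the authorized one
            self.log.append(("learned", port, src_mac))
            return "learned"
        self.log.append(("intrusion", port, src_mac))
        if self.action == "send-disable":
            self.disabled.add(port)   # error message is sent and the port goes down
            return "disabled"
        return "dropped"              # other actions block the frame without disabling

    def enable_port(self, port):
        """Administrative re-enable after send-disable; the learned MAC is kept."""
        self.disabled.discard(port)


def run_scenario():
    """Replay the post's scenario; returns ([(port, mac, result)...], event log)."""
    switch = PortSecuritySwitch(parse_port_security(
        "port-security 1-20 address-limit 1 learn-mode static action send-disable"))
    frames = [  # constructed MAC addresses
        (1, "AAAAAA-AAAAAA"),   # Computer A plugs into port 1 and sends a packet
        (1, "AAAAAA-AAAAAA"),   # Computer A again: already authorized
        (2, "CCCCCC-CCCCCC"),   # another lab machine on port 2 is learned separately
        (1, "BBBBBB-BBBBBB"),   # a laptop swapped onto port 1: limit of one exceeded
        (1, "AAAAAA-AAAAAA"),   # even Computer A is cut off now: port 1 is disabled
        (24, "DDDDDD-DDDDDD"),  # port 24 is outside 1-20, so it is not secured
    ]
    results = [(port, mac, switch.receive_frame(port, mac)) for port, mac in frames]
    return results, switch.log
```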


Local Port Mirroring

April 23rd, 2009

Port/Traffic mirroring is a tool that you will quickly learn to love as a network administrator. The process of port mirroring copies the traffic from the source port to the destination/exit port. Usually the source port has the traffic of interest, and the exit port usually has some sort of network monitoring tool attached (such as a laptop running Wireshark).

Today I am going to detail the process of configuring local port mirroring on a switch. The act of local port mirroring copies the traffic from one port to another port on the same switch. It is possible to redirect the traffic from the source port to a port on another switch (This is called remote mirroring), but this will be covered in another article.

Local port mirroring can be configured with two commands. The first command defines the mirroring session (you can have up to four per switch), as well as the exit port (the port to which the traffic should be mirrored). The following is an example of this command:

mirror 1 port A2

The mirror session number can be any number from one to four. Obviously the exit port can be any port on the switch, as long as it’s not the same as the source port.

Next the interface command is used to configure the source interface. Below is an example command:

interface A1 monitor all both mirror 1

The interface that is specified is the source interface. Next, the “monitor all both” command specifies to monitor all traffic in both directions (in and outbound). You have the option to change “both” to just “in” or “out”. Finally, you specify the mirror session that the traffic should be copied to. The session number should be the same number that you used in the previous “mirror” command.

This covers basic configuration of local port mirroring. With these commands you will be able to quickly configure a local mirroring session for troubleshooting. As with anything, refer to the manual for your switch for further configuration options.

Future articles will cover applying ACLs to mirroring sessions, as well as configuring remote mirroring sessions.


Procurve, BackupExec, & Other Fun

March 22nd, 2009

The lack of updates here recently has been compounded by a number of issues. The first of these issues is my “9-5”, which can be anything from an “8-4”, a “7-7” or anything in between. Many times going home simply means I go home only to VPN in and complete some tasks I didn’t get to during the day.

Over the past few weeks we have been having some issues with our tape backups. Back in December of 2008 I inherited the duties of Backup Administrator since I had some experience at a previous employer. The first issue was that our tape library was appearing as offline in BackupExec. This was related to a SCSI cable, which was an easy fix. After we resolved that issue, we noticed that the “Job Rate” on our backups drastically dropped. Drastically means the job rates went from about 1,200 MB/Min to 190 MB/Min! This meant that the 100 GB Exchange database backup went from a little over two hours start to finish to over 26 hours! After some troubleshooting it was discovered that the tape library had been changed to use the HP drivers while I was troubleshooting the previous issue with our vendor. After changing the drivers back to the ones provided by BackupExec the job rates have returned to normal.

On the network front, I have been doing some work to bring the management of our network up to par. First I have deployed RADIUS authentication on our switches in order to better control and monitor access. Additionally I have deployed a banner or message of the day (MOTD) on each switch. This is the message you see before you are prompted to provide your login credentials. On HP Procurve switches HP provides a boring canned message asking you to register the switch. Deploying a banner is accomplished with one command:

banner motd #
This is my custom banner!

Don't mess with my network gear!
#

Once I get some additional copper modules installed in some of our switches, I will be enabling BPDU protection on the edge ports (ports that end-users connect to). Evil Routers has an article that covers configuring BPDU protection on HP Procurve switches.

BPDU protection prevents a rogue switch from changing your spanning tree topology. If the switch sees a BPDU on a port that has BPDU protection enabled, it can react in a number of different ways. My personal choice is to have the port disabled permanently. This requires the intervention of a network administrator for the port to be enabled again. This gives me a chance to talk to the user, explain what happened, and why it happened.

My CCNA studies are still progressing slowly. I am hoping to begin the final preparation for the exam in the coming weeks.


Procurve RADIUS Authentication

February 7th, 2009

Continuing with my Procurve articles, my current article will detail how to use a RADIUS server to handle authentication on a switch. This article will cover using a RADIUS server to handle authentication for the following methods of access on a Procurve switch:

  • Web Interface
  • Console
  • Telnet
  • SSH

This configuration was tested on an HP Procurve 5412zl switch running K.13.25 software. Configuration on other switches with different software versions may vary. Consult the Access Security Guide for your switch for further details.

Configuring your RADIUS server is beyond the scope of this article, particularly since there are many options for RADIUS servers out there. FreeRADIUS is one popular option. I can personally confirm that this configuration works with Microsoft’s IAS which was set up to authenticate against Active Directory.

Once your RADIUS server has been properly configured, you need to configure your switch so that it knows how to communicate with the server. This is done using the command:

radius-server host IP Address key 'MyKey01'

This command accomplishes a few tasks. First, it tells the switch at what IP address to reach the RADIUS server. You should substitute IP Address with the IP address of your server. The second part establishes the password or key that has been set for this switch. This key is used by the RADIUS server to verify the identity of the switch. On your RADIUS server, you can set a unique key for each switch (which are usually called RADIUS clients).

With the connection to the RADIUS server established, you are now ready to configure authentication for each of the modes of access. This will be accomplished using the aaa authentication command. Below is an example of the format of the command.

aaa authentication method enable/login auth1 auth2

The first option is the access method for which you would like to apply the authentication. Your options here are: console, telnet, ssh, and web. The enable/login options specify when authentication should be attempted. Login specifies that authentication should be attempted when a user first attempts to log in. Enable specifies that authentication should be attempted when a user enters the “enable” command. The enable option will not apply to web access.

The last two options specify the means of authentication. Auth1 is the primary means of authentication, which in this case you should set to radius. Auth2 is optional as it is a backup means of authentication. However, it is a good idea to set this to local, just in case the switch cannot communicate with the RADIUS server. Local specifies that the passwords set locally will be used for authentication.

Here are some of the various commands that could be used to enable RADIUS authentication.

aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication web login radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

One final command to note is something that many network administrators may find useful. That command is:

aaa authentication login privilege-mode

This command tells the switch to expect additional parameters from the RADIUS server upon successful authentication. These parameters tell the switch which mode the user can gain access into. You can configure the RADIUS server to send the Administrative-User service type for users that are granted access to enable/configuration modes. On the other hand, you can configure the server to return the NAS-Prompt-User service type for users that you only want to grant access to operator mode.

This is very useful if you have a group of users that you only wish to have minimal access to your switches. If these limited access users attempt to enter manager mode with the enable command, they will be prompted to log in again, but they will then be presented with an “Access Denied” error message.

After everything has been configured, you can confirm that the proper forms of primary and secondary authentication have been applied with the following command:

show authentication

Below is some output produced by this command:

J8698A-01# show authentication

 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Enabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Local      None       Local      None
  Telnet      | Radius     Local      Radius     Local
  Port-Access | Local      None
  Webui       | Radius     None       Local      None
  SSH         | Local      None       Local      None
  Web-Auth    | ChapRadius None
  MAC-Auth    | ChapRadius None
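A quick audit of the listing above, added here as an example (not code from the article): it parses the show authentication table and the Respect Privilege flag, then flags the management methods that still authenticate against local passwords first, or that have no Local fallback should the RADIUS server become unreachable. The sample text is copied from the article's output; the column names and rules are my own.

```python
# Added example (not from the article): audit a ProCurve 'show authentication'
# listing against the 'radius local' setup described above.
import re

# Sample output, copied from the article's listing (values as printed there).
SAMPLE = """\
  Respect Privilege : Enabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Local      None       Local      None
  Telnet      | Radius     Local      Radius     Local
  Port-Access | Local      None
  Webui       | Radius     None       Local      None
  SSH         | Local      None       Local      None
"""
MGMT_TASKS = ("Console", "Telnet", "Webui", "SSH")   # methods the article covers
COLUMNS = ("login_primary", "login_secondary", "enable_primary", "enable_secondary")


def parse_show_authentication(text):
    """Return (respect_privilege, {task: {column: value}}) from the CLI output."""
    m = re.search(r"Respect Privilege\s*:\s*(\w+)", text)
    tasks, in_table = {}, False
    for line in text.splitlines():
        if "+" in line and "---" in line:        # dashed separator starts the body
            in_table = True
        elif in_table and "|" in line:
            name, _, values = line.partition("|")
            tasks[name.strip()] = dict(zip(COLUMNS, values.split()))  # 2 or 4 columns
    return bool(m and m.group(1) == "Enabled"), tasks


def audit(text):
    """List findings for methods that do not use RADIUS first or lack a Local fallback."""
    respect_privilege, tasks = parse_show_authentication(text)
    findings = []
    for task in MGMT_TASKS:
        cols = tasks.get(task, {})
        if cols.get("login_primary") != "Radius":
            findings.append(f"{task}: login primary is {cols.get('login_primary')}, not Radius")
        elif cols.get("login_secondary") != "Local":
            findings.append(f"{task}: no Local fallback if the RADIUS server is unreachable")
        # The web interface has no enable stage, so check it only for the CLI methods.
        if task != "Webui" and cols.get("enable_primary") != "Radius":
            findings.append(f"{task}: enable primary is {cols.get('enable_primary')}, not Radius")
    if not respect_privilege:
        findings.append("privilege-mode is off: RADIUS Service-Type cannot set the access level")
    return findings
```

Run audit(SAMPLE) against the article's output and it reports Console and SSH (local first for both login and enable) and Webui (no Local fallback), while Telnet passes.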

Categories: HP Procurve Tags:

HP Procurve Premium License

February 5th, 2009 Comments off

A topic not often covered in the Procurve community is the issue of licensing certain features on a switch. HP does an excellent job of providing a robust feature set on most of their equipment out of the box. However, some applications require additional features that are not included with the switch.

An issue arose at work where we wanted to use a 5406zl to route to an external entity. There was a thought that we could peer with the entity using OSPF. After some quick digging around the command line, I found that our 5406zl only supported RIP with the current license. Upgrading to a premium license would be required to support OSPF. The premium license adds support for the following on 3500 and 5400 series switches.

  • OSPFv2
  • PIM Dense mode
  • PIM Sparse mode
  • VRRP
  • QinQ (IEEE 802.1ad)

How can you tell what license is currently installed on your switch? If you are running OSPF, that is a good indicator that your switch currently has a premium license installed. A better way to view the installed license is with the show licenses command:

J8698A-01# show licenses

 Feature Group         License Status
 --------------------  --------------
 premium               Not Installed
   OSPF
   PIM-SM/DM
   VRRP
   QinQ

Here you can clearly see that this switch does not have the premium license installed, as is indicated by the “Not Installed” license status.

Installing a premium license is a multi-step process that will require you to use the my.procurve.com web site. Obtaining a premium license is beyond the scope of this article, however I will cover how to obtain the hardware ID for your switch. The hardware ID is required when obtaining a premium license.

Obtaining the Hardware ID

In order to obtain the hardware ID for the switch, you need to enter configuration mode using the configure terminal command. Once you have entered configuration mode, issue the command licenses hardware-id premium. The output of this command is shown below:

J8698A-01(config)# licenses hardware-id premium

The hardware Id for package “premium” is
  XXXXXXXXXX-X-XXXXXXX-XXXXXXX-XXXXX8X-XXXXXXX

There are a few points I would like to note. First, the hardware ID has been sanitized. However, the format above is the same format that you can expect on other switches. Second, the exact command to be used will depend on the switch model in use. Some HP documentation makes use of the licenses hardware-id premium-edge command to retrieve the hardware ID. The use of context sensitive help will reveal which command should be used on your switch.

Installing a Premium License

Installing a premium license is straightforward. Again, you need to enter configuration mode using the configure terminal command. Once in configuration mode, issue the following command:

licenses install premium <license-key>

You will replace <license-key> with the key that was provided to you on the my.procurve.com web site. Keep in mind that after the switch installs the license, it will reboot.

Removing a Premium License

At some point, you may need to remove a license from a switch for various reasons. Like the previous commands, you must be in configuration mode to uninstall a license. From configuration mode issue the command:

licenses uninstall premium

This command will issue the following warning:

J8698A-01(config)# licenses uninstall premium
                              **** CAUTION ****

Completion of this operation will remove the functionality that is enabled
in the premium feature group, and will delete the configuration for
those features from the active configuration.

Device will be rebooted, do you want to continue [y/n]?

After you answer yes, the switch will delete the key and issue an uninstall verification number. It is very important that you copy this uninstall verification number, as you will need to enter it into the my.procurve.com website to “release” the license for use on another switch. After this the switch will reboot.

Viewing Uninstalled Licenses

Should you need to view a license that was uninstalled from a switch you can use the following command:

show licenses uninstalled

This will show the license that was uninstalled, as well as the uninstall verification key. This command comes in handy if you forgot to save the uninstall verification key after removing a license.

Categories: HP Procurve Tags: