Release Notes: Version R.11.25 Software for the ProCurve Series 2610 Switches Release R.11.
© Copyright 2001, 2008, 2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
Contents

Software Management
    Software Updates (page 1)
    Downloading Switch Documentation and Software from the Web (page 1)
Downloading Software to the Switch
    TFTP Download from a Server (page 3)
    Xmodem Download From a PC or Unix Workstation
Known Issues
    Release R.11.12 (page 16)
    Release R.11.22 (page 16)
Enhancements
    Release R.11.04 Enhancements (page 17)
    Release R.11.
Release R.11.08 (page 54)
Release R.11.09 (page 54)
Release R.11.10 (page 55)
Release R.11.11
Software Management

Software Updates
Check the ProCurve Networking Web site frequently for free software updates for the various ProCurve switches you may have in your network.

Downloading Switch Documentation and Software from the Web
You can download software updates and the corresponding product documentation from HP’s ProCurve web site as described below.
To Download a Software Version:
1. Go to the ProCurve Networking Web site at: http://www.procurve.com/software.
2.
Downloading Software to the Switch

Caution: The startup-config file generated by the latest software release may not be backward-compatible with the same file generated by earlier software releases.

HP periodically provides switch software updates through the ProCurve Networking Web site http://www.procurve.com/software.
TFTP Download from a Server
Syntax: copy tftp flash <ip-address> <remote-file> [< primary | secondary >]
If you do not specify the flash destination, the TFTP download defaults to the primary flash.
For example, to download a software file named R_11_04.swi from a TFTP server with the IP address of 10.28.227.103:
1. Execute the copy command as shown below:
ProCurve # copy tftp flash 10.28.227.103 R_11_04.swi
The primary OS image will be deleted.
Note that TFTP itself provides neither authentication nor integrity protection for the image, so the TFTP server should sit on the management network and run only for the duration of the update; the switch's SSH server also supports Secure Copy (see the show ip ssh output later in these notes), which gives an authenticated and encrypted transfer path.
Xmodem Download From a PC or Unix Workstation
This procedure assumes that:
■ The switch is connected via its RS-232 console port to a PC operating as a terminal. (Refer to the Installation Guide you received with the switch for information on connecting a PC as a terminal and running the switch console interface.)
■ The switch software is stored on a disk drive in the PC.
■ The terminal emulator you are using includes the Xmodem binary transfer feature.
Saving Configurations While Using the CLI
The switch operates with two configuration files:
■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file. To save a configuration change, you must save the running configuration to the startup-config file.
ProCurve Switch, Routing Switch, and Router Software Keys

Software Letter   ProCurve Networking Products
C                 1600M, 2400M, 2424M, 4000M, and 8000M
CY                Switch 8100fl Series (8108fl and 8116fl)
E                 Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl)
F                 Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324
G                 Switch 4100gl Series (4104gl, 4108gl, and 4148gl)
H                 Switch 2600 Series, Switch 2600-PWR S
OS/Web/Java Compatibility Table
The switch web agent supports the following combinations of OS browsers and Java Virtual Machines:

Operating System              Internet Explorer
Windows NT 4.0 SP6a           5.00, 5.01; 5.01, SP1; 6.0, SP1
Windows 2000 Pro SP4          5.05, SP2; 6.0, SP1
Windows XP Pro SP2            6.0, SP2 and 7.0
Windows Server SE 2003 SP2

Java: Sun Java 2 Runtime Environment:
– Version 1.3.1.12
– Version 1.4.2.
Enforcing Switch Security

ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. However, when preparing the switch for network operation, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
Switch Management Access Security
It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch hardware.

Local Manager Password
In the default configuration, there is no password protection: until a Manager password is set, anyone who can reach the console or one of the network management interfaces has full management control of the switch.
SNMP Access (Simple Network Management Protocol)
In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing or changing usernames, passwords, configuration, and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
Note on SNMP Access to Local Authentication MIB Objects
Downloading and booting R.11.04 or later software versions for the first time enables SNMP access to the switch’s local authentication configuration MIB objects (the default action).
Other Provisions for Management Access Security
Authorized IP Managers. This feature uses IP addresses and masks to determine whether to allow management access to the switch through the network, and covers access through the following:
■ Telnet and other terminal emulation applications
■ The switch’s Web browser interface
■ SNMP (with a correct community name)
Because the decision rests on the source IP address alone, treat this as a filter that narrows exposure rather than as authentication; it belongs alongside passwords, SSH and SNMP restrictions, not in place of them.
Secure Management VLAN.
Network Security Features
■ switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
Clarifications

General Switch Traffic Security Guideline
Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2.
Access Security Guide
■ The Management and Configuration Guide, dated December 2007, in pages 10-25, 10-26, and 10-27 incorrectly indicates that the QoS Passthrough Mode is disabled by default. The factory default for QoS Passthrough Mode is enabled.
■ The Management and Configuration Guide, dated November 2008, beginning on page B20, describes the loop protection features.
Known Issues

Release R.11.12
The following problems are known issues in release R.11.12.
SSH (PR_0000003592) — Repeatedly performing crypto key generation tasks, and then connecting to the switch via SSH and executing a show ip ssh command may trigger a switch crash with a message similar to the following.
Enhancements

Unless otherwise noted, each new release includes the features added in all previous releases. Enhancements are listed in chronological order, oldest to newest software release.

Release R.11.04 Enhancements
No new enhancements. Initial Release.

Release R.11.07 Enhancements
Release R.11.07 includes the following enhancement:
■ Enhancement (PR_1000462847) — Mini-GBIC slots can be configured before one is inserted.

Release R.11.08 through R.11.
Release R.11.12 Enhancements

DHCP Snooping
Overview
You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network (or, by handing out its own address as default gateway or DNS server, redirects their traffic). DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end users.
database: To configure a location for the lease database, enter a URL in the format tftp://ip-addr/ascii-string. The maximum number of characters for the URL is 63.
option: Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information.
trust: Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted.
Configuring DHCP Snooping Trusted Ports
By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command:
ProCurve(config)# dhcp-snooping trust <port-list>
You can also use this command in the interface context, in which case you are not able to enter a list of ports. DHCP server packets are forwarded only if received on a trusted port; DHCP server packets received on an untrusted port are dropped. Trust only the ports that lead to your DHCP servers or to upstream switches; a trusted port facing users reopens the rogue-server path that DHCP snooping is meant to close.
To configure a DHCP authorized server address, enter this command in the global configuration context:
ProCurve(config)# dhcp-snooping authorized-server <ip-address>

ProCurve(config)# show dhcp-snooping
 DHCP Snooping Information
  DHCP Snooping              : Yes
  Enabled Vlans              : 4
  Verify MAC                 : No
  Option 82 untrusted policy : drop
  Option 82 Insertion        : Yes
  Option 82 remote-id        : subnet-ip
  Authorized Servers
  --------------------
  111.222.3.
If DHCP snooping is enabled on a switch whose downstream edge switch is also using DHCP snooping, client packets arriving from that edge switch already carry the Option 82 it inserted, and it is desirable to have those packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
■ Port number
■ VLAN identifier
■ Leased IP address
■ Lease time
The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location. To configure this location use this command.
Operational Notes
■ DHCP snooping is not configurable from the web management interface or menu interface.
■ If packets are received at too high a rate, some may be dropped and need to be re-transmitted.
■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately.
■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Because the lease database is read back over TFTP at boot and also feeds dynamic ARP protection, keep that server on the management network: an altered database changes which IP-to-MAC bindings the switch will accept.
Ceasing untrusted relay information logs for <duration>.
More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified <duration>.
Client address <mac-address> not equal to source MAC <mac-address> detected on port <port-number>.
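The snooping rules from the preceding pages (trusted ports, authorized servers, Verify MAC, the Option 82 untrusted-port policy, binding learning, and the log-suppression behaviour just described) put together as a Python model. This is an added example written for these notes, not switch firmware: the port names, addresses and traffic are constructed, packets are records rather than parsed bytes, and the "keep" policy name and the 60-second silence period are assumptions.

```python
"""DHCP snooping as described in these notes, modelled in Python (added example, not
switch firmware).  Packets are small records, and run_scenario()'s traffic is constructed."""
from dataclasses import dataclass, field
from typing import Optional

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # DHCP message types (RFC 2132 option 53)
SERVER_MESSAGES = {OFFER, ACK}
LOG_SILENCE = 60.0   # seconds without Option 82 drop logging after a repeat (duration assumed)

@dataclass
class DhcpPacket:
    port: str              # ingress port, e.g. "A1"
    vlan: int
    src_mac: str           # Ethernet source address
    chaddr: str            # client hardware address inside the DHCP payload
    msg_type: int
    yiaddr: str = ""       # address assigned by the server (server messages only)
    server_ip: str = ""    # server identifier (server messages only)
    lease_time: int = 0    # seconds
    option82: bool = False

@dataclass
class DhcpSnooping:
    trusted_ports: set = field(default_factory=set)
    authorized_servers: set = field(default_factory=set)   # empty = any server on a trusted port
    verify_mac: bool = True
    option82_untrusted_policy: str = "drop"   # page default; "keep" forwards such packets (name assumed)
    bindings: dict = field(default_factory=dict)      # chaddr -> {port, vlan, ip, expires}
    log: list = field(default_factory=list)
    _pending: dict = field(default_factory=dict)      # chaddr -> (port, vlan) awaiting the server's ACK
    _o82_state: dict = field(default_factory=dict)    # port -> (drops logged, silenced until)

    def process(self, pkt: DhcpPacket, now: float = 0.0) -> Optional[DhcpPacket]:
        """Return the packet to forward (Option 82 added if missing), or None if dropped."""
        trusted = pkt.port in self.trusted_ports
        if pkt.msg_type in SERVER_MESSAGES:
            return self._server_packet(pkt, trusted, now)
        return self._client_packet(pkt, trusted, now)

    def _server_packet(self, pkt, trusted, now):
        if not trusted:   # only server packets received on trusted ports are forwarded
            self.log.append(f"server packet dropped on untrusted port {pkt.port}")
            return None
        if self.authorized_servers and pkt.server_ip not in self.authorized_servers:
            self.log.append(f"unauthorized server {pkt.server_ip} on port {pkt.port}")
            return None
        if pkt.msg_type == ACK and pkt.chaddr in self._pending:   # lease granted: record the binding
            port, vlan = self._pending.pop(pkt.chaddr)
            self.bindings[pkt.chaddr] = {"port": port, "vlan": vlan, "ip": pkt.yiaddr,
                                         "expires": now + pkt.lease_time}
        return pkt

    def _client_packet(self, pkt, trusted, now):
        if not trusted:
            if self.verify_mac and pkt.chaddr != pkt.src_mac:
                self.log.append(f"Client address {pkt.chaddr} not equal to source MAC "
                                f"{pkt.src_mac} detected on port {pkt.port}")
                return None
            if pkt.option82 and self.option82_untrusted_policy == "drop":
                self._log_option82_drop(pkt.port, now)
                return None
            self._pending[pkt.chaddr] = (pkt.port, pkt.vlan)   # bindings are learned on untrusted ports
        pkt.option82 = True   # relay information is inserted before the packet goes out a trusted port
        return pkt

    def _log_option82_drop(self, port, now):
        """Log the first drop; on a repeat, log the 'Ceasing ...' message and stay quiet for a while."""
        drops, silenced_until = self._o82_state.get(port, (0, -1.0))
        if now < silenced_until:
            return
        if drops == 0:
            self.log.append(f"untrusted relay information packet dropped on port {port}")
            self._o82_state[port] = (1, -1.0)
        else:
            self.log.append(f"Ceasing untrusted relay information logs for {LOG_SILENCE:.0f}s")
            self._o82_state[port] = (0, now + LOG_SILENCE)

def run_scenario():
    """Constructed traffic: an honest client, a rogue server, an unlisted server, two spoof attempts."""
    sw = DhcpSnooping(trusted_ports={"A24"}, authorized_servers={"10.0.0.2"})
    client, srv, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
    traffic = [
        (0, DhcpPacket("A1", 10, client, client, DISCOVER)),
        (0, DhcpPacket("A2", 10, rogue, client, OFFER, "10.0.0.66", "10.0.0.99")),   # rogue server, user port
        (0, DhcpPacket("A24", 10, srv, client, OFFER, "10.0.0.50", "10.0.0.77")),    # trusted port, not authorized
        (0, DhcpPacket("A24", 10, srv, client, OFFER, "10.0.0.50", "10.0.0.2")),
        (0, DhcpPacket("A1", 10, client, client, REQUEST)),
        (0, DhcpPacket("A24", 10, srv, client, ACK, "10.0.0.50", "10.0.0.2", 3600)),
        (1, DhcpPacket("A3", 10, rogue, client, DISCOVER)),                          # chaddr != source MAC
        (1, DhcpPacket("A4", 10, rogue, rogue, DISCOVER, option82=True)),            # Option 82 on a user port
        (2, DhcpPacket("A4", 10, rogue, rogue, DISCOVER, option82=True)),
        (3, DhcpPacket("A4", 10, rogue, rogue, DISCOVER, option82=True)),
    ]
    forwarded = sum(1 for now, pkt in traffic if sw.process(pkt, now) is not None)
    return {"forwarded": forwarded, "dropped": len(traffic) - forwarded,
            "bindings": sw.bindings, "log": sw.log}
```

Running run_scenario() forwards the four legitimate exchanges, drops the six others, leaves exactly one binding (the client on port A1) and produces five log lines, the last of which is the "Ceasing ..." message; the third Option 82 packet on A4 is dropped silently.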
Dynamic ARP Protection
Introduction
On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded. ARP requests are ordinarily broadcast and received by all devices in a broadcast domain.
■ Supports additional checks to verify source MAC address, destination MAC address, and IP address. ARP packets that contain invalid IP addresses, or MAC addresses in their body that do not match the addresses in the Ethernet header, are dropped.
When dynamic ARP protection is enabled, only ARP request and reply packets with valid IP-to-MAC address bindings in their packet header are relayed and used to update the ARP cache.
You must configure trusted ports carefully. For example, in the topology in Figure 1, Switch B may not see the leased IP address that Host 1 receives from the DHCP server, because Switch B learns bindings only from the DHCP exchanges that pass through its own untrusted ports. If the port on Switch B that is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled, it will see ARP packets from Host 1 as invalid, resulting in a loss of connectivity.
ProCurve(config)# arp protect trust b1-b4, d1

Adding an IP-to-MAC Binding to the DHCP Database
A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.
Configuring Additional Validation Checks on ARP Packets
Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp protect validate command at the global configuration level, naming the checks to enable (the show arp protect output that follows lists the enabled checks, for example dst-mac and src-mac).
Verifying the Configuration of Dynamic ARP Protection
To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp protect command:
ProCurve(config)# show arp protect
 ARP Protection Information
  Enabled Vlans : 1-4094
  Validate      : dst-mac, src-mac
  Port   Trust
  -----  -----
  B1     Yes
  B2     Yes
  B3     No
  B4     No
  B5     No
Figure 2.
Monitoring Dynamic ARP Protection
When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command. Use this command when you want to debug the following conditions:
■ The switch is dropping valid ARP packets that should be allowed.
■ The switch is allowing invalid ARP packets that should be dropped.
ProCurve(config)# debug arp protect
1.
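The validation described in the Dynamic ARP Protection pages above (trusted-port bypass, the binding check against the DHCP snooping database, and the optional src-mac, dst-mac and IP checks on the Ethernet header and ARP body) written out as Python over real Ethernet/ARP frame bytes. This is an added example, not switch firmware: the bindings, port names, addresses and frames in run_scenario() are constructed, and the reason strings are this example's own.

```python
"""Dynamic ARP protection checks as described in these notes, modelled in Python (added
example, not switch firmware).  Frames are real Ethernet/ARP bytes; the bindings and
traffic in run_scenario() are constructed for the example."""
import ipaddress
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_text(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Ethernet II frame carrying an ARP packet; header and body MACs may deliberately differ."""
    body = ARP.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                    mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP) + body


def parse_arp(frame):
    """Header and body fields of an ARP frame as a dict, or None if the frame is not ARP."""
    dst, src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"eth_dst": mac_text(dst), "eth_src": mac_text(src), "oper": oper,
            "sha": mac_text(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_text(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def invalid_ip(ip):
    a = ipaddress.IPv4Address(ip)
    return a.is_unspecified or a.is_loopback or a.is_multicast or a == ipaddress.IPv4Address("255.255.255.255")


class ArpProtect:
    def __init__(self, bindings, trusted_ports=(), validate=()):
        # bindings come from the DHCP snooping lease database: dicts with mac, port, vlan, ip
        self.bindings = {(b["vlan"], b["ip"]): b["mac"].lower() for b in bindings}
        self.trusted = set(trusted_ports)
        self.validate = set(validate)   # any of "src-mac", "dst-mac", "ip" (the additional checks)

    def check(self, port, vlan, frame):
        """(allowed, reason) for an ARP frame arriving on port/vlan.  Trusted ports are not inspected."""
        if port in self.trusted:
            return True, "trusted port"
        arp = parse_arp(frame)
        if arp is None:
            return True, "not ARP"
        if "src-mac" in self.validate and arp["sha"] != arp["eth_src"]:
            return False, "sender MAC does not match Ethernet source"
        if "dst-mac" in self.validate and arp["oper"] == ARP_REPLY and arp["tha"] != arp["eth_dst"]:
            return False, "target MAC does not match Ethernet destination"
        if "ip" in self.validate and (invalid_ip(arp["spa"]) or
                                      (arp["oper"] == ARP_REPLY and invalid_ip(arp["tpa"]))):
            return False, "invalid IP address in ARP body"
        # The core check: the advertised (spa, sha) pair must match a binding on this VLAN.  A probe
        # with spa 0.0.0.0 (RFC 5227) has no binding and is dropped by this model even without "ip".
        if self.bindings.get((vlan, arp["spa"])) != arp["sha"]:
            return False, f"no binding for {arp['spa']} -> {arp['sha']} on VLAN {vlan}"
        return True, "valid binding"


def run_scenario():
    """Constructed traffic on VLAN 10: ports B1-B2 trusted (uplinks), B3-B5 user ports."""
    client, gw, attacker = "00:11:22:33:44:55", "00:00:5e:00:01:01", "00:de:ad:be:ef:01"
    bindings = [{"mac": client, "port": "B3", "vlan": 10, "ip": "10.0.0.50"}]
    ap = ArpProtect(bindings, trusted_ports={"B1", "B2"}, validate={"src-mac", "dst-mac", "ip"})
    zero = "00:00:00:00:00:00"
    frames = {
        "client_request":  ("B3", build_arp(BROADCAST, client, ARP_REQUEST, client, "10.0.0.50", zero, "10.0.0.1")),
        "gateway_spoof":   ("B4", build_arp(client, attacker, ARP_REPLY, attacker, "10.0.0.1", client, "10.0.0.50")),
        "header_mismatch": ("B4", build_arp(client, attacker, ARP_REPLY, client, "10.0.0.50", client, "10.0.0.50")),
        "bad_source_ip":   ("B5", build_arp(BROADCAST, attacker, ARP_REQUEST, attacker, "0.0.0.0", zero, "10.0.0.50")),
        "uplink_reply":    ("B1", build_arp(client, gw, ARP_REPLY, gw, "10.0.0.1", client, "10.0.0.50")),
    }
    return {name: ap.check(port, 10, frame) for name, (port, frame) in frames.items()}
```

The header_mismatch frame is the case the additional checks exist for: its ARP body carries the client's legitimate binding, so without src-mac it passes the binding check even though the Ethernet source is the attacker; the scenario's gateway_spoof is caught by the binding check alone, and uplink_reply shows why the uplink must be trusted (the gateway has no entry in the lease database).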
Release R.11.14 Enhancements

DHCP Option 66 Automatic Configuration Update
Overview
ProCurve switches are initially booted up with the factory-shipped configuration file. This enhancement provides a way to automatically download a different configuration file from a TFTP server using DHCP Option 66. The prerequisites for this to function correctly are:
■ One or more DHCP servers have Option 66 enabled
■ One or more TFTP servers have the desired configuration file.
Note that the switch takes the TFTP server address from whichever offer it selects, so an unauthorized DHCP server reachable on a DHCP-enabled VLAN could supply a configuration of its own choosing; restrict which servers can answer (for example with DHCP snooping on the upstream switches) before relying on this feature.
Possible Scenarios for Updating the Configuration File
The following table shows various network configurations and how Option 66 is handled.

Scenario: Single Server serving Multiple VLANs
Behavior:
• Each DHCP-enabled VLAN interface initiates a DHCPDISCOVER message, receives a DHCPOFFER from the server, and sends a DHCPREQUEST to obtain the offered parameters.
• DHCP is preferred over BootP
• If two BootP offers are received, the first one is selected
• For two DHCP offers:
  – The offer from an authoritative server is selected
  – If there is no authoritative server, the offer with the longest lease is selected

Log Messages
The file transfer is implemented by the existing TFTP module.
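The offer-selection rules above expressed as a single ordering, as an added example (not switch code). The Offer record and its field names are this example's own, the offers are constructed, and the assumption that the switch does not fall back to another offer when the selected one carries no Option 66 is the example's, not the page's.

```python
"""Offer selection for the Option 66 auto-configuration feature, implementing the
precedence rules listed above (added example, not switch code).  Offers are
constructed for the example; the field names are this example's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Offer:
    server: str
    protocol: str           # "dhcp" or "bootp"
    tftp_server: str = ""   # Option 66 value, empty when the server sent none
    lease: int = 0          # seconds; a BootP offer carries no lease
    authoritative: bool = False
    order: int = 0          # arrival order (lower = earlier)


def select_offer(offers):
    """DHCP beats BootP.  Among DHCP offers: authoritative first, then the longest lease,
    then the earliest.  Among BootP offers: the first one received."""
    dhcp = [o for o in offers if o.protocol == "dhcp"]
    if dhcp:
        return max(dhcp, key=lambda o: (o.authoritative, o.lease, -o.order))
    return min(offers, key=lambda o: o.order) if offers else None


def config_source(offers) -> Optional[str]:
    """TFTP server the switch would fetch its configuration from, or None when the chosen
    offer has no Option 66 (assumption: no fallback to another offer's Option 66)."""
    chosen = select_offer(offers)
    return (chosen.tftp_server or None) if chosen else None
```

The tuple key makes the precedence explicit: an authoritative DHCP server wins regardless of lease length, the longest lease decides otherwise, and only when the whole offer set is BootP does arrival order matter.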
Syntax: [no] ip ssh [cipher <cipher-type>]
Cipher types that can be used for connection by clients. Valid types are:
• aes128-cbc
• 3des-cbc
• aes192-cbc
• aes256-cbc
• rijndael-cbc@lysator.liu.se
• aes128-ctr
• aes192-ctr
• aes256-ctr
Default: All cipher types are available.
Use the no form of the command to disable a cipher type. Because every cipher is enabled by default, a client may negotiate 3des-cbc or one of the CBC modes; a hardened configuration disables those with the no form and leaves the aes*-ctr ciphers, which current SSH clients support.
ProCurve(config)# no ip ssh cipher 3des-cbc
Figure 2.
Table 5. RSA/DSA Values for Various ProCurve Switches

Platform   Maximum RSA Key Size (in bits)   DSA Key Size (in bits)
2610       1024, 2048 (Default: 1024)       1024

The 1024-bit default is below current guidance for RSA host keys; generate the host key at 2048 bits where the clients in use support it.

Message Authentication Code (MAC) Support
This enhancement allows configuration of the set of MACs that are available for selection.
Syntax: [no] ip ssh [mac <mac-type>]
Allows configuration of the set of MACs that can be selected.
Displaying the SSH Information
The show ip ssh command has been enhanced to display information about ciphers, MACs, and key types and sizes.
ProCurve(config)# show ip ssh
 SSH Enabled     : No           Secure Copy Enabled : No
 TCP Port Number : 22           Timeout (sec)       : 120
 IP Version      : IPv4orIPv6   Host Key Size       : 1024
 Host Key Type   : RSA
 Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc, rijndael-cbc@lysator.liu.
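An audit of the show ip ssh output just shown, as an added example (not HP code): it parses the two-column layout, flags a disabled SSH server, a host key below 2048 bits, and the CBC/3DES ciphers and MD5 or truncated MACs, and emits the ip ssh, no ip ssh cipher and no ip ssh mac commands from this section that would fix them. SAMPLE is constructed in that layout; its MACs line is an assumption, since the page's listing is cut off before it.

```python
"""Audit of show ip ssh output as described above (added example, not HP code).  SAMPLE is
constructed in the layout of that command; the MACs line is an assumption, since the page's
listing is truncated before it, using names the ip ssh mac syntax would accept."""
import re

SAMPLE = """\
 SSH Enabled     : No           Secure Copy Enabled : No
 TCP Port Number : 22           Timeout (sec)       : 120
 IP Version      : IPv4orIPv6   Host Key Size       : 1024
 Host Key Type   : RSA
 Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
 MACs    : hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
"""
PAIR = re.compile(r"([A-Za-z][A-Za-z ()]*?)\s*:\s*(\S+)")   # "Key : value", two pairs per line allowed
MIN_KEY_BITS = 2048


def parse_show_ip_ssh(text):
    """Flatten the two-column layout into a dict; Ciphers and MACs become lists."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR.findall(line):
            key = key.strip()
            fields[key] = value.split(",") if key in ("Ciphers", "MACs") else value
    return fields


def weak_ciphers(ciphers):
    """CBC modes (including rijndael-cbc) and 3DES; the aes*-ctr ciphers are what should remain."""
    return [c for c in ciphers if "cbc" in c or "3des" in c]


def weak_macs(macs):
    """MD5-based MACs and the truncated -96 variants."""
    return [m for m in macs if "md5" in m or m.endswith("-96")]


def audit(text):
    """Return (findings, remediation commands) for one switch's show ip ssh output.
    The commands use the ip ssh, no ip ssh cipher and no ip ssh mac syntax from this section."""
    f = parse_show_ip_ssh(text)
    findings, commands = [], []
    if f.get("SSH Enabled") != "Yes":
        findings.append("SSH is not enabled")
        commands.append("ip ssh")
    bits = int(f.get("Host Key Size", "0"))
    if bits < MIN_KEY_BITS:
        findings.append(f"{f.get('Host Key Type', '?')} host key is {bits} bits, below {MIN_KEY_BITS}")
    for c in weak_ciphers(f.get("Ciphers", [])):
        findings.append(f"weak cipher enabled: {c}")
        commands.append(f"no ip ssh cipher {c}")
    for m in weak_macs(f.get("MACs", [])):
        findings.append(f"weak MAC enabled: {m}")
        commands.append(f"no ip ssh mac {m}")
    return findings, commands
```

Against SAMPLE the audit returns ten findings and nine commands (the key-size finding has no CLI fix in this section, since it requires regenerating the host key); the regex tolerates the parenthesised "Timeout (sec)" key and the two key/value pairs per line.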
• info
• verbose
• debug
• debug2
• debug3

Release R.11.15 Enhancements
No enhancements, software fixes only. (Not a public release)

Release R.11.16 Enhancements
No enhancements, software fixes only.

Release R.11.17 Enhancements
Release R.11.17 includes the following enhancement (Not a public release):
■ Enhancement (PR_0000003180) — QoS TCP/UDP Port Ranges may now be configured. For more information, see “QoS UDP/TCP Priority” on page 41.
QoS UDP/TCP Priority

TCP/UDP Port Number Ranges. There are three ranges:
■ Well-Known Ports: 0 - 1023
■ Registered Ports: 1024 - 49151
■ Dynamic and/or Private Ports: 49152 - 65535
For more information, including a listing of UDP/TCP port numbers, go to the Internet Assigned Numbers Authority (IANA) website at www.iana.org, then click on Protocol Number Assignment Services (under the “Directory of General Assigned Numbers” heading) and then Port Numbers.
Assigning an 802.
Displays a listing of all TCP and UDP QoS classifiers currently in the running-config file.

Operating Notes on Using Port Ranges
■ You can only have 6 concurrent policies when using unique ranges. The number of policies allowed is lower if ACLs are also using port ranges.
■ You cannot have ranges that include any port numbers that have been configured as part of another QoS application port number policy.
1. Identify the TCP or UDP port-number classifier you want to use for assigning a DSCP policy.
2. Determine the DSCP policy for packets carrying the selected TCP or UDP port number or range of port numbers.
3.
   a. Determine the DSCP you want to assign to the selected packets. (This codepoint will be used to overwrite (re-mark) the DSCP carried in packets received from upstream devices.)
   b. Determine the 802.1p priority you want to assign to the DSCP.
Syntax: [no] qos < udp-port | tcp-port > < port-number | port-range > < priority < 0 - 7 > | dscp < codepoint > >
Assigns a DSCP policy to outbound packets having the specified TCP or UDP application port number or range of port numbers and overwrites the DSCP in these packets with the assigned value. This policy includes an 802.1p priority and determines the packet’s queue in the outbound port to which it is sent.
For example, suppose you wanted to assign these DSCP policies to the packets identified by the indicated UDP and TCP port applications:

Port Applications    DSCP     Priority
23-UDP               000111   7
80-TCP               000101   5
914-TCP              000010   1
1001-2000 UDP        000010   1

1. Determine whether the DSCPs already have priority assignments, which could indicate use by existing applications.
3. Assign the DSCP policies to the selected UDP/TCP port applications and display the result.
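The worked example above (the four port applications and their DSCP policies) and the two operating notes on port ranges, as an added Python model; this is example code, not switch firmware. It converts the 6-bit binary codepoints the CLI uses, rejects a classifier that shares a port number with an existing policy of the same protocol, caps range policies at six (this example's reading of the "6 concurrent policies" note), classifies a packet to the (DSCP, 802.1p priority) it would be re-marked with, and regenerates the qos commands in the syntax shown above.

```python
"""TCP/UDP port-number DSCP policies, modelled on the rules in this section (added
example, not switch code).  It enforces the two operating notes above (at most six
range policies, no overlap with another policy), classifies packets, and prints
the equivalent CLI lines."""
MAX_RANGE_POLICIES = 6   # "6 concurrent policies when using unique ranges", read here as six range policies


class PortPolicyTable:
    def __init__(self):
        self.policies = []   # (proto, low, high, dscp, priority)

    def add(self, proto, ports, dscp, priority):
        """ports: one port or a (low, high) range; dscp: decimal or the 6-bit binary string the CLI uses."""
        low, high = (ports, ports) if isinstance(ports, int) else ports
        dscp = int(dscp, 2) if isinstance(dscp, str) else dscp
        if proto not in ("udp-port", "tcp-port") or not 0 <= low <= high <= 65535:
            raise ValueError(f"bad classifier {proto} {low}-{high}")
        if not (0 <= dscp <= 63 and 0 <= priority <= 7):
            raise ValueError("DSCP must be 0-63 and 802.1p priority 0-7")
        for p, l, h, _, _ in self.policies:
            if p == proto and low <= h and l <= high:   # any shared port number is an overlap
                raise ValueError(f"{proto} {low}-{high} overlaps existing policy {l}-{h}")
        if low != high and sum(1 for _, l, h, _, _ in self.policies if l != h) >= MAX_RANGE_POLICIES:
            raise ValueError("only six concurrent range policies are allowed")
        self.policies.append((proto, low, high, dscp, priority))

    def classify(self, proto, port):
        """(dscp, priority) the switch would re-mark a packet with, or None if no policy matches."""
        for p, l, h, dscp, prio in self.policies:
            if p == proto and l <= port <= h:
                return dscp, prio
        return None

    def cli(self):
        """The qos commands for the table, in the syntax shown above (codepoint in binary)."""
        return [f"qos {p} {l if l == h else f'{l}-{h}'} dscp {dscp:06b}"
                for p, l, h, dscp, _ in self.policies]


def rejected(table, *args):
    """True if table.add(*args) is refused by one of the validation rules."""
    try:
        table.add(*args)
    except ValueError:
        return True
    return False


def example_table():
    """The four policies from the worked example above."""
    t = PortPolicyTable()
    t.add("udp-port", 23, "000111", 7)
    t.add("tcp-port", 80, "000101", 5)
    t.add("tcp-port", 914, "000010", 1)
    t.add("udp-port", (1001, 2000), "000010", 1)
    return t
```

The overlap test (low <= h and l <= high) is the interval-intersection check, so a single port is just a range of length one; it is what makes a later policy such as udp 1500-3000 fail against the existing 1001-2000 entry.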
Release R.11.18 Enhancements
Release R.11.18 includes the following enhancement (Not a public release):
■ Enhancement (PR_0000008960) — This enhancement allows the switch to create SSH host keys by default.

Release R.11.19 through R.11.21 Enhancements
No enhancements, software fixes only. (Not a public release)

Release R.11.22 Enhancements
Release R.11.
Sends the hostname option with DHCP packets. Use the no form of the command to not include the hostname in the packet. The maximum size of the hostname is 32 characters.
Default: Disabled
ProCurve(config)# dhcp host-name-option
Figure 9. Example of the DHCP Option 12 Command

SNMP Support
A MIB object supports enabling and disabling the DHCP Option 12 feature. It is added in the hpicfDhcpclient.mib. The hostname is retrieved from the MIB variable sysName.
Release R.11.24 through R.11.25 Enhancements
■ Enhancement (PR_0000011010) — Support is added for Hitless MAC Authentication Reauth. For more information, see “Hitless MAC Authentication Reauth” on page 52.

Hitless MAC Authentication Reauth
The reauthentication procedure has been changed to allow an authenticated client to remain authenticated while reauthentication occurs.
Software Fixes in Release R.11.04 - R.11.25

Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release R.11.04 was the first software release for the ProCurve Series 2610 Switches.

Release R.11.04
No problems resolved in release R.11.04. (Initial Release.)

Release R.11.07
The following problems were resolved in release R.
■ Enhancement (PR_1000462847) — Mini-GBIC slots can be configured before one is inserted.
■ DHCP (PR_1000753483) — When issuing the no dhcp-relay option 82 validate command, the option 82 policy incorrectly changes to append.
■ Crash (PR_1000756775) — The switch hangs after updating software and issuing an SNMP reset.

Release R.11.08
The following problems were resolved in release R.11.09. (Not a public release.
Release R.11.10
No problems resolved in release R.11.10. (Never released.)

Release R.11.11
The following problems were resolved in release R.11.11. (Never released.)
■ Crash (PR_1000795039) — The switch may crash while uploading the configuration file, if there are extra space(s) in the configuration file header.
TLB Miss: Virtual Addr=0x00263f14 IP=0x00263f14 Task='tHttpd' Task ID=0x85d76e70 fp:0x00000000 sp:0x85d76d30 ra:0x00263f14 sr:0x1000fc01
■ Configuration (PR_1000786770) — The switch may not reload as it should following an update of the configuration file via SCP. Sometimes, portions of the copied config are written to the running config. Event logs may show messages similar to the following.
I 01/01/90 20:49:34 ssh: scp session from 13.28.234.
■ Dropped Packets (PR_0000004884) — A ProCurve Switch 2610-48 running software version R.11.12 or greater may drop 802.1Q tagged packets with priority 4-7 between port banks. Port banks are as follows: Bank 1: Ports 1-24; Bank 2: Ports 25-50.
Workaround: Disable the QoS passthrough feature using the procedure that follows.
Switch2610-48(config)# no-qos-pass-through
Switch2610-48(config)# reload

Release R.11.
■ 802.1X (PR_0000005358) — The switch is unable to successfully authenticate users using 802.1X.
■ Enhancement (PR_0000008960) — This enhancement allows the switch to create SSH host keys by default. For more information, see “Release R.11.18 Enhancements” on page 50.

Release R.11.19
The following problems were resolved in release R.11.19. (Never released.
Release R.11.21
The following problems were resolved in release R.11.21. (Never released.)
■ MDI-X (PR_0000007246) — MDI-X is not working properly; when MDI and MDI-X settings are explicitly configured, the port function is reversed.
■ CLI (PR_0000010942) — The CLI command output for show run does not display aaa port-access when MAC-based authentication with mixed port access mode is configured.
Release R.11.22
The following problems were resolved in release R.11.22.
■ QoS (PR_0000004576) — Editing a configured QoS TCP-port to a new priority does not take effect until the switch is rebooted.
■ Enhancement (PR_0000010783) — Support is added for the following products.
Workaround: either disable and re-enable ARP protect, or configure the ports to be trusted and then untrusted again.
■ Config (PR_0000002077) — Presence of the valid CLI/configuration parameter spanning-tree trap errant-bpdu will trigger failure to upload a configuration, with the switch reporting an error similar to the following (in this example, the problem parameter was on line 16 of the configuration).
line: 16. trap: Error setting configuration.
■ CDP/LLDP (PR_0000005741) — The switch is not consistently detecting neighboring Cisco Catalyst switches via CDP.
■ Crash (PR_0000015095) — The switch may reboot unexpectedly when it receives a certain type of traffic. A message similar to the following may be present in the switch event and crash logs.