Tutorial 5: How to Configure a HP 2650 Switch

Roadmap to this tutorial: This document will show you how to configure a HP2650 switch. For this document I have chosen to use the example of configuring the HP2650 switch with the host name dc2521-cs1a. You will need to modify the appropriate settings for the switch that you are configuring uch as the hostname and IP address and possibly the control/primary vlans to suit the requirements for your network setup.

Choose a name

To begin the process of setting up switch in the CS department you will need to pick a proper switch name. Use the following conventions:

       BuildingcodeRoom-org-unit#letter

where:

• Buildingcode is a campus building code (typically DC or MC; see http://plantoperations.uwaterloo.ca/floor_plans/ for reference)
• Room is the room number including any letter suffix (e.g. 2554b)
• - is a literal hyphen character
• org-unit represents the org-unit user of the switch, typically cs or cscf but possibly a research-group designation like plg
• # is a digit representing the ordinal number of this device in this room (eg the first device has number 1, the second has 2, etc), and
• letter is optional and is used to denote the whether or not the device is an aggregation device.

Aggregation devices do not have a letter, whereas the subordinate devices connected to an aggregation switch are distinguished by a letter a, b, c, etc.

For example, an aggregation switch in DC 2521 would be dc2521-cs1, and dc2521-cs1a would be an non-aggregation switch connected to dc2521-cs1.

See Tutorial 1 for more details.

Determine an IP address

Determine an IP address to go with the proper name you have chosen from UW DNS site. To create the IP and name use this address web address:

https://maintain.uwaterloo.ca/

It is a secure site therefore you must have access rights to enter and create entries.

If you are doing a standard setup for one of our core infrastructure switches, the address should be in either:

• vlan 1810, address range 172.19.10.0/24 for MATH building switches
• vlan 1812, address range 172.19.12.0/24 for Davis Center switches

See the current VLAN assignments for more details.

Connect to the console port

You are now ready to start the configuration of the switch. Connect the switch serial port to a serial port on a PC and use a terminal program such as hyperterm to configure the switch. You will require a cross over cable, HP supplies cables with each switch. If you don't have a cable see Dan Hergott and he will loan you one.

The proper serial protocol settings for the terminal program are:

• 9600 baud,
• 8 data bits,
• 1 stop bit and
• Xon-xoff flow control.

Although HP switches can automatically support higher baud rates HP technical support and trainers recommends you only use 9600 baud, as all of the switch startup messages ONLY are displayed at 9600 baud.

See Tutorial 2 for more details.

Power up the switch

After you have connected a proper cablen and have started the terminal program with the above settings you can power up the switch. When you are starting up a HP2650 you will see typical startup and boot messages such as when the switch is rebooted or powered cycled:

ROM information:
   Build directory: /sw/rom/build/fishrom(f04)
   Build date:      Jul 21 2004
   Build time:      10:45:52
   Build version:   H.08.02
   Build number:    137

OS identifier found at @ 0x7cb80000
Verifying Image validity ...
CRC on OS image header Passed
CRC on complete OS image file Passed
Valid OS image @ 0x7cb80000

Decompressing...done.

Initializing...initialization done.

Waiting for Speed Sense.  Press <Enter> twice to continue.

Connected at 9600 baud
update
HP J4899B ProCurve Switch 2650
Firmware revision H.08.67

Copyright (C) 1991-2005 Hewlett-Packard Co.  All Rights Reserved.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the Government is subject to restrictions
as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
Computer Software clause at 52.227-7013.
HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303

Press any key to continue

HP ProCurve Switch 2650#

Clear previous userids and passwords

If the switch has been configured once before with a user name and password it will display username instead of press any key to continue. If you know the manager user name and password then use them to proceed otherwise you will have to clear the switch passwords. To clear the password press the clear button twice with on front left side of the switch with a ball point pen and then reboot the switch.

Start configuration mode

The next step setting up the switch is the setting of the switch is to enter the configuration mode . Type:

   config term
   banner motd *
      Please note this is a CSCF managed device.
      For assistance please contact:
      Dan Hergott: phone 519-888-4567 x32454
      Trevor Grove: phone 519-888-4567 x34679
   *

Set switch name

Now enter in the hostname of the switch with the following command:

   hostname dc2521-cs1a

Configure SNMP contact

Next configure the snmp-server contact information field by typing:

   snmp-server contact network-cs-contact@cscf.uwaterloo.ca

Configure SNMP location

Next configure the snmp-server location. Type the command:

   snmp-server location "dc2521"

Note that this information must be the same as in UW DNS or ONA will give an error message.

Configure SNMP community (read-only)

Next setup your snmp-server community strings. These strings are required for people and ONA to properly access the switch using SNMP commands. The command are for read-only access:

   snmp-server community password Operator

Configure SNMP community (read-write)

The command for setting read-write access is:

snmp-server community password Manager Unrestricted 

Note: this line is critical for ONA to work properly!

Remove SNMP public string

For security purposes you MUST remove the public string from snmp-server:

   no snmp-server community public

Configure VLANs

Next you have to set the maximum amount of Vlans that you want on the switch CSCF uses 64 vlans maximum on the edge switches. The command to set the maximum vlans is:

   max-vlan 64

Configure control VLAN

Set up the primary (control) vlan(s) on switch. If the switch is brand new or the configuration has been erased then it has the a factory default setting. The factory default has all ports assigned to VLAN 1 and are untagged. We prefer to ignore VLAN 1 and use VLAN 4090 as the "unassigned" VLAN. You will need to create a new primary (control) VLAN. This primary vlan will use the ip number (and subnet mask) you have chosen with the UW-DNS system. The VLAN that CSCF Department currently uses for switch control is based on the location of the switch: VLAN 1810 for MC and VLAN 1812 for DC. To setup the switch on the CS network you will have to create the appropriate VLAN 6 with the associated name (dc-cs-cvl for 1812 in DC; mc-cs-cvl for 1810 in MC) and assign at least one TAGGED port to this vlan that will be connected to itsr upstream switch to your network. For this example we will setup the last two network ports on the switch to be the tagged control ports. To perform these tasks you will type the following commands:

   vlan 1810 or 1812 name "mc-cs-cvl" or "dc-cs-cvl"
   ip address 172.19.(10/12).XXX 255.255.255.0
   tagged 49-50
   no ip igmp
   primary-vlan (1810 or 1812)
   management-vlan (1810 or 1812)
   exit
   ip default-gateway 172.19.(MC=10 or DC=12).1 
   no vlan 1
   vlan 4090
   no ip address
   name deadzone
   exit

Set up timezone

To maintain proper time the switch timezone area has to be set properly. We are located in time zone area -300 minutes from GMT. The command to do this is:

   time timezone -300

Set up daylight-savings

As well you need to setup the daylight savings time rule for our area of Canada. The command to type for our area is:

   time daylight-time-rule continental-us-and-canada

Setup SNTP for time synchronization

Unfortunately HP switches don't not have a battery backed up real time clock. Therefore you need to have a timeserver on your network so it can get its correct current time. Use these two commands to set it up with SNTP unicast timeserver. The commands are:

   sntp server 129.97.128.10 timesync sntp

Disable Cisco discovery protocol

By default the switch has the Cisco Discovery protocol enabled - it is recommended by Bruce Campbell to disable this protocol. To remove this protocol enter this command:

   no cdp run

Set console timeout

For security purposes you should make the console time out after 15 minutes of no console activity. If you don't setup this step, switch access via IP /telnet SSH can be locked out if the sessions are ended incorrectly. It should be noted that the switch will only support 4 simultaneous telnet/SSH connections. Type this command to setup the inactivity timer:

   console inactivity-timer 15

Disable web management

Unless you create a self-signed SSL certificate and restrict the web-management to SSL only, you should turn off web management to the switch. Enter this command:

   no web-management

To enable web management, use the management website in plaintext mode to generate a self-signed certificate, install it, then

web-management SSL
no web-management plaintext

Setup IP management addresses

To allow access control to the switch you must setup a list of IP authorized managers. The access control can be set to

• read-only or
• read-write

Here is the list of commands that are required for access to the switch via SSH, telnet and ONA:

   ip authorized-managers 129.97.0.0 255.255.0.0 access Operator
   ip authorized-managers 129.97.15.0 255.255.255.0 access manager
   ip authorized-managers 129.97.128.0 255.255.255.0 access manager
   ip authorized-managers 172.19.10.0 255.255.255.0 access manager
   ip authorized-managers 172.19.12.0 255.255.255.0 access manager

Set up logging

Your network system should have some sort of logging facility to keep track of your switches error messages. If you do have a log server then type in these commands:

   logging facility local3 logging 129.97.50.184 

Configure spanning-tree

This step is very important. To prevent a network loop and a network broadcast storm which will adversely effect the network, usually rendering it in-operable you MUST turn on the Rapid Spanning Tree Protocol (RSTP) on the switch. To enable RSTP on the switch type the following two commands:

   spanning-tree 
   spanning-tree priority 14 force-version RSTP-operation 

Other spanning-tree configurations are under review. For devices that are know to be edge devices (hosts and other non-switch devices), consider:

• loop-protect
• bpdu-filter (especially for anything connecting to another STP region, like wireless APs or Engineering switches)
• admin-edge-port

For any ports with down-stream Cisco switches, enable pvst-filter.

Disable auto MDIX

Also very important to stop accidental network loops is to turn off auto midx on the HP edge switch ports so that a jumper between two work area jacks won't bring down the who CS network as they did in ST#

1. Type the following commands where S-E is the starting switch port and and ending switch port:

   int SX-EX                        
   mdix-mode mdix

An example would be:

   int 1-48
   mdix-mode mdix
   exit

SSH access"> Setup SSH access

For security purposes, CSCF uses SSH to access the switches. For SSH to work on the switch you must type the following commands:

   crypto key generate ssh
   ip ssh

Create userids

The HP switches support the creation of two users, a operator and a manager. The operator has limited access rights, the manger full access rights. In CSCF we use the username operator for the operator rights access and for manager access we use the userid of root. The create these users type these commands:

   password manager user-name root
   password operator user-name operator

Assign passwords

After creating the two users you have to setup the appropriate passwords, when you issue the next two command you will be prompted for passwords. See Dave Gawley for Dan Hergott or the CSCF safe for the passwords to enter. The commands for assigning passwords are:

   password manager
   password operator

Save the initial configuration

The switch should now save the switch configuration by typing the

command

   write memory

Reboot the switch

For all of the changes to be activated the switch will need to be rebooted. To reboot the switch type the command:

   reload.

If the switch prompts to save configuration type y (yes).

Erasing a configuration

Should you feel that you have made mistakes in your configuration you can erase the configuration and want to start ALL over by logging into the switch as manager and issuing these commands:

 
   config terminal 
   erase start-up configuration
   y 

Testing the switch

You can test your switch you will need to connect port 50 from the new switch to a active Q-tagged port on CSCF network with a tag to vlan 1810/1812 on the port. Once you have connected the switch you can verify network connectivity by making sure the link light on both switches turn on. If both are active the perform a ping test from the switch. Ping the gateway address for the switch by using this command:

   ping 172.19.10.1 or 172.19.12.1

If the ping test does not respond it may be that the spanning tree is still reconfiguring. Wait a minute and try the ping test again.

Should the ping tests fail then you will need someone to help you determine the problem. Contact Dave Gawley or Dan Hergott for assistance or their designates.

Additional notes:

On an HP5406-HP5412 you CANNOT assign a vlan to an empty GBIC port. It will give an error.

Revision history:

• Document written by Dan Hergott
• Last edit date:5 February 2008
• converted to TWiki format by trg, 2009-7
• minor technical revisions (timesync, loop protect)
• verified and minor revisions by Dan Hergott 18 May 2010