Objectives
- Explain the interoperability between Cisco and ProCurve equipment in the same network
- Compare the differences and similarities in features and in configuration
- Interoperability in detail:
Content
1. Migrating from a Cisco Infrastructure to a ProCurve Infrastructure
2. VLANs Interoperability
3. Spanning-Tree Interoperability
4. Hardening Spanning-Tree
5. L2 Discovery Protocols LLDP - CDP
6. Gateway redundancy HSRP - VRRP
7. POE, IP Phones and QOS
8. Network Access Control
9. Layer 2 layer 3 interfaces
10. IP Routing
11. Access Control Lists
Conclusion
1- Migrating from a Cisco Infrastructure to a ProCurve Infrastructure
[Figure: migration scenario with a Multivlan Uplink, OSPF and Link Aggregation between the two infrastructures]
2- VLANs Interoperability
[Figure: multi-VLAN uplink between ProCurve port a1 and Cisco port G1/20; VLAN 1 is the default (untagged) VLAN]
For a switch-to-switch connection between a ProCurve and a Cisco switch carrying multiple VLANs (1-3 in our case) you have to configure the following. On the ProCurve side you configure, for every VLAN, port a1 to be a member of it. For VLAN 1 we configure port a1 to be an untagged member, which corresponds to the native VLAN on the Cisco side. On the Cisco switch you configure this on the interface instead: configure the interface as a switchport and set the encapsulation to 802.1q (dot1q), as Cisco also supports a proprietary VLAN encapsulation called ISL. Configure the interface as a switchport trunk. That automatically allows all configured VLANs to pass the interface, therefore you have to restrict the VLANs with the command switchport trunk allowed vlan 1-3. As the switch sends Cisco proprietary Desktop Trunking Protocol (DTP) frames by default, you may disable this with the command switchport nonegotiate. By default the Cisco native VLAN is 1, which basically means that the frames for VLAN 1 are sent out untagged.
[Figure: end-node port: ProCurve port a1 and Cisco port G1/20, each connected to a PC]
The following shows how to configure a port for an end node like a PC or notebook. On the ProCurve side you configure port a1 to be an untagged member of the corresponding VLAN. On the Cisco side you configure the interface as a switchport with mode access. Then you assign the VLAN id to this interface with the command switchport access vlan 2.
Cisco:
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
[Figure: IP phone with a cascaded PC on ProCurve port a1 and on Cisco port G1/20]
ProCurve port a1 advertises LLDP-MED: Voice VLAN ID=3, Mode: tagged
Cisco port G1/20 advertises CDPv2: Voice VLAN ID=3, Mode: tagged, and LLDP-MED: Voice VLAN ID=3, Mode: tagged
LLDP-MED support has started on Cisco Catalyst 3760, 3750, 2960, 2970 switches running 12.2(37)SE and on Cisco Catalyst 6500 running 12.2(33)SXH
Here it is shown how you configure the switch to connect an IP phone (hard phone) with a PC cascaded behind it. On the ProCurve side you configure port a1 to be an untagged member of VLAN 2, the VLAN for the PC, and a tagged member of VLAN 3, the VLAN id the IP phone may use to send and receive its traffic. So that the phone can learn the VLAN id it has to use, you can configure VLAN 3 as a voice VLAN, which makes the switch send out LLDP-MED frames if an IP phone with LLDP-MED support is detected. On the Cisco side you configure on the interface an access VLAN 2 for the PC and a voice VLAN 3 for the IP phone. On older IOS versions this made the switch send out Cisco proprietary CDPv2 information with the voice VLAN id included. Current IOS versions also send out LLDP-MED frames.
Cisco VTP
- VLAN Trunking Protocol
- Cisco proprietary protocol: supported by Cisco and ???, not supported by ProCurve
- Propagates VLAN creation in the VTP domain
- Server, Client and Transparent VTP modes
- Allowed VLANs automatically controlled on Cisco trunks by VTP pruning (VLANs filtered on Cisco trunks)
- Password protected
Dynamic VLAN advertisement in a mixed environment with Cisco Catalyst and HP ProCurve switches
GVRP provides 802.1Q-compliant VLAN pruning and dynamic VLAN creation. With GVRP, the switch can exchange VLAN configuration information with other GVRP switches, prune unnecessary broadcast and unknown unicast traffic, and dynamically create and manage VLANs on switches connected through 802.1Q trunk ports. GVRP is an IEEE standard. GVRP can also be used by end stations to advertise the VLAN they would like to join; currently there are no implementations known to me where this is implemented, e.g. Microsoft, Linux, Apple.
VTP is a Cisco proprietary Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP is a client-server protocol. On a VTP server you can create, modify, and delete VLANs. VTP servers advertise their VLAN configuration to other switches and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
VTP-GVRP interaction is possible on Cisco switches running CatOS 5.3 or higher. These Catalyst switches can be configured to distribute the VTP learned or configured VLANs via GVRP to HP ProCurve switches. The following needs to be configured on the Cisco switch apart from the VTP configuration:
Enable GVRP globally:
set gvrp enable
Enable GVRP on the port connected to an HP ProCurve switch:
set port gvrp enable mod_num/port_num
The following needs to be configured on the HP ProCurve switch:
Enable GVRP globally:
gvrp
You may disable GVRP on ports connected to clients:
interface <port-list> unknown-vlans disable
The GVRP protocol does not support advertising of VLAN names, therefore you will not see the VTP assigned names on HP ProCurve switches.
ProCurve:
show interface brief
show vlan
Cisco:
show interfaces status
show vlan id <vlan-id>
show interfaces <port> switchport
show interfaces <port> trunk
show interfaces trunk
[Figure: static link aggregation: ProCurve ports a1 and a2 in trk1 connected to Cisco ports G1/20 and G1/21 in po1]
How to configure a static link aggregate between a ProCurve and a Cisco switch? Remember that the naming for a link aggregation differs between ProCurve and Cisco switches. On the ProCurve side you configure a trunk port, on which you specify the member ports. When you configure the command
trunk a1-a2 trk1 trunk
you create a trunk port called trk1 in static mode to which ports a1 and a2 belong. On the Cisco side you configure the physical interfaces G1/20 and G1/21 to belong to the same channel-group. With the mode on command you specify a static channel. Once you have done this, a new interface called port-channel 1 is created.
Cisco:
interface GigabitEthernet 1/20
 channel-group 1 mode <active | passive>
interface GigabitEthernet 1/21
 channel-group 1 mode <active | passive>
active: send LACP frames actively; passive: just respond to them
[Figure: LACP link aggregation: ProCurve ports a1 and a2 in trk1 connected to Cisco ports G1/20 and G1/21 in po1]
Here is the same setup using the dynamic Link Aggregation Control Protocol (LACP). On the ProCurve side you just specify lacp instead of trunk. On the Cisco side you configure the mode to either active or passive, which corresponds to speaking LACP actively or just passively responding to LACP frames.
[Figure: ProCurve switch with a link aggregation to a Cisco VSS pair]
Cisco VSS appears as one switch, to which a link aggregation can be set without requiring Spanning-Tree.
Pay attention to MultiVLAN ports:
1. Make sure the native VLAN on the Cisco trunk = the untagged VLAN on the ProCurve tagged port
2. Ensure the same VLANs are allowed and configured
Note: BPDUs (Spanning Tree, LLDP, LACP) are not attached to the untagged or any VLAN on ProCurve, contrary to Cisco.
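As an added example (not part of the original slides), the following Python script applies this checklist to the two ends of a multi-VLAN uplink: it parses a ProCurve VLAN configuration and a Cisco switchport configuration and reports a native/untagged VLAN mismatch, VLANs configured on one side only, a trunk that excludes VLAN 1 (the VLAN in which the Cisco switch sends its IEEE BPDUs) and DTP left enabled. The configuration snippets, port names and parsing functions are assumptions made for this example; only the commands used on the slides are understood.

```python
"""Added example, not from the original slides: apply the MultiVLAN checklist
to the two ends of a ProCurve-to-Cisco uplink.

Assumptions (all constructed for this example): the snippets below imitate
'show running-config' output for ProCurve port a1 and Cisco interface
GigabitEthernet 1/20 as used on the slides; only the VLAN membership,
trunk and DTP commands are parsed.
"""
import re

PROCURVE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged a1
   exit
vlan 2
   name "data"
   tagged a1
   exit
vlan 3
   name "voice"
   tagged a1
   exit
"""

CISCO_CONFIG = """\
interface GigabitEthernet1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
 switchport nonegotiate
"""


def expand_vlan_list(spec):
    """Expand a VLAN list such as '1-3,5' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def parse_procurve_port(config, port):
    """Return (untagged VLAN, set of tagged VLANs) of one ProCurve port.
    Port lists are expected as explicit names ('a1,a2'); ranges like 'a1-a4'
    are not expanded by this small parser."""
    untagged, tagged, current = None, set(), None
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.fullmatch(r"(untagged|tagged) (.+)", line)
        if m and current is not None and port in m.group(2).replace(" ", "").split(","):
            if m.group(1) == "untagged":
                untagged = current
            else:
                tagged.add(current)
    return untagged, tagged


def parse_cisco_interface(config, interface):
    """Return the switchport settings of one IOS interface. Unlisted commands
    keep the IOS defaults: access mode, native VLAN 1, all VLANs allowed on a
    trunk, DTP negotiation on."""
    info = {"mode": "access", "native": 1, "allowed": None,
            "encapsulation": None, "nonegotiate": False}
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            inside = line[len("interface "):].replace(" ", "") == interface
            continue
        if not inside:
            continue
        words = line.split()
        if line.startswith("switchport mode "):
            info["mode"] = words[2]
        elif line.startswith("switchport trunk native vlan "):
            info["native"] = int(words[4])
        elif line.startswith("switchport trunk allowed vlan ") and words[4][0].isdigit():
            info["allowed"] = expand_vlan_list(words[4])  # 'add'/'remove' forms not handled
        elif line.startswith("switchport trunk encapsulation "):
            info["encapsulation"] = words[3]
        elif line == "switchport nonegotiate":
            info["nonegotiate"] = True
    return info


def check_uplink(procurve_cfg, port, cisco_cfg, interface):
    """Run the checklist; returns a list of findings, empty when both ends agree."""
    untagged, tagged = parse_procurve_port(procurve_cfg, port)
    cisco = parse_cisco_interface(cisco_cfg, interface)
    if cisco["mode"] != "trunk":
        return ["Cisco interface is not a trunk: only its access VLAN crosses the link"]
    findings = []
    if cisco["encapsulation"] not in (None, "dot1q"):
        findings.append("trunk encapsulation %s is Cisco proprietary; ProCurve needs dot1q"
                        % cisco["encapsulation"])
    # 1. Native VLAN on the Cisco trunk = untagged VLAN on the ProCurve port.
    if cisco["native"] != untagged:
        findings.append("native VLAN mismatch: Cisco native %s vs ProCurve untagged %s"
                        % (cisco["native"], untagged))
    # 2. The same VLANs must be allowed and configured on both sides.
    procurve_vlans = tagged | ({untagged} if untagged is not None else set())
    if cisco["allowed"] is None:
        findings.append("Cisco trunk allows all VLANs; restrict it with 'switchport trunk allowed vlan'")
    else:
        missing = sorted(procurve_vlans - cisco["allowed"])
        extra = sorted(cisco["allowed"] - procurve_vlans)
        if missing:
            findings.append("VLANs on ProCurve port but not allowed on Cisco trunk: %s" % missing)
        if extra:
            findings.append("VLANs allowed on Cisco trunk but not configured on ProCurve port: %s" % extra)
        # The Cisco switch sends its IEEE BPDUs in VLAN 1: without it, no IEEE BPDU leaves the trunk.
        if 1 not in cisco["allowed"]:
            findings.append("VLAN 1 not allowed on Cisco trunk: no IEEE BPDU will be sent")
    # DTP has no peer on the ProCurve side; switch the negotiation off.
    if not cisco["nonegotiate"]:
        findings.append("DTP still enabled: add 'switchport nonegotiate'")
    return findings


if __name__ == "__main__":
    result = check_uplink(PROCURVE_CONFIG, "a1", CISCO_CONFIG, "GigabitEthernet1/20")
    for finding in result or ["uplink consistent"]:
        print(finding)
```

With the two snippets above the check returns no findings; change the Cisco native VLAN to 2 and the allowed list to 2-3 and it reports the native VLAN mismatch, VLAN 1 missing from the trunk (and therefore no IEEE BPDU) and, because switchport nonegotiate is absent in that variant, DTP still running.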
3- Spanning-Tree Interoperability
- Introduction to the different STP modes
- MSTP on Cisco and ProCurve: with 1 MST instance; with load balancing between instances
- PVST+ on Cisco and MSTP on ProCurve
We have to distinguish switch configurations for different kinds of connections:
- End user ports (PCs, printers, ...)
- IP phone ports
- End user + IP phone ports
- Server ports for one VLAN
- Server ports for multiple VLANs
- Switch-to-switch ports for one VLAN
- Switch-to-switch ports for multiple VLANs
- Aggregated ports
Support of STP
- STP: IEEE 802.1D Standard Spanning Tree
- PVST: Per VLAN Spanning-Tree (proprietary, based on STP 802.1D). Note: PVST BPDUs are STP compatible in VLAN 1
- Rapid PVST: proprietary, based on RSTP 802.1w. Note: Rapid PVST BPDUs are RSTP compatible in VLAN 1
- RSTP: Rapid Spanning Tree (802.1w IEEE standard)
- MSTP: Multi Instance Spanning-Tree (802.1s IEEE standard). Note: the best choice for interoperability; caution with the pre-standard implementation of MSTP on Cisco
802.1D and 802.1w
This left links unused, since all VLANs took the same physical topology.
[Figure: single spanning tree with one Root bridge; the redundant links are blocked]
MSTP = MST (IEEE 802.1s)
In response to the need to allow standards-compliant 802.1D/w/Q switches to have multiple logical paths for redundancy, 802.1s, the Multiple Spanning Tree Protocol (MSTP), was ratified. 802.1s enhances 802.1Q by allowing groups of VLANs to be assigned to different spanning tree instances. The instances are chosen to match the number of possible logical paths through the layer 2 network; often only 2 or 3 are required, instead of hundreds with PVST.
[Figure, before (with PVST): three switches each carrying VLANs 1, 2 and 3, one switch being root of VLAN 1, one root of VLAN 2 and one root of VLAN 3]
MSTP on Cisco and ProCurve with one MST instance
[Figure: two Cisco switches and one ProCurve switch, all running MSTP; one link blocked (X)]
Pros: simple, all switches speak the same standard protocol
Cons: no load balancing
MSTP on Cisco and ProCurve with load balancing between instances
[Figure: four Cisco switches and two ProCurve switches, all running MSTP, with blocked links (X) on two different paths]
To support the compliant IEEE 802.1s-2002 standard, Cisco switches must run at least the following firmware versions:
- Cisco Catalyst 2950, 3550, 3560, 3750: IOS 12.2(25)SEC
- Cisco Catalyst 4000: native IOS 12.2(25)SG
- Cisco Catalyst 6000: native IOS 12.2(18)SXF or CatOS 8.3
MST concepts
Switches belong to the same MST region if they share the same configuration parameters:
1- MST Config Name (32 bytes, case sensitive)
2- MST Revision Number (2 bytes)
3- MST Instances, which are set by the assignment of VLANs
[Figure: example of an MST configuration]
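The three parameters above are what neighbours compare in their BPDUs: the name and revision are carried as they are, the VLAN-to-instance table only as an HMAC-MD5 digest with the key fixed by IEEE 802.1s. The following Python code, added here and not part of the slides or of either vendor's software, computes that digest and tells which of the three parameters keeps two switches from forming one region. The region names and VLAN assignments are constructed for the example.

```python
"""Added example, not from the slides or from either vendor's software:
compute the MST Configuration Identifier that 802.1s switches compare to
decide whether they are in the same region.

Name and revision travel in the BPDU as they are; the VLAN-to-instance
table travels only as an HMAC-MD5 digest keyed with the constant below
(IEEE 802.1s). The sample region parameters are constructed.
"""
import hashlib
import hmac

# Signature key defined by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_to_instance(instances):
    """Turn {instance: [vlan, ...]} (the 'instance <id> vlan <list>' lines)
    into {vlan: instance}; VLANs not listed stay in the IST (instance 0)."""
    mapping = {}
    for instance, vlans in instances.items():
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError("VLAN id out of range: %d" % vlan)
            if mapping.get(vlan, instance) != instance:
                raise ValueError("VLAN %d assigned to two instances" % vlan)
            mapping[vlan] = instance
    return mapping


def config_digest(instances):
    """HMAC-MD5 over the 4096-entry configuration table (2 bytes per VLAN id,
    big-endian MSTID; entries 0 and 4095 are not VLANs and stay 0)."""
    table = bytearray(2 * 4096)
    for vlan, instance in vlan_to_instance(instances).items():
        table[2 * vlan:2 * vlan + 2] = instance.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def mst_config_id(name, revision, instances):
    """(name, revision, digest) as carried in the MSTP BPDU."""
    if len(name.encode()) > 32:
        raise ValueError("MST configuration name longer than 32 bytes")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("MST revision must fit in 2 bytes")
    return (name, revision, config_digest(instances))


def region_mismatch(switch_a, switch_b):
    """Names of the parameters that differ; an empty list means one region."""
    id_a, id_b = mst_config_id(*switch_a), mst_config_id(*switch_b)
    labels = ("configuration name", "revision number", "VLAN-to-instance digest")
    return [label for label, x, y in zip(labels, id_a, id_b) if x != y]


def same_region(switch_a, switch_b):
    return not region_mismatch(switch_a, switch_b)


# Constructed sample: both sides typed the same name and revision, but the
# ProCurve side left VLAN 3 in the IST instead of putting it into instance 1.
CISCO = ("Campus", 1, {1: range(2, 4), 2: range(10, 20)})
PROCURVE = ("Campus", 1, {1: [2], 2: range(10, 20)})

if __name__ == "__main__":
    print("Cisco    :", mst_config_id(*CISCO))
    print("ProCurve :", mst_config_id(*PROCURVE))
    print("mismatch :", region_mismatch(CISCO, PROCURVE))
```

Because only the digest is exchanged, a single VLAN mapped differently on one side silently splits the two switches into separate regions, with a region boundary on the link between them; a Cisco switch prints the same digest with show spanning-tree mst configuration digest, which is the quickest way to compare it against the ProCurve side. The Cisco pre-standard MST implementation derives its digest differently, which is one reason for the caution above.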
Cisco: bridge priority per MST instance
Cisco(config)# spanning-tree mst <instance-id> priority <priority>
Cisco: edge port
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree portfast
Cisco trunk with VLAN 1 allowed:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
Cisco trunk without VLAN 1:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 2-3
 switchport mode trunk
[Figure: in both cases the MSTP BPDU is sent untagged to the IEEE destination MAC 01:80:c2:00:00:00 and carries the CST information, the MSTP specific parameters, the IST info and the MSTI info]
Use trunk port configuration on inter-switch links and always check that you have switchport mode trunk configured! If you use access ports you create MST region boundaries.
BPDU formats
- RSTP 802.1w: untagged, IEEE destination MAC 01:80:c2:00:00:00
- MSTP 802.1s: untagged, IEEE destination MAC 01:80:c2:00:00:00
- PVST+: an untagged IEEE BPDU (destination MAC 01:80:c2:00:00:00, CST information, IST info) for VLAN 1, plus tagged BPDUs to the Cisco destination MAC 01:00:0c:cc:cc:cd for the other VLANs
PVST+ on Cisco and MSTP on ProCurve: Design #1
[Figure: two Cisco switches running PVST+ or RapidPVST+ connected to a ProCurve switch running MSTP; the ProCurve port towards the right Cisco switch is blocked (X)]
Pros: simple and still use PVST+ for backbone
Cons: no load balancing
[Figure: Cisco ProCurve Design #1, Cisco PVST+ view for all other VLANs]
The ProCurve switch will also block the PVST+ BPDUs, as the whole port is blocked. Therefore the right Cisco switch will not receive any PVST+ BPDU through the ProCurve switch.
Modify the bridge priority to tweak the STP root selection per VLAN:
Cisco(config)# spanning-tree vlan 1-2 priority 4096
Modify the interface cost if necessary per VLAN:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree vlan 1-2 cost 10000
Modify the interface priority if necessary per VLAN:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree vlan 1-2 port-priority 4
Enable STP edge-port where desired (end user interfaces), either globally, which affects all non-trunking ports:
Cisco(config)# spanning-tree portfast default
Cisco trunk with VLAN 1 allowed:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
Cisco trunk without VLAN 1:
interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 2-3
 switchport mode trunk
If VLAN 1 is not allowed on a trunk port, no IEEE BPDU is sent out!
Cisco access port with IP phone:
interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
RapidPVST+ on Cisco and MSTP on ProCurve: Design #2
[Figure: two Cisco 6500 switches running RapidPVST+, connected to each other by port-channel po1 and to the ProCurve switches via Gig2/x; the ProCurve switches run MSTP with uplinks a24 and b24 and user ports a1-a20,b1-b20,c1-c24,d1-d24]
Cisco 6506_left configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 0
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
Cisco 6509_right configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
Cisco
Cisco
STP blocked for VLAN 1,2,3
Cisco
Cisco
X
Be sure to tweak STP that blocking occurs on the Cisco switches !!!
Pros: load balancing and PVST+ for backbone Cons: more complex to configure and troubleshoot
50
Exercise
[Figure: two Cisco switches connected by ports Gig2/1 to Gig2/8; each ProCurve switch is uplinked via a24 to the left and via b24 to the right Cisco switch and has user ports a1-a20,b1-b20,c1-c24,d1-d24; the ProCurve ports b24 are blocked (X); STP port cost 20000 on the Cisco links]
1. Why are the ports b24 on the ProCurve switches in the blocking state and not the ports Gig 2/1 to Gig 2/8 on the right Cisco switch?
2. What do you have to change to block the ports Gig 2/1 and Gig 2/8 on the right Cisco switch?
Cisco ProCurve Design #2: Cisco PVST+ view for all other VLANs
[Figure: STP root on the left Cisco switch, port-channel po1 between the Cisco switches, links Gig2/1 to Gig2/8 towards the ProCurve switches with STP port cost 20000; blocked ports (X) on the right Cisco switch]
1. Why might Spanning-Tree block the ports on po1 for the other VLANs?
2. How do you make sure that the ports Gig2/1 to Gig2/8 of the right Cisco switch are blocking and not po1?
All tagged Cisco PVST BPDUs, which are sent to the Cisco specific multicast MAC address 01:00:0c:cc:cc:cd, are forwarded unchanged by ProCurve switches like any other frame!
[Figure: Design #2 topology: Cisco switches running RapidPVST+ with po1 and Gig2/x, ProCurve switches running MSTP with uplinks a24 and b24 and user ports a1-a20,b1-b20,c1-c24,d1-d24]
Start with the setup of the previous scenario. If the Cisco switches are in the core, to get PVST load balancing:
1) Increase the cost of the inter-core link in VLAN 1 (e.g. 30000)
2) Reduce the cost of the inter-core link in the other VLANs (e.g. 10000)
3) Set priorities on the root and secondary root to get load balancing between VLANs
4- Hardening Spanning-Tree
Spanning-Tree problems
Unstable STP can be caused by:
- Uni-directional links
- Rogue devices talking STP
- Permanent STP topology changes due to flapping ports or end user ports not set to edge mode (portfast)
- Loops not detected by STP
Protection features:
ProCurve: Uni-directional Link Detection (UDLD), BPDU-protection, Loop-protect, Root-Guard
Cisco: Uni-directional Link Detection (UDLD), BPDU-Guard, Keepalive, Root-Guard, Loop-Guard
Uni-directional link:
1. The root transmits BPDUs
2. The neighbor doesn't receive them, thinks the root is dead and now claims it is the new root
3. The bottom switch opens up its blocked port: loop in the network
4. The network goes down; troubleshooting is very difficult
[Figure: fiber link where one direction (TX to RX) works and the other direction is broken]
RFN is optional but enabled by default on 1000BaseX on Cisco and ProCurve switches when auto-negotiation is used. Recommendation: always use autoneg on 1000BaseX connections.
[Figure: UDLD hello / acknowledge hello exchange between two Cisco switches and between two ProCurve switches]
Cisco UDLD configuration:
Global for all fiber ports:
Cisco(config)# udld aggressive
Or interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# udld port aggressive
Recovery configured globally:
Cisco(config)# errdisable recovery cause udld
Cisco(config)# errdisable recovery interval 300 (default)
BPDU-Guard, BPDU-protection
You should not allow STP BPDUs to be received on an end user port. Therefore enable this feature on all end user ports. If a BPDU is received the port is put in an errdisable state (Cisco) or the port is disabled (ProCurve).
ProCurve:
Interface specific, in global config:
ProCurve(config)# spanning-tree a1 bpdu-protection
Recovery configured globally:
ProCurve(config)# spanning-tree bpdu-protection-timeout 300
Cisco:
Global for all ports:
Cisco(config)# spanning-tree portfast bpduguard default
Or interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# spanning-tree bpduguard enable
Recovery configured globally:
Cisco(config)# errdisable recovery cause bpduguard
Cisco(config)# errdisable recovery interval 300 (default)
Loop-protect, Keepalive
ProCurve:
Interface specific, in global config:
ProCurve(config)# loop-protect a1
Recovery configured globally:
ProCurve(config)# loop-protect disable-timer 300
Cisco:
Keepalive is enabled by default on all copper ports
Recovery configured globally:
Cisco(config)# errdisable recovery cause loopback
Cisco(config)# errdisable recovery interval 300 (default)
The ProCurve loop-protect feature is an edge-port feature and therefore not intended for inter-switch links.
Spanning-Tree Root-Guard
ProCurve:
Interface specific, in global config:
ProCurve(config)# spanning-tree a1 root-guard
Recovery is done automatically
Cisco:
Interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# spanning-tree guard root
Recovery is done automatically
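When these features act, the Cisco switch reports it through syslog, and an operator wants to see at a glance which ports were err-disabled by BPDU guard, UDLD, the keepalive loop detection or root guard, and which port keeps being recovered and disabled again. The Python script below is an added example (not from the slides): it classifies such messages, summarizes them per category and lists ports with repeated events. The sample lines are constructed for this example in the IOS %FACILITY-SEVERITY-MNEMONIC layout, not captured logs, and the function names are this example's own.

```python
"""Added example, not from the slides: classify the syslog messages a Cisco
switch emits when UDLD, BPDU guard, keepalive loop detection or root guard
acts, so that a rogue STP speaker on a user port, a dead fiber and a wiring
loop can be told apart quickly.

The sample lines are constructed for this example; they follow the IOS
%FACILITY-SEVERITY-MNEMONIC message layout but are not captured logs.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  1 10:01:02.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/2 with BPDU Guard enabled. Disabling port.
Mar  1 10:01:02.130: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/2, putting Gi0/2 in err-disable state
Mar  1 10:05:44.001: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi0/24, unidirectional link detected
Mar  1 10:07:10.555: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/3 on VLAN0001.
Mar  1 10:09:00.000: %PM-4-ERR_DISABLE: loopback error detected on Gi0/7, putting Gi0/7 in err-disable state
Mar  1 10:10:00.000: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/2
Mar  1 10:11:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
"""

MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
PORT_RE = re.compile(r"(TenGigabitEthernet|GigabitEthernet|FastEthernet|Te|Gi|Fa)(\d+(?:/\d+)+)")
SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

# Category and operator meaning, keyed by mnemonic or by the err-disable cause
# that the PM messages carry as their first word.
MEANING = {
    "BLOCK_BPDUGUARD": ("bpdu-guard", "BPDU on an edge port: a switch or other STP speaker behind a user port"),
    "ROOTGUARD_BLOCK": ("root-guard", "superior BPDU where no root may appear: a device tries to become root"),
    "UDLD_PORT_DISABLED": ("udld", "uni-directional link: check fiber pair and transceivers"),
    "bpduguard": ("bpdu-guard", "port err-disabled by BPDU guard"),
    "udld": ("udld", "port err-disabled by UDLD"),
    "loopback": ("loop", "keepalive returned on the same port: wiring loop"),
}


def port_of(text):
    """First interface name in the text, normalised to the short IOS form."""
    m = PORT_RE.search(text)
    if not m:
        return None
    prefix, number = m.groups()
    return SHORT.get(prefix, prefix) + number


def parse_events(log):
    """Protection-related events as dicts; unrelated messages are skipped."""
    events = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        mnemonic, text = m.group("mnemonic"), m.group("text")
        if mnemonic == "ERR_RECOVER":
            category, meaning = "recovery", "errdisable recovery timer re-enabled the port"
        else:
            key = text.split()[0] if mnemonic == "ERR_DISABLE" else mnemonic
            if key not in MEANING:
                continue
            category, meaning = MEANING[key]
        events.append({"category": category, "port": port_of(text),
                       "severity": int(m.group("severity")), "meaning": meaning, "raw": line})
    return events


def summarize(events):
    """How often each protection feature fired in this log window."""
    return Counter(e["category"] for e in events)


def noisy_ports(events, threshold=2):
    """Ports with at least `threshold` events: a user port that is disabled,
    auto-recovered and disabled again points at a device that keeps sending BPDUs."""
    counts = Counter(e["port"] for e in events if e["port"])
    return {port: n for port, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print("%-10s %-7s %s" % (e["category"], e["port"], e["meaning"]))
    print(dict(summarize(evs)), noisy_ports(evs))
```

Run against the sample it yields two BPDU-guard events, one each for UDLD, root guard and the keepalive loop, one recovery, and flags Gi0/2 as the port that was blocked, err-disabled and recovered within a few minutes; with errdisable recovery enabled as above, that block/recover cycle repeating every interval is the pattern to alert on.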
[Figure: Design #2 topology (Cisco switches running RapidPVST+ with po1 and Gig2/x, ProCurve switches running MSTP) with ProCurve port b24 blocked (X)]
5- L2 Discovery Protocols LLDP - CDP
Cisco: CDP is enabled by default on all ports. Support for LLDP has started on Cisco Catalyst 2960, 3760, 3750 series switches running 12.2(37)SE, without SNMP MIB support, and on Cisco Catalyst 6500 running 12.2(33)SXH.
[Figure: the Cisco switch transmits LLDP and CDP and receives CDP; the ProCurve switch receives LLDP and CDP; both maintain a CDP table and CDP MIB]
A Cisco switch is visible in the LLDP and CDP table, as entries are cross populated.
6- Gateway redundancy HSRP - VRRP
HSRP (Cisco)
Active HSRP router: IP 10.1.1.2, MAC 0000.0c12.3456, vIP 10.1.1.1, vMAC 0000.0c07.ac00
The rest of the routers provide hot standby in case the local router fails. Standby routers stay idle as far as packet forwarding from the client side is concerned.
[Figure: client with two Cisco HSRP routers]
active HSRP router:
interface vlan1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 200
 standby 1 preempt
standby HSRP router:
interface vlan1
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 190
 standby 1 preempt
VRRP (ProCurve)
Master VRRP router, owner of the vIP address: IP 10.1.1.1, MAC 0000.0c12.3456, vIP 10.1.1.1, vMAC 0000.5e00.0101
Backup VRRP router, non-owner of the vIP address: IP 10.1.1.2, MAC 0000.0c78.9abc
The rest of the routers provide backup in case the local router fails. Backup routers stay idle as far as packet forwarding from the client side is concerned.
[Figure: client with two ProCurve VRRP routers]
The virtual IP address is only pingable and answering SNMP requests on the VRRP owner.
VRRP master router:
router vrrp
vlan 1
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1
  owner
  virtual-ip-address 10.1.1.1
  priority 255
  enable
  exit
 exit
VRRP backup router:
router vrrp
vlan 1
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1
  backup
  virtual-ip-address 10.1.1.1
  priority 100
  enable
  exit
 exit
7- POE, IP Phones and QOS
Multi-Vendor Support: shared connections for PC and IP phone
How does an IP phone auto-configure the voice VLAN and QoS?
1. Auto-config of voice VLAN and L2/L3 QoS using LLDP-MED (ProCurve switches) or CDPv2 (Cisco switches)
2. Many phones support a vendor specific DHCP process for auto-config (Avaya, Alcatel, Mitel, Siemens, ShoreTel etc.): the DHCP server on the data VLAN advertises the voice VLAN ID and QoS. For Cisco, set the admin VLAN ID via the Network Configuration setup when connecting to a Cisco network.
[Figure: DHCP server, IP PBX, IP phone and PC across the IP network]
[Figure: IP phone boot sequences.
Cisco pre-standard PoE: Fast Link Pulse, Reflected Fast Link Pulse. Cisco 7940G: DHCP request in voice VLAN; DHCP response: IP address, gateway, TFTP server; TFTP request for configuration to the TFTP server.
IEEE 802.3af: apply voltage and classify device, return current. Cisco 7941/42/61/62G: LLDP-MED: PoE requirement, firmware, serial#; LLDP-MED: voice VLAN ID, etc. (CDPv2 is still supported). Cisco 7945/65G: DHCP request in voice VLAN; DHCP response: IP address, gateway, TFTP server; TFTP request for configuration.]
LLDP example
ProCurve Switch 5406zl# show run
vlan 3
   name "data"
   untag a1, ...
   exit
vlan 6
   name "IP phone"
   qos priority 6
   tagged a1, ...
   voice
   exit
[Figure: ProCurve port a1 advertising LLDP-MED: Voice VLAN ID=3, Mode: tagged, to a Cisco IP phone]
ProCurve Switch 5406zl# show vlan port a1 detailed
Status and Counters - VLAN Information - for ports A1
VLAN ID  Name      Status      Voice  Jumbo  Mode
-------  --------  ----------  -----  -----  --------
3        data      Port-based  No     No     Untagged
6        IP phone  Port-based  Yes    No     Tagged
ProCurve Switch 5406zl# show lldp info remote-device
LLDP Remote Devices Information
LocalPort | ChassisId     PortId  PortDescr  SysName
--------- + ------------  ------  ---------  ---------------------
A1        | 192.168.0.33  000...  SW PORT    SEP000F2322DDAA.cis...
The detailed remote-device output further lists: System Capabilities Supported, System Capabilities Enabled, Remote Management Address (Type: ipv4, Address: 192.168.0.33) and the MED Information Detail: EndpointClass, Media Policy Vlan id, Media Policy Priority, Media Policy Dscp, Media Policy Tagged, Poe Device Type, Power Requested, Power Source, Power Priority.
HP ProCurve Confidential
[Figure: access switch with a PC on port P0, voice traffic (max. 80 Kbps) on P1 and the uplink P2]
During data traffic bursts, buffers can become congested, causing voice packets to be dropped.
[Figure: IP PBX, IP phone A, IP phone B and a PC with softphone across the IP network; signaling with SIP, H.323 or Skinny (SCCP); data traffic from the PCs]
ProCurve QoS DSCP map:
qos dscp-map 000000 priority 0 name BE
qos dscp-map 101110 priority 7 name EF
8- Network Access Control
Multi-user authentication on the same port: 802.1X, MAC auth., Web auth.
[Figure: IP phone and PC on one switch port; LLDP-MED and IEEE 802.3af towards the phone; RADIUS with an LDAP, AD or flat file user database (IDM) returning VLAN, QoS, ACL and rate-limit per RFC 4675]
1. Secure authentication of IP phone and PC with a single connection: 802.1X, MAC, Web
2. LLDP-MED to auto-provision the phone with voice VLAN and QoS
3. LLDP-MED for detailed topology, phone inventory management, and location
4. Dynamic assignment of untagged data and tagged voice VLAN according to RFC 4675
IP Telephony challenge: E911
Legacy PBX: the physical location corresponded to the phone number (static); moving a phone required manual re-provisioning.
IP telephony: users can pick up phones and simply move them (just like a PC).
Across EMEA there is more interest in support for provisioning location info in phones, for use in E-112 emergency calls. The switch port is fixed when provisioned (unlike the phone or user), so it is the best place to hold the location; LLDP-MED then communicates the info to the phone. This is especially true when considering VoWiFi / PDA, where the wireless network controller is the best place.
ProCurve is working to extend LLDP-MED to support physical location suitable for use by WLAN and other wireless standards.
5406zl# show port-access authenticator a1 clients detailed
Port Access Authenticator Client Status Detailed
Client Base Details :
 Port              : a1
 Session Status    : Open
 Session Time(sec) : 0
 Frames In         : 0
 Frames Out        : 0
 Username          : CP-7970G-SEP000F2322...
 MAC Address       : 000f23-22ddaa
 IP                : n/a
Access Policy Details :
 COS Map           : 00000000
 In Limit %        : 0
 Out Limit %       : 0
 Tagged VLANs      : 6
 RADIUS-ACL List   : No Radius ACL List
Client Base Details :
 Port              : a1
 Session Status    : Open
 Session Time(sec) : 0
 Frames In         : 0
 Frames Out        : 0
 Username          : PROCURVE\aeinstein
 IP                : n/a
Access Policy Details :
 COS Map           : 00000000
 Untagged VLAN     : 3
 RADIUS-ACL List   : No Radius ACL List
9- Layer 2 layer 3 interfaces
Layer-2 Interfaces
ProCurve layer-2 port configuration:
vlan 1
 untagged a1
Enabled layer-2 protocols by default:
- HP stacking (on most switches)
- LACP passive (on some switches)
- LLDP
Cisco:
Enabled layer-2 protocols by default:
- Cisco DTP protocol
- Cisco VTP protocol
- Cisco PVST+ protocol
- Cisco CDP protocol
- Keepalive (on copper ports)
Layer-3 Interfaces
[Figure: User Network 1 (Network 2.2.2.0/24) behind the ProCurve switch, Transfer Network 1.1.1.0/30 between the ProCurve and the Cisco switch, User Network 2 behind the Cisco switch]
ProCurve layer-3 port configuration (a separate VLAN for the transfer subnet needs to be created):
vlan 100
 untagged a1
 ip address 1.1.1.2 255.255.255.252
Enabled layer-2 protocols by default:
- HP stacking (on most switches)
- LLDP
Layer-2 protocols to be disabled per port if globally enabled:
Spanning-tree:
(config)# spanning-tree a1 bpdu-filter
GVRP:
(config)# interface a1
(config-eth-a1)# unknown-vlans disable
Cisco layer-3 port configuration:
interface GigabitEthernet 1/20
 no switchport
 ip address 1.1.1.1 255.255.255.252
Enabled layer-2 protocols by default:
- Cisco CDP protocol
- Keepalive (on copper ports)
10- IP Routing
OSPF
[Figure: OSPF area 0: User Network 1 (Network 2.2.2.0/24) behind the ProCurve switch, Transfer Network 1.1.1.0/30 with ProCurve Vlan1: 1.1.1.1 and Cisco int Vlan1: 1.1.1.2, User Network 2 (Network 3.3.3.0/24) behind the Cisco switch]
OSPF
ProCurve:
router ospf
 area 0
interface loopback 1
 ip address 99.99.99.1
 ip ospf 99.99.99.1 area 0
vlan 1
 ip address 1.1.1.1 255.255.255.0
 ip ospf 1.1.1.1 area 0
 ip ospf cost 10
vlan 2
 ip address 2.2.2.1 255.255.255.0
 ip ospf 2.2.2.1 passive
 ip ospf 2.2.2.1 area 0
 ip ospf cost 10
Cisco:
router ospf 1
 passive-interface Vlan3
 network 1.1.1.2 0.0.0.0 area 0
 network 3.3.3.1 0.0.0.0 area 0
 network 99.99.99.2 0.0.0.0 area 0
interface Loopback1
 ip address 99.99.99.2 255.255.255.255
 ip ospf cost 10
interface Vlan1
 ip address 1.1.1.2 255.255.255.0
 ip ospf cost 10
interface Vlan3
 ip address 3.3.3.1 255.255.255.0
 ip ospf cost 10
OSPF differences
- Cisco: OSPF is enabled globally with network statements; ProCurve: OSPF is enabled on the VLAN
- Redistribution differences
- ProCurve: always NBMA
- Cisco: highest loopback IP used as router ID; ProCurve: lowest loopback IP used as router ID
- ProCurve: loopback always /32 mask
- ProCurve: OSPF link cost is 1 by default (same on Cisco VLAN interfaces)
11- Access Control Lists
ACL on ProCurve
ProCurve OS supports:
- Standard & Extended ACLs
- Numbered (1-99, 100-200) & Named ACLs
- Routed ACL (applied to inbound and outbound routed traffic, L3)
- VLAN ACL (applied to inbound switched traffic, L2)
- Static and Dynamic Port ACL (applied to inbound switched traffic, L2)
ACL example
ProCurve(config)# ip access-list extended visitors
ProCurve(config-acl)# deny ip any 10.0.0.0/8
ProCurve(config-acl)# permit udp any any eq dns
ProCurve(config-acl)# permit tcp any any eq http
ProCurve(config-acl)# deny ip any any log
ProCurve(config-acl)# exit
ProCurve(config)# vlan 100 ip access-group visitors in
Sequence numbers can be changed and used for insertion and removal, e.g. to insert an entry (numbers are assigned in steps of 10):
ProCurve(config-acl)# 5 permit ip any host 10.1.234.172
ProCurve(config-acl)# 25 remark permit dns and http
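To see the effect of entry order and of inserting with a sequence number, here is an added Python evaluator (not part of the slides or of the ProCurve software) for the visitors ACL above: it parses the subset of ProCurve ACL syntax used on the slide, evaluates constructed packets in sequence order with first match wins and the implicit deny at the end, and then inserts the entries 5 and 25 from the example to show that host 10.1.234.172 becomes reachable although it lies inside the denied 10.0.0.0/8. Packet addresses are constructed from documentation ranges; class and function names are this example's own.

```python
"""Added example, not from the slides or from the ProCurve software: a small
evaluator for the 'visitors' extended ACL, showing entry ordering, the
implicit deny and insertion by sequence number.

Supported syntax is the subset used on the slide: deny|permit, ip|tcp|udp,
'any' | 'host A.B.C.D' | 'A.B.C.D/len', optional 'eq <port>', trailing
'log', and 'remark' lines. Packets are constructed (documentation ranges).
"""
import ipaddress

NAMED_PORTS = {"dns": 53, "http": 80, "https": 443, "ssh": 22}


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D/len' at tokens[i]; None means any."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def _port(tokens, i):
    """Parse an optional 'eq <name|number>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i


class Ace:
    """One access control entry; 'remark' entries never match."""

    def __init__(self, text):
        t = text.split()
        self.text, self.remark = text, t[0] == "remark"
        if self.remark:
            return
        self.action, self.proto = t[0], t[1]
        self.src, i = _addr(t, 2)
        self.sport, i = _port(t, i)
        self.dst, i = _addr(t, i)
        self.dport, i = _port(t, i)
        self.log = "log" in t[i:]

    def matches(self, pkt):
        if self.remark:
            return False
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        for net, ip in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if net is not None and ipaddress.ip_address(ip) not in net:
                return False
        for want, have in ((self.sport, pkt.get("sport")), (self.dport, pkt.get("dport"))):
            if want is not None and want != have:
                return False
        return True


class Acl:
    """Entries are evaluated by ascending sequence number, first match wins,
    implicit deny at the end. Entries given at creation get numbers in steps of 10."""

    def __init__(self, name, lines=()):
        self.name, self.entries = name, {}
        for n, line in enumerate(lines, start=1):
            self.entries[10 * n] = Ace(line)

    def add(self, seq, text):
        self.entries[seq] = Ace(text)

    def remove(self, seq):
        del self.entries[seq]

    def evaluate(self, pkt):
        """Return (action, sequence number); ('deny', None) is the implicit deny."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(pkt):
                return self.entries[seq].action, seq
        return "deny", None


def build_visitors():
    """The 'visitors' ACL exactly as entered on the slide."""
    return Acl("visitors", ["deny ip any 10.0.0.0/8", "permit udp any any eq dns",
                            "permit tcp any any eq http", "deny ip any any log"])


# Constructed packets from a visitor in 192.0.2.0/24 (documentation range).
PACKETS = {
    "dns": {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.53", "dport": 53},
    "web": {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.80", "dport": 80},
    "intranet_web": {"proto": "tcp", "src": "192.0.2.10", "dst": "10.1.234.172", "dport": 80},
    "ssh": {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.80", "dport": 22},
}


def demo():
    """Results before and after the two insertions shown on the slide."""
    acl = build_visitors()
    before = {k: acl.evaluate(p) for k, p in PACKETS.items()}
    acl.add(5, "permit ip any host 10.1.234.172")
    acl.add(25, "remark permit dns and http")
    after = {k: acl.evaluate(p) for k, p in PACKETS.items()}
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Before the insertion, HTTP to 10.1.234.172 hits entry 10 and is denied; after entry 5 is added it is permitted by entry 5, while SSH still ends at entry 40 (logged) and, if entry 40 were removed, at the implicit deny. The remark at 25 changes nothing, as on the switch.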
2. Edit the ACL offline using a text (.txt) file format
3. Use TFTP to load an offline ACL into the switch's running-config:
ProCurve(config)# copy tftp command-file 10.10.10.1 acl02.txt pc
Running configuration may change, do you want to continue [y/n]? Y
Conclusion
- Interoperability works!
- VLAN interoperability is quite easy to manage
- For link aggregation use no protocol or LACP
- Pay special attention to Spanning-Tree: prefer MSTP whenever possible, or Rapid-PVST on Cisco with RSTP/MSTP on ProCurve
- Make sure VLAN 1 is allowed on Cisco trunks
- IP routing protocols interoperate