© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
HP Networking Training
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO
THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be
liable for errors contained herein or for incidental or consequential damages in connection with the
furnishing, performance, or use of this material.
The only warranties for HP Networking products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. ProCurve Networking shall not be liable for technical or editorial
errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that
is not furnished by Hewlett-Packard.
© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Agenda
• VLANs
• Increasing Capacity
• Spanning Tree
• Enabling Convergence
• Wireless MSM configurations
• Troubleshooting (time permitting)
• HP Networking Switch Basics (time permitting)
Note: This training is based around heritage ProCurve products.
Rev. 6.11 3
Module: VLANs
What is a VLAN?
A VLAN is the logical grouping of ports on a physical switch, or across a group of physical switches, to form a virtual LAN.
[Diagram: VLAN 20 (6 users) and VLAN 30 (7 users) on one switch.]
• Each VLAN is a separate broadcast domain
• Traffic within each VLAN is isolated from traffic generated within the other VLAN
VLAN allocations
• IT: 1-9, Admin: 10-19, Business: 20-29, Computer Science: 30-39, Engineering: 40-49
• Initially, the first value of each allocated range is used
IP addressing scheme
• 2nd octet is used as the site identifier
• 3rd octet maps to the VLAN ID
• 4th octet is used for host numbers
– 1 to 49 for servers
– 50 to 150 for clients
Separate broadcast domain for each VLAN
Switch layout and VLAN assignments
[Diagram: IT_switch (Administration / IT) carries VLAN 1 (10.1.1.0/24), VLAN 5 (10.1.5.0/24) and VLAN 10 (10.1.10.0/24). The edge switches Edge_1, Edge_2 and Edge_3 serve the School of Business (VLAN 20, 10.1.20.0/24), the School of Computer Science (VLAN 30, 10.1.30.0/24) and the School of Engineering (VLAN 40, 10.1.40.0/24).]
IEEE 802.1Q tag
[Diagram: Destination MAC address | Source MAC address | VLAN tag (4 bytes) | Rest of original packet. The tag consists of the VLAN Protocol ID (16 bits), Priority (3 bits), CFI (1 bit) and VLAN ID (12 bits).]
• All VLAN 20 traffic that the switch forwards through an uplink port will have a tag that contains the VLAN ID
• The packet headers sent by the host (10.1.20.51) in VLAN 20 and destined for an IT server (10.1.1.26) would look like this:
Layer 2 (Ethernet) header: Destination MAC 0004e1-5e1100 | Source MAC 080046-4f11ca | VLAN tag: 8100 (VLAN Protocol ID), 000 (Priority, binary), 0 (CFI), 014 (VLAN ID, hex 0x014 = 20) | Type 0800
Layer 3 (IP) header: … Source IP 10.1.20.51 | Destination IP 10.1.1.26
Port VLAN assignments example
• Ports connecting users in the same department are untagged members of the same VLAN
• Traffic forwarded through untagged ports does not carry an IEEE 802.1Q tag
[Diagram: Floor 2 switch (Edge_1) with VLAN 20 (School of Business, 6 users) and VLAN 30 (School of C.S., 7 users).]
Edge_1(config)# vlan 20
Edge_1(vlan-20)# untagged a1-a3,a7-a9
Edge_1(vlan-20)# vlan 30
Edge_1(vlan-30)# untagged a23-a24,b1-b3,b7-b8
• For a given VLAN, the port IDs do not have to be contiguous
• In the case of a switch with multiple modules, the VLAN can span modules
• Each VLAN is a separate broadcast domain; traffic within each department is isolated from traffic generated within the other
Untagged VLAN port membership
The switch:
• Maintains a separate forwarding table for:
– VLAN 1, the default VLAN
– Each user VLAN (e.g., 5, 10, 20, 30 or 40)
• Uses the VLAN designations to determine the broadcast domain boundaries
• Uses the Layer 2 destination address of each packet to forward traffic, keeping it within the source VLAN
A port can be an untagged member of at most one VLAN
• When a port is assigned as an untagged member of a VLAN, it is automatically removed from the default VLAN (VLAN 1) or any other VLAN in which it was untagged
IP addressing example
• Computers in the same VLAN must have IP addresses in the same subnet or address range
• To enable users to access resources outside of their local network, the VLAN must include a router interface
• In this case, the router interface is on the IT switch
[Diagram: Floor 2 switch (School of Business, VLAN 20, 6 users) uplinked to the IT switch.]
Example: Six computers in VLAN 20. IP addresses: 10.1.20.50 to 10.1.20.55. Subnet mask: 255.255.255.0 (24 bits). Default gateway: 10.1.20.1
Extending VLAN boundary across switches
• Assign the uplink as a member of VLANs 20 and 30 to include one or more ports on other switches
• The uplink's membership in VLAN 1 allows remote management
• To enable the switch to differentiate between user VLAN (20 and 30) traffic and management traffic, the uplink port is defined as a tagged member:
Edge_1(config)# vlan 20
Edge_1(vlan-20)# tagged d4
Edge_1(vlan-20)# vlan 30
Edge_1(vlan-30)# tagged d4
[Diagram: Floor 2 switch (VLAN 20, 6 users; VLAN 30, 7 users) connected to the IT switch by an uplink that transports traffic for user VLANs 20 and 30 and also the management VLAN, VLAN 1.]
Note that VLAN 1 here is both the management VLAN and the default VLAN of every port that has not yet been assigned elsewhere, so any port left in its default state already has Layer 2 reach to the management VLAN.
Viewing status of VLAN ports
• To see a list of all VLANs defined on the switch, use the show vlans command
• To display the ports associated with a particular VLAN, specify the VLAN ID:
Edge_1# show vlans 20
Status and Counters – VLAN Information – Ports – VLAN 20
802.1Q VLAN ID : 20
Name : VLAN20
Status : Static
Port Information  Mode      Unknown VLAN  Status
A1                Untagged  Learn         Up
A2                Untagged  Learn         Up
A3                Untagged  Learn         Up
A7                Untagged  Learn         Up
A8                Untagged  Learn         Up
A9                Untagged  Learn         Up
D4                Tagged    Learn         Up
[Diagram: Floor 2 switch.]
Defining VLANs on the IT switch
• The IT department's switch is directly connected to:
– Switches on the other three floors, and
– Switches that connect to servers accessible to all departments
• By default, all ports are untagged members of VLAN 1
• The commands that enable this connectivity are:
IT_switch(config)# vlan 10
IT_switch(vlan-10)# untagged a1-a3
IT_switch(vlan-10)# vlan 20
IT_switch(vlan-20)# tagged c3
IT_switch(vlan-20)# vlan 30
IT_switch(vlan-30)# tagged c1-c3
IT_switch(vlan-30)# vlan 40
IT_switch(vlan-40)# tagged c1
IT_switch(vlan-40)# vlan 5
IT_switch(vlan-5)# tagged d1-d2
[Diagram: a1-a3 are untagged members of VLAN 10; c1 is a tagged member of VLANs 30 and 40; c2 is a tagged member of VLAN 30; c3 is a tagged member of VLANs 20 and 30; d1-d2 are tagged members of VLAN 5 and lead to the server switches, whose server ports are untagged members of VLAN 5 (servers in address range 10.1.5.0/24).]
Forwarding within VLAN 20
Edge_1# show mac vlan 20
Status and Counters – Address table – VLAN 20
MAC address     Located on port
080046-4f11ca   A1
080046-4f2d1f   A2
080046-4f11ac   A3
. . .
0004e1-5e1100   D4
IT_switch(config)# vlan 20
IT_switch(vlan-20)# ip addr 10.1.20.1/24
[Diagram: VLAN 20 spans the Floor 2 switch and the IT switch. The IT switch's VLAN 20 interface (MAC address 0004ea-5e1100) is the default gateway for the hosts, 10.1.20.1.]
Forwarding between VLANs
The IT switch is responsible for forwarding IP traffic between directly connected VLANs
This requires two items to be configured:
• IP routing must be enabled:
IT_switch(config)# ip routing
• An IP address must be assigned to each VLAN on the IT switch for which it will perform IP forwarding
– The IP address must be within the range of the hosts in that VLAN
– The IP hosts in the VLAN must have the router's IP interface defined as their default gateway
Determining VLAN interface IP addresses
• Choose an IP address for each router interface based on the address range to be assigned to the hosts in the connected VLAN
• The default gateway for IP hosts in each VLAN should be set to the "router interface" IP address
VLAN ID   Port Members     Address Range of Hosts   Router Interface IP Address
VLAN 1    Untagged a1-d4   10.1.1.0/24              10.1.1.1/24
VLAN 5    Tagged d1, d2    10.1.5.0/24              10.1.5.1/24
VLAN 20   Tagged c3        10.1.20.0/24             10.1.20.1/24
VLAN 30   Tagged c3        10.1.30.0/24             10.1.30.1/24
[Diagram: IT switch, Floor 1. Port c3 leads to hosts in the networks 10.1.20.0/24, 10.1.30.0/24 and 10.1.1.0/24; ports d1 and d2 lead to hosts in the networks 10.1.5.0/24 and 10.1.1.0/24.]
Assigning IP addresses to VLAN interfaces
There are two ways to assign IP addresses to VLAN interfaces from the CLI:
• At the VLAN configuration context:
IT_switch(config)# vlan 10
IT_switch(vlan-10)# ip address 10.1.10.1/24
IT_switch(vlan-10)# vlan 20
IT_switch(vlan-20)# ip address 10.1.20.1/24
• At the global configuration context:
IT_switch(config)# vlan 10 ip address 10.1.10.1/24
IT_switch(config)# vlan 20 ip address 10.1.20.1/24
IP addresses can also be assigned to VLAN interfaces from the menu and web interfaces
Viewing IP addresses
To view IP address information at the CLI, use the show ip command:
IT_switch# show ip
Internet (IP) Service
IP Routing : Enabled
Default TTL : 64
VLAN         | IP Config  IP Address   Subnet Mask
------------ + ---------- ------------ ---------------
DEFAULT_VLAN | Manual     10.1.1.1     255.255.255.0
VLAN10       | Manual     10.1.10.1    255.255.255.0
VLAN20       | Manual     10.1.20.1    255.255.255.0
Layer 2 or Layer 3 forwarding?
A switch is sometimes called a "routing switch" because it performs both Layer 2 and Layer 3 forwarding
It determines whether to forward a given frame using Layer 2 or Layer 3 information based on the destination MAC address in the frame's header:
• Layer 2 forwarding is performed for frames whose destination MAC address is different from the switch's MAC address
• Layer 3 forwarding is performed for frames whose destination MAC address is the same as the switch's MAC address
Layer 2 forwarding between hosts in the same VLAN
[Diagram: VLAN 30 spans three switches. Edge_2 (3rd floor) connects the Computer Science database server (IP 10.1.30.26/24, MAC 080046-4F11CA). IT_switch (1st floor; IP 10.1.1.1/24, MAC 0004ea-5e1100) sits between the edge switches. Edge_1 (2nd floor) connects the Computer Science backup server (IP 10.1.30.11/24, MAC 080046-4F01D3).]
1. Edge_2's Layer 2 forwarding table indicates that the frame's destination MAC address (080046-4F01D3) is reached through port D4.
2. IT_switch submits the frame to the Layer 2 forwarding table lookup because the destination MAC address is different from its own MAC address. The switch forwards the frame through port C3.
3. Edge_1 receives the frame through port D4, submits it to the Layer 2 forwarding table lookup, and forwards it through port B2 to the backup server.
Tag manipulation in Layer 2 forwarding
[Diagram: the Computer Science database server (10.1.30.26/24) on Edge_2 (3rd floor) sends to the Computer Science backup server (10.1.30.11/24) on Edge_1 (2nd floor) via IT_switch (1st floor). Frame sizes: untagged 1518 bytes, tagged 1522 bytes.]
1. Edge_2 receives the frame (untagged, 1518 bytes) through port B5, an untagged member of VLAN 30.
2. The forwarding table lookup returns port D4, a tagged member of VLAN 30, so Edge_2 adds the 4-byte tag identifying VLAN 30 to the frame (tagged, 1522 bytes).
3. IT_switch receives the tagged frame through port C2 and forwards it through port C3. Both ports are tagged members of VLAN 30, so the tag is retained (tagged, 1522 bytes).
4. Edge_1 receives the tagged frame through port D4 and forwards it through port B2, an untagged member of VLAN 30, so the tag is stripped before the frame is forwarded (untagged, 1518 bytes).
Layer 3 forwarding between hosts in different VLANs
[Diagram: a Computer Science client (IP 10.1.30.50/24, GW 10.1.30.1, MAC 080046-07015A) in VLAN 30 on Edge_2 (3rd floor) sends to the Engineering simulation server (IP 10.1.40.15/24, MAC 080046-02148C) in VLAN 40 on Edge_3 (4th floor). IT_switch (1st floor) has a VLAN 30 interface (IP 10.1.30.1/24) and a VLAN 40 interface (IP 10.1.40.1/24), both with MAC 0004ea-5e1100.]
1. The client determines that the destination host is on a different network and resolves the MAC address to that of its default gateway, 0004ea-5e1100.
2. IT_switch recognizes its own MAC address in the destination field, removes the Layer 2 header, submits the IP packet to the Layer 3 route table lookup, and determines that router interface 10.1.40.1 leads to the destination network.
3. IT_switch creates a new Layer 2 header with destination MAC address 080046-02148c and forwards the frame through port C4.
4. Edge_3 receives the frame through port D4, submits it to the Layer 2 forwarding table lookup, and forwards it through port A1.
Tag manipulation in Layer 3 forwarding
[Diagram: the same path as the previous slide: Computer Science client (IP 10.1.30.50/24, GW 10.1.30.1) on Edge_2 (3rd floor); IT_switch (1st floor) with its VLAN 30 interface (10.1.30.1/24) and VLAN 40 interface (10.1.40.1/24); Engineering simulation server (IP 10.1.40.15/24, MAC 080046-02148C) on Edge_3 (4th floor). Frame sizes: untagged 1518 bytes, tagged 1522 bytes.]
1. Edge_2 receives a frame (untagged, 1518 bytes) through port B16, an untagged member of VLAN 30.
2. Edge_2 adds the 4-byte tag identifying VLAN 30 and forwards the frame on port D4 (tagged, 1522 bytes).
3. IT_switch receives the tagged frame, removes the Layer 2 header, and submits the IP packet for the Layer 3 route table lookup.
4. Before forwarding the frame through port C4, IT_switch adds a 4-byte tag to the frame to identify VLAN 40 (tagged, 1522 bytes).
5. Before forwarding the frame through untagged port A1, Edge_3 strips the tag from the frame (untagged, 1518 bytes).
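The tag layout from the "IEEE 802.1Q tag" slide and the per-port tag handling and routing-switch decision from the two "Tag manipulation" slides, worked through in code. This is an added example, not code from the training or from HP. It builds the exact header bytes the deck shows (8100, priority 000, CFI 0, VLAN ID 0x014, type 0800), applies the egress rule (untagged member strips the tag, tagged member carries it; 1518 versus 1522 bytes on the wire including the FCS) and performs the Layer 3 hop from VLAN 30 to VLAN 40. The IPv4 header is a minimal 20-byte header with a zero checksum, and the ARP entry for the simulation server is assumed to be already resolved; neither is on the slides.

```python
# Added example: 802.1Q tag layout, egress tag handling and the L2/L3 forwarding
# decision from the training's slides. Not HP code; assumptions are noted inline.
import ipaddress
import struct

TPID_8021Q = 0x8100      # VLAN Protocol ID: announces that a 4-byte tag follows
ETHERTYPE_IPV4 = 0x0800
FCS_LEN = 4              # the slides' 1518/1522-byte sizes include the 4-byte FCS


def mac_bytes(mac):
    """'0004ea-5e1100' (ProCurve notation) or 'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def mac_str(b):
    return f"{b[:3].hex()}-{b[3:].hex()}"

def ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header (UDP, TTL 64); checksum left zero, not verified here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_frame(dst_mac, src_mac, ip_src, ip_dst, payload=b"", vid=None, prio=0):
    """Ethernet II frame without FCS. With vid set, the tag sits between Source MAC and Type."""
    hdr = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vid is not None:
        tci = (prio << 13) | (0 << 12) | (vid & 0xFFF)   # Priority(3) | CFI(1) | VLAN ID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + ipv4_header(ip_src, ip_dst, len(payload)) + payload

def parse_frame(frame):
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vid": None, "prio": None}
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == TPID_8021Q:                       # tagged: read the TCI, real Type follows
        tci = struct.unpack("!H", frame[14:16])[0]
        info["prio"], info["vid"] = tci >> 13, tci & 0xFFF
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[off:off + 20]
        info["ip_src"] = str(ipaddress.IPv4Address(ip[12:16]))
        info["ip_dst"] = str(ipaddress.IPv4Address(ip[16:20]))
    return info

def strip_tag(frame):
    return frame[:12] + frame[16:] if frame[12:14] == b"\x81\x00" else frame

def add_tag(frame, vid, prio=0):
    f = strip_tag(frame)                              # never stack a second tag
    return f[:12] + struct.pack("!HH", TPID_8021Q, (prio << 13) | (vid & 0xFFF)) + f[12:]

def egress(frame, membership):
    """Apply the egress port's membership in the frame's VLAN: ('untagged', vid)
    strips the tag, ('tagged', vid) makes sure it is present."""
    mode, vid = membership
    return strip_tag(frame) if mode == "untagged" else add_tag(frame, vid)

def forwarding_type(frame, switch_mac):
    """Routing-switch rule: Layer 3 only when the destination MAC is the switch's own."""
    return "L3" if parse_frame(frame)["dst"] == switch_mac.lower() else "L2"

def route(frame, switch_mac, interfaces, arp):
    """One Layer 3 hop. interfaces: vid -> 'ip/prefix' of the router's VLAN interface;
    arp: next-hop IP -> MAC (assumed resolved). The IP packet travels unchanged inside a
    new Layer 2 header naming the next hop, the router as source, and the egress VLAN."""
    if forwarding_type(frame, switch_mac) != "L3":
        raise ValueError("frame is not addressed to the router: Layer 2 forward it instead")
    dst_ip = ipaddress.IPv4Address(parse_frame(frame)["ip_dst"])
    for vid, iface in interfaces.items():
        if dst_ip in ipaddress.ip_interface(iface).network:
            ip_packet = strip_tag(frame)[14:]
            l2 = mac_bytes(arp[str(dst_ip)]) + mac_bytes(switch_mac) + struct.pack("!H", ETHERTYPE_IPV4)
            return vid, add_tag(l2 + ip_packet, vid)
    raise LookupError(f"no route to {dst_ip}")

def walk_slides():
    """Replays the slides' addresses and returns what can be observed on the wire."""
    # 'IEEE 802.1Q tag': host 10.1.20.51 in VLAN 20 to IT server 10.1.1.26
    tagged = build_frame("0004e1-5e1100", "080046-4f11ca", "10.1.20.51", "10.1.1.26", vid=20)
    # Layer 2 case: a full-size (1500-byte) IP packet between the two VLAN 30 servers
    big = build_frame("080046-4f01d3", "080046-4f11ca", "10.1.30.26", "10.1.30.11", payload=bytes(1480))
    # Layer 3 case: the VLAN 30 client sends to the VLAN 40 simulation server via its gateway
    router = "0004ea-5e1100"
    to_gateway = build_frame(router, "080046-07015a", "10.1.30.50", "10.1.40.15", vid=30)
    out_vid, routed = route(to_gateway, router, {30: "10.1.30.1/24", 40: "10.1.40.1/24"},
                            {"10.1.40.15": "080046-02148c"})   # ARP entry assumed
    return {
        "slide_header": tagged[:18].hex(),                  # MACs, then 8100 0014 0800
        "slide_parsed": parse_frame(tagged),
        "untagged_bytes": len(egress(big, ("untagged", 30))) + FCS_LEN,
        "tagged_bytes": len(egress(big, ("tagged", 30))) + FCS_LEN,
        "decision_l2": forwarding_type(big, router),
        "decision_l3": forwarding_type(to_gateway, router),
        "routed_vid": out_vid,
        "routed_parsed": parse_frame(routed),
        "delivered_parsed": parse_frame(egress(routed, ("untagged", out_vid))),
    }
```

The forwarding decision deliberately keys on the destination MAC alone, exactly as the "Layer 2 or Layer 3 forwarding?" slide states; a frame addressed to any other MAC, including one for an IP address the switch routes, is bridged untouched within its VLAN.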
IP helper address for DHCP clients
Identifies a DHCP server per VLAN
• The helper address may be host-specific, subnet-specific, or all 1's
The switch acts as a DHCP relay agent
• DHCP relay (enabled by default) and IP routing must be enabled
IT_switch(vlan-20)# ip helper-address 10.1.1.12
[Diagram: a VLAN 20 client (IP 10.1.20.93) behind Edge_2 and Edge_1; IT_switch acts as the DHCP relay agent for the DHCP server at 10.1.1.12.]
1. The client sends a DHCP request, broadcast to 255.255.255.255.
2. The broadcast is forwarded by Edge_2 and Edge_1 on the ports connecting to VLAN 20.
3. The relay agent routes the request as a unicast packet to the DHCP server, based on the IP helper address.
4. The unicast DHCP response is sent to the relay agent.
5. The relay agent sends the unicast response to the client.
Modifying VLAN port membership
• Planning for VLANs
• Configuring and verifying VLANs
• Modifying VLAN port membership
– Adding tagged or untagged ports to a VLAN
– Removing tagged or untagged ports from a VLAN
Rules for adding ports to VLANs
General rule: a port may be an untagged member of at most one VLAN
When you add a port to a VLAN as an untagged member:
• If it is currently an untagged member of another VLAN, the port's membership is simply changed to the new VLAN
• If it is currently a tagged member of one or more VLANs, the port retains those memberships
When you add a port as a tagged member of a VLAN, its status (tagged or untagged) in other VLANs is unaffected
Rules for removing ports from VLANs
General rule: a port must be a member of at least one VLAN
If a port is a member of multiple VLANs:
• Reverse the command that initially added the port's membership to the VLAN it is to be removed from
Edge_1(vlan-vid)# no tagged|untagged <port-list>
If a port is a member of only one VLAN:
• Add the port to another VLAN first, to avoid orphaning the port
Edge_1(vlan-vid)# tagged|untagged <port-list>
Summary: Modifying VLAN port membership
Observe these rules when adding ports to a VLAN, removing ports from a VLAN, or deleting a VLAN from a switch:
1. A port may be an untagged member of at most one VLAN
2. A port must be a member of at least one VLAN
3. When deleting a VLAN, any ports that are untagged members must be moved to the default VLAN or another VLAN
Module: Increasing Capacity and Improving Availability
Increasing switch link capacity
[Diagram: six 1000Base-T full-duplex servers ((6 x 1000 Mb) x 2) attached to each 6108 switch; full-duplex gigabit fiber links from each 6108 to the 5304xl core switch.]
• Servers in the IT department are connected to 6108 switches
• The full-duplex gigabit link provisioned between each 6108 switch and the 5304xl core switch carries traffic to and from six full-duplex gigabit servers
• To increase the capacity of the connection between the core and the 6108 switches, a second link may be aggregated with the existing link
Requirements for link aggregation
Link aggregation is also known as "port trunking" in HP Networking environments
Links in a port trunk must be coterminous, that is, they must begin together and end together on the same pair of devices
The maximum number of links comprising a trunk is 4 or 8, depending on the HP Networking switch family
• The maximum number of trunks per switch also varies based on the HP Networking switch family
Increasing capacity for server switches
[Diagram: two 6108 server switches, each with six 1000Base-T full-duplex servers ((6 x 1000 Mb) x 2). Links A and B run from the first 6108 to the core; links C and D run from the second 6108 to the core.]
• Links A and B are coterminous and can be aggregated
– C and D can also be aggregated
• The links can be of any speed and media type
• Links B and C are not coterminous and cannot be aggregated
– Similarly, A and C, A and D, and B and D cannot be aggregated
Layer 2 conversations
[Diagram: Server A (MAC 3B-2C…) and the Backup Server (MAC 00-0F…) connected through trunks Trk1 and Trk2.]
• For load-sharing purposes, a conversation is unidirectional, consisting of a source and destination MAC address (SA/DA) pair
• Traffic between any two hosts consists of two conversations:
– Transmissions that originate with Server A and are destined for the Backup Server have the SA/DA pair: 3B-2C… / 00-0F…
– Transmissions that originate with the Backup Server and are destined for Server A have the SA/DA pair: 00-0F… / 3B-2C…
Multiple Layer 2 conversations
[Diagram: Server A (MAC 3B-2C…), Server B (MAC 02-68…) and the Backup Server (MAC 00-0F…) connected through trunks Trk1 and Trk2.]
• The Backup Server backs up both Server A and Server B
• Each SA/DA pair is a different conversation and therefore could take a different path
Bi-directional load sharing
[Diagram: Server A (MAC 3B-2C…) and Server B (MAC 02-68…) on Switch A; the Backup Server (MAC 00-0F…) on Switch B; Switch A and Switch B each connect to the Core over a two-link trunk.]
• Towards the Backup Server, the two separate conversations (3B-2C / 00-0F and 02-68 / 00-0F) travel over different links
• In the reverse direction, the two separate conversations (00-0F / 3B-2C and 00-0F / 02-68) also travel over different links
Multiple conversations hash to the same link
[Diagram: the same topology as the previous slide; here both conversations in a direction land on the same link of the trunk.]
• Selection of a link within a trunk is not adaptive, since it is based on a hash of the source and destination MAC addresses rather than on the load of the links
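A small model of what the "Layer 2 conversations" slides describe: each unidirectional SA/DA pair is hashed to one member of the trunk, so two conversations can land on the same link and the split is never adjusted to the actual load. This is an added example, not code from the training or from HP. The XOR-fold hash is a stand-in (the deck says only that the selection is a hash of the source and destination MAC addresses; the switch's real function is not given), and the full MAC addresses and byte counts are constructed from the partial values on the slides (3B-2C…, 00-0F…, 02-68…).

```python
# Added example: hash-based link selection on a port trunk. Not HP code; the
# hash and the addresses below are stand-ins, see the lead-in.
from collections import Counter

SERVER_A = "3b-2c-00-00-00-01"   # constructed; the slide gives only 3B-2C…
SERVER_B = "02-68-00-00-00-03"   # constructed; the slide gives only 02-68…
BACKUP = "00-0f-00-00-00-02"     # constructed; the slide gives only 00-0F…


def fold(mac):
    """XOR the six bytes of a MAC address down to one byte."""
    h = 0
    for b in bytes.fromhex(mac.replace("-", "").replace(":", "")):
        h ^= b
    return h

def conversation_hash(sa, da):
    # Deliberately not symmetric: SA/DA and DA/SA are two different conversations
    return (fold(sa) * 3 + fold(da)) & 0xFF

def select_link(sa, da, active_links):
    """Pick the trunk member for one conversation. Only the set of active links
    matters, so when a link fails its conversations move to the survivors."""
    if not active_links:
        raise RuntimeError("trunk has no active links")
    return active_links[conversation_hash(sa, da) % len(active_links)]

def distribute(flows, active_links):
    """flows: (sa, da, bytes_sent) per conversation. Returns the bytes carried by
    each link and the link each conversation was pinned to."""
    load, pinned = Counter(), {}
    for sa, da, nbytes in flows:
        link = select_link(sa, da, active_links)
        pinned[(sa, da)] = link
        load[link] += nbytes
    return dict(load), pinned

def backup_traffic():
    """The deck's scenario: the Backup Server backs up Server A and Server B.
    Byte counts are constructed; Server A has far more data to move."""
    return [(SERVER_A, BACKUP, 900), (BACKUP, SERVER_A, 90),
            (SERVER_B, BACKUP, 100), (BACKUP, SERVER_B, 10)]
```

With two links the two backup conversations are split across the trunk, but the bytes are not: one link carries 990 of the 1100 bytes because the hash knows nothing about volume. This is the "load sharing as opposed to load balancing" caveat from the summary slide, and the reason a single heavy conversation never exceeds the capacity of one member link.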
Trunk groups and broadcasts
[Diagram: a server attached to Switch B sends a broadcast; Switch B connects to Switch A over a trunk.]
• Switch B floods the broadcast through its non-trunked ports
• Switch B forwards the broadcast over ONE of the links in the trunk, based on its table entries
• Switch A floods the broadcast through all its ports except the trunk ports
Redundant links and broadcast storm
[Diagram: the same topology, but the redundant links between Switch A and Switch B are NOT defined as a trunk.]
• Switch B floods the broadcast over ALL of the links
• Switch A also floods the broadcast over ALL of the links, so every copy returns to Switch B and is flooded again: a broadcast storm
Port trunking methods
HP Port Trunking
• Does not use a protocol to set up the trunk
• Port trunking is compatible with other trunking methods because it is statically defined
Link Aggregation Control Protocol (LACP)
• LACP is defined by the IEEE 802.3ad standard
• Both sides may be statically defined; however, LACP also supports a dynamic method for recognizing aggregated links
Both methods use both source and destination addresses for load sharing
Configuring port trunking
IT_switch(config)# trunk 21,22 trk1 lacp
• The trunk command is used to create an HP port trunk or an LACP port trunk
• trk1, trk2, etc. are fixed label names for trunks
Edge_1(config)# trunk ?
 [ethernet] PORT-LIST   Specify the ports that are to be added to/removed from a trunk.
Edge_1(config)# trunk c1,c2 ?
 trk1   Trunk group 1
 trk2   Trunk group 2
 ...
Edge_1(config)# trunk c1,c2 trk1 ?
 trunk  Do not use any protocol to create or maintain the trunk.
 lacp   Use IEEE 802.3ad Link Aggregation protocol.
 <cr>
Edge_1(config)# trunk c1,c2 trk1 lacp
Edge_1(config)#
Impact of port trunking on VLAN status
Before creating the trunk, port C1 is a tagged member of VLAN 10:
Edge_1# show run
...
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B24,C1-C4
ip address 10.1.1.2 255.255.255.0
exit
vlan 10
name "VLAN10"
tagged C1 ...
Create the trunk with ports C1 and C2:
Edge_1(config)# trunk c1,c2 trk1 lacp
After trunk creation, Trk1 becomes an untagged member of the default VLAN. Port C1 is no longer assigned to VLAN 10 and C2 is no longer assigned to VLAN 1:
Edge_1# show run
...
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B24,C3-C4,Trk1
ip address 10.1.1.2 255.255.255.0
exit
vlan 10
name "VLAN10"
tagged ...
Trk1 must therefore be assigned as a tagged member of VLAN 10:
Edge_1(config)# vlan 10 tagged trk1
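The membership rules from the "Modifying VLAN port membership" slides and the trunk side effect shown above, encoded as a small model so a planned change can be checked before it is typed into a switch. This is an added example, not ProCurve code: the class enforces the three summary rules (untagged in at most one VLAN, member of at least one VLAN, untagged members of a deleted VLAN fall back to the default VLAN) and reproduces the trunk behaviour (member ports lose every membership, the new trunk starts untagged in VLAN 1). The port names follow the deck; how a port that was tagged only in a deleted VLAN is handled is this model's own choice, noted in the code.

```python
# Added example: model of the VLAN port-membership rules and the trunk side effect
# from the training. Not ProCurve code; see the lead-in for assumptions.
DEFAULT_VLAN = 1


class VlanTable:
    def __init__(self, ports):
        # Default state: every port is an untagged member of VLAN 1
        self.untagged = {p: DEFAULT_VLAN for p in ports}   # port -> its one untagged VLAN or None
        self.tagged = {p: set() for p in ports}             # port -> VLANs it is tagged in

    def members(self, port):
        vids = set(self.tagged[port])
        if self.untagged[port] is not None:
            vids.add(self.untagged[port])
        return vids

    def add_untagged(self, vid, port):
        # Rule 1: untagged in at most one VLAN; the previous untagged membership is
        # replaced, tagged memberships are kept
        self.tagged[port].discard(vid)
        self.untagged[port] = vid

    def add_tagged(self, vid, port):
        # Tagged membership leaves the port's status in other VLANs unchanged
        if self.untagged[port] == vid:
            self.untagged[port] = None
        self.tagged[port].add(vid)

    def remove(self, vid, port):
        # Rule 2: a port must stay a member of at least one VLAN
        if self.members(port) == {vid}:
            raise ValueError(f"{port} would be orphaned: add it to another VLAN first")
        if self.untagged[port] == vid:
            self.untagged[port] = None
        self.tagged[port].discard(vid)

    def delete_vlan(self, vid):
        # Rule 3: untagged members of a deleted VLAN go back to the default VLAN.
        # Also moving a port whose only (tagged) membership was this VLAN is this
        # model's choice, so that rule 2 still holds afterwards.
        if vid == DEFAULT_VLAN:
            raise ValueError("the default VLAN cannot be deleted")
        for port in self.untagged:
            if self.untagged[port] == vid or self.members(port) == {vid}:
                self.untagged[port] = DEFAULT_VLAN
            self.tagged[port].discard(vid)

    def create_trunk(self, trunk, ports):
        """Side effect from the deck: member ports drop all VLAN memberships and the
        new trunk starts as an untagged member of VLAN 1. Returns what was lost so the
        operator knows which memberships to re-add on the trunk."""
        lost = set()
        for port in ports:
            for vid in self.members(port) - {DEFAULT_VLAN}:
                lost.add(("untagged" if self.untagged[port] == vid else "tagged", vid))
            del self.untagged[port], self.tagged[port]
        self.untagged[trunk], self.tagged[trunk] = DEFAULT_VLAN, set()
        return lost

    def show_vlan(self, vid):
        """Like 'show vlans <vid>': sorted (port, mode) pairs."""
        rows = [(p, "Untagged") for p, v in self.untagged.items() if v == vid]
        rows += [(p, "Tagged") for p, vids in self.tagged.items() if vid in vids]
        return sorted(rows)


def edge1_trunk_change():
    """Replays the 'Impact of port trunking on VLAN status' slide on Edge_1."""
    ports = [f"{m}{n}" for m in "AB" for n in range(1, 25)] + ["C1", "C2", "C3", "C4"]
    t = VlanTable(ports)
    t.add_tagged(10, "C1")                     # before: C1 tagged in VLAN 10
    lost = t.create_trunk("Trk1", ["C1", "C2"])
    after_trunk = t.show_vlan(10)              # VLAN 10 has silently lost its uplink
    for mode, vid in lost:                     # what the operator must re-add
        (t.add_tagged if mode == "tagged" else t.add_untagged)(vid, "Trk1")
    return lost, after_trunk, t.show_vlan(10), t.show_vlan(1)
```

The value of `create_trunk` returning what was lost is the operational check: on the real switch nothing warns that VLAN 10 has no uplink until the hosts in it stop reaching the IT switch.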
Link aggregation summary
Benefits:
• Increases the capacity of links between switches and links between a switch and a server
• Very fast convergence
• On link failure, conversations assigned to the failed link will be distributed over the remaining links
Provides load sharing as opposed to load balancing
Requires point-to-point coterminous links: they must begin together and end together
Layer 2 redundancy: STP and RSTP
• Link aggregation
• Layer 2 redundancy: STP and RSTP
– STP and RSTP similarities
– Setting Bridge Priority
– Spanning Tree and VLANs
Spanning Tree review
[Diagram: Switch_A and Switch_B connected by redundant links.]
Spanning Tree Protocol (STP) automatically:
• Elects one switch to be the root
• Detects loops in the topology
• Uses the lowest cost path to the root
RSTP and STP similarities
Rapid Spanning Tree Protocol (RSTP, originally the IEEE 802.1w "Rapid Reconfiguration" amendment)
• In the current IEEE 802.1D standard, RSTP supersedes STP
Both STP and RSTP:
• Use Bridge Priority to elect a Root Bridge
• Use BPDU messages to determine the best path to the Root Bridge
• Specify default port costs based on link speed
RSTP advantages over STP:
• Faster convergence
• Ports default to the "edge" state, allowing rapid transition to the Forwarding state
– Edge state indicates that the device connected to the port is not a switch
Spanning Tree is turned off by default on HP Networking switches
Addresses and identifiers
Two identifiers play an important role in determining the active path through the bridged network
• Bridge ID: 64-bit (8-byte) field consisting of:
– 16-bit user-definable priority value
– 48-bit bridge MAC address
• Port ID: 16-bit (2-byte) field consisting of:
– 8-bit user-definable priority value
– 8-bit port number
[Diagram: Bridge ID = Bridge Priority (16 bits) | MAC Address (48 bits). Port ID = Port Priority (8 bits) | Port Number (8 bits).]
Link costs and path costs
When RSTP is enabled, all ports are assigned a default link cost:
• 10 Gigabit: 2,000
• 1 Gigabit: 20,000
• 100 Mbps: 200,000
• 10 Mbps: 2,000,000
Root Path Cost
• Cost of the shortest path between a switch and the Root Bridge
Root Port
• Port with the lowest cost path to the Root Bridge
• If multiple ports on a switch have the same lowest cost path, the neighbors' Bridge IDs are used as a tiebreaker
Setting Bridge Priority
[Diagram: Edge_1 (Bridge Priority 4096, Root), Edge_2 (Bridge Priority 8192, Backup Root), Edge_3 and Edge_4 (Bridge Priority 32768). In this network, each link has a cost of 20000.]
• Bridge Priority for RSTP switches is set in increments of 4096
• To set the Bridge Priority to 4096:
Edge_1(config)# span priority 1
• To set the Bridge Priority to 8192:
Edge_1(config)# span priority 2
• To return the Bridge Priority to the default setting of 32768:
Edge_1(config)# span priority 8
Impact of Bridge Priority setting
[Diagram: Edge_1 (Bridge Priority 4096, Root), Edge_2 (Bridge Priority 8192, Backup Root), Edge_3 and Edge_4 (Bridge Priority 32768), interconnected by links L1 to L5. Port roles are marked: DP = Designated Port, RP = Root Port, B = Blocked, F = Forwarding.]
• All ports on Edge_1 (Root Bridge) are in the Forwarding state
• The other switches select the Root Port directly adjacent to the Root Bridge
• One switch forwards traffic on behalf of each LAN: the Designated Bridge. It is the switch with the lowest Root Path Cost on that LAN, and the Bridge ID decides ties; here Edge_2, Edge_3 and Edge_4 all reach the root at cost 20000, so the Bridge ID decides
• Edge_1 is the Designated Bridge for Links 1, 2, and 3
• Edge_2 is the Designated Bridge for Links 4 and 5 because it has the better priority
Spanning Tree details for the Root Bridge
Edge_1(config)# show span
Status and Counters – Spanning Tree Information
Protocol Version : RSTP
STP Enabled : Yes
Force Version : RSTP-operation
Switch Priority : 4096          Hello Time : 2
Max Age : 20                    Forward Delay : 15
Topology Change Count : 20
Time Since Last Change : 1 hour
Root MAC Address : 0004ea-5e1100
Root Path Cost : 0
Root Port : This switch is root
Root Priority : 4096
Port  Type       Cost   Priority  State       : Designated Bridge
----  ---------  -----  --------  ----------  + -----------------
...
B4    100/1000T  20000  128       Forwarding  : 0004ea-5e1100
...
C1    100/1000T  20000  128       Forwarding  : 0004ea-5e1100
...
D4    100/1000T  20000  128       Forwarding  : 0004ea-5e1100
• Switch Priority 4096 corresponds to "span priority 1"
• Root Bridge indicators: Root Path Cost 0 and Root Port "This switch is root"
• The Root Bridge is the Designated Bridge for its locally connected links
Spanning Tree details for a non-Root Bridge
Edge_2(config)# show span
Status and Counters – Spanning Tree Information
Protocol Version : RSTP
STP Enabled : Yes
Force Version : RSTP-operation
Switch Priority : 8192          Hello Time : 2
Max Age : 20                    Forward Delay : 15
Topology Change Count : 20
Time Since Last Change : 1 hour
Root MAC Address : 0004ea-5e1100
Root Path Cost : 20000
Root Port : A1
Root Priority : 4096
Port  Type       Cost   Priority  State       : Designated Bridge
----  ---------  -----  --------  ----------  + -----------------
...
A1    100/1000T  20000  128       Forwarding  : 0004ea-5e1100
...
C1    100/1000T  20000  128       Forwarding  : 0004ea-5e5000
...
C4    100/1000T  20000  128       Forwarding  : 0004ea-5e5000
• Switch Priority 8192 corresponds to "span priority 2"
• Root Bridge indicators: Root MAC Address and Root Priority identify Edge_1 as the root; Root Path Cost 20000 and Root Port A1 give the path to it
• On ports C1 and C4 the Designated Bridge is Edge_2 itself (0004ea-5e5000)
Why set Bridge Priority?
[Diagram: six switches with MAC addresses 0001e6-093800, 0001e6-0f1332, 0004ea-100da3, 0004ea-2a1312, 0004ea-5e1100 and 0004ea-5e5000. Root Ports (RP), Designated Ports (DP) and Blocked ports (B) are marked, with a Root and a Backup Root indicated.]
• All switches have the default Bridge Priority 32768
• All ports have the default Port Priority 128
• All link costs are 20000
• If the Bridge Priority is not administratively defined, which of these switches will become the Root Bridge?
– With equal priorities the Bridge ID is decided by the MAC address, so the switch with the numerically lowest MAC, 0001e6-093800, becomes the root, wherever it happens to sit in the topology
• How does this affect the active path through the network?
– Root Ports and Designated Ports are chosen relative to that switch, so the active path follows the chance placement of the lowest MAC rather than the design
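Root election, Root Path Cost and port roles for the four-switch network of the "Setting Bridge Priority" and "Impact of Bridge Priority setting" slides, and the answer to the "Why set Bridge Priority?" question, computed from the same rules the slides state: Bridge IDs compare as (priority, MAC), the Root Path Cost is the cheapest path to the root, the Root Port is the lowest-cost port with the neighbour's Bridge ID as tiebreaker, and the Designated Bridge on a link is the end with the lower (Root Path Cost, Bridge ID). This is an added example, not HP code. Which switch pairs form links L1 to L5 and the MAC addresses of Edge_3 and Edge_4 are assumptions (the deck draws the links but only names MACs on the six-switch slide).

```python
# Added example: Root Bridge election and RSTP port roles for the training's
# topology. Not HP code; link pairs and Edge_3/Edge_4 MACs are assumptions.
import heapq


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)

def span_priority(step):
    """ProCurve 'span priority <step>': Bridge Priority = step * 4096 (8 is the default 32768)."""
    if not 0 <= step <= 15:
        raise ValueError("priority step must be 0..15")
    return step * 4096

def bridge_id(priority, mac):
    return (priority, mac_to_int(mac))

def elect_root(bridges):
    """bridges: name -> (priority, mac). The lowest Bridge ID wins."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))

def root_path_costs(root, links):
    """links: name -> (bridge_a, bridge_b, cost). Dijkstra outward from the root."""
    adj = {}
    for a, b, cost in links.values():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nb, cost in adj.get(node, []):
            if d + cost < dist.get(nb, float("inf")):
                dist[nb] = d + cost
                heapq.heappush(heap, (d + cost, nb))
    return dist

def port_roles(bridges, links):
    """Returns (root, root path cost per bridge, role of each (bridge, link) end:
    'RP' root port, 'DP' designated port, 'B' blocked)."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links)
    bid = {n: bridge_id(*bridges[n]) for n in bridges}
    # Designated Bridge per link: lower (Root Path Cost, Bridge ID) of the two ends
    designated = {ln: min((a, b), key=lambda n: (rpc[n], bid[n])) for ln, (a, b, _) in links.items()}
    root_port = {}
    for name in bridges:
        if name == root:
            continue
        # lowest cost to the root; the neighbour's Bridge ID breaks ties, as on the deck
        best = min((rpc[nb] + cost, bid[nb], ln)
                   for ln, (a, b, cost) in links.items() if name in (a, b)
                   for nb in [b if a == name else a])
        root_port[name] = best[2]
    roles = {}
    for ln, (a, b, _) in links.items():
        for end in (a, b):
            if root_port.get(end) == ln:
                roles[(end, ln)] = "RP"
            elif designated[ln] == end:
                roles[(end, ln)] = "DP"
            else:
                roles[(end, ln)] = "B"
    return root, rpc, roles


# 'Setting Bridge Priority' slide. Edge_1/Edge_2 MACs come from the show span output;
# Edge_3/Edge_4 MACs are taken from the six-switch slide as an assumption.
BRIDGES = {
    "Edge_1": (span_priority(1), "0004ea-5e1100"),
    "Edge_2": (span_priority(2), "0004ea-5e5000"),
    "Edge_3": (span_priority(8), "0001e6-093800"),
    "Edge_4": (span_priority(8), "0001e6-0f1332"),
}
LINKS = {  # every link costs 20000 (1 Gigabit); which switches each link joins is assumed
    "L1": ("Edge_1", "Edge_2", 20000), "L2": ("Edge_1", "Edge_3", 20000),
    "L3": ("Edge_1", "Edge_4", 20000), "L4": ("Edge_2", "Edge_3", 20000),
    "L5": ("Edge_2", "Edge_4", 20000),
}
# 'Why set Bridge Priority?': the six switches, all left at the default priority
DEFAULT_PRIORITY_SWITCHES = {mac: (span_priority(8), mac) for mac in (
    "0001e6-093800", "0001e6-0f1332", "0004ea-100da3",
    "0004ea-2a1312", "0004ea-5e1100", "0004ea-5e5000")}
```

Running `port_roles(BRIDGES, LINKS)` reproduces the slide: Edge_1 is designated on L1 to L3, Edge_2 on L4 and L5, and one port each on Edge_3 and Edge_4 is blocked. Rerunning with every priority left at 32768 moves the root to whichever switch carries the lowest MAC, which is the case the "Why set Bridge Priority?" slide warns about.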
RSTP edge ports
• All ports are edge ports by default when RSTP is enabled, which causes rapid transition to the Forwarding state
• Ports that are connected to other switches should NOT be treated as edge ports, because an edge port starts forwarding without waiting for the topology to be resolved
Edge_1(config)# no span b4,c1,d4 edge-port
Edge_2(config)# no span a1,c1,c4 edge-port
Edge_3(config)# no span a1,a4 edge-port
Edge_4(config)# no span a1,a4 edge-port
[Diagram: Edge_1 to Edge_4 interconnected by links L1 to L5 with their Root Ports and Designated Ports marked; end stations hang off Edge_3 and Edge_4.]
Configuring and enabling RSTP
Spanning Tree can be configured before it is enabled
• Sample configuration commands:
Edge_2(config)# span c12 point-to-point-mac force-false
Edge_2(config)# span Trk1 pri 4
Edge_2(config)# span a1 path-cost 40000
Edge_1(config)# span pri 1
Edge_1(config)# no span b4,c1,d4 edge
• Enable Spanning Tree when the configuration is complete:
Edge_1(config)# span
Disabling Spanning Tree (no span) does not remove the existing settings from the configuration
Combining Spanning Tree and VLANs
When Spanning Tree and VLANs are combined:
• Both the RSTP and STP standards specify a single Spanning Tree that resolves loops in the bridged network
• Regardless of the number of VLANs in the bridged network, BPDUs are sent untagged
• Redundant links between switches are blocked without regard to the VLANs they carry
– Network designers must ensure that this does not isolate VLANs
Scenario: Spanning Tree and VLANs
[Diagram: Edge_1, Edge_2, Edge_3 and Edge_4 with hosts in VIDs 10, 20 and 30 attached. The six switch-to-switch links are tagged members of only the VLANs shared by their two switches: 10 and 20; 10; 30; 10; 20; 20.]
• Three VLANs are distributed across four switches with redundant links
• While it may seem sufficient to define the common point-to-point link between two switches as a tagged member of only the VLANs that are shared by the switches, the operation of Spanning Tree can result in isolation of VLAN hosts
Poor design can isolate VLANs
[Diagram: the same topology with Edge_1 as Root. Port roles (DP, RP, B) and the active path are marked; the three active links carry VLANs 10 and 20; 20; and 10.]
• Only three of the six links between the switches are required for full connectivity; three are blocked
• Are any hosts isolated from other hosts in the same VLAN?
– Yes: none of the three active links carries VLAN 30, so the only link carrying VLAN 30 is blocked and the VLAN 30 hosts on different switches cannot reach each other
Assigning all VLANs to redundant links
[Diagram: the same topology with Edge_1 as Root; every switch-to-switch link is now a tagged member of VLANs 10, 20 and 30.]
• Assigning all three VLANs to the switch-to-switch links assures that all VLANs will be reachable regardless of which links are blocked
Summary: STP and RSTP
RSTP provides faster convergence than STP
Bridge ID and Port ID are significant factors in determining the fastest path through a bridged network
• Bridge Priority should be configured manually to ensure proper selection of the Root Bridge
• Port Priority can be configured manually to affect active path selection
RSTP and STP are interoperable by design
Designers must ensure that Spanning Tree operation does not isolate VLAN members
Module: Enabling Convergence
Prioritizing traffic
• Prioritizing traffic
– Prioritization tasks
– Classification criteria
– Scheduling (servicing queues)
– Standards for marking traffic
– Rate limiting
– Guaranteed minimum bandwidth
• Supporting IP Multicast
HP Networking University scenario
New applications are planned to be added to the HP Networking University network in the near future:
• Video surveillance cameras in public areas to be upgraded
• Voice over IP to be used for the phone system
• Video conferencing capabilities to be extended to the network edge
Switches used to upgrade the network edge must:
• Support traffic prioritization
• Enable power to be carried over Ethernet
• Enable multicast traffic to be forwarded only to the intended receivers
Traffic prioritization tasks
Classification
• Recognize traffic that should be prioritized
• Assign a traffic class (0-7)
Scheduling
• Map traffic classes to queues
• High-priority traffic gets a greater percentage of the outbound bandwidth than normal- or low-priority traffic
Marking
• Indicates within the header how traffic should be handled
• Layer 2 marking: IEEE 802.1p
• Layer 3 marking: IP ToS or DiffServ
Classification
[Diagram: an ingress port feeding traffic classes 0 to 7.]
Traffic can be classified based on a previously defined characteristic such as VLAN ID, inbound port or IP address
Various HP Networking switches can map traffic to up to 8 traffic classes
Scheduling: mapping and queuing
Traffic classes are mapped to queues within the switch
Each queue is allocated a minimum percentage of bandwidth, where high-priority traffic is allocated the highest percentage
[Diagram: ingress port, then Classification into traffic classes 0 to 7, then Physical Queuing into queues 1 (lowest priority), 2 (normal priority), 3 (medium priority) and 4 (highest priority).]
Marking
Switch can indicate a priority level in the frame's header
IEEE 802.1p standard specifies up to 8 priority levels that can be marked in the IEEE 802.1Q tag
Priority level will be marked on frames forwarded through a tagged port
[Diagram: traffic classes 0-7 assigned at the ingress port are queued in physical queues 1 (lowest priority) to 4 (highest priority) and the priority level is marked in the frame at the egress port]
Traffic classification by an edge switch
Two conditions may require a switch to classify traffic:
• Hosts are incapable of setting priority for the traffic they generate
• Untrusted hosts set illegitimate priorities
Some switches can classify traffic based on:
• IEEE 802.1Q VLAN ID
• IP address (source or destination)
• TCP or UDP port number
• Value in 802.1p or TOS field
• LAN protocol (Ethernet type field)
• Incoming source port on the switch
Other switches may be able to classify traffic based on incoming source port
Weighted round-robin queuing

Percentage of bandwidth (1) per queue, by switch series:

Queue         2800   2600   4100gl (2)   5300xl
4 (high)        55     75       61         45
3 (medium)      28     19        -         30
2 (normal)      14      5       31         16
1 (low)          3      1        8          8

Queue         5400zl (3)
8 (high)        20
7 (high)        15
6 (medium)      10
5 (medium)      10
4 (normal)      10
3 (low)         30
2 (low)          3
1 (normal)       2

(1) Percentage of bandwidth is based on number of packets
(2) HP Networking Switch 4100gl supports 3 queues
(3) Applicable to HP Networking Switch 5400zl, 3500yl and 6200yl
[Pie chart: 2600 series bandwidth split across Queue 1 to Queue 4]

HP Networking Switch 2600 series example
• If the switch receives traffic mapped to all four queues in a given time period, 75% of the bandwidth would be allocated to high priority traffic. Normal priority traffic would use 5% of the bandwidth.
• If all traffic has the same priority level (e.g. normal) in a given time period, 100% of the bandwidth is given to that traffic.
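The two bullets above can be checked with a small scheduler model. This is an added example, not HP's code or the switch firmware: it services four queues in weighted round-robin using the 2600 column of the table (75/19/5/1) as per-round credits, counts packets per queue (footnote 1: the percentages are by packet count), and shows both the congested case and the single-class case. The packet lists and round counts are constructed for the illustration.

```python
"""Weighted round-robin (WRR) servicing of the four 2600-series queues.

Added example (not HP's code). Weights come from the slide's 2600 column;
queue contents and the number of scheduling rounds are constructed values.
"""
from collections import deque

# 2600 series: queue number -> percentage of bandwidth from the slide table.
WEIGHTS_2600 = {4: 75, 3: 19, 2: 5, 1: 1}


def make_queues(depths):
    """Build backlogged queues; each packet is a (queue, sequence) tuple."""
    return {q: deque((q, i) for i in range(depths.get(q, 0))) for q in (1, 2, 3, 4)}


def wrr_schedule(queues, weights, rounds):
    """Service the queues for `rounds` rounds of weighted round-robin.

    In every round each queue may send up to `weights[q]` packets (its credit);
    an empty queue forfeits its credit, which is why a lone traffic class ends
    up with all of the link. Returns packets in transmission order.
    """
    sent = []
    for _ in range(rounds):
        for q in sorted(weights, reverse=True):   # queue 4 (highest) first
            credits = weights[q]
            while credits > 0 and queues[q]:
                sent.append(queues[q].popleft())
                credits -= 1
    return sent


def bandwidth_share(sent):
    """Percentage of transmitted packets per queue (by packet count)."""
    if not sent:
        return {}
    counts = {}
    for q, _ in sent:
        counts[q] = counts.get(q, 0) + 1
    return {q: round(100 * n / len(sent), 1) for q, n in counts.items()}


def congested_share():
    """All four queues backlogged: the split follows the weights 75/19/5/1."""
    queues = make_queues({4: 1000, 3: 1000, 2: 1000, 1: 1000})
    return bandwidth_share(wrr_schedule(queues, WEIGHTS_2600, rounds=10))


def single_class_share():
    """Only normal-priority (queue 2) traffic present: it gets 100%."""
    queues = make_queues({2: 500})
    return bandwidth_share(wrr_schedule(queues, WEIGHTS_2600, rounds=100))


if __name__ == "__main__":
    print("all queues busy:", congested_share())
    print("only queue 2 busy:", single_class_share())
```

Because the credits are counted in packets, a queue carrying large frames gets more bytes than the percentage suggests; that is the point of footnote 1 and something to keep in mind when sizing the high-priority class for video.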
Standards for marking traffic
IEEE 802.1p (Layer 2 marking)
• Part of IEEE 802.1Q standard
• Specifies 8 priority levels (0-7) that are identified within the 802.1Q tag
• Relevant within and between VLANs; ports that carry 802.1p prioritization information must be tagged
IETF RFC 2475 - DiffServ (Layer 3 marking)
• Specifies a method for setting priority in a 6-bit field in the IP datagram header
• DiffServ settings are maintained between routed networks, including WAN interfaces
• Up to 64 code points may be defined
– RFCs 2474 and 2475 specify 13 service levels
Traffic prioritization using 802.1p
A 3-bit field in the 802.1Q tag is reserved for prioritization
Some end stations set priorities for their traffic
HP Networking switches set marker for prioritized traffic forwarded over tagged links
[Diagram: tagged frame layout: Destination MAC address | Source MAC address | VLAN tag (4 bytes): VLAN Protocol ID (16 bits), Priority (3 bits), CFI, VLAN ID (12 bits) | Rest of original packet]
8 possible values for the 3-bit Priority field: 000 001 010 011 100 101 110 111
IP Type of Service
IP datagram header includes an 8-bit Type of Service (ToS) field that was defined to allow a host application to provide handling instructions to a router
Differentiated Services redefines the field
Original definition (IP Precedence): bits 0-2 Precedence, bits 3-6 Type of Service (low delay, high throughput, high reliability, low cost), bit 7 unused
New definition (Differentiated Services): bits 0-5 Differentiated Services codepoint, bits 6-7 unused
Classifying traffic based on ingress port
Video surveillance cameras to be installed do not mark traffic with high priority
To set the priority for a range of ports:
Edge_3(config)# int 5-8
Edge_3(eth-5-8)# qos priority 6
Edge_3(config)# show run
. . .
int 5
qos priority 6
int 6
qos priority 6
int 7
qos priority 6
int 8
qos priority 6
. . .
Marking in IEEE 802.1Q tag
vlan 60
untagged 5-8
tagged 9
Untagged frame: DA SA 0800 <IP header>
Tagged frame on the uplink: DA SA 8100 110 0 03c 0800... (802.1Q tag: Priority 110, CFI 0, VLAN ID 03c)
Because uplink port is a tagged member of VLAN 60, all outbound VLAN 60 traffic carries a tag
This tag contains a high priority marker (110)
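The tagged frame on the slide (8100 110 0 03c 0800) and the ToS byte from the IP Type of Service slide can be built and decoded in a few lines. The following is an added example, not HP's code: it packs the 4-byte 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding the 3-bit priority, CFI and 12-bit VLAN ID), follows it with a minimal IPv4 header, and parses the fields back out, including the old IP Precedence and the DiffServ codepoint views of the ToS byte. The MAC addresses, IP addresses and the ToS value 0xB8 are constructed sample values.

```python
"""Build and decode the 802.1Q priority tag and the IP ToS/DSCP byte.

Added example (not HP's code). Reconstructs the slide's frame
DA SA 8100 110 0 03c 0800 ... and reads the fields back. MAC addresses,
IP addresses and the ToS byte are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tag(priority, cfi, vlan_id):
    """4-byte 802.1Q tag: TPID + TCI (3-bit PCP | 1-bit CFI | 12-bit VID)."""
    if not 0 <= priority <= 7 or not 0 <= vlan_id <= 4095 or cfi not in (0, 1):
        raise ValueError("802.1Q field out of range")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def build_ipv4_header(tos, src, dst):
    """Minimal 20-byte IPv4 header (no options) carrying the given ToS byte."""
    ver_ihl, total_len, ident, flags_frag, ttl, proto, checksum = 0x45, 20, 0, 0, 64, 17, 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, checksum, src, dst)


def parse_frame(frame):
    """Decode DA, SA, optional 802.1Q tag, EtherType and (IPv4) the ToS byte.

    'priority', 'cfi' and 'vlan_id' are None for an untagged frame.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"da": frame[0:6].hex(), "sa": frame[6:12].hex(),
            "priority": None, "cfi": None, "vlan_id": None}
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["priority"] = tci >> 13           # 802.1p value, 3 bits
        info["cfi"] = (tci >> 12) & 1
        info["vlan_id"] = tci & 0x0FFF         # VLAN ID, 12 bits
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        tos = frame[offset + 1]                # second byte of the IPv4 header
        info["ip_precedence"] = tos >> 5       # original definition: top 3 bits
        info["dscp"] = tos >> 2                # DiffServ: top 6 bits
    return info


def camera_frame_on_uplink():
    """The slide's uplink frame: priority 110 (6), CFI 0, VLAN 0x03c (60), IPv4."""
    da = bytes.fromhex("000102030405")        # constructed sample addresses
    sa = bytes.fromhex("00a0c9112233")
    # ToS 0xB8 = DSCP 46 / IP Precedence 5: a constructed sample marking
    ip = build_ipv4_header(0xB8, bytes([10, 1, 60, 20]), bytes([10, 1, 65, 5]))
    return da + sa + build_tag(6, 0, 60) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def untagged_frame():
    """The same packet as it leaves the camera on an untagged port."""
    ip = build_ipv4_header(0xB8, bytes([10, 1, 60, 20]), bytes([10, 1, 65, 5]))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    print(build_tag(6, 0, 60).hex())           # 8100c03c
    print(parse_frame(camera_frame_on_uplink()))
```

The TCI for the slide's example is 0xC03C (110 0 000000111100), which is why a capture shows 8100 c03c after the source address. Note that the parser only trusts what is in the frame: on an access port from an untrusted host the 802.1p value it reports is whatever the host chose to send, which is exactly why the edge switch re-classifies (next slides).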
Retaining priority when forwarding between VLANs
Surveillance cameras and security monitoring stations are in different VLANs
Upstream switch retains the priority setting when forwarding between networks
...
vlan 61
tagged a1
ip address 10.1.65.1/24
...
vlan 60
tagged d1
ip address 10.1.60.1/24
...
Frame arriving from the camera VLAN: DA SA 8100 110 0 60 0800...
Frame forwarded toward the security monitoring stations: DA SA 8100 110 0 61 0800...
Enabling other types of classification
On some switches, traffic classification policies can also be defined within:
• VLAN configuration context to specify a priority value per VLAN
Core(vlan-20)# qos pri 6
• Global configuration level to set a priority level for particular TCP/UDP port numbers, IP addresses, and protocol
Example:
Core(config)# qos device-priority 10.10.15.27 pri 6
Core(config)# qos ?
udp-port Set UDP port based priority.
tcp-port Set TCP port based priority.
device-priority Configure device-based priority.
dscp-map Define mapping between a DSCP (Differentiated-
Services Codepoint) value and 802.1p priority.
protocol Configure protocol-based priority.
type-of-service Configure the Type-of-Service method the device uses
to prioritize IP traffic.
Resolving conflicting priority settings
When traffic to be classified matches multiple prioritization policies, the switch enforces the following precedence (highest first):
• UDP/TCP application type (port number)
• Device priority (destination or source IP address)
• IP Type of Service field
• Protocol (Ethernet Type field)
• VLAN ID
• Incoming source port on the switch
• Incoming 802.1p value
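The precedence list above decides which policy wins when several match. As an added example (not HP's code and not the switch's real implementation), the resolver below keeps one lookup table per classification criterion, collects every match for a packet, and returns the match that sits earliest in the slide's order. The sample policies reuse the configuration shown on the previous slides (qos priority 6 on ports 5-8, qos device-priority 10.10.15.27 pri 6, qos pri 6 in VLAN 20); the UDP port policy and the packets are constructed.

```python
"""Resolve conflicting QoS classification policies in the slide's precedence order.

Added example (not HP's code). The order is the slide's list; the policy
tables, the UDP port entry and the sample packets are constructed.
"""

# Highest precedence first, exactly as listed on the slide.
PRECEDENCE = [
    "udp_tcp_port",    # UDP/TCP application type (port number)
    "device",          # destination or source IP address
    "tos",             # IP Type of Service field
    "protocol",        # Ethernet Type field
    "vlan",            # VLAN ID
    "ingress_port",    # incoming source port on the switch
    "incoming_8021p",  # 802.1p value already carried in the frame's tag
]

# Constructed policy store reusing the slides' configuration examples.
SAMPLE_POLICIES = {
    "udp_tcp_port": {("udp", 5004): 7},          # constructed: a UDP media port
    "device":       {"10.10.15.27": 6},          # qos device-priority 10.10.15.27 pri 6
    "vlan":         {20: 6},                     # vlan 20 / qos pri 6
    "ingress_port": {5: 6, 6: 6, 7: 6, 8: 6},    # int 5-8 / qos priority 6
}


def candidate_keys(criterion, pkt):
    """Packet values each criterion is matched against (src and dst both count)."""
    if criterion == "udp_tcp_port":
        proto = pkt.get("l4_proto")
        return [(proto, pkt.get("dst_port")), (proto, pkt.get("src_port"))]
    if criterion == "device":
        return [pkt.get("dst_ip"), pkt.get("src_ip")]
    field = {"tos": "dscp", "protocol": "ethertype",
             "vlan": "vlan_id", "ingress_port": "ingress_port"}[criterion]
    return [pkt.get(field)]


def match_policies(policies, pkt):
    """Return {criterion: priority} for every configured policy the packet matches."""
    hits = {}
    for criterion, table in policies.items():
        if criterion not in PRECEDENCE[:-1]:
            raise ValueError(f"unknown classification criterion: {criterion}")
        for key in candidate_keys(criterion, pkt):
            if key in table:
                hits[criterion] = table[key]
                break
    if pkt.get("pcp") is not None:               # host-set 802.1p value, lowest precedence
        hits["incoming_8021p"] = pkt["pcp"]
    return hits


def resolve_priority(policies, pkt, default=0):
    """(winning criterion, priority); (None, default) when nothing matches."""
    hits = match_policies(policies, pkt)
    for criterion in PRECEDENCE:
        if criterion in hits:
            return criterion, hits[criterion]
    return None, default


if __name__ == "__main__":
    camera = {"ingress_port": 5, "vlan_id": 60}                       # unmarked camera
    spoofed = {"ingress_port": 5, "vlan_id": 60, "pcp": 7}            # host-set 802.1p
    print(resolve_priority(SAMPLE_POLICIES, camera))                  # ('ingress_port', 6)
    print(resolve_priority(SAMPLE_POLICIES, spoofed))                 # ('ingress_port', 6)
```

The last case is the one that matters for the "untrusted hosts set illegitimate priorities" condition from the classification slide: because the incoming 802.1p value has the lowest precedence, any switch-side policy on the port overrides whatever priority an untrusted host wrote into its tag.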
Prioritizing traffic
Supporting IP Multicast
– Limiting multicasts with IGMP
– IGMP terms
– Displaying IGMP information
Limiting multicasts with IGMP
IP multicast traffic is sent by a server to a destination multicast group address
A host sends an IGMP "membership" message signaling an intention to join the group
Switches configured to support IGMP forward the data stream only toward hosts that have joined the group
• Switches without IGMP support will flood multicast packets through all ports, potentially to unintended recipients
Switches configured to support IGMP send periodic "query" messages to verify at least one member is still active on each attached network
• Hosts confirm their intention to continue receiving the multicast stream using an IGMP "membership" message
A host sends an IGMP "leave" message signaling an intention to stop receiving the multicast stream
IGMP terms
IGMP host
• End station that runs multicast applications using IGMP
• Sends a "membership" message to signal intention to receive a multicast data stream and a "leave" message to stop receiving
Querier
• IGMP device that sends requests and collects responses, determining the location of multicast data receivers
• Each multicast-enabled broadcast domain has one active querier and possibly a backup querier
Multicast group
• Set of hosts, routers, and/or switches that send or receive multicast data streams to or from the same source(s)
IGMP Querier
Every LAN that is multicast-enabled must have an IGMP Querier
Each IGMP switch or router can be configured to participate in Querier Election
• It listens for queries and becomes the Querier if it hears none
The Querier sends out Queries based on a Query Interval
• Other IGMP switches and routers listen for Queries and will elect a new Querier if they stop hearing Queries.
If a multicast router is present, it becomes the Querier
• An HP Networking switch can become a Querier for a VLAN if it has an IP address defined for that VLAN
• Without an IP address, the switch can still be configured to participate in IGMP, but cannot become the Querier
IGMP Membership Report
[Diagram: multicast server attached to Edge_1; Edge_2 and Edge_3 connected below Edge_1; host1 and host2 (IGMP client) on Edge_2, host3 and host4 (IGMP client) on Edge_3]
Hosts 2 and 4 send IGMP Membership Reports to "join" the multicast group
• All three switches are IGMP-enabled
Data-driven IGMP
[Diagram: same topology; the multicast data stream flows from the server through Edge_1, Edge_2 and Edge_3 to the IGMP clients only]
With Data-driven IGMP, the switches send the multicast data stream only toward group members
IGMP snooping
[Diagram: same topology; the multicast data stream initially reaches every host, the non-member hosts receive it only initially]
With IGMP snooping, the switches send the multicast data stream toward all hosts initially
After a time period of not receiving IGMP membership reports from some hosts, the switch stops sending the multicast stream toward those hosts
IGMP Fast-Leave
[Diagram: multicast server attached to Edge_1; Edge_2 and Edge_3 below Edge_1; the IGMP client is attached to Edge_3]
1. Host sends IGMP Leave Group message
2. Edge_3 immediately stops sending toward former client, since no other active clients
3. Edge_1 will stop sending data stream if there is no response to its periodic Host Membership Query
Enabling IGMP support
IGMP is enabled within the context of each VLAN that will support IP multicast traffic:
Edge_1(config)# vlan 20
Edge_1(vlan-20)# ip igmp
An HP Networking switch can act as the querier for any VLAN if it has an IP address assigned:
Edge_1(vlan-20)# ip address 10.10.20.15/24
If an IP address is assigned to the VLAN, but the switch should not participate in querier election, you can disable the feature:
Edge_1(vlan-20)# no ip igmp querier
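The join, query and leave behaviour described across the IGMP slides (flooding without IGMP, forwarding only to joined ports with it, Fast-Leave on one switch and query time-out on another) can be modelled as a per-switch forwarding table. This is an added example, not HP's code: the port numbers, the group address and the membership interval constant are constructed, and a real switch derives the time-out from its query interval rather than from a fixed number.

```python
"""An IGMP-snooping forwarding table with join / query-timeout / leave handling.

Added example (not HP's code). Ports, group address and MEMBERSHIP_INTERVAL
are constructed values; the scenario follows the slide's Fast-Leave sequence.
"""

MEMBERSHIP_INTERVAL = 260   # seconds a member stays valid without a fresh report (constructed)


class IgmpSnoopingSwitch:
    """Forwarding state one switch keeps per multicast group."""

    def __init__(self, name, ports, igmp_enabled=True, fast_leave=False):
        self.name = name
        self.ports = set(ports)
        self.igmp_enabled = igmp_enabled
        self.fast_leave = fast_leave
        self.groups = {}   # group address -> {port: time of last membership report}

    def membership_report(self, port, group, now):
        """A host on `port` joins `group`, or answers a query to stay joined."""
        if port not in self.ports:
            raise ValueError(f"{self.name}: no such port {port}")
        self.groups.setdefault(group, {})[port] = now

    def leave(self, port, group):
        """IGMP Leave from `port`. With Fast-Leave the port is pruned at once
        (True); otherwise nothing changes until the entry ages out (False)."""
        members = self.groups.get(group, {})
        if port not in members or not self.fast_leave:
            return False
        del members[port]
        if not members:
            del self.groups[group]
        return True

    def age_out(self, now):
        """Run after a query cycle: drop members that have not reported in time."""
        for group in list(self.groups):
            members = self.groups[group]
            for port in [p for p, last in members.items() if now - last > MEMBERSHIP_INTERVAL]:
                del members[port]
            if not members:
                del self.groups[group]

    def forward_ports(self, group):
        """Ports that receive the stream: every port without IGMP (flooding),
        only ports with a current member when IGMP is enabled."""
        if not self.igmp_enabled:
            return set(self.ports)
        return set(self.groups.get(group, {}))


def fast_leave_scenario():
    """The slide's sequence: the client behind Edge_3 leaves; Edge_3 (Fast-Leave)
    prunes immediately, Edge_1 keeps forwarding until the query cycle times out."""
    group = "239.1.1.1"                                   # constructed group address
    edge1 = IgmpSnoopingSwitch("Edge_1", ports=[1, 23, 24])
    edge3 = IgmpSnoopingSwitch("Edge_3", ports=[3, 4, 24], fast_leave=True)
    edge3.membership_report(4, group, now=0)              # host4 on Edge_3 port 4
    edge1.membership_report(24, group, now=0)             # ... seen by Edge_1 on its port 24
    edge1.membership_report(23, group, now=0)             # host2 via Edge_2 on Edge_1 port 23

    edge3.leave(4, group)                                 # step 1: Leave Group from host4
    after_leave = (edge3.forward_ports(group), edge1.forward_ports(group))   # step 2
    edge1.membership_report(23, group, now=200)           # host2 still answers queries
    edge1.age_out(now=300)                                # step 3: no report from port 24
    return {"edge3_after_leave": after_leave[0],
            "edge1_after_leave": after_leave[1],
            "edge1_after_timeout": edge1.forward_ports(group)}


if __name__ == "__main__":
    print(fast_leave_scenario())
```

The flooding branch of forward_ports is the "switches without IGMP support" bullet: with IGMP disabled every port receives the stream, which is the behaviour the surveillance design is meant to avoid.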
MSM Controller Overview
Module
[Diagram: MSM765zl Module (for the 5400zl/8200zl series) and MSM760 Appliance]
MSM760 and MSM765zl Controllers
MSM Controllers

                                 MSM 760                              MSM 765 zl
Service Pack                     Access (Basic) / Mobility            Mobility only
Services                         Access: WLAN Mgmt and Control,       WLAN Mgmt and Control,
                                 Guest Access                         Guest Access, Roaming
                                 Mobility: WLAN Mgmt and Control,
                                 Guest Access, Roaming
Port Speed                       10/100/1000                          10000
Scalability                      Maximum # of Access Points           Maximum # of Access Points
                                 Supported: 40 expandable to 200      Supported: 40 expandable to 200
Simultaneous Users               Unlimited                            Unlimited
Simultaneous guest access users  1000 expandable to 2000              1000 expandable to 2000
Warranty                         1 year hardware limited warranty,    Lifetime hardware warranty
                                 5 years on Hard Drive
MSM Controllers (cont.)

                                 MSM 710
Service Pack                     Access (Basic) / Mobility
Services                         Access: WLAN Mgmt and Control, Guest Access
                                 Mobility: WLAN Mgmt and Control, Guest Access, Roaming
Port Speed                       10/100/1000
Scalability                      Maximum # of Access Points Supported: 10
Simultaneous Users               Unlimited
Simultaneous guest access users  100
Warranty                         1 year hardware limited warranty
HP Networking Architecture?
MSM AP exchanges low bandwidth management traffic with controller
High bandwidth traffic between user & host is forwarded locally by MSM AP
[Diagram: HP Networking MSM solution: Control between AP and MSM Controller, Data directly between HOSTs; Other Manufacturers: Control & Data both pass through the Controller]
MSM Edge Switched Service
MSM AP is managed centrally but processes data at the edge
• MSM APs get their config, policies & firmware updates from controller
• MSM APs report connections and events to controller
• MSM AP authenticates Wifi nodes directly with the RADIUS server
Key Advantage:
• Controller scales easily (for 802.11n) as user traffic does not cross it
• MSM AP continues to work without controller: provides resiliency
[Diagram: MSM AP – Switch – MSM Controller (Control); Corporate RADIUS (Authentication); Data forwarded to the IP network]
MSM Edge Switched Service (cont.)
• Wireless user traffic is bridged into local VLAN
• Infrastructure requires:
− Setting of VLANs at network edge (AP switch ports)
• For Static VLAN or Dynamic VLAN assignment
− Local Routing
− Local DHCP services
[Diagram: MSM AP – Switch – MSM Controller; Corporate RADIUS; Data on the Local VLAN to the IP network]
Architecture for Centralized Guest Service
MSM AP "tunnels" Guest traffic up to the MSM Controller
• Access control occurs at the controller using either the internal or external RADIUS server
• Traffic is routed/NATed (option) onto a VLAN local to the Controller
Key advantages:
• Wireless traffic is isolated from wired LAN and is centrally authenticated & firewalled
[Diagram: MSM AP – Switch – MSM Controller: Control + Authentication + Data; access controlled guest data to the IP network; RADIUS]
Architecture for Centralized Guest Service (cont.)
User IP address is assigned (or relayed) by controller
Guests belong to a local (private) IP Subnet on the controller
User traffic is routed, shaped, tagged & optionally NATed at the controller
Infrastructure does not require user VLAN settings or DHCP services at the Edge.
[Diagram: MSM AP – Switch – MSM Controller: Control + Authentication + Data; access controlled guest data to the IP network; DHCP at the controller]
Edge or Centralized Service?

                                 MSM Edge Architecture                MSM Centralized architecture (Access controlled traffic)
User traffic is:                 Bridged on to the VLAN at the AP     Tunneled to controller and Routed on a VLAN of the Controller
Access Point switch port         is tagged with multiple VLANs        requires only one VLAN
IP Subnet of Users               Local to AP                          Local to controller and/or NATed
Authentication of users          Managed by AP                        Managed by Controller
Guest Users?                     Open SSID without authentication     Full centralized Web Authentication
Simultaneous guest access users  Unlimited                            1000 expandable to 2000
Administration                   More tasks on infrastructure at AP   Less tasks on Infrastructure
                                 (VLANs, DHCP…)
Key advantage                    Scalability                          Wireless traffic isolated from rest of LAN
MSM AP Overview
Module
MSM Access Point Models

                 Single radio                        Dual radios                                        Triple radios
Model            MSM310    MSM310-R   MSM410         MSM422      MSM320      MSM320-R   MSM325*        MSM335*
Radio(s)         a/b/g     a/b/g      a/b/g/n        n + a/b/g   2 x a/b/g   2 x a/b/g  2 x a/b/g      3 x a/b/g
Enclosure        indoor    outdoor    indoor         indoor      indoor      outdoor    indoor         indoor
Operating modes  Client access, Local Mesh, Packet capture (all models); RF security (Sensor) additionally on MSM325 and MSM335
Part numbers     J9379A    J9383A     J9427A         J9359A      J9364A      J9368A     J9373A         J9357A

J9384A HP Networking MSM320 RF Sensor License
• All APs can be powered with standard PoE - 802.3af!
• Operate in both controlled and autonomous mode
• * One radio can be set as Sensor
Questions
How does an AP associate with a controller?
How does an AP receive its config?
Discovery of controlled MSM APs – Phase 1
I. Automatic connection to the controller
• If in the same VLAN, MSM APs discover Controller via UDP Broadcast
• If not in the same VLAN, the IP address of the controller can be sent via Option 43 of DHCP or can be resolved via DNS
[Diagram: MSM AP locating the MSM Controller through the Corporate DHCP Server or the Corporate DNS Server]
......and you can always manually provision a device if required.
Discovery of controlled MSM APs – Phase 2
II. Configuration of AP
• MSM AP is adopted by MSM Controller (automatically or authenticated using a local or remote RADIUS server)
• Firmware is updated if needed
• Configuration/policies securely downloaded from controller
[Diagram: MSM Controller and MSM AP: Authenticate, Check Firmware, Push Config]
Discovery of controlled MSM APs – Phase 3
III. AP activates radios/profiles and becomes operational
• MSM Controller uses a secure control tunnel with MSM AP
• Wireless user traffic is directly forwarded to the LAN
[Diagram: Control tunnel between MSM Controller and MSM AP; HOST traffic forwarded directly to the LAN]
Question
How can we provide different setup to different APs?
Configuration of controlled MSM APs: AP Groups
• MSM APs with similar parameters are grouped together:
– Use of Radios (AP, local mesh, sensors)
– Egress VLANs
– Active services
– Location
[Diagram: Group Floor1 (RADIO 1: 802.11n, RADIO 2: 802.11b/g); Group Reception (RADIO 1: 802.11a, RADIO 2: 802.11b/g)]
Question
How do you configure wireless networks for different applications such as Enterprise Users, Voice over IP, Guests?
Virtual Service Community (VSC)
VSC Profile defines:
• Virtual AP parameters: SSID, broadcast
• Encryption, Authentication
• Service quality
• Mobility options
• VLAN usage
• Filters
[Diagram: VSC #Enterprise among the configured Virtual Service Communities]
Question
Can we apply a VSC profile selectively to different groups of APs?
Configuration of controlled MSM APs
Bind VSCs to Groups & associate VLAN to use for edge traffic
[Diagram: VSCs Visitors, Cameras, Enterprise and Voice bound by drag & drop to Group Reception and Group Floor1, with VLAN 40 and VLAN 50 as the edge VLANs]
Default Visitor Interface
"Hidden Node" Issue
Limitation of 802.11
• Hidden node
– Node A, in range of the receiver R, is not in range of the sender B, and therefore cannot know that B is transmitting to R
– When both A and B attempt to transmit to R, CSMA/CA does not work. A collision happens and R receives garbage. Nodes end up re-transmitting
[Diagram: A and B are both in range of R but not of each other; their simultaneous transmissions collide at R]
What Does All This Mean?
If you try to use a high gain antenna to get more penetration (and hence coverage), it does not necessarily work
Myths and Misconceptions
Myth #1: An AP with longer range is better
– Longer range increases the incidence of the hidden node issue
Myth #2: Use an AP that has larger coverage so I can use fewer APs
– See myth #1
– No signal overlap, therefore no AP redundancy
Myth #3: If my laptop sees a strong signal from the AP then wireless coverage is excellent
– The AP may not see a strong signal from your laptop
– See myth #1
Requirement Analysis
Questions to ask (that we usually don't ask):
• What is the purpose of the wireless network?
– This determines the number and type of wireless services
• What applications will run over the wireless network?
– This determines the bandwidth and number of wireless clients supported, and affects AP quantity
• What encryption and authentication will be used?
– This determines the need for Mobility or Access controller
• What are the types of wireless client devices?
– This determines the cell size
• How many concurrent wireless users are expected?
– This determines AP quantity
Learning By Experience
Have your own equipment!
Test it out for yourself!
You have to experience it for yourself!
Mounting of Access Point
Don'ts
• Do not enclose in a metal enclosure
• Do not mount on a metal beam
• Do not mount near lighting fixtures
• Do not mount near air-con ducts and piping
• Do not mount on or behind a refrigerator
• Do not mount it in a closet with a fire retardant door
• Do not mount it more than two walls away from clients
• Do not mount it such that the signal penetrates obliquely through an obstruction
MSM 765 Controller Getting Started
Module
MSM 765 License Install
Install the Product License Key
The starting point for this procedure is the Service OS CLI prompt for the MSM765zl you are activating.
1. Install the product license key:
licenses install activation <license key>
Where <license key> is the product license key just provided by the My
HP Networking portal. The key must be entered precisely as received including
the dashes. If possible, copy and paste the string as received.
2. Boot the MSM765zl product:
boot product
3. At prompt:
System will be rebooted. Do you want to continue [y/n]?
Respond with "y".
The product reboots.
Assign an IP Address to the MSM765zl LAN Port
To set the MSM765zl LAN port IP address, starting from the switch CLI prompt (HP Networking Switch 5406zl#):
1. Select the MSM765zl of interest, specifying the slot and index.
services <slot-id> <index>
2. Enable the chosen MSM765zl CLI and select its config context:
config
3. Select the MSM765zl LAN port interface:
interface ip lan
4. Assign it an IP address of 192.168.1.1 and a subnet mask of 255.255.255.0.
ip address 192.168.1.1/24
References
Getting started manual
http://www.hp.com/rnd/support/manuals/mscseries.htm
MSM Configuration Examples V1.0 PDF (distributed during class)
http://www.procurve.com
Basic Network Troubleshooting
Module
Information resources—Device indicators and settings
• Power, fan, module and port LEDs
• LED mode select button
– Link activity, full-duplex, maximum speed, Error
• Switch hardware statistics
– System-wide information
• Event logs
• LAN port, WAN interface, and wireless AP configuration settings, status, and counters
[Diagram: 5300xl and 3400cl front-panel examples showing the console port, recessed Reset and Clear buttons, status LEDs for fans, power supplies and switch modules, status LEDs for expansion module, RPS, fan and self-test, the LED Mode Select button and indicator LEDs, and the self-test LED]
Information resources—Network topology and connectivity
Network topology and connectivity indicators include:
• LLDP information
– Neighbor status and identifying information
• Spanning Tree information
– Bridge topology information and state of each bridge port
• VLAN information
– List of VLANs, port status (tagged/untagged), VLAN state (up/down)
• Layer 2 forwarding tables
– MAC addresses associated with ports and VLANs
• Layer 3 routing tables
– Currently active dynamic and static routes, next hop gateways
Viewing status of switch hardware
To view system information such as firmware revision, total and free memory and packet buffers, and CPU utilization:
Switch# show system
To view a list of the location, type, and serial number of modules recognized by the switch:
Switch# show module
To view the percentage of load on the CPU during the last one-second, five-second, and one-minute intervals:
Switch# show cpu
Interpreting the Event Log
Event log holds up to 1000 entries
• It is erased when the switch loses power, but retained on reboot (reload or boot)
• To see events since last power cycle:
Switch# show log -a
Listing can be filtered based on the entity that generated the event, for example:
Switch# show log ports
Severity level of Event Log entries viewed at the console is configurable:
Switch(config)# console events <none|debug|all|not-info|critical>
Frequent port state transitions can indicate a problem with cable, port, port module, or client network adapter
Viewing port status
To view operational status of all ports:
Switch# show interfaces brief
• Indicators:
– Administrative state (enabled or disabled)
– Link status (up or down)
– Operational speed/mode, flow control status, and MDI mode
To view configured status of all ports:
Switch# show interfaces config
• Indicators:
– Ports configured with non-default settings
– Administrative state (enabled or disabled)
– Configured speed/mode, flow control status, and MDI mode
Viewing port counters
To view a high level table of counters for all ports:
Switch# show interfaces
• Indicators:
– Total bytes and total frames
– Errors and drops
– Flow control status
To view the details of a specified list of ports:
Switch# show interfaces <port-list>
• Indicators:
– Link status
– Number of unicast and multicast/broadcast packets transmitted and received
– Number of bytes transmitted and received
– Eight different error counters
– Broadcast packet counts
Resolving Spanning Tree issues
When upper layer protocols (IP, TCP, UDP, HTTP, etc.) cannot communicate and Spanning Tree is enabled:
• Isolate to determine whether crucial links are unintentionally blocked by Spanning Tree
Use the output from show span on each switch to update a network map with the following information:
• The state of each port connected to a switch-to-switch link
– Blocking and Forwarding
• Root Port and Designated Port
• Non-default Bridge Priority and Port Priority settings
Resolving VLAN issues
Lack of logical connectivity when physical connection is active can point to a VLAN configuration issue:
• To view a list of configured VLANs:
Switch# show vlan
Verify that the VLAN is 'Up'
• A VLAN is 'Up' if the link status is up for at least one of its port members
• A VLAN is 'Down' if it has no ports with an 'Up' link status
• To view a list of ports per VLAN (with tagging status):
Switch# show vlan <vlan-id>
• To see a list of VLANs per port (without tagging status):
Switch# show vlan <port-list>
Viewing Layer 2 forwarding tables
To view all learned MAC addresses and the port on which each was heard:
Switch# show mac
To view a specific MAC address-to-port mapping:
Switch# show mac <mac-address>
To view MAC addresses heard on a given VLAN:
Switch# show mac <vlan-id>
To view a list of MAC addresses heard on a given port:
Switch# show mac <port-list>
Layer 3 tools and information
For network reachability problems beyond a Layer 3 neighbor:
• First, verify IP routing is enabled; by default it is disabled on switches
• Use ping to determine reachability of a destination
– Recognize the difference between "Network/host unreachable" vs. "Not responding" vs. "Bad IP address"
• Use traceroute to determine the path traversed from a source to a destination
• Use show arp to see a list of neighbors for which the IP addresses have been resolved to their MAC addresses
• Use show ip route to list the currently active dynamic and static routes
– A static route will be removed if the next hop gateway or port that is used becomes unavailable
To send RIP or OSPF messages to the event log, use debug ip rip|ospf
Wireless LAN troubleshooting
Wireless LAN issues usually fall into the following areas:
• Clients
• Access points
• Server or network infrastructure
Where is the problem occurring? Client, AP, server?
• Can I reach the management interface or ping the AP from a management station or wired client?
• Is anybody else associated to this access point?
• Am I using the correct SSID?
• Am I using the correct security settings (WEP, WPA)?
• Can I see any radio signal coming from the AP?
Client troubleshooting
Wireless interface installation issues
• Is the wireless adapter properly installed?
• Are you using the most recent set of drivers?
• Is the radio enabled?
Incorrect WLAN settings
• SSIDs are case sensitive
• Blank SSIDs will associate to any AP with strongest signal
• Radio settings—Ensure radio frequency and speed match the type of the WLAN
Security settings
• Static key issue—WEP, WPA(2)-PSK
• Dynamic—802.1X, WPA(2), 802.11i
• Operating system supplicant compatibility issues
Access point troubleshooting
Installation issues
• Is the AP card properly installed, if applicable?
• Is the radio enabled?
• Country code set, if applicable?
• Lost passwords or username and password
Incorrect WLAN settings
• SSIDs are case sensitive
• Radio settings—Ensure radio frequency and speed match the type of clients on the WLAN
• Security settings must match WLAN clients
Advanced features
• VLAN IDs or RF settings
Access point hardware
• Antenna issues
• Firmware or configuration files corrupt?
Infrastructure troubleshooting
As the mobility solution becomes more secure, the interdependencies increase, especially if username / password authentication is being used
• AP RADIUS server settings
• EAP protocol type
• Authentication server issues: Active Directory, UNIX, Kerberos
• Connectivity issues between AP and RADIUS server, or RADIUS and Authentication server
[Diagram: client (supplicant) – AP (authenticator) – IP network – RADIUS authentication server]
Port mirroring
To get a closer look …
• Traffic from any set of ports may be sent to another port for collection and analysis
• Define the "mirror" port at global configuration level
– Port that receives traffic of ports being monitored
Switch(config)# mirror-port c2
• Enable monitoring within port context configuration level
– Ports whose traffic is copied to the mirror port
– May be a trunked port or a single port
Switch(eth-a12)# monitor
• Keep in mind, the mirror port must be made a member of the same VLAN as the monitored ports