Release Notes: Version K.13.49 Software for the ProCurve Series 3500yl, 6200yl, 5400zl, and 8212zl Switches These release notes include information on the following: ■ Downloading switch software and documentation from the Web (page 2) ■ Best practices for major software updates, including contingency procedures for rolling back to previous software versions and configurations. Please read before updating software versions from K.12.xx to K.13.xx (page 7). ■ Notes for ROM updates required for all yl and zl switches running K.13.45 or earlier (page 17) ■ Clarifications for certain software features (page 20) ■ A listing of software enhancements in recent releases (page 26) ■ A listing of software fixes included in releases K.11.11 through K.13.49 (page 145) ■ Support Notes and Known Issues in releases K.11.11 through K.13.49 (page 17)—includes "Security notes about SNMP access to the hpSwitchAuth MIB objects" and other topics. S u p p or t N o t i c e s : WARNING. Updating to Version K.13.xx: . It is important that you update to K.13.xx from a configuration that has not been previously converted from a pre-K.13.xx format (e.g. a K.11.xx or K.12.xx configuration). If you have previously updated to K.13.xx and rolled back to K.12.xx to workaround an issue, you should load a saved K.12.xx configuration to the switch and boot to it prior to updating to K.13 again. Performing major software updates: Before updating your software version from K.12.xx to K.13.xx, read the recommended best practices for performing major software updates (page 7). Restriction in number of ACL mirror destinations: The K.13.01 software introduced a new restriction to a single ACL mirror destination. For more information, see "Restriction in number of ACL mirror destinations (page 24) . PIM-SM: PIM-SM users should make sure ProCurve switches that run K software should all be on the either pre-K.13.21 or post-K.13.21 versions of software due to a bug fix in K.13.21 that changes the way a rendezvous point is chosen. © Copyright 2006-2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. Publication Number 5991-4720 January 2009 Applicable Products ProCurve Switch 3500yl-24G-PWR Intelligent Edge (J8692A) ProCurve Switch 3500yl-48G-PWR Intelligent Edge (J8693A) ProCurve Switch 6200yl-24G-mGBIC (J8992A) ProCurve Switch 5406zl (J8697A) ProCurve Switch 5412zl (J8698A) ProCurve Switch 5406zl-48G (J8699A) ProCurve Switch 5412zl-96G (J8700A) ProCurve Switch 8212zl (J8715A) Disclaimer HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard. Warranty Trademark Credits Microsoft®, Windows®, and Windows NT® are US registered trademarks of Microsoft Corporation. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java™ is a US trademark of Sun Microsystems, Inc. Software Credits SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit www.openssh.com. SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit www.openssl.org. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com) Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.procurve.com See the Customer Support/Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer. Contents Software Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Premium License Switch Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Download Switch Documentation and Software from the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 View or Download the Software Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Downloading Software to the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 TFTP Download from a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Xmodem Download From a PC or Unix Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Using USB to Download Switch Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Saving Configurations While Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Best Practices for Major Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Updating the Switch: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Updating the Switch: Detailed Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Rolling Back Switch Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Viewing or Transferring Alternate Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 ProCurve Switch, Routing Switch, and Router Software Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 OS/Web/Java Compatibility Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Minimum Software Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Support Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 ROM Update Required! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Using SNMP To View and Configure Switch Authentication Features . . . . . . . . . . . . . . . . . . . . 17 Support for the Wireless Edge Services zl Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 CAUTION: Updating to Version K.13.xx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Clarifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22 Release K.13.02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Release K.13.01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 i Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26 Release K.11.12 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Release K.11.13 through K.11.32 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Release K.11.33 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Release K.11.34 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Release K.11.35 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Release K.11.36 through K.11.39 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Release K.11.40 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Release K.11.41 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Release K.11.42 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Release K.11.43 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Release K.11.44 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Release K.11.45 Through K.11.47 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Release K.11.48 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Release K.11.49 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Release K.11.60 through K.11.63 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Release K.11.64 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Release K.11.68 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Release K.11.69 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Release K.12.01 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Release K.12.02 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Release K.12.03 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Release K.12.04 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Configuring MSTP Port Connectivity Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Release K.12.05 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 How RADIUS-Based Authentication Affects VLAN Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Release K.12.06 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Saving Security Credentials in a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Release K.12.07 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Release K.12.08 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Configuring a System Contact and Location for the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Release K.12.09 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 ii Release K.12.10 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Show VLAN ports CLI Command Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Release K.12.11 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Release K.12.12 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Release K.12.13 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Release K.12.14 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Release K.12.15 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Send SNMP v2c Informs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Release K.12.16 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Release K.12.17 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Release K.12.18 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Release K.12.19 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Release K.12.20 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Release K.12.21 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Release K.12.22 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Release K.12.23 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Release K.12.24 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Release K.12.26 through K.12.29 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Release K.12.30 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Release K.12.31 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Release K.12.32 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Release K.12.33 through K.12.40 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Release K.12.41 through K.12.42 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Release K.12.43 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Release K.12.44 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Release K.12.45 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Release K.12.46 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Release K.12.47 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Release K.12.48 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Release K.12.49 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Release K.12.50 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 iii Release K.12.51 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Release K.12.52 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Release K.12.53 through K.12.55 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Release K.12.56 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Release K.12.57 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Release K.13.01 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Release K.13.02 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 VRRP Pre-Emptive Delay Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Release K.13.03 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 New CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Release K.13.04 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Clear Module Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 VRRP—Dynamic Priority Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 DHCP Option 66 Automatic Configuration Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 BOOTP/DHCP Relay Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Inbound Rate-Limiting for Broadcast and Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 DNS Capabilities for Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Show Module Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 VRRP Option with Debug Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Copy Command with Show Tech Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Release K.13.05 through K.13.15 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Release K.13.16 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Console/Telnet Inactivity Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Management Access Security Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Show Interfaces Custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Mirror Port VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 SSH Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Release K.13.17 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Release K.13.18 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Release K.13.19 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Using a Command Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Configure Logging via SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Customizing Web Authentication HTML Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 iv Enabling Customized Web Authentication Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Release K.13.20 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Release K.13.21 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Release K.13.22 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Release K.13.23 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Release K.13.24 through K.13.25 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Release K.13.26 through K.13.39 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Release K.13.40 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 LACP and Link Traps Global Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Clear Statistics Without Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Increase MAC Lockout to 64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Configure Logging via SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Release K.13.41 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Release K.13.42 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Release K.13.43 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Release K.13.44 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Release K.13.45 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Release K.13.46 through K.13.48 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Release K.13.49 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Software Fixes in Release K.11.12 - K.13.49 . . . . . . . . . . . . . . . . . . . . . . .145 Release K.11.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Release K.11.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Release K.11.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Release K.11.15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Release K.11.16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Release K.11.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Release K.11.32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Release K.11.33 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 v Release K.11.34 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Release K.11.35 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Release K.11.36 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Release K.11.37 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Release K.11.38 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Release K.11.39 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Release K.11.40 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Release K.11.41 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Release K.11.43 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Release K.11.44 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Release K.11.46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Release K.11.47 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Release K.11.48 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Release K.11.49 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Release K.11.61 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Release K.11.62 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Release K.11.63 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Release K.11.64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Release K.11.65 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Release K.11.66 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Release K.11.67 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Release K.11.68 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Release K.11.69 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Release K.12.01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Release K.12.02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 Release K.12.03 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Release K.12.04 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Release K.12.05 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Release K.12.06 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Release K.12.07 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Release K.12.08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 vi Release K.12.09 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Release K.12.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Release K.12.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Release K.12.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Release K.12.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Release K.12.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Release K.12.15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Release K.12.16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Release K.12.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Release K.12.18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Release K.12.19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Release K.12.20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Release K.12.21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Release K.12.22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Release K.12.23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Release K.12.24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Release K.12.25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Release K.12.26 through K.12.29 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Release K.12.30 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Release K.12.31 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Release K.12.32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Release K.12.33 through K.12.40 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Release K.12.41 through K.12.42 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Release K.12.43 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Release K.12.44 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Release K.12.45 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Release K.12.46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Release K.12.47 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Release K.12.48 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Release K.12.49 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Release K.12.50 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 vii Release K.12.51 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Release K.12.52 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Release K.12.53 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Release K.12.54 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Release K.12.55 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Release K.12.56 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Release K.12.57 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Release K.13.02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Release K.13.03 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Release K.13.04 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Release K.13.05 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Release K.13.06 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Release K.13.07 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Release K.13.08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Release K.13.09 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Release K.13.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Release K.13.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Release K.13.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Release K.13.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Release K.13.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Release K.13.15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Release K.13.16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Release K.13.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Release K.13.18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Release K.13.19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Release K.13.20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Release K.13.21 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Release K.13.22 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Release K.13.23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Release K.13.24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Release K.13.25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 viii Release K.13.26 through K.13.39 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Release K.13.40 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Release K.13.41 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Release K.13.42 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Release K.13.43 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Release K.13.44 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Release K.13.45 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Release K.13.46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Release K.13.47 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Release K.13.48 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Release K.13.49 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 ix Software Management Premium License Switch Software Features Software Management Premium License Switch Software Features The ProCurve 3500yl and 5400zl switches ship with the ProCurve Intelligent Edge software feature set. The additional Premium License switch software features for the 3500yl and 5400zl switches can be acquired by purchasing the optional Premium License and installing it on the Intelligent Edge version of these switches. As of February 2008, the Premium License features include the following: • OSPF • PIM Dense mode • PIM Sparse mode • VRRP • QinQ Part numbers for the Premium Licenses are: • 3500yl switches: J8993A • 5400zl switches: J8994A All software features are automatically included on the ProCurve 6200yl and 8212zl switches without the need for a Premium License. To purchase a Premium License for the 3500yl or 5400zl switches, go to the following Web page and click on How To Buy. www.hp.com/rnd/accessories/J8994A/accessory.htm To view or download a listing of Intelligent Edge and Premium License features, refer to the Software Features Index available for download on the product documentation page for your switch model. Note: Switch software Version K.11.33 software or newer is required for proper functioning of Intelligent Edge features on ProCurve Switch 3500yl series, and ProCurve Switch 5400zl series Software Updates Check the ProCurve Networking Web site frequently for free software updates for the various ProCurve switches you may have in your network. 1 Software Management Download Switch Documentation and Software from the Web Download Switch Documentation and Software from the Web You can download software updates and the corresponding product documentation from the ProCurve Networking Web site as described below. View or Download the Software Manual Set Go to: www.procurve.com/manuals You may want to bookmark this Web page for easy access in the future. You can also register on the My ProCurve portal to receive a set of ProCurve switch manuals on CD-ROM. To register and request a CD, go to www.procurve.com and click on My ProCurve Sign In. After registering and entering the portal, click on My Manuals. Downloading Software to the Switch ProCurve Networking periodically provides switch software updates through the ProCurve Networking Web site (www.procurve.com). After you acquire the new software file, you can use one of the following methods for downloading it to the switch: ■ For a TFTP transfer from a server, do either of the following: • ■ Select Download OS in the Main Menu of the switch’s menu interface and use the (default) TFTP option. • Use the copy tftp command in the switch’s CLI (see below). For an Xmodem transfer from a PC or Unix workstation, do either of the following: • Select Download OS in the Main Menu of the switch’s menu interface and select the Xmodem option. ■ • Use the copy xmodem command in the switch’s CLI (page 3). Use the USB port to download a software file from a USB flash drive (page 5). ■ Use the download utility in ProCurve Manager Plus. Note Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes or to be used in another switch of the same model. This section describes how to use the CLI to download software to the switch. You can also use the menu interface for software downloads. For more information, refer to the Management and Configuration Guide for your switch. 2 Software Management Download Switch Documentation and Software from the Web TFTP Download from a Server Syntax:copy tftp flash <ip-address> <remote-os-file> [ < primary | secondary > ] Note that if you do not specify the flash destination, the TFTP download defaults to the primary flash. For example, to download a software file named K_11_1x.swi from a TFTP server with the IP address of 10.28.227.103: 1. Execute the copy command as shown below: ProCurve # copy tftp flash 10.28.227.103 K_11_1x.swi The primary OS image will be deleted. continue [y/n]? Y 03125K 2. When the switch finishes downloading the software file from the server, it displays the progress message Validating and Writing System Software to FLASH... 3. When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded software: a. Use the show flash command to verify that the new software version is in the expected flash area (primary or secondary) b. Reboot the switch from the flash area that holds the new software (primary or secondary), using the following command: Syntax: boot system flash [ < primary | secondary > ] After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting last configured in the menu’s Switch Setup screen. 4. Verify the software version by displaying the system information for the switch (for example, through the show system-information command), and viewing the Software revision field. Xmodem Download From a PC or Unix Workstation This procedure assumes that: ■ The switch is connected via the Console RS-232 port to a PC operating as a terminal. (Refer to the Installation and Getting Started Guide you received with the switch for information on connecting a PC as a terminal and running the switch console interface.) ■ The switch software is stored on a disk drive in the PC. ■ The terminal emulator you are using includes the Xmodem binary transfer feature. (For example, in the HyperTerminal application included with Windows NT, you would use the Send File option in the Transfer drop-down menu.) Using Xmodem and a terminal emulator, you can download a switch software file to either primary or secondary flash using the CLI. 3 Software Management Download Switch Documentation and Software from the Web Syntax: copy xmodem flash [< primary | secondary >] 1. To reduce the download time, you may want to increase the baud rate in your terminal emulator and in the switch to a value such as 115200 bits per second. (The baud rate must be the same in both devices.) For example, to change the baud rate in the switch to 115200, execute this command: ProCurve(config)# console baud-rate 115200 (If you use this option, be sure to set your terminal emulator to the same baud rate.) Changing the console baud-rate requires saving to the Startup Config with the “write memory” command. Alternatively, you can logout of the switch and change your terminal emulator speed and allow the switch to AutoDetect your new higher baud rate (i.e. 115200 bps) 2. Execute the following command in the CLI: ProCurve # copy xmodem flash primary The primary OS image will be deleted. continue [y/n]? Y Press ‘Enter’ and start XMODEM on your host... 3. Execute the terminal emulator commands to begin the Xmodem transfer. For example, using HyperTerminal: a. Click on Transfer, then Send File. b. Type the file path and name in the Filename field. c. In the Protocol field, select Xmodem. d. Click on the Send button. The download can take several minutes, depending on the baud rate used in the transfer. 4. If you increased the baud rate on the switch (step 1), use the same command to return it to its previous setting. (ProCurve recommends a baud rate of 9600 bits per second for most applications.) Remember to return your terminal emulator to the same baud rate as the switch.) 5. Use the show flash command to verify that the new software version is in the expected flash area (primary or secondary) 6. Reboot the switch from the flash area that holds the new software (primary or secondary). After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting last configured in the menu’s Switch Setup screen. 4 Software Management Download Switch Documentation and Software from the Web Using USB to Download Switch Software To use the USB port on the switch to download a software version from a USB flash drive: ■ The software version must be stored on the USB flash drive, and you must know the file name (such as K_12_10.swi). ■ The USB flash drive must be properly installed in the USB port on the switch. Note Some USB flash drives may not be supported on your switch. For information on USB device compatibility, refer to the HP ProCurve support Website: http://www.hp.com/rnd/support/faqs/index.htm. Syntax: copy usb flash <filename> [ < primary | secondary > ] For example, to download a software file named K_12_10.swi from a USB flash drive: 1. Execute the copy command as shown below: ProCurve # copy usb flash K_12_10.swi secondary The secondary OS image will be deleted. continue [y/n]? Y 03125K 2. When the switch finishes downloading the software file from the server, it displays the progress message Validating and Writing System Software to FLASH... 3. When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded software: a. Use the show flash command to verify that the new software version is in the expected flash area (primary or secondary) b. Reboot the switch from the flash area that holds the new software (primary or secondary), using the following command: Syntax: boot system flash [ < primary | secondary > ] After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting last configured in the menu’s Switch Setup screen. 4. 5 Verify the software version by displaying the system information for the switch (for example, through the show system-information command), and viewing the Software revision field. Software Management Saving Configurations While Using the CLI Saving Configurations While Using the CLI The switch operates with two configuration files: ■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file. To save a configuration change, you must save the running configuration to the startup-config file. ■ Startup-Config File: Exists in flash (non-volatile) memory and preserves the most recently-saved configuration as the “permanent” configuration. When the switch reboots for any reason, an exact copy of the current startup-config file becomes the new running-config file in volatile memory. When you use the CLI to make a configuration change, the switch places the change in the running-config file. If you want to preserve the change across reboots, you must save the change to the startup-config file. Otherwise, the next time the switch reboots, the change will be lost. There are two ways to save configuration changes while using the CLI: ■ Execute write memory from the Manager, Global, or Context configuration level. ■ When exiting from the CLI to the Main Menu, press [Y] (for Yes) when you see the “save configuration” prompt: Do you want to save current configuration [y/n]? 6 Software Management Best Practices for Major Software Updates Best Practices for Major Software Updates Major software updates contain new features and enhancements, and are designated by an increment to the major release version number. That is, K.12.xx represents a major update to software version(s) K.11.xx, and K.13.xx represents a major update to K.12.xx, and so forth. To mitigate against potential migration issues when performing such an update, this section documents best practices for updating the switch, including contingency procedures for rolling back to previous software versions and saved configurations. Caution Before you update the switch software to a major new version, ProCurve strongly recommends that you save off a copy of your config file to an external location. ProCurve advises against rolling back (going from a newer software version to an older software version) without copying on a backup config file to the device. Updating the Switch: Overview To perform a major update to your switch software, follow the steps below (see page 8 for details): 1. Download the image to your TFTP server. 2. Save your current configuration (Config1) to a backup configuration file (Config2). 3. Save your current configuration to an external tftp server. 4. Backup your current running image (Primary) to the secondary image. 5. Set your secondary image to boot with Config2. 6. Download the new image to the switch’s primary image. 7. Verify that your images and configuration are set correctly. 8. Reload the switch. After following these steps, you should end up with the following results: ■ Primary image will hold the new software image you want to install (for example, K.13.06) ■ Secondary image will hold the image you are currently running (for example, K.12.57) ■ Primary image will boot with config1 (config file corresponding to new software version—in this example, K.13.06) ■ Secondary image will boot with config2* (config file corresponding to previous software version—in this example, K.12.57) * The current config file must be copied to config2, or you will be unable to revert if the need arises. 7 Software Management Best Practices for Major Software Updates Note: You might opt to use a different methodology in which the new software will be installed as the secondary and not the primary image, in which case you would use the commands boot system flash secondary, and/or boot set-default flash secondary to change the location of the default boot. However, since you will still need to take precautions to allow you to revert to your previous configuration, ProCurve strongly recommends you follow the methods that are proposed in our update process. This will ensure that you can use our proposed roll back procedures should the need arise. Updating the Switch: Detailed Steps The following detailed steps shows how to update the switch software from an existing version to a major new release (in the example provided here, from version K.12.57 to version K.13.06). 1. Download the latest release software image to your TFTP server from the ProCurve Web site.: http://www.hp.com/rnd/software/switches.htm 2. Save your current configuration (Config1) to backup configuration file (Config2). a. Before copying the config, verify the current state of your system using the show version, show flash, and show config files commands. For example: Switch1# show version Image stamp: /sw/code/build/btm(t2g) Dec 7 2007 14:54:57 K.12.57 2415 Boot Image: Primary Switch1# show flash Image Size(Bytes) Date Version -------------- -------- ------Primary Image : 6782942 12/07/07 K.12.57 Secondary Image : 6765066 08/24/07 K.12.43 Boot Rom Version: K.12.12 Default Boot : Primary Switch1# show config files Configuration files: id | act pri sec | name ---+-------------+---------------------------------------------1 | * * * | config1 2 | | 3 | | 8 Software Management Best Practices for Major Software Updates b. Create a backup configuration file and verify the change. Switch1# copy config config1 config config2 Switch1# show config files Configuration files: id | act pri sec | name ---+-------------+---------------------------------------------1 | * * * | config1 2 | | config2 3 | | 3. Save the current config to a tftp server using the copy tftp command. For example: Switch1# copy startup-config tftp 10.1.1.60 Switch1_config_K_12_57.cfg Note This step is necessary because ProCurve does not support roll back (going from a newer software version to an older software version) without the ability to copy a backup config file onto the device. 4. Backup your current running image (primary) to the secondary image. Switch1# copy flash flash secondary Switch1# show flash Image Size(Bytes) Date Version -------------- -------- ------Primary Image : 6782942 12/07/07 K.12.57 Secondary Image : 6782942 12/07/07 K.12.57 Boot Rom Version: K.12.12 Default Boot : Primary 5. Set your secondary image to boot with Config2. Switch1# startup-default secondary config config2 Switch1# show config files Configuration files: id | act pri sec | name ---+-------------+-----------------------------------------------1 | * * | config1 2 | * | config2 3 | | 9 Software Management Best Practices for Major Software Updates Note This step will enable you to revert from K_13_05 to your previous image with your previous configuration just by invoking the command boot system flash secondary. 6. Download the new primary image. Switch1# copy tftp flash 192.168.1.60 K_13_06.swi primary The Primary OS Image will be deleted, continue [y/n]? At the prompt, answer y, for yes, and the new image will be downloaded and written to the File system. Once tftp download has been completed you will see the following message: Validating and Writing System Software to the Filesystem ... 7. Verify that your images and configuration are set correctly. For example, if you updated from K.12.57 to K.13.06, you should see the following outputs from the switch show commands: Switch1# show version Image stamp: /sw/code/build/btm(t2g) Mar 14 2008 09:59:53 K.12.57 2415 Boot Image: Primary Switch1# show flash Image Size(Bytes) Date Version -------------- -------- ------Primary Image : 7350018 03/14/08 K.13.06 Secondary Image : 6782942 12/07/07 K.12.57 Boot Rom Version: K.12.12 Default Boot : Primary Switch1# show config files Configuration files: id | act pri sec | name ---+-------------+-----------------------------------------------1 | * * | config1 2 | * | config2 3 | | 10 Software Management Best Practices for Major Software Updates 8. Reload the new switch image. Switch1# reload System will be rebooted from primary image. Do you want to continue [y/n]? y At the prompt, answer y, for yes, and the switch will boot with the new image. Note: As an additional step, ProCurve advises saving the startup-config to a tftp server using the copy tftp command. For example: Switch1# copy startup-config tftp 10.1.1.60 Switch1_config_K_13_06.cfg Rolling Back Switch Software If you have followed the update procedures documented in the previous section, you should be able to revert to your previous configuration and software version using the steps below. To roll back your switch from K.13.06 to K.12.57, for example, follow the steps below: 1. Verify that your images and configuration are set correctly using the show version, show flash, and show config files commands. Switch1# show version Image stamp: /sw/code/build/btm(t2g) Mar 14 2008 09:59:53 K.13.06 211 Boot Image: Primary Switch1# show flash Image Size(Bytes) Date Version -------------- -------- ------Primary Image : 7350018 03/14/08 K.13.06 Secondary Image : 6782942 12/07/07 K.12.57 Boot Rom Version: K.12.12 Default Boot : Primary Switch1# show config files Configuration files: id | act pri sec | name ---+-------------+------------------------------------------------ 11 Software Management Best Practices for Major Software Updates 1 | 2 | 3 | 2. * * * | config1 | config2 | Boot the switch using the secondary image (with config2). Switch1# boot system flash secondary System will be rebooted from secondary image. Do you want to continue [y/n]? y Answer y, for yes, and the switch will boot from the secondary image (K.12.57, in this example) with the corresponding configuration for that software version (Config2). Viewing or Transferring Alternate Configuration Files Viewing or copying an alternate configuration saved to the switch will always be accomplished through the software currently running on the switch. This may result in a misleading portrayal of the configuration. For example, if a configuration is created on K.12.57 and saved as config2, and if it is then viewed or transferred while the switch is running K.13.06, it will appear as though K.13.06 has converted the configuration. However, the alternate configuration file, config2, will still be intact on the switch and load properly when the switch is booted into the same software version from which the configuration file originated. When an enhancement introduces a feature that did not previously exist in the switch, it may present several challenges to the user. Backwards compatibility of the configuration created with a version of software that supports a new feature or parameter is not guaranteed. Software versions that did not recognize or support a particular command or parameter will not be able to interpret that line in the configuration. For this reason, it is strongly recommended that network administrators always save their configuration while still running the switch with the original software version, and with a notation indicating the software version on which the configuration was saved. For example, a user might save a configuration for a switch running K.12.57 to a TFTP server with an IP address of 10.10.10.15 as follows: ProCurve5406zl-onK1257# copy running-config tftp 10.10.10.15 5406onK1257 If, for example, the user deems it necessary to revert to the use of K.12.57, she can boot into it and then restore the saved config from the TFTP server. Viewing or copying an alternate configuration that is saved to the switch flash can be accomplished only with the software that is currently running on the switch. Here, for example, a configuration is created on K.12.57 and then saved to flash: ProCurve5406zl-onK1257# copy config config2 config K1257config <cr> 12 Software Management Best Practices for Major Software Updates And later, the configuration that was created on K.12.57 is viewed while the switch is running K.13.06: ProCurve5406zl-onK1306# show config K1257config <cr> The command output will show how the K.12.57 config would be interpreted, if it were to be used by the K.13.06 software. Copying the K1257config to a TFTP server would similarly trigger an interpretation by the software performing the file transfer. Note, however, that this does not actually change the configuration. If the version is rolled back from K.13.06 to K.12.57 with a command like the following (given that K.12.57 is stored in secondary flash), the K.12.xx formatted config is still intact and valid. ProCurve5406zl# boot system flash secondary config K1257config This “interpretation” during a TFTP or show command execution is inherent in the architecture of the switch. When switch features change significantly (e.g. the move from IPv4 support to IPv6 support), there may be configuration parameters from the previous config that cannot be translated by the switch for viewing while it is running the new software. This necessitates storing configurations for each version of software to an external location, if the user would like to view the stored config prior to reloading it. 13 Software Management ProCurve Switch, Routing Switch, and Router Software Keys ProCurve Switch, Routing Switch, and Router Software Keys Software Letter ProCurve Networking Products C 1600M, 2400M, 2424M, 4000M, and 8000M CY Switch 8100fl Series (8108fl and 8116fl) E Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl) F Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324 G Switch 4100gl Series (4104gl, 4108gl, and 4148gl) H Switch 2600 Series, Switch 2600-PWR Series: H.07.81 and earlier, or H.08.55 and greater, Switch 2600-8-PWR requires H.08.80 or greater. Switch 6108: H.07.xx and earlier I Switch 2800 Series (2824 and 2848) J Secure Router 7000dl Series (7102dl and 7203dl) K Switch 3500yl Series (3500yl-24G-PWR and 3500yl-48G-PWR), Switch 6200yl-24G, 5400zl Series (5406zl, 5406zl-48G, 5412zl, 5412zl-96G) and Switch 8212zl. L Switch 4200vl Series (4204vl, 4208vl, 4202vl-72, and 4202vl-48G) M Switch 3400cl Series (3400-24G and 3400-48G): M.08.51 though M.08.97, or M.10.01 and greater; Series 6400cl (6400cl-6XG CX4, and 6410cl-6XG X2 ): M.08.51 though M.08.95, or M.08.99 to M.08.100 and greater. N Switch 2810 Series (2810-24G and 2810-48G) PA/PB Switch 1800 Series (Switch 1800-8G – PA.xx; Switch 1800-24G – PB.xx) Q Switch 2510 Series (2510-24) R Switch 2610 Series (2610-24, 2610-24/12PWR, 2610-24-PWR, 2610-48 and 2610-48-PWR) T Switch 2900 Series (2900-24G, and 2900-48G) U Switch 2510-48 VA/VB Switch 1700 Series (Switch 1700-8 - VA and 1700-24 - VB) WA ProCurve Access Point 530 WS ProCurve Wireless Edge Services xl Module and the ProCurve Redundant Wireless Services xl Module WT ProCurve Wireless Edge Services zl Module and the ProCurve Redundant Wireless Services zl Module Y numeric Switch 2510G Series (2510G-24 and 2510G-48) Switch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 6308M-SX (Uses software version number only; no alphabetic prefix. For example 07.6.04.) 14 Software Management OS/Web/Java Compatibility Table OS/Web/Java Compatibility Table The switch Web agent supports the following combinations of OS browsers and Java Virtual Machines: Operating System Internet Explorer Windows NT 4.0 SP6a 5.00, 5.01 5.01, SP1 6.0, SP1 Windows 2000 Pro SP4 5.05, SP2 6.0, SP1 Windows XP Pro SP2 6.0, SP2 and 7.0 Windows Server SE 2003 SP2 Java Sun Java 2 Runtime Environment: – Version 1.3.1.12 – Version 1.4.2.05 Sun Java 2 Runtime Environment: – Version 1.5.0_11, Version 1.6.0 Windows Vista Minimum Software Versions For ProCurve Series 3500yl, 6200yl, 5400zl, and 8212zl Switches and Hardware Features ProCurve Device Product Number Minimum Supported Software Version ProCurve 100-BX-D SFP-LC Transceiver J9099B K.13.45 ProCurve 100-BX-U SFP-LC Transceiver J9100B K.13.45 ProCurve 1000-BX-D SFP-LC Mini-GBIC J9142B K.13.45 ProCurve 1000-BX-U SFP-LC Mini-GBIC J9143B K.13.45 ProCurve 10-GbE X2-SC LRM Optic J9144A K.13.20 J9051A and J9052A K.12.43 Switch 8212zl Base System J8715A K.12.31 100-FX SFP-LC Transceiver J9054B K.12.01 J8993A and J8994A K.11.33 J8706A K.11.33 ProCurve Wireless Edge Services zl Module and the ProCurve Redundant Wireless Services zl Module Premium Features on Series 3500yl and 5400zl Switches Switch 5400zl 24p Mini-GBIC Module 15 Software Management Minimum Software Versions ProCurve Device Product Number Minimum Supported Software Version Switch 5400zl 4p 10-GbE CX4 Module J8708A K.11.33 Switch 6200yl-24G-mGBIC J8992A K.11.33 Switch 3500yl 2p 10GbE X2 + 2p CX4 Module J8694A K.11.17 16 Support Notes Minimum Software Versions Support Notes ROM Update Required! All yl and zl switches running K.12.45 system software or earlier, will have the BootROM updated by this new version of system software. This software download will boot the switch twice, first to update the BootROM to version K.12.14, and then to load the system software. Following file copy to the switch flash and initiation of the reload, no additional user intervention is needed. Do not interrupt power to the switch during this important update. To confirm that the boot ROM and system software have updated successfully following a reload into software version K.13.49 or newer, follow the process below at your switch CLI. ProCurve_zl_yl_Switch# show flash Image Size(Bytes) Date Version -------------- -------- ------Primary Image : 7497667 12/10/08 K.13.49 <--Indicates that system software is updated Secondary Image : 7497667 12/10/08 K.13.49 Boot Rom Version: K.12.14 <-- Indicates the boot ROM is updated Default Boot : Primary Using SNMP To View and Configure Switch Authentication Features Beginning with software release K.12.01, manager read/write access is available for a subset of the SNMP MIB objects for switch authentication (hpSwitchAuth) features. That is, in the default state, a device with management access to the switch can view the configuration for several authentication features, and using SNMP sets, can change elements of the authentication configuration. Security Note In the default configuration for SNMP MIB object access, SNMP sets can be used to reconfigure password and key MIB objects. This means that a device operating as a management station with access to the switch can be used to change the SNMP MIB settings. This can pose a security risk if the feature is used to incorrectly configure authentication features or to reconfigure authentication features to unauthorized settings. If you want to block the SNMP MIB object access described above, use the following command to disable the feature: 17 Support Notes Minimum Software Versions ProCurve(config)# snmp-server mib hpswitchauthmib excluded For more information on the above topic, refer to "Using SNMP To View and Configure Switch Authentication Features" in the "RADIUS Authentication and Accounting" chapter of the Access Security Guide for your switch. For an overview of the security features available on the switch, refer to chapter 1, "Security Overview", in the Access Security Guide for your switch. Security: Downloading and booting software release K.12.01 or greater for the first time automatically enables SNMP access to the hpSwitchAuth MIB objects. If this is not desirable for your network, ProCurve recommends that you disable it after downloading and rebooting with the latest switch software. ACL numbering restrictions: The K.12.01 release enforces ACL numbering restrictions. See the Note under Version K.12.01 Software Fixes on page 160 (PR_1000389442) for details. OSPF virtual link: OSPF virtual links configurations will be lost with the update to K.12.01. See the Note under Version K.12.01 Software Fixes on page 161 (PR_1000374003) for details. MSTP auto-edge-port support and default settings: With version K.12.04 (page 33), automatic detection of edge ports is supported, along with revised command options and default settings. Resources (PR_1000388697): When the switch is writing large files to flash (for example, a transfer of a very large configuration or a software update), switch resources may be impacted during the write operation, causing some potential loss of hello packets. This may impact VRRP, OSPF or spanning tree protocol. In order to mitigate potentially undesirable affects, updates to the switch software should be made during a scheduled downtime. Increasing the hello interval of time sensitive protocols may also assist with mitigation of this issue. Support for the Wireless Edge Services zl Module The addition of support for the zl Wireless Edge Services Module will change the way in which radio ports are treated by the zl and yl Series Switches. If the default setting of LLDP auto-provisioning is left intact, LLDP information from the ProCurve Radio Ports (J9004A, J9005A, J9006A) will trigger these devices to be placed into VLAN 2100 or the first available VLAN not already configured above that (see the section entitled Using Auto-Provisioning to Establish a Radio Port VLAN in the 18 Support Notes Minimum Software Versions Management and Configuration Guide for ProCurve Wireless Edge Services zl Module here: ftp://ftp.hp.com/pub/networking/software/WESM-zl-MgmtCfg-Aug2007-59918626.pdf). Network administrators who do not wish to have the radio ports moved to the auto-provisioned VLAN should disable this feature with the command "no lldp auto-proision" at the CLI. CAUTION: Updating to Version K.13.xx It is important that you update to K.13.xx from a configuration that has not been previously converted from a pre-K.13.xx format (e.g. a K.11.xx or K.12.xx configuration). If you have previously updated to K.13.xx and rolled back to K.12.xx to workaround an issue, you should load a saved K.12.xx configuration to the switch and boot to it prior to updating to K.13 again. 19 Clarifications Minimum Software Versions Clarifications The following clarification or updates apply to documentation for the ProCurve Series 3500yl, 6200yl, 5400zl, and 8212zl Switches as of July 2008. ■ Maximum Number of VLANs Supported in Hardware for PIM-S — Page 4-5 in the Multicast and Routing Guide dated January 2008 for switches running version K software incorrectly states that up to 2048 flows are supported in hardware across a maximum of 512 VLANs. Up to 2048 flows are supported across a maximum of 128 VLANs. ■ Maximum Number of Flows in the MRT — Page 4-41 in the Multicast and Routing Guide dated January 2008 for switches running version K software incorrectly states that up to 1023 flows are supported. Up to 2048 flows are supported. ■ Enabling Jumbo Frames and Flow Control: The Series 3500yl, 6200yl, 5400zl, and 8212zl switches support simultaneous use of Jumbo Frames and Flow Control. (An earlier version of the Management and Configuration Guide had incorrectly stated that these features could not be enabled at the same time.) ■ Clarification for the Number of IP addresses and maximum VLANs that can be configured on the switch: You can configure a maximum of 512 routed VLANs per switch. A VLAN can be configured with up to 32 IP addresses. However, the maximum number of IP addresses that can be configured on the switch is 2048, so it is not possible to configure up to the maximum number of routed VLANs (512) with 32 IP addresses each. For example, if you wanted to use all available IP addresses for the switch and utilize all 512 possible routed VLANS with as many assigned IP addresses as possible, the configuration is calculated as follows: 512 routed VLANs x 4 IP addresses per VLAN = 2048 total IP addresses. Refer to the Advanced Traffic Management Guide for further details. ■ TACACS+ Encryption Key Exclusion from TFTP Copies When using the copy command to transfer a configuration to a TFTP server, any server-specific or global encryption keys in the TACACS+ configuration will not be included in the transferred file. Otherwise, a security breach could occur, allowing access to the TACACS+ user name/password information. ■ RIP and OSPF Redistribution: RIP operation supports static, connected, and OSPF route redistribution. OSPF operation supports static, connected, and RIP route redistribution. (The earlier version of the Advanced Traffic Management Guide omitted RIP and OSPF route redistribution.) 20 Clarifications Minimum Software Versions ■ Maximum UDP Broadcast Forwarding Entries: The number of UDP broadcast entries and IP helper addresses combined can be up to 16 per VLAN, with an overall maximum of 2048 on the switch. An earlier version of the Multicast and Routing Guide (page 5-142) had incorrectly stated that the overall maximum is 256. ■ Reload Command Description Syntax: Reload This command boots the switch from the currently active flash image and startup-config file. Because reload bypasses some subsystem self-tests, the switch boots faster than if you use a boot command. Note: To identify the currently active startup-config file, use the show config files command. (This is a clarification of Syntax: Reload (page 6.33) in the Management and Configuration Guide.) Using Reload The reload command reboots the switch from the flash image on which you are currently booted (primary or secondary) or the flash image that was set either by the boot set-default command or by the last executed boot system flash <primary | secondary> command. Because reload bypasses some subsystem self-tests, the switch reboots faster than when you use either of the boot command options. If you are using redundant management and redundancy is enabled when using reload, the switch will failover to the other management module. (This is a clarification of Using Reload (page 6.24) in the Management and Configuration Guide.) ■ MSTP mCheck: Unlike other MSTP parameters, 'mCheck' is not a configurable option. It is a flag that tells MSTP to initiate transmission of RST/MST BPDUs for a MigrateTime (3 secs) period, to test whether all STP Bridges on the attached LAN have been removed and the Port can migrate to the native MSTP mode and use RST/MST BPDUs for transmission. The 'mCheck' is always cleared (set FALSE) prior to port initialization. Virus-Throttling (Connection-rate filtering): As of release K.12.01, this feature enables notification of worm-like behavior detected on all inbound IP traffic. (The Advanced Traffic Management Guide retains some incorrect references to filtering on IP routed traffic only.) Some of the earlier ProCurve MSTP implementations allowed the 'mCheck' option to be a configurable parameter. It was stored in the config. That was corrected beginning with version K.12.04. 21 Known Issues Minimum Software Versions Known Issues Release K.13.25 The following problems are known issues as of release K.13.25. SFTP/SCP (PR_0000008270) — An SFTP or SCP client session may not close after a config download session ends. The work-around is to close the client manually. Release K.13.23 The following problems are known issues in release K.13.23 or newer. ■ MAC Authentication (PR_0000007477) — When large numbers of MAC authentications are attempted immediately after the switch (re)boots, some of the MAC authentications may fail when they should succeed. Workaround: Increase the RADIUS server delay. Release K.13.08 The following problems are known issues in release K.13.08 or newer. ■ CLI (PR_0000001893) — The copy flash CLI command does not function in ProCurve 8212zl switches running K.13.05 or later. Workaround: use the CLI command copy tftp flash. ■ Config/TFTP (PR_1000748292) — The switch allows conflicting configuration parameters to be loaded via TFTP transfer to the startup-config (ip address <x.x.x.x> and no ip address). ■ Port Security (PR_1000777162) — When Port Security is configured for static MAC address learning, prolonged flooding of unicast traffic may occur under certain conditions. ■ Certificate (PR_1000416167) — The Web Management interface submission form limits CA-signed certificates to 1800 bytes. ■ CLI (PR_1000760929) — The CLI output from the command show name int <x-x> does not display the port number beyond the ninth port. ■ RADIUS/Jumbo (PR_ 1000779048) — When an 802.1X enabled port belongs to a VLAN that is jumbo enabled, the Access-Request will specify a value of Framed-MTU of 9182 bytes. When the RADIUS server replies with a large frame, the switch does not respond, causing the authentication process to halt. ■ SNMP Trap (PR_1000772026) — The ProCurve 3500yl Switches do not send the proper OID value for a Redundant Power Supply (RPS) failure. 22 Known Issues Minimum Software Versions ■ Web (PR_1000761014) — The Web interface truncates 16 character passwords to 15 characters. Workaround: configure 16 character passwords via the CLI. ■ ICMP (PR_1000764033) — ICMP TTL expired messages are being sent with a source address of the interface the message leaves from rather than the interface that receives the expired packet. ■ Auto-TFTP/Config (PR_0000001410) — Auto-TFTP configuration is lost during the update from K.12.xx to K.13.03. ■ Web Authentication (PR_0000000968) — Web authentication to IAS over PEAP may trigger a software exception crash with a message similar to the following. Software exception at exception.c:501 -- in 'mWebAuth', task ID = 0x843c2b0 -> internal error ■ DHCP Snooping (PR_1000469934) — When DHCP Snooping is enabled and configured, and a client sends a “DHCPINFORM” after receiving address information, the DHCP Server response is not forwarded to the client by the switch. ■ CLI (PR_1000745509) — There are multiple issues with respect to the output from the CLI command show ipv6 neighbor vlan <x>. ■ Module Selftest (PR_0000001273) — After reboot, ports 1-24 or ports 25-48 on the ProCurve 3500yl or ports 1-24 on the 6200yl Switches may become unresponsive followed by green and amber port LEDs remaining lit. Ports recover automatically. The log file will show the following messages. chassis: Ports 1-24: Slave ROM Tombstone: 0x13000601 chassis: Ports 1-24: Lost Communications detected - Heart Beat Lost(4A) chassis: Ports 1-24 Downloading chassis: Ports 1-24 Download Complete chassis: Ports 1-24 Ready ■ ECMP (PR_1000798467) — A switch using OSPF ECMP may mis-route traffic for routes with long prefixes (/31 or /32). ■ CLI (PR_1000782972) — The CLI command show system power provides incorrect output for those regions that use a 220 volt standard. ■ CLI (PR_1000430534) — Output from the show port-access mac-based CLI command may omit connected clients. ■ CLI (PR_1000776583) — The output for CLI command show access-list resources does not accurately display the number of QoS/ACL masks available. ■ Config Transfer (PR_1000781015) — A config file transfer will fail with a “corrupted configuration” message, if the config file specifies MDIX-mode for a dual-personality port. 23 Known Issues Release K.13.02 ■ Config Transfer (PR_1000781004) — The switch allows a config file transfer to set an invalid speed-duplex setting on a 100FX SFP. ■ Config Transfer (PR_1000781031) — When the valid port setting 'auto-1000' is configured for a 10/100/1000 interface and the configuration gets copied to the switch, the port setting is altered to 'auto.' ■ Config Transfer (PR_1000781011) — A config file copied to the switch allows an entry to enable flow control on a half-duplex interface. However, flow control on a half-duplex interface is disabled, as specified by IEEE 802.3 Annex 31B. ■ CLI (PR_1000775644) — When flow control is enabled, the output from a show int brief CLI command inaccurately indicates that flow control is off. Release K.13.02 The following are known issues in release K.13.02 or newer. ■ ACL Mirrors: Beginning with K.13.02 software, ACLs can only be mirrored to a single destination. Release K.13.01 The following are known issues in release K.13.01 or newer. ■ Rate-Limiting: The "bps" mode for Ingress/Egress Rate-Limiting has been removed from the MIB, from the config, and as a CLI option (help-text also updated). Bandwidth is now measured in KBPS. Configurations which have rate-limiting configured in bps units will be successfully converted to the updated unit of measurement as the software is updated from K.11.xx or K.12.xx to K.13.xx. ■ PCM+ USB Autorun (PR_1000767612) — Issuing the command copy startup-config usb test may crash the switch when executed in a PCM+ Autorun cmd file. The crash message is similar to: PPC Data Storage (Bus Error) exception vector 0x300: ■ Restriction in number of ACL mirror destinations — The K.13.01 software introduced a new restriction to a single ACL mirror destination. K.12 versions of software allowed up to 4 ACL mirror destinations. Users with multiple ACL mirror sessions must edit their configurations so that they contain only a single mirror destination prior to updating to K.13.01 or newer software. If a switch with multiple ACL mirror destinations is updated from K.12.xx to K.13.01 or newer, only the first destination will function. The additional mirror sessions will have to be edited out of the configuration offline, and the valid configuration then loaded onto the switch. 24 Known Issues Release K.13.01 25 Enhancements Release K.11.12 Enhancements Enhancements Unless otherwise noted, each new release includes the enhancements added in all previous releases. Enhancements are listed in chronological order, oldest to newest software release. To review a summary of enhancements included since the last general release that was published, begin with “Release K.13.01 Enhancements” on page 69. Descriptions and detailed instructions for enhancements included in Release K.13.01 or earlier are included in the latest release of manuals for the ProCurve Series 3500yl, 6200yl, 5400zl, and 8212zl switches (January 2008), available on the Web at www.hp.com/rnd/support/manuals. Release K.11.11 was the first production software release for the ProCurve 3500yl, 6200yl, and 5400zl Series switches. Release K.12.31 was the first production software release for the ProCurve 8212zl switch. Release K.12.57 is the last public release of the K.12.xx software. The 3500yl, 6200yl, 5400zl, and 8212zl software code was rolled to the K.13.0x code branch with no intervening releases. Release K.11.12 Enhancements Release K.11.12 includes the following enhancement: ■ MSTP Enhancement Implementation of legacy path cost MIB and CLI option for MSTP. Release K.11.13 through K.11.32 Enhancements No enhancements, software fixes only. Release K.11.33 Enhancements ■ With the K.11.33 software release, support for the following ProCurve products was added: • • • • J8698A / J8700A(bundle) for the ProCurve switch 5412zl J8706A - ProCurve Switch 5400zl 24p Mini-GBIC Module J8708A - ProCurve Switch 5400zl 4p 10-GbE CX4 Module J8992A - ProCurve Switch 6200yl-24G-mGBIC Release K.11.34 Enhancements Release K.11.34 includes the following enhancements: ■ Increased number of Telnet/SSH sessions: The maximum number of simultaneous Telnet/SSH sessions has been increased from three to five. The CLI commands show telnet and show ip ssh now report on five sessions rather than just three. 26 Enhancements Release K.11.35 Enhancements ■ CLI-configured sFlow with multiple instances: In earlier software releases, the only method for configuring sFlow on the switch was via SNMP using only a single sFlow instance. Beginning with software release K.11.34, sFlow can also be configured via the CLI for up to three distinct sFlow instances. For more information, refer to the section on “CLI-Configured sFlow with Multiple Instances” in the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch. ■ Event log display options: Two new options have been added to provide greater flexibility in viewing event log entries via the CLI. The show logging command now includes an option to reverse the standard display, and a clear logging command has been added to remove all event log entries from the show logging display output. For more information, refer to the section on “Using the Event Log To Identify Problem Sources” in the Appendix titled “Troubleshooting” in the Management and Configuration Guide for your switch. ■ Scheduled reload: Additional parameters have been added to the reload command to allow for a scheduled reboot of the switch via the CLI. For more information, refer to the section on “Rebooting your Switch” in the Chapter titled “Switch Memory and Configuration” in the Management and Configuration Guide for your switch. ■ Real-time rate display: The show interface port-utilization command provides a real-time rate display for all ports on the switch. Release K.11.35 Enhancements Release K.11.35 includes the following enhancement: ■ Added support for STP Per-Port BPDU Filtering and SNMP Traps. ■ Added an option to configure the switch to use the management VLAN IP address in the Option 82 field for all DHCP requests received from various VLANs. Release K.11.36 through K.11.39 Enhancements No new enhancements, software fixes only. Release K.11.40 Enhancements Release K.11.40 includes the following enhancement: ■ 27 RSTP/MSTP BPDU Protection: When this feature is enabled on a port, the switch will disable (drop the link) of a port that receives a spanning tree BPDU, log a message, and optionally, send an SNMP trap. Enhancements Release K.11.41 Enhancements Release K.11.41 Enhancements Release K.11.43 includes the following enhancement: ■ Added support for Unidirectional Fiber Break Detection (UDLD). Release K.11.42 Enhancements No enhancements, software fixes only. Release K.11.43 Enhancements Release K.11.43 includes the following enhancement: ■ 802.1X Controlled Directions enhancement. With this change, Administrators can use “Wake-on-LAN” with computers that are connected to ports configured for 802.1X authentication. Release K.11.44 Enhancements Release K.11.44 includes the following enhancement: ■ Loop Protection enhancement allows STP to detect and block network topology loops on a single port. Release K.11.45 Through K.11.47 Enhancements No enhancements, software fixes only. Release K.11.48 Enhancements Release K.11.48 includes the following enhancement: ■ The show tech transceiver CLI command output now contains the HP part number and revision information for all transceivers (mGBICs) on the switch. Release K.11.49 Enhancements Release K.11.49 includes the following enhancement: ■ DHCP Protection (Snooping) enhancement. 28 Enhancements Release K.11.60 through K.11.63 Enhancements Release K.11.60 through K.11.63 Enhancements No enhancements, software fixes only. ■ Versions K.11.50 through K.11.59 were never built. ■ Version K.11.60 was never released. Release K.11.64 Enhancements Release K.11.64 includes the following enhancement: ■ Loop Protection feature additions, including packet authentication, loop detected trap, and receiver port configuration. ■ Historical information about MAC addresses that have been moved has been added to the "show tech" command output. Release K.11.68 Enhancements Release K.11.68 includes the following enhancement: ■ Improved SFlow function to accommodate bursty traffic. Release K.11.69 Enhancements No new enhancements, software fixes only. Release K.11.69 is the last release of the K.11.xx software. The 3500yl, 6200yl, and 5400zl switch series software code was rolled to the K.12.0x code branch with no intervening releases. 29 Enhancements Release K.12.01 Enhancements Release K.12.01 Enhancements Release K.12.01 is a major software update containing many new features and enhancements to existing features. The following updates have been documented in the latest revisions to the manuals (February 2007). Refer to the manuals for additional details. Software Manual/ Enhancements Description Management and Configuration Guide Bi-directional Rate Limiting: In earlier releases, all traffic rate-limiting applied to inbound traffic only, and was specified as a percentage of total bandwidth. This enhancement allows you to configure outbound rate-limiting for all traffic on a port, and specify bandwidth usage in terms of bits per second (bps). Loopback Interface: A virtual interface that is always up and reachable as long as at least one of the IP interfaces on the switch is operational. By default, each switch has an internal loopback interface (lo0). You can configure up to seven other loopback interfaces on the switch. USB Support Provides an option for using a USB device as a source or destination for file transfers. Refer to "Using USB To Download Switch Software" in the "File Transfers" appendix of the Management and Configuration Guide for your switch (February 2007 or newer). For information on USB device compatibility on the 3500yl, 5400zl, and 6200yl switches, refer to the HP ProCurve support Website: http://www.hp.com/rnd/support/faqs/index.htm. Intelligent Mirroring Enables copying of network traffic from a network interface to a local or remote exit port where a host such as a traffic analyzer or intrusion detection system (IDS) is connected. DNS Resolver Used in local network domains to enable the use of a hostname or fully-qualified domain name to perform ping and traceroute operations from the switch. SNMP-Server Source IP Provides added security by allowing you to send SNMP replies from the Commands: same IP address as the one on which the corresponding SNMP request was received. SNMPv3 AES Support: Authentication and privacy for SNMPv3 users has been enhanced to support AES 128-bit encryption as a privacy protocol in SNMPv3 messages in compliance with RFC 3826. Multicast and Routing Guide OSPF NSAA: Support for Not-So-Stubby-Areas (NSAA). DHCP Relay: Enhancements to the DHCP Relay feature allow you to disable the hop count in DHCP requests, and enable support for up to 2048 IP helper addresses of DHCP servers. 30 Enhancements Release K.12.01 Enhancements Software Manual/ Enhancements Description Advanced Traffic Management Guide Qos Queue Config: Allows you to reduce the number of outbound queues that all switch ports will use to buffer packets for 802.1p user priorities. Number of Default VLANs: In the factory default state, support has been increased from 8 VLANs to 256 VLANs. (You can reconfigure the switch to support up to 2048 (vids up to 4094) VLANs.) Migrating Layer 3 VLANs Using Allows you to upgrade to ProCurve routing switches without stopping the VLAN MAC Configuration: operation of attached hosts that use existing routers as their default gateway to route traffic between VLANs. Access Security Guide RADIUS AAA: Provides client-level security that allows LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the LAN by entering valid user credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. SNMP Access to Switch Enables manager read/write access for a subset of the SNMP MIB objects Authentication features: for switch authentication features. Security Note: Downloading and booting software release K.12.01 or greater for the first time automatically enables SNMP access to the hpSwitchAuth MIB objects. For more information, or to disable this feature see“Support Notes” on page 17 for details. Password Set via SNMP: Allows configuration of username and password via SNMP. Client-based Access Control: In earlier releases, all traffic rate-limiting applied to inbound traffic only, and was specified as a percentage of total bandwidth. This enhancement allows you to configure outbound rate-limiting for all traffic on a port, and specify bandwidth usage in terms of bits per second (bps). Virus Throttling This enhancement allows connection-rate filtering on all IP traffic (not just on Bridged Traffic: routed traffic as in earlier releases). ACLs on Port Traffic and Bridged Allows configuration of ACLs to filter traffic entering the switch on a VLAN Traffic: or port. Dynamic ARP Protection: Protects your network from ARP cache poisoning by dropping packets, with an invalid IP-to-MAC address binding, that are received on untrusted ports. Instrumentation Monitor: Protects your network from a variety of common attacks by generating alerts for detected anomalies on the switch. 31 Enhancements Release K.12.02 Enhancements Software Manual/ Enhancements Description Controlled Directions Allows you to use the aaa port-access controlled-directions command to Web/MAC Auth: configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state. This feature is available for both 802.1X and Web/MAC authorization. Note on Manual Updates: In addition to the above updates to the manuals, the chapter on ACLs has been moved from the Advanced Traffic Management Guide to the Access Security Guide. The Access Security Guide also provides a new introductory “Security Overview” chapter, plus a new chapter on “Advanced Threat Protection” covering topics such as DHCP Snooping and Dynamic Arp Protection. In addition to the updates listed above, K.12.01 also provides the following enhancements: ■ Enhancement (PR_1000298920) — A ping request issued to a VLAN which is down will now return a more specific message; instead of "request timed out," the message "The destination address is unreachable" will be displayed. ■ Enhancement (PR_1000373226) — Support was added for the ProCurve 100-FX SFP-LC Transceiver (J9054B). ■ Enhancement (PR_1000376626) — Enhance CLI qos dscp-map help and show dscp-map text to warn the user that inbound classification based on DSCP code points only occurs if qos type-of-service diff-services is also configured. Release K.12.02 Enhancements No enhancements, software fixes only. Release K.12.03 Enhancements Release K.12.03 includes the following enhancements: ■ Enhancement (PR_1000379804) — Historical information about MAC addresses that have been moved has been added to the show tech command output. ■ Enhancement (PR_1000398393) — For the interface <port-list> speed-duplex command, added the auto-10-100 configuration option to constrain a link to 10/100 Mbps speed and allow a more rapid linkup process when 1000 Mbps operation is not possible. ■ Enhancement (PR_1000404544) — Provides TCP/UDP port range prioritization in the qos command; the range option assigns an 802.1p priority to (IPv4) TCP or UDP packets associated with a range of TCP/UDP ports. qos <udp-port | tcp-port> < tcp/udp port number | range <tcp/udp port number > <tcp/udp port number > > priority < 0 - 7> 32 Enhancements Release K.12.04 Enhancements For more information, refer to “QoS TCP/UDP Priority” in the Advanced Traffic Management Guide. Release K.12.04 Enhancements Release K.12.04 includes the following enhancement: ■ Enhancement MSTP (PR_1000369492) — Update of MSTP implementation to the latest IEEE P802.1Q-REV/D5.0 specification to stay in compliance with the protocol evolution. For more information on selected configuration options and updated MSTP port parameters, see “Configuring MSTP Port Connectivity Parameters” below. Configuring MSTP Port Connectivity Parameters With release K.12.04, all ports are configured as auto-edge-ports by default, and the spanning tree edge-port option has been removed. This section describes selected spanning-tree <port-list> command parameters for enhanced operation. Basic port connectivity parameters affect spanning-tree links at the global level. Therefore, in most cases, ProCurve recommends that you use the revised default settings for these parameters and apply changes on a per-port basis only where a non-default setting is clearly indicated by the circumstances of individual links (for example, see the root-guard option below). To display the spanning-tree settings for each port, use the show spanning-tree config command. Syntax: [no] spanning-tree < port-list > < auto-edge-port | admin-edge-port | mcheck | root-guard | tcn-guard > [auto-edge-port] Enables auto-edge-port operation for MSTP, and supports the automatic detection of edge ports. (Default: Yes, enabled) The port will look for BPDUs for 3 seconds; if there are none it begins forwarding packets. If admin-edge-port is enabled for a port, the setting for auto-edge-port is ignored whether set to yes or no. If admin-edge-port is disabled, and auto-edge-port has not been disabled, then the auto-edge-port setting controls the behavior of the port. The no spanning-tree < port-list > auto-edge-port command disables auto-edge-port operation on the specified ports. 33 Enhancements Release K.12.04 Enhancements [admin-edge-port] Enables admin-edge-port for RSTP/MSTP. If a bridge or switch is detected on the segment, the port automatically operates as non-edge, not enabled. (Default: No - disabled) If admin-edge-port is disabled on a port and auto-edge-port has not been disabled, the auto-edge-port setting controls the behavior of the port. The no spanning-tree < port-list > admin-edge-port command disables admin-edge-port operation on the specified ports. [mcheck] Forces a port to send RSTP/MSTP BPDUs for 3 seconds. This allows for another switch connected to the port and running RSTP to establish its connection quickly and for identifying switches running 802.1D STP. If the whole-switch force-version parameter is set to stp-compatible, the switch ignores the mcheck setting and sends 802.1D STP BPDUs out all ports. [root-guard] MSTP only. When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an “alternate” port role and enters a blocking state if it receives superior STP BPDUs. The BPDUs received on a root-guard port are ignored. All other BPDUs are accepted and the external devices may belong to the spanning tree as long as they do not claim to be the Root device. (Default: No - disabled) Note: In standard Spanning Tree Protocol operation, the calculation of active network topologies may be an issue when switches outside the core region of a network are under shared or limited administrative control. Such a switch may become a Root Bridge for the entire network and create non-optimal forwarding paths. By enabling the root-guard feature on ports that face outside the core network, external boundaries for the core network are created to ensure the Root Bridge is located within the core network. [tcn-guard] When tcn-guard is enabled for a port, it causes the port to stop propagating received topology change notifications and topology changes to other ports. (Default: No - disabled) 34 Enhancements Release K.12.04 Enhancements Syntax: spanning-tree < port-list > < hello-time | path-cost | point-to-point-mac | priority > [hello-time < global | 1 - 10 > When the switch is the CIST root, this parameter specifies the interval (in seconds) between periodic BPDU transmissions by the designated ports. This interval also applies to all ports in all switches downstream from each port in the < port-list >. A setting of global indicates that the ports in < port-list > on the CIST root are using the value set by the global spanning-tree hello-time value. When a given switch “X” is not the CIST root, the per-port hello-time for all active ports on switch “X” is propagated from the CIST root, and is the same as the hello-time in use on the CIST root port in the currently active path from switch “X” to the CIST root. (That is, when switch “X” is not the CIST root, then the upstream CIST root’s port hello-time setting overrides the hello-time setting configured on switch “X”. (Default Per-Port setting: Use Global. Default Global Hello-Time: 2.) [path-cost < auto | 1.200000000 >] Assigns an individual port cost that the switch uses to determine which ports are forwarding ports in a given spanning tree. In the default configuration (auto) the switch determines a port’s path cost by the port’s type: – 10 Mbps: 2000000 – 100 Mbps: 200000 – 1 Gbps: 20000 point-to-point-mac <true | false | auto > This parameter informs the switch of the type of device to which a specific port connects. True (default): Indicates a point-to-point link to a device such as a switch, bridge, or end-node. False: Indicates a connection to a hub (which is a shared LAN segment). Auto: Causes the switch to set False on the port if it is not running at full duplex. (Connections to hubs are half-duplex.) 35 Enhancements Release K.12.05 Enhancements priority < 0.15 > MSTP uses this parameter to determine the port(s) to use for forwarding. The port with the lowest assigned value has the highest priority. While the actual priority range is 0 to 240, this command specifies the priority as a multiplier (0-15) of 16. That is, when you specify a priority multiplier of 0-15, the actual priority assigned to the switch is: (priority-multiplier) x 16 = priority The default priority-multiplier value is 8. For example, if you configure “2” as the priority multiplier for a given port, then the actual priority is 32. Thus, after you specify the port priority multiplier, the switch displays the actual port priority (and not the multiplier) in the show spanning-tree config display. You can view the actual multiplier setting for ports by executing show running and looking for an entry in this form: spanning-tree <port-list> priority <priority-multiplier> For example, configuring port 2 with a priority multiplier of “3” results in this line in the show running-config output: spanning-tree B2 priority 3 Release K.12.05 Enhancements Release K.12.05 includes the following enhancement: ■ Enhancement (PR_1000408960) — RADIUS-Assigned GVRP VLANs enhancement. For more information, see “How RADIUS-Based Authentication Affects VLAN Operation” below. How RADIUS-Based Authentication Affects VLAN Operation Using a RADIUS server to authenticate clients, you can provide port-level security protection from unauthorized network access for the following authentication methods: ■ 802.1X: Port-based or client-based access control to open a port for client access after authenticating valid user credentials. ■ MAC address: Authenticates a device’s MAC address to grant access to the network. ■ Web-browser interface: Authenticates clients for network access using a Web page for user login. 36 Enhancements Release K.12.05 Enhancements Note You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 32 clients allowed on the port. (The default is one client.) Web authentication and MAC authentication are mutually exclusive on the same port. Also, you must disable LACP on ports configured for any of these authentication methods. For more information, refer to the “Configuring Port-Based and User-Based Access Control (802.1X)” and “Web and MAC Authentication” chapters of the Access Security Guide. VLAN Assignment on a ProCurve Port Following client authentication, VLAN configurations on a ProCurve port are managed as follows when you use 802.1X, MAC, or Web authentication: ■ The port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. Tagged VLAN membership allows a port to be a member of multiple VLANs simultaneously. ■ The port is temporarily assigned as a member of an untagged (static or dynamic) VLAN for use during the client session according to the following order of options. a. The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication. b. If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the authorized-client VLAN configured for the authentication method. c. If the port does not have an authorized-client VLAN configured, but is configured for membership in an untagged VLAN, the switch assigns the port to this untagged VLAN. Operating Notes ■ 37 During client authentication, a port assigned to a VLAN by a RADIUS server or an authorized-client VLAN configuration is an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN. The following restrictions apply: • If the port is assigned as a member of an untagged static VLAN, the VLAN must already be configured on the switch. If the static VLAN configuration does not exist, the authentication fails. • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRP-learned dynamic VLANs for port-access authentication must be enabled Enhancements Release K.12.05 Enhancements If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails. ■ To enable the use of a GVRP-learned (dynamic) VLAN as the untagged VLAN used in an authentication session, enter the aaa port-access gvrp-vlans command, as described in “Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions” on page 42. ■ Enabling the use of dynamic VLANs in an authentication session offers the following benefits: • You avoid the need of having static VLANs pre-configured on the switch. • You can centralize the administration of user accounts (including user VLAN IDs) on a RADIUS server. For information on how to enable the switch to dynamically create 802.1Q-compliant VLANs on links to other devices using the GARP VLAN Registration Protocol (GVRP), refer to the “GVRP” chapter in the Advanced Traffic Management Guide. ■ For an authentication session to proceed, a ProCurve port must be an untagged member of the (static or dynamic) VLAN assigned by the RADIUS server (or an authorized-client VLAN configuration). The port temporarily drops any current untagged VLAN membership. If the port is not already a member of the RADIUS-assigned (static or dynamic) untagged VLAN, the switch temporarily reassigns the port as an untagged member of the required VLAN (for the duration of the session). At the same time, if the ProCurve port is already configured as an untagged member of a different VLAN, the port loses access to the other VLAN for the duration of the session. (A port can be an untagged member of only one VLAN at a time.) When the authentication session ends, the switch removes the temporary untagged VLAN assignment and re-activates the temporarily disabled, untagged VLAN assignment. ■ If GVRP is already enabled on the switch, the temporary untagged (static or dynamic) VLAN created on the port for the authentication session is advertised as an existing VLAN. If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session” on page 39), the disabled VLAN assignment is not advertised. When the authentication session ends, the switch: • Removes the temporary untagged VLAN assignment and stops advertising it. • Re-activates and resumes advertising the temporarily disabled, untagged VLAN assignment. ■ If you modify a VLAN ID configuration on a port during an 802.1X, MAC, or Web authentication session, the changes do not take effect until the session ends. ■ When a switch port is configured with RADIUS-based authentication to accept multiple 802.1X and/or MAC or Web authentication client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session. 38 Enhancements Release K.12.05 Enhancements Therefore, on a port where one or more authenticated client sessions are already running, all such clients are on the same untagged VLAN. If a RADIUS server subsequently authenticates a new client, but attempts to re-assign the port to a different, untagged VLAN than the one already in use for the previously existing, authenticated client sessions, the connection for the new client will fail. For more on this topic, refer to “802.1X Open VLAN Mode” in the “Configuring Port-Based and Client-Based Access Control (802.1X)” chapter in the Access Security Guide. Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session The following example shows how an untagged static VLAN is temporarily assigned to a port for use during an 802.1X authentication session. In the example, an 802.1X-aware client on port A2 has been authenticated by a RADIUS server for access to VLAN 22. However, port A2 is not configured as a member of VLAN 22 but as a member of untagged VLAN 33 as shown in Figure 1. Scenario: An authorized 802.1X client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and VLAN 33 is untagged on port A2. Figure 1. Example of an Active VLAN Configuration in the Menu Interface View In Figure 1, if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client use VLAN 22, then: ■ VLAN 22 becomes available as Untagged on port A2 for the duration of the session. ■ VLAN 33 becomes unavailable to port A2 for the duration of the session (because there can be only one untagged VLAN on any port). To view the temporary VLAN assignment as a change in the active configuration, use the show vlan <vlan-id> command as shown in Figure 2, where <vlan-id> is the (static or dynamic) VLAN used in the authenticated client session. 39 Enhancements Release K.12.05 Enhancements In the show command output, port A2 is temporarily configured as untagged on VLAN 22 for an 802.1X session. This temporary configuration change is necessary to accommodate an 802.1X client’s access, authenticated by a RADIUS server, in which the server included an instruction to assign the client session to VLAN 22. Note: In the current VLAN configuration ( Figure 1), port A2 is only listed as a member of VLAN 22 in show vlan 22 output when an 802.1X session with an authenticated client is active. Otherwise, port A2 is not listed. Figure 2. Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session However, as shown in Figure 1, because VLAN 33 is configured as untagged on port A2 and because a port can be untagged on only one VLAN, port A2 loses access to VLAN 33 for the duration of the 802.1X session on VLAN 22. You can verify the temporary loss of access to VLAN 33 by entering the show vlan 33 command as shown in Figure 3. Although port A2 is configured as Untagged on VLAN 33 (Figure Figure 1), port A2 is not listed in show vlan 33 output during the 802.1X session that uses VLAN 22 in Untagged mode. However, when the 802.1X session on VLAN 22 ends, the active configuration restores port A2 as an untagged member of VLAN 33. Figure 3. Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session 40 Enhancements Release K.12.05 Enhancements When the 802.1X client session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored as shown in Figure 4. When the 802.1X session on VLAN 22 ends, the active configuration restores VLAN 33 on port A2. Figure 4. The Active Configuration for VLAN 33 Restores Port A2 After the 802.1X Session Ends 41 Enhancements Release K.12.05 Enhancements Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions Syntax: aaa port-access gvrp-vlans Enables the use of dynamic VLANs (learned through GVRP) in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802.1X, MAC, or Web authentication session. Enter the no form of this command to disable the use of GVRP-learned VLANs in an authentication session. For information on how to enable a switch to dynamically create 802.1Q-compliant VLANs, refer to the “GVRP” chapter in the Access Security Guide. Notes: 1. If a port is assigned as a member of an untagged dynamic VLAN, the dynamic VLAN configuration must exist at the time of authentication and GVRP for port-access authentication must be enabled on the switch. If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails. 2. After you enable dynamic VLAN assignment in an authentication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks. The interface unknown-vlans command allows you to: • Disable the port from sending advertisements of existing GVRP-created VLANs on the switch. • Drop all GVRP advertisements received on the port. For more information, refer to the “GVRP” chapter in the Advanced Traffic Management Guide. 3. If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated. (This behavior differs form how static VLAN assignment is handled in an authentication session. If you remove the configuration of the static VLAN used to create a temporary client session, the 802.1X, MAC, or Web authenticated client is deauthenticated.) However, if a RADIUS-configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation (for example, if no GVRP advertisements for the VLAN are received on any switch port), authenticated clients using this VLAN are deauthenticated. For information on how static and dynamic VLANs are assigned in a RADIUS-based 802.1X, MAC, or Web authentication session, refer to the “How RADIUS-Based Authentication Affects VLAN Operation” section in the “RADIUS Authentication and Accounting” chapter of the Access Security Guide. 42 Enhancements Release K.12.06 Enhancements Release K.12.06 Enhancements Release K.12.06 includes the following enhancement: ■ Enhancement (PR_1000308332) — Passwords (hashed) can be saved to the configuration file. Saving Security Credentials in a Configuration File In software release K.12.06 and greater, you can store and view the following security settings in the running-config file associated with the current software image by entering the include-credentials command. Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file. ■ Local manager and operator passwords and (optional) user names that control access to a management session on the switch through the CLI, menu interface, or Web browser interface ■ SNMP security credentials used by network management stations to access a switch, including authentication and privacy passwords ■ Port-access passwords and usernames used as 802.1X authentication credentials for access to the switch ■ TACACS+ encryption keys used to encrypt packets and secure authentication sessions with TACACS+ servers ■ RADIUS shared secret (encryption) keys used to encrypt packets and secure authentication sessions with RADIUS servers ■ Secure Shell (SSH) public keys used to authenticate SSH clients that try to connect to the switch. Benefits of Saving Security Credentials The benefits of including and saving security credentials in a configuration file are as follows: ■ After making changes to security parameters in the running configuration, you can experiment with the new configuration and, if necessary, view the new security settings during the session. After verifying the configuration, you can then save it permanently by writing the settings to the startup-config file. ■ By permanently saving a switch’s security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the ProCurve switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch. 43 Enhancements Release K.12.06 Enhancements ■ By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files by changing the configuration file used when you reboot the switch. For more information about how to experiment with, upload, download, and use configuration files with different software versions, refer to the following chapters: ■ “Switch Memory and Configuration” and “File Transfers” in the Management and Configuration Guide ■ “Configuring Username and Password Security” in the Access Security Guide Security Settings that Can Be Saved This section describes the security settings that can be saved to a configuration file in software release K.12.06 and greater: ■ Local manager and operator passwords and user names ■ SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings ■ 802.1X port-access passwords and usernames ■ TACACS+ encryption keys ■ RADIUS shared secret (encryption) keys ■ Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch Local Manager and Operator Passwords In software releases earlier than K.12.06, the manager and operator passwords and user names used to start a management session on the switch are treated as follows: ■ You set the passwords and (optional) user names using the CLI or menu interface as described in “Configuring Local Password Security” in the Access Security Guide. ■ Only the following information is saved to the running configuration: password manager [user-name <name>] password operator [user-name <name>] 44 Enhancements Release K.12.06 Enhancements In software release K.12.06 and greater, you cannot view the configured local password settings in plain text. However, by entering the include-credentials command described later, you can view a hash of the local password settings in the running-config file, in the format: password manager [user-name <name>] <hash-type> <pass-hash> password operator [user-name <name>] <hash-type> <pass-hash> Where: <name> is an alphanumeric string for the user name assigned to the manager or operator. <hash-type> indicates the type of hash algorithm used: SHA-1. <pass-hash> is the SHA-1 authentication protocol’s hash of the password. For example, a manager username and password may be stored in a running-config file as follows: password manager user-name Spock SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 If you permanently save password configurations in the startup-config file by entering the write memory command, the passwords take effect when a switch boots with the software version associated with the configuration file. Caution If a startup configuration file does not contain a manager or operator password, the switch will not have password protection and can be accessed through Telnet, the serial port, or Web interface with full manager privileges. Password Command In software release K.12.06 and greater, the password command in the CLI is enhanced to support the following syntax: Syntax: [no] password <manager | operator | port-access> [user-name <name>] <hash-type> <password> Where: ■ manager configures access to the switch with manager-level privileges. ■ operator configures access to the switch with operator-level privileges. ■ port-access configures access to the switch through 802.1X authentication with operator-level privileges. ■ user-name <name> is the (optional) text string of the user name associated with the password. 45 Enhancements Release K.12.06 Enhancements ■ The <hash-type> parameter specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1. ■ The <password> parameter is the clear ASCII text string or SHA-1 hash of the password. You can enter a manager/operator password in clear ASCII text or hashed format, while the port-access password must be clear ASCII text only. Manager and operator passwords are displayed and saved in a configuration file only in hashed format; port-access passwords are displayed and saved only as plain ASCII text. After you enter the complete command syntax that includes the password, the password is set and you are not prompted to enter the password a second time. This command enhancement allows you to configure manager, operator, and 802.1X port-access passwords using the CLI in only one step (instead of entering the password command and then being prompted twice to enter the actual password, as in software releases earlier than K.12.06). ■ For more information about configuring local manager and operator passwords, refer to the “Configuring Username and Password Security” chapter in the Access Security Guide. ■ For more information about configuring a port-access password for 802.1X client authentication, see “802.1X Port-Access Credentials” on page 47. SNMP Security Credentials In software releases earlier than K.12.06, SNMP security credentials are saved in a configuration file as follows: ■ SNMPv1 community names and write-access settings are saved as shown in the following example: snmp-server community "vulcan" Unrestricted ■ SNMPv3 authorization and privacy protocols and passwords used with each SNMPv3 user are not saved. However, SNMPv3 user names are saved; for example: snmpv3 user "initial" In software release K.12.06 and greater, SNMPv1 community names and write-access settings, and SNMPv3 usernames are still saved in the running configuration when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user “<name>" [auth <md5|sha> “<auth-pass>”] [priv “<priv-pass>"] Where: <name> is the name of an SNMPv3 management station. auth <md5 | sha> is the (optional) authentication method used for the management station. 46 Enhancements Release K.12.06 Enhancements <auth-pass> is the hashed authentication password used with the configured authentication method. priv “<priv-pass>” is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station. The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file: snmpv3 user boris \ auth md5 “9e4cfef901f21cf9d21079debeca453” \ priv “82ca4dc99e782db1a1e914f5d8f16824” snmpv3 user alan \ auth sha “8db06202b8f293e9bc0c00ac98cf91099708ecdf” \ priv “5bc4313e9fd7c2953aaea9406764fe8bb629a538” Figure 5. Security Credentials for SNMPv3 Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, as shown in the preceding example. For more information about the configuration of SNMP security parameters, refer to the “Configuring for Network Management Applications” chapter in the Management and Configuration Guide. 802.1X Port-Access Credentials In software release K.12.06 and greater, 802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch. 802.1X supplicant credentials are used by the switch to establish a point-to-point connection to a port on another 802.1X-aware switch. Only 802.1X authenticator credentials are stored in a configuration file. For information about how to use 802.1X on the switch both as an authenticator and a supplicant, refer to the “Configuring Port-Based and Client-Based Access Control (802.1X)” chapter in the Access Security Guide. In software release K.12.06 and greater, the local password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command (password port-access) is introduced to configure the local operator username and password used as 802.1X authentication credentials for access to the switch. The password port-access values are now configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see “Password Command” on page 45. 47 Enhancements Release K.12.06 Enhancements After you enter the complete password port-access command syntax, the password is set. You are not prompted to enter the password a second time. TACACS+ Encryption Key Authentication You can use TACACS+ servers to authenticate users who request access to a switch through Telnet (remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of: ■ Remote passwords assigned in a TACACS+ server ■ Local manager and operator passwords configured on the switch. When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For improved security, you can configure a global or server-specific encryption key that encrypts data in TACACS+ packets transmitted between a switch and a RADIUS server during authentication sessions. The key configured on the switch must match the encryption key configured in each TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.) For more information, refer to the “TACACS+ Authentication” chapter in the Access Security Guide. In software releases earlier than K.12.06, the global and server-specific TACACS+ encryption keys cannot be saved in a configuration file that can be copied from the switch. These keys are stored only in flash memory and can be viewed by using the show tacacs command. In software release K.12.06 and greater, TACACS+ shared secret (encryption) keys can be saved in a configuration file with the following syntax: tacacs-server key <keystring> Where: <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server. RADIUS Shared-Secret Key Authentication You can use RADIUS servers as the primary authentication method for users who request access to a switch through Telnet, SSH, Web interface, console, or port-access (802.1X). The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network. For more information, refer to the “RADIUS Authentication and Accounting” chapter in the Access Security Guide. In software releases earlier than K.12.06, the global and server-specific RADIUS encryption keys cannot be saved in a configuration file that can be copied from the switch. These keys are stored only in flash memory and can be viewed by using the show radius command. 48 Enhancements Release K.12.06 Enhancements In software release K.12.06 and greater, RADIUS shared secret (encryption) keys can be saved in a configuration file with the following syntax: radius-server key <keystring> Where: <keystring> is the encryption key (in clear text) used for secure communication with all or a specific RADIUS server. SSH Client Public-Key Authentication Secure Shell version 2 (SSHv2) is used by ProCurve switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions. SSH client public-key authentication is one of the types of authentication used. Client public-key authentication uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a public key stored on the switch can gain access at the manager or operator level. For more information about how to configure and use SSH public keys to authenticate SSH clients that try to connect to the switch, refer to the “Configuring Secure Shell” chapter in the Access Security Guide. In software releases earlier than K.12.06, client public-keys that are used to authenticate SSH clients are only stored in flash memory, not in the running-config file. You can view the SSH public keys stored on a switch by entering the show crypto client-public-key command. The only SSH security credential that is stored in the running configuration are the following commands: aaa authentication ssh login public-key aaa authentication ssh enable public-key ■ The aaa authentication ssh login public-key command allows operator access using SSH public-key authentication. ■ The aaa authentication ssh enable public-key command allows manager access using SSH public-key authentication. In software release K.12.06 and greater, the SSH security credential that is stored in the running configuration is the syntax of the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key. The syntax of the ip ssh public-key command is as follows: ip ssh public-key <manager|operator> <keystring> Where: manager allows manager-level access using SSH public-key authentication. operator allows operator-level access using SSH public-key authentication. <keystring> is a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. 49 Enhancements Release K.12.06 Enhancements If the keystring contains double-quotes, it can be quoted with single quotes ('keystring'). The following restrictions for a keystring apply: ■ A keystring cannot contain both single and double quotes. ■ A keystring cannot have extra characters, such as a blank space or a new line. However, to improve readability, you can add a backlash at the end of each line. Note In software release K.12.01 and earlier, you can add up to ten SSH client public-keys to the switch only by using the copy command; for example: $ copy tftp public-key ip-addr filename <manager|operator> [append] If you enter the optional append keyword, the transmitted public-keys are added to existing SSH public-key configurations. If you omit the append keyword, the transmitted keys overwrite existing SSH public-key configurations. In software release K.12.06 and greater, the ip ssh public-key command allows you to configure only one SSH client public-key at a time. (This command behavior differs from the copy command, which in earlier software releases allows you to load up to ten SSH client public-key configurations at once if they are stored in a single file on a TFTP server.) Therefore, the ip ssh public-key command behavior includes an implicit append that never overwrites existing public-key configurations on a running switch. In all software releases, if you download a software configuration file that contains SSH client public-key configurations, the downloaded public-keys overwrite any existing keys, as happens with any other configured values. To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file: 50 Enhancements Release K.12.06 Enhancements ... include-credentials ip ssh public-key manager “ssh-dss \ AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ EvYnTKxQ31bWvr/bT7W58NX/YJ1ZKTV2GZ2QJCicUUZVWjNFJCsa0v03XS4 BhkXjtHhz6gD701otgizUOO6/Xzf4/J9XkJHkOCnbHIqtB1sbRYBTxj3NzA K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP pv2scqPPXQghgaTkdPwGGtdFW/+K4xRskAnIaxuG0qLbnekohi+ND4TkKZd EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf/QV95kdNwWIbxuusBAzvfaJptd gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7/1kVOdS G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK+piG+Q1el1w9zsMaxPA1XJzSY/ imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf/LdQ2kqZjUuIyV9 LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov” ip ssh public-key manager ‘ssh-rsa \ AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R JRs1Eov6y1RK3XkmgVatzl+mspiEmPS4wNK7bX/IoXNdGrGkoE8tPkxlZOZ oqGCf5Zs50P1nkxXvAidFs55AWqOf4MhfCqvtQCe1nt6LFh4ZMig+YewgQG M6H1geCSLUbXXSCipdPHysakw== "TectiaClientKey [1024-bit rsa, nobody@testmachine, Mon Aug 15 2005 14:47:34]”’ ip ssh public-key manager “ssh-rsa \ AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM qPFj1zdI4sIo5bDett2d0= joe@hp.com” ... \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ Figure 6. Example of Hashed Content of an SSH Client Public Key If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch. 51 Enhancements Release K.12.06 Enhancements Enabling the Storage and Display of Security Credentials To enable the security settings described in “Security Settings that Can Be Saved” on page 44 to be included and viewed in the running configuration on the switch, enter the include-credentials command. Syntax: [no] include-credentials Enables the inclusion and display of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public-keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.) To view the currently configured security settings in the running configuration, enter one of the following commands: • show running-config: Displays the configuration settings in the current running-config file. • write terminal: Displays the configuration settings in the current running-config file. For more information, refer to the “Switch Memory and Configuration” chapter in the Management and Configuration Guide. To copy the contents of the running-config file from the switch to a USB flash memory device, enter the copy running-config usb command. For more information, refer to the “File Transfers” appendix in the Management and Configuration Guide. The “no” form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration. Default: The security credentials described in “Security Settings that Can Be Saved” on page 44 are not stored in the running configuration. 52 Enhancements Release K.12.06 Enhancements Operating Notes Caution ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file. You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration. The message reminds you that if you do not save the current values of these security settings from the running configuration, they will be lost the next time you boot the switch and will revert to the values stored in the startup configuration. ■ When you boot a switch with a startup configuration file that contains the include-credentials command, any security credentials that are stored in internal flash memory are ignored and erased. The switch will load only the security settings in the startup configuration file, if any. ■ In software releases earlier than K.12.06, configuration changes to some security credentials (described in “Security Settings that Can Be Saved” on page 44) are applied immediately and saved in internal storage (flash memory) on the switch. They do not require you to enter the write memory command to permanently save them in the startup configuration. However, in software release K.12.06 and greater, this switch behavior changes. Security settings are no longer automatically saved internally in flash memory and loaded with the startup configuration when a switch boots up. The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off or reboot the switch. A warning message reminds you to permanently save a security setting, which was formerly automatically saved in internal flash, after you configure it. ■ After you enter the include-credentials command, the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public-keys are saved in the running configuration. Use the no include-credentials command to disable the display and copying of these security parameters from the running configuration (using the show running-config and copy running-config commands), without disabling the configured security settings on the switch. After you enter the include-credentials command, you can toggle between the non-display and display of security credentials in show and copy command output by alternately entering the no include-credentials and include-credentials commands. 53 Enhancements Release K.12.06 Enhancements ■ After you permanently save security configurations to the current startup-config file using the write memory command, you can view and manage security settings with the following commands: • show config: Displays the configuration settings in the current startup-config file. • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot. • copy config tftp: Uploads a configuration file from the switch to a TFTP server. • copy tftp config: Downloads a configuration file from a TFTP server to the switch. • copy config xmodem: Uploads a configuration file from the switch to an Xmodem host. • copy xmodem config: Downloads a configuration file from an Xmodem host to the switch. For more information, refer to the “Switch Memory and Configuration” chapter in the Management and Configuration Guide. ■ ■ The switch supports the storage of up to three configuration files. Each configuration file contains its own security credentials and these security configurations may differ. It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image. • When you load a configuration file associated with a software release earlier than K.12.06 on a switch running software release K.12.06 or greater, all security credentials in the configuration file are supported. • When you load a configuration file associated with a software release K.12.06 or greater on a switch running a software release earlier than K.12.06, all security credentials saved with the include-credentials command are rejected as invalid configurations by the earlier software. If you have already enabled the storage of security credentials (including local manager and operator passwords) by entering the include-credentials command, the Reset-on-clear option is disabled. When you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the running configuration. However, the switch does not reboot after the local passwords are erased. (The reset-on-clear option normally reboots the switch when you press the Clear button.) For more information about the Reset-on-clear option and other front-panel security features, refer to the “Configuring Username and Password Security” chapter in the Access Security Guide. 54 Enhancements Release K.12.06 Enhancements ■ ■ 55 If you upgrade ProCurve software on a switch from an earlier software release to software release K.12.06 or greater and then enter the include-credentials command, security passwords are managed as follows: • The manager password (if any) in the earlier software version is copied into the running configuration. The other two configuration files, if configured, will not have a manager password configured. • The operator password (if any) in the earlier software version is copied into the running configuration. The other two configuration files, if configured, will not have an operator password configured. • No port-access password for 802.1X authentication is configured. The operator password in the earlier software version is not automatically copied as the new port-access password. To configure password access to the switch through 802.1X authentication, use the password port-access command as described in “Password Command” on page 45. (It is not recommended that you use the same password for operator console access and for 802.1X port-access authentication.) • The SSH client public-keys for manager and operator access are copied from flash memory into the running configuration. • The RADIUS shared secret and TACACS+ encryption keys for access to authentication servers are already included in the running configuration. • SNMPv3 user credentials are already included in the running configuration. If you downgrade ProCurve software on a switch and use a software release earlier than K.12.06, security passwords are managed as follows: • Because SNMPv3 user credentials, RADIUS shared secret keys, and TACACS+ encryption keys are already included in the startup configuration, these security credentials are not lost. They continue to be used in the earlier software version. • The local manager and operator passwords are not recognized by an earlier software version and are not saved in the running configuration. However, passwords in inactive configuration files remain stored there. Although they are not displayed in show config command output, they are not automatically erased. • Although the hashed SSH client public-keys (for manager and operator access) are not recognized by an earlier software version, they remain stored so that they are immediately reloaded if you upgrade back to software release K.12.06 or greater. • As in a software upgrade, no port-access (operator) password for 802.1X authentication is saved from software release K.12.06 or greater. Enhancements Release K.12.06 Enhancements Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host’s private key is only stored internally; for example, on the switch or on an SSH client device. ■ SNMPv3 security credentials saved to a configuration file on a switch cannot be used after downloading the file on a different switch. The SNMPv3 security parameters in the file are only supported when loaded on the same switch for which they were configured. The reason is that when SNMPv3 security credentials are saved to a configuration file, they are saved with the engine ID of the switch as shown here: snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01 If you download a configuration file with saved SNMPv3 security credentials on a switch, when the switch loads the file with the current software version, the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file. (To display the engine ID of a switch, enter the show snmpv3 engine-id command. To configure authentication and privacy passwords for SNMPv3 users, enter the snmpv3 user command.) If the engine ID in the saved SNMPv3 security settings in a downloaded configuration file does not match the engine ID of the switch: • The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privileges you want. • Only the snmpv3 user <user_name> credentials from the SNMPv3 settings in a downloaded configuration file are loaded on the switch; for example: snmpv3 user boris snmpv3 user alan ■ In software release K.12.06 and greater, you can store 802.1X authenticator (port-access) credentials in a configuration file. However, 802.1X supplicant credentials cannot be stored. ■ In software release K.12.06 and greater, the local operator password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command (password port-access) is introduced to configure the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration by using the include-credentials command. 56 Enhancements Release K.12.07 Enhancements Note that the password port-access values are configured separately from local operator username and passwords that are configured with the password operator command and used for management access to the switch. For more information about how to use the password port-access command to configure operator passwords and usernames for 802.1X authentication, refer to the “Configuring Port-Based and Client-Based Access Control (802.1X)” chapter in the Access Security Guide. Release K.12.07 Enhancements No enhancements, software fixes only. Release K.12.08 Enhancements Release K.12.08 includes the following enhancement: ■ Enhancement (PR_1000413764) — Increase the size of the sysLocation and sysContact entries from 48 to 255 characters. Configuring a System Contact and Location for the Switch Both the system-contact and the system-location fields allow up to 255 characters when configured through the CLI or the Web browser interface. CLI Command Syntax: snmp-server [contact <system-contact>] [location <system-location>] where < system-contact > and <system-location > are ASCII strings up to 255 characters each. Web Browser Interface Using the Web browser interface for the switch, click the Configuration tab, and select System Info to access the System Location and System Contact fields. In each field, you can enter ASCII strings up to 255 characters each. You can view all the characters by using the cursor to scroll through the field. Menu Interface Unlike the CLI command and the Web browser interface, the Menu interface will only allow configuration of System Contact and System Location strings of up to 48 characters. However, if a System Contact or System Location string length configured through the CLI command or Web browser interface exceeds 48 characters, the Menu fields will display “+” followed by the last 47 characters of the string. Use the CLI show running, show config, or show system-information commands to see the complete text string. 57 Enhancements Release K.12.09 Enhancements Release K.12.09 Enhancements No enhancements, software fixes only. Release K.12.10 Enhancements Release K.12.10 includes the following enhancement: ■ Enhancement (PR_1000419653) — The show vlan ports command was enhanced to display each port in the VLAN separately, display the friendly port name (if configured), and display the VLAN mode (tagged/untagged) for each port. See “Show VLAN ports CLI Command Enhancement” below. Show VLAN ports CLI Command Enhancement The show vlan ports command has been enhanced with an option (detail) to display VLAN memberships on a per-port basis when a range of ports is specified in the command. In addition, user-specified port names will be displayed (if assigned), along with tagged or untagged membership modes. Displaying the VLAN Membership of One or More Ports This command shows VLAN memberships associated with a port or a group of ports. Syntax show vlan ports < port-list > [detail] Displays VLAN information for an individual port or a group of ports, either cumulatively or on a detailed per-port basis. port-list: Specify a single port number, a range of ports (for example, a1-a16), or all. detail: Displays detailed VLAN membership information on a per-port basis. Descriptions of items displayed by the command are provided below. Port name: The user-specified port name, if one has been assigned. VLAN ID: The VLAN identification number, or VID. Name: The default or specified name assigned to the VLAN. For a static VLAN, the default name consists of VLAN-x where “x” matches the VID assigned to that VLAN. For a dynamic VLAN, the name consists of GVRP_x where “x” matches the applicable VID. Status: Port-Based: Port-Based, static VLAN Protocol: Protocol-Based, static VLAN Dynamic: Port-Based, temporary VLAN learned through GVRP. 58 Enhancements Release K.12.10 Enhancements Voice: Indicates whether a (port-based) VLAN is configured as a voice VLAN. Jumbo: Indicates whether a VLAN is configured for Jumbo packets. For more on jumbos, refer to the chapter titled “Port Traffic Controls” in the Management and Configuration Guide for your switch. Mode: Indicates whether a VLAN is tagged or untagged. The following examples illustrate the displayed output depending on whether the detail option is used. ProCurve# show vlan ports a1-a33 Status and Counters - VLAN Information - for ports A1-A33 VLAN ID ------1 10 20 33 Name ----------------DEFAULT_VLAN VLAN_10 VLAN_20 GVRP_33 | + | | | | Status ---------Port-based Port-based Protocol Dynamic Voice ----No Yes No No Jumbo ----No No No No ProCurve# Figure 7. Example of “Show VLAN Ports” Cumulative Listing ProCurve# show vlan ports a1-a4 detail Status and Counters - VLAN Information - for ports A1 Port name: Voice_Port VLAN ID Name ------- ----------------1 DEFAULT_VLAN 10 VLAN_10 | + | | Status ---------Port-based Port-based Voice ----No Yes Jumbo ----No No Mode -----Untagged Tagged Status and Counters - VLAN Information - for ports A2 Port name: Uplink_Port VLAN ID Name ------- ----------------1 DEFAULT_VLAN 20 VLAN_20 33 GVRP_33 | + | | | Status ---------Port-based Protocol Dynamic Voice ----No No No Jumbo ----No No No Mode -----Untagged Tagged Tagged Status and Counters - VLAN Information - for ports A3 VLAN ID Name | Status + Figure 8. Example of “Show VLAN Ports” Detail Listing 59 Voice Jumbo Mode Enhancements Release K.12.11 Enhancements Release K.12.11 Enhancements No enhancements, software never released. Release K.12.12 Enhancements No enhancements, software fixes only. Release K.12.13 Enhancements No enhancements, software never released. Release K.12.14 Enhancements No enhancements, software fixes only. Release K.12.15 Enhancements Release K.12.15 includes the following enhancement: ■ Enhancement (PR_1000427592) — This enhancement adds the client’s IP address to the RADIUS accounting packets sent to the RADIUS server by the switch. The IP address of the client is included in the RADIUS accounting packet sent by the switch to the RADIUS server. The client obtains the IP address through DHCP, so DHCP snooping must be enabled for the VLAN of which the client is a member. ■ Enhancement (PR_1000428642) — The SNMP v2c describes two different notification-type PDUs: traps and informs. Prior to this software release, only the trap’s sub-type was supported. This enhancement adds support for informs. Send SNMP v2c Informs Enabling and Configuring SNMP Informs You can use the snmp-server informs command (SNMPv2c and SNMPv3 versions) to send notifications when certain events occur. When an SNMP Manager receives an informs request, it can send an SNMP response back to the sending agent. This lets the agent know that the informs request reached its destination and that traps can be sent successfully to that destination. Informs requests can be sent several times until a response is received from the SNMP manager or the configured retry limits are reached. The request may also timeout. 60 Enhancements Release K.12.15 Enhancements To enable SNMP informs, enter this command: Syntax: [no] snmp-server enable informs Enables or disables the informs option for SNMP. Default: Disabled To configure SNMP informs request options, use the following commands. Syntax: [no] snmp-server informs [retries<retries>] [timeout<seconds>] [pending <pending>] Allows you to configure options for SNMP informs requests. retries: Maximum number of times to resend an informs request. Default: 3 timeout: Number of seconds to wait for an acknowledgement before resending the informs request. Default: 30 seconds pending: Maximum number of informs waiting for acknowledgement at any one time. When the maximum configured number is reached, older pending informs are discarded. Default: 25 To specify the manager that receives the informs request, use the snmp-server host command. Syntax: snmp-server host < ip-address >[<traps | informs>] [version <1 | 2c | 3>]< community-string > Using community name and destination IP address, this command designates a destination network-management station for receiving SNMP event log messages from the switch. If you do not specify the event level, then the switch does not send event log messages as traps. You can specify up to 10 trap receivers (network management stations). Note: In all cases, the switch sends any threshold trap(s) or informs to the network management station(s) that explicitly set the threshold(s). [traps | informs>] Select whether SNMP traps or informs are sent to this management station. [version <1 | 2c | 3>] Select the version of SNMP being used. Note: SNMP informs are supported on version 2c or 3 only. [<none | all | non-info | critical | debug>] Options for sending switch Event Log messages to a trap receiver. The levels specified with these options apply only to Event Log messages, and not to threshold traps. 61 Enhancements Release K.12.16 Enhancements You can see if informs are enabled or disabled with the show snmp-server command as shown in Figure 9. ProCurve(config)# show snmp-server SNMP Communities Community Name MIB View Write Access ---------------- -------- -----------public Manager Unrestricted Trap Receivers Link-Change Traps Enabled on Ports [All] : All Send Authentication Traps [No] : No Informs [Yes] : Yes Address | Community ---------------------------------------- Events Sent in Trap ---------------- Excluded MIBs Snmp Response Pdu Source-IP Information Selection Policy : Default rfc1517 Trap Pdu Source-IP Information Selection Policy : Default rfc1517 Figure 9. Example Showing SNMP Informs Option Enabled Release K.12.16 Enhancements No enhancements, software fixes only. Release K.12.17 Enhancements No enhancements, software fixes only. Release K.12.18 Enhancements Release K.12.18 includes the following enhancement: 62 Enhancements Release K.12.19 Enhancements ■ Enhancement (PR_1000428213) — This software enhancement adds the ability to configure a secondary authentication method to be used when the RADIUS server is unavailable for the primary port access method. For more information, see the ProCurve Access Security Guide. ■ Enhancement (PR_1000415155) — The ARP age timer was enhanced from the previous limit of 240 minutes to allow for configuration of values up to 1440 minutes (24 hours) or "infinite" (99,999,999 seconds or 3.2 years). For more information, see the ProCurve Multicast and Routing Guide. ■ Enhancement (PR_1000438015) — The banner message of the day (MOTD) size has been increased to support up to 3070 characters. Release K.12.19 Enhancements No enhancements, software fixes only. Release K.12.20 Enhancements No enhancements, software fixes only. Release K.12.21 Enhancements Release K.12.21 includes the following enhancement: ■ Enhancement (PR_1000440049) — Classifier-Based Rate Limiting capability was added. Classifier-Based Rate Limiting (also known as Rate Limit Port ACLs or RL-PACLs) allows you to create an ACL and apply it on a per-port basis to rate-limit network traffic. For more information, see the ProCurve Access Security Guide. ■ Enhancement (PR_1000374051) — The 5400zl switches are not detecting packets from an Avaya G700 PBX or Cajun switch due to irregular Ethernet packets sent by those devices. This is a workaround that will alter the 5400zl software to allow 100Mb operation on the upcoming "C" revision of the 1000 Base-T Mini-GBICs (J8177C) that fit in the J8705A module. The port containing the 1000 Base-T Mini-GBIC can be configured with new speed options of "auto-100," "100-full," and "100-half." ■ Enhancement (PR_1000443349) — This enhancement is to allow the concurrent use of SFTP with TACACS+ authentication for SSH connections. For more information, see the ProCurve Access Security Guide. 63 Enhancements Release K.12.22 Enhancements Release K.12.22 Enhancements Release K.12.22 includes the following enhancement: ■ Enhancement (PR_1000443026) — Support for the new revision "C" Mini-GBICs was added to the CLI and the "show tech" command. ■ Enhancement (PR_1000444415) — OSPF Passive Interface support was added. For more information, see the ProCurve Multicast and Routing Guide. Release K.12.23 Enhancements Release K.12.23 includes the following enhancement: ■ Enhancement (PR_1000449129) — This enhancement allows MAC or Web-based authentication to use PEAP/MS-CHAPv2 protocols in addition to the default setting of CHAP. For more information, see the ProCurve Access Security Guide. Release K.12.24 Enhancements No enhancements, software fixes only. Release K.12.26 through K.12.29 Enhancements No enhancements; Never built. Release K.12.30 Enhancements No enhancements; Never released. Release K.12.31 Enhancements Release K.12.31 includes the following enhancement: ■ Enhancement — Support for the following ProCurve product was added. J9091A / J8715A (bundle) for the ProCurve switch 8212zl Release K.12.32 Enhancements Never released. Build K.12.32 includes the following enhancement: 64 Enhancements Release K.12.33 through K.12.40 Enhancements ■ Enhancement — Merged all of the K.12.24 and earlier software fixes and enhancements with the ProCurve switch 8212zl support. Release K.12.33 through K.12.40 Enhancements No enhancements; Never built. Release K.12.41 through K.12.42 Enhancements No enhancements; Never released. Release K.12.43 Enhancements Release K.12.43 includes the following enhancement: ■ Enhancement — Support for the following ProCurve products was added. J9051A ProCurve Wireless Edge Services zl Module J9052A ProCurve Redundant Wireless Edge Services zl Module For more information, see “Support for the Wireless Edge Services zl Module” on page 18. Release K.12.44 Enhancements Release K.12.44 includes the following enhancement: ■ Enhancement (PR_1000457691) — This enhancement allows the mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some of the VLANs are not currently configured on the switch. (This enhancement was subsequently improved, see “Release K.12.51 Enhancements” on page 66.) For more information on MSTP VLANs, see the ProCurve Advanced Traffic Management Guide. ■ Enhancement (PR_1000457868) — Local Proxy ARP enhancement. For more information, see the ProCurve Multicast and Routing Guide. ■ Enhancement (PR_1000456271) — PC attached to telephone. (This enhancement was subsequently removed, see “Release K.12.47 Enhancements” on page 66.) For more information on endpoint device discovery, see the sections on LLDP-MED in the ProCurve Management and Configuration Guide. This enhancement was added back with Release K.12.51 (see “Release K.12.51 Enhancements” on page 66). 65 Enhancements Release K.12.45 Enhancements Release K.12.45 Enhancements No enhancements; Never released. Release K.12.46 Enhancements No enhancements; Never released. Release K.12.47 Enhancements Release K.12.47 includes the following enhancement: ■ Enhancement Removed (PR_1000468258) — The PC attached to IP telephone enhancement was removed. Release K.12.48 Enhancements Release K.12.48 includes the following enhancement: ■ Enhancement Removed (PR_1000470136) — Removal of the enhancement that allows the mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some of the VLANs are not currently configured on the switch. The initial implementation of this enhancement did not allow smooth migration of pre-existing MSTP configurations. (For information on the initial implementation, see “Release K.12.44 Enhancements” on page 65. This enhancement was subsequently improved and re-introduced, see “Release K.12.51 Enhancements” on page 66.). Release K.12.49 Enhancements No enhancements; Bug fixes only. Release K.12.50 Enhancements No enhancements; Bug fixes only. Release K.12.51 Enhancements Release K.12.51 includes the following enhancements: 66 Enhancements Release K.12.52 Enhancements ■ Enhancement (PR_10004570598) — An improved version of the MSTP-VLAN mapping enhancement referenced in PR_1000457691 was added. This enhancement allows the mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some of the VLANs are not currently configured on the switch. For more information, see the ProCurve Management and Configuration Guide. ■ Enhancement (PR_1000471015) — Reintroduction of the feature referenced in PR_1000456271, that will allow a PC to connect with its RADIUS-assigned VLAN after an attached IP phone has authenticated on the authenticating port. For information on the initial implementation, see “Release K.12.44 Enhancements” on page 65. Release K.12.52 Enhancements Release K.12.52 includes the following enhancement (Never Released.): ■ Enhancement (PR_1000458484) — This enhancement allows the user to set a maximum frame size for jumbo frames at the global level. For more information, see the ProCurve Management and Configuration Guide. ■ Enhancement (PR_1000461576) — This enhancement introduces PVST Protection and Filtering. For more information, see the ProCurve Advanced Traffic Management Guide. ■ Enhancement (PR_1000462841) — This enhancement changes the re-authentication process to allow an authenticated client to remain authenticated during re-authentication. For more information, see the ProCurve Access Security Guide. ■ Enhancement (PR_1000462104) — This enhancement allows the configuration of modules not currently inserted in the switch. For more information, see the ProCurve Management and Configuration Guide. ■ Enhancement (PR_1000462847) — This enhancement allows the configuration of transceivers not currently inserted in the switch. For more information, see the ProCurve Management and Configuration Guide. Release K.12.53 through K.12.55 Enhancements No enhancements; Bug fixes only. Release K.12.56 Enhancements Release K.12.56 includes the following enhancement: 67 Enhancements Release K.12.57 Enhancements ■ Enhancement (PR_1000464170) — This feature provides support for adding the LLDP VLAN Name TLV to LLDP advertisements generated by ProCurve switches. For more information, see the ProCurve Management and Configuration Guide. Release K.12.57 Enhancements Release K.12.57 includes the following enhancement: ■ Enhancement (PR_1000713394) — Adjustable IGMP Querier interval. For more information, see the ProCurve Management and Configuration Guide. Release K.12.57 is the last public release of the K.12.xx software. The series 3500yl, 6200yl, 5400zl, and 8212zl switches software code was rolled to the K.13.0x code branch with no intervening releases. 68 Enhancements Release K.13.01 Enhancements Release K.13.01 Enhancements Release K.13.01 is a major software update containing many new features and enhancements to existing features, including IPv6 host and application layer features (see “IPv6 Configuration Guide for 2900/3500/5400/6200/8200” on page 71 for details). The following enhancements have been documented in the latest revisions to the manuals (January 2008). Refer to the indicated manuals for additional details. Software Manual/ Enhancements Description Management and Configuration Guide PoE Power Allocation Methods: Allows you to manually allocate the amount of PoE power for a port by either its class or a defined value. USB Secure Autorun: Helps ease the configuration of ProCurve switches by providing a way to auto-execute CLI commands from a USB flash drive. Note that the ability to create a valid AutoRun file also requires ProCurve Manager. For details, see the section on “USB Autorun” in the Appendix on “File Transfers”. SNMP Traps: Allow you to configure the switch to send network security and link-change notifications to configured trap receivers. More error conditions can be reported and logged to help resolve security threats and network issues. MAC-based Remote Mirroring: Allows you to use MAC as a criteria in selecting traffic that needs to be monitored in addition to current port, ACL, and direction criteria. Show Command Changes: The show power-management CLI command has been changed to show power-over-ethernet. You can use this command and the show power slot <slot-id> to display information about PoE power. The show system-information CLI command syntax has been changed to show system with additional options to display details of system components: fans, information, power-supply, and temperature. Scalability: Increased max trunks (60); and increased helper address (4k). For scalability values for VLANs, hardware, ARP, and routing, see the new Appendix titled “Scalability: IP Address, VLAN, and Routing Maximum Values”. Advanced Traffic Management Guide STP Root Guard: STP root guard allows user to prevent changes to the root bridge and thus preventing malicious attackers from modifying the root switch and ensuring that the STP topology maintain the optimal setting. QinQ: QinQ (provider bridging) has been added to allow frames from multiple customers to be forwarded through another topology (provider network) using service VLANs or S-VLANs. For more information, see the new “QinQ Provider Bridging” chapter. 69 Enhancements Release K.13.01 Enhancements Software Manual/ Enhancements Description STP Diagnostics: Adds more diagnostic functions to resolve STP issues. See the section on “Troubleshooting an MSTP configuration” in the chapter on Multiple Instance Spanning-Tree Operation. Routing and Multicast Guide Host-based OSPF-ECMP: Allows OSPF to add routes with multiple next-hop addresses and with equal costs to a given destination IP address. Access and Security Guide Dynamic Configuration Arbiter: ProCurve provides different methods (for example, CLI, SNMP, or IDM/RADIUS) to configure network and security parameters and respond to threats. This feature allows you to determine the client-specific parameters that are assigned in an authentication session by applying or removing them as needed in a specified hierarchy of precedence. RADIUS Attributes: Additional RADIUS attributes included with this release: • Change of authorization: allows changes to user service without re-authentication • Vendor-ID: allows Microsoft RADIUS servers to use vendor ID as part of the policy • Capability advertisement: allows the switch to advertise its capability to the RADIUS server • Session termination: allows the switch to report to the RADIUS server the reason a session is terminated For more information, see the section on “Additional RADIUS Attributes” in the chapter on “RADIUS Authentication and Accounting”. RADIUS VLAN Support: Supports RADIUS-assigned tagged and untagged VLAN configuration on an authenticated port. This allows you, for example, to use IDM to dynamically configure tagged and untagged VLANs as required for different client devices, such as PCs and IP phones, that share the same switch port. See the section on “VLAN Assignment in an Authentication Session” in the chapter on “RADIUS Authentication and Accounting”. PoE Planning and Implementation Guide Power Redundancy: Support has been added for PoE redundancy. When PoE redundancy is enabled, PoE redundancy occurs automatically. The switch keeps track of power use and won’t supply PoE power to additional PoE devices trying to connect if that results in the switch not having enough power in reserve for redundancy if one of the power supplies should fail. 70 Enhancements Release K.13.02 Enhancements Software Manual/ Enhancements Description Note on Manual Updates: In addition to the above updates to the manuals, with this release the 8212zl software manuals and 3500/5400/6200 software manuals have been combined into a single manual set. Where features apply only to a specific model or models, this will be indicated in the chapter or heading for that feature; for example, "Redundancy (Switch 8212zl)" or "Stack Management for the Series 3500yl Switches and the 6200yl Switch." New Product Documentation: IPv6 Configuration Guide for 2900/3500/5400/6200/8200. Provides background information on IPv6 technologies and concepts, plus complete coverage of ProCurve's implementation of CLI commands for configuring IPv6 host and application layer features, including IPv6 addressing, auto configuration, dual stack support (IPv4/IPv6), Multicast Listener Discovery (MLD), IPv6 management and diagnostics. The Master Index is a new feature to help find information more readily, providing clickable links from a combined Master Index PDF to the per Chapter PDF files from all five software manuals. To locate and access topics across the combined manual set using the index, download the Master Index zip file from the Web to a directory on your computer. Release K.13.02 Enhancements Release K.13.02 includes the following enhancements. ■ Enhancement: Beginning with K.13.02, DHCP can now be enabled on a Management VLAN. Since, by definition, there is no routing to or from a VLAN configured as a management VLAN, DHCP relay is still prohibited so the DHCP server must be attached to the management VLAN for that VLAN to acquire an address. All DHCP options will be supported. ■ Enhancement (PR_1000458124) — VRRP Preemptive Delay Timer. For more information, see “VRRP Pre-Emptive Delay Timer” on page 71 below. VRRP Pre-Emptive Delay Timer In order to maintain availability of the default gateway router, the Virtual Router Redundancy Protocol (VRRP) advertises a “virtual” router to the hosts. At least two other physical routers are configured to be virtual routers, but only one router provides the default router functionality at any given time. If the Owner router or its VLAN goes down, the Backup router takes over. When the Owner Router comes back on line (Fail-back), it takes control of the virtual IP address that has been assigned to it. It begins sending out VRRP advertisement packets at regular intervals. The Backup router receives the VRRP advertisement packet and transitions to the Backup state. 71 Enhancements Release K.13.02 Enhancements When OSPF is Also Enabled on the VRRP Routers When OSPF is enabled on the routers and a Fail-back event occurs, the Owner router immediately takes control of the virtual IP address and provides the default gateway functionality. If OSPF has not converged, the route table in the Owner router may not be completely populated. When the hosts send packets to the default gateway, the Owner router may not know where to send them and packets may be dropped. Caution While you can run OSPF and VRRP concurrently on a router, it is best not to run VRRP with other routing protocols such as RIP or OSPF on the same interface or VLAN as this can create operational issues. Configuring the Preempt Delay Timer The VRRP Pre-empt Delay Timer (PDT) allows you to configure a period of time before the Owner router takes back control of the virtual IP address. It does not transition to the Master state until the timer period expires. The timer value configured should be long enough to allow OSPF convergence following OSPF updates. The PDT is applied only during initialization of the router, that is, when the router is rebooting with the VRRP parameters present in the startup config file. Syntax: [no] preempt-delay-time <1-600 > Allows you to specify a time in seconds that the Owner router will wait before taking control of the virtual IP address and beginning to route packets. You can configure the timer on VRRP Owner and Backup routers. Note: If you have configured the Preempt Delay Timer with a non-zero value, you must use the no form of the command to change it to 0 (zero). Default: 0 (zero) seconds. Note If the PDT is active for a virtual router, you cannot change the router’s mode from Owner to Backup or Backup to Owner. To change the mode, make the PDT inactive and then reconfigure the mode. For example: ProCurve(config)# no vlan 16 vrrp vrid 23 preempt-delay time 12 72 Enhancements Release K.13.02 Enhancements where VID = 16 VRID = 23 PDT = 12 seconds VRRP Preempt Mode with LACP and Older ProCurve Devices There can be an issue with VRRP Preempt Mode if an older ProCurve device (2524, 2650, 2848, 3400cl, or 5300) is the intermediate device connecting to a VRRP router and has LACP set in “enable, passive” mode. This mode is set by default on older ProCurve devices, whereas it is disabled by default on later models such as the ProCurve Series 5400zl. ProCurve recommends that you use compatible LACP settings on devices that connect with VRRP routers on VRRP VLANs. What Occurs at Startup When the Owner router comes online, it will wait for the configured amount of time before taking control of the virtual IP address. This period of time is calculated as follows: If the value of the Master down time (3 * advertisement interval) is less than or equal to the preempt delay time, then the Owner router will wait until the Master down time (3 * advertisement interval) has expired. During this waiting period, if the Owner router receives a VRRP packet for its virtual IP address from the Backup router, it will wait until the PDT expires before taking control of its virtual IP address. If the Owner router does not receive any VRRP packets and the Master down time expires, the Owner router can take control of its virtual IP address immediately. If the value of the Master down time (3 * advertisement interval) is greater than the preempt delay time, then the Owner Router will wait until the PDT expires before taking control of its virtual IP address. Selecting a Value for the PDT You should select the value for the PDT carefully to allow time for OSPF to populate the Owner router’s route tables. The choice depends on the following: ■ The OFPF router dead interval—the number of seconds the OSPF router waits to receive a hello packet before assuming its neighbor is down. ■ The number of router interfaces that participate in OSPF ■ The time it may take from reception of the OSPF packets to when the population of the route table is completed. 73 Enhancements Release K.13.02 Enhancements There are trade-offs between selecting a small advertisement value and a large preempt delay time. A small advertisement value results in a faster failover to the Backup router. A larger PDT value allows OSPF to converge before the Owner router takes back control of its virtual IP address. Choosing a large PDT value (greater than the Master down time) may result in an unnecessary failover to the Backup router when the VRRP routers (Owner and Backup) start up together. Choosing a large advertisement interval and thereby a large Master down time results in a slower failover to the Backup router when the Owner router fails. Possible Configuration Scenarios Preempt Delay Time = Zero Seconds. This is the default behavior. It works in the same way that VRRP works currently. Preempt Delay Time is Greater Than or Equal to the Master Down Time (3 times the advertisement interval). a. An Owner Virtual Router after reboot—waits for the Master Down Time. If the Owner router does not receive a packet during this time, it becomes the Master. If it receives a VRRP advertisement from its peer during this time, it waits until the expiration of the preempt delay time before becoming the Master. b. A Backup Virtual Router after reboot—waits for the Master Down Time. If the Backup router does not receive a packet during this time, it becomes the Master. If it receives a VRRP advertisement from its peer during this time, it waits until the expiration of the preempt delay time before becoming the Backup. Preempt Delay Time is Less Than the Master Down Time. a. Owner router—becomes the Master after expiration of the preempt delay time. b. Backup router—becomes the Backup after expiration of the preempt delay time. When the Preempt Delay Time is not Applicable Once the router has rebooted and is in steady state VRRP operation, the PDT is not applicable if: ■ The VRRP VLAN goes down and comes back up ■ The Virtual Router is disabled and re-enabled ■ VRRP is globally disabled and then re-enabled Backward Compatibility If a VRRP router functions with an older version that does not have the pre-empt delay timer enhancement, it will take over virtual IP address control immediately on start-up or when there is a fail-back event. There should be no backward compatibility issues. 74 Enhancements Release K.13.03 Enhancements Error Messages Error Error Message Attempting to assign the preempt delay time to the Virtual Router before declaring it as an Owner or Backup The Virtual Router must be defined as an Owner or Backup router first. Attempting to assign an out of range preempt delay time Invalid input: <out of range value> to the Virtual Router instance. Attempting to change the preempt delay time value when the Virtual Router is active. VR operation must be “down” prior to modifying VR’s parameters Release K.13.03 Enhancements Release K.13.03 includes the following enhancements. ■ Enhancement (PR_1000400991) — The 802.1X Controlled Directions feature now functions independently of the STP configuration, allowing you to run STP and 802.1X separately. For more information, see “New CLI Commands” below. New CLI Commands These three commands show the administrative state of the controlled-directions: show port-access authenticator config show port-access mac-based config show port-access web-based config These three commands show the operational state of the controlled-directions: show port-access authenticator show port-access mac-based show port-access web-based 75 Enhancements Release K.13.04 Enhancements Release K.13.04 Enhancements Release K.13.04 includes the following enhancements. ■ Enhancement (PR_ 0000000081) — The CLI clear module command allows you to remove module configuration information from the configuration file. Clear Module Configuration Overview Because of the hot-swap capabilities of the modules, when a module is removed from the chassis of a ProCurve series 5400 switch, the module configuration remains in the configuration file. This enhancement allows you to remove the module configuration information from the configuration file. Syntax: [no] module <slot> Allows removal of the module configuration in the configuration file after the module has been removed. Enter an integer between 1 and 12 for <slot>. For example: ProCurve(config)# no module 3 Note This does not change how hot-swap works. Operating Notes The following restrictions apply: ■ The slot being cleared must be empty ■ There was no module present in the slot since the last boot ■ If there was a module present after the switch was booted, the switch will have to be rebooted before any module (new or same) can be used in the slot. ■ This does not clear the configuration of a module still in use by the switch. 76 Enhancements Release K.13.04 Enhancements ■ Enhancement (PR_ 0000000082) — The CLI track interface command allows you to configure tracking for a port or list of ports, or a trunk or list of trunks. VRRP—Dynamic Priority Change Overview This enhancement provides the ability to dynamically change the priority of the virtual router (VR) when certain events occur. The Backup VR releases virtual IP address control by reducing its priority when tracked entities such as ports, trunks, or VLANs go down. You can also force the Backup to take ownership of the VR if you have previously caused it to release control. In normal VRRP operation, one router (Router-1) is in the Master state and one router (Router-2) is in the Backup state. Router-1 provides the default gateway for the host. If Router-1 goes down for any reason, the Backup router, Router-2, provides the default gateway for the host. VR 1 10.10.10.1 (Virtual IP Address) Intranet Router-1 Router-2 VLAN VID: 22 IP: 10.10.10.21 VLAN VID: 22 IP: 10.10.10.23 Router 1 Configuration VRID: 1 Status: Master Virtual IP Addr: 10.10.10.1 MAC Addr: 00-00-5E-00-01-01 Priority: 150 Switch VLAN VID: 22 Host “A” Router 2 Configuration VRID: 1 Status: Backup Virtual IP Addr: 10.10.10.1 MAC Addr: 00-00-5E-00-01-01 Priority: 100 Figure 10. Example VRRP Configuration If all the tracked entities configured on Router-1 go down, Router-1 begins sending advertisements with a priority of zero. This causes Router-2 to take control of the virtual IP. Any applications or routing protocols such as RIP or OSPF on Router-1 that were using its IP address are no longer able to use that IP interface. Router-1 does not respond to any ARP requests for that IP address. Router-2 takes control of the IP address and responds to ARP requests for it with the virtual MAC address that corresponds to VRID-1. 77 Enhancements Release K.13.04 Enhancements Note A Backup VR switches to priority zero instead of its configured value when all its tracked entities go down. An Owner VR always uses priority 255 and never relinquishes control voluntarily. CLI Commands The following commands are used for this enhancement. Note You can only configure tracked interfaces or VLANs on the Backup router. Configuring Track Interface The track interface command allows you to configure tracking for a port or list of ports, or a trunk or list of trunks. Note VR operation must be down before executing this command. Use the no enable command to disable VR operation. Syntax: [no] track interface <port-list/trunk-list> Allows you to specify a port or port list, or trunk or trunk list, that will be tracked by this virtual router. If the port or trunk is down, the virtual router switches to the router specified by the priority value. The command is executed in VRID instance context. For example: ProCurve(config)# vlan 25 ProCurve(vlan-25)# vrid 1 ProCurve(vlan-25-vrid-1)# track interface 10-12, Trk1 78 Enhancements Release K.13.04 Enhancements Configuring Track VLAN The track vlan command allows you to specify a VLAN or range of VLANs to be tracked by the VR. Notes VR operation must be down before executing this command. Use the no enable command to disable VR operation. The VRs operating VLAN can’t be configured as a tracking VLAN for that VR. Syntax: [no] track vlan <vlan-id range> Allows you to specify a VLAN or range of VLANs that will be tracked by this virtual router. If the VLAN is down, or the VLAN or IP address has been deleted, the virtual router switches to the router specified by the dynamic priority value. The command is executed in VRID instance context. For example: ProCurve(config)# vlan 25 ProCurve(vlan-25)# vrid 1 ProCurve(vlan-25-vrid-1)# track vlan 10 24-26 Note When the first tracked port or tracked VLAN comes up after being down, the VR waits for the preempt delay time before it tries to take control back. The VR resumes being a Backup with its configured priority as soon as the first tracked entity is up. The behavior of the VR is not affected by any tracked entities until after the expiration of the preempt delay time. However, if while waiting for the preempt delay time to expire, a Master goes down, the VR tries to take control of the virtual IP. Removing all Tracked Entities Use the no track command to remove all interfaces and vlans from being tracked. 79 Enhancements Release K.13.04 Enhancements Syntax: no track The command allows you to remove tracking for all configured track entities (ports, trunks, and VLANs). The command is executed in VRID instance context. For example: ProCurve(vlan-25-vrid-1)# no track Failover Operation Failover operation involves handing off of the VRs control of the virtual IP to another VR. Once a failover command is issued, the VR begins sending advertisements with priority zero instead of the configured priority. When the VR detects a peer VR taking control, it releases control of the virtual IP and ceases VR operation until a failback is executed. Failover only occurs on a Backup VR operating as Master. If you specify the with-monitoring option, the VR continues to monitor the virtual IP after ceasing VR operation. If the Master VR goes down, it then re-takes control of the virtual IP. Syntax: failover [with-monitoring] Allows you to force the Backup VR operating as Master to relinquish ownership of the VR instance. The command is executed in VRID instance context. Failback Operation The failback command forces the Backup VR to take ownership of the VR instance. Failback is disabled on the Owner VR; it can only be executed on the Backup VR. Failback can only occur on a VR on which failover or failover with-monitoring has been executed. Syntax: failback Forces the Backup VR to take ownership of the VR instance. This command only takes effect if the Backup VR instance has a higher priority than the current Owner, which is normal VRRP router behavior. The command is executed in VRID instance context. 80 Enhancements Release K.13.04 Enhancements Displaying the VRRP Configuration You can display the VRRP tracked entities by entering the command shown in Figure 11. ProCurve(vlan-25-vrid-1)# show vrrp tracked-entities VRRP Tracked entities VLAN ID ---------25 25 25 25 25 VR ID ---------1 1 1 1 1 Type ---------port port port port vlan ID -----------------------------7 12 13 14 1 Figure 11. Example of show vrrp tracked entities Command You can display the VRRP configuration by entering the command shown in Figure 12. ProCurve(vlan-25-vrid-1)# show vrrp vlan 25 vrid 1 config VRRP Virtual Router Configuration Information Vlan ID : 25 Virtual Router ID : 1 Administrative Status [Disabled] : Enabled Mode [Uninitialized] : Owner Priority [100] : 255 Advertisement Interval [1] : 1 Preempt Mode [True] : True Preempt Delay Time [0] : 0 Primary IP Address : Lowest IP Address Subnet Mask --------------- --------------10.10.10.1 255.255.255.0 Figure 12. Example Showing the VRRP Configuration Operating Notes • 81 There are no backward compatibility issues with this enhancement. If a VRRP router has an older firmware version that does not have the dynamic priority changeover feature, it will not have the needed configuration options. Enhancements Release K.13.04 Enhancements • The VRs operating VLAN can’t be configured as a tracking VLAN for that VR. • Ports that are part of a trunk can’t be tracked. • A port that is tracked can’t be included in a trunk. • Trunks that are tracked can’t be removed; you are not able to remove the last port from the trunk. • LACP (active or passive) cannot be enabled on a port that is being tracked. • If a VLAN is removed or a port becomes unavailable, the configuration is retained and they are tracked when they become available again. • After the Owner VR relinquishes control of its IP address, that IP address becomes unavailable to all other applications and routing protocols such as RIP and OSPF. • To avoid operational issues, it is recommended that VRRP is not run on the same interface/VLAN with other routing protocols, such as RIP and OSPF. Error Messages Track Interface Message Description VR must be defined as “backup” first You have to declare a VR as Backup before assigning a track interface to it. Invalid input: <out of range value> You have to assign a valid port or trunk to the VR instance. VR operation must be “down” prior to modifying VR’s parameters You cannot change the track interface when the VR is active. Use the no enable command to disable the VR. Can’t track a port that is part of a trunk You can’t configure tracking on a port that is a member of a trunk. Tracking is disabled on owner You can’t configure a track interface on an Owner VR. Cannot remove trunk being tracked by VRRP You can’t remove a trunk that is being tracked by a VR Cannot enable LACP on a VRRP tracked port You can’t enable LACP on a port that is being tracked by a VR. Too many entities to track You have selected too many entities to be tracked by the VR. Cannot track trunk/LACP member You can’t track the specified trunk or LACP member. VRRP tracked port is not allowed in trunk You can’t add this tracked port to a trunk. VRRP tracked port is not allowed in LACP You can’t use LACP with the tracked port. Operation is not permitted on VR when it is configured as owner or is uninitialized. The VR must be a Backup and initialized in order to execute the operation. 82 Enhancements Release K.13.04 Enhancements Enhancement (PR_ 0000000084) — DHCP Option 66 provides a way to automatically download and initially boot from a configuration that is different from the factory-shipped configuration. ■ DHCP Option 66 Automatic Configuration Update Overview ProCurve switches are initially booted up with the factory-shipped configuration file. This enhancement provides a way to automatically download a different configuration file from a TFTP server using DHCP Option 66. The prerequisites for this to function correctly are: • One or more DHCP servers with Option 66 are enabled • One or more TFTP servers has the desired configuration file. Caution This feature must use configuration files generated on the switch to function correctly. If you use configuration files that were not generated on the switch, and then enable this feature, the switch may reboot continuously. CLI Command The command to enable the configuration update using Option 66 is: Syntax: [no] dhcp config-file-update Enables configuration file update using Option 66. Default: Enabled ProCurve(config)# dhcp config-file-update Figure 13. Example of Enabling Configuration File Update Using Option 66 83 Enhancements Release K.13.04 Enhancements Possible Scenarios for Updating the Configuration File The following table shows various network configurations and how Option 66 is handled. Scenario Behavior Single Server serving Multiple VLANs • Each DHCP-enabled VLAN interface initiates DHCPDISCOVER message, receives DHCPOFFER from the server, and send DHCPREQUEST to obtain the offered parameters. • If multiple interfaces send DHCPREQUESTs, it’s possible that more than one DHCPACK is returned with a valid Option 66. • Evaluating and updating the configuration file occurs only on the primary VLAN. • Option 66 is ignored by any interfaces not belonging to the primary VLAN. Multiple Servers serving a Single VLAN • Each DHCP-enabled VLAN interface initiates one DHCPDISCOVER and receives one or more DHCPOFFER messages. • Each interface accepts the best offer. • Option 66 is processed only for the interface belonging to the primary VLAN. Multiple Servers serving Multiple VLANs • Each DHCP-enabled VLAN interface initiates DHCPDISCOVER and receives one or more DHCPOFFER messages. • Each interface accepts the best offer. • Option 66 is processed only for the interface belonging to the primary VLAN. Multi-homed Server serving Multiple VLANs • The switch perceives the multi-homed server as multiple separate servers. • Each DHCP-enabled VLAN interface initiates DHCPDISCOVER and receives one DHCPOFFER message. • Each interface accepts the offer. • Option 66 is processed only for the interface belonging to the primary VLAN. Operating Notes Replacing the Existing Configuration File: After the DHCP client downloads the configuration file, the switch compares the contents of that file with the existing configuration file. If the content is different, the new configuration file replaces the existing file and the switch reboots. Option 67 and the Configuration File Name: Option 67 includes the name of the configuration file. If the DHCPACK contains this option, it overrides the default name for the configuration file (switch.cfg) Global DHCP Parameters: Global parameters are processed only if received on the primary VLAN. Best Offer: The “Best Offer” is the best DHCP or BootP offer sent by the DHCP server in response to the DHCPREQUEST sent by the switch. The criteria for selecting the “Best Offer” are: 84 Enhancements Release K.13.04 Enhancements • DHCP is preferred over BootP • If two BootP offers are received, the first one is selected • For two DHCP offers: – The offer from an authoritative server is selected – If there is no authoritative server, the offer with the longest lease is selected Log Messages The file transfer is implemented by the existing TFTP module. The system logs the following message if an incorrect IP address is received for Option 66: Invalid IP address <ip-address> received for DHCP Option 66 ■ Enhancement (PR_ 0000000085) — The DHCP relay address configuration enhancement provides a way to configure a gateway address for the DHCP relay agent to use for DHCP requests, rather than the DHCP relay agent automatically assigning the lowest-numbered IP address. BOOTP/DHCP Relay Gateway Overview Previously, the DHCP relay agent selected the lowest-numbered IP address on the interface to use for DHCP messages. The DHCP server then used this IP address when it assigned client addresses. However, this IP address may not be the same subnet as the one on which the client needs the DHCP Service. This enhancement provides a way to configure a gateway address for the DHCP relay agent to use for DHCP requests, rather than the DHCP relay agent automatically assigning the lowest-numbered IP address. You must be in VLAN context to use this command, for example: ProCurve# config ProCurve(config)# vlan 1 ProCurve(vlan-1)# Syntax: ip bootp-gateway <ip-addr> Allows you to configure an IP address for the DHCP relay agent to use for DHCP requests. The IP address must have been configured on the interface. Default: Lowest-numbered IP address 85 Enhancements Release K.13.04 Enhancements If the IP address has not already been configured on the interface (VLAN), you will see the message shown in Figure 14. ProCurve# config ProCurve(config)# vlan 1 ProCurve(vlan-1)# ip bootp-gateway 10.10.10.1 The IP address 10.10.10.1 is not configured on this VLAN. Figure 14. Example of Trying to Configure an IP Address that is not on this Interface (VLAN) Displaying the BOOTP Gateway To display the configured BOOTP gateway for an interface (VLAN) or all interfaces, enter this command. You do not need to be in VLAN context mode. Syntax: show dhcp-relay bootp-gateway [vlan <vid>] Displays the configured BOOTP gateway for a specified VLAN (interface). If a specific VLAN ID is not entered, all VLANs and their configured BOOTP gateways display. Figure 15 shows an IP address being assigned to a gateway for VLAN 22, and then displayed using the show dhcp-relay bootp-gateway command. ProCurve(vlan-22)ip bootp-gateway 12.16.18.33 ProCurve(vlan-22)# exit ProCurve(config)# show dhcp-relay bootp-gateway vlan 22 BOOTP Gateway Entries VLAN BOOTP Gateway -------------------- --------------VLAN 22 12.16.18.33 Figure 15. An Example of Assigning a Gateway to an Interface and then Displaying the Information 86 Enhancements Release K.13.04 Enhancements Operating Notes ■ • If the configured BOOTP gateway address becomes invalid, DHCP relay agent returns to the default behavior (assigning the lowest-numbered IP address). • If you try to configure an IP address that is not assigned to that interface, the configuration will fail and the previously configured address (if there is one) or the default address is used. Enhancement (PR_ 0000000086) — This enhancement allows rate-limiting of inbound broadcast and multicast traffic on the switch. Inbound Rate-Limiting for Broadcast and Multicast Traffic This enhancement allows rate-limiting (throttling) of inbound broadcast and multicast traffic on the switch. The rate-limiting is implemented as a percentage of the total available bandwidth on the port. Rate-limiting inbound broadcast or multicast traffic helps prevent the switch from being disrupted by traffic storms if they occur on the rate-limited port. You can execute the rate-limit command from the global or interface context, for example: ProCurve(config)# interface 3 rate-limit bcast in percent 10 or ProCurve(config)# interface 3 ProCurve(eth-3)# rate-limit bcast in percent 10 Syntax: rate-limit < bcast | mcast > in percent <0-100> no rate-limit <bcast | mcast> in Enables rate-limiting and sets limits for the specified inbound broadcast or multicast traffic. Only the amount of traffic specified by the percent is forwarded. Default: Disabled For example, if you want to set a limit of 50 percent on inbound broadcast traffic for port 3, you can first enter interface context for port 3 and then execute the rate-limit command, as shown in Figure 1. Only 50 percent of the inbound broadcast traffic will be forwarded. 87 Enhancements Release K.13.04 Enhancements ProCurve(config)# int 3 ProCurve(eth-3)# rate-limit bcast in percent 50 ProCurve 3500(eth-3)# show rate-limit bcast Broadcast-Traffic Rate Limit Maximum % Port ----1 2 3 4 5 | + | | | | | Inbound Limit ------------Disabled Disabled 50 Disabled Disabled Mode --------Disabled Disabled % Disabled Disabled Radius Override --------------No-override No-override No-override No-override No-override Figure 1. Example of Inbound Broadcast Rate-limiting of 50% on Port 3 If you rate-limit multicast traffic on the same port, the multicast limit is also in effect for that port, as shown in Figure 2. Only 20 percent of the multicast traffic will be forwarded. ProCurve(eth-3)# rate-limit mcast in percent 20 ProCurve(eth-3)# show rate-limit mcast Multicast-Traffic Rate Limit Maximum % Port ----1 2 3 4 | + | | | | Inbound Limit ------------Disabled Disabled 20 Disabled Mode --------Disabled Disabled % Disabled Radius Override --------------No-override No-override No-override No-override Figure 2. Example of Inbound Multicast Rate-limiting of 20% on Port 3 To disable rate-limiting for a port enter the no form of the command. 88 Enhancements Release K.13.04 Enhancements ProCurve(eth-3)# no rate-limit mcast in ProCurve(eth-3)# show rate-limit mcast Multicast-Traffic Rate Limit Maximum % Port ----1 2 3 4 | + | | | | Inbound Limit ------------Disabled Disabled Disabled Disabled Mode --------Disabled Disabled Disabled Disabled Radius Override --------------No-override No-override No-override No-override Figure 3. Example of Disabling Inbound Multicast Rate-limiting for Port 3 Operating Notes • This rate-limiting feature does not limit unicast traffic. • This feature does not include outbound multicast rate-limiting. For more detailed information about rate-limiting, see the Multicast and Routing Guide for your switch. ■ Enhancement (PR_ 0000000087) — This enhancement enables a Telnet client to use the histamine in command input. DNS Capabilities for Telnet Overview This enhancement enables a Telnet client to use the hostname in command input. Syntax: telnet <ipv4-addr | ipv6-addr | hostname | switch-num> Initiates an outbound telnet session to another network device. The destination can be specified as: • • • • 89 IPv4 address IPv6 address Hostname Stack number of a member switch (1-16) if the switch is a commander in a stack and stacking is enabled Enhancements Release K.13.04 Enhancements For example, if the host “Labswitch” is in the domain abc.com, you can enter the following command and the destination is resolved to “Labswitch.abc.com”. ProCurve(config)# telnet Labswitch You can also enter the full domain name in the command: ProCurve(config)# telnet Labswitch.abc.com You can use the show telnet command to display the resolved IP address. ProCurve(config)# show telnet Telnet Activity -------------------------------------------------------Session : ** 1 Privilege: Manager From : Console To : ------------------------------------------------------Session : ** 2 Privilege: Manager From : 12.13.14.10 To : 15.33.66.20 ------------------------------------------------------Session : ** 3 Privilege: Operator From : 2001:db7:5:0:203:4ff:fe0a:251 To : 2001:db7:5:0:203:4ff1:fddd:12 Figure 16. Example of show telnet Command Displaying Resolved IP Addresses ■ Enhancement (PR_ 0000000089) — The CLI show modules command displays additional component information for system support modules and mini-GBICS. Show Module Enhancement Overview With this enhancement, the CLI show modules command will display additional component information for the following: • System Support Modules (SSM) — identification, including serial number • Mini-GBICS — a list of installed mini-GBICs displaying the type, “J” number, and serial number (when available) 90 Enhancements Release K.13.04 Enhancements Syntax: show modules [details] Displays information about the installed modules, including: • The slot in which the module is installed • The module description • The serial number • The System Support Module description, serial number, and status (8212zl only) Additionally, the part number (J number) and serial number of the chassis is displayed. ProCurve(config)# show modules Status and Counters - Module Information Chassis: 5406zl J8697A Serial Number: Slot Module Description ----- ---------------------------------------A ProCurve J8706A 24p SFP zl Module B ProCurve J8702A 24p Gig-T zl Module C ProCurve J8707A 4p 10-Gbe zl Module SG560TN124 Serial Number -------------AD722BX88F FE999CV77F FB345DC99D Figure 17. Example of the show modules Command Output ProCurve(config)# show modules details Status and Counters - Module Information Chassis: 8212zl J8715A Serial Number: SG560TN124 Slot Module Description Serial Number ----- ----------------------------------------------------MM1 ProCurve J9092A Management Module 8200zl AD722BX88F SSM ProCurve J8784A System Support Module AF988DC78G C ProCurve J8750A 20p +4 Mini-GBIC Module 446S2BX007 GBIC 1: J4859B 1GB LX-LC 4720347DFED734 GBIC 2: J4859B 1GB LX-LC 4720347DFED735 Status ------Active Active Active Figure 18. An Example of the show modules details Command for the 8212zl Showing SSM and Mini-GBIC Information 91 Enhancements Release K.13.04 Enhancements Note On ProCurve 3500yl and 6200yl series switches, the mini-GBIC information does not display as the ports are fixed and not part of any module. ■ Enhancement (PR_ 0000000101) — This enhancement adds a vrrp option to the debug command. VRRP Option with Debug Command This enhancement adds a vrrp option to the debug command. This option turns on the tracing of the incoming and outgoing VRRP packets. The information in the following table is included in the output. Syntax: [no] debug vrrp Displays VRRP debug messages. Displaying the “Near-Failover” Statistic There is a new VRRP statistic that will track occurrences of “near failovers” on the Backup VRRP routers. This makes visible any difficulties the VRRP routers are having receiving the “heartbeat” advertisement from the Master router. (A “near failover” is one that is within one missed VRRP advertisement packet of beginning the Master determination process.) The show vrrp command displays this statistic. 92 Enhancements Release K.13.04 Enhancements ProCurve(config)# show vrrp VRRP Global Statistics Information VRRP Enabled Protocol Version Invalid VRID Pkts Rx Checksum Error Pkts Rx Bad Version Pkts Rx : : : : : Yes 2 0 0 0 VRRP Virtual Router Statistics Information Vlan ID Virtual Router ID State Up Time Virtual MAC Address Master's IP Address Associated IP Addr Count Advertise Pkts Rx Zero Priority Rx Bad Length Pkts Mismatched Interval Pkts Mismatched IP TTL Pkts : : : : : : : : : : : : 22 1 Initialize 64 mins 00005e-000101 1 0 0 0 0 0 Near Failovers : Become Master : Zero Priority Tx : Bad Type Pkts : Mismatched Addr List Pkts : Mismatched Auth Type Pkts : 0 0 0 0 0 0 Figure 19. Example of the show vrrp Command with Statistics ■ Enhancement (PR_ 0000000420) — This enhancement provides the show-tech option for customizing copy tftp output. Copy Command with Show Tech Option This enhancement allows the show-tech command to execute a series of commands found in a special file stored in flash. If no file is found, the current hard-coded list is used. This feature provides the ability to customize the output. To upload the customized list, the copy tftp command will include the show-tech option in the destination parameter. Syntax: copy <source> <destination> [options] Copy data files to or from the switch. 93 Enhancements Release K.13.05 through K.13.15 Enhancements <source>: specify the source of the data. It can be tftp, xmodem, command, usb, or any of the following switch data files: • • • • • • • running-config startup-config crash-log [a|b|c|d|e|f|g|h|master] crash-data event-log flash command-output <command> Note: When using command output, place the desired CLI command in double quotes, for example, “show system”. <destination>: specify the copy target. It can be tftp, xmodem, usb, or one of the following switch data files: • • • • • startup-config command-file flash pub-key-file show-tech For example: ProCurve(config)# copy tftp show-tech 10.10.10.3 commandfile1 Figure 4. Example of Using the show-tech Command to Upload a Customized List Release K.13.05 through K.13.15 Enhancements No enhancements; Bug fixes only. Release K.13.16 Enhancements Release K.13.16 includes the following enhancements: ■ Enhancement (PR_0000001641) — This enhancement allows the user to set the console inactivity time out without rebooting the switch. Console/Telnet Inactivity Timer This enhancement allows you to configure the inactivity timer and have the new value take effect immediately, without a reboot of the system. 94 Enhancements Release K.13.16 Enhancements Syntax: console inactivity-timer <minutes> If the console port has no activity for the number of minutes configured, the switch terminates the session. A value of zero indicates the inactivity timer is disabled. Default: 0 (zero) For example: ProCurve(config)# console inactivity-timer 20 ■ Enhancement (PR_1000780247) — This enhancement provides hpicf Download MIB support for transferring configuration files both to and from a TFTP server. Prior to this enhancement, MIB support was limited to downloading and uploading software files. ■ Enhancement (PR_0000001430) — This enhancement allows the user to configure access methods for IP Authorized Manager entries. Management Access Security Enhancement This feature allows the configuration of access methods for IP Authorized Manager entries. Each of the management access methods will have its own set of authorized managers. The access methods include: • SSH • Telnet • Web • TFTP • SNMP You can configure the access method via the CLI, the menu, or through the Web interface. The menu interface only supports IPv4. The following restrictions apply to all three methods of configuration. 95 • When no IP authorized manager rules are configured, the access method feature is disabled, that is, access is not denied. • If the Management VLAN is configured, access can only be on that VLAN. • Using the access method feature is optional. If no access method is configured, the access method defaults to “all”. • If access is not specified, it defaults to “manager”. • The IP mask defaults to 255.255.255.255. • Up to 100 IP authorized manager entries are allowed. Enhancements Release K.13.16 Enhancements Setting the Management Access Method—CLI Enter the following command to configure the management access method using the CLI. Syntax: [no] ip authorized-managers <ip-address> <ip-mask>> access [manager | operator] access-method [all | ssh | telnet | web | snmp | tftp] [no] ipv6 authorized-managers <ip-address> <ip-mask> access [manager | operator] access-method [all | ssh | telnet | web | snmp | tftp] Configures one or more authorized IP addresses. access [manager | operator] Configures the privilege level for <ip-address>. Applies only to access through telnet, SSH, SNMPv1, SNMPv2c, and SNMPv3. Default: manager access-method [all | ssh | telnet | web | snmp | tftp] Configures access levels by access method and IP address. Each management method can have its own set of authorized managers. Default: all ProCurve(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager access-method ssh Figure 5. Example of Configuring IP Authorized Manager Access Method SSH ProCurve(config)# show ip authorized-manager IPV4 Authorized Managers -----------------------Address : 10.10.10.10 Mask : 255.255.255.255 Access : Manager Access Method : ssh Figure 6. Example of show authorized-managers Command with Access Method Configured Setting the Management Access Method—Menu Only IPv4 is supported when using the menu to set the management access method. To access the menu screen, type menu at the switch prompt, then select 2. Switch Configuration, then 6. IP Authorized Managers. The menu screen for IP Managers displays. Click on Edit to make changes. 96 Enhancements Release K.13.16 Enhancements ProCurve 22-Apr-2008 20:17:53 ==========================- CONSOLE - MANAGER MODE -============================ Switch Configuration - IP Managers Authorized Manager IP ---------------------10.10.240.2 10.10.245.3 10.10.246.200 10.10.245.30 Actions-> Back Add IP Mask ---------------------255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.0 Edit Delete Access Level -----------Manager Operator Operator Operator Access Method ------------all ssh tftp ssh Help Figure 7. Example of Menu Showing Authorized Managers with Access Method ProCurve 22-Apr-2008 20:17:53 ==========================- CONSOLE - MANAGER MODE -============================ Switch Configuration - IP Managers Authorized Manager IP: 10.10.245.3 IP Mask [255.255.255.255]:255.255.255.255 Access Level:Operator Access Method:ssh Actions-> Back Add Edit Delete Help Figure 8. Example of Edit Menu for IP Managers Setting the Management Access Method—Web Interface To set the management access method in the Web interface, click on the Security tab, and then click on the Authorized Addresses button. Fill in the fields with the correct information and click Add. The Authorized Managers IP list in the Web interface is the same list that was configured with the ip authorized-managers command in the CLI. 97 Enhancements Release K.13.16 Enhancements Figure 9. Example of Configuring Authorized Manager Access Method in the Web Interface See “Using Authorized IP Managers” in the Access Security Guide for your switch for more information about authorized IP managers. ■ Enhancement (PR_0000000090) — This enhancement allows you to choose which information to display when you enter the show interfaces command. Show Interfaces Custom This command enhancement allows you to choose which information to display when you enter the show interfaces command. You can create show commands displaying the information that you want to see in any order you want. 98 Enhancements Release K.13.16 Enhancements Syntax: show interfaces custom [port-list] column-list Select the information that you want to display. Parameters include: ■ port name ■ type ■ vlan ■ intrusion ■ enabled ■ status ■ speed ■ mdi ■ flow Columns supported are: Parameter Column Displays Examples port Port identifier A2 type Port type 100/1000T status Port status up or down speed Connection speed and duplex 1000FDX mode Configured mode auto, auto-100, 100FDX mdi MDI mode auto, MDIX flow Flow control on or off name Friendly port name vlanid The vlan id this port belongs to, 4 or “tagged” if it belongs to more tagged than one vlan enabled port is or is not enabled yes or no intrusion intrusion Intrusion alert status no bcast Broadcast limit 0 99 Enhancements Release K.13.16 Enhancements ProCurve(config)# show int custom 1-4 port name:4 type vlan intrusion speed enabled mdi Status and Counters - Custom Port Status Port ---1 2 3 4 Name ---------Acco Huma Deve Lab1 Type ---------100/1000T 100/1000T 100/1000T 100/1000T VLAN ----1 1 1 1 Intrusion Alert --------No No No No Speed ------1000FDx 1000FDx 1000FDx 1000FDx Enabled ------Yes Yes Yes Yes MDI-mode -------Auto Auto Auto Auto Figure 20. Example of the Custom show interfaces Command You can specify the column width by entering a colon after the column name, then indicating the number of characters to display. In Figure 20 the Name column only displays the first four characters of the name. All remaining characters are truncated. Note Each field has an fixed minimum width to be displayed. If you specify a field width smaller than the minimum width, the information is displayed at the minimum width. For example, if the minimum width for the Name field is 4 characters and you specify Name:2, the Name field displays 4 characters. Parameters can be entered in any order. There is a limit of 80 characters per line; if you exceed this limit an error displays. Error Messages Error Error Message Requesting too many fields (total characters exceeds 80) Total length of selected data exceeds one line Field name is misspelled Invalid input: <input> Mistake in specifying the port list Module not present for port or invalid port: <input> The port list is not specified Incomplete input: custom 100 Enhancements Release K.13.16 Enhancements Note on Using Pattern Matching with the “Show Interfaces Custom” Command If you have included a pattern matching command to search for a field in the output of the show int custom command and the show int custom command produces an error, the error message may not be visible and the output is empty. For example, if you enter a command that produces an error (vlan is misspelled) with the pattern matching include option: ProCurve(config)# show int custom 1-3 name vlun | include vlan1 the output may be empty. It is advisable to try the show int custom command first to ensure there is output, and then enter the command again with the pattern matching option. ■ Enhancement (PR_0000000857) — This enhancement reduces the PIM delay time, thereby reducing the amount of time it takes for a packet to arrive at its destination when an IGMP Join is issued. A delay occurs in PIM when processing IGMP Join messages. This enhancement reduces the delay, thereby reducing the amount of time it takes for a packet to arrive at its destination when an IGMP Join is issued. There are no CLI changes with this enhancement. ■ Enhancement (PR_0000001790) — This enhancement provides the no-tag-added parameter that gives the user the option of not tagging a mirrored copy of an outbound packet. Mirror Port VLAN Tagging ProCurve switches can mirror inbound and outbound traffic to local ports on the switch, or to ports on remote switches. Currently, a VLAN tag is added to the mirrored copy of untagged outbound packets to indicate the source VLAN of the packet. However, it is desirable in some situations to have mirrored packets look exactly like the original packet. This enhancement provides the no-tag-added parameter that gives you the option of not tagging a mirrored copy of an outbound packet. Note A mirror destination for the session must be assigned before a port monitoring source is assigned. 101 Enhancements Release K.13.16 Enhancements Syntax: [no] interface <port-num | trunk-name | mesh> monitor all <in | out | both> mirror <session-num> [no-tag-added] Assigns a mirroring source to a previously configured mirroring session on a source switch. It specifies the port, trunk, and/or mesh source to use, the direction of traffic to mirror, and the session identifier. Note: If configuring a mesh, designate it using the literal string “mesh”. [no-tag-added] Prevents tagging of a mirrored copy of an outbound packet You can also use the no-tag-added parameter with ACL traffic filtering when mirroring IP traffic. Syntax: [no] interface <port-num | trunk-name | mesh> monitor ip access-group <acl-name> in mirror <session-num> [no-tag-added] Assigns a mirroring source to a previously configured mirroring session on a source switch. It specifies the ports, trunk name, or mesh to use, the previously configured ACL to use for selecting traffic to mirror, and the session identifier. Note: If configuring a mesh, designate it using the literal string “mesh”. [no-tag-added] Prevents tagging of a mirrored copy of an outbound packet ProCurve(config)#interface 3 monitor all in mirror 1 no-tag-added ProCurve(config)#interface 2 monitor ip access-group A in mirror 2 no-tag-added ProCurve(config)#interface mesh monitor all both mirror 1 no-tag-added Figure 21. Mirroring Commands with the no-tag-added Option ProCurve# show monitor Network Monitoring Sessions -------1 2 Status ----------active active Type ----port port Sources ------3 2 ACL --no yes Figure 22. Example of a Currently Configured Mirroring Summary on a Source Switch 102 Enhancements Release K.13.16 Enhancements ProCurve# show monitor 1 Network Monitoring Session: 1 Session Name: ACL: no ACL relationship exists Mirror Destination: Untagged traffic : Monitoring Sources -----------------Port: 3 48 untagged Direction --------Both Indicates the no-tag-added option is configured. Figure 23. Example of Session Output Showing no-tag-added Option Note For more information about traffic mirroring, see “Monitoring and Analyzing Switch Operation” in the Management and Configuration Guide for your switch. For more information about ACL filtering, see “Access Control Lists (ACLs)” in the Access Security Guide for your switch. Using SNMP to Configure No-Tag-Added The MIB object hpicfBridgeDontTagWithVlan is used to implement the no-tag-added option, as shown below: hpicfBridgeDontTagWithVlan OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2) } MAX-ACCESS read-write STATUS current DESCRIPTION “This oid mentions whether VLAN tag is part of the mirror’ed copy of the packet. The value ‘enabled’ denotes that the VLAN tag shouldn’t be part of the mirror’ed copy; ‘disabled’ does put the VLAN tag in the mirror’ed copy. Only one logical port is allowed. This object is persistent and when written the entity 103 Enhancements Release K.13.16 Enhancements SHOULD save the change to non-volatile storage.” DEFVAL { 2 } ::= { hpicfBridgeMirrorSessionEntry 2 } Operating Notes ■ • The specified port can be a physical port, a trunk port, or a mesh port. • Only a single logical port (physical port or trunk) can be associated with a mirror session when the no-tag-added option is specified. No other combination of ACL mirroring, VLAN mirroring, or port mirroring can be associated with the mirror session. If more than one logical port is specified, the following error message is displayed: • Cannot monitor more than 1 logical port with no-tag-added option • If a port changes its VLAN membership and/or untagged status within the VLAN, the “untagged port mirroring” associated with that port is updated when the configuration change is processed. • Only four ports or trunks can be monitored at one time when all four mirror sessions are in use (one logical port per mirror session) without VLAN tags being added to the mirrored copy. • The no-tag-added option can also be used when mirroring is configured with SNMP. • A VLAN tag is still added to the untagged packets obtained via VLAN-based mirroring. Enhancement (PR_1000756562) — This enhancement provides concurrent Web/MAC and 802.1x authentication. Concurrent Web and MAC Authentication This enhancement allows Web and MAC authentication concurrently on the same port. It is assumed that MAC authentication will use an existing MAC address. Conditions for Concurrent Web and MAC Authentication The following conditions apply for concurrent Web and MAC authentication on the same port: • A specific MAC address cannot be authenticated by both Web and MAC authentication at the same time. • Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication succeeds then the other authentication (if in progress) is ended. No further Web/MAC authentication attempts are allowed until the client is de-authenticated. 104 Enhancements Release K.13.16 Enhancements • Web and MAC authentications are not allowed on the same port if unauthenticated VLAN (that is, a guest VLAN) is enabled for MAC authentication. An unauthenticated VLAN can’t be enabled for MAC authentication if Web and MAC authentication are both enabled on the port. • Hitless re-authentication must be of the same type (MAC) that was used for the initial authentication. Non-hitless re-authentication can be of any type. The remaining Web/MAC functionality, including interactions with 802.1X, remains the same. Web and MAC authentication can be used for different clients on the same port. Normally, MAC authentication finishes much sooner than Web authentication. However, if Web authentication should complete first, MAC authentication will cease even though it is possible that MAC authentication could succeed. There is no guarantee that MAC authentication ends before Web authentication begins for the client. These changes are backward compatible with all existing user configurations. ■ Enhancement (PR_0000000088) — This enhancement provides new features for use with SSH. The SSH enhancements are: AES encryption (included in the K.13.02 release). A new configuration option is added to allow the server to specify the set of ciphers available for client connection; A configurable key; Message Authentication Code (MAC) configuration. A new configuration option provides the ability to configure which MACs a client is permitted to use; Feedback information; and, SSH CLI show command information enhancements. SSH Enhancements Overview The SSH enhancements are: • AES encryption (included in the K.13.02 release). A new configuration option is added to allow the server to specify the set of ciphers available for client connection. • Configurable key • Message Authentication Code (MAC) configuration. A new configuration option provides the ability to configure which MACs a client is permitted to use. • Feedback information • SSH CLI show command information enhancements Specifying the Set of Ciphers The following command allows you to specific which ciphers are available for a client to use for connection. All ciphers are available by default; use the no form of the command to disable specific ciphers. 105 Enhancements Release K.13.16 Enhancements Syntax: [no] ip ssh [cipher <cipher-type>] Cipher types that can be used for connection by clients. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc • aes256-cbc • rijndael-cbc@lysator.liu.se • aes128-ctr • aes192-ctr • aes256-ctr Default: All cipher types are available. Use the no form of the command to disable a cipher type. ProCurve(config)# no ip ssh cipher 3des-cbc Figure 24. Example of Disabling a Specific Cipher Configuring Key Lengths and DSA/RSA Support This enhancement allows you to specify the type and length of the generated host key. The command is: Syntax: crypto key generate ssh [dsa | rsa [bits <num-bits>]] Specify the type and length of the host key that is generated. You can also generate and use a DSA key as the host key. The size of the host key is platformdependent as different switches have different amounts of processing power. The size is represented by the <num-bits> key word and has the values shown in Table 1. The default value is used if num-bits is not specified. 106 Enhancements Release K.13.16 Enhancements Table 1. RSA/DSA Values for Various ProCurve Switches Platform Maximum RSA Key Size (in bits) DSA Key Size (in bits) 5400/3500/6200/8200/2900 1024, 2048, 3072 Default: 2048 1024 2610 1024, 2048 Default: 1024 1024 Message Authentication Code (MAC) Support This enhancement allows configuration of the set of MACs that are available for selection. Syntax: [no] ip ssh [mac <MAC-type>] Allows configuration of the set of MACs that can be selected. Valid types are: • hmac-md5 • hmac-sha1 • hmac-sha1-96 • hmac-md5-96 Default: All MAC types are available. Use the no form of the command to disable a MAC type. Displaying the SSH Information The show ip ssh command has been enhanced to display information about ciphers, MACs, and key types and sizes. 107 Enhancements Release K.13.16 Enhancements ProCurve(config)# show ip ssh SSH Enabled TCP Port Number IP Version Host Key Type : : : : No 22 IPv4orIPv6 RSA Secure Copy Enabled : No Timeout (sec) : 120 Host Key Size : 1024 Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc, rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr MACs : hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 Ses --1 2 3 4 5 6 Type -------console inactive inactive inactive inactive inactive | Source IP Port + ---------------------------------------------- ----| | | | | | Figure 25. Example of show ip ssh Command Showing Ciphers, MACs and Key Information Logging Messages There are new event log messages when a new key is generated and zeroized for the server: ssh: New <num-bits> -bit [rsa | dsa] SSH host key installed ssh: SSH host key zeroized There are also new messages that indicates when a client public key is installed or removed: ssh: <num-bits>-bit [rsa | dsa] client public key [installed | removed] ([manager| operator] access) (key_comment) Note: Only up to 39 characters of the key comment are included in the event log message. Debug Logging To add ssh messages to the debug log output, enter this command: ProCurve# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity): • fatal • error • info • verbose 108 Enhancements Release K.13.17 Enhancements • debug • debug2 • debug3 Release K.13.17 Enhancements No enhancements; Bug fixes only. Release K.13.18 Enhancements Release K.13.18 includes the following enhancements: ■ Enhancement (PR_1000406763) — New commands were added to the CLI response to the show tech command. Release K.13.19 Enhancements Release K.13.19 includes the following enhancements: ■ Enhancement (PR_0000003808) — This enhancement allows the user to create command aliases for use in place of command names and their options. Using a Command Alias You can create a simple command alias to use in place of a command name and its options. Choose an alias name that is not an existing CLI command already. Existing CLI commands are searched before looking for an alias command; an alias that is identical to an existing command will not be executed. The alias command is executed from the current configuration context (operator, manager, or global). If the command that is aliased has to be executed in the global configuration context, you must execute the alias for that command in the global configuration context as well. This prevents bypassing the security in place for a particular context. ProCurve recommends that you configure no more than 128 aliases. Syntax: [no] alias <name> <command> 109 Enhancements Release K.13.19 Enhancements Creates a shortcut alias name to use in place of a commonly used command. The alias command is executed from the current config context. name: Specifies the new command name to use to simplify keystrokes and aid memory. command: Specifies an existing command to be aliased. The command must be enclosed in quotes. Use the no form of the command to remove the alias. For example, if you use the show interface custom command to specify the output, you can configure an alias for the command to simplify execution. ProCurve(config)# show int custom 1-4 port name:4 type vlan intrusion speed enabled mdi Status and Counters - Custom Port Status Port ---1 2 3 4 Name ---------Acco Huma Deve Lab1 Type ---------100/1000T 100/1000T 100/1000T 100/1000T VLAN ----1 1 1 1 Intrusion Alert --------No No No No Speed ------1000FDx 1000FDx 1000FDx 1000FDx Enabled ------Yes Yes Yes Yes MDI-mode -------Auto Auto Auto Auto ProCurve(config)# alias showintstatus “show int custom 1-4 port name:4 type vlan intrusion speed enabled mdi” ProCurve(config)# ProCurve(config)# showintstatus Status and Counters - Custom Port Status Port ---1 2 3 4 Name ---------Acco Huma Deve Lab1 Type ---------100/1000T 100/1000T 100/1000T 100/1000T VLAN ----1 1 1 1 Intrusion Alert --------No No No No Speed ------1000FDx 1000FDx 1000FDx 1000FDx Enabled ------Yes Yes Yes Yes MDI-mode -------Auto Auto Auto Auto Figure 26. Example of Using the Alias Command with show int custom 110 Enhancements Release K.13.19 Enhancements Note Remember to enclose the command being aliased in quotes. Command parameters for the aliased command can be added at the end of the alias command string. For example: ProCurve(config)# alias shoconfig “show config” ProCurve(config)# shoconfig status To change the command that is aliased, re-execute the alias name with new command options. The new options are used when the alias is executed. To display the alias commands that have been configured, enter the show alias command. ProCurve(config)# show alias Name -------------------showint showintstatus Command -----------------------------show int show int custom 1-4 port name:4 type vlan intrusion speed enabled mdi Figure 27. Example of Alias Commands and Their Configurations ■ Enhancement (PR_0000000818) — This enhancement allows the user to enter addresses and filter parameters for syslog using SNMP, which allows more options for remote access and management of the switch. Configure Logging via SNMP Overview Debug messages generated by the software can be sent to a syslog server. This feature provides the ability to enter addresses and filter parameters for syslog using SNMP, which allows more options for remote access and management of the switch. The HP enterprise MIB hpicfSyslog.mib is added to allow the configuration and monitoring of syslog. (RFC 3164 supported) The CLI has some additional parameters to permit interoperability with SNMP that are explained below. 111 Enhancements Release K.13.19 Enhancements Note See the section “Command Differences for the ProCurve Series 2600/2800/3400cl/6400cl Switches” on page 113 for command differences on these switches. Adding a Description for a Syslog Server You can associate a user-friendly description with each of the IP addresses (IPv4 only) configured for syslog using the CLI or SNMP. The CLI command is: Syntax: logging <ip-addr> control-descr <text_string>] no logging <ip-addr> [control-descr] An optional user-friendly description that can be associated with a server IP address. If no description is entered, this is blank. If <text_string> contains white space, use quotes around the string. IPv4 addresses only. Use the no form of the command to remove the description. Limit: 255 characters Note: To remove the description using SNMP, set the description to an empty string. ProCurve(config)# logging 10.10.10.2 control-descr syslog_one Figure 10. Example of the Logging Command with a Control Description Caution Entering the no logging command removes ALL the syslog server addresses without a verification prompt. Adding a Priority Description You can add a user-friendly description for the set of syslog filter parameters using the priority-descr option. The description can be added with the CLI or SNMP. The CLI command is: 112 Enhancements Release K.13.19 Enhancements Syntax: logging priority-descr <text_string> no logging priority-descr Provides a user-friendly description for the combined filter values of severity and system module. If no description is entered, this is blank. If <text_string> contains white space, use quotes around the string. Use the no form of the command to remove the description. Limit: 255 characters ProCurve(config)# logging priority-descr severe-pri Figure 11. Example of the Logging Command with a Priority Description Note A notification is sent to the SNMP agent if there are any changes to the syslog parameters either through the CLI or with SNMP. Command Differences for the ProCurve Series 2600/2800/3400cl/6400cl Switches CLI Commands The ProCurve series 2600/2800/3400cl/6400cl switches do not have the following CLI logging commands: • logging severity • logging system-module SNMP Commands The ProCurve series 2600/2800/3400cl/6400cl switches do not support the following SNMP objects: • hpicfSyslogPrioritySeverity • hpicfSyslogSystemModule Operating Notes • 113 Duplicate IP addresses are not stored in the list of syslog servers. Enhancements Release K.13.19 Enhancements ■ • If the default severity value is in effect, all messages that have severities greater than the default value are passed to syslog. For example, if the default severity is “debug”, all messages that have severities greater than debug are passed to syslog. • There is a limit of six syslog servers. All syslog servers are sent the same messages using the same filter parameters. • An error is generated for an attempt to add more than six syslog servers. Enhancement (PR_0000003390) — This enhancement allows the user to customize Web Authentication HTML pages. Customizing Web Authentication HTML Files The Web Authentication process displays a series of Web pages and status messages to the user during login. The Web pages that are displayed can be: • Generic, default pages generated directly by the switch software • Customized pages hosted on a local Web server. By creating customized login Web pages, you can improve the “look and feel” of the Web Authentication process to correspond more closely with your network and business needs. For example, you can: • Identify the network that a client is trying to log into. • Provide contact information if a client has difficulty connecting to the network. • Incorporate CSS styles consistent with the appearance of your network. To implement these “enhanced” Web Authentication pages, you need to: • Configure and start a Web server on your local network, • Customize the HTML template files and make them accessible to the Web server • Configure the switch to display the customized files by using the aaa port-access web-based <port-list > ewa-server command. The customized Web pages you create can be hosted on up to three Web servers in your network. Implementing multiple Web servers provides redundancy in case access to any of the other servers fail. Implementing Customized Web-Auth Pages Guidelines • Customized Web Authentication pages are configured per switch, so that each Web-Auth enabled port displays the same customized pages at client login. 114 Enhancements Release K.13.19 Enhancements • You can use up to three Web servers in your network to store and display customized Web pages for Web Authentication login. • To configure a Web server on your network, follow the instructions in the documentation provided with the server. • Before you enable custom Web Authentication pages, you should: Determine the IP address or host name of the Web server(s) that will host your custom pages. Determine the path on the server(s) where the HTML files (including all graphics) used for the login pages are stored. Configure and start the Web server(s). Create the customized Web pages as described in “Guidelines for Customizing the HTML Templates” on page 115, and store them in the document path on the designated servers. Test that they are accessible at the designated URL(s). Enabling Customized Web Authentication Pages To enable customized Web-Auth pages on a switch, use the aaa port-access web-based ewa-server command to specify the server’s IP address or host name and the path to the customized HTML files on the server. See “Commands for Using Custom Web Authentication Pages” on page 128 for syntax details. Guidelines for Customizing the HTML Templates When you customize an HTML template, follow these guidelines: • Do not change the name of any of the HTML files (index.html, accept.html, and so on). • Some template pages use Embedded Switch Includes (ESIs) or Active Server Pages. These should not be modified when customizing HTML files. ESIs behave as follows: i. A client’s Web browser sends a request for an HTML file. The switch passes the request to a configured Web server. ii. The Web server responds by sending a customized HTML page to the switch. Each ESI call in the HTML page is replaced with the value (in plain text) retrieved by the call. iii. The switch sends the final version of the HTML page to the client’s Web browser. • 115 Store all customized login Web pages (including any graphics) that you create for client login on each Web server at the path you will configure with the aaa port-access web-based ewa-server command. Enhancements Release K.13.19 Enhancements Customizable HTML Templates The sample HTML files described in the following sections are customizable templates. To help you create your own set HTML files, a set of the templates can be found on the download page for ‘K’ software. File Name Page index.html 116 accept.html 118 authen.html 119 reject_unauthvlan.html 120 timout.html 122 retry_login.html 123 sslredirect.html 124 rejectnovlan.html 126 User Login Page (index.html) Figure 12. User Login Page The index.html file is the first login page displayed, in which a client requesting access to the network enters a username and password. In the index.html Template file, you can customize any part of the source code except for the form that processes the username and password entered by a client. 116 Enhancements Release K.13.19 Enhancements <!-ProCurve Web Authentication Template index.html --> <html> <head> <title>User Login</title> </head> <body> <h1>User Login</h1> <p>In order to access this network, you must first log in.</p> <form action="/webauth/loginprocess" method="POST"> <table> <tr> <td>Username: </td> <td><input name="user" type="text"/></td> </tr> <tr> <td>Password: </td> <td><input name="pass" type="password"/></td> </tr> <tr> <td></td> <td><input type="submit" value="Submit"/></td> </tr> </table> </form> </body> </html> Figure 13. HTML Code for User Login Page Template 117 Enhancements Release K.13.19 Enhancements Access Granted Page (accept.html) Figure 14. Access Granted Page The accept.html file is the Web page used to confirm a valid client login. This Web page is displayed after a valid username and password are entered and accepted. The client device is then granted access to the network. To configure the VLAN used by authorized clients, specify a VLAN ID with the aaa port-access web-based auth-vid command parameter when you enable Web Authentication. The accept.html file contains the following ESIs, which should not be modified: • The WAUTHREDIRECTTIMEGET ESI inserts the value for the waiting time used by the switch to redirect an authenticated client while the client renews its IP address and gains access to the network. • The WAUTHREDIRECTURLGET ESI inserts the URL configured with the redirect-url parameter (see page 4-25 in the Access Security Guide.) to redirect a client login or the first Web page requested by the client. 118 Enhancements Release K.13.19 Enhancements <!-ProCurve Web Authentication Template accept.html --> <html> <head> <title>Access Granted</title> <!-- The following line is required to automatically redirect --> <meta http-equiv="refresh"content="<!- ESI(WAUTHREDIRECTTIMEGET, 1) ->;URL=<! ESI(WAUTHREDIRECTURLGET, 1) ->"/> </head> <body> <h1>Access Granted</h1> <!-The ESI tag below will be replaced with the time in seconds until the page redirects. --> <p>You have been authenticated. Please wait <!- ESI(WAUTHREDIRECTTIMEGET, 1 -> seconds while network connection refreshes itself.</p> </body> </html> Figure 15. HTML Code for Access Granted Page Template Authenticating Page (authen.html) Figure 16. Authenticating Page 119 Enhancements Release K.13.19 Enhancements The authen.html file is the Web page used to process a client login and is refreshed while user credentials are checked and verified. <!-ProCurve Web Authentication Template authen.html --> <html> <head> <title>Authenticating</title> <!-- The following line is always required --> <meta http-equiv="refresh" content="2;URL=/webauth/statusprocess"> </head> <body> <h1>Authenticating...</h1> <p>Please wait while your credentials are verified.</p> </body> </html> Figure 17. HTML Code for Authenticating Page Template Invalid Credentials Page (reject_unauthvlan.html) Figure 18. Invalid Credentials Page 120 Enhancements Release K.13.19 Enhancements The reject_unauthvlan.html file is the Web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions. You can configure the VLAN used by unauthorized clients with the aaa port-access web-based unauth-vid command when you enable Web Authentication. The WAUTHREDIRECTTIMEGET ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client while the client renews its IP address and gains access to the VLAN for unauthorized clients. This ESI should not be modified. <!-ProCurve Web Authentication Template reject_unauthvlan.html --> <html> <head> <title>Invalid Credentials</title> <!-- The following line is required to automatically redirect --> <meta http-equiv="refresh"content="<!- ESI(WAUTHREDIRECTTIMEGET, 1) ->;URL=<! ESI(WAUTHREDIRECTURLGET, 1) ->"/> </head> <body> <h1>Invalid Credentials</h1> <p>Your credentials were not accepted. However, you have been granted gues account status. Please wait <!- ESI(WAUTHREDIRECTTIMEGET, 1) -> seconds while networ connection refreshes itself.</p> </body> </html> Figure 19. HTML Code for Invalid Credentials Page Template 121 Enhancements Release K.13.19 Enhancements Timeout Page (timeout.html) Figure 20. Timeout Page The timeout.html file is the Web page used to return an error message if the RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable Web Authentication. <!-ProCurve Web Authentication Template timeout.html --> <html> <head> <title>Timeout</title> </head> <body> <h1>Timeout</h1> <p>Your credentials could not be verified with authentication server. Please retry later.</p> </body> </html> Figure 21. HTML Code for Timeout Page Template 122 Enhancements Release K.13.19 Enhancements Retry Login Page (retry_login.html) Figure 22. Retry Login Page The retry_login.html file is the Web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log in. The WAUTHRETRIESLEFTGET ESI displays the number of login retries that remain for a client that entered invalid login credentials. You can configure the number of times that a client can enter their user name and password before authentication fails with the aaa port-access web-based max-retries commands when you enable Web Authentication. This ESI should not be modified. 123 Enhancements Release K.13.19 Enhancements <!-ProCurve Web Authentication Template retry_login.html --> <html> <head> <title>Invalid Credentials</title> <!-The following line is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="5;URL=/EWA/index.html"> </head> <body> <h1>Invalid Credentials</h1> <p>Your credentials were not accepted. You have <!- ESI(WAUTHRETRIESLEFTGET,1 -> retries left. Please try again.</p> </body> </html> Figure 23. HTML Code for Retry Login Page Template SSL Redirect Page (sslredirect.html) Figure 24. SSL Redirect Page 124 Enhancements Release K.13.19 Enhancements The sslredirect file is the Web page displayed when a client is redirected to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based ssl-login command when you enable Web Authentication. The WAUTHSSLSRVGET ESI inserts the URL that redirects a client to an SSL-enabled port on a server to verify the client’s username and password. This ESI should not be modified. <!-ProCurve Web Authentication Template sslredirect.html --> <html> <head> <title>User Login SSL Redirect</title> <meta http-equiv="refresh" content="5;URL=https://<!- ESI(WAUTHSSLSRVGET,1 ->/EWA/index.html"> </head> <body> <h1>User Login SSL Redirect</h1> <p>In order to access this network, you must first log in.</p> <p>Redirecting in 5 seconds to secure page for you to enter credentials or < href="https://<!- ESI(WAUTHSSLSRVGET,1) ->/EWA/index.html">click here</a>.</p> </body> </html> Figure 25. HTML Code for SSL Redirect Page Template 125 Enhancements Release K.13.19 Enhancements Access Denied Page (reject_novlan.html) Figure 26. Access Denied Page The reject_novlan file is the Web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The WAUTHQUIETTIMEGET ESI inserts the time period used to block an unauthorized client from attempting another login. To specify the time period before a new authentication request can be received by the switch, configure a value for the aaa port-access web-based quiet-period command when you enable Web Authentication. This ESI should not be modified. 126 Enhancements Release K.13.19 Enhancements <!-ProCurve Web Authentication Template reject_novlan.html --> <html> <head> <title>Access Denied</title> <!-The line below is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="<!- ESI(WAUTHQUIETTIMEGET,1) ->;URL=/EWA/index.html"> </head> <body> <h1>Access Denied</h1> <p>Your credentials were not accepted. Please wait <!- ESI(WAUTHQUIETTIMEGET 1) -> seconds to retry. You will be redirected automatically to login page.</p> </body> </html> Figure 27. HTML Code for Access Denied Page Template 127 Enhancements Release K.13.19 Enhancements Commands for Using Custom Web Authentication Pages Command Page [no] aaa port-access web-based <port-list > ewa-server 128 show port-access web-based config <port-list > 129 aaa port-access web-based ewa-server Syntax: aaa port-access web-based [ewa-server <ipv4-addr | hostname> [<page-path>]] Configures a connection with the Web server at the specified IPv4 address (ipv4-addr) or host name (ipv4-addr) on which customized login Web pages used for Web Authentication are stored. A maximum of 3 Web servers may be configured on the switch. The optional <page-path> parameter defines the directory path on the server where all customized login Web pages (graphics, HTML frames, and HTML files) are stored. (Default: The default <page-path> value is “/” for root directory. If the Web server is also used for other purposes, you may wish to group the HTML files in their own directory, for example in “/EWA/”) ProCurve Switch (config)# aaa port-access web-based 47 ewa-server 10.0.12.179 /EWA ProCurve Switch (config)# aaa port-access web-based 47 ewa-server 10.0.12.180 /EWA ProCurve Switch (config)# Figure 29. Adding Web Servers with the aaa port-access web-based ews-server Command ProCurve Switch (config)# aaa port-access web-based 47 ewa-server 10.0.12.181 ProCurve Switch (config)# Figure 31. Removing a Web Server with the aaa port-access web-based ews-server Command 128 Enhancements Release K.13.19 Enhancements show port-access web-based config Syntax: show port-access web-based config [<port-list>] Displays the currently configured Web Authentication settings for all ports or specified ports, including web-specific settings for password retries, SSL login status, and a redirect URL, if specified. ProCurve Switch (config)# show port-access web-based 47 config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0 DHCP Lease Length : 10 Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No EWA_Server Address -----------------10.0.12.179 10.0.12.180 | + | | EWA-Server Page Path -------------------/EWA /EWA Client Port Enabled Limit ----- -------- -----47 Yes 1 Client Moves -----No Logoff Period --------300 Re-Auth Period --------0 Unauth VLAN ID -------1 Auth VLAN ID -------0 Cntrl Dir ----both ProCurve Switch (config)# Figure 33. Example of show port-access Web-based config Command Output Enhancement (PR_1000460265) — This enhancement provides Dynamic IP Lockdown, which is used to prevent IP source address spoofing on a per-port and per-VLAN basis. Dynamic IP Lockdown The Dynamic IP Lockdown feature is used to prevent IP source address spoofing on a per-port and per-VLAN basis. When dynamic IP lockdown is enabled, IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port. The IP-to-MAC address binding can either be statically configured or learned by the DHCP Snooping feature. 129 Enhancements Release K.13.19 Enhancements Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized. Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port. Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address. Differences Between Switch Platforms There are some differences in the feature set and operation of Dynamic IP Lockdown, depending on the switch on which it is implemented. These are listed below. • There is no restriction on GVRP on 3500/5400 switches. On 2600/2800/3400cl switches, Dynamic IP Lockdown is not supported if GVRP is enabled on the switch. • Dynamic IP Lockdown has the host limits shown in the table below. There is a DHCP snooping limit of 8,000 entries. Switch Number of Hosts Comments 3500/5400 64 bindings per port Up to 4096 bindings per switch This limit is shared with DHCP snooping because they both use the snooping database. 3400cl/2800 32 bindings per port Up to 32 VLANs with DHCP snooping enabled This is not guaranteed as the hardware resources are shared with QoS. 2600 8 bindings per port Up to 8 VLANs with DHCP snooping enabled This is not guaranteed as the hardware resources are shared with QoS. • A source is considered “trusted” for all VLANs if it is seen on any VLAN without DHCP snooping enabled. • On the ProCurve switch series 5400 and 3500, dynamic IP lockdown is supported on a port configured for statically configured port-based ACLs. 130 Enhancements Release K.13.19 Enhancements Prerequisite: DHCP Snooping Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic: • Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an IP-to-MAC binding. Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with an existing DHCP-assigned address must either request a new leased IP address or renew their existing DHCP-assigned address. Otherwise, a client’s leased IP address is not contained in the DHCP binding database. As a result, dynamic IP lockdown will not allow inbound traffic from the client. • It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients’ leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week. Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients. In this way, you repopulate the lease database with current IP-to-MAC bindings. • The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule as shown in the example in Figure 3). These VLAN_IDs correspond to the subset of configured and enabled VLANS for which DHCP snooping has been configured. • For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled. • Disabling DHCP snooping on a VLAN causes Dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts back to switching traffic as usual. Filtering IP and MAC Addresses Per-Port and Per-VLAN This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature: 131 • Internal Dynamic IP lockdown bindings dynamically applied on a per-port basis from information in the DHCP Snooping lease database and statically configured IP-to-MAC address bindings • Packet filtering using source IP address, source MAC address, and source VLAN as criteria Enhancements Release K.13.19 Enhancements In this example, the following DHCP leases have been learned by DHCP snooping on port 5. VLANs 2 and 5 are enabled for DHCP snooping. IP Address MAC Address VLAN ID 10.0.8.5 001122-334455 2 10.0.8.7 001122-334477 2 10.0.10.3 001122-334433 5 Figure 28. Sample DHCP Snooping Entries The following example shows an IP-to-MAC address and VLAN binding that have been statically configured in the lease database on port 5. IP Address MAC Address VLAN ID 10.0.10.1 001122-110011 5 Figure 29. An Example of a Static Configuration Entry Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5: permit 10.0.8.5 001122-334455 vlan 2 permit 10.0.8.7 001122-334477 vlan 2 permit 10.0.10.3 001122-334433 vlan 5 permit 10.0.10.1 001122-110011 vlan 5 deny any vlan 1-10 permit any Figure 30. Example of Internal Statements used by Dynamic IP Lockdown Note that the deny any statement is applied only to VLANs for which DHCP snooping is enabled. The permit any statement is applied only to all other VLANs. 132 Enhancements Release K.13.19 Enhancements Enabling Dynamic IP Lockdown To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdown command at the global configuration level. Use the no form of the command to disable dynamic IP lockdown. Syntax: [no] ip source-lockdown [port-list] Enables dynamic IP lockdown globally on all ports or on specified ports on the routing switch. Operating Notes ■ Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping. ■ DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply: • DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the dhcp-snooping command at the global configuration level. • Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping. To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range] command at the global configuration level or the dhcp-snooping command at the VLAN configuration level. • Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.) By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> command at the global configuration level. For more information on how to configure and use DHCP snooping, refer to the “Configuring Advanced Threat Protection” chapter in the Access Security Guide. ■ After you enter the ip source-lockdown command (enabled globally with the desired ports entered in <port-list>), the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist: • If DHCP snooping has not been globally enabled on the switch. • If the port is not a member of at least one VLAN that is enabled for DHCP snooping. • If the port is configured as a trusted port for DHCP snooping. Dynamic IP lockdown is activated on the port only after you make the following configuration changes: 133 • Enable DHCP snooping on the switch. • Configure the port as a member of a VLAN that has DHCP snooping enabled. Enhancements Release K.13.19 Enhancements • Remove the trusted-port configuration. ■ You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the Web management or menu interface. ■ If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk. ■ Dynamic IP lockdown must be removed from a trunk before the trunk is removed. Adding an IP-to-MAC Binding to the DHCP Binding Database A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time. Dynamic IP lockdown supports a total of 4K static and dynamic bindings with up to 64 bindings per port. When DHCP snooping is enabled globally on a VLAN, dynamic bindings are learned when a client on the VLAN obtains an IP address from a DHCP server. Static bindings are created manually with the CLI or from a downloaded configuration file. When dynamic IP lockdown is enabled globally or on ports the bindings associated with the ports are written to hardware. This occurs during these events: • Switch initialization • Hot swap • A dynamic IP lockdown-enabled port is moved to a DHCP snooping-enabled VLAN • DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports Potential Issues with Bindings • When dynamic IP lockdown enabled, and a port or switch has the maximum number of bindings configured, the client DHCP request will be dropped and the client will not receive an IP address through DHCP. • When dynamic IP lockdown is enabled and a port is configured with the maximum number of bindings, adding a static binding to the port will fail. • When dynamic IP lockdown is enabled globally, the bindings for each port are written to hardware. If global dynamic IP lockdown is enabled and disabled several times, it is possible to run out of buffer space for additional bindings. The software will delay adding the bindings to hardware until resources are available. 134 Enhancements Release K.13.19 Enhancements Adding a Static Binding To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database. Syntax: [no] ip source-binding <vlan-id> <ip-address> <mac-address> <port-number> vlan-id Specifies a valid VLAN ID number to bind with the specified MAC and IP addresses on the port in the DHCP binding database. ip-address Specifies a valid client IP address to bind with a VLAN and MAC address on the port in the DHCP binding database. mac-address Specifies a valid client MAC address to bind with a VLAN and IP address on the port in the DHCP binding database. port-number Specifies the port number on which the IP-to-MAC address and VLAN binding is configured in the DHCP binding database. Note Note that the ip source-binding command is the same command used by the Dynamic ARP Protection feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC address bindings. Verifying the Dynamic IP Lockdown Configuration To display the ports on which dynamic IP lockdown is configured, enter the show ip source-lockdown status command at the global configuration level. Syntax: show ip source-lockdown status 135 Enhancements Release K.13.19 Enhancements An example of the show ip source-lockdown status command output is shown in Figure 31. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port. ProCurve(config)# show ip source-lockdown status Dynamic IP Lockdown (DIPLD) Information Global State: Enabled Port Operational State -------- -----------------A1 Active A2 Not in DHCP Snooping vlan A3 Disabled A4 Disabled A5 Trusted port, Not in DHCP Snooping vlan . . . . . . . . . . . . . .. Figure 31. Example of show ip source-lockdown status Command Output Displaying the Static Configuration of IP-to-MAC Bindings To display the static configurations of IP-to-MAC bindings stored in the DHCP lease database, enter the show ip source-lockdown bindings command. Syntax: show ip source-lockdown bindings [<port-number>] port-number (Optional) Specifies the port number on which source IP-to-MAC address and VLAN bindings are configured in the DHCP lease database. An example of the show ip source-lockdown bindings command output is shown in Figure 32. 136 Enhancements Release K.13.19 Enhancements ProCurve(config)# show ip source-lockdown bindings Dynamic IP Lockdown (DIPLD) Bindings Mac Address ----------001122-334455 005544-332211 . . . . . . . . Figure 32. IP Address VLAN Port -----------------10.10.10.1 1111 X11 10.10.10.2 2222 Trk11 . . . . . . . . . . . . . . . . Not in HW --------YES . . . Example of show ip source-lockdown bindings Command Output In the show ip source-lockdown bindings command output, the “Not in HW” column specifies whether or not (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database maintained by the DHCP Snooping feature. Debugging Dynamic IP Lockdown To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command. Syntax: debug dynamic-ip-lockdown To send command output to the active CLI session, enter the debug destination session command. Counters for denied packets are displayed in the debug dynamic-ip-lockdown command output. Packet counts are updated every five minutes. An example of the command output is shown in Figure 33. When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are received, a message is entered in the event log. 137 Enhancements Release K.13.20 Enhancements ProCurve(config)# debug dynamic-ip-lockdown DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT 01/01/90 00:01:25 4) -> 192.168.2.1 01/01/90 00:06:25 4) -> 192.168.2.1 01/01/90 00:11:25 4) -> 192.168.2.1 01/01/90 00:16:25 4) -> 192.168.2.1 01/01/90 00:21:25 4) -> 192.168.2.1 01/01/90 00:26:25 4) -> 192.168.2.1 01/01/90 00:31:25 4) -> 192.168.2.1 01/01/90 00:36:25 4) -> 192.168.2.1 01/01/90 00:41:25 4) -> 192.168.2.1 01/01/90 00:46:25 4) -> 192.168.2.1 01/01/90 00:51:25 4) -> 192.168.2.1 01/01/90 00:56:25 4) -> 192.168.2.1 01/01/90 01:01:25 4) -> 192.168.2.1 Figure 33. : denied ip 192.168.2.100 (0), 1 packets : denied ip 192.168.2.100 (0), 294 packets : denied ip 192.168.2.100 (0), 300 packets : denied ip 192.168.2.100 (0), 300 packets : denied ip 192.168.2.100 (0), 299 packets : denied ip 192.168.2.100 (0), 300 packets : denied ip 192.168.2.100 (0), 300 packets : denied ip 192.168.2.100 (0), 299 packets : denied ip 192.168.2.100 (0), 300 packets : denied ip 192.168.2.100 (0), 300 packets : denied ip 192.168.2.100 (0), 300 packets : denied ip 192.168.2.100 (0), 299 packets : denied ip 192.168.2.100 (0), 300 packets (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) Example of debug dynamic-ip-lockdown Command Output Release K.13.20 Enhancements Release K.13.20 includes the following enhancements: ■ Enhancement (PR_0000004124) — Support is added for the J9144A ProCurve 10-GbE X2-SC LRM Optic, an X2 form-factor transceiver that supports the 10-Gigabit LRM standard, providing 10-gigabit connectivity for up to 220 meters on legacy multimode fiber. 138 Enhancements Release K.13.21 Enhancements Release K.13.21 Enhancements No enhancements; Bug fixes only. Release K.13.22 Enhancements No enhancements; Bug fixes only. Release K.13.23 Enhancements No enhancements; Bug fixes only. Release K.13.24 through K.13.25 Enhancements No enhancements; Bug fixes only. Release K.13.26 through K.13.39 Enhancements No enhancements; Software never built. Release K.13.40 Enhancements Release K.13.40 includes the following enhancements (Never released): ■ Enhancement (PR_0000003127) — Link Trap and LACP Global Enable/Disable. LACP and Link Traps Global Disable Two SNMP commands are added to allow disabling of LACP and link traps on multiple ports at one time. The new commands operate in the same manner as the CLI commands no int all lacp and no snmp-server enable traps link-change all. The new SNMP OIDs are: hpSwitchLACPConfig OBJECT IDENTIFIER ::= { hpSwitchConfig 28 } hpSwitchLACPAllPortsStatus OBJECT-TYPE SYNTAX INTEGER { 139 Enhancements Release K.13.40 Enhancements disabled (1), active (2), passive (3) } ACCESS read-write STATUS mandatory DESCRIPTION “Used to set administrative status of LACP on all the ports. A Port can have one of the three administrative status of LACP. Active/Passive/Disabled are the three states.” ::= { hpSwitchLACPConfig 1 } hpSwitchLinkUpDownTrapAllPortsStatus OBJECT-TYPE SYNTAX INTEGER { enable (1), disable (2) } ACCESS read-write STATUS current DESCRIPTION “Used to either enable/disable the Link Up/Link Down traps for all the ports.” ::= { hpSwitchPortConfig 3 } ■ Enhancement (PR_0000003128) — The ability to clear statistics was added. Clear Statistics Without Reboot It is useful to be able to clear all counters and statistics without rebooting the switch when troubleshooting network issues. The clear statistics global command clears all counters and statistics for all interfaces except SNMP. You can also clear the counters and statistics for an individual port using the clear statistics <port-list> command. Syntax: clear statistics <<port-list> | global > When executed with the <port-list> option, clears the counters and statistics for an individual port.When executed with the global option, clears all counters and statistics for all interfaces except SNMP. The show interfaces [<port-list>] command displays the totals accumulated since the last boot or the last clear statistics command was executed. The menu and web pages also display these totals. 140 Enhancements Release K.13.40 Enhancements SNMP displays the counter and statistics totals accumulated since the last reboot; it is not affected by the clear statistics global command or the clear statistics <port-list> command. An SNMP trap is sent whenever the statistics are cleared. Note The clearing of statistics cannot be uncleared. ■ Enhancement (PR_0000003718) — The MAC Lockout limit was increased. Increase MAC Lockout to 64 The MAC lockout feature allows all traffic to or from a given MAC address to be dropped by the switch. A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the MAC table as a drop. As this can quickly fill the MAC table, restrictions are placed on the number of lockout MAC addresses based on the number of VLANs configured. The restriction for the range of 17-256 VLANs is being increased to allow up to 64 lockout MAC addresses. ■ VLANs Configured Number of MAC Lockout Addresses Total Number of MAC Addresses 1-8 200 1,600 9-16 100 1,600 17-256 64 16,384 257-1024 16 16,384 1025-2048 8 16,384 Enhancement (PR_0000007388) — Crash Log Debug was enhanced. Configure Logging via SNMP Debug messages generated by the software can be sent to a syslog server. This feature provides the ability to enter addresses and filter parameters for syslog using SNMP, which allows more options for remote access and management of the switch. The HP enterprise MIB hpicfSyslog.mib is added to allow the configuration and monitoring of syslog. (RFC 3164 supported) The CLI has some additional parameters to permit interoperability with SNMP that are explained below. 141 Enhancements Release K.13.40 Enhancements Adding a Description for a Syslog Server You can associate a user-friendly description with each of the IP addresses (IPv4 only) configured for syslog using the CLI or SNMP. The CLI command is: Syntax: logging <ip-addr> control-descr <text_string>] no logging <ip-addr> [control-descr] An optional user-friendly description that can be associated with a server IP address. If no description is entered, this is blank. If <text_string> contains white space, use quotes around the string. IPv4 addresses only. Use the no form of the command to remove the description. Limit: 255 characters Note: To remove the description using SNMP, set the description to an empty string. ProCurve(config)# logging 10.10.10.2 control-descr syslog_one Figure 34. Example of the Logging Command with a Control Description Caution Entering the no logging command removes ALL the syslog server addresses without a verification prompt. Adding a Priority Description You can add a user-friendly description for the set of syslog filter parameters using the priority-descr option. The description can be added with the CLI or SNMP. The CLI command is: Syntax: logging priority-descr <text_string> no logging priority-descr Provides a user-friendly description for the combined filter values of severity and system module. If no description is entered, this is blank. If <text_string> contains white space, use quotes around the string. Use the no form of the command to remove the description. Limit: 255 characters 142 Enhancements Release K.13.41 Enhancements ProCurve(config)# logging priority-descr severe-pri Figure 35. Example of the Logging Command with a Priority Description Note A notification is sent to the SNMP agent if there are any changes to the syslog parameters either through the CLI or with SNMP. Operating Notes • Duplicate IP addresses are not stored in the list of syslog servers. • If the default severity value is in effect, all messages that have severities greater than the default value are passed to syslog. For example, if the default severity is “debug”, all messages that have severities greater than debug are passed to syslog. • There is a limit of six syslog servers. All syslog servers are sent the same messages using the same filter parameters. • An error is generated for an attempt to add more than six syslog servers. Release K.13.41 Enhancements No enhancements; Bug fixes only. (Not a public release) Release K.13.42 Enhancements No enhancements; Bug fixes only. (Never released) Release K.13.43 Enhancements Release K.13.43 includes the following enhancements (Not a public release): ■ 143 Enhancement (PR_0000003557) — The ability to enable/disable the USB port via CLI and SNMP was added. Note that after being disabled and subsequently re-enabled, the USB port may not function consistently with the PCM USB Autorun features until the switch has been reloaded. Enhancements Release K.13.44 Enhancements Release K.13.44 Enhancements No enhancements; Bug fixes only. (Not a public release) Release K.13.45 Enhancements The following problems were resolved in release K.13.45. ■ Enhancement (PR_0000010783) — Support was added for the following products. J9099B - ProCurve 100-BX-D SFP-LC Transceiver J9100B - ProCurve 100-BX-U SFP-LC Transceiver J9142B - ProCurve 1000-BX-D SFP-LC Mini-GBIC J9143B – ProCurve 1000-BX-U SFP-LC Mini-GBIC Release K.13.46 through K.13.48 Enhancements No new enhancements, software fixes only. (Never released) Release K.13.49 Enhancements No new enhancements, software fixes only. 144 Software Fixes in Release K.11.12 - K.13.49 Release K.11.12 Software Fixes in Release K.11.12 - K.13.49 Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release K.11.11 was the first production software release for the ProCurve 3500yl, 6200yl, and 5400zl Series switches. Release K.11.69 is the last release of the K.11.xx software. The 3500yl, 6200yl, and 5400zl switch series software code was rolled to the K.12.00 code branch with no intervening releases. The first production software release for the 8212zl switch is K.12.31. Release K.12.57 is the last public release of the K.12.xx software. The 3500yl, 6200yl, 5400zl, and 8212zl software code was rolled to the K.13.0x code branch with no intervening releases. Release K.11.12 The following problems were resolved in release K.11.12 (never released) ■ ACL/QoS (PR_1000317233) — Under some circumstances, the Switch may apply an ACL or QoS configuration setting incorrectly. ■ Configuration/Security (PR_1000316441) — Operator level can save Manager privilege level changes to the configuration. ■ Crash Log (PR_1000309533) — Incorrect crash message displayed in the log, "Too many HSL interrupts". ■ Crash (PR_1000317489) — Changing the QoS/ACL portion of the running configuration may cause a switch module to crash with a message similar to: CL Int status=0x10000000 ■ Gig-T SFP Modules (PR_1000316433) — The switch accepts a Gig-T SFP dual personality module when it should not accept these modules.w ■ Help file enhancement (PR_1000300491) — Added support for Help files. Switch can provide a navigation pane on the left side of the screen containing 'Contents' and 'Search' capability. ■ 10 Gig Transceiver (PR_1000317965) — Switch reports incorrect Link status when a defective fiber cable is connected to the Switch. ■ LED (PR_1000316434) — If a mini-GBIC is installed during switch bootup, that port's link LED will not turn on. 145 Software Fixes in Release K.11.12 - K.13.49 Release K.11.13 ■ MSTP Enhancement (PR_1000310463) — Implementation of legacy path cost MIB and CLI option for MSTP. ■ RSTP (PR_1000307278) — Replacing an 802.1D bridge device with an end node (non-STP device) on the same Switch port, can result in the RSTP Switch sending TCNs. ■ Web UI (PR_1000303371) — In the Web User Interface, the QOS Device Priority window scroll bar does not allow sufficient scrolling to view all entries. ■ Web UI (PR_1000311917) — When the last port on the last card is configured in a trunk or mesh, and a user browses to a specific location in the Web user interface, the HTTP Web server degrades the switch, causing the Web user interface to hang. Release K.11.13 The following problems were resolved in release K.11.13 (never released) ■ Routing (PR_1000306239) — In some cases, the command 'show ip route' may display incorrect information. ■ Self-test (PR_1000315509) — The self-test LED does not turn off after bootup of an empty chassis. ■ sFlow (PR_1000317785) — Using Inmon Traffic Server, traffic will be reported on ports with no traffic present. Other ports may or may not have faulty counter reports. Release K.11.14 The following problems were resolved in release K.11.14 (never released) ■ SNMP (PR_1000315054) — SNMP security violations are entering the switch syslog when a valid SNMPv3 'get' operation is initiated. ■ Web (PR_1000302713) — When using the Web interface and a large amount of stacking interactions occur, portions of the information from the stack commander may no longer appear. Release K.11.15 The following problems were resolved in release K.11.15 (never released) ■ CLI (PR_1000298299) — After a reboot, the Switch does not provide warning that the running configuration and startup configuration differ, and does not offer an option to save the running configuration. 146 Software Fixes in Release K.11.12 - K.13.49 Release K.11.16 ■ CLI (PR_1000315256) — Inconsistent error message, "Resource unavailable," when configuring more than the maximum number of allowed static IP routes. ■ Crash (PR_1000322009)— The Switch may crash with a message similar to: Software exception in ISR at queues.c:123. ■ Menu (PR_1000318531) — When using the Menu interface, the Switch hostname may be displayed incorrectly. Release K.11.16 The following problems were resolved in release K.11.16 (not a general release) ■ 10 GbE module (PR_1000321201) — At a high temperature and with long cables, the Switch 3500yl X2/CX4 10-GbE module (J8694A) may not work properly. Release K.11.17 The following problems were resolved in release K.11.17 ■ Stacking (PR_1000298299) - The Stack Commander setting is not written to the configuration file, so Web/Stacking does not work. Release K.11.32 The following problems were resolved in release K.11.32 ■ Authentication (PR_1000334731) — PEAP/TLS EAP types with IAS Radius Server fail to authenticate. ■ CLI (PR_1000298038) — The command "show arp" displays incomplete information. ■ CLI (PR_1000308346) — The command "show tech" failed to execute. ■ CLI (PR_1000308601) — The Stack Close Up device view does not display all stack members. ■ CLI (PR_1000329325) — Unrecognizable characters printed to console on User Authentication timeout when logging in via TACAS server. ■ CLI (PR_1000329977) — User is unable to edit any SNMPv3 target address entries. ■ Config (PR_1000326255) — The stacking interval setting does not appear in the startup or running configuration files. ■ Crash (PR_1000228633) — The Switch may crash with a message similar to: 147 Software Fixes in Release K.11.12 - K.13.49 Release K.11.32 Software exception at ldbal_cost.c:1577 -- in 'eDrvPoll', task ID = 0x1760650-> ASSERT: failed. ■ Crash (PR_1000314305) — The switch may crash with a message similar to: Software exception at ipamMApi.c:1592/1594 -- in 'eRouteCtrl' ■ Crash (PR_1000323759) — The Switch may crash with a message similar to: TLB Miss: Virtual Addr=0x00000185 IP=0x8027ae04 Task='mLACPCtrl' Task ID=0x81597410 fp:0x00000000 sp:0x815972d0 ra:0x8027aa90 sr:0x1000fc01. ■ Crash (PR_1000324041) — A module may crash due to ACL Parity Interrupt with a message similar to 'ACL Int stats=0x1000000 28=0x80000b2'. ■ Crash (PR_1000325030) — The Switch may crash with a message similar to: 'Software exception at vls_dyn_reconfig.c:1939 -- in 'mLpmgrCtrl', task ID = 0xa139a80'. ■ Crash (PR_1000325540) — The Switch may crash with a message similar to: Software exception at sw_sem.c:712 -- in 'mSnmpCtrl. ■ Crash (PR_1000327132) — The Switch may crash with a message similar to: Software exception in ISR at btmDmaApi.c:304. ■ Crash (PR_1000329818) — The Switch may crash with a message similar to: assert in btmDmaApi.c:289 - out of msgs, need to throttle rmon & syslog msgs. ■ Crash (PR_1000330009) — The Switch may crash with a message similar to: slave assert at bttfSlaveLearn.c:1426 - extended bcast loop condition. ■ Crash (PR_1000332703) — The Switch may crash with a message similar to: slave assert at ngDmaRx.c:495 - ease sample outbound received a fragment. ■ Crash (PR_1000329485) — Broadcast loop creates additional packets causing throughput traffic to decrease. ■ Crash/ACL (PR_1000332850) — When authenticating using Radius ACLS, configuring and un-configuring multiple ACLs may cause the Switch to crash. ■ Crash (PR_1000334992) — The Switch may crash with a message similar to: "Software exception in ISR at btmDmaApi.c:289 -> No resources available". 148 Software Fixes in Release K.11.12 - K.13.49 Release K.11.32 ■ Crash (PR_1000335430) — The Switch may crash with a message similar to: "Cam range reservation error" crash at aqSlaveRanges.c:172. ■ Event Log (PR_1000308669) — After a Switch reset, the event log does not display correct information. ■ Event Log (PR_1000310958) — Unsupported modules do not produce an event log message in the Switch. ■ Fault LED (PR_1000314005) — Upon a fan fault, the fault LED does not indicate an error. ■ Flash Memory (PR_1000320941) — An incorrect error message is displayed when the Switch experiences a Flash memory failure. ■ Flow Control (PR_1000333879) — Flow Control not functioning properly. ■ Help Menu (PR_1000307772) — The Help menu text for command "router pim rp-candidate hold-time" displayed incorrect values. ■ Help Menu (PR_1000326670) — Web User Interface Help file link URLs exceed maximum length. ■ ICMP (PR_1000315805) — When the Switch receives a UDP packet on a closed port, Switch fails to send an ICMP response message back to the sender. ■ ICMP/Rate Limiting (PR_1000319946) — Configuring ICMP Rate Limiting on interfaces causes the Switch to create duplicate requests, which affects the total throughput of the blade. ■ LED (PR_1000325259) — Test LED flashing wrong color when a defective Mini-GBIC is installed. ■ LLDP (PR_1000319356) — LLDP does not discover CDPv2 devices. ■ MAC Authentication (PR_1000329738) — Switch may improperly flush the ARP cache when adding or removing an authorized MAC address. ■ MAC Authentication (PR_1000335314) — While authenticating multiple ports via MAC authentication, the Switch successfully authenticates the port but fails to learn the source MAC address. ■ Meshing (PR_1000325260) — With meshing enabled, it is possible that packet buffers may get corrupted resulting in a Switch reboot. ■ Module (PR_1000307404) — With no cable attached, the X2 CX4 transceiver link LED remains on after a switch power up or hot swap of module. ■ Modules (PR_1000314454) — Blades fail to reboot (retry) after failing a selftest. 149 Software Fixes in Release K.11.12 - K.13.49 Release K.11.33 ■ Module (PR_1000330312) — Booting up the Switch with an unsupported module installed may cause all existing modules to fail. ■ MSTP Enhancement (PR_1000331792) — Implementation of Spanning-tree BPDU Filter and SNMP Traps. ■ Power Supply (PR_1000310159) — After power supply failovers, the Switch incorrectly reports power being available on ports that are actually powered down. ■ QoS/Rate Limiting (PR_1000319946) — QoS/Rate limiting may stop working or impact unwanted traffic streams. ■ QOS (PR_1000325028) — Switch may crash after configuring QOS device-priority. ■ SNMPv3 (PR_1000325021) — SNMPv3 lines may mistakenly be removed from the configuration file. ■ STP (PR_1000333992) — In a redundant STP network with PIM running, PIM packets may get assigned a higher queue priority than STP packets, which may cause network loops. ■ Switch (PR_1000327506) — Fixed issue where Switch incorrectly allowed jumbos frames to be configured for 10/100 ports. ■ VLAN (PR_1000334107) — User is unable to add a port to a VLAN and the Switch responds with an invalid error message. ■ Web UI (PR_1000308213) — Removed Web Stacking Tab within the Web User Interface for the 5400zl products. ■ Web UI (PR_1000308225) — When using the Web User Interface, the device view of the Stack Close-up is missing. ■ Web UI (PR_1000311087) — Serial number for 5400zl products within the Web-UI exceeds the provided rectangle. ■ Web UI (PR_1000322777) — When using the Web User Interface in the Configuration Tab, a user is unable to modify a port name. ■ Web UI (PR_1000329279) — When using the Web user interface Commander's Stack Close Up view, some stack members are not displayed. Release K.11.33 The following problems were resolved in release K.11.33 ■ Buffer Leak (PR_1000336963) — The Switch may run out of packet buffers under certain conditions. ■ Crash/ACL (PR_1000337717) — The Switch may crash with a message similar to: 150 Software Fixes in Release K.11.12 - K.13.49 Release K.11.34 "Software exception at alloc_free.c:422 -- in 'eDrvPoll'...-> No msg buffer", when Switch is configured for ACL logging. ■ Module J8705A (PR_1000336281) — The Switch 5400zl 20P 10/100/1000 + 4 mini GBIC module (J8705A) may stop forwarding packets. Release K.11.34 The following problems were resolved in release K.11.34 (not a general release) ■ CLI (PR_1000323423) — Entering an incorrect password three times for either the operator or manager levels causes the CLI to display erroneous characters. ■ CLI (PR_1000322029) — The command "show vlans" does not display data correctly in the status field. ■ IDM (PR_1000334365) — Using EAP/802.1x with IDM ACLs can result in memory leaks. ■ Management (PR_1000337447) — The switch is unmanageable using Telnet or SNMP. ■ OSPF (PR_1000339542) — When using the "show IP route" or "show ip route ospf" commands after configuring an AS External LSA (type 5) with a configured metric, the "show" commands display an incorrect metric value. ■ Web UI (PR_1000331431) — The QoS Configuration Tab does not work correctly when using the Web User Interface. Release K.11.35 The following problems were resolved in release K.11.35 (never released) ■ Authentication (PR_1000343377) — When running the Windows XP 802.1x supplicant and the switch sends a re-authentication, Windows XP prompts the user to re-enter their username and password again. ■ Authentication (PR_1000344961) — A port with multiple 802.1x users on it will allow traffic to pass for a user after that user's supplicant has been stopped. ■ DHCP (PR_1000323679) — Client cannot obtain an IP address when two DHCP servers are connected on different local networks. ■ Enhancement (PR_1000336169) — Added support for STP Per-Port BPDU Filtering and SNMP Traps. ■ Enhancement (PR_1000311957) — Added an option to configure the switch to use the management VLAN IP address in the Option 82 field for all DHCP requests received from various VLANs. 151 Software Fixes in Release K.11.12 - K.13.49 Release K.11.36 ■ MIB (PR_1000307831) — The MIB value for ipAddrTable is not populated. ■ RIP (PR_1000331536) — RIP does not send a route poison update in response to a failed route. ■ Show tech (PR_1000294072) — Show Tech statistics displays incorrect port names for fixed ports. Release K.11.36 The following problems were resolved in release K.11.36 (never released) ■ 10-GbE (PR_1000346107) — The guaranteed minimum bandwidth feature is not working on 10-GbE ports. Release K.11.37 The following problems were resolved in release K.11.37 (not a general release) ■ Login (PR_1000347300) — Login failures do not result in an "Invalid Password" response. Release K.11.38 The following problems were resolved in release K.11.38 (never released) ■ 10-GbE (PR_1000346107) — The Guaranteed minimum bandwidth feature does not work on 10-GbE ports. ■ CLI (PR_1000305349) — The command, no ip router-id, does not work. Once a router-ID is set, there is no way to remove it. ■ QoS (PR_1000346708) — IP-Precedence does not set the correct priority if all TOS bits are set to 1. Release K.11.39 The following problems were resolved in release K.11.39 (never released) ■ Crash (PR_1000344998) — The switch may crash with a message similar to Software exception at sme.c:103 -- in 'mSess1', task ID = 0x8e05520 -> ASSERT: failed ■ Crash (PR_1000351693) — The switch may crash with a message similar to 152 Software Fixes in Release K.11.12 - K.13.49 Release K.11.40 Software Exception at rt_table.c.758 -- in 'eRouteCtrl', task ID = 0x8a d6b30 -> Routing Task: Route Destinations exceeded Release K.11.40 The following problems were resolved in release K.11.40 (not a general release) ■ CLI (PR_1000353548) — Use of the command show span incorrectly displays an error, "STP version was changed. To activate the change you must save the configuration to flash and reboot the device." ■ Crash (PR_1000352922) — The switch may crash with a message similar to mstp_ptx_sm.c:118 -- in 'mMstpCtrl', task ID = 0x8899e70 -> ASSERT: failed ■ Enhancement (PR_1000346164) — RSTP/MSTP BPDU Protection: When this feature is enabled on a port, the switch will disable (drop the link) a port that receives a spanning tree BPDU, log a message, and optionally, send an SNMP TRAP. Release K.11.41 The following problems were resolved in release K.11.41 ■ Enhancement (PR_1000344652) — Added support for Unidirectional Fiber Break Detection. ■ Hang (PR_1000346328) — Switch hangs during initialization, switch may fail to boot. RMON alarms/events configuration files corrupted. ■ MDI/MDI-X (PR_1000354050) — Forced MDI and MDIX modes were reversed on the 3500yl - forced MDI was transmitting out pins 3 and 6 instead of 1 and 2, and vice versa. ■ Port Monitoring (PR_1000354067) — The CLI does not allow users to mirror mesh ports, resulting in "Error setting value monitor for port <n>". ■ SSH (PR_1000350999) — The SSH login prompts user to "press any key to continue" twice before providing a prompt. ■ Web-UI (PR_1000354104) — The Web-UI limited the size of the "Common Name" field in the SSL configuration tab to 16 characters Release K.11.43 Version K.11.42 was never released. 153 Software Fixes in Release K.11.12 - K.13.49 Release K.11.44 The following problems were resolved in release K.11.43 (not a general release) ■ Crash (PR_1000307842) — When deleting/removing CLI ACLs, IDM ACLs, management VLAN, or virus throttle lockouts, switch crashes with error similar to: "Delete virtual meter with nonzero rule RefCount". ■ Crash (PR_1000334982) — When Web authentication is used with open VLANs, a software exception may occur, with the switch reporting something similar to this. Software exception at wma_vlan_sm.c:289 -- in 'mWebAuth', task ID = 0x81e408e0 -> ASSERT: failed ■ Enhancement (PR_1000358903) — 802.1X Controlled Directions enhancement. With this change, Administrators can use “Wake-on-LAN” with computers that are connected to ports configured for 802.1X authentication. ■ VRRP (PR_1000356388) — VRRP returns the physical MAC address instead of the virtual MAC address when replying with proxy-ARP. Release K.11.44 The following problems were resolved in release K.11.44 (not a general release) ■ Enhancement (PR_1000361504) — This enhancement allows STP to detect and block network topology loops on a single port. Release K.11.46 Version K.11.45 was never released. The following problems were resolved in release K.11.46 (not a general release) ■ CLI (PR_1000345301) — The output from the "show config state" CLI command doesn't always report changes made to the configuration. ■ CLI (PR_1000305584) — The output from the "show power" commands on the ProCurve 3500yl switches references slot letters when it should display port numbers. ■ Crash (PR_1000357083) — The switch management may run out of packet buffers and crash with a message similar to: Software exception at ngDmaTx.c:722 -- in 'tDevPollTx', task ID = 0x4305c504 -> HW DMA DRIVER unable. ■ Hang (PR_1000359640) — The switch may hang on initialization and become unresponsive. 154 Software Fixes in Release K.11.12 - K.13.49 Release K.11.47 Release K.11.47 The following problems were resolved in release K.11.47 (not a general release) ■ Management VLAN (PR_1000299387) — The management VLAN does not allow connectivity from valid addresses. ■ SNMP (PR_1000358129) — The command line interface (CLI) becomes unresponsive after running RMON traps code. Release K.11.48 The following problems were resolved in release K.11.48 (not a general release) ■ CLI (PR_1000345301) — The output from the "show config state" CLI command doesn't always report changes made to the configuration. ■ Crash (PR_1000334710) — When saving changes to the IGMP configuration, the switch may crash with a message similar to this. TLB Miss: Virtual Addr=0x00000000 IP=0x80591238 Task='mSess1' ■ Crash (PR_1000351243) — The switch may crash at boot-up if more than 1000 VLANs are configured. ■ Enhancement (PR_1000351445) — The "show tech transceiver" CLI command output now contains the HP part number and revision information for all transceivers on the switch. ■ OSPF (PR_1000363648) — The "restrict" CLI command in OSPF redistribution does not filter the default route. Release K.11.49 The following problems were resolved in release K.11.49 (not a general release) ■ 802.1X (PR_1000358534) — For the Controlled Directions feature of 802.1X to operate correctly, spanning tree must be enabled and authenticator ports must be set as edge ports. This fix removes a limitation that requires these steps be done in a specific order. ■ Crash (PR_1000346971) — When stacking is disabled, the switch may crash with a message similar to: PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x08895e48 HW Addr=0x39200000 IP=0x007132f8 Task='mSnmpCtrl' ■ 155 Enhancement (PR_1000366744) — DHCP Protection enhancement. For more information about this feature, please watch the ProCurve Web site. Software Fixes in Release K.11.12 - K.13.49 Release K.11.61 ■ sFlow (PR_1000361604) — Changed the maximum sFlow skipcount to 24 bits. Release K.11.61 Versions K.11.50 through K.11.59 were never built. Version K.11.60 was never released. The following problems were resolved in release K.11.61 (not a general release) ■ 802.1X (PR_1000367404) — Increased the maximum number of 802.1X users per port to 32. ■ Crash (PR_1000366583) — When a large config is saved using the "write memory" CLI command, the switch may crash with a message similar to: NMI event SW:IP=0x00897870 MSR:0x00029210 LR:0x00100c80 Task='mSess1' Task ID=0x8d13fe0. Release K.11.62 The following problems were resolved in release K.11.62 (not a general release) ■ ACL (PR_1000368901) — Outbound access control lists (ACLs) do not function after a reboot. ■ Authorization (PR_1000365285) — IP Authorized Managers feature behaves incorrectly with regard to Telnet access. ■ CLI (PR_1000313916) — The CLI output for the "show ip" command is misaligned; the proxy-arp column is shifted over to the left by one. ■ Crash (PR_1000356446) — When traffic monitoring is in use, the switch may crash with a message similar to this. Data Bus Error: Addr=0x704a6114 Data=0x00000011 flags=0x10000751, IP=0x4012eaac Task='mEaseUpdt' TaskID=0x42fef338 ■ Routing (PR_1000350144) — Adding a VLAN and assigning an IP address to that VLAN through the menu interface takes routing information protocol (RIP) offline in all VLANs. ■ sFlow (PR_1000361604) — Changed the maximum sFlow skipcount to 24 bits. ■ VLAN (PR_1000356062) — When configuring from the menu interface, the 3500yl series switches will not allow the following name format for a new VLAN: "VLANx" (where "x" is a VLAN number). 156 Software Fixes in Release K.11.12 - K.13.49 Release K.11.63 Release K.11.63 The following problems were resolved in release K.11.63 ■ 802.1p QoS (PR_1000368188) — 802.1p prioritization may not work once a trunk is enabled on a module, unless the user issues the commands "qos type-of service ip-precedence" or "qos type-of service diff-services". ■ Crash (PR_1000368540) — The switch may crash with a message similar to: Software exception at parser.c:8012 -- in 'mSess2', task ID = 0x90e10e0 -> ASSERT: failed. ■ Menu/Event Log (PR_1000319407) — Disabling of event log numbers, via the "no log-numbers" CLI command, doesn't work properly when viewing the event log via the Menu. Using the 'next' and 'prev' buttons causes the log numbers to reappear. ■ PCM Traffic Monitoring/Performance Degradation (PR_1000370061) — The switch is affected by PCM traffic monitoring, causing throughput degradation. ■ RADIUS (PR_1000358525) — Attributes that were overridden by RADIUS (CoS, Rate, and ACL) remain active if an authenticated user fails to send EAP-LOGOFF. Release K.11.64 The following problems were resolved in release K.11.64 (not a general release) ■ Crash (PR_1000372604) — When multiple of instances of sFlow have been configured via the CLI, the switch may crash with an error similar to: Software exception at sflow.c:1170 -- in 'mEaseCtrl', task ID = 0x80e5fe0-> ASSERT: failed. ■ Enhancement (PR_1000376406) — Loop Protection feature additions, including packet authentication, loop detected trap, and receiver port configuration. ■ Event Log (PR_1000373796) — Selecting "Save", within the IP Configuration screen of the Menu causes unnecessary Event Log messages. ■ sFlow/Flow-Control (PR_1000375851) — To protect performance if Flow-Control is enabled on any one or more ports , egress sFlow sampling will be disabled on all ports and a CLI/Event Log message will be generated. ■ VLAN/CLI (PR_1000368900) — VLAN names over 12 characters in length cause the output from the command "show ip route" to be displayed incorrectly. 157 Software Fixes in Release K.11.12 - K.13.49 Release K.11.65 Release K.11.65 The following problems were resolved in release K.11.65 (not a general release) ■ Alarms/Log (PR_1000371908) — The ambient temperature measured by the 5406zl chassis is 4 degrees C too high, causing the generation of false high temperature alarms. ■ CLI (PR_1000377318) — The output from the CLI command, 'show dhcp-relay' is truncated. ■ Enhancement (PR_1000379804) — Historical information about MAC addresses that have been moved has been added to the "show tech" command output. ■ Menu/Counters (PR_1000370619) — The Menu Interface does not reflect changes to SNMP OIDs for "IP Mgmt - Tx/Rx" counters; the counter always reads "0." ■ Syslog (PR_1000379802) — Forwarding of event log message to a configured syslog server is not disabled when a specific event log message has been disabled via the MIB. ■ VRRP (PR_1000380627) — VRRP packets are received on a non-VRRP VLAN causing excessive event log/syslog messages. Release K.11.66 The following problems were resolved in release K.11.66 (not a general release) ■ CLI (PR_1000379455) — The output from some CLI "show" commands produces incorrectly formatted output on the screen. ■ CLI (PR_1000309983) — Using the "show tech" command immediately after boot and before the modules have initialized causes the command to fail, and leaves the user in an unsupported CLI state. ■ CLI (PR_1000364628) — The command output from "show ip rip peer" yields an improperly formatted peer IP address. ■ Meshing (PR_1000386393) — A 5412zl switch may crash with a bus error, when 4 Port CX4 module (J8708A) in Slot L is configured for Meshing. The crash message is similar to the following. PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x08af5298 HW Addr=0x4b5a697c IP=0x00372ed8 Task='mLdBalCtrl' Task 0 fp: 0x00000018 ■ sFlow (PR_1000378885) — The sFlow samplePool for trunks is sometimes unchanged between samples. This may cause inaccurate spikes in traffic monitoring applications that measure the utilization on trunk ports. 158 Software Fixes in Release K.11.12 - K.13.49 Release K.11.67 ■ Web/RADIUS (PR_1000368520) — Web Authentication doesn't authenticate clients due to a failure to send RADIUS requests to the configured server. ■ WebUI (PR_1000371598) — Unable to Access Stack Members through Commander WebUI. Use of the WebUI "stack access" drop-down list on the stacking commander returns a "Page not found" error. Release K.11.67 The following problems were resolved in release K.11.67 (not a general release) ■ MSTP (PR_1000385573) — MSTP instability when root switch priority is changed. This causes other switches with better priority to assert themselves as root, thus causing a root war to occur. Release K.11.68 Software never released. ■ CLI/LLDP (PR_1000377191) — Output from the CLI command, "show lldp info remote-device <port>" shows a blank field for the chassis ID. ■ Crash (PR_1000390591) — Software exception at sflow.c:3903 after re-starting sflow sampling. Switch may crash with a message similar to: Software exception at sflow.c:3903 -- in 'mSnmpEvt', task ID = 0x8248e90-> ASSERT: failed ■ DHCP (PR_1000386886) — DHCP-relay uses an inconsistent address when the VLAN is multinetted. This fix forces the lowest IP address to be used for DHCP. ■ Enhancement (PR_1000388709) — SFlow does not accommodate bursty traffic. ■ ROM update (PR_1000390486) — ROM update to version K.11.03, required to support the upcoming K.12 software update. ■ Trunking (PR_1000238829) — Trunks numbered trk10 and greater cause the output from the CLI command "show span" output to be misaligned. 159 Software Fixes in Release K.11.12 - K.13.49 Release K.11.69 Release K.11.69 The following problems were resolved in release K.11.69 ■ Routing (PR_1000392086) — The switch learns a bogus MAC address when the next hop address is unknown, causing the switch to stop forwarding traffic. Release K.11.69 is the last release of the K.11.xx software. The 3500yl, 6200yl, and 5400zl switch series software code was rolled to the K.12.0x code branch with no intervening releases. Release K.12.01 The following problems were resolved in release K.12.01 ■ ACL (PR_1000393287) — When the same ACL is applied (in or out) to more than 2 VLANs it does not get applied to the third VLAN or higher. ■ ACL (PR_1000389442) — Numbering restrictions are not enforced at the CLI; ACLs numbered 200 or higher are considered valid. This fix enforces ACL numbering restrictions and converts existing ACLs numbered 200 or higher into named ACLs. If an invalid name of form XXX is found, it will be converted to "invalidXXX". Note: If you have ACLs configured with numbers greater than or equal to 200, you need to reconfigure those ACLs with either a valid name or valid number prior to loading K.12.01 software, or it will be tagged as invalid. For example, if you have an ACL called 222 and it is applied to a vlan, the K.12.01 script will convert the 222 ACL to "invalid222" and apply it to the vlan. ■ CLI (PR_1000332352) — The output of a show int brief command should show the negotiated flow control status rather than the flow control configuration setting. ■ Crash (PR_1000385237) — Applying an access control list with more than 105 entries to a VLAN interface causes the switch to crash with a message similar to: Software exception at enDecode.c:54 -- in 'mSess1', task ID = 0x8e7da60 -> out of memory! ■ Crash (PR_1000392105) — Specific actions in the port status screen of the menu interface may trigger a crash. Scrolling down to the ports on a module in slot L and pressing [enter] may cause the switch to crash with a message similar to: Software exception at exception.c:424 -- in 'mSess1', task ID = 0x8dd1ab0 -> Memory system error at 0x881a480 - memPartFree 160 Software Fixes in Release K.11.12 - K.13.49 Release K.12.02 ■ Enhancement (PR_1000298920) — A ping request issued to a VLAN which is down will now return a more specific message; instead of "request timed out", the message "The destination address is unreachable" will be displayed. ■ Enhancement (PR_1000373226) — Support was added for the ProCurve 100-FX SFP-LC Transceiver (J9054B). ■ Enhancement (PR_1000376626) — Enhance CLI qos dscp-map help and show dscp-map text to warn the user that inbound classification based on DSCP codepoints only occurs if qos type-of-service diff-services is also configured. ■ Event Log (PR_1000330310) — Failed attempts to communicate with an unknown module type fill the event log message buffer. ■ Routing (PR_1000359162) — When the user configures a static route that overlaps with a local subnet configured on the switch, the router will not respond to packets destined for its own IP address. The packets for its own IP address will be routed using the configured static route. ■ OSPF (PR_1000374003) — The switch assigns itself a router-id of the neighbor router's in a virtual link. Note: Existing OSPF virtual link configurations may be lost with the update to K.12.01. Either save the K.11 configuration and reload it once the switch is running K.12, or plan to reconfigure any virtual links at the CLI after booting into the K.12.01 software. ■ SNMP (PR_1000392847) — RMON alarms that monitor port-specific OIDs are lost if the switch is rebooted. Release K.12.02 The following problems were resolved in release K.12.02 ■ Crash (PR_1000398746) — The switch may crash with the task "swInitTask". This could result in repeated crashes until the switch configuration is cleared. ■ Crash/Traffic Monitoring (PR_1000396662) — When Traffic Monitoring is enabled on the switch by a network management station (such as PCM) the switch may crash with a message similar to: Data Bus Error: Addr=0x704a613c Data=0xffffffff flags=0x10000750, IP=0x4012fa80 Task='tSvcWorkQ' TaskID=0x44b42ad0 cpsr=0x80000013 161 Software Fixes in Release K.11.12 - K.13.49 Release K.12.03 ■ Crash (PR_1000392863) — Switch may crash when setmib tcpConnState is used, with a message similar to: NMI event SW:IP=0x0079f4a0 MSR:0x00029210 LR:0x006dca60 Task='eTelnetd' Task ID=0x8a7cbb0 cr: 0x20000042 sp:0x08a7c870 ■ Daylight savings (PR_1000364740) — Due to the passage of the Energy Policy Act of 2005, Pub. L. no. 109-58, 119 Stat 594 (2005), starting in March 2007 daylight time in the United States will begin on the second Sunday in March and end on the first Sunday in November. ■ DHCP (PR_1000397753) — A unicast DHCP request that has already been relayed by another router is sometimes dropped. ■ Hang (PR_1000397964) — The switch appears to hang where all routing stops, the switch cannot ping anything, even addresses configured locally. ■ Proxy-ARP (PR_1000393571) — Proxy-ARP sends responses to gratuitous ARPs. ■ Remote Mirroring/Trunking (PR_1000397196) — Remote mirroring configured on a trunk does not restart after the switch is rebooted. Workaround: after a switch reboot, reconfigure the trunk remote as a mirroring source. ■ RIP (PR_1000393366) — The switch does not process RIP (v2) responses containing subnets with a classful subnet mask, when the receiving RIP switch has a connected VLSM network defined that would fall within that classful range. Release K.12.03 The following problems were resolved in release K.12.03 (not a general release) ■ CLI (PR_1000373443) — The CLI update command help text and confirmation message is misleading and confusing. ■ Crash (PR_1000399448) — Changes to traffic monitoring settings may trigger the switch to crash with a message similar to: Software exception at ease_ctrl.c:575 -- in 'mEaseCtrl', task ID = 0x8347161 ■ Crash (PR_1000401664) — Use of the CLI command dir with a very large path name may cause the switch to crash with a message similar to: PC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x08e54928 HW Addr=0x00b3eefc IP=0x0018a740 Task='mSess2' Task ID=00 fp: 0x00000000 sp: ■ Enhancement (PR_1000379804) — Historical information about MAC addresses that have been moved has been added to the show tech command output. 162 Software Fixes in Release K.11.12 - K.13.49 Release K.12.04 ■ Enhancement (PR_1000398393) — For the interface <port-list> speed-duplex command, added the auto-10-100 configuration option to constrain a link to 10/100 Mbps speed and allow a more rapid linkup process when 1000 Mbps operation is not possible. ■ Enhancement (PR_1000404544) — Provides TCP/UDP port range prioritization in the qos command; the range option assigns an 802.1p priority to (IPv4) TCP or UDP packets associated with a range of TCP/UDP ports.. Release K.12.04 Software never released. ■ ACL (PR_1000402901) — The ACL resequencing feature may discard some ACEs in a random fashion. ■ CLI (PR_1000403104) — Executing the erase startup-configuration command and rebooting does not clean up the RMON 'alarm' table. ■ Crash (PR_1000405465) — Use of dynamically assigned ACLs may cause the switch to reboot with the following error: Software exception at aclBttfMUtils.c:1208 -- in 'midmCtrl', task ID = 0x85f6a60 -> internal error ■ Enhancement MSTP (PR_1000369492) — Update of MSTP implementation to the latest IEEE P802.1Q-REV/D5.0 specification to stay in compliance with the protocol evolution. Note The updated standard provides auto-edge-port operation for MSTP, and supports the automatic detection of edge ports. The port will look for BPDUs for 3 seconds; if there are none, it begins forwarding packets. For more information on selected configuration options and updated MSTP port parameters, see “Release K.12.04 Enhancements” on page 33. ■ Remote Mirroring/SNMP (PR_1000395595) — Removing a VLAN via SNMP does not remove the related ACL relationship to that VLAN. ■ sFlow (PR_1000408145) — sFlow samples for routed packets do not occur bidirectionally; inbound packets are dropped and only outbound packets are sampled. ■ Traceroute (PR_1000379199) — The reported traceroute time is inaccurate; it is one decimal place off. 163 Software Fixes in Release K.11.12 - K.13.49 Release K.12.05 Release K.12.05 The following problems were resolved in release K.12.05. ■ BootROM (PR_1000402707) — BootROM does not update to latest version when updating code to primary flash. ■ CLI (PR_1000309998) — Management module is incorrectly displayed as J8627A rather than the correct J8726A product number in response to the show modules command. ■ Enhancement (PR_1000408960) — RADIUS-Assigned GVRP VLANs enhancement. For more information, see “Release K.12.05 Enhancements” on page 36. ■ Menu (PR_1000392862) — The menu will allow invalid values (greater than 720 sec) to be entered for the SNTP poll interval. Release K.12.06 Software never released. ■ Enhancement (PR_1000308332) — Passwords (hashed) are saved to the configuration file. For more information, see “Release K.12.06 Enhancements” on page 43. Release K.12.07 The following problems were resolved in release K.12.07. ■ Config (PR_1000405639) — Various characters in configuration file names (including dash, ampersand, plus, and spaces within quotes) result in truncated names after reboot. This is not just a display issue; the command erase config <filename> does not remove a file containing the problem characters. ■ Config (PR_1000410790) — Errors are returned when applying the interface <port-list> speed-duplex auto-10-100 command to interfaces 45 through 48 on a 3500yl-48G-PWR switch. ■ Crash (PR_1000410758) — When the interface <port-list> speed-duplex auto-10-100 command is issued on a range of ports, the switch may crash with a message similar to: NMI event HW:IP=0x0083f224 MSR:0x00029210 LR:0x0033c3c4 Task='tDevPollRx' Task ID=0x9137e50 cr: 0x20000022 sp:0x09137d78 xer:0x20000000 ■ RIP (PR_1000377789) — RIP restrict filters are not working upon reboot. ■ RMON (PR_1000410885) — RMON alarms/thresholds set via SNMP are cleared after reboot. 164 Software Fixes in Release K.11.12 - K.13.49 Release K.12.08 Release K.12.08 Software never released. ■ Enhancement (PR_1000413764) — Increase the size of the sysLocation and sysContact entries from 48 to 255 characters. For more information, see “Release K.12.08 Enhancements” on page 57. Release K.12.09 The following problem was resolved in release K.12.09 (Not a general release). ■ Crash (PR_1000385844) — With sFlow sampling enabled, the switch may crash with a message similar to: Software exception at ngDmaTx.c:729 -- in 'tDevPollTx', task ID = 0x4305bba8 -> HW DMA DRIVER unable to transmit anymore Release K.12.10 The following problems were resolved in release K.12.10. ■ ARP (PR_1000414347) — ARP table address learning is slow; once the switch has its ARP table cleared, the clients will be unable to communicate for approximately 30 seconds. ■ Config (PR_1000416508) —- Cannot create alternate startup-config file. Although show config files shows an available slot, the switch does not allow copying from an existing config file to create a new config file in the vacant slot. ■ Crash (PR_1000421322) — Following execution of config-related CLI commands (such as show running-config or show tech) or when PCM attempts to retrieve the configuration file using TFTP from a switch having a large configuration file, the switch may crash with a message similar to: Software exception at exception.c:373 -- in 'tTftpDmn', task ID = 0x11cfaa8 -> Memory system error at 0x1175550 - memPartFree The following related crash message may also be addressed with this fix: PPC Bus Error exception vector 0x300: Stack-frame=0x016778b0 HW Addr=0x667c4c88 IP=0x004dbc88 Task='eChassMgr' Task ID=0x1677dd8 fp: 0x667c4c88 sp:0x01677970 lrecpgyp ■ 165 Enhancement (PR_1000419653) — The show vlan command was enhanced to display each port in the VLAN separately, display the friendly port name (if configured), and display the VLAN mode (tagged/untagged/forbidden) for each port. For more information, see “Release K.12.10 Enhancements” on page 58. Software Fixes in Release K.11.12 - K.13.49 Release K.12.11 ■ SNMP (PR_1000374893) — When retrieving the switch serial number via SNMP, the management module serial number is returned instead of the chassis serial number. ■ SNMP (PR_1000422129) — HP Fault Finder doesn't send the interface index with the SNMP trap, even though it is listed in the system log. Release K.12.11 Software never released. Release K.12.12 The following problems were resolved in release K.12.12 (Not a general release). ■ Crash (PR_1000420709) — Entering a backslash at the CLI may cause the switch to crash with a message similar to: PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x08e66508 HW Addr=0x00b4f2ac IP=0x0018a864 Task='mSess1' Task ID=0x8e67170 fp: 0x3be00000 sp: ■ Link LED (PR_1000425143) — The Small Form-factor Pluggable (SFP) link LED does not work when SFP is hot-swapped into the switch. Release K.12.13 Software never released. Release K.12.14 The following problems were resolved in release K.12.14. ■ Authentication (PR_1000422933) — Issue with local password authentication. ■ CLI/Clear button (PR_1000424194) — The command no password manager deletes the password, but fails to delete the username. Similarly, pressing the clear button deletes the password but not the username. ■ SNMP (PR_1000423362) — Setting username via SNMP (hpSwitchAuthMIB) deletes the password. 166 Software Fixes in Release K.11.12 - K.13.49 Release K.12.15 ■ Hotswap (PR_1000422714) — Hotswapping a module may result in a false module self-test failure. After hotswapping the module, the following messages may appear in the event log: I W I I I I I W W W W W I W W 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 05/27/06 12:06:54 12:07:00 12:32:47 12:32:48 12:32:49 12:32:50 12:32:50 12:33:11 12:33:34 12:33:57 12:34:19 12:34:42 12:34:44 12:35:05 12:35:05 00076 ports: port B23 is now on-line 00564 ports: port B23 PD Invalid Signature indication 00068 chassis: Slot B Inserted 00068 chassis: Slot B Inserted 00068 chassis: Slot B Inserted 00067 chassis: Slot B Removed 00077 ports: port B23 is now off-line 00374 chassis: Slot B Slave ROM Tombstone: 0x00000000 00374 chassis: Slot B Slave ROM Tombstone: 0x00000000 00374 chassis: Slot B Slave ROM Tombstone: 0x00000000 00374 chassis: Slot B Slave ROM Tombstone: 0x00000000 00374 chassis: Slot B Slave ROM Tombstone: 0x00000000 00179 mgr: SME CONSOLE Session - MANAGER Mode 00374 chassis: Slot B Slave ROM Tombstone: 0x00000000 00274 chassis: Slot B self test failure or unsupported Multiple insertion messages may be included. The errors appear in the log as either a tombstone, HSL failure, or a loss of communications. Release K.12.15 The following problems were resolved in release K.12.15. ■ Enhancement (PR_1000427592) — This enhancement adds the client’s IP address to the RADIUS accounting packets sent to the RADIUS server by the switch. ■ Crash (PR_1000407238) — Execution of the "show config" command when the startup configuration is different than the running configuration may cause the switch to crash with a message similar to: Software exception at cli_mirror.c:6201 -- in 'mSess1', task ID = 0x8e53690 -> ASSERT: failed ■ SNMP (PR_1000406398) — The URL embedded SNMP traps are not sent as SSL (https) when SSL is enabled, but are sent as plain-text (http) instead. This may result in the trap receiver (such as PCM) being unable to display the URL if SSL is enabled. ■ Enhancement (PR_1000428642) — The SNMP v2c describes two different notification-type PDUs: traps and informs. Prior to this software release, only the trap’s sub-type was supported. This enhancement adds support for informs. ■ Crash (PR_1000427674) — False positive memory testing may result in an ACL interrupt crash with an event log message similar to: chassis: Slot L ACL Int status=0x2000000 25=0x80000005: Task=tDevPollRx Task ID=0x4305d314 IP=0x40087044 167 Software Fixes in Release K.11.12 - K.13.49 Release K.12.16 ■ Rate-Limiting (PR_1000420720) — Rate limiting is broken beyond 9.5 Mbps. For any rate limit set to more than 9.5 Mbps, the actual rate drops to 1 Mbps. Release K.12.16 The following problems were resolved in release K.12.16. ■ Crash (PR_1000415621) — Removing a VLAN that has OSPF configured may cause the switch to crash with a message similar to: NMI event HW:IP=0x0084a0a4 MSR:0x00029210 LR:0x00513ee4 Task='eRouteCtrl' Task ID=0x89658b0' ■ Crash (PR_1000428582) — Typing non-alphanumeric characters at the CLI prompt may cause the switch to crash with a message similar to: PPC Data Storage (Bus Error) exception vector 0x300:Stack Frame=0x08e36878 HW Addr=0x00b4f2ec IP=0x0018a974 Task='mSess1' Task ID=0x0fp: 0x18020800 sp: Release K.12.17 The following problems were resolved in release K.12.17. ■ STP (PR_1000420442) — The switch erroneously allows configuration of spanning tree parameters on an interface that is a member of a trunk (link aggregation group), which creates an invalid configuration. ■ CLI (PR_1000429474) — The "all" parameter is missing from the "password" command. ■ Radius (PR_1000432556) — When DHCP snooping is enabled on the client VLAN, and the client is on a VLAN other than the default VLAN, the Framed-IP-Address attribute is not added to the RADIUS accounting packet as it should be. ■ Crash (PR_1000416453) — Execution of the "show tech" command in an SSH session may cause the switch to crash with a message similar to: Software exception - Assert in pmgr_util.c:1155 -- in 'mSess2', task ID = 0x85adf60 168 Software Fixes in Release K.11.12 - K.13.49 Release K.12.18 Release K.12.18 The following problems were resolved in release K.12.18. ■ CLI (PR_1000419379) — The “interface” command does not exist in the VLAN context, resulting in an inability to shift to the interface configuration context directly from the VLAN context. ■ Hang (PR_1000434809) — The switch may hang, causing all the port LEDs to remain lit, and stop transmitting traffic. ■ Enhancement (PR_1000428213) — This software enhancement adds the ability to configure a secondary authentication method to be used when the RADIUS server is unavailable for the primary port access method. ■ Crash (PR_1000436274) — Typing a question mark ("?") at the "multi-line" input prompt (">") may cause the switch to crash. The crash occurs when the switch is trying to print the error message that states: Expansion help not available on multi-line input. ■ CLI (PR_1000433948) — When command authorization is in use, the "show tech" command fails at the “show tech buffer” component, even when the permission list indicates that it should be allowed. ■ Enhancement (PR_1000415155) — The ARP age timer was enhanced from the previous limit of 240 minutes to allow for configuration of values up to 1440 minutes (24 hours) or "infinite" (99,999,999 seconds or 3.2 years). ■ Enhancement (PR_1000438015) — The banner message of the day (MOTD) size has been increased to support up to 3070 characters. Release K.12.19 The following problems were resolved in release K.12.19. ■ ACL (PR_1000432563) — ACLs with the "permit" parameter on L4 ports and using operators ‘gt’/‘lt’/‘range’ do not function as expected. The ACL does not drop traffic with non-permitted L4 ports. Instead, all traffic with L4 ports is forwarded. ■ CLI (PR_1000438486) — When using the "port-access mac-based" CLI command, the client MAC address is sent in lower case and as the username to the RADIUS server. This fix adds an option so that the MAC address is in uppercase when sent to the RADIUS server. This fix adds additional parameters to the CLI command to support this: "aaa port-access mac-based addr-format." 169 Software Fixes in Release K.11.12 - K.13.49 Release K.12.20 ■ 10-GbE Log (PR_1000424384) — The switch is not checking for the presence of the J8694A ProCurve yl 10G X2-CX4 module early enough in the boot process, triggering a log message when the check is executed. Release K.12.20 The following problems were resolved in release K.12.20 (Never released.) Release K.12.21 The following problems were resolved in release K.12.21 (never released). ■ ARP Protection (PR_1000438129) — ARP and ARP protection data may not display correctly following a CLI or SNMP status query. ■ Enhancement (PR_1000440049) — Classifier-Based Rate Limiting capability was added. Classifier-Based Rate Limiting (also known as Rate Limit Port ACLs or RL-PACLs) allows you to create an ACL and apply it on a per-port basis to rate-limit network traffic. ■ CLI (PR_1000342461) — If a trunk is configured, output from the CLI command “show lldp info remote <port number>" reports incorrect information for the remote management address. This may result in a failure to discover or map devices connected to these trunks by management applications that use LLDP discovery (e.g. ProCurve Manager). ■ Enhancement (PR_1000374051) — The 5400zl switches are not detecting packets from an Avaya G700 PBX or Cajun switch due to irregular Ethernet packets sent by those devices. This is a workaround that will alter the 5400zl software to allow 100Mb operation on the upcoming "C" revision of the 1000 Base-T Mini-GBICs (J8177C) that fit in the J8705A module. The port containing the 1000 Base-T Mini-GBIC can be configured with new speed options of "auto-100," "100-full," and "100-half." ■ Crash (PR_1000434888) — A switch module may crash with a message similar to: ACL Int status=0x10000000 28=0x80002f3a: Task=tDevPollTx Task ID=0x4305c504 IP=0x400693e8 ■ Enhancement (PR_1000443349) — This enhancement is to allow the concurrent use of SFTP with TACACS+ authentication for SSH connections. ■ VRRP/Meshing (PR_1000435853) — A MESHed link in the path between a VRRP Owner and VRRP Backup may lead to a situation where both VRRP routers remain in Master state for a VRID after that VRID fails over to the Backup and then the Owner comes back online. 170 Software Fixes in Release K.11.12 - K.13.49 Release K.12.22 ■ Routing (PR_1000432449) — If the switch is configured with both port security and routing, a physical port transition on the host may cause the switch to stop transmitting routed traffic to that host. Clearing the ARP cache resolves this problem until another port transition occurs. ■ RADIUS (PR_1000442879) — If RADIUS (or TACACS+) keys are configured, and then the switch is updated to a software revision with the ability to save the security credentials in the configuration file (K.12.06 or later), the RADIUS keys are no longer shown in output from the "show run” or “show config" commands until the "include-credentials" command is issued. Release K.12.22 The following problems were resolved in release K.12.22. ■ Enhancement (PR_1000443026) — Support for the new revision "C" Mini-GBICs was added to the CLI and the "show tech" command. ■ Enhancement (PR_1000444415) — OSPF Passive Interface support was added. ■ Crash (PR_1000442695) — Pasting a VRRP configuration into the running configuration via a Telnet session may cause the switch to crash with a message similar to: Software exception at vrrp_statemach.c:205 -- in 'mVrrpCtrl', task ID = 0x8b154a0-> internal error Release K.12.23 The following problems were resolved in release K.12.23. ■ Crash (PR_1000415534) — Execution of the "lockout-mac" CLI command, may cause the switch to crash with a message similar to: PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x0ab9a738 HW Addr=0x00b3f104 IP=0x00801d2c Task='eDrvPoll' Task ID=0xab9ad20 fp: 0x0f3808c0 sp ■ AAA/CLI (PR_1000445886) — This changes the syntax of 'aaa authentication <port-access | mac-based | web-based>' commands which were previously added in PR_1000438486. ■ CLI (PR_1000403478) — Power over Ethernet (802.3af) CLI commands were removed from platforms that do not support PoE (such as the ProCurve 6200yl switch). ■ Broadcast-limit (PR_1000429594) — The broadcast limit feature affects multicast traffic. This fix modifies the feature so that it only affects broadcast traffic. 171 Software Fixes in Release K.11.12 - K.13.49 Release K.12.24 ■ MSTP (PR_1000439775) — The switch generates a topology change when a port goes off-line. With MSTP enabled and all ports left at default (auto-edge-port), when a port transitions to offline, a TC will be generated, and the topology change counter increases. ■ Multicast (PR_1000436118) — Multicast forwarding with IGMP is slow and causes an unacceptable delay in servicing. ■ Enhancement (PR_1000449129) — This enhancement allows MAC or Web-based authentication to use PEAP/MS-CHAPv2 protocols in addition to the default setting of CHAP. ■ Crash (PR_1000444112) — Downloading a configuration file to the switch may cause a crash with a message similar to: Software exception at cli_config_action.c:5479 -- in 'mftTask' ■ SNMP (PR_1000448463) —The SNMP Engine ID Discovery process described in RFC 3414 is not working properly. Release K.12.24 The following problems were resolved in release K.12.24. ■ Hang (PR_1000448429) — A bank of ports may fail the self test, crash or stop functioning after several weeks of use. This failure may result in event log messages similar to those listed below. W 06/10/07 08:07:22 00374 chassis: Ports 25-48: Lost Communications detected - Heart Beat Lost I 06/10/07 08:07:22 00077 ports: port 31 is now off-line I 06/10/07 08:07:22 00077 ports: port 40 is now off-line I 06/10/07 08:07:29 00375 chassis: Ports 25-48 Downloading I 06/10/07 08:07:30 00376 chassis: Ports 25-48 Download Complete W 06/10/07 08:08:32 00374 chassis: Ports 25-48 Failed to boot-timeout (AGENT_FAILED) Release K.12.25 The following problems were resolved in release K.12.25. ■ Config (PR_ 1000451779) — Software update, TFTP restoration of the configuration or reloading the switch on software version K.12.22 may delete a Mini-GBIC VLAN port assignment. 172 Software Fixes in Release K.11.12 - K.13.49 Release K.12.26 through K.12.29 Release K.12.26 through K.12.29 Software never built. Release K.12.30 Software never released. Release K.12.31 The following problems were resolved in release K.12.31. ■ Enhancement — Support for the following ProCurve product was added. J9091A / J8715A (bundle) for the ProCurve switch 8212zl Release K.12.32 Never released. The following problems were resolved in build K.12.32. ■ Enhancement — Merged all of the K.12.24 and earlier software fixes and enhancements with the ProCurve switch 8212zl support. Release K.12.33 through K.12.40 Software never built. Release K.12.41 through K.12.42 Software never released. Release K.12.43 The following problems were resolved in release K.12.43. ■ Enhancement — Support for the following ProCurve products was added. J9051A ProCurve Wireless Edge Services zl Module J9052A ProCurve Redundant Wireless Edge Services zl Module For more information, see “Support for the Wireless Edge Services zl Module” on page 18. 173 Software Fixes in Release K.11.12 - K.13.49 Release K.12.44 Release K.12.44 Not a general release. ■ Enhancement (PR_1000457691) — This enhancement allows the mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some of the VLANs are not currently configured on the switch. For more information, see “Release K.12.44 Enhancements” on page 65. ■ Enhancement (PR_1000457868) — Local Proxy ARP enhancement. For more information, see “Release K.12.44 Enhancements” on page 65. ■ Enhancement (PR_1000456271) — PC attached to telephone. For more information, see “Release K.12.44 Enhancements” on page 65. Release K.12.45 The following problems were resolved in build K.12.45. (Never Released.) ■ STP (PR_1000449365) — ARP & MAC tables get out of sync after a spanning tree (MSTP or RSTP) re-convergence. An ARP entry fails to be associated to the port even though the MAC entry exists. This may result in an unexpected ping failure. ■ PIM (PR_1000450431) — IP Multicast Routing PIM-DM Stops Forwarding Flows, and the event log reports: PIM: Failed alloc[ation] of HW Flow for flow <multicast address> ■ SSH (PR_1000453226) — Configuration of SSH login to the manager mode (aaa authentication ssh enable public-key <enter>) triggers an error “Not legal combination of authentication methods”, but it should be a valid command syntax. ■ Authentication (PR_1000454714) — Concurrent 802.1X and MAC-authentication does not give the 802.1X value precedence. This fix gives 802.1X VLAN assignment precedence over MAC auth RADIUS VLAN assignment. ■ SNMP (PR_1000389902) — The switch is not sending an "embedded URL" within the SNMP trap for an FFI event to the PCM server monitoring traps. The embedded URL, if sent, would allow someone looking at the log event on the PCM server to simply click on the URL and be immediately connected to the switch. ■ CLI (PR_1000418891) — The Connection Rate Filter ignore list does not display properly in the output for the show run command; the IP address and mask are incorrectly printed on the next line. 174 Software Fixes in Release K.11.12 - K.13.49 Release K.12.46 ■ SNMP (PR_1000444744) — An snmp set of hpicfDot1xPaePortauth or an snmp set hpicfDot1xPaePortSupp of an invalid value may cause the switch to crash with a message similar to the following: ASSERT at aaa8021x_dyn_reconfig.c. ■ SSH (PR_1000461002) — Issue with authentication when SSH is configured. Release K.12.46 The following problems were resolved in build K.12.46. (Never Released.) ■ Mirroring (PR_1000458287) — Remote mirroring does not work in slots K or L of the 5412zl or 8212zl chassis. ■ Crash (PR_1000456340) — Switch may crash with a message similar to: No message buffers: alloc_free.c:435. The trigger for this crash is unknown, though it is suspected to be related to sFlow. ■ Module Failure (PR_1000464335) — Switches running K.12.31 - K.12.43 may experience a problem with modules failing to boot. The system log may report a message similar to the following: W 11/08/05 02:43:14 00374 chassis: boot-timeout-(AGENT_FAILED) I 11/08/05 02:43:19 00375 chassis: I 11/08/05 02:43:21 00376 chassis: W 11/08/05 02:44:21 00274 chassis: unsupported module ■ Slot D Failed to Slot D Downloading Slot D Download Complete Slot D self test failure or Telnet hang (PR_1000457765) — If Ctrl+S is typed and then the Telnet window is closed, the Telnet session may become unresponsive, and fail to reset by the kill command issued at the console prompt. This may require the switch to be reloaded to become active again. Release K.12.47 The following problems were resolved in release K.12.47. ■ 175 Enhancement Removed (PR_1000468258) — The PC attached to IP telephone enhancement was removed. For more information, see “Release K.12.47 Enhancements” on page 66. Software Fixes in Release K.11.12 - K.13.49 Release K.12.48 Release K.12.48 The following problems were resolved in release K.12.48. ■ Enhancement Removed (PR_1000470136) — Removal of the enhancement that allows the mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some of the VLANs are not currently configured on the switch. The initial implementation of this enhancement did not allow smooth migration of pre-existing MSTP configurations. For more information, see “Release K.12.48 Enhancements” on page 66. ■ CLI (PR_1000417447) — Some of the instrumentation monitoring parameters (e.g. arp reply monitoring) are not functioning. Release K.12.49 The following problems were resolved in build K.12.49. (Never Released.) ■ Enhancement (PR_10004570598) — An improved version of the MSTP-VLAN mapping enhancement referenced in PR_1000457691 was added. This enhancement allows the mapping of all theoretically available VLAN IDs (1-4094) to an MSTP instance, even if some of the VLANs are not currently configured on the switch. For more information, see “Release K.12.44 Enhancements” on page 65. ■ MSTP (1000457691) — MSTP instances are removed from the configuration after an update and reload into software version K.12.47. ■ Enhancement (PR_1000471015) — Reintroduction of the feature referenced in PR_1000456271, that will allow a PC to connect with its RADIUS-assigned VLAN after an attached IP phone has authenticated on the authenticating port. For more information, see “Release K.12.44 Enhancements” on page 65. Release K.12.50 The following problems were resolved in build K.12.50. (Never Released.) ■ CLI (PR_1000464787) — Minor modifications to internal switch functions. Release K.12.51 The following problems were resolved in release K.12.51. ■ Trunking (PR_1000461440) — When dynamic ARP protection and DHCP snooping are configured, a trunk’s trust status cannot be configured from the appropriate interface configuration context. 176 Software Fixes in Release K.11.12 - K.13.49 Release K.12.52 ■ Routing (PR_1000424308) — A static route that points to a deleted VLAN may cause other routing table errors. ■ CLI (PR_1000473468) — Removing a VLAN range from an MSTP instance (e.g., no spanning-tree instance 2 vlan 10-20) fails to delete the VLANs. Listing individually the VLANs desired for deletion will correctly remove the VLANs. Release K.12.52 The following problems were resolved in release K.12.52 (never released). ■ Enhancement (PR_1000458484) — This enhancement allows the user to set a maximum frame size for jumbo frames at the global level. For more information, see “Release K.12.52 Enhancements” on page 67. ■ Enhancement (PR_1000461576) — This enhancement introduces PVST Protection and Filtering. For more information, see “Release K.12.52 Enhancements” on page 67. ■ Enhancement (PR_1000462841) — This enhancement changes the re-authentication process to allow an authenticated client to remain authenticated during re-authentication. For more information, see “Release K.12.52 Enhancements” on page 67. ■ Enhancement (PR_1000462104) — This enhancement allows the configuration of modules not currently inserted in the switch. For more information, see “Release K.12.52 Enhancements” on page 67. ■ Enhancement (PR_1000462847) — This enhancement allows the configuration of transceivers not currently inserted in the switch. For more information, see “Release K.12.52 Enhancements” on page 67. Release K.12.53 The following problems were resolved in release K.12.53. ■ Crash (PR_1000472846) — Rebooting the switch with an active Telnet session and while remote mirroring is in use may cause the switch to crash with a message similar to the following. There may also be other, unknown triggers that cause this crash. 0x4001bf18 in fatal_exception (file=0x400a8b8c "ngDmaRx.c", line=1413, errorcode=256, str=0x400a8b7c "ASSERT: failed." ■ 177 xSTP (PR_1000715227) — When there is no module and transceiver inserted in the target slot, attempts to set up a unique path cost on the transceiver port results in an "invalid input" error. Software Fixes in Release K.11.12 - K.13.49 Release K.12.54 Release K.12.54 The following problems were resolved in release K.12.54. ■ Connection Rate Filter (PR_1000440871) — Some types of traffic could result in connection rate filtering (CRF) that blocks the switch management IP address. ■ Connection Rate Filter (PR_1000716601) — Connection Rate Filtering does not remove throttled entries when filtering is disabled. The throttled host remains permanently blocked. ■ TFTP (PR_1000427390) — When the configuration of a 6200yl switch is copied to a TFTP server, the config shows a line with the following description: module 1 type JFIXME. If that line is removed from the config and then the config is transferred back to the switch, the transfer will fail with the switch reporting, “corrupted config.” This fix results in the fixed switch ports being described as: module 1 type J8992A. ■ Crash (PR_1000716461) — Loading a configuration file that uses up all the ACL resources may cause the switch to crash with a message similar to: NMI event SW: IP=0x007c755c MSR: 0x00029210 LR: 0x007c7544 Task='mftTask' Task ID=0x8a60920cr: 0x24024442 sp: 0x08a5f850 xer: 0x20000000 ■ Link Speed (PR_1000432419) — Ports 1-24 on the ProCurve 3500yl-24G-PWR and ports 25-48 on the ProCurve 3500yl-48G-PWR switches may link at 10/100 speeds rather than the gigabit speed they support. ■ TFTP (PR_1000419582) — The switch CLI counter displays the wrong size of the file being transferred when uploading from switch flash to TFTP server. The file that is actually transferred is the correct size. This CLI display is in error. ■ PIM (PR_1000306675) — The switch CLI does not allow the commands to remove PIM and IP multicast routing after the removal of a premium license from ProCurve 5400zl or 3500yl Series switches. ■ CLI (PR_1000447529) — The CLI output of the command show rate-limit all is corrupted. ■ Manufacturing (PR_1000740632) — Upon reload, the manufacturing information is zeroed out. 178 Software Fixes in Release K.11.12 - K.13.49 Release K.12.55 Release K.12.55 The following problems were resolved in release K.12.55 (never released). ■ DARPP (PR_1000736402) — The last port on the switch will not be initialized with Dynamic ARP Protection (DARPP) characteristics if the last two ports are DARPP configured. For example, if the switch has 24 ports and ports 23 and 24 have DARPP characteristics, the DARPP characteristics for port 24 will not be initialized. The last port will be initialized in all other cases. ■ CLI (PR_1000340826) — The CLI output from a show interface command truncates counters that have large values. ■ CLI (PR_1000742974) — The CLI had some initial limitations within the interface context for configuration of uninserted modules and transceivers. This fix addresses the interface context for spanning-tree, aaa port-access, DHCP snooping, loop protection, and a number of other features. Release K.12.56 The following problems were resolved in release K.12.56. ■ Enhancement (PR_1000464170) — This feature provides support for adding the LLDP VLAN Name TLV to LLDP advertisements generated by ProCurve switches. For more information, see “Release K.12.56 Enhancements” on page 67. Release K.12.57 The following problems were resolved in release K.12.57. ■ Enhancement (PR_1000713394) — Adjustable IGMP Querier interval. ■ Daylight Savings Time (PR_1000467724) — This change corrects the schedule for Western Europe Time Zone: DST to start the last Sunday in March and DST to end the last Sunday in October. ■ SSH/SCP (PR_1000742969) — The following issues with using SSH/SCP were fixed. 1) In show ip ssh, sessions 3 & 4 may display "console" instead of "inactive," when those sessions are not in use. 2) The switch does not send an appropriate exit-status message to the client. This corrects the symptom that occurs in some applications, which reports a message similar to: Fatal error: Server unexpectedly closed connection. 179 Software Fixes in Release K.11.12 - K.13.49 Release K.12.57 3) The SSH client application does not get a command prompt (or equivalent) back from the switch until the OS is verified and burned to flash. 4) The show flash command incorrectly shows an OS image present in flash before the OS has completely copied to flash. ■ Routing (PR_1000744325) — When a PC is using the switch as its default gateway, and that switch is set with a default route to another device on the same VLAN, duplication of packets may occur. Symptoms may include seeing TCP packets out of order due to retransmission. ■ ACL (PR_1000751460) — Manipulating ACEs on a switch with the ACL applied may result in a switch hang or crash with a message similar to the following. SubSystem 0 went down: 11/05/07 10:16:07 Software exception at ipAccessHandle.c:161 -- in 'mSess2', task ID = 0x876ffa0 -> internal error ■ PIM (PR_1000745983) — PIM-Sparse Mode causes packet drops in protocols that use a destination IP multicast address such as VRRP/OSPF hello packets, and RIPv2 advertisements. ■ 802.1X (PR_1000741874) — Entering invalid 802.1X credentials (triggering failed authentication) and then trying again with valid credentials may cause the switch may crash with a message similar to the following. Symptoms and triggers for this problem may vary. Software exception at aaa8021x_util.c:2290 -- in 'm8021xCtrl', task ID = 0x85db0 -> ASSERT: failed. ■ Manufacturing (PR_1000752302) — The ESP module does not initialize in the zl switches during the manufacturing process. ■ Connection Rate Filter (PR_1000751758) — The “low sensitivity” connection rate filter setting was too sensitive. This fix improved the filter accuracy for "low sensitivity" levels. ■ Config (PR_1000749046) — The running and startup configurations that are copied via TFTP do not match the output from the show run or show config output for the ProCurve 3500yl and 6200yl switches. ■ Hang (PR_1000752561) — Multiple SNMP get requests over a 10-GbE link leave the switch in a problematic state. In this state one or more of the following may occur. 1) Some CLI commands may not produce the expected output, or the output will be truncated. 2) The reload command may not properly respond to some parameters. 3) New Telnet sessions may not be allowed to form. 4) DHCP requests may be lost by the switch. 5) The system may need to be reloaded before the issues clear. 180 Software Fixes in Release K.11.12 - K.13.49 Release K.13.02 Release K.13.02 The following problems were resolved in release K.13.02. ■ Enhancement (PR_1000458124) — VRRP Preemptive Delay Timer. For more information, see “Release K.13.02 Enhancements” on page 71. ■ CLI (PR_1000307590) — Tab-help error in the spanning-tree instance <instance number> vlan <vlan number> command context. ■ CLI (PR_1000330684) — Help text in the spanning-tree <port_id> context was updated. ■ CLI (PR_1000742426) — The CLI command copy usb pub-key-file doesn't provide all the appropriate options. ■ Event Log (PR_1000751191) — There is a misspelled event log message: chassis: Insufficient power supplies. ■ Event Log (PR_1000757272) — There may be corruption in PIM log messages. ■ DHCP Snooping (PR_1000757935) — DHCP Snooping may miss some packets in certain situations. ■ Mirroring (PR_1000758793) — When a mirror ACL is applied with multiple destinations, only one of those destinations work properly. Beginning with K.13.02 software, there is only one ACL mirror destination supported. ■ Mirroring (PR_1000758803) — Applying a second mirror ACL using the same access group number adds a conflicting mirror session rather than replacing the existing entry. ■ Mirroring (PR_1000758810) — When an ACL used as a mirror ACL is modified, the mirror does not get updated. ■ Mirroring (PR_1000758814) — Applying a mirror ACL may overwrite a standard mirror session (of the same number) rather than triggering an error stating that the mirror session is already in use. ■ Counters (PR_1000758834) — SFLOW counter-polling samples may be infrequent or they may stop until the switch is rebooted. ■ IGMP (PR_1000739226) — Some hosts or downstream devices may experience a disruption in multicast data due to the loss of IGMPv3 reports. ■ VRRP (PR_1000401050) — Turning on IP multicast routing without enabling PIM may cause VRRP starvation. ■ SCP (PR_1000760416) — Software transferred through SCP upload becomes corrupted; the image is successfully copied via SCP, but when the switch processes the image in copying to flash, the write never completes. 181 Software Fixes in Release K.11.12 - K.13.49 Release K.13.03 ■ CLI (PR_1000455370) — Commands that display portmaps may yield corrupted output. For example, a single port may be displayed as a port range. ■ RIP (PR_1000751858) — Some static routes may not be correctly distributed by RIPv1 or RIPv2. ■ PIM (PR_1000714322) — A new multicast stream may not get forwarded by the switch. ■ Crash (PR_1000759046) — Using the "\" character with or without other character combinations may cause the switch to crash with a message similar to the following. There may also be different crash messages resulting from the same problem. Software exception at parser.c:2653 — in 'mSess1', task ID = 0x898e6a0-> ASSERT: failed ■ PIM (PR_1000749627) — A switch with PIM-SM may send a prune to the RP when none is required. ■ Web Management (PR_1000472572) — The Web Management Interface does not properly allow configuration of port monitoring/mirroring. Addendum to Release K.13.02: ■ ACL (PR_1000714376/1000760152) — Attempts to apply an access group to a range of ports will fail after the initial configuration unless a write mem and reload are done in between configuration statements. Release K.13.03 The following problems were resolved in release K.13.03. ■ Enhancement (PR_1000400991) — The 802.1X Controlled Directions feature now functions independently of the STP configuration. For more information, see “Release K.13.03 Enhancements” on page 75. ■ IPv6 (PR_1000768670) — When virus throttling is configured on a port that belongs to an IPv6 enabled VLAN, some IPv6 all nodes (ff02::1) multicast traffic may be dropped. ■ Mirroring (PR_1000768655) — After a mirror ACL has been modified, some ACL commands that follow may result in an unresponsive CLI session. ■ IDM ACL (PR_1000768727) — An IDM ACL that uses the syntax, destination ip "any" will result in a parsing error, the ACL will not be applied, and the client authentication will fail. Workaround: Instead of the term "any," use “0.0.0.0/0.” ■ VRRP PDT (PR_1000756475) — If the VRRP preemptive delay timer (PDT) is configured, the virtual router mode (Owner or Backup) cannot be changed unless the PDT configuration is removed. 182 Software Fixes in Release K.11.12 - K.13.49 Release K.13.04 ■ Crash (PR_1000763409) — When entering and deleting ACLs, the switch may crash with a message similar to: PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x087a1ba8 HW Addr=0x1f89d420 IP=0x005e62e0 Task=’mSess2’ Task ID=0x87a3cd0.fp: 0x00000005 sp:0x087a1c68 lr:0x005e6340. ■ DHCP Relay (PR_1000751623) — If the IP address on a VLAN interface is changed, any previously configured IP Helper address stops working. Release K.13.04 The following problems were resolved in release K.13.04 (never released). ■ Self-test/Module (PR_0000000510) — Inserting a module into a Switch 8212zl may result in the module failing to initialize with one of the following error messages: Self test failure or unsupported module, or chassis: Insufficient power supplies to power Slot <x> ■ Port/Config (PR_1000772652) — A switch running software version K.12.52 or later only accepts the speed-duplex settings ‘auto’ or ‘1000-full’ for the dual-personality ports when the configuration file is transferred to the switch via tftp, scp or sftp. Other port settings that should be valid cause the file transfer to abort with a "corrupted download file" error. ■ Port/Config (PR_1000778004) — The switch accepts, via file transfer, a config file with invalid speed/duplex settings on dual-personality ports. Additionally, the 100-FX port settings do not survive a reboot. ■ TFTP/ACL (PR_1000771560) — The copy tftp command-file command rejects ACL remarks if they do not contain the keywords permit or deny. ■ SNMPv3/Config (PR_1000777656) — The SNMPv3 configuration is removed from the switch's config file after an update from K.12.xx to K.13.03. ■ SSH/Config (PR_1000777873) — SSH becomes disabled (an ‘ip ssh’ entry in the config file becomes a ‘no ip ssh’ entry in the config file) after an update from K.12.xx to K.13.03. In K.12.xx software, SSH is disabled by default. In K.13.xx software, SSH is enabled by default. Since default values are not displayed in the output of show run or show config commands, this results in a difference in the configuration file output of SSH from K.12.xx to K.13.xx. ■ TFTP/Config (PR_0000000922) — TFTP client configuration becomes disabled (‘no tftp client’) after an update from K.12.xx to K.13.03. ■ 'show tech all/route'/Hang (PR_1000779458) — When the show tech all or show tech route commands are used within a remote management session, the switch may hang. 183 Software Fixes in Release K.11.12 - K.13.49 Release K.13.04 ■ Enhancement (PR_ 0000000081) — The CLI clear module command allows you to remove module configuration information from the configuration file. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000082) — The CLI track interface command allows you to configure tracking for a port or list of ports, or a trunk or list of trunks. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000084) — DHCP Option 66 provides a way to automatically download and initially boot from a configuration that is different from the factory-shipped configuration. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000085) — The DHCP relay address configuration enhancement provides a way to configure a gateway address for the DHCP relay agent to use for DHCP requests, rather than the DHCP relay agent automatically assigning the lowest-numbered IP address. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000086) — This enhancement allows rate-limiting of inbound broadcast and multicast traffic on the switch. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000087) — This enhancement enables a Telnet client to use the hostname in command input. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000089) — The CLI show modules command displays additional component information for system support modules and mini-GBICS. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000101) — This enhancement adds a vrrp option to the debug command. For more information, see “Release K.13.04 Enhancements” on page 76. ■ Enhancement (PR_ 0000000420) — This enhancement provides the show tech option for customizing copy tftp output. For more information, see “Release K.13.04 Enhancements” on page 76. ■ 'show tech' (PR_0000000635) — The show tech CLI command will cause an "Invalid input: power" error message to be displayed in the ProCurve Switch 6200yl-24G-mGBIC. ■ CLI (PR_0000000358) — The output from the show modules CLI command shows the module serial number as being all zeros, or fails to show any output at all for that value. ■ CLI/sFlow (PR_0000000360) — The switch administrator is unable to configure sFlow for ports on modules that have not been inserted yet into the switch. 184 Software Fixes in Release K.11.12 - K.13.49 Release K.13.04 ■ 185 CLI (PR_0000000476) — Various CLI parameters are rejected by the switch as invalid when the administrator is trying to configure ports of transceivers/modules that have not yet been inserted into the switch. Affected commands include ip source-binding; interface <x> power; interface <x> unknown-vlans block; output from the command, show vlans; interface <x> monitor; and mirror <x> port <x>. Software Fixes in Release K.11.12 - K.13.49 Release K.13.05 Release K.13.05 The following problems were resolved in release K.13.05 (not a public release). ■ Link/Config (PR_1000771549) — On a ProCurve 3500yl Series Switch, a link will not come up after configuring the port mode from MDI to AUTOMDIX (on one side of the link). ■ Static Route/Config (PR_1000785177) — The VLAN ID for the static route configuration is changed from its original value after updating from K.12.xx to K.13.03. ■ SNMP/Config (PR_1000780506) — The TFTP transfer of a config file to the switch will fail if the config file contains the command snmp-server trap-source <xx.xx.xx.xx>. ■ Crash (PR_0000000971) — Following MAC authentication of a number of users that have a RADIUS ACL, priority, and a number of other parameters applied, the switch may crash with a message similar to: NMI event SW:IP=0x00334dc8 MSR:0x00029210 LR:0x00334e3c Task='mWebAuth' Task ID=0x8413770. cr: 0x20004044 sp:0x08413260 xer:0x20000000 ■ Crash (PR_1000783817) — The switch may crash with a message similar to: NMI event SW:IP=0x0010770c MSR:0x00029210 LR:0x00107714 Task='midmCtrl' Task ID=0x8417f00 xer:0x00000000 cr: 0x24004084 sp:0x08417c08 ■ SNMP/Config (PR_1000786158) — The TFTP transfer of a configuration file created on K.12.xx to a switch running K.13.03 will fail if the configuration file contains the command snmp-server enable traps authentication. ■ IPv6/Config (PR_1000781026) — When a configuration file is transferred to the switch and the file contains a VLAN with the ‘ipv6 mld’ statement, the switch alters the ‘ipv6 mld’ statement to ‘no ipv6 mld fastleave 1-A24,=1-Mesh,Trk1-Trk60,Dyn1-Dyn60’. ■ SNTP/Config (PR_1000786156) — The TFTP transfer of a configuration file created on K.12.xx to a switch running K.13.03 will fail if the configuration file contains the command sntp server <x.x.x.x>. ■ VLAN/Config (PR_1000782308) — Updating from K.12.xx to K.13.03 may result in an incorrect port VLAN assignment. ■ Telnet-Server/Config (PR_0000000946) — The TFTP transfer of a config file to the switch will fail if the config file contains the command no telnet-server. ■ Authorized-Manager/Config (PR_1000789930) — The update from K.12.xx to K.13.03 does not translate the IP authorized-manager configuration properly. 186 Software Fixes in Release K.11.12 - K.13.49 Release K.13.06 ■ UDLD (PR_0000001433) — After the switch is rebooted, UDLD may continue to keep switch ports in a blocked state. ■ VLAN Mirroring/Config (PR_0000001240) — The VLAN Mirroring configuration is changed from its original value after updating from K.12.xx to K.13.03. ■ Bootup/Flash (PR_1000785118) — During the write-to-flash process, the OS file may become truncated if the switch is interrupted (by crash or power outage, for example). This fix minimizes that risk for ProCurve 3500yl, 6200yl, 5400zl Series Switches. ■ Bootup/Flash (PR_1000785113) — During the write-to-flash process, the configuration file may become truncated if the switch is interrupted (by crash or power outage, for example). This fix minimizes that risk for ProCurve 3500yl, 6200yl, 5400zl Series switches. Release K.13.06 The following problems were resolved in release K.13.06 (not a public release). ■ Static Route/Config (PR_0000001471) — Rebooting a switch running K.13.03 may cause the static route configuration to become corrupted. ■ OSPF (PR_1000385566) — When jumbo frames are enabled on a VLAN configured for OSPF, the state stops at EXCHANGE and EXSTART. ■ UDLD (PR_0000001616 and PR_0000001638) — After the switch is rebooted, UDLD may continue to keep ports in a blocked state, particularly if the port is in a static LACP trunk. ■ CLI (PR_0000001643) — The ip authorized-managers CLI command does not allow the 10.0.0.0 IP address to be used. Release K.13.07 The following problems were resolved in release K.13.07 (not a public release). ■ Loopback Interface (PR_1000793862) — A ping or Telnet session to a loopback address may fail intermittently. A traceroute to the loopback address completes successfully. This may cause some protocol packets to fail to reach the loopback address. ■ Crash (PR_0000001689) — A switch running software version K.13.04 or higher may crash during configuration of a trunk group from either the CLI or menu interface. Event log messages may be similar to the following. W 03/11/06 03:18:53 00374 chassis: Ports 25-48 Slave ROM Tombstone: 0x13000601 187 Software Fixes in Release K.11.12 - K.13.49 Release K.13.08 W 03/11/06 0x13000601 W 03/11/06 detected I 03/11/06 I 03/11/06 I 03/11/06 03:18:53 00374 chassis: Ports 25-48 Slave ROM Tombstone: 03:18:53 00374 chassis: Ports 25-48: Lost Communications Heart Beat Lost 03:19:00 00375 chassis: Ports 25-48 Downloading 03:19:01 00376 chassis: Ports 25-48 Download Complete 03:19:15 00422 chassis: Ports 25-48 Ready ■ ARP Protect/Config (PR_0000001549) — The VLAN ID range for the ARP protection configuration is changed from its original value after updating from K.12.xx to K.13.03. ■ Crash/Config Migration (PR_0000001607) — If VRRP is configured on a switch and the switch is rolled back from K.13.xx to K.12.xx and then updated to K.13.xx again, the switch may get into a continuous crash/reboot state. The crash messages may be similar to the following. NMI event SW:IP=0x0015e960 MSR:0x00029210 LR:0x00229944 Task='mSess1' Task ID=x86fe5f0 cr: 0x24022488 sp:0x086fd960 xer:0x00000000 NMI event SW:IP=0x0083670c MSR:0x00029210 LR:0x007c4e1c Task='mIpCtrl' Task ID0x8c0ed90 cr: 0x24004084 sp:0x08c0e4c0 xer:0x20000000 Software exception at vrrp_common_lib.c:279 -- in 'swInitTask', task ID = 0x917630 The fix involves partially removing some of the VRRP configuration and then generating an Event Log message similar to: E 07/14/06 10:14:15 00227 mgr: Partial config deleted for subsystem=vrrp;see release notes. Release K.13.08 The following problems were resolved in release K.13.08. ■ SNMP/Config (PR_0000001672) — The snmp-server configuration may change during the migration from K.12.xx to K.13.03. ■ Web/MAC Authentication (PR_1000793226) — Web or MAC authentication to the switch by a client that moves from one port to another may either fail or cause the switch to crash with a message similar to the following. Program exception vector - Task='mWebAuth' Task ID=0x83bc390 188 Software Fixes in Release K.11.12 - K.13.49 Release K.13.09 Release K.13.09 The following problems were resolved in release K.13.09. ■ Crash (PR_0000001689a) — A switch running software version K.13.04 or higher may crash during configuration of broadcast rate limiting. Event log messages may be similar to the following. W 03/11/06 03:18:53 00374 chassis: Ports 25-48 Slave ROM Tombstone: 0x13000601 W 03/11/06 03:18:53 00374 chassis: Ports 25-48 Slave ROM Tombstone: 0x13000601W 03/11/06 03:18:53 00374 chassis: Ports 25-48: Lost Communications detected - Heart Beat Lost I 03/11/06 03:19:00 00375 chassis: Ports 25-48 Dowloading I 03/11/06 03:19:01 00376 chassis: Ports 25-48 Download Complete I 03/11/06 03:19:15 00422 chassis: Ports 25-48 Ready ■ Web Authentication (PR_0000002047) — Use of Web authentication with MS-CHAP-v2 to Microsoft IAS may cause the switch to crash with a message similar to the following. Software exception at exception.c:501 -- in 'mWebAuth', task ID = 0x8438440 Memory System error at 0x7f56610 - memPartFree ■ MAC Authentication (PR_0000002075) — A client that fails MAC authentication will be blocked by AAA rather than the port being moved, unblocked, into a configured Unauthenticated VLAN. Release K.13.10 The following problems were resolved in release K.13.10 (never released). ■ VLAN/Config (PR_1000782308) — Updating from K.12.xx to K.13.03 may result in an incorrect port VLAN assignment. ■ MAC Authentication (0000002318) — Authenticated MAC Auth clients may intermittently get placed into the unauthenticated VLAN and never come on-line. ■ Port Security (PR_1000777162) — When Port Security is configured for static MAC address learning, prolonged flooding of unicast traffic may occur under certain conditions. ■ Static Routes/Config (0000001461) — Static routes mapped to VLANs are incorrectly migrated during the update from K.12.xx to K.13.xx. ■ Wrong Error Message/VRRP (0000000909) — You may receive an "inconsistent value" error message when attempting to add (max+1) entity for VRRP to track. The correct error message should be "too many entries to track." 189 Software Fixes in Release K.11.12 - K.13.49 Release K.13.11 ■ RADIUS/Jumbo (PR_ 1000779048) — When an 802.1X-enabled port belongs to a VLAN that is jumbo enabled, the Access-Request will specify a value of Framed-MTU of 9182 bytes. When the RADIUS server replies with a large frame, the switch does not respond, causing the authentication process to halt. ■ RADIUS (0000001164) — The switch drops RADIUS messages with EAP-packets larger than 1496 bytes. ■ Auto-TFTP/Config (PR_0000001410) — The Auto-TFTP configuration is lost during the update from K.12.xx to K.13.03. Release K.13.11 The following problems were resolved in release K.13.11 (not a public release). ■ TACACS+ (PR_1000764992) — After authentication to the switch using TACACS+, the switch may crash with a message similar to the following. PPC Data Storage (Bus Error) exception vector 0x300:.Stack Frame=0x08632568 HW Addr=0x30313165 IP=0x008bba1c Task='mTacacsR' Task ID=0x86329c0.fp: 0x08632750 sp:0x08632628 lr:0x008bba00 ■ DHCP Snooping (PR_1000469934) — When DHCP Snooping is enabled and configured, and a client sends a “DHCPINFORM” after receiving address information, the DHCP server response is not forwarded to the client by the switch. ■ Crash (1000790369) — Use of VRRP may cause the switch to crash with a message similar to the following. Software exception at vrrp_common_lib.c:313 -- in 'mVrrpCtrl', task ID = 0x8526e20 ■ Static Route (0000002610) — After an update/roll-back/update (K.12 to K.13 to K.12 to K.13), static route entries may become corrupted, causing the CLI to hang following execution of the show ip route command. Release K.13.12 The following problems were resolved in release K.13.12 (never released). ■ Crash (PR_0000002347) — When a VLAN is deleted, all the modules may crash with a message similar to the following. ipamSRtDescr.c Line:289 mIpAdMUpCt0x4484364c ->ASSERT: ■ failed Certificate (PR_1000416167) — The Web Management interface submission form limits CA-signed certificates to 1800 bytes. 190 Software Fixes in Release K.11.12 - K.13.49 Release K.13.12 ■ 802.1X (PR_0000002036) — 802.1X with Funk Steel Belted RADIUS server causes the switch to fail to assign the VLAN that it was sent with the "Tunnel-Private-Group-Id" parameter. ■ Module Selftest (PR 0000001273) — After a reboot, ports 1-24 or ports 25-48 on the ProCurve 3500yl, or ports 1-24 on the 6200yl switches, may become unresponsive followed by green and amber port LEDs remaining lit. The ports recover automatically. The log file will show the following messages. chassis: chassis: Lost(4A) chassis: chassis: chassis: Ports 1-24: Slave ROM Tombstone: 0x13000601 Ports 1-24: Lost Communications detected - Heart Beat Ports 1-24 Downloading Ports 1-24 Download Complete Ports 1-24 Ready ■ SNMP (PR_1000772026) — The wrong OID is set for a redundant power supply (RPS) failure. ■ CLI (PR_0000002177) — When a ProCurve switch yl 10-GbE module (J8694A) is inserted into a 3500yl or 6200yl switch, the switch may prompt, "Do you want to save the config?," even when no changes to the config have been made. ■ Loopback Interface (PR_0000002165) — A ping or Telnet session to a loopback address may fail intermittently. A traceroute to the loopback address completes successfully. This may cause some protocol packets to fail to reach the loopback address. ■ CLI (PR_1000745509) — Output from the CLI command show ipv6 neighbors vlan <x> is not displaying the correct age, and it may erroneously display the State Age as "stale" after a recent learn. ■ ICMP (PR_1000764033) — ICMP TTL expired messages are being sent with a source address of the interface from which the message is sent rather than the from the interface that receives the expired packet. ■ Web (PR_1000761014) — The Web interface truncates 16 character passwords to 15 characters. ■ MIB (PR_1000770084) — Several OIDs in MIB violate RFC 2737 and RFC 4133. The affected OIDs are: .iso.org.dod.internet.mgmt.mib-2.entityMIB.entityMIBObjects.entityPhysic al.entPhysicalTable.entPhysicalEntry.entPhysicalHardwareRev .iso.org.dod.internet.mgmt.mib2.entityMIB.entityMIBObjects.entityPhysical.entPhysicalTable.entPhys calEntry.entPhysicalFirmwareRev 191 Software Fixes in Release K.11.12 - K.13.49 Release K.13.13 .iso.org.dod.internet.mgmt.mib2.entityMIB.entityMIBObjects.entityPhysical.entPhysicalTable.entPhys calEntry.entPhysicalSerialNum .iso.org.dod.internet.mgmt.mib2.entityMIB.entityMIBObjects.entityPhysical.entPhysicalTable.entPhys calEntry.entPhysicalModelName Release K.13.13 The following problems were resolved in release K.13.13 (never released). ■ 802.1X (PR_1000446227) — Switch 802.1X authentication running over PAP does not work if the RADIUS message authenticator attribute is required. This fix added the message authenticator attribute to non-EAP RADIUS responses. ■ VLAN/MSTP (PR_0000002103) — The alteration of the VLAN/MSTP instance mapping in the pending configuration is not properly functioning. Any attempt to remove a single VLAN ID (VID) from one MSTP instance and then assign it to another MSTP instance fails, though specifying a VID range succeeds. ■ SSH (PR_0000001296) — Upon reboot, if no key is present, a 1024-bit dsa ssh host key is installed rather than the previous default host key type of a 2048-bit rsa key. ■ CLI (PR_1000430534) — Output from the show port-access mac-based CLI command may omit connected clients. ■ Static Routes/Config (0000001461) — Static routes mapped to VLANs are incorrectly migrated during the update from K.12.xx to K.13.xx. This is a further improvement to the fix originally implemented in K.13.10. ■ DHCP (PR_0000002888) — A client may not be able to get a DHCP address when the Management VLAN is configured on the switch. Release K.13.14 The following problems were resolved in release K.13.14 (not a public release). ■ OSPF (PR_0000003395) — If a transceiver or mini-GBIC is inserted (hotswapped) on a port that is a member of a VLAN configured for jumbo frames and OSPF, the OSPF state stops at EXCHANGE and EXSTART. 192 Software Fixes in Release K.11.12 - K.13.49 Release K.13.15 Release K.13.15 The following problems were resolved in release K.13.15 (never released). No enhancements; No bug fixes. Release K.13.16 The following problems were resolved in release K.13.16 (not a public release). ■ Enhancement (PR_0000001641) — This enhancement allows the user to set the console inactivity time out without reboot. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Enhancement (PR_1000780247) — This enhancement provides hpicf Download MIB support for transferring configuration files both to and from a TFTP server. Prior to this enhancement, MIB support was limited to downloading and uploading software files. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Enhancement (PR_0000001430) — This enhancement allows the user to configure access methods for IP Authorized Manager entries. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Enhancement (PR_0000000090) — This enhancement allows you to choose which information to display when you enter the show interfaces command. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Enhancement (PR_0000000857) — This enhancement reduces the PIM delay time, thereby reducing the amount of time it takes for a packet to arrive at its destination when an IGMP Join is issued. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Enhancement (PR_0000001790) — This enhancement provides the no-tag-added parameter that gives the user the option of not tagging a mirrored copy of an outbound packet. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Enhancement (PR_1000756562) — This enhancement provides concurrent Web/MAC and 802.1x authentication. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Enhancement (PR_0000000088) — This enhancement provides new features for use with SSH. The SSH enhancements are: AES encryption (included in the K.13.02 release). A new configuration option is added to allow the server to specify the set of ciphers available for client connection; A configurable key; Message Authentication Code (MAC) configuration. 193 Software Fixes in Release K.11.12 - K.13.49 Release K.13.17 A new configuration option provides the ability to configure which MACs a client is permitted to use; Feedback information; and, SSH CLI show command information enhancements. For more information, see “Release K.13.16 Enhancements” on page 94. ■ Config (PR_0000000741) — When the rate limit for broadcast or multicast inbound is set to 0% (i.e. blocking all traffic), output from the CLI command show running config doesn’t display any rate limit information. If the rate limit is set to 100% (i.e. allow all traffic – the default), show running config shows that rate-limiting is set to 100%. The correct behavior is for non-default values to be displayed in the configuration. Release K.13.17 The following problems were resolved in release K.13.17 (not a public release). ■ RADIUS/Jumbo (PR_ 1000779048) — When an 802.1X enabled port belongs to a VLAN that is jumbo enabled, the Access-Request will specify a value of Framed-MTU of 9182 bytes. When the RADIUS server replies with a large frame, the switch does not respond, causing the authentication process to halt. ■ Protocol Starvation (PR_0000003814) — If the switch is configured for routing, certain packets may cause a packet buffer leak, resulting in some or all of the following symptoms: • OSPF neighbor relationships and route information are lost • PIM neighbor relationships are lost • Telnet, Ping, and SNMP become unresponsive Authorized Managers (PR_1000806039) — ProCurve Manager may delete Authorized Managers that have been configured on the switch. ■ Crash (PR_0000001756) — Configuration of VLANs and VLAN port assignment using SNMP may cause the switch may crash with a message similar to the following. Software exception at bcmHwVlans.c:149 -- in 'mAdMgrCtrl', task ID = 0x18636e8 -> ASIC call failed: Entry not found. ■ Crash (PR_1000715077) — When RADIUS Accounting is configured, the switch may crash with a message similar to the following. NMI event SW:IP=0x002bd6c4 MSR:0x00029210 LR:0x002bc6a8 Task='mAcctCtrl' Task ID=0x85e9f10 cr: 0x48000084 sp:0x085e9e38 xer:0x20000000 ■ Static Route/Config (PR_0000003962) — Updating from K.13.03 - K.13.09 to K.13.10 K.13.16 can cause static routes configured with a VLAN as the next hop (vs. an IP address) do not translate correctly. 194 Software Fixes in Release K.11.12 - K.13.49 Release K.13.18 ■ SNMP (PR_1000761379) — When an SNMP get is used to gather statistics, the interface B1 on a J8702A module only updates its SNMP counters on every other query. ■ SNMP (PR_0000001807) — Use of a correctly configured third party utility to connect to the switch via SNMPv3 may result in the following event log message. SNMP Security access violation from <ip address> ■ PIM/Config (PR_0000002040) — PIM configurations mapped to VLANs are incorrectly mapped after updating from K.12.xx to K.13.xx. Note that while this fix addresses the way the configuration is updated, rolling back the software while using the same configuration can still result in corruption in PIM configurations mapped to VLANs. Release K.13.18 The following problems were resolved in release K.13.18 (never released). ■ UDLD (PR_0000002473) — UDLD protocol packets received on a (non-UDLD) trunk port are incorrectly forwarded out of same port they are received on, resulting in high CPU usage on the switch. ■ Enhancement (PR_1000406763) — New commands were added to the CLI response to the "show tech" command. For more information, see “Release K.13.18 Enhancements” on page 109. ■ SSH (PR_0000002946) — ProCurve 8212zl switches do not automatically create the SSH folder on /cfa0; the result is that attempts to generate a crypto key may result in the following error. Installing new RSA key. If the key/entropy cache is depleted, this could take up to a minute. Operation aborted. ■ ACL (PR_0000004860) — Mirrored ACL packets that match deny statements, are mirrored; the correct behavior is that only packets matching permit statements should be mirrored. ■ Crash (PR_0000004166) — When the PIM Sparse Mode "trap all" parameter is configured and the link to PIM neighbor is disabled, the switch will crash and may report a message similar to the following. Software exception at exception.c:501 -- in 'mPimsmCtrl', task ID = 0x8215d30 Memory system error at 0x7c838f0 – memPartFree ■ 195 Mirror/CLI (PR_0000003269) — The CLI incorrectly configures the option "no-tag-added" across multiple mirror sessions, resulting in the wrong output saved to the config file. Software Fixes in Release K.11.12 - K.13.49 Release K.13.19 ■ Wake-On-LAN (PR_0000004794) — Wake-On-LAN does not always work successfully. ■ IP Phone (PR_0000004803) — A tandem IP phone may stop talking to the switch after a connected PC login failure and reboot. ■ PIM-SM (PR_0000005219) — When the switch sends a “Register-Stop” message, it will use an incorrect source IP address in the packet header of the message. Rather than using the IP address configured for the PIM RP, the switch uses the VLAN IP address. ■ Mirroring (PR_0000002926) — When mirroring on a mesh or trunk port, the mirror session is not cleared after the mesh or trunk configuration is deleted. Release K.13.19 The following problems were resolved in release K.13.19 (not a public release). ■ Enhancement (PR_0000003808) — This enhancement allows the user to create command aliases for use in place of command names and their options. For more information, see “Release K.13.19 Enhancements” on page 109. ■ Enhancement (PR_0000000818) — This enhancement allows the user to enter addresses and filter parameters for syslog using SNMP, which allows more options for remote access and management of the switch. For more information, see “Release K.13.19 Enhancements” on page 109. ■ Enhancement (PR_0000003390) — This enhancement allows the user to customize Web Authentication HTML pages. For more information, see “Release K.13.19 Enhancements” on page 109. ■ Enhancement (PR_1000460265) — This enhancement provides the user with Dynamic IP Lockdown, which is used to prevent IP source address spoofing on a per-port and per-VLAN basis. For more information, see “Release K.13.19 Enhancements” on page 109. Release K.13.20 The following problems were resolved in release K.13.20 (not a public release). ■ Enhancement (PR_0000004124) — Support was added for the J9144A ProCurve 10-GbE X2-SC LRM Optic. For more information, see “Release K.13.20 Enhancements” on page 138. ■ 10-GbE (PR_0000001701) — Sometimes, the LRM optic is misidentified as an LR optic. ■ CLI (PR_0000001528) — 10-GbE X2 transceivers do not report their part numbers in response to the CLI command show tech transceivers. 196 Software Fixes in Release K.11.12 - K.13.49 Release K.13.21 ■ X2 Transceivers (PR_0000004758) — Some ProCurve SR and ER X2-10GbE (J8436A, J8437A) transceivers have a timing issue that prevents the transceivers from being correctly identified either when hot swapped or during a cold boot. ■ LEDs (PR_0000005623) — Upon insertion of a removable transceiver – either X2 or SFP - the link LED fails to light for the 2 second-long indication of insertion confirmation. ■ Event Log (PR_0000005624) — A failed "removable" transceiver results in two event log messages rather than just one. ■ Authentication (PR_0000005582) — Sometimes PC in the PC-phone tandem authentication does not get authorized on its untagged VLAN. Release K.13.21 The following problems were resolved in release K.13.21 (never released). ■ CLI (PR_1000760929) — Output from the CLI command show name int <port list> fails to display the port number for interfaces with numbers larger than 9. ■ Config (PR_0000003638) — Fastboot can be configured, but then it cannot be disabled. ■ Multicast Filter (PR_0000002988) — Multicast filters may become corrupted following their initial configuration, save and subsequent switch reload. ■ Self-Test (PR_0000001406) — The failure of a single module within a Switch 8212zl or 5400zl chassis may cause false self-test failures for other installed modules. ■ CLI (PR_0000005300) — The displayed output of the CLI command show ip pim rp-set is not properly formatted. ■ CLI (PR_0000005302) — The displayed output of the CLI command show ip pim pending is not properly formatted. ■ CLI (PR_1000782972) — An incorrect line voltage value may be displayed in the output of the show system power CLI command. ■ CLI (PR_0000005381) — Attempts to perform a copy flash <primary|secondary> at the CLI of a 8212zl switch running K.13.05 or higher will fail with the following error. Flash-to-flash copy of product code failed ■ Config (PR_1000781011) — Copying a config onto a switch allows the appearance of an invalid flow control setting (enabled) on half duplex ports. ■ Config (PR_1000781015) — When the MDIX-mode is configured for dual-personality ports, copying a config onto a switch fails and produces a message about config file corruption. 197 Software Fixes in Release K.11.12 - K.13.49 Release K.13.22 ■ Config (PR_1000781031) — When the valid port setting ‘auto-1000’ is configured for any 10/100/1000 interface in an external configuration file and the configuration file is copied to the switch, the system returns the port setting to the default value, changing ‘auto-1000’ to ‘auto.’ ■ CLI (PR_0000004687) — The CLI command ip access-list resequence <name-str> does not accept a number for the ACL title as it should. ■ PIM-SM (PR_0000006180) — PIM Sparse Mode may choose an incorrect rendezvous point (RP), causing interoperability problems. This fix changes the way a RP is chosen such that ALL the devices running "K" versions of software must be on either pre- or post-fix software version in order to use the same criteria to choose the PIM RP. ■ Event Log (PR_1000755803) — ProCurve Manager is unable to display a link to the switch Web Interface in events generated by Fault Finder. Release K.13.22 The following problems were resolved in release K.13.22 (not a public release). ■ CLI (PR_0000002856/1000769143) — The switch is unable to execute the CLI command show tech while in QinQ svlan mode. ■ OSPF (PR_0000006183) — OSPF ECMP may drop up to 50% of the traffic destined for its next hop. ■ Mini-GBIC (PR_0000006298) — Mini-GBICs in dual-personality ports fail self-test when the switch is running K.13.20-K.13.21. Workaround: Configure fastboot. ■ Licensing (PR_0000006554) — An invalid hardware ID (required for Premium Licensing in 3500yl and 5400zl switches) is created by switches running K.13.15 - K.13.21. Release K.13.23 The following problems were resolved in release K.13.23. ■ Crash (PR_0000006624) — When using the Web Management Interface on software version K.13.17 and higher, the switch may crash if the "Configuration" and then "IP Configuration" tabs are clicked. There may be other triggers for this crash. The switch will display a message similar to the following. PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x0815da48 HW Addr=0xa2d3e193 IP=0x00169178 Task='tHttpd' Task ID=0x fp: 0x00a650c4 sp: 198 Software Fixes in Release K.11.12 - K.13.49 Release K.13.24 ■ Authentication (PR_0000007209) — A PC behind a tandem IP phone is not able to authenticate. Release K.13.24 The following problems were resolved in release K.13.24 (not a public release). ■ OSPF (PR_0000006183a) — OSPF ECMP may drop up to 50% of the traffic destined for its next hop. This fix adds to that implemented in K.13.22 via the same PR. ■ Crash (PR_0000003949) — Implementation of OSPF ECMP route changes may cause the switch to crash with a message similar to the following. Software exception at exception.c:501 -- in 'eRouteCtrl', task ID = 0x83da3f0 -> Memory system error at 0x7bd9540 - memPartFree ■ 802.1X (PR_ 0000007259) — Configuring 802.1X without activating it does not function as expected, resulting in blocking of the port. Release K.13.25 The following problems were resolved in release K.13.25. ■ SSH (PR_0000002934) — Copying the client's public SSH keys from the switch fails with the following error. Couldn't read from remote file "/ssh/mgr_keys/authorized_keys ■ Crash (PR_0000004023) — Repeated PCM configuration scans may cause the switch to crash with a message similar to the following. PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x07af44c0 HW Addr=0x6520463a IP=0x00965a88 Task='tSsh0' Task ID=0x7af4810fp: 0x013d97cc sp:0 ■ Management Module (PR_0000005902) — The management module may become unresponsive, resulting in loss of Telnet, Web Management, and console access functionality of the switch. ■ 802.1X Authentication (PR_0000002695) — When an 802.1X enabled port belongs to a VLAN that is jumbo enabled, the Access-Request will specify a value of Framed-MTU of 9182 bytes. This allows the RADIUS server to reply with a large fragment which the switch does not process, causing the authentication to fail. This is an additional fix for the issue described in K.13.17 via PR_1000779048. 199 Software Fixes in Release K.11.12 - K.13.49 Release K.13.26 through K.13.39 ■ GVRP/RADIUS (PR_0000006051) — RADIUS-assigned VLANs are not propagated correctly in GVRP. Please see “Note: This fix is associated with some new switch behavior: ” for a description of the behavior change with this fix. Note: This fix is associated with some new switch behavior: When only one port has learned of a dynamic VLAN, it will advertise that VLAN if an auth port has been RADIUS-assigned that dynamic VLAN, regardless of the unknown-VLANs configuration of that port. The fix accommodates RADIUS-assigned (and hpicfUsrProf MIB-assigned) tagged VLANs as well as untagged VLANs. These changes are enabled by default and are not configurable. This fix does not modify any other GVRP behavior. ■ Assert (PR_0000001836) — VRRP configuration conversion from K.12.xx to K.13.xx software may experience a crash (assert) in ConfigRecIndex(). ■ Assert (PR_0000005208) — Entering no ipv6 enable at the CLI may result in a crash with a message similar to the following. Software exception at ConfigRecIndex.cc:421 -- in 'mSess1', task ID = 0x58c1c38-> ASSERT: failed. ■ Config (PR_0000002620) — A MAC-lockdown command that includes VLAN information may fail when it is copied to the default configuration. Release K.13.26 through K.13.39 Software never built. Release K.13.40 The following problems were resolved in release K.13.40 (Never released). ■ Enhancement (PR_0000003127) — Link Trap and LACP Global Enable/Disable. For more information, see “Release K.13.40 Enhancements” on page 139. ■ Enhancement (PR_0000003128) — The ability to clear statistics was added. For more information, see “Release K.13.40 Enhancements” on page 139. ■ Enhancement (PR_0000003718) — The MAC Lockout limit was increased. For more information, see “Release K.13.40 Enhancements” on page 139. ■ Enhancement (PR_0000007388) — Crash Log Debug. For more information, see “Release K.13.40 Enhancements” on page 139. ■ Crash (PR_0000003597) — Configuring a kbps based rate-limit on 10Gig port may trigger a crash in the area of bttfHwRateLimits.c:2191. 200 Software Fixes in Release K.11.12 - K.13.49 Release K.13.41 Release K.13.41 The following problems were resolved in release K.13.41 (Not a public release). ■ AAA (PR_0000008409) — The CLI commands aaa authentication and aaa accounting return a resource unavailable error. ■ PCM (PR_0000008113) — Repeated ProCurve Manager Config Scans may trigger subsequent Config Scan failure. Release K.13.42 The following problems were resolved in release K.13.42 (Never released). ■ Config (PR_0000007953) — The config line spanning-tree instance <n> vlan <vid> is truncated in some cases, causing loss of configuration after reload of the config file. ■ CLI (PR_0000000912) — The CLI command copy tftp show-tech fails, resulting in failure to create a custom show-tech file on the switch. ■ TFTP (PR_0000008559) — The switch administrator is unable to download a new image file after executing the CLI command erase primary flash; a corrupted download file error is reported. ■ ARP (PR_0000008011) — When port-security is configured, the switch sends ARP requests twice for an unknown DA, making the switch appear to be slow. ■ SFTP/SCP (PR_0000008270) — Beginning with software version K.13.25, SFTP/SCP will not close the "client" session after the file transfer. The client session will need to be manually closed. ■ RADIUS (PR_0000007278) — MAC-based authentication doesn't work with a secondary RADIUS server unless the primary and secondary RADIUS server keys are identically configured. ■ Crash (PR_0000006476) — Some configuration commands entered at the CLI (e.g. web, or no web) may cause the switch to crash with a message similar to the following: PPC Data Storage (Bus Error) exception vector 0x300:Stack Frame=0x088befe8HW Addr=0x00cff108 IP=0x0096ca4c Task='mSnmpCtrl' Task ID=0x88bf320 fp: 0x0845a7e0 ■ Crash (PR_0000005940) — An attempt at tab completion for some configuration tasks in the PIM context may cause the switch to crash with a message similar to the following: Software exception at parser.c:6291 -- in 'mSess1', task ID = 0x82ab3b0 201 Software Fixes in Release K.11.12 - K.13.49 Release K.13.43 ■ CLI (PR_0000004042) — The CLI command snmp-server response-source dst-ip-of-request does not work as expected when the destination IP address of the SNMP Request is the Loopback IP. The source IP address of the SNMP Response should be the destination IP of the SNMP Request, but instead the switch uses the IP address of the active interface from which the SNMP Response was sent. ■ CLI (PR_0000007686) — The switch does not allow IP authorized-manager configuration of 10.0.0.0. ■ TACACS+ (PR_0000003839) — The TACACS server configuration parameter accepts an address from an invalid/reserved IP range: 0.0.0.1 to 0.255.255.255. ■ Boot Log (PR_0000009434) — The switch doesn't create an event log message after deleting an invalid TACACS server host config entry upon bootup following an update from K.12.xx to K.13.xx Release K.13.43 The following problems were resolved in release K.13.43 (Not a public release). ■ CLI (PR_0000005759) — There may be odd CLI output in response to a show modules command, if that command is executed during module initialization. ■ SNMP (PR_0000001926) — An SNMP query for the MIB ifInUnknownProtos returns incorrect and varying results. ■ Enhancement (PR_0000003557) — The ability to enable/disable the USB port via CLI and SNMP was added. Note that after being disabled and subsequently re-enabled, the USB port may not function consistently with the PCM USB Autorun features until the switch has been reloaded. For more information, see “Release K.13.43 Enhancements” on page 143. Release K.13.44 The following problems were resolved in release K.13.44 (Not a public release). ■ ICMP Redirects (PR_0000004534) — With the next hop router is in the same VLAN as the host machine, the switch does not generate ICMP redirects. ■ Crash (PR_0000009736) — In some situations, ICMP redirects may cause the switch to crash with a message similar to the following. PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x084f2e40 HW Addr=0x00cff108 IP=0x00870e5c Task='mIpPktRecv' Task ID=0x84f3140 fp: 0x0a84d994 202 Software Fixes in Release K.11.12 - K.13.49 Release K.13.45 ■ CLI (PR_1000803731) — If the "|" character exists in the banner text of a configuration file downloaded via TFTP transfer, the banner text may become corrupted, or the TFTP transfer may fail with a corrupted download file error message. ■ Hang (PR_0000007806) — Using the CLI command no arp on ARP entries that do not exist may cause the switch to hang. ■ CLI (PR_0000008617) — The copy command for USB options has incorrect optional parameters for plain text files. ■ RADIUS Accounting (PR_0000004139) — Procurve switches do not send the accounting-request to a RADIUS server upon execution of the reload CLI command. ■ RADIUS Accounting (PR_0000004145) — An incomplete "Calling-Station-ID" field is sent in the accounting-request to the RADIUS server upon execution of the boot system CLI command. ■ RADIUS Accounting (PR_0000004141) — The "Acct-Status-Type" attribute is missing in the accounting-request to RADIUS server upon execution of the boot system CLI command. ■ Terminal Display (PR_0000008238) — The default boot message is displayed with the wrong formatting if the terminal width is changed. ■ CLI (PR_0000008236) — The enable CLI command is listed in enable-mode help. ■ UDLD (PR_0000009505) — UDLD misconfiguration (where UDLD is enabled on one side and disabled on the other) could lead to a unicast packet storm which results in MSTP is running with multiple roots. ■ CLI (PR_0000008217) — The copy flash CLI command does not allow the user to specify a source OS location (primary/secondary). Release K.13.45 The following problems were resolved in release K.13.45. ■ STP (PR_0000010815) — When a switch configured with BPDU protection is added to a network, if the MSTP configuration of the uplink port is changed from auto-edge to no auto-edge there is a topology change event that takes place as the switch asserts itself as a new root. ■ Enhancement (PR_0000010783) — Support was added for the following products. J9099B - ProCurve 100-BX-D SFP-LC Transceiver J9100B - ProCurve 100-BX-U SFP-LC Transceiver J9142B - ProCurve 1000-BX-D SFP-LC Mini-GBIC 203 Software Fixes in Release K.11.12 - K.13.49 Release K.13.46 J9143B – ProCurve 1000-BX-U SFP-LC Mini-GBIC For more information, see “Release K.13.45 Enhancements” on page 144. ■ Transceivers (PR_0000010525) — Intermittent self test failure may occur if transceivers are hot-swapped in and out of the switch in too short a time frame. Note that even with this fix, transceivers should always be allowed to initialize fully prior to removal and subsequent re-insertion. Best Practice Tip: Upon hot insertion of a transceiver, the Mode LED will come on for two seconds while the transceiver is initialized. Once the Mode LED has extinguished, it is safe to remove the transceiver. ■ Selftest Failure (PR_0000010937) — Rarely, the switch may experience self test failure of all the modules. Messages like the following will be visible in the event log. Re-seating the modules may allow successful self-test to occur. W <date/time stamp> 00374 chassis: Slot # Failed to boot-timeout-(SELFTEST) Release K.13.46 The following problems were resolved in release K.13.46. (Never released.) ■ sFlow (PR_0000003723) — The switch uses the loopback as the sFlow agent address, even after explicit configuration of the VLAN IP address and the collector receiving the sFlow packets. ■ SCP/SFTP (PR_0000009174) — Failure to upload a configuration via SFTP/SCP may occur. As a result, it is possible that the switch may become unresponsive or crash with a message similar to the following. Software exception at cfg_edit.cc:313 – in ‘swinitTask’, task ID = 0xa9bbcc0 ■ SCP (PR_0000011488) — The switch does not return the scp/sftp session after new software is uploaded. ■ CLI (PR_0000009997) — The CLI response to the boot set-default flash <primary | secondary> configuration setting is inconsistent between the zl (5400zl/8212zl) and yl (3500yl/6200yl) switches, potentially causing issues for customers running scripts. ■ Password Encryption (PR_0000011828) — The Password Manager portion of the Include Credentials feature is using SHA-0 Instead of SHA-1 for creation of the hash value. In order to accommodate customers that have worked around this issue, this fix will translate the configuration and correctly report the use of SHA-0 in the config after a software update containing this fix. Example line from password encryption config prior to the fix: 204 Software Fixes in Release K.11.12 - K.13.49 Release K.13.46 password operator sha-1 "lsadkjlkjfsd..." Example of what that line might look like after the fix: password operator sha0 "lsadkjlkjfsd...” No switch administrator intervention is required for the forward configuration translation to occur. Support Note: This fix has implications for rolling back the software. If password encryption is configured and a switch running software with the fix is rolled back to a software version prior to the fix using the same config file, the config loading will fail, and error messages for each line containing "sha0" or "sha1" will be displayed on the switch terminal. In the following example, sha1 was line 14 in the config, and sha0 was on line 15 of the config. Line:14. Invalid input: *sha1* Line:15. Invalid input: *sha0* To avoid configuration compatibility issues, please follow the instructions in the “Best Practices for Major Software Updates” on page 7. If roll back to a pre-fix software version occurs without following the Best Practice suggestion (association of a compatible config file with a software version), the switch administrator should gain access to the switch by hitting <enter> at the password prompt, and must then reconfigure the password encryption with valid parameters (the pre-fix CLI syntax is SHA-1, versus the post-fix CLI use of SHA0 or SHA1). The default hash value for newly configured password encryption on a software version with this fix is SHA1. ■ CLI (PR_0000009860) — Output from the CLI command show module erroneously reports the 8212zl System Support Module (SSM) product number as J8784A instead of J9095A. ■ Crash (PR_0000011049) — Copying a configuration with mirroring enabled from USB to switch may trigger a software exception with a message similar to the following. Software exception at cli_mirror.c:9953 -- in 'mftTask', task ID = 0xa932bc0 ■ VRRP (PR_0000003634) — When the VRRP Owner router (with preempt-delay-time configured) is rebooting, the VRRP Backup router momentarily gives up Master role (but does resume it) before the VRRP Owner is back online. This may cause an unexpected outage. ■ DHCP Relay (PR_0000011726) — When the VRRP backup router is the master for the network, DHCP Discover packets are relayed with a corrupted IP address for the Relay Agent. This causes the server to look up a client address range for an invalid network segment, and ultimately fail to communicate with the DHCP Server. ■ PC/Phone Authentication (PR_0000010104) — When using an IP phone in tandem with a PC, sometimes the post-authentication VLAN assignment of the PC is delayed. 205 Software Fixes in Release K.11.12 - K.13.49 Release K.13.47 Release K.13.47 The following problems were resolved in release K.13.47. (Never released.) ■ OSPF ECMP (PR_0000004798) — Some IP subnets which are multiple hops away are not reachable from certain clients despite the presence of the target subnet in the switch routing table. Workaround: Initiate a traceroute from the switch to the client PC. Release K.13.48 The following problems were resolved in release K.13.48. (Never released.) ■ DHCP Relay (PR_0000013661/000008196) — After adding a second IP Address to a VLAN with IP Helper configured, the switch Relay Agent IP Address gets corrupted such that the DHCP server does not recognize the request as part of a configured scope, and drops the request. Workaround: Save the configuration and reload the switch after configuration of an IP Helper address and DHCP Relay. ■ Module/Fabric Errors (PR_0000012418) — Switches running system software version K.12.45 or higher may see one or more of the following errors in the event log, potentially causing false self-test failures. W 12/02/08 14:24:59 00374 chassis: HSL Non-Fatal F0: SLOT D HSL #11 - HSL status FF002000 W 12/02/08 14:25:25 00374 chassis: Slot D: Msg loss detected - no ack for seq # 37 W 12/02/08 14:25:38 00374 chassis: Slot D Slave ROM Tombstone: 0x13000601 W 12/02/08 14:25:38 00374 chassis: Slot D: Lost Communications detected – Source Message System(59) W 12/02/08 14:25:58 00374 chassis: HSL Non-Fatal F0: SLOT D HSL #11 - HSL status FF002000 W 12/02/08 14:26:17 00374 chassis: Slot D: Msg loss detected - no ack for seq # 40 W 12/02/08 14:27:28 00374 chassis: Slot D Failed to boot-timeout(SELFTEST) ■ OSPF ECMP (PR_0000013777) — When the switch is acting as an ECMP router with multiple next hops available, sometimes it fails to route packets received on a local VLAN to hosts that are reachable via ECMP routes. The result is intermittent connectivity to hosts on the other side of ECMP routes. ■ Boot ROM (PR_0000014318) — This build introduces the new K.12.14 boot ROM, a prerequisite for future updates. Please do not interrupt power to the switch during the software/boot ROM update! 206 Software Fixes in Release K.11.12 - K.13.49 Release K.13.49 Release K.13.49 The following problems were resolved in release K.13.49. ■ 207 Auto-TFTP (PR_0000014646/0000013552) — Certain software file names may trigger auto-tftp to reload the same software file repeatedly. © 2006 - 2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. January 2009 Manual Part Number 5991-4720
advertising