ProCurve – Secure Management

Networking components can be managed via a web interface or via a command-line interface. Which method you prefer doesn’t matter, but it does matter that the connection is secure: if you use telnet (CLI) or HTTP (web interface), the management traffic, including credentials, is sent in clear text across the network.

I still notice that a lot of people use insecure communication methods. It is preferred to use SSH (CLI) or HTTPS (web interface) to manage your components. The commands below can be used on HP ProCurve components to enable SSH and HTTPS and to disable the telnet and HTTP management protocols. (The supported key size depends on the type of component and the firmware version used.)


switch01(config)# crypto key generate ssh rsa bits 2048
switch01(config)# ip ssh
switch01(config)# no telnet-server

Web Interface

switch01(config)# crypto key generate cert rsa <1024|2048>
switch01(config)# crypto host-cert generate self-signed
Validity start date [02/16/2015]:
Validity end date   [02/16/2016]: 09/23/2320
Common name          []: switch01.booches.local
Organizational unit  [Dept Name]: ICT
Organization      [Company Name]: Booches
City or location          [City]: Bocholtz
State name               [State]: Limburg
Country code                [US]: NL
switch01(config)# web-management ssl
switch01(config)# no web-management plaintext

Next to using secure protocols, it is preferred to create unique credentials for every administrator. One way to create unique credentials is by configuring RADIUS / TACACS authentication. A common setup is RADIUS between the switch and Active Directory. The following commands can be used to configure RADIUS on HP ProCurve switches; the local account is kept as a fallback for when the RADIUS servers are unreachable.

switch01(config)# radius-server host <radius server 1 ip> key <shared key>
switch01(config)# radius-server host <radius server 2 ip> key <shared key>
switch01(config)# aaa authentication web login radius local
switch01(config)# aaa authentication web enable radius local
switch01(config)# aaa authentication ssh login radius local
switch01(config)# aaa authentication ssh enable radius local
switch01(config)# aaa authentication login privilege-mode
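To check whether a switch actually matches the two blocks above, the following audit script (added here as an example, not part of the original post or of any HP tool) scans a saved running-config for the SSH/HTTPS, telnet/HTTP and RADIUS settings. The sample config it scans is constructed, and it assumes ProCurve lists default-on features such as telnet-server and web-management plaintext only when they are disabled, as their “no …” form.

```python
"""Audit a ProCurve running-config dump for the secure-management settings:
SSH and HTTPS enabled, telnet and plaintext HTTP disabled, RADIUS in front of
local authentication. The sample config is constructed for this example."""

# Constructed sample: SSH and RADIUS-for-SSH are done, but telnet and plaintext
# web management are still on, and the web interface is not RADIUS-backed.
SAMPLE_CONFIG = """\
; constructed running-config, not from a real switch
hostname "switch01"
ip ssh
web-management ssl
radius-server host 10.0.0.5 key "<shared key>"
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode
"""

def config_lines(text):
    """Active statements as a set; blank lines and ';' comments are dropped."""
    stripped = (l.strip() for l in text.splitlines())
    return {s for s in stripped if s and not s.startswith(";")}

def audit(text):
    """Return a list of findings; an empty list means the config matches the advice.
    Assumption: default-on features (telnet-server, web-management plaintext)
    appear in the running config only when disabled, as 'no <feature>'."""
    lines = config_lines(text)
    findings = []
    if "ip ssh" not in lines:
        findings.append("SSH not enabled (missing 'ip ssh')")
    if "no telnet-server" not in lines:
        findings.append("telnet still enabled (missing 'no telnet-server')")
    if "web-management ssl" not in lines:
        findings.append("HTTPS not enabled (missing 'web-management ssl')")
    if "no web-management plaintext" not in lines:
        findings.append("plaintext HTTP still enabled (missing 'no web-management plaintext')")
    if not any(l.startswith("radius-server host ") for l in lines):
        findings.append("no RADIUS server configured")
    # Each access method and level must try RADIUS first, then the local account.
    for access in ("web", "ssh"):
        for level in ("login", "enable"):
            want = f"aaa authentication {access} {level} radius local"
            if want not in lines:
                findings.append(f"{access} {level} not RADIUS-first (missing '{want}')")
    if "aaa authentication login privilege-mode" not in lines:
        findings.append("missing 'aaa authentication login privilege-mode'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL:", finding)
```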

HP A4800G – DHCP relay

This article isn’t very difficult or spectacular. It is just a quick note for myself on configuring DHCP relaying on an HP A4800G switch. The configuration of this type of switch is a little different compared to Cisco and/or legacy HP ProCurve switches. The following steps are required to configure DHCP relaying:

System View: return to User View with Ctrl+Z.
[SW01]dhcp enable
[SW01]dhcp relay server-group <group id> ip <DHCP server>
[SW01]interface Vlan-interface24
[SW01]dhcp select relay
[SW01]dhcp relay server-select <group id>

As said before, this is very simple. But for some reason I always forget the dhcp enable and dhcp select relay configuration options.

HP Virtual Connect Manager

While changing the configuration within HP Virtual Connect Manager, I noticed that I didn’t have any options to delete server profiles, Ethernet Networks or Shared Uplink Sets within the web browser.

I needed to change the configuration dramatically from an active / standby configuration to an active / active configuration. I also needed to change the complete server profile configuration and Ethernet Networks configuration.

I noticed that I can also connect through SSH to the HP VC Flex-10 Enet modules. This presents a CLI with a different set of commands, and of course I had more options within the CLI than in the web interface.

HP Virtual Connect Management CLI v3.18
Build: 3.18-3 (r46087) Apr  1 2011 17:45:49
(C) Copyright 2006-2011 Hewlett-Packard Development Company, L.P.
All Rights Reserved


help           : displays a list of available subcommands
exit           : quits the command shell
<subcommand> ? : displays a list of managed elements for a subcommand
<subcommand> <managed element> ? : displays detailed help for a command


Through the CLI I had the option to remove the server profiles, Ethernet Networks and the configured Shared Uplink Set. The help command (?) is very useful to check the command syntax to remove different configuration settings. You have to remove the different items in the correct order. I used the following order:

  1. Server Profile : remove profile <profile_name>
  2. Ethernet Networks : remove network <enet_name>
  3. Shared Uplink Set : remove uplinkset <sus_name>

When you try to delete the items in the wrong order, you will receive an error message on the console, as shown below.

->remove uplinkset SUS1
ERROR: Operation not allowed : The requested shared uplink set is currently in use by one or more networks

After deleting the configuration I configured my desired setup. The configuration can be a little bumpy, depending on the firmware used with the Virtual Connect Manager. I found a very good article on configuring HP Virtual Connect Manager in conjunction with ESX and Windows Hyper-V.

HP Virtual Connect Ethernet Cookbook: Single and Multiple Enclosure Domain

TIP: when configuring or changing Ethernet network settings on a Server Profile, first unassign the profile from the bay. Changing settings on an unassigned profile is much faster than on an assigned profile.

IBM Blade with Nortel and HP switches

Today I had to troubleshoot an IBM Blade system. The customer was complaining that all servers, except one, weren’t able to communicate with the rest of the network. The blade system contains two Nortel switches. Each Nortel switch is connected with a 3 Gbps LACP channel to a separate HP switch. The HP switches are the core switches of the network and have VRRP configured between them. The servers have two network cards, which are configured in an active / standby team.

I started troubleshooting by simply pinging between the different servers in the blade system. The servers were able to ping each other. Next I tried to ping the default gateway. Only the working servers could ping the default gateway, the other servers couldn’t.

Looking at the active / standby team configuration, I noticed that the active NIC communicates with the Nortel switch connected to the VRRP slave switch. So the servers weren’t able to ping the VRRP master switch (the default gateway), but they were able to ping the VRRP slave switch, and the VRRP master and slave switches could ping each other.

I looked at the VLAN tagging configuration on the Nortel and HP switches, but all the ports had the correct VLAN tagging, so this couldn’t be the problem. I changed the teaming and made the secondary NIC the active one. Now all the servers were able to communicate with the rest of the network. I switched everything back to the previous configuration and the problem returned.

Looking at these symptoms I could only point to the LACP channel as the cause of all the problems. Maybe something went wrong when establishing the LACP channel. I guess the load balancing algorithm used is MAC based, maybe destination MAC based. So all packets to the default gateway or another VLAN would use the MAC address of the VRRP master switch, and these packets would be lost on a unidirectional (UDLD) link. So I decided to disable the ports on the HP switch and leave only one port enabled.

After that all the switches could communicate with the rest of the network. I decided to disable that port and enable another single port. The servers were still able to communicate with the rest of the network. I tried using the last port and still everything was working perfectly. I decided to add the other two ports to the LACP channel. This time, with the 3 Gbps LACP channel active, everything was working perfectly.

In my opinion something went wrong during the establishment of the LACP channel. I found it difficult to troubleshoot the environment, because there aren’t many troubleshooting tools for the HP switches and especially for the Nortel blade switches.

HP ProCurve licenses

During a check-up on a network, I looked at the configuration of two HP ProCurve 5400zl switches. One of these switches functions as the core switch and default gateway for the various VLANs. To improve the availability and redundancy of the default gateway, I mentioned configuring VRRP (Virtual Router Redundancy Protocol).

One of the two core switches had the option to enable VRRP with the command: router vrrp. The other core switch didn’t have the option to enable VRRP. I found this a bit strange, because both switches have the same hardware properties and firmware version. I spent some time looking at the HP ProCurve website. There I noticed that the HP ProCurve 5400zl switches require a Premium License to enable VRRP. I didn’t even know that HP ProCurve switches had different kinds of licenses, but after contacting the supplier and obtaining the license, I could enable VRRP and improve the availability of the network.