HP A3100-8 v2 SI Switch (JG221A)
HP A3100-16 v2 SI Switch (JG222A)
HP A3100-24 v2 SI Switch (JG223A)
HP A3100-8 v2 EI Switch (JD318B)
HP A3100-16 v2 EI Switch (JD319B)
HP A3100-24 v2 EI Switch (JD320B)
HP A3100-8-PoE v2 EI Switch (JD311B)
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Contents
System maintenance and debugging
  Ping
    Introduction
    Configuring ping
    Ping configuration example
  Tracert
    Introduction
    Configuring tracert
  System debugging
    Introduction to system debugging
    Displaying debugging information
    Configuring system debugging
  Ping and tracert configuration example
NQA configuration
...
    TCP test configuration example
    UDP echo test configuration example
    Voice test configuration example
    DLSw test configuration example
NTP configuration
  NTP overview
    Applications of NTP
    Advantages of NTP
    How NTP works
...
    Configuring PoE profile
    Applying PoE profile
  Upgrading PSE processing software in service
  Displaying and maintaining PoE
  PoE configuration example
  Troubleshooting PoE
SNMP configuration
  SNMP overview
    SNMP mechanism
    SNMP protocol versions
...
    Configuring NTDP parameters
    Manually collecting topology information
    Enabling the cluster function
    Establishing a cluster
    Enabling management VLAN auto-negotiation
    Configuring communication between the management switch and the member switches within a cluster
    Configuring cluster management protocol packets
    Cluster member management
  Configuring the member switches
    Enabling NDP
...
    Outputting log information to a Linux log host
    Outputting log information to the console
    Saving security logs into the security log file
Support and other resources
  Contacting HP
    Subscription service
  Related information
    Documents
    Websites
  Conventions
...
System maintenance and debugging

You can use the ping command and the tracert command to verify the current network connectivity, and use the debug command to enable debugging and to diagnose system faults based on the debugging information.

Ping

Introduction

The ping command allows you to verify whether a device with a specified address is reachable, and to examine network connectivity.
Ping configuration example

Network requirements

As shown in Figure 1, check whether Device A and Device C can reach each other. If they can reach each other, obtain the detailed information for routes from Device A to Device C.

Figure 1 Ping network diagram

Configuration procedure

# Use the ping command to display whether Device A and Device C can reach each other.
• Enable sending of ICMP timeout packets on the intermediate device (the device between the source and destination devices). If the intermediate device is an HP device, execute the ip ttl-expires enable command on the device. For more information about this command, see the Layer 3 — IP Services Command Reference.
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Display the routes from source to destination
Use the command:
  IPv4 network: tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-number | -w timeout ] * host
  IPv6 network:...
Remarks: Required. Use either approach
Configuring system debugging

Output of the debugging information may reduce system efficiency. Administrators usually use the debugging commands to diagnose network failure. After completing the debugging, disable the corresponding debugging function, or use the undo debugging all command to disable all the debugging functions.
Figure 4 Ping and tracert network diagram: Device A (1.1.1.1/24) to Device B (1.1.1.2/24, 1.1.2.1/24) to Device C (1.1.2.2/24)

Configuration procedure

# Use the ping command to display whether Device A and Device C can reach each other.
<DeviceA> ping 1.1.2.2
PING 1.1.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out...
NQA configuration

NQA overview

Network Quality Analyzer (NQA) can perform various types of tests and collect network performance and service quality parameters such as delay jitter, time for establishing a TCP connection, time for establishing an FTP connection, and file transfer rate. With the NQA test results, you can diagnose and locate network faults, know network performance in time and take proper actions.
Monitored elements: Mean Opinion Scores (MOS) (see “Configuring voice tests”)
Test type supported: Voice test

Threshold types

The following threshold types are supported:
• average—Monitors the average value of monitored data in a test. If the average value in a test...
Basic NQA concepts

Test group

An NQA test group specifies test parameters including the test type, destination address, and destination port. Each test group is uniquely identified by an administrator name and operation tag. You can configure and schedule multiple NQA test groups to test different objects.

Test and probe

After the NQA test group starts, tests are performed at a specific interval.
The NQA client computes the network performance and service quality parameters, such as the packet loss rate and round-trip time based on the received responses.

NQA configuration task list

Complete the following task to enable the NQA server:

Task: Configuring the NQA server
Remarks: Required for TCP, UDP echo, UDP jitter, and voice tests

To perform NQA tests successfully, perform the following configurations on the NQA client:...
Follow these steps to configure the NQA server:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable the NQA server
Use the command: nqa server enable
Remarks: Required. Disabled by default.

To do: Configure the listening service
Use the command: nqa server { tcp-connect | udp-echo } ip-address...
Remarks: Required. The destination IP address and port number must be the same as those...
provides more output information. In addition, you can specify the next hop for ICMP echo tests. ICMP echo tests are used to locate connectivity problems in a network.

Follow these steps to configure ICMP echo tests:

To do: Enter system view
Use the command: system-view...
Before you start DHCP tests, configure the DHCP server. If the NQA (DHCP client) and the DHCP server are not in the same network segment, configure a DHCP relay agent.

NOTE: HP A3100 v2 Switch Series do not support the DHCP server and DHCP relay agent configuration.

Configuring DHCP tests

Follow these steps to configure DHCP tests:

To do…...
Configuration prerequisites

Before you start DNS tests, configure the mapping between a domain name and an IP address on a DNS server.

Configuring DNS tests

Follow these steps to configure DNS tests:

To do: Enter system view
Use the command: system-view
Remarks: —...
To do: Configure the source IP address of FTP request packets
Use the command: source ip ip-address
Remarks: Required. By default, no source IP address is specified. The source IP address must be the IP address of a local interface. The local interface must be up;...
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter NQA test group view
Use the command: nqa entry admin-name operation-tag
Remarks: —

To do: Configure the test type as HTTP, and enter test type view
Use the command: type http
Remarks: Required

To do: Configure the IP address of the HTTP server as the destination
Use the command: destination ip ip-address
Remarks: Required. By default, no destination IP...
The destination affixes a time stamp to each packet that it receives, and then sends the packet back to the source. Upon receiving the response, the source calculates the delay jitter, which reflects network performance. Delay refers to the amount of time it takes a packet to be transmitted from source to destination or from destination to source.
To do: Configure the interval the NQA client must wait for a response from the server before it regards the response as timed out
Use the command: probe packet-timeout packet-timeout
Remarks: Optional. 3000 milliseconds by default.

Remarks: Optional. By default, no source IP address is specified....
To do: Configure the source IP address of SNMP packets
Use the command: source ip ip-address
Remarks: Optional. By default, no source IP address is specified. The source IP address must be the IP address of a local interface. The local interface must be up;...
To do: Configure the source IP address of TCP probe packets
Use the command: source ip ip-address
Remarks: Optional. By default, no source IP address is specified. The source IP address must be the IP address of a local interface. The local interface must be up;...
To do: Configure the string to be filled in the data field of each UDP packet
Use the command: data-fill string
Remarks: Optional. By default, the string is the hexadecimal number 00010203040506070809.

To do: Specify the source port of UDP packets
Use the command: source port port-number
Remarks: Optional. By default, no source port number is specified....
Configuration prerequisites

Voice tests require cooperation between the NQA server and the NQA client. Before you start voice tests, configure a UDP listening service on the NQA server. For more information about UDP listening service configuration, see “Configuring the NQA server.”...
To do: Configure the size of the data field in each probe packet
Use the command: data-size size
Remarks: Optional. By default, the probe packet size depends on the codec type. The default packet size is 172 bytes for G.711A-law and G.711 μ-law codec type, and 32 bytes for G.729 A-law codec type....
To do: Configure the source IP address of probe packets
Use the command: source ip ip-address
Remarks: Optional. By default, no source IP address is specified. The source IP address must be the IP address of a local interface. The local interface must be up;...
To do: Configure a reaction entry for monitoring packet round-trip time (only supported in UDP jitter and voice tests)
Use the command: reaction item-number checked-element rtt threshold-type { accumulate accumulate-occurrences | average } threshold-value upper-threshold lower-threshold [ action-type { none | trap-only } ]

To do: Configure a reaction entry for monitoring the packet loss in each...
Use the command: reaction item-number checked-element...
To do: Enter NQA test group view
Use the command: nqa entry admin-name operation-tag
Remarks: —

To do: Enter test type view of the test group
Use the command: type { dlsw | dns | ftp | http | icmp-echo | snmp | tcp | udp-echo | udp-jitter | voice }
Remarks: —

Remarks: Optional...
To do: Configure the maximum number of history records that can be saved for a test group
Use the command: history-record number number
Remarks: Optional. By default, the maximum number of records that can be saved for a test group is 50.

Configuring optional parameters for an NQA test group

Optional parameters for an NQA test group are valid only for tests in this test group....
To do: Configure the maximum number of hops a probe packet traverses in the network
Use the command: ttl value
Remarks: Optional. 20 by default. Not available for DHCP tests.

To do: Configure the ToS field in an IP packet header in an NQA probe
Use the command: tos value
Remarks: Optional. 0 by default....
Displaying and maintaining NQA

To do: Display history records of NQA test groups
Use the command: display nqa history [ admin-name operation-tag ] [ | { begin | exclude | include } regular-expression ]

To do: Display the current monitoring results of reaction entries
Use the command: display nqa reaction counters [ admin-name operation-tag [ item-number ] ] [ | { begin |...
Configuration procedure

NOTE: Before you make the configuration, make sure the devices can reach each other.

# Create an ICMP echo test group and specify 10.2.2.2 as the destination IP address for ICMP echo requests to be sent.
<DeviceA> system-view
[DeviceA] nqa entry admin test
[DeviceA-nqa-admin-test] type icmp-echo
[DeviceA-nqa-admin-test-icmp-echo] destination ip 10.2.2.2...
Extended results:
Packet loss in test: 0%
Failures due to timeout: 0
Failures due to disconnect: 0
Failures due to no connection: 0
Failures due to sequence error: 0
Failures due to internal error: 0
Failures due to other errors: 0
Packet(s) arrived late: 0

# Display the history of DHCP tests....
[DeviceA] undo nqa schedule admin test

# Display the results of the last DNS test.
[DeviceA] display nqa result admin test
NQA entry (admin admin, tag test) test results:
Destination IP address: 10.2.2.2
Send operation times: 1
Receive response times: 1
Min/Max/Average round trip time: 62/62/62
Square-Sum of round trip time: 3844
Last succeeded probe time: 2008-11-10 10:49:37.3...
[DeviceA-nqa-admin-test-ftp] destination ip 10.2.2.2

# Specify 10.1.1.1 as the source IP address for probe packets.
[DeviceA-nqa-admin-test-ftp] source ip 10.1.1.1

# Set the FTP username to admin, and password to systemtest.
[DeviceA-nqa-admin-test-ftp] username admin
[DeviceA-nqa-admin-test-ftp] password systemtest

# Configure the device to upload file config.txt to the FTP server for each probe operation.
[DeviceA-nqa-admin-test-ftp] operation put
[DeviceA-nqa-admin-test-ftp] filename config.txt

# Enable the saving of history records....
Figure 10 Network diagram for the HTTP tests

Configuration procedure

NOTE: Before you make the configuration, make sure the devices can reach each other.

# Create an HTTP test group.
<DeviceA> system-view
[DeviceA] nqa entry admin test
[DeviceA-nqa-admin-test] type http

# Specify the IP address of the HTTP server 10.2.2.2 as the destination IP address for HTTP tests....
Failures due to sequence error: 0
Failures due to internal error: 0
Failures due to other errors:
Packet(s) arrived late: 0

# Display the history of HTTP tests.
[DeviceA] display nqa history admin test
NQA entry (admin admin, tag test) history record(s):
Index Response Status...
[DeviceA] nqa schedule admin test start-time now lifetime forever

# Stop UDP jitter tests after a period of time.
[DeviceA] undo nqa schedule admin test

# Display the result of the last UDP jitter test.
[DeviceA] display nqa result admin test
NQA entry (admin admin, tag test) test results:
Destination IP address: 10.2.2.2
Send operation times: 10...
Start time: 2008-05-29 13:56:14.0
Life time: 47 seconds
Send operation times: 410
Receive response times: 410
Min/Max/Average round trip time: 1/93/19
Square-Sum of round trip time: 206176
Extended results:
Packet loss in test: 0%
Failures due to timeout: 0
Failures due to disconnect: 0
Failures due to no connection: 0
Failures due to sequence error: 0
Failures due to internal error: 0...
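How positive and negative SD (source to destination) and DS (destination to source) jitter figures of the kind listed in UDP jitter and voice results can be derived from per-probe timestamps, as an added example that is not taken from the HP manual or the switch software. The timestamps are constructed, and pairing only consecutive probes that both arrived is an assumption of this sketch.

```python
def one_way_jitter(tx_ms, rx_ms):
    """Return jitter samples (ms) for one direction.

    tx_ms[i] is the sender's timestamp for probe i and rx_ms[i] the
    receiver's timestamp, or None when the probe was lost. A sample is the
    change in spacing between two consecutive probes, so a constant clock
    offset between the two devices cancels out.
    """
    samples = []
    for i in range(1, len(tx_ms)):
        if rx_ms[i] is None or rx_ms[i - 1] is None:
            continue  # assumption: a lost probe breaks the pair
        spacing_rx = rx_ms[i] - rx_ms[i - 1]
        spacing_tx = tx_ms[i] - tx_ms[i - 1]
        samples.append(spacing_rx - spacing_tx)
    return samples


def summarize(samples, label):
    """Group samples into positive/negative counters named like the result fields."""
    out = {}
    groups = (("positive", [s for s in samples if s > 0]),
              ("negative", [-s for s in samples if s < 0]))
    for sign, values in groups:
        out[f"Min {sign} {label}"] = min(values, default=0)
        out[f"Max {sign} {label}"] = max(values, default=0)
        out[f"{sign.capitalize()} {label} number"] = len(values)
        out[f"{sign.capitalize()} {label} sum"] = sum(values)
    return out


def jitter_report(t1, t2, t3, t4):
    """t1: source send, t2: destination receive, t3: destination send,
    t4: source receive (all in ms, None for a lost probe)."""
    report = summarize(one_way_jitter(t1, t2), "SD")
    report.update(summarize(one_way_jitter(t3, t4), "DS"))
    return report


# Constructed sample: five probes sent every 20 ms, the last one lost.
# The destination clock runs 5000 ms ahead of the source clock.
T1 = [0, 20, 40, 60, 80]
T2 = [5010, 5030, 5055, 5070, None]
T3 = [5011, 5031, 5056, 5071, None]
T4 = [22, 40, 70, 82, None]

if __name__ == "__main__":
    for field, value in jitter_report(T1, T2, T3, T4).items():
        print(f"{field}: {value}")
```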
Figure 12 Network diagram for SNMP tests

Configuration procedure

NOTE: Before you make the configuration, make sure the devices can reach each other.

Configure SNMP agent (Device B).
# Enable the SNMP agent service, and set the SNMP version to all, the read community to public, and the write community to private....
Failures due to sequence error: 0
Failures due to internal error: 0
Failures due to other errors: 0
Packet(s) arrived late: 0

# Display the history of SNMP tests.
[DeviceA] display nqa history admin test
NQA entry (admin admin, tag test) history record(s):
Index Response Status...
[DeviceA] nqa schedule admin test start-time now lifetime forever

# Stop the TCP tests after a period of time.
[DeviceA] undo nqa schedule admin test

# Display the results of the last TCP test.
[DeviceA] display nqa result admin test
NQA entry (admin admin, tag test) test results:
Destination IP address: 10.2.2.2
Send operation times: 1...
<DeviceB> system-view
[DeviceB] nqa server enable
[DeviceB] nqa server udp-echo 10.2.2.2 8000

Configure Device A.
# Create a UDP echo test group.
<DeviceA> system-view
[DeviceA] nqa entry admin test
[DeviceA-nqa-admin-test] type udp-echo

# Configure UDP packets to use 10.2.2.2 as the destination IP address and port 8000 as the destination port....
Voice test configuration example

Network requirements

As shown in Figure 15, configure NQA voice tests to test the delay jitter of voice packet transmission and voice quality between Device A and Device B.

Figure 15 Network diagram for voice tests

Configuration procedure

NOTE: Before you make the configuration, make sure the devices can reach each other....
Extended results:
Packet loss in test: 0%
Failures due to timeout: 0
Failures due to disconnect: 0
Failures due to no connection: 0
Failures due to sequence error: 0
Failures due to internal error: 0
Failures due to other errors: 0
Packet(s) arrived late: 0
Voice results:
RTT number: 1000...
Failures due to sequence error: 0
Failures due to internal error: 0
Failures due to other errors: 0
Packet(s) arrived late: 0
Voice results:
RTT number: 4000
Min positive SD: 1
Min positive DS: 1
Max positive SD: 360
Max positive DS: 1297
Positive SD number: 1030
Positive DS number: 1024
Positive SD sum: 4363...
NOTE: Before you make the configuration, make sure the devices can reach each other.

# Create a DLSw test group, and configure DLSw probe packets to use 10.2.2.2 as the destination IP address.
<DeviceA> system-view
[DeviceA] nqa entry admin test
[DeviceA-nqa-admin-test] type dlsw
[DeviceA-nqa-admin-test-dlsw] destination ip 10.2.2.2

# Enable the saving of history records....
NTP configuration

NTP overview

Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed time servers and clients. NTP runs over the User Datagram Protocol (UDP), using UDP port 123. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within a network so that the devices can provide diverse applications based on the consistent time.
How NTP works

Figure 17 shows the basic workflow of NTP. Device A and Device B are connected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP. For an easy understanding, assume the following conditions:
• Prior to system clock synchronization between Device A and Device B, the clock of Device A is set...
NTP message format

NTP uses two types of messages, clock synchronization messages and NTP control messages. An NTP control message is used in environments where network management is needed. Because it is not essential for clock synchronization, it is not described in this document.

NOTE: All NTP messages mentioned in this document refer to NTP clock synchronization messages....
• Stratum—An 8-bit integer that indicates the stratum level of the local clock, with the value ranging from 1 to 16. The clock precision decreases from stratum 1 through stratum 16. A stratum 1 clock has the highest precision. A stratum 16 clock is not synchronized.
•...
In client/server mode, a client can be synchronized to a server, but a server cannot be synchronized to a client.

Symmetric peers mode

Figure 20 Symmetric peers mode

In symmetric peers mode:
Devices that work in symmetric active mode and symmetric passive mode exchange NTP messages with the Mode field 3 (client mode) and 4 (server mode)....
Clients listen to the broadcast messages from servers. When a client receives the first broadcast message, the client and the server start to exchange messages, with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the network delay between client and the server. Then the client enters the broadcast client mode.
Configuring the operation modes of NTP

Devices can implement clock synchronization in one of the following modes:
• Client/server mode
• Symmetric mode
• Broadcast mode
• Multicast mode

For the client/server mode or symmetric mode, you need to configure only clients or symmetric-active peers....
NOTE:
• In the ntp-service unicast-server command, ip-address must be a unicast address. It cannot be a broadcast address, a multicast address or the IP address of the local clock.
• When the source interface for NTP messages is specified by the source-interface argument, the source...
broadcast server for sending NTP broadcast messages and an interface also needs to be specified on each broadcast client for receiving broadcast messages.

Configuring a broadcast client

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter VLAN interface view
Use the command: interface interface-type interface-number
Remarks: Required. Enter the interface used to receive...
To do: Enter VLAN interface view
Use the command: interface interface-type interface-number
Remarks: Enter the interface used to send NTP multicast messages.

To do: Configure the device to work in NTP multicast server mode
Use the command: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
Remarks: Required

NOTE: A multicast server can synchronize broadcast clients only when its clock has been synchronized....
Follow these steps to disable an interface from receiving NTP messages:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter interface view
Use the command: interface interface-type interface-number
Remarks: —

To do: Disable the interface from receiving NTP messages
Use the command: ntp-service in-interface disable
Remarks: Required. An interface is enabled to receive NTP messages by default....
Configuration procedure

Follow these steps to configure the NTP service access-control right to the local device:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Configure the NTP service access-control right for a peer device to access the local device
Use the command: ntp-service access { peer | query | server | synchronization }
Remarks: Required. peer by default...
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable NTP authentication
Use the command: ntp-service authentication enable
Remarks: Required. Disabled by default

To do: Configure an NTP authentication key
Use the command: ntp-service authentication-keyid keyid authentication-mode md5 value
Remarks: Required. No NTP authentication key by default

To do: Configure the key as a trusted key
Use the command: ntp-service reliable authentication-keyid keyid
Remarks: Required. By default, no authentication key is...
Use the command: Multicast server mode: ntp-service multicast-server authentication-keyid keyid

NOTE: The procedure for configuring NTP authentication on a server is the same as on a client. Also, the same authentication key must be configured on both the server and client.

Displaying and maintaining NTP

To do…...
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)

# Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A....
• After Device B is synchronized to Device A, Device C works in the symmetric-active mode and Device B will act as peer of Device C. Device C is the symmetric-active peer while Device B is the symmetric-passive peer.

Figure 24 Network diagram for NTP symmetric peers mode configuration

Configuration procedure

Configure IP addresses for interfaces (Details not shown)...
[DeviceC] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.32
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: -21.1982 ms
Root delay: 15.00 ms
Root dispersion: 775.15 ms
Peer dispersion: 34.29 ms
Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)

The output shows that Device C has been synchronized to Device B and the clock stratum level of Device C is 4....
Figure 25 Network diagram for NTP broadcast mode configuration (Vlan-int2 3.0.1.31/24 Switch C; Vlan-int2 3.0.1.30/24 Switch A; Vlan-int2 3.0.1.32/24 Switch B)

Configuration procedure

Set the IP address for each interface as shown in Figure 25. (Details not shown)

Configuration on Switch C:
# Configure Switch C to work in broadcast server mode and send broadcast messages through VLAN-interface 2....
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

The output shows that Switch A has been synchronized to Switch C, and the clock stratum level of Switch A is 3, while that of Switch C is 2.

# View the NTP session information of Switch A, which shows that an association has been set up between Switch A and Switch C....
[SwitchC] interface vlan-interface 2
[SwitchC-Vlan-interface2] ntp-service multicast-server

Configure Switch D:
# Configure Switch D to work in multicast client mode and receive multicast messages on VLAN-interface
<SwitchD> system-view
[SwitchD] interface vlan-interface 2
[SwitchD-Vlan-interface2] ntp-service multicast-client

Because Switch D and Switch C are on the same subnet, Switch D can receive the multicast messages from Switch C without being enabled with the multicast functions and can be synchronized to Switch C....
[SwitchB-Vlan-interface3] igmp enable
[SwitchB-Vlan-interface3] igmp static-group 224.0.1.1
[SwitchB-Vlan-interface3] quit
[SwitchB] interface ethernet 1/0/1
[SwitchB-Ethernet1/0/1] igmp-snooping static-group 224.0.1.1 vlan 3

Configure Switch A:
<SwitchA> system-view
[SwitchA] interface vlan-interface 3
# Configure Switch A to work in multicast client mode and receive multicast messages on VLAN-interface
[SwitchA-Vlan-interface3] ntp-service multicast-client

# View the NTP status of Switch A after clock synchronization....
Figure 27 Network diagram for configuration of NTP client/server mode with authentication
Configuration procedure
Set the IP address for each interface as shown in Figure 27. (Details not shown)
Configure Device B:
<DeviceB> system-view
# Enable NTP authentication on Device B.
[DeviceB] ntp-service authentication enable
# Set an authentication key.
source reference stra reach poll offset delay disper
**************************************************************************
[12345] 1.0.1.11 127.127.1.0 -75.5 31.0 16.5
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : Total associations :
Configuring NTP broadcast mode with authentication
Network requirements
As shown in Figure 28, Switch C functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices as follows: •...
<SwitchD> system-view
[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 88 authentication-mode md5 123456
[SwitchD] ntp-service reliable authentication-keyid 88
# Configure Switch D to work in the NTP broadcast client mode.
[SwitchD] interface vlan-interface 2
[SwitchD-Vlan-interface2] ntp-service broadcast-client
Now, Switch D can receive broadcast messages through VLAN-interface 2, and Switch C can send broadcast messages through VLAN-interface 2.
PSE is integrated in a switch or router, and an external PSE is independent from a switch or router. HP PSEs are built in and can be classified into two types: Device with a single PSE—Only one PSE is available on the device, so the whole device is •...
Figure 29 PoE system diagram
Protocol specification
The protocol specification related to PoE is IEEE 802.3af.
PoE configuration task list
You can configure a PoE interface by using either of the following methods:
• At the command line interface (CLI).
• Through configuring the PoE profile and applying the PoE profile to the PoE interface.
PD supports power over spare wires), you have to change the order of the lines in the twisted pair cable to supply power to the PD.
• HP A3100 v2 EI Switch Series supports only signal mode.
Follow these steps to enable PoE for a PoE interface:...
To do…   Use the command…   Remarks
Enter system view   system-view   —
Enter PoE interface view   interface interface-type interface-number   —
Enable PoE for the PoE interface   poe enable   Required. Disabled by default.
Configure a description for the PD connected to the PoE interface   poe pd-description text   Optional. By default, no description for the PD connected to the PoE interface...
Configuring the maximum PoE interface power The maximum PoE interface power is the maximum power that the PoE interface can provide to the connected PD. If the power required by the PD is larger than the maximum PoE interface power, the PoE interface will not supply power to the PD.
Configuration prerequisites
Enable PoE for PoE interfaces.
Configuration procedure
Follow these steps to configure PoE interface power management:
To do…   Use the command…   Remarks
Enter system view   system-view   —
Configure PoE interface power management priority policy   poe pd-policy priority   Required. Not configured by default.
A PoE profile is a collection of configurations that contain multiple PoE features. On large-scale networks, you can apply a PoE profile to multiple PoE interfaces, so that these interfaces have the same PoE features. If the PoE interface connecting to a PD changes to another one, apply the PoE profile applied on the originally connected interface to the connected interface instead of reconfiguring the features defined in the PoE profile one by one.
To do…   Use the command…   Remarks
Enter system view   system-view   —
Enter PoE interface view   interface interface-type interface-number   —
Apply the PoE profile to the current PoE interface   apply poe-profile { index index | name profile-name }   Required
CAUTION: A PoE profile can be applied to multiple PoE interfaces, but only one PoE profile can be applied to a PoE interface.
To do… Use the command… Remarks display poe pse [ | { begin | Display the information of PSE exclude | include } regular-expression ] display poe-profile [ index index | Display all information of the name profile-name ] [ | { begin | configurations and applications of exclude | include } the PoE profile...
SNMP configuration
SNMP overview
The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
• Inform—The NMS sends alarms to other NMSs.
SNMP protocol versions
HP supports SNMPv1, SNMPv2c, and SNMPv3.
• SNMPv1 uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as set on the SNMP agent. If the community name used by the NMS is different from the community name set on the agent, the NMS cannot establish an SNMP session to access the agent or receive traps and notifications from the agent.
To do… Use the command… Remarks Optional By default, the contact information snmp-agent sys-info { contact is Hewlett-Packard Development Configure system information for sys-contact | location sys-location Company, L.P, the location the SNMP agent | version { all | { v1 | v2c | information is null, and the v3 }* } } protocol version is SNMPv1...
To do… Use the command… Remarks Enter system view system-view — Optional Disabled by default You can enable the SNMP Enable the SNMP agent snmp-agent agent with this command or any command that begins with snmp-agent. Required By default, the contact snmp-agent sys-info { contact information is Hewlett-Packard Configure system information for the...
Configuring network management-specific interface index About the network management-specific interface index A network management (NM)-specific ifindex identifies an interface and is provided by the SNMP managed device to the NMS. A network management-specific ifindex takes one of the following formats: 16-bit NM-specific ifindex—A 16-bit NM-specific ifindex value contains 16 bits and ranges from 1 •...
To do…   Use the command…   Remarks
Enter system view   system-view   —
Switch the format of an NM-specific ifindex from 16-bit to 32-bit   snmp-agent ifmib long-ifindex enable   Optional. By default, an NM-specific ifindex is in 16-bit format.
CAUTION: Some configurations use parameters that relate to the NM-specific ifindex, so switching the NM-specific ifindex format makes these configurations temporarily ineffective.
NOTE:
• Disable SNMP logging in normal cases to prevent a large amount of SNMP logs from decreasing device performance.
• The total output size for the node field (MIB node name) and the value field (value of the MIB node) in...
Configuring trap sending parameters
Configuration prerequisites
Before you configure trap parameters, complete the following tasks:
• Complete the basic SNMP settings and check that they are the same as on the NMS. If SNMPv1 or SNMPv2 is used, you must configure a community name. If SNMPv3 is used, you must configure an SNMPv3 user and MIB view.
Displaying and maintaining SNMP To do… Use the command… Remarks Display SNMP agent system display snmp-agent sys-info [ contact | location | information, including the contact, version ]* [ | { begin | exclude | include } physical location, and SNMP regular-expression ] version display snmp-agent statistics [ | { begin | exclude |...
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
# Configure contact and physical location information for the switch.
[Sysname] snmp-agent sys-info contact Mr.Wang-Tel:3306
[Sysname] snmp-agent sys-info location telephone-closet,3rd-floor
# Enable SNMP traps, set the NMS at 1.1.1.2 as an SNMP trap destination, and use public as the community name.
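An added example, not taken from the HP manual: a Python check that reads command lines like the SNMPv1/v2c lines above and the NTP authentication lines of the broadcast-mode example, and reports community-based SNMP versions, the community names public and private, weak NTP keys, and NTP keys that are defined but not declared reliable or not enabled. The rule names, the 12-character key threshold and the SAMPLE_SESSION string are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed input: command lines copied from this page's SNMPv1/v2c example
# and its NTP broadcast authentication example, joined so the script runs offline.
SAMPLE_SESSION = """\
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent sys-info contact Mr.Wang-Tel:3306
[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 88 authentication-mode md5 123456
[SwitchD] ntp-service reliable authentication-keyid 88
"""

# Assumptions of this example, not values from the manual.
WELL_KNOWN_COMMUNITIES = {"public", "private"}
MIN_NTP_KEY_LEN = 12

# Matches a leading CLI prompt such as <Sysname> or [SwitchD-Vlan-interface2].
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    detail: str


def audit(text):
    """Return a list of Finding objects for the command lines in text."""
    findings = []
    auth_enabled = False
    key_lines = {}      # NTP key ID -> line number where the key is defined
    reliable = set()    # NTP key IDs declared reliable
    for no, raw in enumerate(text.splitlines(), 1):
        words = PROMPT.sub("", raw).split()
        if words[:3] == ["snmp-agent", "sys-info", "version"]:
            weak = [v for v in words[3:] if v in ("v1", "v2c", "all")]
            if weak:
                findings.append(Finding(
                    "snmp-community-version", no,
                    "enables " + "/".join(weak) + ", authenticated only by community name"))
        elif words[:2] == ["snmp-agent", "community"] and len(words) >= 4:
            access, name = words[2], words[3]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding(
                    "snmp-default-community", no,
                    f"{access} community uses the well-known name '{name}'"))
        elif words[:3] == ["ntp-service", "authentication", "enable"]:
            auth_enabled = True
        elif words[:2] == ["ntp-service", "authentication-keyid"] and len(words) >= 6:
            key_id, key = words[2], words[5]
            key_lines[key_id] = no
            reasons = []
            if len(key) < MIN_NTP_KEY_LEN:
                reasons.append(f"only {len(key)} characters")
            if key.isdigit():
                reasons.append("digits only")
            if reasons:
                # Report properties of the key, never the key itself.
                findings.append(Finding(
                    "ntp-weak-key", no, f"key {key_id}: " + ", ".join(reasons)))
        elif words[:3] == ["ntp-service", "reliable", "authentication-keyid"] \
                and len(words) >= 4:
            reliable.add(words[3])
    # Cross-line checks: a key only takes part in authentication when it is
    # declared reliable and authentication is enabled.
    for key_id, no in key_lines.items():
        if key_id not in reliable:
            findings.append(Finding(
                "ntp-key-not-reliable", no,
                f"key {key_id} is defined but never declared reliable"))
    if key_lines and not auth_enabled:
        findings.append(Finding(
            "ntp-auth-not-enabled", min(key_lines.values()),
            "keys are defined but 'ntp-service authentication enable' is missing"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SESSION):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

Run against a saved configuration by passing the file's text to audit(); lines it does not recognise are ignored.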
# Assign the NMS read and write access to the objects under the interface node (OID 1.3.6.1.2.1.2), and deny its access to any other MIB objects. Set the user name to managev3user, authentication protocol to MD5, authentication key to authkey, the privacy protocol to DES56, and the privacy password to prikey.
<Sysname>...
Figure 36 Network diagram for SNMP logging (figure labels: Agent 1.1.1.1/24, Console, 1.1.1.2/24, Terminal)
Configuration procedure
NOTE: This example assumes that you have configured all required SNMP settings for the NMS and the agent (“SNMPv1/SNMPv2c configuration example” and “SNMPv3 configuration example”).
# Enable logging display on the terminal. (This function is enabled by default. Skip this step if you are using the default.)
<Sysname>...
Field Description srcIP IP address of the NMS SNMP operation type (GET or SET). node MIB node name and OID of the node instance. erroIndex Error index, with 0 meaning no error. errorstatus Error status, with noError meaning no error. Value set when the SET operation is performed (this field is null for a GET operation).
Among the RMON groups defined by RMON specifications (RFC 2819), the device uses the statistics group, history group, event group, and alarm group supported by the public MIB. HP also defines and implements the private alarm group, which enhances the functions of the alarm group.
History group The history group defines that the system periodically collects statistics of traffic information on an interface and saves the statistics in the history record table (ethernetHistoryTable) for query convenience of the management switch. The statistics include bandwidth utilization, number of error packets, and total number of packets.
Private alarm group The private alarm group calculates the values of alarm variables and compares the result with the defined threshold, realizing a more comprehensive alarm function. The system handles the prialarm alarm table entry—as defined by the user—in the following ways: Periodically samples the prialarm alarm variables defined in the prialarm formula.
To do…   Use the command…   Remarks
Enter system view   system-view   —
Enter Ethernet interface view   interface interface-type interface-number   —
Create an entry in the RMON history control table   rmon history entry-number buckets number interval sampling-interval [ owner text ]   Required
NOTE: entry-number must be globally unique and cannot be used on another interface....
To do… Use the command… Remarks rmon prialarm entry-number prialarm-formula prialarm-des sampling-interval { absolute | Create an entry in the private alarm changeratio | delta } rising-threshold table threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ] NOTE: A new entry cannot be created if its parameters are identical with the parameters of an existing entry.
To do… Use the command… Remarks display rmon prialarm Display RMON prialarm [ entry-number ] [ | { begin | Available in any view configuration information exclude | include } regular-expression ] display rmon event Display RMON events [ entry-number ] [ | { begin | Available in any view configuration information exclude | include }...
etherStatsCRCAlignErrors : 0 , etherStatsCollisions etherStatsDropEvents (insufficient resources): 0 Packets received according to length: : 235 65-127 : 67 128-255 256-511: 1 512-1023: 0 1024-1518: 0 Perform SNMP Get operation on the NMS to obtain the value of the MIB node. •...
Alarm group configuration example Network requirements As shown in Figure 40, Agent is connected to a console terminal through its console port and to an NMS across Ethernet. Do the following: Connect Ethernet 1/0/1 to the FTP server. Gather statistics on traffic of the server on Ethernet •...
Samples type : delta
Variable formula : 1.3.6.1.2.1.16.1.1.1.4.1<etherStatsOctets.1>
Sampling interval : 5(sec)
Rising threshold : 100(linked with event 1)
Falling threshold : 50(linked with event 2)
When startup enables : risingOrFallingAlarm
Latest value
# Display statistics for interface Ethernet 1/0/1.
<Sysname>...
Cluster management configuration Cluster management overview Cluster management definition With the growth of networks, a great number of access devices are needed at network borders. Management for these devices is very complicated; moreover, each device needs an IP address and wastes IP address resources.
Figure 41 Network diagram for a cluster As shown in Figure 41, the device configured with a public IP address and performing the management function is the management switch, the other managed devices are member switches, and the device that does not belong to any cluster but can be added to a cluster is a candidate switch.
The management switch adds or deletes a member switch and modifies cluster management • configuration according to the candidate switch information collected through NTDP. Introduction to NDP NDP discovers the information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices.
then forwards the NTDP topology-collection request after its prior port forwards the NTDP topology-collection request. Cluster management maintenance Adding a candidate switch to a cluster You should specify the management switch before creating a cluster. The management switch discovers and defines a candidate switch through NDP and NTDP protocols. The candidate switch can be automatically or manually added to the cluster.
• If communication between the management switch and a member switch is recovered, the member switch which is in Disconnect state will be added to the cluster, and the state of the member switch locally and on the management switch will be changed to Active....
Task Remarks Enabling NDP globally and for specific ports Optional Configuring NDP parameters Optional Enabling NTDP globally and for specific ports Optional Configuring NTDP parameters Optional Manually collecting topology information Optional Enabling the cluster function Optional Configuring the Establishing a cluster Required Enabling management VLAN auto-negotiation Required...
NOTE: HP recommends that you disable NDP on a port which connects with the devices that do not need to join the cluster. This prevents the management switch from adding and collecting topology information from devices which do not need to join the cluster.
NOTE: HP recommends that you disable NTDP on a port which connects with the devices that do not need to join the cluster. This prevents the management switch from adding and collecting topology information from devices which do not need to join the cluster.
NOTE: The two delay values should be configured on the topology collecting device. A topology-collection request sent by the topology collecting device carries the two delay values, and a device that receives the request forwards the request according to the delays. Manually collecting topology information The management switch collects topology information periodically after a cluster is created.
To do…   Use the command…   Remarks
Enter system view   system-view   —
Specify the management VLAN   management-vlan vlan-id   Optional. By default, VLAN 1 is the management VLAN.
Enter cluster view   cluster   —
Configure the private IP address range for member switches   ip-pool ip-address { mask | mask-length }   Required. Not configured by default.
To do… Use the command… Remarks Required Enable management VLAN management-vlan synchronization auto-negotiation enable Disabled by default. Configuring communication between the management switch and the member switches within a cluster In a cluster, the management switch and member switches communicate by sending handshake packets to maintain connection between them.
To do… Use the command… Remarks Required The destination MAC address is 0180-C200-000A by default. The following are the configurable Configure the destination MAC MAC addresses: address for cluster management cluster-mac mac-address • 0180-C200-0000 protocol packets • 0180-C200-000A • 0180-C200-0020 through 0180-C200-002F •...
Rebooting a member switch
To do…   Use the command…   Remarks
Enter system view   system-view   —
Enter cluster view   cluster   —
Reboot a specified member switch   reboot member { member-number | mac-address mac-address } [ eraseflash ]   Required
Configuring the member switches
Enabling NDP
Enabling NDP globally and for specific ports.
To do…   Use the command…   Remarks
Switch from the operation interface of the management switch to that of a member switch   cluster switch-to { member-number | mac-address mac-address | sysname member-sysname }   Required
Switch from the operation interface of a member switch to that of the management switch   cluster switch-to administrator   Required...
Configuring topology management The concepts of blacklist and whitelist are used for topology management. An administrator can diagnose the network by comparing the following topologies: current topology —the information of a node and its neighbors in the cluster—and the standard topology. Topology management whitelist (standard topology)—A whitelist is a list of topology information •...
After you configure an FTP/TFTP server for a cluster, the members in the cluster access the FTP/TFTP • server configured through the management switch. • After you configure a log host for a cluster, all the log information of the members in the cluster will be output to the configured log host in the following way: Member switches send their log information to the management switch The management switch converts the addresses of log information and sends them to the log...
To do… Use the command… Remarks Enter system view system-view — Enter cluster view cluster — cluster-snmp-agent community Configure the SNMP community { read | write } community-name Required name shared by a cluster [ mib-view view-name ] cluster-snmp-agent group v3 group-name [ authentication | Configure the SNMPv3 group privacy ] [ read-view read-view ]...
NOTE: If a cluster is dismissed or the member switches are removed from the whitelist, the configurations of Web user accounts are still retained. Displaying and maintaining cluster management To do… Use the command… Remarks display ndp [ interface Display NDP configuration interface-list ] [ | { begin | exclude information | include } regular-expression ]...
Cluster management configuration example
Network requirements
• Three switches form cluster abc, whose management VLAN is VLAN 10. In the cluster, Switch B serves as the management switch (Administrator), whose network management interface is VLAN-interface 2; Switch A and Switch C are the member switches (Member).
• All the devices in the cluster use the same FTP server and TFTP server on host 63.172.55.1/24, and...
not shown here.
Configure the management switch Switch B
# Enable NDP globally and for ports Ethernet 1/0/2 and Ethernet 1/0/3.
<SwitchB> system-view
[SwitchB] ndp enable
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] ndp enable
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface Ethernet 1/0/3
[SwitchB-Ethernet1/0/3] ndp enable
[SwitchB-Ethernet1/0/3] quit
# Configure the period for the receiving device to keep NDP packets as 200 seconds.
# Enable the cluster function.
[SwitchB] cluster enable
# Configure a private IP address range for the member switches, which is from 172.16.0.1 to 172.16.0.7.
[SwitchB] cluster
[SwitchB-cluster] ip-pool 172.16.0.1 255.255.255.248
# Configure the current device as the management switch, and establish a cluster named abc.
[SwitchB-cluster] build abc
Restore topology from local flash file,for there is no base topology.
Port mirroring configuration
Introduction to port mirroring
Port mirroring is the process of copying packets passing through a port/CPU (called a mirroring port/CPU) to another port (called the monitor port) connected with a monitoring device for packet analysis. You can port-mirror inbound, outbound, or bidirectional traffic on a port/CPU as needed.
Classification of port mirroring
Port mirroring can be local or remote: •...
Figure 45 Local port mirroring implementation As shown in Figure 45, packets of the mirroring port are mirrored to the monitor port for the data monitoring device to analyze. Layer 2 remote port mirroring Layer 2 remote port mirroring uses cooperation between a remote source mirroring group and a remote destination mirroring group, as shown in Figure 46.
The destination device does the following:
• Receives the mirrored packets.
• Compares their VLAN IDs to the ID of the remote probe VLAN configured in the remote destination group.
• If the VLAN IDs of these mirrored packets match the remote probe VLAN ID, the device forwards them to the data monitoring device through the monitor port.
To do…   Use the command…   Remarks
Enter system view   system-view   —
Create a local mirroring group   mirroring-group group-id local   Required
NOTE: A local mirroring group takes effect only after you configure a monitor port and mirroring ports/CPUs for
Configuring mirroring ports for the local mirroring group
If you use system view, you can use a list to configure multiple mirroring ports for a mirroring group at one time.
• To ensure that the port mirroring function works properly, do not enable STP, MSTP, or RSTP on the monitor port.
• HP recommends you use a monitor port only for port mirroring to ensure that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally...
Configuring Layer 2 remote port mirroring Layer 2 remote port mirroring configuration task list Configuring Layer 2 remote port mirroring is to configure remote mirroring groups. To do that, configure the remote source mirroring group on the source device and configure the cooperating remote destination mirroring group on the destination device.
Configuration prerequisites
Before configuring Layer 2 remote port mirroring, make sure that you have created static VLANs for the remote probe VLAN.
CAUTION: Both the remote source mirroring group on the source device and the remote destination mirroring group on the destination device must use the same remote probe VLAN.
Configuring a remote source mirroring group (on the source device)
To configure a remote source mirroring group, make the following configurations on the source device.
To do… Use the command… Remarks Required [ mirroring-group group-id ] Configure the current port as a By default, a port does not serve as mirroring-port { both | inbound | mirroring port a mirroring port for any mirroring outbound } group.
NOTE:
• HP recommends you use the remote probe VLAN for port mirroring exclusively.
• To remove the VLAN configured as a remote probe VLAN, you must first remove the remote probe VLAN...
• To ensure that the port mirroring function works properly, do not enable STP, MSTP, or RSTP on the monitor port.
• HP recommends you use a monitor port only for port mirroring. This is to ensure that the data monitoring...
Assigning the monitor port to the remote probe VLAN Follow these steps to assign the monitor port to the remote probe VLAN: To do… Use the command… Remarks Enter system view system-view — Enter the interface view of the interface interface-type interface-number —...
• The reflector port of a remote source mirroring group must be an access port and belong to the default VLAN, VLAN 1.
• HP recommends you configure an unused port as the reflector port of a remote source mirroring group and disable STP on it.
Displaying and maintaining port mirroring
To do…   Use the command…   Remarks
Display the configuration of port mirroring groups   display mirroring-group { group-id | all | local | remote-destination | remote-source } [ | { begin | exclude | include } regular-expression ]   Available in any view
Port mirroring configuration examples...
# Disable Spanning Tree Protocol (STP) on the monitor port Ethernet 1/0/3.
[DeviceA] interface ethernet 1/0/3
[DeviceA-Ethernet1/0/3] undo stp enable
[DeviceA-Ethernet1/0/3] quit
Verify the configurations.
# Display the configuration of all port mirroring groups.
[DeviceA] display mirroring-group all
mirroring-group 1:
type: local
status: active
mirroring port:...
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN, Ethernet 1/0/1 as a source port, and Ethernet 1/0/3 as the reflector port in the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port ethernet 1/0/1 both
[DeviceA] mirroring-group 1 reflector-port ethernet 1/0/3
# Configure Ethernet 1/0/2 as a trunk port that permits the packets of VLAN 2 to pass through.
# Configure VLAN 2 as the remote probe VLAN of the mirroring group. Configure Ethernet 1/0/2 as the monitor port of the mirroring group and assign Ethernet 1/0/2 to VLAN 2.
[DeviceC] mirroring-group 1 remote-probe vlan 2
[DeviceC] interface ethernet 1/0/2
[DeviceC-Ethernet1/0/2] mirroring-group 1 monitor-port
[DeviceC-Ethernet1/0/2] port access vlan 2
# Disable Spanning Tree Protocol (STP) on the monitor port Ethernet 1/0/2.
# Configure an unused port (Ethernet 1/0/5 for example) of Switch A as the reflector port of remote source mirroring group 1, and disable STP on the port.
[SwitchA] mirroring-group 1 reflector-port Ethernet 1/0/5
[SwitchA] interface Ethernet 1/0/5
[SwitchA-Ethernet1/0/5] undo stp enable
# Create VLAN 10 and assign the three ports (Ethernet 1/0/11 through Ethernet 1/0/13) connecting the three data monitoring devices to VLAN 10.
Traffic mirroring configuration (available only on the A3100 v2 EI)
Traffic mirroring overview
Traffic mirroring is the action of copying the specified packets to the specified destination for packet analyzing and monitoring. You can configure mirroring traffic to an interface or to the CPU.
• Mirroring traffic to an interface: Copies the matching packets on an interface to a destination...
To do…   Use the command…   Remarks
Exit behavior view   quit   —
Create a policy and enter policy view   qos policy policy-name   Required. By default, no policy exists.
Associate the class with the traffic behavior in the QoS policy   classifier tcl-name behavior behavior-name   Required. By default, no traffic behavior is...
NOTE: ACL and QoS Configuration Guide For more information about applying a QoS policy, see the Apply a QoS policy to an interface By applying a QoS policy to an interface, you can regulate the traffic received on the interface. A policy can be applied to multiple interfaces, but only one policy can be applied in inbound direction of an interface.
Displaying and maintaining traffic mirroring
To do…   Use the command…   Remarks
Display traffic behavior configuration information   display traffic behavior user-defined [ behavior-name ]   Available in any view
Display QoS policy configuration information   display qos policy user-defined [ policy-name [ classifier tcl-name ] ]   Available in any view
Traffic mirroring configuration examples...
[Sysname-behavior-1] quit
# Create QoS policy 1 and associate traffic behavior 1 with class 1 in the QoS policy.
[Sysname] qos policy 1
[Sysname-policy-1] classifier 1 behavior 1
[Sysname-policy-1] quit
# Apply the QoS policy to the incoming traffic of Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] qos apply policy 1 inbound
After the configurations, you can monitor all packets sent from Host A on the data monitoring device.
Stack configuration Stack configuration overview To manage network devices situated at distant sites as a whole, you can connect the network devices and perform necessary configurations to establish a stack, helping reduce customer investments and simplify network management. Introduction to stack A stack is a management domain that comprises several network devices connected to one another through stack ports.
The administrator can log in to any slave device from the master device of the stack, and perform • configurations for the slave device. Stack configuration task list Complete the following tasks to configure stack: Task Remarks Configuring a private IP address pool for a Required stack Configuring the master device of a...
Creating a stack After you execute the stack role master command on a stack-capable device, the device becomes the master device of a stack and automatically adds the devices connected with its stack ports to the stack. Follow the steps below to create a stack: To do…...
Displaying and maintaining stack configuration
To do…   Use the command…   Remarks
Display the stack information of stack members   display stack [ members ] [ | { begin | exclude | include } regular-expression ]   Available in any view
Stack configuration example
Network requirements
Switch A, Switch B, Switch C, and Switch D are connected with one another....
# Display stack information of the stack members on Switch A.
<stack_0.SwitchA> display stack members
Number
Role : Master
Sysname : stack_0. SwitchA
Switch type: HP A3100-16-PoE v2 EI Switch
MAC address: 000f-e200-1000
Number
Role : Slave
Sysname : stack_1. SwitchB...
Information center configuration Information center overview Introduction to information center Acting as the system information hub, information center classifies and manages system information, offering powerful support for network administrators and developers in monitoring network performance and diagnosing network problems. The following describes the working process of information center: Receives the log, trap, and debugging information generated by each module.
NOTE: Information center assigns log, trap, and debugging information to 10 information channels according to eight severity levels and then outputs the information to different destinations. The following describes the working process in detail.
Classification of system information
The system information of the information center is categorized into the following types:
• Log information...
Table 5 Information channels and output destinations Information Default channel Default output destination Description channel name number Receives log, trap and debugging console Console information. Receives log, trap and debugging monitor Monitor terminal information, facilitating remote maintenance. Receives log, trap and debugging loghost Log host information and information will be...
%Jun 26 17:08:35:809 2008 Sysname SHELL/4/LOGIN: VTY login from 1.1.1.1
If the output destination is the log host, the system information is in the following formats: HP and UNICOM.
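An added example, not part of the HP manual: a Python parser for log lines laid out like the SHELL/4/LOGIN line above, with a check that reports VTY logins from sources outside a set of management networks. The field names (module, severity, mnemonic), the management network 1.1.1.0/24 and every sample line except the first are assumptions or constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Layout taken from the single sample line on this page:
#   %<Mon DD hh:mm:ss:ms YYYY> <sysname> <MODULE>/<digit>/<MNEMONIC>: <content>
LOG_RE = re.compile(
    r"^%(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<sysname>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+): ?"
    r"(?P<content>.*)$"
)
VTY_LOGIN_RE = re.compile(r"^VTY login from (?P<src>\S+)")

# Assumption: the management stations live in the subnet used by this
# page's SNMP examples.
MGMT_NETS = ["1.1.1.0/24"]

# First line is the one shown on this page; the rest are constructed.
SAMPLE_LOG = """\
%Jun 26 17:08:35:809 2008 Sysname SHELL/4/LOGIN: VTY login from 1.1.1.1
%Jun 26 17:21:03:120 2008 Sysname SHELL/4/LOGIN: VTY login from 203.0.113.7
%Jun 26 17:25:40:007 2008 Sysname SHELL/4/LOGIN: VTY login from 1.1.1.2
Jun 26 17:30 truncated line without the leading marker
"""


@dataclass(frozen=True)
class LogRecord:
    timestamp: datetime
    sysname: str
    module: str
    severity: int
    mnemonic: str
    content: str


@dataclass(frozen=True)
class Alert:
    record: LogRecord
    source: str
    reason: str


def parse_line(line):
    """Parse one log line; return a LogRecord, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    try:
        # The millisecond field is separated by a colon, not a dot.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S:%f %Y")
    except ValueError:
        return None
    return LogRecord(ts, m["sysname"], m["module"], int(m["severity"]),
                     m["mnemonic"], m["content"])


def unexpected_vty_logins(lines, allowed_nets):
    """Return (alerts, skipped): VTY logins from outside allowed_nets and
    the number of lines that could not be parsed."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep a count so gaps in coverage are visible
            continue
        if (rec.module, rec.mnemonic) != ("SHELL", "LOGIN"):
            continue
        m = VTY_LOGIN_RE.match(rec.content)
        if m is None:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            alerts.append(Alert(rec, m["src"], "source is not an IP address"))
            continue
        if not any(src in net for net in nets):
            alerts.append(Alert(rec, str(src), "source outside management networks"))
    return alerts, skipped


if __name__ == "__main__":
    found, skipped = unexpected_vty_logins(SAMPLE_LOG.splitlines(), MGMT_NETS)
    for a in found:
        print(f"{a.record.timestamp.isoformat()} {a.record.sysname}: "
              f"VTY login from {a.source} ({a.reason})")
    print(f"unparsed lines: {skipped}")
```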
NOTE:
• The closing set of angle brackets (< >), the space, the forward slash (/), and the colon are all required in the UNICOM format.
• The format in the previous section is the original format of system information, so you may see the...
IP address of the device that generates the system information. In other cases (when the system information is sent to a log host in the format of HP, or sent to other •...
This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the system information is sent to a log host in the format of HP.
To do… Use the command… Remarks Optional Configure the channel through info-center console channel By default, system information is which system information can be { channel-number | output to the console through output to the console channel-name } channel 0 (console). info-center source { module-name | default } channel { channel-number Optional...
To do… Use the command… Remarks Optional info-center channel Name the channel with a specified channel-number name Table 5 for default channel channel number channel-name names. Optional Configure the channel through info-center monitor channel By default, system information is which system information can be { channel-number | output to the monitor terminal output to a monitor terminal...
}

To do: Set the format of the system information sent to a log host to UNICOM
Use the command: info-center format unicom
Remarks: Optional. HP by default.

Use the command: info-center loghost { ipv6...
Remarks: Required. By default, the system does not output information to a log host. If...
To do: Name the channel with a specified channel number
Use the command: info-center channel channel-number name channel-name
Remarks: Optional. See Table 5 for default channel names.

To do: Configure the channel through which system information can be...
Use the command: info-center trapbuffer [ channel { channel-number |...
Remarks: Optional. By default, system information is output to the trap buffer through...
To do: Configure the format of the time stamp
Use the command: info-center timestamp { debugging | log | trap } { boot | date | none }
Remarks: Optional. The time stamp format for log, trap and debugging information is date by default.
Follow these steps to output system information to the web interface:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable information center
Use the command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Use the command: info-center channel channel-number name channel-name
Remarks: Optional. See Table 5 for default channel...
authentication and logging in to the device, and other users, including the system administrator, cannot perform these operations on the security log file.

NOTE:
• You can authorize a security log administrator by executing the authorization-attribute user-role security-audit command in local user view.
• The system administrator cannot view, copy, and rename the security log file;...
To do: Set the alarm threshold of the security log file usage
Use the command: info-center security-logfile alarm-threshold usage
Remarks: Optional. 80 by default. When the usage of the security log file reaches 80%, the system will inform the user.

Managing the security log file

After passing the AAA local authentication, the security log administrator can perform the following operations:...
To do: Move a specified file from a storage medium to the recycle bin
Use the command: delete [ /unreserved ] file-url

To do: Remove a folder
Use the command: rmdir directory

To do: Format a storage medium
Use the command: format device

To do: Restore a file from the recycle bin
Use the command: undelete file-url

Use the command: sftp server [ port-number ] [ identity-key { dsa | rsa } |...
With this feature applied to a port, when the state of the port changes, the system does not generate port link up/down logging information, and you cannot monitor the port state changes conveniently. HP recommends that you use the default configuration in normal cases.
Displaying and maintaining information center

To do: Display the information about information channels
Use the command: display channel [ channel-number | channel-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do: Display the information about each output destination
Use the command: display info-center
Remarks: Available in any view
...
# Specify the host with IP address 1.2.0.1/16 as the log host. Use channel loghost to output log information (optional, loghost by default), and use local4 as the logging facility.
[Sysname] info-center loghost 1.2.0.1 channel loghost facility local4
# Disable the output of log, trap, and debugging information of all modules on channel loghost.
[Sysname] info-center source default channel loghost debug state off log state off trap state off
CAUTION:...
# syslogd -r &

After the configurations, the system will be able to record log information into the log file.

Outputting log information to a Linux log host

Network requirements
• Send log information to a Linux log host with an IP address of 1.2.0.1/16;
• Log information with severity equal to or higher than informational will be output to the log host;...
local5.info /var/log/Device/info.log

In the configuration, local5 is the name of the logging facility used by the log host to receive logs, and info is the information level. The Linux system will record the log information with severity level equal to or more severe than informational to file /var/log/Device/info.log.
CAUTION: Because the default system configurations for different channels are different, you need to first disable the output of log, trap, and debugging information of all modules on the specified channel (console in this example). Then configure the output rule as needed so that unnecessary information will not be output.

# Configure the information output rule: allow log information of ARP and IP modules with severity equal to or higher than informational to be output to the console.
Figure 57 Network diagram for saving security logs in a specific directory

Configuration considerations

The configuration in this example includes the following parts: logging in as the system administrator and as the security log administrator.

Logging in to the device as the system administrator
• Enable the saving of the security logs into the security log file and set the frequency with which the
•...
# Authorize the user to use SSH, Telnet, and terminal services.
[Sysname-luser-seclog] service-type ssh telnet terminal
[Sysname-luser-seclog] quit
# According to the network plan, the user will log in to the device through SSH or Telnet, so you need to configure the authentication mode of the VTY user interface as scheme.
[Sysname] display user-interface vty ?
INTEGER<0-15>...
%@176 Nov 2 17:02:53:766 2009 Sysname SHELL/5/SHELL_LOGOUT:Console logged out from con0.

Contents of other logs are omitted here.

The command output indicates that the new content in the buffer has not been saved into the security log file yet.

# Save the contents of the security log file buffer into the security log file manually.
<Sysname>...
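The two sample lines shown in this chapter (the console-format SHELL/4/LOGIN line and the %@176 security-log line) can be parsed and filtered with the same cut-off the log host rule uses, "equal to or more severe than informational". This is an added example, not part of the HP manual: the function names are hypothetical, the severity names assume standard syslog numbering 0-7, and the number after %@ is kept as an opaque tag because the page does not define it.

```python
import re
from datetime import datetime

# Assumption: the switch's eight levels follow standard syslog numbering.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "informational", "debugging"]

LINE_RE = re.compile(
    r"^%(?:@(?P<tag>\d+) )?"                       # optional %@<n> prefix (security log sample)
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<sysname>\S+) "
    r"(?P<module>[A-Za-z0-9_]+)/(?P<level>[0-7])/(?P<digest>[A-Za-z0-9_]+):"
    r" ?(?P<content>.*)$"
)

SAMPLE = [
    # The first two lines are quoted from the page; the last two are constructed.
    "%Jun 26 17:08:35:809 2008 Sysname SHELL/4/LOGIN: VTY login from 1.1.1.1",
    "%@176 Nov 2 17:02:53:766 2009 Sysname SHELL/5/SHELL_LOGOUT:Console logged out from con0.",
    "%Jun 26 17:09:01:120 2008 Sysname ARP/7/CONSTRUCTED: constructed debugging line",
    "Jun 26 17:09:02 constructed malformed line without the leading percent sign",
]

def parse_line(line):
    """Return a dict for one module/level/digest line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S:%f %Y")
    except ValueError:  # shape matched but the date is impossible, e.g. "Feb 31"
        return None
    level = int(m["level"])
    return {"tag": m["tag"], "time": when, "sysname": m["sysname"],
            "module": m["module"], "level": level, "severity": SEVERITY[level],
            "digest": m["digest"], "content": m["content"]}

def at_least(lines, threshold):
    """Keep events whose severity is equal to or more severe than threshold."""
    limit = SEVERITY.index(threshold)  # lower number means more severe
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e["level"] <= limit]

if __name__ == "__main__":
    for event in at_least(SAMPLE, "informational"):
        print(event["time"], event["module"], event["severity"], event["content"])
```

Lines that do not parse are dropped rather than guessed at, so a collector built on this should count the rejects separately to notice truncated or tampered input.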
Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.