We've noticed that traditional networking, in LANs and WANs alike, has changed very little. Years ago most networks ran at 100 Mbit and today most still do, and the average internet connection is largely unchanged from several years ago, with some exceptions in Europe and Asia.
-------------------------------------
ProCurve J4903A Switch 2824
Software revision I.10.77
Copyright (C) 1991-2009 Hewlett-Packard Co. All Rights Reserved.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the Government is subject to restrictions
as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
Computer Software clause at 52.227-7013.
HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303
We'd like to keep you up to date about:
* Software feature updates
* New product announcements
* Special events
Please register your products now at: www.ProCurve.com
Press any key to continue
-------------------------------------------
LACP Problems - Be Warned - Disable LACP Unless You Need It!
LACP (Link Aggregation Control Protocol, IEEE 802.3ad) lets you combine several physical ports into one logical link for more bandwidth and some redundancy. That sounds great, but on these switches every port runs LACP in passive mode out of the box, so any connected device that starts sending LACP frames (a server with a misconfigured NIC team or bonding driver, or another switch) makes the port try to negotiate a dynamic trunk. When that negotiation does not complete, the port is blocked and the computer or server behind it drops off-line for no apparent or justified reason, and it is a pain to troubleshoot. LACP should only be enabled on ports that are actually going to use it; turn it off on all other ports.
Symptoms in the event log (show log) look like this. The 01/02/90 dates mean the switch clock was never set (it counts from 01/01/90 at boot until it gets time from SNTP or TimeP), which is worth fixing before you try to correlate switch events with server logs:
I 01/02/90 01:41:36 ports: port 7 is Blocked by LACP
I 01/02/90 01:41:39 ports: port 7 is now on-line
I 01/02/90 01:45:23 ports: port 7 is now off-line
I 01/02/90 01:45:48 ports: port 7 is Blocked by LACP
I 01/02/90 01:45:51 ports: port 7 is now on-line
I 01/02/90 01:56:47 ports: port 7 is now off-line
I 01/02/90 02:22:42 ports: port 7 is Blocked by LACP
I 01/02/90 02:22:42 ports: port 7 is now off-line
I 01/02/90 02:39:44 ports: port 7 is Blocked by LACP
I 01/02/90 02:39:47 ports: port 7 is now on-line
I 01/02/90 02:45:15 ports: port 7 is now off-line
I 01/02/90 02:56:42 ports: port 7 is Blocked by LACP
I 01/02/90 02:56:45 ports: port 7 is now on-line
I 01/02/90 02:57:44 ports: port 7 is now off-line
#check if you have lacp enabled on any ports (on a switch where it has been turned off everywhere you get the second line)
show lacp
no LACP ports found.
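To spot this pattern in a longer log than the one above, here is an added example (my own code, not from the original page) that parses ProCurve event-log lines like the ones shown and flags ports whose "Blocked by LACP" events cluster together. The log lines are the page's, copied in as constructed sample data with one extra healthy port (port 3) assumed; the "three blocks within 60 minutes" threshold is an assumption to tune for your switch.

```python
"""Flag ProCurve ports that keep getting "Blocked by LACP".

Added example, not from the original page: parses ProCurve event-log lines
(severity letter, MM/DD/YY, HH:MM:SS, "ports:" module, message) and reports
ports whose LACP blocks cluster in a short window, the flapping symptom that
passive LACP on an access port produces.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the log lines from the page, plus one healthy port
# (port 3, assumed) so the report has something to leave alone.
SAMPLE_LOG = """\
I 01/02/90 01:41:36 ports: port 7 is Blocked by LACP
I 01/02/90 01:41:39 ports: port 7 is now on-line
I 01/02/90 01:45:23 ports: port 7 is now off-line
I 01/02/90 01:45:48 ports: port 7 is Blocked by LACP
I 01/02/90 01:45:51 ports: port 7 is now on-line
I 01/02/90 01:56:47 ports: port 7 is now off-line
I 01/02/90 02:22:42 ports: port 7 is Blocked by LACP
I 01/02/90 02:22:42 ports: port 7 is now off-line
I 01/02/90 02:39:44 ports: port 7 is Blocked by LACP
I 01/02/90 02:39:47 ports: port 7 is now on-line
I 01/02/90 02:45:15 ports: port 7 is now off-line
I 01/02/90 02:56:42 ports: port 7 is Blocked by LACP
I 01/02/90 02:56:45 ports: port 7 is now on-line
I 01/02/90 02:57:44 ports: port 7 is now off-line
I 01/02/90 03:10:00 ports: port 3 is now on-line
"""

LINE_RE = re.compile(
    r"^(?P<sev>[A-Z])\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"ports:\s+port\s+(?P<port>\d+)\s+is\s+(?P<event>.+?)\s*$"
)


def parse_port_events(text):
    """Return a list of (timestamp, port, event) for lines from the ports module."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other modules (SNMP, chassis, ...) are not of interest here
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        events.append((ts, int(m["port"]), m["event"]))
    return events


def lacp_flap_report(events, min_blocks=3, window=timedelta(minutes=60)):
    """Per-port counts of LACP blocks and link transitions, plus a 'flapping'
    flag set when at least min_blocks blocks fall inside any window-long span.
    Both thresholds are assumptions; tune them to your log volume."""
    blocks = defaultdict(list)
    counts = defaultdict(lambda: {"blocked": 0, "on_line": 0, "off_line": 0})
    for ts, port, event in sorted(events):
        if event == "Blocked by LACP":
            counts[port]["blocked"] += 1
            blocks[port].append(ts)
        elif event == "now on-line":
            counts[port]["on_line"] += 1
        elif event == "now off-line":
            counts[port]["off_line"] += 1

    report = {}
    for port, c in counts.items():
        stamps = blocks[port]
        flapping, start = False, 0
        for end in range(len(stamps)):  # sliding window over block timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_blocks:
                flapping = True
                break
        report[port] = dict(c, flapping=flapping)
    return report


def clock_unset(events):
    """A ProCurve with no SNTP/TimeP source logs dates in 1990; flag that so
    nobody tries to line these timestamps up with server logs."""
    return any(ts.year < 2000 for ts, _, _ in events)


if __name__ == "__main__":
    evs = parse_port_events(SAMPLE_LOG)
    for port, info in sorted(lacp_flap_report(evs).items()):
        print(f"port {port}: {info}")
    if clock_unset(evs):
        print("warning: switch clock is not set, timestamps are relative to 1990")
```

Run it against the output of "show log" saved to a file and the ports it reports as flapping are the ones to take out of LACP first.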
How to disable LACP:
*Warning: if you have machines that do not come back automatically when the link goes down and up again, this can take some or all of them offline and need physical intervention. When I typed "no interface all lacp" it took down most computers on the switch and, apart from a few, they did not come back on their own. You can limit the blast radius by giving a port range instead of "all" (eg. "no interface 1-12 lacp") and doing it in batches.
ProCurve Switch 2824# config
ProCurve Switch 2824(config)# no interface all lacp
ProCurve Switch 2824(config)# wr mem
Disable Port
*Warning about disabling/enabling a port: I find some servers see the link come back but will not pass traffic after the port is re-enabled until networking on the server is restarted (eg. service network restart).
The "8" below is the port number. You can also give a range such as "8-15".
config
int ethernet 8 disable
---------------------------
Enable Port
*The same warning as for disabling applies: some servers need a network restart after the port comes back.
config
int ethernet 8 enable
------------------------------------
Check each port's bandwidth usage
This table is the output of "show interfaces port-utilization". Kbits/sec is the actual throughput in each direction and Util is that throughput as a percentage of the port's negotiated speed (10, 100 or 1000 Mbit), so port 1 doing 5016 Kbit/s on a 1000FDx link shows 00.50 (half a percent) and port 20 doing 520 Kbit/s on a 100HDx link shows 00.52. The left block is Rx (into the switch) and the right block is Tx. Note that port 20 has negotiated 100 Mbit half duplex, which on a gigabit switch usually means a duplex mismatch or a bad cable and is worth checking.
  Port      Mode       | --------------- Rx --------------- | --------------- Tx ---------------
                       | Kbits/sec   Pkts/sec   Util        | Kbits/sec   Pkts/sec   Util
  --------- ---------- + ----------- ---------- ----------- + ----------- ---------- -----------
1 1000FDx | 5016 15 00.50 | 5040 47 00.50
2 1000FDx | 0 0 0 | 0 0 0
3 1000FDx | 2536 0 00.25 | 5024 32 00.50
4 1000FDx | 12376 691 01.23 | 5352 448 00.53
5 1000FDx | 600 0 00.06 | 5024 32 00.50
6 1000FDx | 3960 0 00.39 | 5024 32 00.50
7 1000FDx | 5360 77 00.53 | 5344 112 00.53
8 1000FDx | 0 0 0 | 0 0 0
9 1000FDx | 2488 0 00.24 | 5024 32 00.50
10 1000FDx | 2536 0 00.25 | 5024 32 00.50
11 1000FDx | 2488 0 00.24 | 5024 32 00.50
12 1000FDx | 2472 0 00.24 | 5024 32 00.50
13 1000FDx | 0 0 0 | 0 0 0
14 1000FDx | 0 0 0 | 0 0 0
15 1000FDx | 0 0 0 | 0 0 0
16 1000FDx | 0 0 0 | 0 0 0
17 1000FDx | 0 0 0 | 0 0 0
18 1000FDx | 0 0 0 | 0 0 0
19 1000FDx | 5680 538 00.56 | 12760 784 01.27
20 100HDx | 0 0 0 | 520 32 00.52
21 1000FDx | 0 0 0 | 0 0 0
22 1000FDx | 0 0 0 | 0 0 0
23 1000FDx | 0 0 0 | 0 0 0
24 1000FDx | 0 0 0 | 0 0 0
-------------------------------------------------------------
Show What Port A MAC Address Belongs To
show mac 00:1F:D0:00:13:CC
Status and Counters - Address Table - 001fd0-0013cc
MAC Address : 001fd0-0013cc
Located on Port : 8
The switch accepts the colon notation but always displays MACs as xxxxxx-xxxxxx. This is also the quickest way to find which physical port an unknown or suspicious device is plugged into once you have its MAC from a DHCP lease or an ARP table.
Show All MAC Addresses By Port
show mac all
Show the MAC addresses seen on a specific port
show mac 10
If no MAC is displayed for a port it means no device is connected, the device has not sent anything recently (the entry has aged out of the table), or the switch port may be bad or disabled. Port 17, which is down in the port status table further on, shows an empty table:
Status and Counters - Port Address Table - 17
MAC Address
-------------
Set MAC Address Security (port-security):
ProCurve Switch 2824(config)# port-security 1 learn-mode static
The 1 above is the port number and then we are setting the learn mode. The learn mode options are:
continuous Continuous MAC address learn mode (the default: any MAC is accepted, nothing is enforced).
static Static MAC address learn mode (the configured MACs are accepted, and the port learns further ones until address-limit is reached; everything else is dropped and raises an intrusion).
configured Static MAC address configured mode (only the explicitly configured MACs are accepted, nothing is learned).
port-access Learn port-access authorized MAC address only (802.1X).
limited-continuous Limited continuous MAC address learn mode (learns up to address-limit MACs, which age out normally).
Set how many MACs are allowed to use the port:
port-security 1 address-limit X
Where X is the number of devices allowed on the port; it must be at least the number of addresses you add below.
Add allowed MACs like this:
port-security 1 mac-address themacaddress
By default an intrusion only raises an alarm (Action: Send Alarm below): the port keeps forwarding for the authorized addresses and drops the intruder's frames. If you want the port shut down on a violation set the action to send-disable, and remember that you then have to re-enable the port by hand.
Check the port security settings of a port:
show port-security 1
  Port Security

  Port : 1
  Learn Mode [Continuous] : Static        Address Limit [1] : 3
  Action [None] : Send Alarm

  Authorized Addresses
  --------------------
  deadbe-efbce8
Check overall port status
This table is "show interfaces brief" ("show interfaces" on its own gives the counters shown further down). It is the quickest way to see which ports are up, what speed and duplex they negotiated, and whether port-security has flagged an intrusion on a port (the Intrusion Alert column, which is where the alarms from the port-security section show up). Port 8 shows Enabled "No" because it was disabled with the command above.
Status and Counters - Port Status

                    | Intrusion                            MDI   Flow  Bcast
  Port  Type        | Alert     Enabled Status Mode       Mode  Ctrl  Limit
  ----- ----------- + --------- ------- ------ ---------- ----- ----- ------
1 100/1000T | No Yes Up 1000FDx MDIX off 0
2 100/1000T | No Yes Down 1000FDx MDIX off 0
3 100/1000T | No Yes Up 1000FDx MDI off 0
4 100/1000T | No Yes Up 1000FDx MDIX off 0
5 100/1000T | No Yes Up 1000FDx MDIX off 0
6 100/1000T | No Yes Up 1000FDx MDI off 0
7 100/1000T | No Yes Up 1000FDx MDI off 0
8 100/1000T | No No Down 1000FDx MDI off 0
9 100/1000T | No Yes Up 1000FDx MDI off 0
10 100/1000T | No Yes Up 1000FDx MDI off 0
11 100/1000T | No Yes Up 1000FDx MDI off 0
12 100/1000T | No Yes Up 1000FDx MDI off 0
13 100/1000T | No Yes Down 1000FDx MDI off 0
14 100/1000T | No Yes Down 1000FDx MDI off 0
15 100/1000T | No Yes Down 1000FDx MDIX off 0
16 100/1000T | No Yes Down 1000FDx MDIX off 0
17 100/1000T | No Yes Down 1000FDx MDIX off 0
18 100/1000T | No Yes Down 1000FDx MDIX off 0
19 100/1000T | No Yes Up 1000FDx MDIX off 0
20 100/1000T | No Yes Up 100HDx MDIX off 0
21 100/1000T | No Yes Down 1000FDx MDIX off 0
22 100/1000T | No Yes Down 1000FDx MDI off 0
23 100/1000T | No Yes Down 1000FDx MDI off 0
24 100/1000T | No Yes Down 1000FDx MDIX off 0
show interfaces gives you more detail (Port Counters)
Watch the "Errors Rx" column. One of our servers had spotty connectivity and the only clue was its switch port showing 203 Rx errors; the cause was a bad cable. In the capture below ports 8, 10, 11, 12 and 20 have Rx errors, and port 20 is also the port that negotiated 100 Mbit half duplex in the tables above, so a duplex mismatch or cabling fault is the first thing to check there. The counters are cumulative since boot (or since they were last cleared), so what matters is whether a count keeps climbing, not its absolute value.
Status and Counters - Port Counters

                                                                  Flow  Bcast
  Port  Total Bytes    Total Frames   Errors Rx     Drops Rx      Ctrl  Limit
  ----- -------------- -------------- ------------- ------------- ----- ------
1 3,164,403... 2,285,255... 0 0 off 0
2 457,687,164 2,150,118... 0 0 off 0
3 3,716,409... 2,795,214... 14 0 off 0
4 1,897,977... 2,207,705... 0 0 off 0
5 626,012,466 3,843,597... 0 0 off 0
6 2,628,057... 2,138,559... 0 0 off 0
7 1,498,582... 476,790,025 0 0 off 0
8 2,830,274... 1,696,622... 589 0 off 0
9 1,573,201... 3,990,337... 0 0 off 0
10 1,930,438... 2,808,292... 238 0 off 0
11 3,137,823... 3,577,438... 1476 0 off 0
12 2,363,525... 99,291,760 1102 0 off 0
13 0 0 0 0 off 0
14 0 0 0 0 off 0
15 0 0 0 0 off 0
16 0 0 0 0 off 0
17 0 0 0 0 off 0
18 0 0 0 0 off 0
19 2,186,889... 2,963,434... 1 0 off 0
20 530,240,341 746,865,357 581 0 off 0
21 1866 7 2 0 off 0
22 2288 7 2 0 off 0
23 2246 7 2 0 off 0
24 190,610 1821 2 0 off 0
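As an added example (my own code, not part of the page), the script below parses both the "show interfaces port-utilization" table earlier and the Port Counters table above, joins them by port, and reports ports with Rx errors or a half-duplex link, which is the correlation that found the bad cable. The rows embedded in it are constructed from the page's captures, with "..." kept where the capture truncated a number.

```python
"""Rank ProCurve ports by receive errors and make sense of the Util column.

Added example, not from the page. Parses "show interfaces port-utilization"
(Kbits/sec, Pkts/sec, Util per direction) and "show interfaces" (Port
Counters), joins them by port and reports ports with Rx errors or a
half-duplex link. Sample rows are constructed from the page's captures.
"""
import re

SPEED_KBIT = {"10": 10_000, "100": 100_000, "1000": 1_000_000}
MODE_RE = re.compile(r"^(10|100|1000)(FDx|HDx)$")

UTILIZATION = """\
 Status and Counters - Port Utilization

                       | Rx                              | Tx
  Port      Mode       | Kbits/sec  Pkts/sec  Util       | Kbits/sec  Pkts/sec  Util
  --------- ---------- + ---------- --------- ---------- + ---------- --------- ----------
  1         1000FDx    | 5016       15        00.50      | 5040       47        00.50
  4         1000FDx    | 12376      691       01.23      | 5352       448       00.53
  8         1000FDx    | 0          0         0          | 0          0         0
  19        1000FDx    | 5680       538       00.56      | 12760      784       01.27
  20        100HDx     | 0          0         0          | 520        32        00.52
"""

# "..." marks a number the capture truncated (as on the page); treated as unknown.
COUNTERS = """\
 Status and Counters - Port Counters

                                                           Flow  Bcast
  Port  Total Bytes    Total Frames   Errors Rx  Drops Rx  Ctrl  Limit
  ----- -------------- -------------- ---------- --------- ----- ------
  7     1,498,582...   476,790,025    0          0         off   0
  8     2,830,274...   1,696,622...   589        0         off   0
  12    2,363,525...   99,291,760     1102       0         off   0
  13    0              0              0          0         off   0
  20    530,240,341    746,865,357    581        0         off   0
"""


def _num(tok):
    """'1,696,622' -> 1696622; '2,830,274...' (truncated) -> None."""
    return None if tok.endswith("...") else int(tok.replace(",", ""))


def parse_utilization(text):
    """Data rows have 10 whitespace-separated tokens: port, mode, |, rx x3, |, tx x3."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 10 or not t[0].isdigit():
            continue
        m = MODE_RE.match(t[1])
        if not m:
            continue
        speed, duplex = m.groups()
        rows.append({
            "port": int(t[0]), "speed_kbit": SPEED_KBIT[speed],
            "full_duplex": duplex == "FDx",
            "rx_kbps": int(t[3]), "rx_pps": int(t[4]), "rx_util": float(t[5]),
            "tx_kbps": int(t[7]), "tx_pps": int(t[8]), "tx_util": float(t[9]),
        })
    return rows


def parse_counters(text):
    """Data rows have 7 tokens: port, bytes, frames, rx errors, rx drops, flow, bcast."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 7 or not t[0].isdigit():
            continue
        rows.append({"port": int(t[0]), "total_bytes": _num(t[1]),
                     "total_frames": _num(t[2]), "rx_errors": int(t[3]),
                     "rx_drops": int(t[4])})
    return rows


def util_percent(kbps, speed_kbit):
    """What the Util column is: load as a percentage of negotiated speed, not Mbit/s."""
    return round(kbps / speed_kbit * 100, 2)


def port_health(util_rows, counter_rows):
    """Join the two tables by port; return {port: finding} for anything suspicious."""
    util = {r["port"]: r for r in util_rows}
    findings = {}
    for c in counter_rows:
        u = util.get(c["port"])
        half_duplex = bool(u and not u["full_duplex"])
        if not c["rx_errors"] and not half_duplex:
            continue
        frames = c["total_frames"]
        findings[c["port"]] = {
            "rx_errors": c["rx_errors"],
            # errors per frame on the port; None when the capture truncated the count
            "error_rate": (c["rx_errors"] / frames) if frames else None,
            "half_duplex": half_duplex,
        }
    return findings


if __name__ == "__main__":
    health = port_health(parse_utilization(UTILIZATION), parse_counters(COUNTERS))
    for port, f in sorted(health.items()):
        print(f"port {port}: {f}")
```

Paste the two real tables into UTILIZATION and COUNTERS (or read them from files) and the ports it prints are the ones whose cables and NIC duplex settings to check first.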
Password Issues/Requirements
Note that these switches support a maximum of 16 characters in a password. Spaces cannot be used, and the switch does not tell you if you went over the limit, so if you cannot log in after setting a password, type it out, count the first 16 characters and use only those; that should get you in.
If the password is lost or unknown you can reset just the passwords (not the switch settings) by holding the "Clear" button on the front of the switch for at least 1 second. Note again this does not reset the switch configuration, only the passwords. The flip side is that anyone with physical access to the switch can do the same, so keep it in a locked room or rack; on firmware that supports it the button can also be disabled from the CLI (front-panel-security).
Telnet client on Windows
By default the telnet client is not installed on the latest Windows servers, so you'll get an error saying:
'telnet' is not recognized as an internal or external command
Install it with:
dism /online /Enable-Feature /FeatureName:TelnetClient
Keep in mind that telnet sends the switch password across the network in clear text, so only use it from a trusted management network and prefer SSH where the switch supports it (the 2824 does).
Cisco IOS Switches and Routers
The rest of these notes are for Cisco IOS devices (Catalyst 2960 etc., ISR 2900/3900 routers); the prompts and commands differ from the ProCurve ones above.
Enter configuration mode:
enable
configure terminal
This is important: if your prompt doesn't look like the one below you are not in global configuration mode and none of the config commands will work!
Switch(config)#
Save Settings
Changes in IOS take effect immediately; "wr" copies the running config to the startup config so they survive a reboot:
wr
Show Switch Configuration:
show run
Show Port List/Status:
Switch#show interface status
Port Name Status Vlan Duplex Speed Type
Fa0/1 connected 1 a-full a-100 10/100BaseTX
Fa0/2 notconnect 1 auto auto 10/100BaseTX
Fa0/3 notconnect 1 auto auto 10/100BaseTX
Fa0/4 notconnect 1 auto auto 10/100BaseTX
Fa0/5 notconnect 1 auto auto 10/100BaseTX
Fa0/6 notconnect 1 auto auto 10/100BaseTX
Fa0/7 notconnect 1 auto auto 10/100BaseTX
Fa0/8 notconnect 1 auto auto 10/100BaseTX
Fa0/9 notconnect 1 auto auto 10/100BaseTX
Fa0/10 notconnect 1 auto auto 10/100BaseTX
Fa0/11 notconnect 1 auto auto 10/100BaseTX
Fa0/12 notconnect 1 auto auto 10/100BaseTX
Fa0/13 notconnect 1 auto auto 10/100BaseTX
Fa0/14 notconnect 1 auto auto 10/100BaseTX
Fa0/15 notconnect 1 auto auto 10/100BaseTX
Fa0/16 notconnect 1 auto auto 10/100BaseTX
Fa0/17 notconnect 1 auto auto 10/100BaseTX
Fa0/18 notconnect 1 auto auto 10/100BaseTX
Fa0/19 notconnect 1 auto auto 10/100BaseTX
Fa0/20 notconnect 1 auto auto 10/100BaseTX
Fa0/21 notconnect 1 auto auto 10/100BaseTX
Fa0/22 notconnect 1 auto auto 10/100BaseTX
Fa0/23 notconnect 1 auto auto 10/100BaseTX
Fa0/24 notconnect 1 auto auto 10/100BaseTX
Gi0/1 connected 1 a-full a-1000 10/100/1000BaseTX
Gi0/2 notconnect 1 auto auto Not Present
Show config of individual port or VLAN
Switch#show running-config interface gi0/1
Building configuration...
Current configuration : 36 bytes
!
interface GigabitEthernet0/1
end
You could also use "interface vlan 1" and you would get the config of the VLAN interface.
Create VLAN:
Switch(config)#vlan 80
Switch(config-vlan)#name realtechtalk.com
Assign VLAN:
Switch(config)#int fa0/19
Switch(config-if)#switchport access vlan 80
Show all VLANs:
show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Show Specific VLAN
show vlan id 1
Configure interfaces
100M Ethernet ports are named fa0/N (FastEthernet), so for port 1 you would use:
int fa0/1
or
int fastethernet0/1
1Gig Ethernet ports are gigabitethernet or gi0/N:
int gigabitethernet0/1
or
int gi0/1
VLAN interfaces (SVIs) are selected the same way:
int vlan 1
Working with a range of ports (example: ports 1-12)
int range fa0/1-12
Enable Port(s)
int fa0/1
no shutdown
"no" in front of a command negates it, so "no shutdown" turns the port on and "shutdown" would disable it.
How to Assign ports to vlan
#how to assign ports to vlan in this case it is ports 1-24 and they are being assigned to vlan 1
Switch(config)#int range fa0/1-24
Switch(config-if-range)#switchport access vlan 1
Port Security
Port security on IOS only works on access ports, so the interface must be in "switchport mode access" and port security must be switched on with "switchport port-security" before the settings below do anything.
Maximum MAC addresses/devices
Where 8 below is the maximum number of MACs allowed on the port:
rtt(config)#int fa0/3
rtt(config-if)#switchport port-security maximum 8
To Disable MAC Limit (back to the default of 1)
rtt(config-if)#no switchport port-security maximum
How To Disable Port Security On A Port
no switchport port-security
no switchport port-security violation protect
no switchport port-security mac-address sticky
no switchport mode access
The last line is not part of port security: it returns the port to dynamic trunk negotiation (DTP), which is not something you want on a port that faces a user or a server, so leave it out unless you really mean it.
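Added example, not from the page: the script below converts MACs between the notations seen on this page (colon form, ProCurve xxxxxx-xxxxxx, Cisco xxxx.xxxx.xxxx) and generates the port-security lines for both the ProCurve commands in the earlier section and the Cisco commands above from one inventory of port to allowed MACs. The inventory and the FastEthernet0/N naming used for the Cisco side are assumptions.

```python
"""Normalise MAC addresses across vendor notations and generate per-port
port-security configuration for ProCurve and Cisco IOS from one inventory.

Added example, not from the page. ProCurve lines follow the page's
"port-security <port> learn-mode / address-limit / mac-address" commands
plus "action send-disable"; Cisco lines follow the page's
"switchport port-security" commands. The inventory is constructed.
"""
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed inventory: switch port -> MACs allowed on it, in whatever
# notation the source (DHCP leases, a CMDB export, "show mac") happened to use.
INVENTORY = {
    1: ["00:1F:D0:00:13:CC"],
    3: ["deadbe-efbce8", "0011.2233.4455"],
}


def normalize_mac(mac):
    """Return 12 lowercase hex digits from colon, dash, Cisco dotted or
    ProCurve 'xxxxxx-xxxxxx' notation; reject anything that is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_procurve(mac):
    d = normalize_mac(mac)
    return f"{d[:6]}-{d[6:]}"           # 001fd0-0013cc, as the 2824 prints it


def mac_cisco(mac):
    d = normalize_mac(mac)
    return f"{d[:4]}.{d[4:8]}.{d[8:]}"  # 001f.d000.13cc


def mac_colon(mac):
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def procurve_port_security(port, macs, action="send-disable"):
    """learn-mode static with address-limit equal to the number of known MACs,
    so the port can never learn an extra device; send-disable shuts it on intrusion."""
    macs = [mac_procurve(m) for m in macs]
    lines = [f"port-security {port} learn-mode static address-limit {len(macs)} action {action}"]
    lines += [f"port-security {port} mac-address {m}" for m in macs]
    return lines


def cisco_port_security(interface, macs, violation="restrict"):
    """Static (non-sticky) port security on an access port. 'restrict' drops
    offenders and logs/traps; 'protect' would drop them silently."""
    lines = [f"interface {interface}",
             " switchport mode access",
             " switchport port-security",
             f" switchport port-security maximum {len(macs)}",
             f" switchport port-security violation {violation}"]
    lines += [f" switchport port-security mac-address {mac_cisco(m)}" for m in macs]
    return lines


def render(inventory, vendor):
    """Config lines for the whole inventory; Cisco port names are an assumption."""
    gen = procurve_port_security if vendor == "procurve" else cisco_port_security
    out = []
    for port, macs in sorted(inventory.items()):
        name = port if vendor == "procurve" else f"FastEthernet0/{port}"
        out += gen(name, macs)
    return out


if __name__ == "__main__":
    print("\n".join(render(INVENTORY, "procurve")))
    print()
    print("\n".join(render(INVENTORY, "cisco")))
```

Paste the generated lines into config mode on the switch. Because the limit equals the number of listed MACs, nothing is learned dynamically; that is the point, but it also means every NIC swap needs a config change.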
BPDU Guard
This can be the source of a lot of pain for end users and network admins. To understand it, first let's talk about STP (Spanning Tree Protocol), which is designed to prevent layer 2 switching loops that would otherwise kill a network. A loop can be something as simple as an ethernet cable with both ends plugged into the same switch.
STP works by exchanging BPDUs (Bridge Protocol Data Units), multicast frames that carry the sending bridge ID (priority plus MAC), the root bridge ID, the path cost to the root and the sending port ID. Every switch runs the spanning tree algorithm (STA) over that information to elect a root bridge and build a loop-free tree at layer 2, putting any port that would create a loop into a blocking state.
BPDU Guard in the Cisco world simply means that if a port receives a BPDU at all, the switch puts the port into errdisable (shut down). It belongs on portfast (edge) ports, where no switch should ever be plugged in: without it, anyone who plugs a switch into a user port takes part in your spanning tree and, with a low enough priority, becomes the root bridge and pulls traffic through itself.
I say this is good in terms of keeping a network secure and running well, but a pain for end users who need to run a managed switch behind the port and for network admins who were unaware that BPDU Guard was enabled.
Check a port's settings and you may see this:
rtt#show run int gi0/1
Building configuration...
Current configuration : 335 bytes
!
interface GigabitEthernet0/1
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
end
To disable bpduguard
rtt(config-if)#spanning-tree bpduguard disable
To enable bpduguard
rtt(config-if)#spanning-tree bpduguard enable
*Note you can also enable or disable BPDU Guard globally for every portfast port from global config (conf t):
#enable by default
rtt(config)#spanning-tree portfast bpduguard default
#disable by default
rtt(config)#no spanning-tree portfast bpduguard default
A port that BPDU Guard has put into errdisable stays down until you do a "shutdown" and "no shutdown" on it (or errdisable recovery is configured for bpduguard), so a user who plugs in a switch will be calling you.
How to assign an IP to a VLAN (SVI)
Choose your VLAN interface, eg. int vlan 777, then set the IP and netmask (below 10.25.20.2 with netmask 255.255.255.0):
Switch(config-if)#ip address 10.25.20.2 255.255.255.0
Assign the default gateway. This is a global command, not an interface one (the original capture showed it at the interface prompt); it is the gateway the switch itself uses for management traffic when ip routing is off:
Switch(config)#ip default-gateway 10.25.20.1
How To Set Administrative "enable" mode Password
Switch(config)#enable password realtechtalk.com
Prefer "enable secret" (it is what the password reset steps later on use): "enable password" is stored in clear text or, with service password-encryption, as a reversible type 7 string, whereas enable secret stores a salted hash. If both are set, the secret is the one that counts.
DHCP Server Creation for VLAN
Create VLAN and assign IP 10.25.2.2 and DFGW 10.25.2.1
switch(config-if)#int vlan 1800
switch(config-if)#ip address 10.25.2.2 255.255.255.0
switch(config-if)#ip default-gateway 10.25.2.1
#you could add Option 150 if this VLANis for phones and you have a CUCM Server (specify the CUCM server IP)
switch(dhcp-config)#option 150 ip 10.25.2.8
Create DHCP Pool for VLAN 1800 range 10.25.2.0
#to match the DHCP Pool to the VLAN we mention vlan1800 as the name of the pool below.
switch(config)#ip dhcp pool vlan1800
switch(dhcp-config)#network 10.25.2.0 255.255.255.0
switch(dhcp-config)#dns-server 8.8.8.8 4.2.2.1
switch(dhcp-config)#default-router 10.25.2.1
Exclude Relevant Addresses
switch(config)#ip dhcp excluded-address 10.25.2.1 10.25.2.2
Enable SSH:
First we need to generate keys for the SSH server, which takes a while if you choose a decent key size. The switch must have a hostname and a domain name (ip domain-name) configured before it will generate a key pair.
crypto key generate rsa
Use 2048 bits as the minimum; 4096 is better where the platform supports it, but on an older switch like a 2960G a 4096-bit key takes forever to generate and some older routers and switches only go up to 2048. Check the size the switch actually generated: in the capture below 4096 was requested but the switch reports 1024-bit keys, and a 1024-bit key is too weak to keep.
The name for the keys will be: rttkey
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 4096
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
From config mode turn on password encryption; otherwise anyone who sees your config sees the passwords in clear text:
service password-encryption
Be aware that this only applies Cisco type 7 "encryption", a fixed XOR that free tools reverse instantly. It stops shoulder-surfing, not someone with a copy of the config; use "enable secret" (and "username ... secret" on IOS versions that support it) for a real hash.
Create username and password:
username rttuser password rttpassword
Enter line vty 0 4, allow only SSH and tell it to authenticate against the local user database (eg. the user created above):
line vty 0 4
(config-line)# transport input ssh
(config-line)# login local
(config-line)# password 7
(config-line)# exit
The "password 7 ..." line (cut off in the capture above) is how a line password looks once service password-encryption has rewritten it; with "login local" the line password is not used for vty logins. Also set "ip ssh version 2" so the switch refuses SSH version 1.
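Added example (my own code, not the page's): a small audit of an IOS running-config for the points above: missing service password-encryption, "enable password" instead of "enable secret", type 7 strings (decoded in place to show how little they protect), telnet on the vty lines, and, from the BPDU Guard and port security sections, portfast without bpduguard and "violation protect". The config is constructed; the two type 7 strings are the well-known test vectors for the password "cisco".

```python
"""Audit a Cisco IOS running-config for the weak settings this page touches.

Added example, not from the page. Checks: service password-encryption off,
no enable secret, type 7 passwords (decoded to show they are reversible),
telnet on vty lines, portfast without BPDU guard, port-security violation
protect. SAMPLE_CONFIG is constructed.
"""
import re

# Cisco's fixed type 7 XOR key, public since the 1990s: type 7 is obfuscation, not encryption.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

SAMPLE_CONFIG = """\
hostname rtt
enable password 7 094F471A1A0A
username rttuser password 7 0822455D0A16
spanning-tree mode pvst
!
interface GigabitEthernet0/1
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line vty 0 4
 password 7 094F471A1A0A
 login local
 transport input telnet ssh
!
"""


def decode_type7(enc):
    """Type 7 layout: two decimal digits giving the key offset, then one hex
    byte per character, each XOR-ed with the key byte at offset+i."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2])
    chars = []
    for i in range((len(enc) - 2) // 2):
        byte = int(enc[2 + 2 * i:4 + 2 * i], 16)
        chars.append(chr(byte ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])))
    return "".join(chars)


def encode_type7(plain, seed=9):
    """Inverse of decode_type7 (IOS picks the seed from 0-15 at random)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(f"{ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]):02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def parse_sections(config):
    """Map each top-level config line to its indented sub-lines (IOS stanza layout)."""
    sections, cur = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and cur is not None:
            sections[cur].append(raw.strip())
        else:
            cur = raw.strip()
            sections[cur] = []
    return sections


def audit_ios_config(config):
    """Return [(where, finding), ...]; 'where' is 'global' or the stanza header."""
    s = parse_sections(config)
    findings = []
    if "service password-encryption" not in s:
        findings.append(("global", "service password-encryption is off: passwords sit in the config in clear text"))
    if not any(t.startswith("enable secret") for t in s):
        findings.append(("global", "no enable secret: 'enable password' is type 0/7 and trivially recovered"))
    bpduguard_default = "spanning-tree portfast bpduguard default" in s
    for top, body in s.items():
        for ln in [top] + body:
            m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", ln)
            if m:
                findings.append((top, f"type 7 password decodes to {decode_type7(m.group(1))!r}"))
        if top.startswith("line vty"):
            ti = [b for b in body if b.startswith("transport input")]
            if not ti or any(w in ti[-1].split() for w in ("telnet", "all")):
                findings.append((top, "telnet allowed (or transport input not set): use 'transport input ssh'"))
        if top.startswith("interface "):
            if ("spanning-tree portfast" in body and not bpduguard_default
                    and "spanning-tree bpduguard enable" not in body):
                findings.append((top, "portfast without bpduguard: a switch plugged in here joins your spanning tree"))
            if "switchport port-security violation protect" in body:
                findings.append((top, "violation protect drops silently; use restrict (logs/traps) or shutdown"))
    return findings


if __name__ == "__main__":
    for where, what in audit_ios_config(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```

Feed it the output of "show run" and fix the findings in the order they matter: the type 7 and enable password findings first, because anyone who has ever seen a backup of that config already has those passwords.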
Troubleshooting
Why can't I ping or connect to my VLAN IP?
Make sure the VLAN that has the IP is assigned to at least one port that is up; the VLAN interface stays down until a port in that VLAN comes up.
Make sure the IP address is correct and that the switch has the appropriate default gateway if the client is on another subnet.
Make sure your client machine has an IP on that subnet AND a route to it through the right adapter (eg. in Linux: ip route add 10.10.25.0/24 dev eth0). Remember to specify the /24 or whatever mask you want and the right device.
Are the port and the VLAN interface in a no shut state?
Cannot set a VLAN on a port due to VTP errors:
Switch(config-if)#switchport access vlan 1234
% Access VLAN does not exist. Creating vlan 1234
Switch(config-if)#
*Mar 1 00:17:02.688: %PM-2-VLAN_ADD: Failed to add VLAN 1234 - VTP error.
This happens when the switch is a VTP client: clients cannot create VLANs, only the VTP server can. A quick and easy way out is to turn VTP off, which is also the safer choice for production: a switch joining the domain with a higher configuration revision number can overwrite the VLAN database of every switch in the domain and delete VLANs. On IOS versions that do not accept "off", use vtp mode transparent.
vtp mode off
Setting device to VTP Off mode for VLANS.
Cisco Router Password Recovery (config register)
It is common to get access to undocumented equipment and need to reset the password. This applies to many Cisco routers (2600, 2900, 3900 etc.). Everything below needs console and power access, which is the reason console ports and the racks they sit in should be physically secured: whoever can reach the console owns the box. (A router configured with "no service password-recovery" refuses this procedure, but then recovery wipes the config.)
Cisco's guide says to hit Ctrl+Pause/Break, but that does not work with some devices and terminal programs (hence people asking why "cisco password reset pause break does not work"); Cisco documents alternative break sequences for the common terminal programs.
Step 1: Power cycle the router to enter rommon mode
For routers like the 2900/3900 follow the separate guide to remove the CF disk first.
Immediately after power-on, and within 60 seconds, hit Ctrl+Pause/Break repeatedly until you see the "rommon 1 >" prompt. If the image boots normally to the console you hit the keys too late, or you need one of the alternative key combinations.
Type "confreg 0x2142" and then "reset". 0x2142 tells the router to ignore the startup config in NVRAM on the next boot, so it comes up unconfigured and you get enable mode without being asked for a password.
Step 2 - Wait for the reboot, load the config and reset the password
Once the image loads, answer "no" to "Would you like to enter the initial configuration dialog".
Type "en" or "enable" to enter enable mode (no password is asked because the saved config was ignored).
copy start run
Hit "enter" to accept the default destination filename of "running-config". This loads the saved config (interfaces, routes and all) into memory so that it, and not an empty config, is what gets saved again with the new password. Note that the interfaces come up in the shutdown state after this and need a "no shutdown".
Now reset your enable password:
conf t
enable secret oursecretpassword
Remember to save the current config:
wr
or
copy run start
If you need to reset the console password:
This is wise to do, as presumably you don't have access any other way at this point, and if you exit enable mode you won't be able to re-enter if there is a password on the console.
Be sure to do a "wr" or copy run start after this to save the changes.
Step 3 - Reset the config register
In config mode you have to set the register back to 0x2102, otherwise the router will keep ignoring the startup config on every boot (and anyone on the console gets a password-less router each time). Save and reboot afterwards.
config-register 0x2102
Cisco Catalyst Switch Password Recovery (mode button)
This was done on a 2900 but applies to the Catalyst switches of the same era (2950, 2960, 3560 etc.).
Step 1 - Power cycle and enter recovery mode
If you have physical access, power cycle the switch while holding the Mode button down for about 15 seconds; the SYS light flashes and you land at the "switch:" prompt.
If you don't have physical access (eg. it is a datacenter switch reachable over console only) then power cycle it and hit Ctrl+Pause/Break repeatedly once the power is on until you see the same prompt.
Step 2 - Disable the startup config file
Type: flash_init
Type: dir flash:
This lists all of the files on the flash; normally the startup config is "config.text". We rename it temporarily so the switch boots without it; renaming rather than deleting keeps the configuration so it can be restored and only the password changed.
Rename the config.text: rename flash:config.text flash:config.text.orig
Step 3 - Boot
Type: boot
The boot output scrolls by. At this point you could just default the switch, but we want to keep the existing config and only reset the password.
When it asks "Would you like to enter the initial configuration dialog? [yes/no]:" answer no.
Type: no
Step 4 - Enter enable mode, restore the config and reset the password
Enter enable mode:
Type: en
Restore our config file:
Type: rename flash:config.text.orig flash:config.text
Load it into the running config before setting the new password; if you skip this, saving below overwrites config.text with the near-empty running config and the switch's configuration is gone:
Type: copy flash:config.text system:running-config
Enter config mode and set a new password of "realtechtalk.com" (obviously change it to the password you want):
Type: conf t
Type: enable secret realtechtalk.com
Save the new config/password you set:
Type: do wr