Procurve Switch Configuration

From wiki.adammorgan.org

Also see: HP Intelligent Management Center.

First-time configuration:

  • After configuring the switch and adding it to IMC (using the "Auto-Discover" feature), also add it to the device list of the "Auto Backup Plan" (under Service\Configuration Center), so that its configuration is backed up weekly.
  • If you take a new switch out of the box, you'll want to connect with a console cable and enter the setup menu to configure basic IP settings.
setup

Enter the default gateway, mask, and a static IP.

Console tips

I usually do the rest of the configuration from the command line. To quickly configure a switch, you can copy the following command-blocks and then paste them into PuTTY (by right-clicking inside the PuTTY window). You must first enter "config" mode with the following command:

config terminal

If the block of commands you copied does not end with a blank line, you'll have to hit "Enter" once to run the last command. When you're done making configuration changes, don't forget to save the running-config to startup-config with the following command (short for "write memory"):

wr m

Switch Configuration

User Name

The default administrative account on most newer Procurve switches is named "manager". To rename it to something like "admin" for SSH logins and set its password in one step, add a user with manager privileges using the following line. You'll then be prompted for the new password (just use the standard one).

password manager user-name admin

SSH and filetransfer settings

crypto key generate ssh
ip ssh
no telnet-server
ip ssh filetransfer
  • IMPORTANT: After entering these commands, test SSH access before you walk away. If you're connected to the switch with a console cable, close PuTTY, make sure you're on the network (wifi or cable), and open a new PuTTY session: it defaults to "SSH", so just type the switch's IP and see if it connects. As long as it prompts you for a user or password, SSH is working. Also look at the host key with "show crypto host-public-key": older firmware generates a short RSA key by default, and newer releases accept a key size ("crypto key generate ssh rsa bits 2048"). Regenerating the key changes the switch's SSH fingerprint, so expect a known-hosts warning in PuTTY afterwards.
  • The telnet service is controlled with the hyphenated command "telnet-server"; "no telnet-server" turns it off.
  • Assuming the manager password is set correctly, this configuration allows access from both PuTTY and IMC.
  • I advise using SCP for all file transfers (eg. configuration backups, software deployment). SCP runs inside the SSH session, so credentials and file contents are encrypted, whereas TFTP and FTP send both in cleartext (SFTP is also SSH-based and is enabled by the same "ip ssh filetransfer" setting). It is also much faster than TFTP.
  • If a switch is configured for secure filetransfers (look for the config line "ip ssh filetransfer"), then TFTP transfers are automatically disabled. If you need to use TFTP, you'll have to disable secure filetransfers first, using the command "no ip ssh filetransfer".

SNMPv3

  • SNMPv3 authenticates and encrypts each request. SNMPv1 and v2c send a cleartext community string that is also the only credential, so anyone who can sniff or guess it can read (or, with a write community, change) the configuration.
  • Something like this should work on most Procurve switches (except the 2810). "snmpv3 enable" starts an interactive setup that creates a user named "initial" (MD5 authentication, DES privacy): the next two lines answer its authentication and privacy password prompts, "n" declines to create a second (SHA) user, and "y" restricts SNMPv1/v2c messages to read-only. The last two lines then create your own user with SHA/AES and place it in the managerpriv group. Enter your own auth and priv passwords, and a username.
  • Once your own user works from IMC, remove the setup account with "no snmpv3 user initial" (it keeps the weaker MD5/DES protocols), and consider "snmpv3 only" if nothing still needs SNMPv1/v2c access.
snmpv3 enable
AUTHPASSCODE
PRIVPASSCODE
n
y
snmpv3 user USERNAME auth sha AUTHPASSCODE priv aes PRIVPASSCODE
snmpv3 group managerpriv user USERNAME sec-model ver3

SNMPv3 (2810 only)

  • The 2810 requires different settings from most switches (it supports only DES, not AES, for privacy) and uses different syntax. DES is weak by today's standards, so keep 2810 SNMP traffic on the management network and don't reuse its passcodes on switches that can do AES.
snmpv3 enable
AUTHPASSCODE
PRIVPASSCODE
n
y
snmpv3 user USERNAME auth sha AUTHPASSCODE priv PRIVPASSCODE
snmpv3 group ManagerPriv user USERNAME sec-model ver3
snmpv3 targetaddress HOSTNAME params not_parms HOSTNAME_IP

In the "snmpv3 targetaddress" command, "HOSTNAME" is an arbitrary name for the target-address entry, and "not_parms" is the name of an entry in the SNMPv3 Target Parameters table (see "show snmpv3 params"), which ties the target to a user and security level. Both names are labels you choose; only HOSTNAME_IP must match the IMC server.
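
The two SNMPv3 blocks above ask for an AUTHPASSCODE and a PRIVPASSCODE, but the switch never stores those passcodes. It hashes each one into a key (RFC 3414 password-to-key) and then "localizes" it with its own SNMP engineID (the value shown by "show snmpv3 engineid"), so the same passcode gives a different key on every switch and a manager such as IMC has to learn each engineID before it can talk to the device. The script below is an added example (not from this wiki page or from HP) that carries out that derivation with Python's hashlib for both the "auth sha priv aes" case and the 2810's DES case; the engineIDs it uses are constructed sample values apart from the RFC 3414 test vector.

```python
"""Derive the localized SNMPv3 keys a switch stores for a user (RFC 3414 / RFC 3826).

Added example, not code from the wiki page or from HP. Engine IDs below are
constructed sample values (the RFC 3414 test-vector engineID is used in main).
"""
import hashlib

# SNMPv3 auth protocol -> hashlib name. The 'initial' user created by
# "snmpv3 enable" uses MD5; the users configured on the page use SHA.
HASH_FOR_AUTH = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: hash the passcode repeated cyclically out to 1,048,576 bytes (Ku)."""
    if not password:
        raise ValueError("empty passcode")
    repeated = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(HASH_FOR_AUTH[auth], repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku), which binds the key to one engine."""
    return hashlib.new(HASH_FOR_AUTH[auth], ku + engine_id + ku).digest()


def user_keys(auth_pass: str, priv_pass: str, engine_id_hex: str, auth: str, priv: str) -> dict:
    """Return the localized auth key plus the key material the priv protocol uses.

    The priv passcode is hashed with the *auth* protocol's hash (RFC 3414 11.2).
    """
    engine_id = bytes.fromhex(engine_id_hex.replace(":", "").replace(" ", ""))
    auth_kul = localize_key(password_to_key(auth_pass.encode(), auth), engine_id, auth)
    priv_kul = localize_key(password_to_key(priv_pass.encode(), auth), engine_id, auth)
    if priv == "des":
        # RFC 3414 8.1.1.1: first 8 octets are the DES key, next 8 the pre-IV (2810 case)
        priv_key, pre_iv = priv_kul[:8], priv_kul[8:16]
    elif priv == "aes":
        # RFC 3826 3.1.2.1: AES-128 takes the first 16 octets of the localized key
        priv_key, pre_iv = priv_kul[:16], b""
    else:
        raise ValueError(f"unsupported priv protocol: {priv}")
    return {"auth_key": auth_kul, "priv_key": priv_key, "pre_iv": pre_iv}


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engineID 00..02 (12 bytes).
    rfc_engine = "000000000000000000000002"
    print("SHA Kul:", localize_key(password_to_key(b"maplesyrup", "sha"),
                                   bytes.fromhex(rfc_engine), "sha").hex())
    # Constructed engineIDs for two hypothetical switches: same passcodes, different keys.
    for eid in ("800000098003001b2b1a3c40", "800000098003001b2b1a3c41"):
        k = user_keys("AUTHPASSCODE", "PRIVPASSCODE", eid, "sha", "aes")
        print(eid, "auth", k["auth_key"].hex()[:16], "aes", k["priv_key"].hex()[:16])
```

The practical consequences: a stolen localized key from one switch does not work on another, a change of engineID (e.g. a replacement chassis) silently invalidates IMC's cached keys, and on the 2810 only 8 bytes of the 20-byte SHA-derived key end up protecting traffic as a DES key.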

SNTP and time settings

Syncs time to a domain controller, sets central time-zone and daylight savings.

time timezone -360 daylight-time-rule continental-us-and-canada
timesync sntp
sntp unicast
sntp server IP_OF_YOUR_DOMAIN_CONTROLLER
sntp server priority 1 IP_OF_YOUR_DOMAIN_CONTROLLER
  • Windows domains require tight time synchronization: Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default), which is why computers whose time or time zone is wrong often have authentication problems. Windows domain controllers run an (S)NTP service by default, and any device can synchronize its clock against them.
  • There are two "sntp server" lines because some switches require a slightly different syntax. You can paste both into PuTTY: the line whose syntax is incorrect for the switch you're currently working on will simply be ignored.
  • You can confirm that a switch's time settings are correct with the following command:
show time

Loop Protection

When someone accidentally creates a "loop" (by plugging both ends of a network cable into wall jacks), loop-protection automatically disables those switch ports to prevent a layer-2 broadcast storm.

Enable loop-protection on all access ports (where n=number of access (not switch link) ports)

loop-protect 1-n

Send trap to IMC when loop is detected.

loop-protect trap loop-detected

Set the transmit interval to 1 second (the default is 5 seconds). This is how often the switch sends a loop-protect probe on each protected port, so it determines how quickly a loop is detected.

loop-protect transmit-interval 1

It's a good idea to prevent switch links from being disabled by loop-protection, so that you don't lose remote access (and so multiple rooms don't lose connectivity due to switch links going down). You can do this by only protecting the access ports. If you do enable protection on the switch ports, make sure you configure those ports to not be disabled when loops are detected. Note that a port disabled by loop-protection stays down until someone re-enables it, unless you set "loop-protect disable-timer" to a number of seconds after which it comes back on its own.

loop-protect 25-28 receiver-action no-disable

View current Loop-Protection settings

show loop-protect

notes

I suggest configuring the following items on your switches (at a minimum)

  • Primary IP for the switch (shows up in the configuration as the IP address of VLAN 1)
  • Loop protection (on access ports only)
  • Time settings, SNTP synchronization
  • SSH access, telnet disabled
  • SSH file transfers (SCP/SFTP via "ip ssh filetransfer"), which disables TFTP
  • SNMPv3 (for IMC to read logs and read/write configuration data)
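
Once you have a few dozen switches, checking that list by eye does not scale. The script below is an added example (not from this wiki page or from HP) that audits a saved running-config (e.g. the file IMC's weekly backup or an SCP copy produces) for the items above, plus the loop-protection rules from the Loop Protection section: every access port must be protected, and any protected uplink must carry receiver-action no-disable. The config it runs on is a constructed sample; the regexes follow the ProCurve running-config syntax used on this page, the access/uplink port numbers are assumptions, and the port-list parser only understands plain numeric ports (not chassis-style "A1" or "Trk1" names).

```python
"""Audit a ProCurve running-config for the minimum settings recommended on this page.

Added example, not code from the wiki page or from HP. SAMPLE_CONFIG is a
constructed running-config; ACCESS_PORTS/UPLINK_PORTS are assumed port roles.
"""
import re

ACCESS_PORTS = set(range(1, 25))   # assumption: ports 1-24 face users
UPLINK_PORTS = {25, 26, 27, 28}    # assumption: ports 25-28 are switch links

# Constructed sample: telnet still on, default community left in place,
# four access ports unprotected, two protected uplinks that would be disabled.
SAMPLE_CONFIG = """\
; J9146A Configuration Editor; Created on release #W.14.38
hostname "sw-room-101"
snmp-server community "public" unrestricted
snmpv3 enable
snmpv3 restricted-access
timesync sntp
sntp unicast
sntp server priority 1 10.30.1.5
time timezone -360
ip ssh
ip ssh filetransfer
loop-protect 1-20,25-28
loop-protect trap loop-detected
loop-protect 25-26 receiver-action no-disable
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-28
   ip address 10.30.1.20 255.255.255.0
   exit
"""

# (check name, regex matched against whole-line config entries, wanted present?)
LINE_CHECKS = [
    ("ssh_enabled",          r"^ip ssh\s*$",                          True),
    ("ssh_filetransfer",     r"^ip ssh filetransfer\s*$",             True),
    ("telnet_disabled",      r"^no telnet-server\s*$",                True),
    ("snmpv3_enabled",       r"^snmpv3 enable\s*$",                   True),
    ("snmpv3_v1v2_limited",  r"^snmpv3 (only|restricted-access)\s*$", True),
    ("no_public_community",  r'^snmp-server community "public"',      False),
    ("timesync_sntp",        r"^timesync sntp\s*$",                   True),
    ("sntp_server_set",      r"^sntp server",                         True),
    ("loop_protect_trap",    r"^loop-protect trap loop-detected\s*$", True),
]

PORTLIST = r"([\d,\-]+)"
RE_LOOP_PROTECT = re.compile(r"^loop-protect\s+" + PORTLIST + r"\s*$", re.M)
RE_NO_DISABLE = re.compile(r"^loop-protect\s+" + PORTLIST + r"\s+receiver-action\s+no-disable\b", re.M)


def expand_ports(spec):
    """Expand a numeric ProCurve port list such as "1-4,7,9-12" into a set of ints."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def loop_protected_ports(config):
    """Ports covered by any loop-protect line (with or without a receiver-action)."""
    ports = set()
    for rx in (RE_LOOP_PROTECT, RE_NO_DISABLE):
        for m in rx.finditer(config):
            ports |= expand_ports(m.group(1))
    return ports


def no_disable_ports(config):
    """Ports that are protected but will not be shut down when a loop is seen."""
    return set().union(*(expand_ports(m.group(1)) for m in RE_NO_DISABLE.finditer(config)))


def audit(config, access_ports=ACCESS_PORTS, uplink_ports=UPLINK_PORTS):
    """Return {check_name: passed} for the page's minimum settings."""
    results = {name: (re.search(rx, config, re.M) is not None) == want
               for name, rx, want in LINE_CHECKS}
    protected, safe = loop_protected_ports(config), no_disable_ports(config)
    results["loop_protect_access_ports"] = access_ports <= protected
    results["loop_protect_uplinks_no_disable"] = (uplink_ports & protected) <= safe
    return results


def failures(config, **kw):
    """Sorted names of the checks that failed."""
    return sorted(name for name, ok in audit(config, **kw).items() if not ok)


if __name__ == "__main__":
    for name in failures(SAMPLE_CONFIG):
        print("FAIL", name)
```

Run it against each backed-up config (for example in a loop over IMC's backup directory) and treat any printed FAIL as a ticket; on the sample it reports the four deliberately planted problems.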

General Commands

View switch's event log: (newest entries first)

show log -r

Clear switch's event log

clear logging

Show console settings:

show console

Clear arp table

clear arp

Clear mac addresses

clear mac-address vlan 1
clear mac-address port 1-24

SNMP Info

show snmp-server [COMMUNITY-STR]
show snmpv3 ?
 access-rights         Show information about access rights.
 community             Show SNMPv3 Community table.
 enable                Show SNMPv3 status.
 engineid              Show switch's SNMP engineId.
 group                 Show SNMPv3 User to Group mappings.
 notify                Show SNMPv3 notification table.
 only                  Show SNMP message reception policy.
 params                Show SNMPv3 Target Parameters table.
 restricted-access     Show SNMPv1 and SNMPv2c access properties.
 targetaddress         Show SNMPv3 Target Address table.
 user                  Show SNMPv3 users.
 view                  Show views.

Software Downloading

The easiest way to manually deploy software from a TFTP server is by using the menu command and selecting "Download OS". See TFTPd for instructions.

TFTP download of switch software using the CLI, on any switch with the tftp client enabled. The example assumes a TFTP server (such as Tftpd32) is running on the computer at 10.30.1.17, and that the software file is in the server's base directory. The exact command may differ based on the software version currently running; for a 3500yl on K.15.9.009 it looks like this:

copy tftp flash 10.30.1.17 K_15_12_0012.swi [primary | secondary]

If you don't specify primary or secondary, it places the new software in primary by default. To reboot the switch from a specific image (this reloads the switch immediately; to change the default image without rebooting, see "boot set-default" further down):

boot system flash <primary | secondary>

When upgrading software, it's best practice to download the new software to whichever slot isn't currently being used. For example, if the switch currently has version K.15.9 in primary and K.15.12 in secondary, and it's set to boot from primary, then you should download your new version to secondary, and then configure the switch to boot from the secondary flash. This way if the new software doesn't work, it's easier to make it revert to the old software in primary.

You can use this command to download any file in IMC's builtin tftp server root dir, which is:

C:\Program Files\iMC\server\data\image

You can also manually download software to the device using the menu command: go to Download OS and specify your IMC server's IP and the file name. You should see a progress indicator while it downloads. Software downloaded using the menu always goes into primary flash.

Troubleshooting: "Download is in progress, you cannot reboot now!" If you get this error when trying to reboot the switch with the boot command, a previous SSH session is probably hung (IMC does this sometimes). To find and close the hung session, issue this command:

show telnet

You'll be shown a numbered list of open connections, like this:

Switch#  show telnet

 Telnet Activity

  Session Privilege From            To
  ------- --------- --------------- ---------------
        1 Superuser Console
    **  2 Manager      10.30.1.17

The ** marks the session you're typing in (here session 2, from my workstation at 10.30.1.17); session 1 is the hung IMC connection, so we'll kill session 1:

kill 1

If this doesn't work, try logging-in to the web interface and rebooting from there. Option may be called "Reset device".

LLDP Commands

Show the switch's own LLDP advertisement, and the neighbors learned on each port:

show lldp info local-device
show lldp info remote-device

Display LLDP status, including per-port info.

show lldp config

Display LLDP stats (frames sent/received per-port).

show lldp stats

Model-Specific Commands

Disable automatic config file download (model 2620). It is enabled by default and lets a newly installed switch fetch a base config file named by the DHCP server. Since the switch applies whatever file the DHCP server points it to, turn this off once the switch has been configured.

no dhcp config-file-update

Power-Over-Ethernet

Procurve switches with PoE/PoE+ functionality deliver power automatically on all ports by default. However, sometimes after the switch loses power or the site loses connectivity briefly, ports connected to APs may not deliver power as they should. You can fix this by rebooting the switch, or by cycling the power state on the ports, like this:

Switch(config)# no int 1-24 power
Switch(config)# int 1-24 power

Useful Apps

  • 3com Daemon - old program that works really well, and handles large transfers better than many other servers, including filezilla.
  • Tftpd32 - nice light tftp server, for use when you need to manually transfer software to a switch.

Deploying Switch Software via TFTP using Command Line

  • Always read the release notes for switch software before trying to update!
  • If "ip ssh filetransfer" is set, you must first disable ssh filetransfers with "no ip ssh filetransfer". You then have to issue the command "tftp client".
  • You should be able to download software from IMC, but you can also use tftpd32 on a windows box.

To view flash:

show flash

To view system info:

show system

To verify the digital signature on a downloaded image (do this before booting from it):

verify signature flash [primary OR secondary]

To download software:

copy tftp flash [tftp server's ip] [remote file name] [primary OR secondary]

To change default software loaded at boot:

boot set-default flash <primary | secondary>

Restoring Flash Image Using Xmodem console connection

If the switch software is corrupted (for example by a problem during a software update), you may not be able to SSH or even connect via a normal console session. Sometimes you can connect via a console cable and reach a limited menu that allows you to upload a new software image from your laptop.

  • See "2610 Management and Config Guide".
  • Note: you may not be able to use PuTTY to do the transfer via xmodem. Instead try HyperTerminal.
  • Terminal Emulator settings:
Baud rate: 9600
No parity
8 bits
1 stop bit
No flow control
  • If successful, you'll get a prompt that looks like this:
=>
  • At this prompt, for help type:
help
  • If you're going to upload an image over this xmodem console connection, you can speed it up by running at a higher baud rate. First change the switch's baud rate with this command:
sp 115200
  • Then change your emulator settings to 115200 baud rate.
  • Reconnect to the switch, and start the Console Download utility with the "do" command
do
  • When prompted to continue using console download utility, hit Y
Y
  • It'll start printing an odd character on the terminal screen over and over, which means it's waiting for you to start a transfer. In HyperTerminal, go to Transfer > Send File, browse for the .swi file, and make sure you select "Xmodem" from the protocol drop-down. A new dialog box should then show the transfer progress.