Procurve Switch Configuration
Also see: HP Intelligent Management Center.
- After configuring the switch and adding it to IMC (using the "Auto-Discover" feature), you must also add it to the list of devices in the "Auto Backup Plan" (under Service\Configuration Center), so that its configuration is backed up weekly.
- If you take a new switch out of the box, you'll want to connect with a console cable and enter the setup menu to configure basic IP settings.
Enter the default gateway, mask, and a static IP.
- 1 Console tips
- 2 Switch Configuration
- 3 notes
- 4 Power-Over-Ethernet
- 5 Useful Apps
- 6 Deploying Switch Software via TFTP using Command Line
- 7 Restoring Flash Image Using Xmodem console connection
I usually do the rest of the configuration from the command line. To quickly configure a switch, you can copy the following command-blocks and then paste them into PuTTY (by right-clicking inside the PuTTY window). You must first enter "config" mode with the following command:
If the block of commands you copied does not include a blank line at the bottom, then you'll have to hit "Enter" once to run the last command. When you're done making configuration changes, don't forget to save the running-config to startup-config using the following command:
The default administrative username on most newer Procurve switches is "manager". However, if you want to change this to something like "admin" for switch SSH access, just add a user with manager privileges using the following line. You'll then be prompted for a new password (just use the standard one).
password manager user-name admin
SSH and filetransfer settings
crypto key generate ssh
ip ssh
no telnet
no telnet server
ip ssh filetransfer
- IMPORTANT: After entering these commands, test SSH access! If you're connected to a switch with a console cable, close PuTTY. Ensure you're connected to the net via wifi or network cable. Open PuTTY: it should default to "SSH", so just type the switch's IP and see if it connects. As long as it prompts you for a user or password, SSH is working.
- Assuming the manager pw is correctly set, this configuration should allow access from both PuTTY and IMC.
- I advise using SCP for all file transfers (eg. configuration backups, software deployment). This method transfers files using an SSH connection (as opposed to TFTP, FTP, and SFTP), and is much faster than TFTP!
- If a switch is configured for secure filetransfers (look for the config line "ip ssh filetransfer"), then TFTP transfers are automatically disabled. If you need to use TFTP, you'll have to disable secure filetransfers first, by using the command "no ip ssh filetransfer".
- SNMPv3 is more secure than v1 or v2.
- Something like this should work on most Procurve switches (except the 2810). Enter your own auth and priv passwords, and a username.
snmpv3 enable
AUTHPASSCODE
PRIVPASSCODE
n
y
snmpv3 user USERNAME auth sha AUTHPASSCODE priv aes PRIVPASSCODE
snmpv3 group managerpriv user USERNAME sec-model ver3
SNMPv3 (2810 only)
- The 2810 requires different settings from most switches (requires des, not aes encryption), and uses different syntax.
snmpv3 enable
AUTHPASSCODE
PRIVPASSCODE
n
y
snmpv3 user USERNAME auth sha AUTHPASSCODE priv PRIVPASSCODE
snmpv3 group ManagerPriv user USERNAME sec-model ver3
snmpv3 targetaddress HOSTNAME params not_parms HOSTNAME_IP
In the "snmpv3 targetaddress" command, "HOSTNAME" is an arbitrary name for the targetaddress, and I think "not_parms" is an arbitrary name for a parameter list?
SNTP and time settings
Syncs time to a domain controller, sets central time-zone and daylight savings.
time timezone -360 daylight-time-rule continental-us-and-canada
timesync sntp
sntp unicast
sntp server IP_OF_YOUR_DOMAIN_CONTROLLER
sntp server priority 1 IP_OF_YOUR_DOMAIN_CONTROLLER
- Windows domains require very strict time synchronization to operate properly (within a few seconds). That's why computers whose time or timezone is incorrect often have authentication problems. Windows domain servers are SNTP servers by default, and can be used by any device to automatically sync time.
- There are two "sntp server" lines because some switches require a slightly different syntax. You can paste both into PuTTY: the line whose syntax is incorrect for the switch you're currently working on will simply be ignored.
- You can confirm that a switch's time settings are correct with the following command:
When someone accidentally creates a "loop" (by plugging both ends of a network cable into wall jacks), loop-protection automatically disables those switch ports to prevent a layer-2 broadcast storm.
Enable loop-protection on all access ports (where n=number of access (not switch link) ports)
Send trap to IMC when loop is detected.
loop-protect trap loop-detected
Set protection interval to 1 second (the default is several seconds). This is the interval at which the switch checks for loops on a given port.
loop-protect transmit-interval 1
It's a good idea to prevent switch links from being disabled by loop-protection, so that you don't lose remote access (and so multiple rooms don't lose connectivity due to switch links going down). You can do this by only protecting the access ports. If you do enable protection on the switch ports, make sure you configure those ports to not be disabled when loops are detected.
loop-protect 25-28 receiver-action no-disable
View current Loop-Protection settings
I suggest configuring the following items on your switches (at a minimum)
- Primary IP for the switch (shows-up in configuration as the IP of VLAN 1)
- Loopback protection (on access ports only)
- Time settings, SNTP synch
- SSH access, telnet disabled
- TFTP filetransfers
- SNMPv3 (for IMC to read logs and read/write configuration data)
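A saved configuration can be checked against the list above with a short script. This is an added example, not part of the original page; it assumes the saved config repeats the command strings shown on this page, and the sample configs, host names and user name are constructed.

```python
import re

# name -> (pattern, must_be_present). Patterns reuse the command strings shown
# on this page; that a saved config repeats them verbatim is an assumption.
BASELINE = {
    "ssh":              (r"ip ssh", True),
    "telnet-off":       (r"no telnet([- ]server)?", True),
    "ssh-filetransfer": (r"ip ssh filetransfer", True),
    "tftp-client-off":  (r"tftp client", False),   # must be absent
    "snmpv3":           (r"snmpv3 enable", True),
    "snmpv3-group":     (r"snmpv3 group managerpriv user \S+ sec-model ver3", True),
    "timesync-sntp":    (r"timesync sntp", True),
    "sntp-server":      (r"sntp server (priority \d+ )?\S+", True),
    # Port-list form assumed from the "loop-protect 25-28 ..." line on this page.
    "loop-protect":     (r"loop-protect \d[\d,-]*", True),
}

def audit(config_text):
    """Map each baseline item to True (satisfied) or False."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]  # skip comments
    result = {}
    for name, (pattern, must_exist) in BASELINE.items():
        found = any(re.fullmatch(pattern, ln, re.IGNORECASE) for ln in lines)
        result[name] = found == must_exist
    return result

def failures(config_text):
    """Sorted names of baseline items the config does not satisfy."""
    return sorted(n for n, ok in audit(config_text).items() if not ok)

# Constructed sample configs, not taken from a real switch.
SAMPLE_GOOD = """; constructed sample
hostname "closet-sw1"
timesync sntp
sntp server priority 1 10.0.0.10
ip ssh
ip ssh filetransfer
no telnet
snmpv3 enable
snmpv3 group managerpriv user "imc" sec-model ver3
loop-protect 1-24
"""
SAMPLE_BAD = """timesync sntp
sntp server 10.0.0.10
ip ssh
tftp client
loop-protect 25-28 receiver-action no-disable
"""
```

Calling failures() on a config exported by the backup job returns the baseline items still to be fixed; SAMPLE_BAD fails six of the nine checks because only the uplink ports carry a loop-protect line and the TFTP client is still enabled.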
View switch's event log: (newest entries first)
show log -r
Clear switch's event log
Show console settings:
Clear arp table
Clear mac addresses
clear mac-address vlan 1
clear mac-address port 1-24
show snmp-server [COMMUNITY-STR]
show snmpv3 ?
 access-rights         Show information about access rights.
 community             Show SNMPv3 Community table.
 enable                Show SNMPv3 status.
 engineid              Show switch's SNMP engineId.
 group                 Show SNMPv3 User to Group mappings.
 notify                Show SNMPv3 notification table.
 only                  Show SNMP message reception policy.
 params                Show SNMPv3 Target Parameters table.
 restricted-access     Show SNMPv1 and SNMPv2c access properties.
 targetaddress         Show SNMPv3 Target Address table.
 user                  Show SNMPv3 users.
 view                  Show views.
The easiest way to manually deploy software from a TFTP server is by using the menu command and selecting "Download OS". See TFTPd for instructions.
TFTP download of switch software using the CLI: this works on any switch with the TFTP client enabled. The example assumes a TFTP server (like tftp32) is running on a computer whose IP is 10.30.1.17, and that the file "R_11_07.swi" is located in the base directory of the TFTP server. The command may differ based on the software version currently in use. For 3500yl K.15.9.009, the command looks like this:
copy tftp flash 10.30.1.17 K_15_12_0012.swi [primary | secondary]
If you don't specify primary or secondary, it places the new software in primary by default. To choose which software the switch loads at boot:
boot system flash <primary | secondary>
When upgrading software, it's best practice to download the new software to whichever slot isn't currently being used. For example, if the switch currently has version K.15.9 in primary and K.15.12 in secondary, and it's set to boot from primary, then you should download your new version to secondary, and then configure the switch to boot from the secondary flash. This way if the new software doesn't work, it's easier to make it revert to the old software in primary.
You can use this command to download any file in IMC's builtin tftp server root dir, which is:
You can also manually download software from the device using the menu command. Go to Download OS, specify your IMC server's IP and the file name. You should see a progress indicator as it downloads it. Software downloaded using the menu always goes into primary flash.
Troubleshooting: "Download is in progress, you cannot reboot now!" If you try to reboot the switch with the boot command and get this error, a previous SSH session is probably hung (IMC does this sometimes). To close the hung session, issue this command:
You'll be shown a numbered list of open connections, like this:
Switch# show telnet
 Telnet Activity
 Session Privilege From            To
 ------- --------- --------------- ---------------
       1 Superuser Console
 **    2 Manager   10.30.1.17
In this case, my workstation IP is 10.30.1.17, and Session 1 is the hung IMC connection, so we'll kill session 1:
If this doesn't work, try logging-in to the web interface and rebooting from there. Option may be called "Reset device".
show lldp info local-device
show lldp info remote-device
Display LLDP status, including per-port info.
show lldp config
Display LLDP stats (frames sent/received per-port).
show lldp stats
Disable automatic config file download. Enabled by default. Allows newly-installed switches to automatically download a base config file. Model 2620.
no dhcp config-file-update
Procurve switches with PoE/PoE+ functionality should deliver power automatically on all ports by default. However, sometimes when the switch loses power or the site loses connectivity briefly, any ports connected to APs may not deliver power as they should. You can fix this by rebooting the switch, or by cycling the power status on the port, like this:
Switch(config)# no int 1-24 power
Switch(config)# int 1-24 power
- 3com Daemon - old program that works really well, and handles large transfers better than many other servers, including filezilla.
- Tftpd32 - nice light tftp server, for use when you need to manually transfer software to a switch.
Deploying Switch Software via TFTP using Command Line
- Always read the release notes for switch software before trying to update!
- If "ip ssh filetransfer" is set, you must first disable ssh filetransfers with "no ip ssh filetransfer". You then have to issue the command "tftp client".
- You should be able to download software from IMC, but you can also use tftpd32 on a windows box.
To view flash:
To view system info:
To verify digital signature on software:
verify signature flash [primary OR secondary]
To download software:
copy tftp flash [tftp server's ip] [remote file name] [primary OR secondary]
To change default software loaded at boot:
boot set-default flash <primary | secondary>
Restoring Flash Image Using Xmodem console connection
If the switch software is corrupted (for example by a problem during a software update), you may not be able to SSH or even connect via a normal console session. Sometimes you can connect via a console cable and reach a limited menu that allows you to upload a new software image from your laptop.
- See "2610 Management and Config Guide".
- Note: you may not be able to use Putty to do the transfer via xmodem. Instead try HyperTerminal.
- Terminal Emulator settings:
Baud rate: 9600
No parity
8 bits
1 stop bit
No flow control
- If successful, you'll get a prompt that looks like this:
- At this prompt, for help type:
- If you're going to upload an image over this xmodem console connection, you can speed it up by running at a higher baud rate. First change the switch's baud rate with this command:
- Then change your emulator settings to 115200 baud rate.
- Reconnect to the switch, and start the Console Download utility with the "do" command
- When prompted to continue using console download utility, hit Y
- It'll start printing an odd character on the terminal screen, which means it's waiting for you to start a transfer. In the HyperTerminal menu, go to Transfer, Send File. Browse for the .swi file, and make sure you select "Xmodem" from the drop-down box. You should then get a new dialogue box showing transfer progress.