HP Switch Software
IPv6 Configuration Guide
HP 2520-8-PoE Switch
HP 2520-24-PoE Switch
Software version S.15.09
August 2012


Summary of Contents for HP 2520-8

  • Page 1 HP Switch Software IPv6 Configuration Guide HP 2520-8-PoE Switch HP 2520-24-PoE Switch Software version S.15.09 August 2012...
  • Page 3 HP Networking 2520 Switches August 2012 S.15.09 IPv6 Configuration Guide...
  • Page 4 Publication Number 5998-3621, August 2012. ... performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 5: Table Of Contents

    IPv6 Addressing Configuration: Introduction (1-1); General Configuration Steps (1-2); Configuring IPv6 Addressing (1-3); Enabling IPv6 with an Automatically Configured Link-Local Address (1-3); Enabling Autoconfiguration of a Global Unicast Address and a Default Router Identity on a VLAN (1-4); Enabling DHCPv6 ...
  • Page 6 Outbound Telnet to Another Device (2-4); Viewing the Current Telnet Activity on a Switch (2-6); Enabling or Disabling Inbound Telnet Access (2-7); Viewing the Current Inbound Telnet Configuration (2-7); SNTP and Timep (2-8); Configuring (Enabling or Disabling) the SNTP Mode (2-8); Configuring an IPv6 Address for an SNTP Server ...
  • Page 7 Configuring Debug and Event Log Messaging (4-11); Debug Command (4-11); Configuring Debug Destinations (4-12); Configuring an IPv6 Syslog Server (4-12); For more information, see “Configuring Debug and Event Log Messaging” on page 4-11 (4-13); Logging Command (4-13); Displaying a Debug/Syslog for Configuration ...
  • Page 9: Product Documentation

    Electronic Publications The latest version of each of the publications listed below is available in PDF format on the HP Networking web site, as described in the Note at the top of this page. ■ Installation and Getting Started Guide—Explains how to prepare for and perform the physical installation and connect the switch to your network.
  • Page 10 Software Feature Index For the software manual set supporting your series 2520 switch models, this feature index indicates which manual to consult for information on a given software feature. Feature Management and Advanced Traffic Access Security Basic Operation Configuration Management Guide Guide 802.1Q VLAN Tagging...
  • Page 11 Feature Management and Advanced Traffic Access Security Basic Operation Configuration Management Guide Guide File Transfers Friendly Port Names GVRP IGMP Interface Access (Telnet, Console/Serial, Web) IP Addressing LACP LLDP LLDP-MED Loop Protection MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Monitoring and Analysis Multicast Filtering Network Management...
  • Page 12 Feature Management and Advanced Traffic Access Security Basic Operation Configuration Management Guide Guide Port-Based Priority (802.1Q) Power over Ethernet (PoE) Quality of Service (QoS) RADIUS Authentication and Accounting Secure Copy SFTP SNMP Software Downloads (SCP/SFTP, TFTP, Xmodem) Spanning Tree (MSTP) SSH (Secure Shell) Encryption SSL (Secure Socket Layer) Stack Management (Stacking)
  • Page 13: Introduction

    IPv6 Addressing Configuration Introduction. Features and defaults: Enable IPv6 with a Link-Local Address (default: disabled); Configure Global Unicast Autoconfig (default: disabled); Configure DHCPv6 Addressing (default: disabled); Configure a Static Link-Local Address (default: None); Configure a Static Global Unicast Address (default: None; page 1-10); Change DAD Attempts (page 1-14); View Current IPv6 Addressing (page 1-17). In the default configuration, IPv6 operation is disabled on the switch.
  • Page 14: General Configuration Steps

    IPv6 Addressing Configuration General Configuration Steps The IPv6 configuration includes global and per-VLAN settings. This section provides an overview of the general configuration steps for enabling IPv6 on a given VLAN, which can be enabled by any one of several commands. The following steps provide a suggested progression for getting started.
  • Page 15: Configuring Ipv6 Addressing

    IPv6 Addressing Configuration Configuring IPv6 Addressing In the default configuration on a VLAN, any one of the following commands enables IPv6 and creates a link-local address. Thus, while any one of these methods is configured on a VLAN, IPv6 remains enabled and a link-local address is present: ipv6 enable (page 1-3); ipv6 address autoconfig (page 1-4)
  • Page 16: Enabling Autoconfiguration Of A Global Unicast Address And A Default Router Identity On A Vlan

    IPv6 Addressing Configuration Enabling Autoconfiguration of a Global Unicast Address and a Default Router Identity on a VLAN A link-local address always uses the prefix fe80:0:0:0. With IPv6 enabled, the VLAN uses received router advertisements to designate the default IPv6 router. (Refer to “Default IPv6 Router”...
  • Page 17 IPv6 Addressing Configuration Enabling Autoconfiguration of a Global Unicast Address and a Default Router Identity on a VLAN Implements unicast address autoconfiguration as follows: ■ If IPv6 is not already enabled on the VLAN, this command enables IPv6 and generates a link-local (EUI-64) address. Generates router solicitations (RS) on the VLAN.
  • Page 18: Enabling Dhcpv6

    IPv6 Addressing Configuration Enabling DHCPv6 To view all currently configured IPv6 unicast addresses, use the following: ■ show ipv6 (Lists IPv6 addresses for all VLANs configured on the switch.) ■ show ipv6 vlan < vid > (Lists IPv6 addresses configured on the VLAN.)...
  • Page 19 IPv6 Addressing Configuration Enabling DHCPv6 This option configures DHCPv6 on a VLAN, which initiates transmission of DHCPv6 requests for service. If IPv6 is not already enabled on the VLAN by the ipv6 enable command, this option also enables IPv6 and causes the switch to autoconfigure a link-local unicast address with an EUI-64 interface identifier.
  • Page 20 IPv6 Addressing Configuration Enabling DHCPv6 To view all currently configured IPv6 unicast addresses, use the following: ■ show ipv6 (Lists IPv6 addresses for all VLANs configured on the switch.) ■ show ipv6 vlan < vid > (Lists IPv6 addresses configured on the VLAN.)...
  • Page 21: Configuring A Static Ipv6 Address On A Vlan

    IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN This option enables configuring of unique and static unicast IPv6 addresses for global and link-local applications, including: ■ link-local unicast (including EUI and non-EUI device identifiers) ■ global unicast (and unique local unicast)...
  • Page 22: Statically Configuring A Global Unicast Address

    IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN ■ If IPv6 was enabled only by a statically configured link-local address, then deleting the link-local address disables IPv6 on the VLAN. ■ If other IPv6-enabling commands have been configured on the VLAN, then deleting the statically configured link-local address causes the switch to replace it with the default (EUI-64) link-local address for the VLAN, and IPv6...
  • Page 23 IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN < prefix-length >: Specifies the number of bits in the network prefix. If you are using the eui-64 option, this value must be 64. eui-64: Specifies using the Extended Unique Identifier format to create a device identifier based on the VLAN MAC address.
  • Page 24: Duplicate Address Detection (Dad) For Statically Configured Addresses

    IPv6 Addressing Configuration Disabling IPv6 on a VLAN Duplicate Address Detection (DAD) for Statically Configured Addresses Statically configured IPv6 addresses are designated as permanent. If DAD determines that a statically configured address duplicates a previously configured and reachable address on another device belonging to the VLAN, then the more recent, duplicate address is designated as duplicate.
  • Page 25 IPv6 Addressing Configuration Neighbor Discovery (ND) ■ Track neighbor (local) routers. Neighbor Discovery enables functions such as the following: ■ router and neighbor solicitation and discovery ■ detecting address changes for devices on a VLAN ■ identifying a replacement for a router or router path that has become...
  • Page 26: Duplicate Address Detection (Dad)

    IPv6 Addressing Configuration Duplicate Address Detection (DAD) For related information, refer to: ■ RFC 2461: “Neighbor Discovery for IP Version 6 (IPv6)” Duplicate Address Detection (DAD) Duplicate Address Detection verifies that a configured unicast IPv6 address is unique before it is assigned to a VLAN interface on the switch. DAD is enabled in the default IPv6 configuration, and can be reconfigured, disabled, or re-enabled at the global config command level.
  • Page 27: Configuring Dad

    IPv6 Addressing Configuration Duplicate Address Detection (DAD) If an address is configured while DAD is disabled, the address is assumed to be unique and is assigned to the interface. If you want to verify the uniqueness of an address configured while DAD was disabled, re-enable DAD and then either delete and reconfigure the address, or reboot the switch.
  • Page 28 IPv6 Addressing Configuration Duplicate Address Detection (DAD) Syntax: ipv6 nd reachable-time < milliseconds > Used on VLAN interfaces to configure the length of time in milliseconds a neighbor will be considered reachable after the Neighbor Unreachability Detection algorithm has confirmed it to be reachable.
  • Page 29: View The Current Ipv6 Addressing Configuration

    IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration Use these commands to view the current status of the IPv6 configuration on the switch. Syntax: show ipv6 Lists the current, global IPv6 settings and per-VLAN IPv6 addressing on the switch.
  • Page 30 IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration Address Origin: ■ Autoconfig: The address was configured using stateless address autoconfiguration (SLAAC). In this case, the device identifier for global unicast addresses is copied from the current link-local unicast address. ■ DHCP: The address was assigned by a DHCPv6 server. Note...
  • Page 31 IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration Switch(config)# show ipv6 Internet (IPv6) Service IPv6 Routing : Disabled Default Gateway : 10.0.9.80 ND DAD : Enabled DAD Attempts Vlan Name : DEFAULT_VLAN IPv6 Status : Disabled Vlan Name : VLAN10 IPv6 Status : Enabled Address...
  • Page 32 IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration Syntax: show ipv6 vlan < vid > Displays IP and IPv6 global configuration settings, the IPv6 status for the specified VLAN, the IPv6 addresses (with prefix lengths) configured on the specified VLAN, and the expiration data (Expiry) for each address: IPv6 Routing: This setting is always Disabled.
  • Page 33 IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration ■ DAD Attempts: Indicates the number of neighbor solicitations the switch transmits per-address for duplicate (IPv6) address detection. Implemented when a new address is configured or when an interface with configured addresses comes up (such as after a reboot).
  • Page 34 IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration Switch# show ipv6 Internet (IPv6) Service IPv6 Routing : Disabled Default Gateway : fe80::213:c4ff:fedd:14b0 ND DAD : Enabled DAD Attempts Vlan Name : DEFAULT_VLAN IPv6 Status : Disabled Vlan Name : VLAN10 IPv6 Status : Enabled Address...
  • Page 35: Router Access And Default Router Selection

    IPv6 Addressing Configuration Router Access and Default Router Selection Switch(config)# show run Running configuration: vlan 10 name "VLAN10" untagged A1-A12 ipv6 address fe80::127 link-local ipv6 address 2001:db8::127/64... Callouts: Statically configured IPv6 addresses appear in the show run output. Commands for automatic IPv6 address configuration appear in the show run output, but the addresses resulting from...
  • Page 36: Router Solicitations

    IPv6 Addressing Configuration Router Access and Default Router Selection Router Solicitations When an IPv6 interface becomes operational on the switch, a router solicitation is automatically sent to trigger a router advertisement (RA) from any IPv6 routers reachable on the VLAN. (Router solicitations are sent to the All-Routers multicast address;...
  • Page 37: Router Redirection

    IPv6 Addressing Configuration View IPv6 Gateway, Route, and Router Neighbors Router Redirection With multiple routers on a VLAN, if the default (first-hop) router for an IPv6-enabled VLAN on the switch determines that there is a better first-hop router for reaching a given, remote destination, the default router can redirect the switch to use that other router as the default router.
  • Page 38: Viewing Ipv6 Router Information

    IPv6 Addressing Configuration View IPv6 Gateway, Route, and Router Neighbors Switch(config)# show ipv6 route IPv6 Route Entries “Unknown” Address Dest : ::/0 Type : static Gateway : fe80::213:c4ff:fedd:14b0%vlan10 Dist. : 40 Metric : 0 Dest : ::1/128 Type : connected Loopback Address Gateway : Dist.
  • Page 39 IPv6 Addressing Configuration View IPv6 Gateway, Route, and Router Neighbors MTU: This is the Maximum Transmission Unit (in bytes) allowed for frames on the path to the indicated router. Hop Limit: The maximum number of router hops allowed. Prefix Advertised: Lists the prefix and prefix size (number of leftmost bits in an address) originating with the indicated router.
  • Page 40: Address Lifetimes

    IPv6 Addressing Configuration Address Lifetimes Address Lifetimes Every configured IPv6 unicast and anycast address has a lifetime setting that determines how long the address can be used before it must be refreshed or replaced. Some addresses are set as “permanent” and do not expire. Others have both a “preferred”...
  • Page 41 IPv6 Addressing Configuration Address Lifetimes Table 1-1. IPv6 Unicast Addresses Lifetimes (Address Source: Lifetime Criteria): Link-Local: Permanent; Statically Configured Unicast: Permanent; Autoconfigured Global: Finite Preferred and Valid Lifetimes; DHCPv6-Configured: Finite Preferred and Valid Lifetimes. A new, preferred address used as a replacement for a deprecated address can be acquired from a manual, DHCPv6, or autoconfiguration source.
  • Page 43: Ipv6 Management Features

    IPv6 Management Features Introduction. Features and defaults: Neighbor Cache (pages 2-1, 2-3); SNTP Address (default: None); Timep Address (default: None; page 2-12); TFTP (page 2-14); SNMP Trap Receivers (default: None; page 2-21). This chapter focuses on the IPv6 application of management features that support both IPv6 and IPv4 operation. For additional information on these features, refer to the current Management and Configuration Guide for your switch.
  • Page 44 IPv6 Management Features Viewing and Clearing the IPv6 Neighbors Cache Syntax: show ipv6 neighbors [vlan < vid >] Displays IPv6 neighbor information currently held in the neighbor cache. After a period without communication with a given neighbor, the switch drops that neighbor’s data from the cache.
  • Page 45: Clearing The Neighbor Cache

    001279-88a100 REACH local fe80::10:27 001560-7aadc0 REACH dynamic 3 fe80::213:c4ff:fedd:14b0 0013c4-dd14b0 REACH dynamic 1 Figure 2-1. Example of Neighbor Cache Without Specifying a VLAN HP Switch(config)# show ipv6 neighbor vlan 10 IPv6 ND Cache Entries IPv6 Address MAC Address State Age Port...
  • Page 46: Ipv6 Telnet Operation

    IPv6 addresses configured on the VLAN interface for the switch on which the command is executed, are not removed.) Removed addresses are listed in the command output. HP Switch(config)# clear ipv6 neighbors HP Switch(config)# show ipv6 neighbors HP Switch# show ipv6 neighbors...
  • Page 47 IPv6 Management Features IPv6 Telnet Operation Outbound Telnet establishes a Telnet session from the switch CLI to another IPv6 device, and includes these options. • Telnet for Link-Local Addresses on the same VLAN requires the link-local address and interface scope: <...
  • Page 48: Viewing The Current Telnet Activity On A Switch

    To: The destination of the outbound session, if in use. For example, the following figure shows that the switch is running one outbound, IPv4 session and is being accessed by two inbound sessions. HP Switch# show telnet Telnet Activity --------------------------------------------------------...
  • Page 49: Enabling Or Disabling Inbound Telnet Access

    Shows the current configuration of IPv4 and IPv6 inbound telnet permissions, as well as other information. For both protocols, the default setting allows inbound sessions. HP Switch(config)# show console Inbound Telnet Setting for Console/Serial Link IPv4 and IPv6 Telnet...
  • Page 50: Sntp And Timep

    IPv6 Management Features SNTP and Timep Configuring (Enabling or Disabling) the SNTP Mode The software enables configuration of a global unicast address for an IPv6 SNTP time server. This section lists the SNTP and related commands, including an example of using an IPv6 address.
  • Page 51: Configuring An Ipv6 Address For An Sntp Server

    IPv6 Management Features SNTP and Timep Configuring an IPv6 Address for an SNTP Server Note To use a global unicast IPv6 address to configure an IPv6 SNTP time server on the switch, the switch must be receiving advertisements from an IPv6 router on a VLAN configured on the switch.
  • Page 52 IPv6 Management Features SNTP and Timep For example, to configure link-local and global unicast SNTP server addresses ■ fe80::215:60ff:fe7a:adc0 (on VLAN 10, configured on the switch) ■ 2001:db8::215:60ff:fe79:8980 as the priority “1” and “2” SNTP servers, respectively, using version 7, you would enter these commands at the global config level, as shown below.
  • Page 53: Configuring (Enabling Or Disabling) The Timep Mode

    IPv6 Management Features SNTP and Timep For example, the show sntp output for the preceding sntp server command example would appear as follows: HP Switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp... Callout: This example illustrates the command output when both IPv6 and IPv4 server addresses are configured.
  • Page 54 IPv6 Management Features SNTP and Timep Note To use a global unicast IPv6 address to configure an IPv6 Timep server on the switch, the switch must be receiving advertisements from an IPv6 router on a VLAN configured on the switch. To use a link-local IPv6 address to configure an IPv6 Timep server on the switch, it is necessary to append %vlan followed (without spaces) by the VLAN ID of the VLAN on which the server address is available.
  • Page 55 Timep server. For example, the show timep output for the preceding ip timep manual command example would appear as follows: HP Switch(config)# show timep Timep Configuration Time Sync Mode: Timep TimeP Mode [Disabled] : Manual...
  • Page 56: Tftp File Transfers Over Ipv6

    IPv6 Management Features TFTP File Transfers Over IPv6 You can use TFTP copy commands over IPv6 to upload or download files to and from a physically connected device or a remote TFTP server, including: ■...
  • Page 57: Enabling Tftp For Ipv6

    IPv6 Management Features TFTP File Transfers Over IPv6 Enabling TFTP for IPv6 Client and server TFTP for IPv6 is enabled by default on the switch. However, if it is disabled, you can re-enable it by specifying TFTP client or server functionality with the tftp <client | server>...
  • Page 58 IPv6 Management Features TFTP File Transfers Over IPv6 Using TFTP to Copy Files over IPv6 Use the TFTP copy commands described in this section to: ■ Download specified files from a TFTP server to a switch on which TFTP client functionality is enabled. ■...
  • Page 59 IPv6 Management Features TFTP File Transfers Over IPv6 ■ flash < primary | secondary >: Copies a software file stored on a remote host to primary or secondary flash memory on the switch. To run a newly downloaded software image, enter the reload or boot system flash command. pub-key-file: Copies a public-key file to the switch.
  • Page 60 IPv6 Management Features TFTP File Transfers Over IPv6 Syntax: copy <source > tftp < ipv6-addr > < filename > < pc | unix > [oobm] Copies (uploads) a source data file on a switch that is enabled with TFTP server functionality to a file on the TFTP server at the specified IPv6 address, where <source>...
  • Page 61: Using Auto-Tftp For Ipv6

    IPv6 Management Features TFTP File Transfers Over IPv6 < ipv6-addr >: If this is a link-local address, use this IPv6 address format: fe80::< device-id >%vlan< vid > For example: fe80::123%vlan10 If this is a global unicast address, use this IPv6 format: <...
  • Page 62 IPv6 Management Features TFTP File Transfers Over IPv6 Syntax: auto-tftp <ipv6-addr > <filename > Configures the switch to automatically download the specified software file from the TFTP server at the specified IPv6 address. The file is downloaded into primary flash memory at switch startup.
  • Page 63: Snmp Management For Ipv6

    As with SNMP for IPv4, you can manage a switch via SNMP from an IPv6-based network management station by using an application such as E-PCM or E-PCM+. (For more information, go to the HP web site at www.hp.com/Networking/support.) SNMP Features Supported The same SNMP for IPv4 features are supported over IPv6: ■...
  • Page 64 IPv6 Management Features SNMP Management for IPv6 Executed at the global config level to configure an SNMP trap receiver to receive SNMPv1 and SNMPv2c traps, SNMPv2c informs, and (optionally) event log messages. snmp-server listen <oobm|data|both> For switches with a separate out-of-band management port, specifies whether the switch listens for SNMP traps on the out-of-band management interface, the data interface, or both.
  • Page 65 (including the IPv4 or IPv6 address) that can receive SNMPv1 and SNMPv2c traps, and the source IP (interface) address used in IP headers when sending SNMP notifications (traps and informs) or responses to SNMP requests. HP Switch(config)# show snmp-server SNMP Communities Community Name MIB View Write Access...
  • Page 66: Ip Preserve For Ipv6

    IP Preserve for IPv6 The show snmpv3 targetaddress command displays the configuration (including the IPv4 or IPv6 address) of the SNMPv3 management stations to which notification messages are sent. HP Switch(config)# show snmpv3 targetaddress snmpTargetAddrTable [rfc2573] Target Name IP Address...
  • Page 67 IPv6 Management Features IP Preserve for IPv6 To download an IP Preserve configuration file to an IPv6-based switch, enter the TFTP copy command as described in “TFTP File Transfers over IPv6” on page 2-14 to copy the file as the new startup-config file on a switch. When you download an IP Preserve configuration file, the following rules apply: ■...
  • Page 68 IPv6 Management Features IP Preserve for IPv6 HP Switch(config)# show run Running configuration: ; J9138A Configuration Editor; Created on release #S.15.XX ; Ver #01:05:04 hostname "HP Switch" Callout: Because the switch’s IPv6 address and default gateway were statically configured (not assigned by a DHCP server), when the...
  • Page 69: Ipv6 Management Security Features

    IPv6 Management Security Features This chapter describes management security features that are IPv6 counterparts of IPv4 management security features on the switches covered by this guide. Features and defaults: configure authorized IP managers for IPv6 (default: disabled); configuring secure shell for IPv6 (default: disabled; page 3-12); enabling secure copy and secure FTP for IPv6...
  • Page 70 IPv6 Management Security Features Authorized IP Managers for IPv6 • You configure authorized IPv4 manager addresses using the ip authorized-managers command. For more information, refer to the “Using Authorized IP Managers” chapter in the Access Security Guide. • You configure authorized IPv6 manager addresses using the ipv6...
  • Page 71: Configuring Authorized Ip Managers For Switch Access

    IPv6 Management Security Features Authorized IP Managers for IPv6 Configuring Authorized IP Managers for Switch Access To configure one or more IPv6-based management stations to access the switch using the Authorized IP Managers feature, enter the ipv6 authorized-managers command. Syntax: [no] ipv6 authorized-managers <ipv6-addr>...
  • Page 72: Configuring Multiple Station Access

    IPv6 Management Security Features Authorized IP Managers for IPv6 Notes If you do not enter a value for the ipv6-mask parameter when you configure an authorized IPv6 address, the switch automatically uses FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF as the default mask (see “Configuring Authorized IP Managers for Switch Access”...
  • Page 73 IPv6 Management Security Features Authorized IP Managers for IPv6 Conversely, in a mask, a “0” binary bit means that either the “on” or “off” setting of the corresponding IPv6 bit in an authorized address is valid and does not have to match the setting of the same bit in the specified IPv6 address. Figure 3-2 shows the binary expressions represented by individual hexadecimal values in an ipv6-mask parameter.
  • Page 74 IPv6 Management Security Features Authorized IP Managers for IPv6 Example. Figure 3-3 shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The mask is: FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC. Manager- or Operator-Level Access Block Block Block...
  • Page 75 IPv6 Management Security Features Authorized IP Managers for IPv6 to 0 (“off”) and allow the corresponding bits in an authorized IPv6 address to be either “on” or “off”. As a result, only the four IPv6 addresses shown in Figure 3-5 are allowed access. Block Block Block...
  • Page 76 IPv6 Management Security Features Authorized IP Managers for IPv6 FFFF requires all bits in each corresponding block of an authorized IPv6 address to have the same “on” or “off” setting as the device ID in the specified IPv6 address. In this case, each bit in the device ID (last four blocks) in an authorized IPv6 address is fixed and can be only one value: 244:17FF:FEB6:D37D.
  • Page 77 IPv6 Management Security Features Authorized IP Managers for IPv6 Figure 3-7 shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside. FFF8 in the fourth block of the mask means that bits 3 - 15 of the block are fixed and, in an authorized IPv6 address, must correspond to the “on”...
  • Page 78: Displaying An Authorized Ip Managers Configuration

    Authorized IP Managers for IPv6 Displaying an Authorized IP Managers Configuration Use the show ipv6 authorized-managers command to list the IPv6 stations authorized to access the switch; for example: HP Switch# show ipv6 authorized-managers IPv6 Authorized Managers --------------------------------------- Address : 2001:db8:0:7::5...
  • Page 79 IPv6 mask. Also, if you do not specify an access value to grant either Manager- or Operator-level access, by default, the switch assigns Manager access. For example: HP Switch# ipv6 authorized-managers 2001:db8::a8:1c:e3:69 HP Switch# show ipv6 authorized-managers IPv6 Authorized Managers...
  • Page 80: Secure Shell (Ssh) For Ipv6

    IPv6 Management Security Features Secure Shell (SSH) for IPv6 Editing an Existing Authorized IP Manager Entry. To change the mask or access level for an existing authorized IP manager entry, enter the IPv6 address with the new value(s). Any parameters not included in the command are reset to their default values.
  • Page 81: Configuring Ssh For Ipv6

    IPv6 Management Security Features Secure Shell (SSH) for IPv6 Public keys from SSH clients are stored on the switch. Access to the switch is granted only to a client whose private key matches a stored public key. ■ Password-only client authentication The switch is SSH-enabled but is not configured with the login method that authenticates a client’s public-key.
  • Page 82 IPv6 Management Security Features Secure Shell (SSH) for IPv6 Specify a cipher type to use for connection. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc • aes256-cbc • rijndael-cbc@lysator.liu.se • aes128-ctr • aes192-ctr • aes256-ctr Default: All cipher types are available. Use the no form of the command to disable a cipher type.
  • Page 83 IPv6 Management Security Features Secure Shell (SSH) for IPv6 [port < 1-65535 | default >] TCP port number used for SSH sessions in IPv4 and IPv6 connections (Default: 22). Valid port numbers are from 1 to 65535, except for port numbers 23, 49, 80, 280, 443, 1506, 1513 and 9999, which are reserved for other subsystems.
  • Page 84 IPv6 Management Security Features Secure Shell (SSH) for IPv6 The listen parameter is available only on switches that have a separate out-of-band management port. Values for this parameter are: • oobm — inbound SSH access is enabled only on the out-of-band management port. •...
  • Page 85: Displaying An Ssh Configuration

    With SSH running, the switch supports one console session and up to five other SSH and Telnet (IPv4 and IPv6) sessions. WebAgent sessions are also supported, but are not displayed in show ip ssh output. HP Switch# show ip ssh SSH Enabled... Callout: Source IPv6 IP addresses of SSH clients are displayed in hexadecimal format.
  • Page 86 IPv6 Management Security Features Secure Copy and Secure FTP for IPv6 By default, SSH is enabled for IPv4 and IPv6 connections on a switch. If you have not disabled SSH connections from IPv6 clients (by entering the ip ssh ip-version 4 command), you can perform secure file transfers to and from IPv6 client devices by entering the ip ssh filetransfer command.
  • Page 87: Ipv6 Diagnostic And Troubleshooting

    IPv6 Diagnostic and Troubleshooting Introduction Feature Default IPv6 ICMP Message Interval and 100 ms 10 max tokens Token Bucket ping6 Enabled traceroute6 The IPv6 ICMP feature enables control over the error and informational message rate for IPv6 traffic, which can help mitigate the effects of a Denial-of-service attack.
  • Page 88 IPv6 Diagnostic and Troubleshooting ICMP Rate-Limiting Controlling the frequency of ICMPv6 error messages can help to prevent DoS (Denial-of-Service) attacks. With IPv6 enabled on the switch, you can control the allowable frequency of these messages with ICMPv6 rate-limiting. Syntax:
  • Page 89: Ping For Ipv6 (Ping6)

    IPv6 Diagnostic and Troubleshooting Ping for IPv6 (Ping6) Ping for IPv6 (Ping6) The Ping6 test is a point-to-point test that accepts an IPv6 address or IPv6 host name to see if an IPv6 switch is communicating properly with another device on the same or another IPv6 network.
  • Page 90 IPv6 Diagnostic and Troubleshooting Ping for IPv6 (Ping6) Syntax: ping6 < ipv6-address | hostname | switch-number > [repetitions < 1 - 10000 >] [timeout < 1 - 60 >] [data-size < 0 - 65507 >] [data-fill < 0 - 1024 >] [source < ipv6-addr | vid >] [oobm] ping6 <link-local-address%vlan<vid>...
  • Page 91: Traceroute For Ipv6

    IPv6 Diagnostic and Troubleshooting Traceroute for IPv6 HP Switch# ping6 fe80::2:1%vlan10 fe80:0000:0000:0000:0000:0000:0002:0001 is alive, time = 975 ms Switch# ping6 2001:db8::a:1c:e3:3 repetitions 3 2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 1, time = 15 ms 2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 2, time = 15 ms...
  • Page 92 IPv6 Diagnostic and Troubleshooting Traceroute for IPv6 Syntax: traceroute6 < ipv6-address | hostname > [minttl < 1-255 >] [maxttl < 1-255 >] [timeout < 1-120 >] [probes < 1-5 >] [source < ipv6-addr | vid | loopback <0-7> | oobm>] [dstport <1-34000>] [srcport <1-34000>] traceroute6 <link-local-address%vlan<vid>...
  • Page 93 VLAN-ID on which the traceroute packet is being sent. [dstport <1-34000>] Destination port. [srcport <1-34000>] Source port. HP Switch# traceroute6 2001:db8::10 traceroute to 2001:db8::10 1 hop min, 30 hops max, 5 sec. timeout, 3 probes 2001:db8::a:1c:e3:3 0 ms 0 ms...
  • Page 94: Dns Resolver For Ipv6

    IPv6 Diagnostic and Troubleshooting DNS Resolver for IPv6 DNS Resolver for IPv6 The Domain Name System (DNS) resolver is designed for local network domains where it enables use of a host name or fully qualified domain name to support DNS-compatible commands from the switch. DNS operation supports these features: ■...
  • Page 95 IPv6 Diagnostic and Troubleshooting DNS Resolver for IPv6 The no form of the command removes the specified address from the server address list configured on the switch. < ip-addr >: Specifies the address of an IPv6 or IPv4 DNS server. [oobm]: For switches that have a separate out-of-band management (OOBM) port, this parameter specifies that communication with the DNS server goes through that OOBM port.
  • Page 96: Viewing The Current Configuration

    DNS server residing in that domain is also configured on the switch. The commands for these steps are as follows: HP Switch(config)# ip dns server-address priority 1 2001:db8::127:10 HP Switch(config)# ip dns domain-name mygroup.hpnetworking.net HP Switch(config)# ping6 mars-1 fe80::215:60ff:fe7a:adc0 is alive, time = 1 ms Figure 4-3.
  • Page 97: Configuring Debug And Event Log Messaging

    IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 operation. For example, you can send messages about routing misconfigurations and other network protocol details to an external device, and later use them to debug network-level problems. Configuring Debug and Event Log Messaging To specify the types of debug and Event Log messages that you want to send to an external device: Use the debug <...
  • Page 98: Configuring Debug Destinations

    IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 Configuring Debug Destinations A Debug/Syslog destination device can be a Syslog server (up to six maximum) and/or a console session: ■ Use the debug destination < logging | session | buffer > command to enable...
  • Page 99: For More Information, See "Configuring Debug And Event Log Messaging

    IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 For more information, see “Configuring Debug and Event Log Messaging” on page 4-11. Logging Command Syntax: [no] logging < syslog-ipv4-addr > Enables or disables Syslog messaging to the specified IPv4 address. You can configure up to six addresses. If you configure an address when none are already configured, this command enables destination logging (Syslog) and the Event debug type.
  • Page 100: Displaying A Debug/Syslog For Configuration

    ■ IPv4/IPv6 debug destinations (Syslog servers or CLI session) and Syslog server facility to be used. Figure shows an example of show debug command output that displays a configured IPv6 Syslog server. HP Switch(config)# show debug Debug Logging Displays the default debug configuration when no Syslog Destination:...
  • Page 101: Ipv6 Terminology

    IPv6 Terminology DAD Duplicate Address Detection. Refer to “Duplicate Address Detection (DAD)” on page 1-14. Device Identifier The low-order bits in an IPv6 address that identify a specific device. For example, in the link-local address 2001:db8:a10:101:212:79ff:fe88:a100/64, the bits forming 212:79ff:fe88:a100 comprise the device identifier. DoS Denial-of-Service.
  • Page 102 IPv6 Terminology...
  • Page 110 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

This manual is also suitable for:

2520-24
