Preparing Procurve Switches for Production
By Mark Sutton Monday, 23rd March 2009
We recently took delivery of some new Procurve 5406zl switches for our Cloud platform. As with any new device being attached to the network there are quite a few tasks that must be done before it can be plugged into the production network. Naturally we document this internally but this time the process was quite interesting so I thought I'd blog it as well. The process breaks down into the following steps:
1. Unpack the boxes, check contents
2. Install additional modules
3. Power up the device on the bench to make sure it passes self-test
4. Physically install the switch in the rack
5. Power up and change switch passwords
6. Disable insecure protocols
7. Connect the switch to the network
8. Upgrade the firmware
9. Configure Network Time Synchronisation
10. Configure spanning-tree protocol
11. Configure maximum vlans and reload
5. Power up and change switch passwords
Once the switch is installed in the rack, connect power and wait for the switch to initialise. In our case it took around a minute for the switch to wake up and pass self-test. Connect the console cable and log in to the switch. Change the passwords with the following commands:
ProCurve Switch 5406zl# conf t
ProCurve Switch 5406zl(config)# password all
New password for operator: ***************
Please retype new password for operator: ***************
Autorun is disabled as operator/manager password is configured.
New password for manager: ***************
Please retype new password for manager: *****************
ProCurve Switch 5406zl(config)# exit
6. Disable insecure protocols
The 5406zl switch ships with SSH, telnet and an insecure web control panel. We'll disable the latter two as they are not needed and pose a security risk to the device:
ProCurve Switch 5406zl# conf t
ProCurve Switch 5406zl(config)# no telnet-server
ProCurve Switch 5406zl(config)# no web-management
ProCurve Switch 5406zl(config)# exit
7. Connect the switch to the network
Now the switch has been secured, it can be connected to the network. Most Procurve switches I have encountered shipped with DHCP enabled on the default vlan id, 1. I prefer to set static addresses on switches, especially if they will be involved in routing packets...
ProCurve Switch 5406zl# conf t
ProCurve Switch 5406zl(config)# vlan 1
ProCurve Switch 5406zl(vlan-1)# no ip address dhcp-bootp
ProCurve Switch 5406zl(vlan-1)# ip address X.X.X.X 255.255.255.0
ProCurve Switch 5406zl(vlan-1)# exit
ProCurve Switch 5406zl(config)# ip default-gateway Y.Y.Y.Y
ProCurve Switch 5406zl(config)# exit
Note that it is not absolutely necessary to set a default route unless the switch is routing packets off the local subnet or needs to be configured from another subnet. Leaving the default gateway unset can enhance the switch's security somewhat, as it prevents direct access to TCP services such as SSH from outside the local subnet (the "outside world").
8. Upgrade the firmware
This is the most involved step... The 5406zl switch provides secondary flash and multiple configuration slots to enable safe firmware updates and rollback capability if something goes wrong. It's not absolutely necessary to use these features but if you don't want any risk of bricking your expensive new switch then it's probably worth the extra 5 minutes worth of manual reading and commands. First we check the current firmware version, and verify what is in the secondary flash and configuration slots:
ProCurve Switch 5406zl# show version
Image stamp: /sw/code/build/btm(t3a)
Oct 17 2008 20:03:02
K.13.45
706
Boot Image: Primary
ProCurve Switch 5406zl# show flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 7494786 10/17/08 K.13.45
Secondary Image : 7442476 08/04/08 K.13.25
Boot Rom Version: K.12.12
Default Boot : Primary
ProCurve Switch 5406zl# show config files
Configuration files:
id | act pri sec | name
---+-------------+------------------------------------------------
 1 |  *   *   *  | config1
 2 |             |
 3 |             |
Here we can see the switch in its factory state. The running firmware version is K.13.45 on the primary image, and there is a single configuration, config1.
First we'll back up the configuration to another slot :
ProCurve Switch 5406zl# copy config config1 config config2
ProCurve Switch 5406zl# show config files
Configuration files:
id | act pri sec | name
---+-------------+------------------------------------------------
 1 |  *   *   *  | config1
 2 |             | config2
 3 |             |
Next we'll take a copy of the configuration to another server for good luck:
ProCurve Switch 5406zl# sh ru
Running configuration:
; J8697A Configuration Editor; Created on release #K.13.45
hostname "ProCurve Switch 5406zl"
no web-management
no telnet-server
module 1 type J8702A
module 2 type J8702A
module 3 type J8702A
ip default-gateway Y.Y.Y.Y
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,B1-B24,C1-C24
   ip address X.X.X.X 255.255.255.0
   exit
no autorun
password manager
password operator
Before re-flashing the switch with the latest firmware we'll copy the current flash to secondary flash and set secondary flash to boot to config2 (our copy). If the switch upgrade fails for whatever reason, it's possible the update modified the configuration file in config1, making it incompatible with the older firmware.
ProCurve Switch 5406zl# copy flash flash secondary
ProCurve Switch 5406zl# show flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 7494786 10/17/08 K.13.45
Secondary Image : 7494786 10/17/08 K.13.45
Boot Rom Version: K.12.12
Default Boot : Primary
ProCurve Switch 5406zl# startup-default secondary config config2
ProCurve Switch 5406zl# show config files
Configuration files:
id | act pri sec | name
---+-------------+------------------------------------------------
 1 |  *   *      | config1
 2 |          *  | config2
 3 |             |
Now we'll download the latest firmware (currently K.13.58 for this switch) to a TFTP server and READ THE RELEASE NOTES! Reading the release notes is very important before attempting firmware upgrades on a switch. There could be gotchas. Be warned if you know better and ignore the release notes... With the new firmware unzipped on the TFTP server we can download it to the switch primary flash:
ProCurve Switch 5406zl# copy tftp flash Z.Z.Z.Z /procurve5406zlFW/K_13_58.swi primary
The Primary OS Image will be deleted, continue [y/n]? y
07187K
Validating and Writing System Software to the Filesystem ...
Once the upgrade is complete, verify the firmware was written to the slot for good luck, and reload the switch to the new firmware.
ProCurve Switch 5406zl# show version
Image stamp: /sw/code/build/btm(t3a)
Oct 17 2008 20:03:02
K.13.45
706
Boot Image: Primary
ProCurve Switch 5406zl# show flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 7544081 02/26/09 K.13.58
Secondary Image : 7494786 10/17/08 K.13.45
Boot Rom Version: K.12.12
Default Boot : Primary
ProCurve Switch 5406zl# reload
System will be rebooted from primary image. Do you want to continue [y/n]? y
Do you want to save current configuration [y/n/^C]? n
Connection closed by foreign host.
Once the switch reboots, log back in and verify the correct firmware version is booted.
ProCurve Switch 5406zl# show version
Image stamp: /sw/code/build/btm(t3a)
Feb 26 2009 14:41:45
K.13.58
29
Boot Image: Primary
ProCurve Switch 5406zl# show flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 7544081 02/26/09 K.13.58
Secondary Image : 7494786 10/17/08 K.13.45
Boot Rom Version: K.12.17
Default Boot : Primary
The switch is now upgraded.
9. Configure Network Time Synchronisation
Next we need to configure network time synchronisation. We operate two unicast NTPv4 servers on our network, and want to sync every 300 seconds (5m).
ProCurve Switch 5406zl# conf t
ProCurve Switch 5406zl(config)# sntp unicast
ProCurve Switch 5406zl(config)# sntp 30
ProCurve Switch 5406zl(config)# sntp server priority 1 87.124.127.5 4
ProCurve Switch 5406zl(config)# sntp server priority 2 87.124.127.6 4
ProCurve Switch 5406zl(config)# timesync sntp
ProCurve Switch 5406zl(config)# exit
The switch time should update after a few moments.
10. Configure spanning-tree protocol
Next we want to enable Multiple Spanning-Tree Protocol support:
ProCurve Switch 5406zl# conf t
ProCurve Switch 5406zl(config)# spanning-tree
ProCurve Switch 5406zl(config)# exit
Note that the switch might freeze for a few seconds while STP wakes up. This is normal.
11. Configure maximum vlans and reload
Procurve switches come with a maximum vlan limit set much lower than the hardware is capable of. I have yet to find any advice against raising this limit to the maximum number of vlans from the start. Given that changing this value requires a switch reload it's definitely best to be prepared in advance so you don't run out. Use the following commands to see what limit has been configured at the factory:
ProCurve Switch 5406zl# show vlans
Status and Counters - VLAN Information
Maximum VLANs to support : 64
Primary VLAN : Default
Management VLAN :
VLAN ID Name | Status Voice Jumbo
------- -------------------- + ---------- ----- -----
1 Default | Port-based No No
To expand the maximum vlan limit and reload the switch use the following commands:
ProCurve Switch 5406zl# conf t
ProCurve Switch 5406zl(config)# max-vlans 2048
ProCurve Switch 5406zl(config)# exit
ProCurve Switch 5406zl# reload
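As an added example that is not part of the original post, the following Python script audits a saved copy of the running configuration (the "sh ru" export taken in step 8) against the settings applied in steps 6, 7, 9, 10 and 11, and also flags the factory snmp-server community "public" line visible in the dump above. It assumes those commands appear verbatim in the config dump, as "no telnet-server" and "no web-management" do in the dump above; the embedded sample config is constructed.

```python
import re

# Constructed sample (not from the post): a config dump in the shape of the
# 'sh ru' output above, with step 6 applied but VLAN 1 still on DHCP.
SAMPLE_CONFIG = """\
; J8697A Configuration Editor; Created on release #K.13.45
hostname "ProCurve Switch 5406zl"
no web-management
no telnet-server
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,B1-B24,C1-C24
   ip address dhcp-bootp
   exit
"""

# Config lines written by steps 6, 9 and 10; each must be present verbatim.
REQUIRED = {
    "no telnet-server": "telnet server still enabled (step 6)",
    "no web-management": "web management still enabled (step 6)",
    "timesync sntp": "time not synchronised via SNTP (step 9)",
    "spanning-tree": "spanning-tree not enabled (step 10)",
}

def audit_config(text, min_vlans=2048):
    """Return a list of findings; an empty list means every step is in place."""
    lines = [l.strip() for l in text.splitlines()]
    findings = [msg for cmd, msg in REQUIRED.items() if cmd not in lines]
    if not any(l.startswith("sntp server priority ") for l in lines):
        findings.append("no SNTP server configured (step 9)")
    # Walk the 'vlan N' ... 'exit' blocks: VLAN 1 must carry a static address.
    in_vlan1 = False
    for l in lines:
        if re.match(r"vlan \d+$", l):
            in_vlan1 = l == "vlan 1"
        elif l == "exit":
            in_vlan1 = False
        elif in_vlan1 and l.startswith("ip address dhcp-bootp"):
            findings.append("VLAN 1 management address still from DHCP (step 7)")
    limits = [int(l.split()[1]) for l in lines if l.startswith("max-vlans ")]
    if not limits or limits[-1] < min_vlans:
        findings.append("max-vlans not raised (step 11)")
    # The post's own dump shows the factory community name with Unrestricted access.
    if any(l.startswith('snmp-server community "public"') for l in lines):
        findings.append('default SNMP community "public" still present')
    return findings
```

Run audit_config() over each switch's exported config before it goes into production; anything it returns is a step that was skipped or has since been reverted.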
Mission Accomplished
The switch is now configured in a suitable initial state for production. There will still be a way to go in order to configure it for your particular application. You will need to add your vlans and configure Spanning-Tree correctly, add inter-switch links (or trunks) and connect your hosts. I'll write more about these steps in the very near future once I have it all up and running...