Manuals / Brands / Computer Equipment / Switch / HP / Computer Equipment / Switch

HP ProCurve 2500 TACACS+ Operation, General Authentication Setup Procedure

1 270

Download 270 pages, 1.64 Mb

Enhancements in Release F.02.02

TACACS+ Authentication for Centralized Control of Switch Access Security

TACACS+ Operation

TACACS+ in Series 2500 switches manages authentication of logon attempts through either the Console port or Telnet. For both Console and Telnet you can configure a login (read-only) and an enable (read/write) privilege level access. When your primary authentication control for switch access is a TACACS+ server, you can also specify a local (switch-based) secondary authentication control.

Note

In release F.02.02, TACACS+ does not affect Web browser interface access. See "Controlling Web Browser Interface Access" on page 184.

General Authentication Setup Procedure

It is important to test the TACACS+ service before fully implementing it. Depending on the process and parameter settings you use to set up and test TACACS+ authentication in your network, you could accidentally lock all users, including yourself, out of access to a switch. While recovery is simple, it may pose an inconvenience that can be avoided.To prevent an unintentional lockout on a Series 2500 switch, use a procedure that configures and tests TACACS+ protection for one access type (for example, Telnet access), while keeping the other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure.

Note

If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" on page 186 for recovery methods.

1.Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from a Series 2500 switch. (Refer to the documentation provided with the TACACS+ server software.) This includes knowing whether you need to configure an encryption key. (See “Using the Encryption Key” on page 183.)

169

Contents

Release Notes: for the ProCurve Series 2300 and 2500 Switches Page Page Contents Software Management Enhancements in Release F.05.05 through F.05.70 Page Enhancements in Release F.04.08 Enhancements in Release F.02.11 Enhancements in Release F.02.02 Page Updates and Corrections for the Management and Configuration Guide Software Fixes Page Page Software Management View or Download the Software Manual Set Downloading Software to the Switch N o t e TFTP Download from a Server Validating and Writing System Software to FLASH Logon Default Xmodem Download From a PC or Unix Workstation This procedure assumes that: The switch is connected via the Console ■The switch software is stored on a disk drive in the PC Send File Saving Configurations While Using the CLI Running-Config File: Startup-Config save configuration ProCurve Switch, Routing Switch, and Router Software Keys Enhancements in Release F.05.05 through F.05.70 Implementation of LLDP LLDP Terminology Adjacent Device: Advertisement: See LLDPDU Active Port: Packet Boundaries in a Network Topology Table 1. Viewable Data Available for LLDP Advertisements LLDP Standards Compatibility IEEE ■RFC 2922 (PTOPO, or Physical Topology MIB) ■RFC 2737 (Entity MIB) LLDP Operating Rules Port Trunking IP Address Advertisements Spanning-Tree Blocking Viewing the Current LLDP Configuration Viewing LLDP-detectedDevices Figure 3. Example of Viewing the LLDP Remote Device Information Details Enabling or Disabling LLDP Operation on the Switch lldp run Syntax [ no ] lldp run For example, to disable LLDP on the switch, use the command: Configuring Per-PortLLDP Transmit/Receive New Console Option console local-terminal console local-terminalvt100 Clarification of Time Zone Issue Syslog Overview Syslog Figure 4. A Syslog server collecting Event Log Messages from Multiple Switches Syslog Operation Syntax: [no] logging < syslog-ip-addr no logging syslog-ip-address Syntax: [no] logging facility < facility-name user user (the default) — Random user-levelmessages kern — Kernel messages auth — Security/Authorization messages syslog — Messages generated internally by Syslog lpr — Line-Printersubsystem Viewing the Syslog Configuration Syntax: show debug show debug Configuring Syslog Logging 1.If you want to use a Syslog server for recording Event Log messages: See Figure 6 below for an example of adding an additional Syslog server Figure 6. Configuring multiple Syslog Servers Operating Notes for Syslog Isolated Port Groups (Enhanced) group1 group2 Caution Options for Isolated Port Groups Uplink (the default) Table 2. Communication Allowed Between Port-IsolationTypes within a Switch Figure 7. Communication Allowed Between Port-IsolationTypes within a Switch Operating Rules for Port Isolation Trunking is supported only LACP is allowed only on the Uplink ports no int e < port-numbers > lacp Configuring Port Isolation on the Switch Steps for Configuring Port Isolation Remove all 2.Identify the devices you will connect to the switch’s ports 7.Enable port isolation on the switch Configuring and Viewing Port-Isolation Syntax: [ no ] port-isolation uplink public, group1, group2, private, local show port-isolation Table 3. Port Isolation Plan Figure 8. Example of Isolating Ports on a Series 2500 Switch Figure 9. Example of Port-IsolationConfiguration Messages Related to Port-IsolationOperation Port Isolation is disabled. It must be enabled first Troubleshooting Port-IsolationOperation Configuring Port-BasedAccess Control (802.1X) Overview Why Use Port-BasedAccess Control General Features 802.1X on the Series 2500 switches includes the following: Switch operation as both an authenticator (for supplicants having a ■Prevention of traffic flow in either direction on unauthorized ports Temporary Figure 10. Example of an 802.1X Application Accounting How 802.1X Operates Authenticator Operation 2.The switch responds with an identity request Switch-PortSupplicant Operation ■Switch “A” has port 1 configured for 802.1X supplicant operation ■You want to connect port 1 on switch “A” to port 5 on switch “B” Figure 11. Example of Supplicant Operation •A “success” response unblocks port 5 to normal traffic from port Terminology 802.1X-Aware: Authenticator: CHAP (MD5): Challenge Handshake Authentication Protocol EAP EAPOL: Friendly Client: MD5: PVID (Port VID): General Operating Rules and Notes Error configuring port X: LACP and 802.1X cannot be run together Note on 802.1X and LACP General Setup Procedure for Port-BasedAccess Control (802.1X) Do These Steps Before You Configure 802.1X Operation Overview: Configuring 802.1X Authentication on the Switch eap-radius chap-radius radius host Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports Syntax: aaa port-accessauthenticator < port-list [control < authorized | auto | unauthorized >] Controls authentication mode on the specified port: authorized: Syntax: aaa port-accessauthenticator < port-list > (Syntax Continued) [quiet-period< 0 - 65535 >] (Default: 60 seconds) [tx-period< 0 - 65535 >] [supplicant-timeout< 1 - 300 >] control auto Note: control authorized port- security 3. Configure the 802.1X Authentication Method Figure 12. Example of 802.1X (Port-Access)Authentication 4. Enter the RADIUS Host IP Address(es) 5. Enable 802.1X Authentication on the Switch 802.1X Open VLAN Mode Introduction ■Acquiring IP addressing from a DHCP server Unauthorized-Client VLAN 3rd Priority: Use Models for 802.1X Open VLAN Modes Authorized-Client Table 4. 802.1X Open VLAN Mode Options 802.1X Per-PortConfiguration Port Response No Open VLAN mode: tication session Open VLAN Mode with Only an Unauthorized-ClientVLAN Configured: Open VLAN Mode with Only an Authorized-ClientVLAN Configured: Operating Rules for Authorized-Clientand Unauthorized-ClientVLANs Condition Rule command or the VLAN Menu screen in the Menu interface.) VLAN Assignment Received from a RADIUS Server Multiple Authenticator Ports Using the Same Unauthorized-Clientand Authorized-ClientVLANs all 802.1X authenticator ports configured on the switch Attempt Setting Up and Configuring 802.1X Open VLAN Mode Preparation Before you configure the 802.1X Open VLAN mode on a port: i.Port 5 is an untagged member of VLAN 1 (the default VLAN) ii.You configure port 5 as an 802.1X authenticator port Configuring General 802.1X Operation: Syntax: aaa port-accessauthenticator e < port-list > control auto 2.Configure the 802.1X authentication type. Options include: If you selected either Adds a server to the RADIUS configuration 4.Activate authentication on the switch Configuring 802.1X Open VLAN Mode rad4all 802.1X Open VLAN Operating Notes not While an When a client’s authentication attempt on an Syntax: port-security[ethernet] < port-list learn-mode port-access action < none | send-alarm| send-disable Note on Blocking a Non-802.1XDevice control authorized For example, suppose that you want to connect two switches, where: ■Switch “A” has port 1 configured for 802.1X supplicant operation Figure 13. Example of Supplicant Operation Syntax: [no] aaa port-accesssupplicant [ethernet] < port-list Configuring a Supplicant Switch Port identity secret Syntax: aaa port-accesssupplicant [ethernet] < port-list [identity < username >] max-start start-period start- period Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-AccessAuthenticator Without displays whether port-access supplicant Viewing 802.1X Open VLAN Mode Status port-access authenticator show vlan Figure 14. Example Showing Ports Configured for Open VLAN Mode Table 5. Open VLAN Mode Status Syntax: show vlan < vlan-id Figure 15. Example of Showing a VLAN with Ports Configured for Open VLAN Mode Show Commands for Port-AccessSupplicant port- list Connecting - Starting authentication Authenticated Acquired How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement (This is because a port can be an untagged member of only one VLAN at a time.) Figure 16. Example of an Active VLAN Configuration You can see the temporary VLAN assignment by using the Page Notes ■Eliminates and ceases to advertise the temporary VLAN assignment ■Re-activatesand resumes advertising the temporarily disabled VLAN assignment Messages Related to 802.1X Operation Table 6. 802.1X Operating Messages LACP has been disabled on 802.1X port(s) Error configuring port < port-number>: LACP and 802.1X cannot be run together IGMP Version 3 Support Enhancements in Release F.04.08 Using Friendly (Optional) Port Names Show augments does not replace Configuring and Operating Rules for Friendly Port Names Configuring Friendly Port Names Configuring a Single Port Name Figure 20. Example of Configuring a Friendly Port Name Figure 21. Example of Configuring One Friendly Port Name on Multiple Ports Displaying Friendly Port Names with Other Port Data You can display friendly port name data in the following combinations: This command lists names assigned to a specific port show name [ port-list ] Figure 23. Example of Friendly Port Name Data for Specific Ports on the Switch show interface <port-number statistics listing Figure 24. Example of a Friendly Port Name in a Per-PortStatistics Listing Name Name : not assigned This option tells you which friendly port names have been saved to the startup-config file. (The Configuring Secure Shell (SSH) ■Client public-keyauthentication ■Switch SSH and user password authentication Figure 26. Client Public Key Authentication Model Note on OpenSSH, visit http://www.openssh.com on OpenSSH, visit Figure 27. Switch/User Authentication SSH on the Series 2500 switches supports these data encryption methods: ■SSH Server: An HP Series 2500 switch with SSH enabled Key Pair: PEM (Privacy Enhanced Mode): Public Key: ■Enable Level: Manager privileges on the switch Steps for Configuring and Using SSH for Switch and Client Authentication SSH Options The general steps for configuring SSH include: A. Client Preparation Optional—If B.Switch Preparation Assign a login (Operator) and enable (Manager) password on the switch (page erase Once you generate a key pair on the switch you should avoid the session is not secure Configuring the Switch for SSH Operation 1. Assigning a Local Login (Operator) and Enable (Manager) Password 2. Generating the Switch’s Public and Private Key Pair Figure 31. Example of Generating a Public/Private Host Key Pair for the Switch IP SSH 3. Providing the Switch’s Public Key to Clients Figure 33. Example of a Correctly Formatted Public Key (Unbroken ASCII String) Displaying the Public Key Non-encoded ASCII numeric string: Phonetic hash: 4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior SSH Client Contact Behavior To enable SSH on the switch Generate a public/private key pair if you have not already done so. (Refer to 2.Execute the ip ssh command To disable SSH on the switch, do either of the following: Note on Port Number key-size ip ssh port web-management no telnet 5. Configuring the Switch for SSH Authentication Syntax: copy tftp pub-key-file< ip-address > < filename aaa authentication ssh login rsa Configures the switch to authenticate < local | none a client public-keyat the login level 6. Use an SSH Client To Access the Switch Further Information on SSH Client Public-KeyAuthentication 4.If there is a match, the switch: a.Generates a random sequence of bytes b.Uses the client’s public key to encrypt this sequence c.Send these encrypted bytes to the client b.Uses MD5 to create a hash version of this information c.Returns the hash version to the switch The switch computes its own hash version of the data in step Using client public-keyauthentication requires these steps: Copy the public key for each client into a Copy the client’s public key (in ASCII .txt 3.Copy the client-public-keyfile into a TFTP server accessible to the switch Copying a client-public-keyinto the switch requires the following: One or more Note on Public Keys Syntax: copy tftp pub-key-file <ip-address><filename Copies a public key file from a TFTP show ip client-public-key[ babble | fingerprint ] switch’s current client-public-keyfile You can replace the existing client You can remove the existing client clear public-key Syntax: clear public-key Messages Related to SSH Operation 00000K Peer unreachable 00000K Transport error Indicates the switch experienced a problem when may be wrong Generating new RSA host key. If the After you execute the crypto key generate [rsa] cache is depleted this could take up to two minutes Configuring RADIUS Authentication and Accounting Remote Authentication Dial-In User Service Authentication Accounting EAP(Extensible Authentication Protocol): Host: See RADIUS Server NAS (Network Access Server): RADIUS (Remote Authentication Dial In User Service): Preparation: Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication 1.Configure Authentication for the Access Methods You Want RADIUS To Protect Figure 42. Example Configuration for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server 1.Change the encryption key for the server at 10.33.18.127 to "source0127 Add a RADIUS server with an IP address of 10.33.18.119 and a To make the changes listed prior to figure 43, you would do the following: 3. Configure the Switch’s Global RADIUS Parameters radius-serverretransmit < 1 .. 5 If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session (Default: 3; Range: 1 - 5) Local Authentication Process Controlling Web Browser Interface Access When Using RADIUS Authentication This section assumes you have already: ■Configured RADIUS authentication on the switch for one or more access methods ■Configured one or more RADIUS servers to support the switch Exec accounting: System accounting: Operating Rules for RADIUS Accounting ■RADIUS servers used for accounting are also used for authentication ■The switch must be configured to access at least one RADIUS server Outline of the Steps for Configuring RADIUS Accounting 1. Configure the Switch To Access a RADIUS Server Select the Accounting Type(s): Exec: exec ■System: Use system if you want to collect accounting data when: •A system boot or reload occurs 3. (Optional) Configure Session Blocking and Interim Updating Options General RADIUS Page Page RADIUS Authentication RADIUS Accounting Changing RADIUS-ServerAccess Order Figure 57. Search Order for Accessing a RADIUS Server Re-enter Figure 58. Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Troubleshooting RADIUS Operation IP Preserve: Retaining VLAN-1IP Addressing Across Configuration File Downloads Operating Rules for IP Preserve ip preserve The Figure 59. Example of Implementing IP Preserve in a Configuration File For example, consider Figure 60: Figure 60. Example of IP Preserve Operation To summarize the IP Preserve effect on IP addressing: The Role of 802.1Q VLAN Tagging Outbound Port Queues and Packet Priority Settings Operating Rules for Port-BasedPriority on Series 2500 Switches Configuring and Viewing Port-BasedPriority Messages Related to Prioritization Troubleshooting Prioritization Using the "Kill" Command To Terminate Remote Sessions Syntax: kill [<session-number>] kill Figure 64. Example of Using the "Kill" Command To Terminate a Remote Session Overview Transitioning from STP to RSTP Configuring RSTP CLI: Configuring RSTP Abbreviation: Figure 65. Example of the Spanning Tree Configuration Display Enabling or Disabling RSTP Abbreviation: [no] span Enabling STP Instead of RSTP Abbreviation: span prot stp You can configure one or more of the Table 9. Whole-SwitchRSTP Parameters Abbreviations: span protocol-version<rstp | stp force-version <rstp-operation| stp-compatible priority <0 - 15 Reconfiguring Per-Port Spanning Tree Values Table 10. Per-PortRSTP Parameters spanning-tree[ethernet] <port-list span <port-list path-cost<1 - 200000000 path <1 - 200000000 point-to-point-mac <force-true| force-false| auto Menu: Configuring RSTP menu 2.Switch Configuration 4.Spanning Tree Operation dit 8.Repeat step 6 for each additional parameter you want to change 6. Reboot Switch Web: Enabling or Disabling RSTP To enable or disable Spanning Tree using the Web browser interface: 1.Click on the Configuration tab Enhancements in Release F.02.11 Fast-UplinkSpanning Tree Protocol (STP) ■Used as a wiring closet switch (also termed an edge switch or a leaf switch) Configured for Terminology (2 x (forward delay) + link down detection) Table 11. STP Parameter Settings for Figure With the above-indicatedtopology and configuration: Scenario 1: ■Scenario 2: If Switch "1" fails, then: Operating Rules for Fast Uplink Menu: Viewing and Configuring Fast-UplinkSTP a.Press [E] (Edit) to move the cursor to the Protocol Version field b.Press the Space bar once to change the Protocol Version field to STP c.Press [Enter] to return to the command line Figure 71. Changing from RSTP to STP Requires a System Reboot e.Press [0] (zero) to return to the Main Menu, then [6] to reboot the switch Figure 72. The Spanning Tree Operation Screen b.Use [Tab] to move to the Mode field for port c.Use the Space bar to select Uplink as the mode for port d.Use [v] to move to the Mode field for Trk1 e.Use the Space bar to select Uplink as the Mode for Trk1 Page 1.From the Main Menu, select: 1.Status and Counters 7.Spanning Tree Information 2. Press [S] (for Show ports) to display the status of individual ports Figure 75. Example of STP Port Status with Two Redundant STP Links CLI: Viewing and Configuring Fast-UplinkSTP Page Page Operating Notes Fast-UplinkTroubleshooting The Show Tech Command for Listing Switch Configuration and Operating Details 1.In Hyperterminal, click on Transfer | Capture Text In the 3.Click [Start] to create and open the text file 4.Execute show tech: HP2512# show tech Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security A3 or A2 or Figure 82. Example of TACACS+ Operation Series 2500 Switch Authentication Options Local: TACACS+: Terminology Used in TACACS Applications: communication server remote access server terminal server Local Authentication: General System Requirements To use TACACS+ authentication, you need the following: HP2512> show version Menu Interface: From the Main Menu, click on TACACS+ Operation General Authentication Setup Procedure 3.Determine the following: Note on Privilege Levels Page Configuring TACACS+ on the Switch The switch offers three command areas for TACACS+ operation: CLI Commands Described in this Section Viewing the Switch’s Current Authentication Configuration This example shows the default authentication configuration Figure 83. Example Listing of the Switch’s Authentication Configuration Viewing the Switch’s Current TACACS+ Server Contact Configuration Syntax: show tacacs Configuring the Switch’s Authentication Methods Table 12. AAA Authentication Parameters Table 13. Primary/Secondary Authentication Table HP2512(config)#aaa authenticationconsole login tacacs local HP2512(config)#aaa authenticationconsole enable tacacs local local HP2512(config)#aaa authenticationtelnet enable tacacs local HP2512(config)# Configuring the Switch’s TACACS+ Server Access The tacacs-servercommand configures these parameters: The host IP address(es) An optional encryption key The timeout value Page first-choice server: Figure 85. Example of the Switch with Two TACACS+ Server Addresses Configured The servers would then be listed with the new "first-choice"server, that is: Figure To configure westside as a global encryption key: HP2512(config) tacacs-serverkey westside To configure westside as a per-serverencryption key: HP2512(config)tacacs-serverhost 10.28.227.63 key westside To delete a global encryption key from the switch, use this command: How Authentication Operates General Authentication Process Using a TACACS+ Server Figure 87. Using a TACACS+ Server for Authentication The switch queries the If the switch does not receive a response from the Local Authentication Process (For a listing of authentication options, see Table 13 on page 175.) Using the Encryption Key General Operation Global key: Individual key: Encryption Options in the Switch HP2512(config)# tacacs-serverkey north40campus HP2512(config)# tacacs-serverhost 10.28.227.87 key south10campus Controlling Web Browser Interface Access When Using TACACS+ Authentication Messages Table 14. Tacacs Messages Operating Notes When TACACS+ is not enabled on the manager-level Troubleshooting TACACS+ Operation If the switch can access the server device (that is, it can ■The account has expired ■The access attempt is through a port that is not allowed for the account ■The time quota for the account has been exhausted ■The time credit for the account has expired ■The access attempt is outside of the timeframe allowed for the account ■The allowed number of concurrent logins for the account has been exceeded default user CDP (Updated by Software Version F.05.50) http://www. procurve.com New Time Synchronization Protocol Options TimeP Time Synchronization SNTP Time Synchronization SNTP provides two operating modes: Unicast Mode: General Steps for Running a Time Protocol on the Switch: • TimeP: DHCP or Manual 3.Configure the remaining parameters for the time protocol you selected Disabling Time Synchronization In the System Information screen of the Menu interface, set the ■In the config level of the CLI, execute no timesync Table 15. SNTP Parameters Menu: Viewing and Configuring SNTP To View, Enable, and Modify SNTP Time Protocol: Figure 88. The System Information Screen (Default Values) iv.Press [>] to move the cursor to the Poll Interval field, then go to step CLI: Viewing and Configuring SNTP Viewing the Current SNTP Configuration Configuring (Enabling or Disabling) the SNTP Mode Enabling SNTP in Broadcast Mode sntp broadcast Configures Broadcast as the SNTP mode For example, suppose: Time synchronization is in the Syntax: timesync sntp Selects SNTP as the time synchronization method sntp unicast Configures the SNTP mode for Unicast operation sntp server Figure 93. Example of Specifying the SNTP Protocol Version Number Changing the SNTP Poll Interval Figure 94. Example of SNTP with Time Sychronization Disabled no sntp Figure 95. Example of Disabling Time Synchronization by Disabling the SNTP Mode TimeP: Viewing, Selecting, and Configuring Table 16. Timep Parameters Menu: Viewing and Configuring TimeP To View, Enable, and Modify the TimeP Protocol: Figure 96. The System Information Screen (Default Values) Viewing the Current TimeP Configuration Configuring (Enabling or Disabling) the TimeP Mode ■Time synchronization is configured for SNTP 2.Select TimeP as the time synchronization mode 3.Enable TimeP for DHCP mode 4.View the TimeP configuration Figure 99. Example of Enabling TimeP Operation in DHCP Mode timesync timep Selects TimeP ip timep manual Disabling the TimeP Mode SNTP Unicast Time Polling with Multiple SNTP Servers Address Prioritization Adding and Deleting SNTP Server Addresses Adding Addresses Figure 103. Example of SNTP Server Address Prioritization Deleting Addresses Menu Interface Operation with Multiple SNTP Server Addresses Configured SNTP Messages in the Event Log Operation and Enhancements for Multimedia Traffic Control (IGMP) How Data-DrivenIGMP Operates This section uses the following terms to describe IGMP operation: Querier: ■IGMP Device: A switch or router running IGMP traffic control features Figure 104. Example of Data-DrivenIGMP Operation IGMP Operates With or Without IP Addressing Fast-LeaveIGMP Automatic Fast-LeaveOperation. If a Series 2500 switch port is : a.Connected to only one end node b.The end node currently belongs to a multicast group; i.e. is an IGMP client c.The end node subsequently leaves the multicast group Figure 105. Example of Automatic Fast-LeaveIGMP Criteria To list the Forced Fast-Leavestate for all ports in the switch: Figure 106. Listing the Forced Fast-LeaveState for Ports in an HP2512 Switch To list the Forced Fast-Leavestate for a single port getmib hpSwitchIgmpPortForcedLeaveState.1. <port-number (Not case-sensitive.) Figure 107. Listing the Forced Fast-LeaveState for a Single Port CLI: Configuring Per-PortForced Fast-LeaveIGMP Syntax: setmib hpSwitchIgmpPortForcedLeaveState.1.<port-number> -i< 1 | 2 setmib 1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.<port-number> -i< 1 | 2 where: 1 = Forced Fast-Leaveenabled Querier Operation Table 17. Well-KnownIP Multicast Address Groups Excluded from IGMP Filtering Switch Memory Operation Port Security: Changes to Retaining Learned Static Addresses Across a Reboot Recommended Port Security Procedures Retention of Static Addresses Delete the address by using the command •Reset the switch to its factory-defaultconfiguration Delete it by using the Username Assignment and Prompt Updates and Corrections for the Management and Configuration Guide At the Interface Context Level At the Global Configuration Level This change affects the following commands: Restoring the Factory-DefaultConfiguration, Including Usernames and Passwords ■Execute the no password command in the CLI Select the ■Press and hold the Clear button on the switch for one second GVRP Does Not Require a Common VLAN Incomplete Information on Saving Configuration Changes Update to Information on Duplicate MAC Addresses Across VLANs Incorrect Command Listing for Viewing Configuration Files ■show config : Displays the startup-configfile ■show config run : Displays the running-configfile (The write terminal command also displays the running-configfile.) ■Daylight Time Rule setting Misleading Statement About VLANs Software Fixes Page Page Release F.01.08 Fixed in release F.01.08: 100/1000-T transceiver — Web-Browser Fixed in release F.02.02: Transceiver — Config — a.SNMP community parameter unrestricted is changed to (null) b.forbid commands are added to the VLAN configuration ->Software Exception at woody_dev.c: 450 in AdMgrCtrl ->ppmgr_setDefaultPriority: invalid port number Link — Monitor Port — Ping — Release F.02.04 (Beta Release Only) Fixed in release F.02.04: Buffer Leak — ■CDP — The switch sends the wrong MAC address for itself in CDP packets Console/TELNET — LED — Port security — TELNET — Web-browser interface — Release F.02.06 (Beta Release Only) Textual modifications made to the Isolated Port Groups feature Release F.02.07 (Beta Release Only) This release adds two new features: ■Spanning Tree fast "uplink" mode XRMON — Release F.02.08 (Beta Release Only) Fixed in F.02.08: ->Software exception at woodyDma_recv.c:154 --in 'eDrvPoll Release F.02.09 Release F.02.12 Fixed in release F.02.12 Release F.02.13 Fixed in release F.02.13 Monitoring Port — Port Configuration — Port Monitoring — TFTP — VARIOUS: Crash/Bus Error — Release F.04.02 Release F.04.08 Fixed in release F.04.08 Release F.04.09 Fixed in release F.04.09 Agent Hang — Fixed in release F.05.05 ARP — ■GARP/Event log — Garp event log messages may be garbled show arp show trunks Event Log — GVRP — LACP/802.1X — Loop/VTP — Menu — Menu/CLI — Modified help message for RSTP Menu/VLAN — The VLAN help text has been modified NNM/Stacking — TACACS+ — Time Zone — VTP/ISL — Release F.05.09 (Beta Release Only) Fixed in release F.05.09 Release F.05.12 (Beta Release Only) Adds the following enhancement: ■Changes to 802.1X to support Open VLAN Mode Release F.05.13 (Beta Release Only) ■Changes to Isolated Port Groups to add two new groups: group1 and group2 Performance/Crash (PR_4967) — Transceiver hot-swap (PR_3138) — Transceivers (PR_3167) — crash with a bus error similar to: ->Bus error: HW Addr=0x29283030 IP=0x002086ac Task='mSnmpCtrl Task ID=0x165ae00 Flow control — software exception at alloc_free.c ... buf_free: corrupted buffer ■SNMP — The switch does not support community names other than PUBLIC in traps SNMP/Crash — ->Bus error: HW Addr=0x5265766d IP=0x002592e8 Task='mSnmpCtrl Task ID=0x12c2158 fp: 0x00000005 sp:0x012c1e28 lr:0x00259430 ■TACACS+ — The TACACS server IP is shown on the 'splash screen Example output: ■Web — Sun java v1.3.x and v1.4.x interoperability issue: high CPU utilization ■Web/Stack Mgmt — Software version isn't displayed in Web-agentidentity screen Release F.05.17 Modification of Manufacturing test commands Release F.05.19 (Never Released) Fixed in release F.05.19 ■Counters (PR_92221) — Counters for J4834A 100/1000 xcvr do not clear ■Crash/Bus Error (PR_92466) — Bus error related to 802.1X/unauthorized VLAN Agent Hang (PR_92802) — ■Syslog (PR_1000003656) — The syslog capability added to F.05.22 ■Syslog (PR_1000004080) — A timep event log message on syslog is truncated Web (PR_81848) Web (PR_82039) Web (PR_82199) Release F.05.24 (Not a General Release) Fixed in release F.05.24 Web (PR_1000007144) Release F.05.25 (Not a General Release) Fixed in release F.05.25 SNMP (PR_1000190654) Web/Crash (PR_1000092011) exception.c:356 --in 'mHttpCtrl', task ID = 0x139ba42 Web UI/Port Security (PR_1000195894) port-security Release F.05.32 (Not a General Release) Fixed in release F.05.32 TFTP/Config (PR_1000215024) Release F.05.33 Fixed in release F.05.33 Release F.05.37 (Not a General Release) CLI (PR_83354) show mac vlan <VID Release F.05.38 (Never Released) Fixed in release F.05.38 Release F.05.51 (Never Released) Fixed in release F.05.51 Crash (PR_1000297510) Release F.05.52 Fixed in release F.05.52 Release F.05.55 Fixed in release F.05.55 LLDP (PR_1000310666) Menu (PR_1000318531) RSTP (PR_99049) Release F.05.59 Fixed in release F.05.59 Release F.05.60 Fixed in release F.05.60 RSTP (PR_10004013943) Daylight Savings (PR_1000467724) Release F.05.64 (Never Released) No issues fixed in release F.05.64 Release F.05.65 Fixed in release F.05.65 Release F.05.69 Fixed in release F.05.69 ProCurve Manager (PR_1000768253) Stacking Transceivers (PR_1000784489) TACACS+ (PR_0000003839)