FAQs

A: The J8988A module is a single port 10-GbE transceiver module intended to support the existing SR, LR, and ER transceivers for uplink connectivity. Expected throughput is between 2.5 and 7Gbps depending on packet size. However, traffic from a single source MAC address to a single destination MAC address will be limited to a maximum of 1 Gbps throughput. That makes this module ideal for switch-to-switch connections.

» Return to top

A: Depending on network topology, the following solutions are recommended for throughput needs higher than 1 Gigabit

           
1. For 10G throughput requirements
   • 5400zl with 10G module (for chassis-based deployment) or
   • 3500yl/2900 (for stackable deployments)
2. For throughput needs greater than 1 Gbps, up to 4 Gbps on a ProCurve 5300xl
   • trunk together four 1Gbps links to achieve 4 Gbps throughput
3. For throughput greater than 4Gbps or for topologies which are fiber constrained
   • use ProCurve Switch xl 1-Port 10-GbE X2 Module (J8988A)

» Return to top

A:  The following optic transceivers are recommended for use with the ProCurve Switch xl 1-Port 10-GbE X2 Module

• ProCurve 10GbE X2-SC SR Optic (J8436A)
• ProCurve 10GbE X2-SC LR Optic (J8437A)
• ProCurve 10GbE X2-SC ER Optic (J8438A)

» Return to top

A: Up for four J8988A modules are supported in each chassis.

» Return to top

A: Yes; up to two J8988A modules may be configured in a trunk to allow for greater throughput. The trunk may only contain 10-GbE connections; mixed throughput links are not supported in a trunk configuration with this module.

» Return to top

A: No. For high density 10-GbE switch-to-server connectivity, the ProCurve Switch 5400zl family of switches is an ideal chassis-based solution.

» Return to top

A: E.11.02 is the minimum required software revision.

» Return to top

A: No. The Guaranteed Minimum Bandwidth feature is not supported. All other ProCurve Switch 5300xl software features, such as meshing, are supported.

» Return to top

The hub, switch, or router will correctly sense (not auto-negotiate) the 10Mbps or 100Mbps speed. Since the end node was configured for a specific speed and duplex state and therefore does not negotiate, the hub, switch, or router will choose the communication mode specified by the 802.3u standard, namely half-duplex.

With one device running at half-duplex and the device on the other end of the connection at full-duplex, the connection will work reasonably well at low levels of traffic. At high levels of traffic the full-duplex device (end node, in this case) will experience an abnormally high level of CRC or alignment errors. The end users usually describe this situation as, "Performance seems to be approximately 1Mbps!" Often, end nodes will drop connections to their servers.

In this same situation, the half-duplex device will experience an abnormally high level of late collisions.

The network administrator must take care to verify the configuration of each network device during installation. Also, check the operational mode of each network device. That is, check both how you configured it and also that it comes up as you expect, for example, at 10Mbps/half-duplex.

» Return to top

Q: Is Gigabit Ethernet auto-negotiation the same as Plug-n-Play?
No. By the time the IEEE issued the 802.3z specification, they knew about the 10/100Mbps auto-negotiation problem (see the FAQ "Is 10/100Mbps auto-negotiation the same as Plug-n-Play?"). To prevent it, 802.3z auto-negotiation requires that, if one side of a connection is configured to auto-negotiate, the other side must also auto-negotiate if the connection is to come up. In other words, if a switch is configured to auto-negotiate and its attached end node is configured to, say, 1000Mbps/full-duplex, the 803.2z spec requires that the switch NOT allow the link to come up.

» Return to top

Q: How does the HP Auto-MDIX feature work? What ProCurve Switch 5300xl Series products support this feature?
HP Auto-MDIX is a feature on all 10/100-TX and 100/1000-T ports of the ProCurve Switch 5300xl Series. When configured in the default configuration "AUTO", the switch automatically detects the signaling on the cable from the connected device and operates as either an MDI or MDIX port. As a result, a "straight-through" twisted-pair cable can be used; you no longer have to use "crossover" cables, although "crossover" cables can also be used for any of the connections. The following products support the HP Auto-MDIX feature:

• ProCurve Switch XL 10/100-TX Module (J4820A/J4820B)
• ProCurve Switch XL 100/1000-T Module (J4821A/J4821B)
• ProCurve Switch XL Mini-GBIC Module (J4878A/J4878B)

» Return to top

Q: Why does my ProCurve Switch 5300xl Series not automatically reboot after I TFTP new software to the switch?
For greater control and flexibility, the ProCurve Switch 5300xl Series will not automatically reboot when you TFTP new software to either the primary or secondary flash. Use the CLI command boot system flash <primary/secondary> to boot the switch up with the new switch software.

» Return to top

Q: Why does my ProCurve Switch 5300xl Series boot into the primary flash image after I lose power to the switch?
Primary flash is the default storage location for the ProCurve Switch 5300xl Series. Following a switch reset (button on front brow) or loss of power, the switch will boot from this default storage location.

» Return to top

Q: Why can't I TFTP or XMODEM software into the secondary flash image using the menu interface on the ProCurve Switch 5300xl Series?
As the default user interface on the switch, the Command Line Interface (CLI) provides access to all configurable features on the ProCurve Switch 5300xl Series. The menu interface supports TFTP and XMODEM to primary flash only.

» Return to top

Q: How do I know what version of software I am currently running on my ProCurve Switch 5300xl Series? How do I get information about the contents of the flash images?
To determine version information about the software the switch is currently running, use the show version command from the CLI. To get information about the contents of flash and current boot image, use the show flash command from the CLI.

» Return to top

What is ECMP?
ECMP is a load balancing protocol under OSPF that allows the 5300 to load share up to 4 equal cost next hops.

» Return to top

» Return to top

Q: Can I add my new ProCurve 300xl Series products to my ProCurve Switch 4000m, 8000m, 1600m, 2400m and 2424m mesh environment?
Yes, meshing on the ProCurve 5300xl Series products will interoperate with the ProCurve 4000m, 8000m, 1600m, 2400m and 2424m switches. Here are some operating rules when using meshing:

• A meshed switch can have some ports in the meshed domain and others outside the meshed domain. That is, ports within the meshed domain must be configured for meshing, while ports outside the meshed domain must not be configured for meshing.
• Meshed links must be point-to-point switch links.
• Within any meshed switch, all ports belong to the same meshed domain.
• A switch can have up to 24 meshed ports.
• A mesh domain can include up to 12 switches.
• A hub linking meshed switch ports is not allowed.
• Features such as VLANs, STP, and IGMP must be configured consistently across all switches in the mesh.
• If a ProCurve 4000m, 8000m, 1600m, 2400m and 2424m switch detects a duplicate MAC address on multiple switches while in a mesh with a ProCurve 5300xl Series product, the mesh will not function properly.
• If a duplicate MAC address already exists through separate switches in a mesh and you try to add ProCurve 4000m, 8000m, 1600m, 2400m and 2424m switches, the ProCurve 4000m, 8000m, 1600m, 2400m and 2424m switches will not join the mesh. These ports will be in a "blocked" state.

Click here to view supported and unsupported mesh topology examples.

» Return to top

Q: What is a Secure Management VLAN and how would I use it in my network? Could enabling Spanning Tree affect my Secure Management VLAN?
This feature allows a user to set up an isolated network (VLAN) to manage network devices. Access to this Secure Management VLAN, and to the switch's management functions (Menu, CLI, and web browser interface), is available only through ports configured as members of the Secure Management VLAN.

• Multiple ports on the switch can belong to the Secure Management VLAN. This allows connections for multiple management stations you want to have access to the Secure Management VLAN, while at the same time allowing Secure Management VLAN links between switches configured for the same Secure Management VLAN.
• Only traffic from the Secure Management VLAN can manage the switch, which means that only the workstations and PCs connected to ports belonging to the Secure Management VLAN can manage and reconfigure the switch.
• Enabling Spanning Tree may cause loss of connectivity if the port that the Secure Management VLAN is on becomes blocked.

Refer to the ProCurve Series 5300xl Switches Management and Configuration Guide for more information on Secure Management VLAN.

» Return to top

Q: Can I add the ProCurve 5300xl Series product to my ProCurve 4100gl Series IP Management stack?
No. IP Stack Management is not supported on the ProCurve 5300xl Series products.

» Return to top

Q: Can I use GVRP across a mixed mesh of ProCurve 5300xl Series products and ProCurve Switch 4000m, 8000m, 1600m, 2400m and 2424m?
Since GVRP is not supported on the ProCurve Switch 4000m, 8000m, 1600m, 2400m and 2424m switches, GVRP is not supported on a mixed mesh that consists of both the ProCurve Switch 4000m, 8000m, 1600m, 2400m and 2424m switches and the Switch 5300xl. Although the user is not prohibited from configuring GVRP in a mixed mesh, VLANs will not be dynamically learned on the ProCurve Switch 4000m, 8000m, 1600m, 2400m and 2424m switches across the mesh.

» Return to top

Q: Can I use ProCurve Switch 4100gl modules in a ProCurve Switch 5300xl Series and vice versa?
Although GL and XL modules may look alike, they are specifically designed to operate in their respective chassis. An XL module will not operate in a GL chassis and a GL module will not operate in an XL chassis. Inserting a module in the incorrect chassis will not damage the module or chassis and the module will not be powered up.

» Return to top

• ProCurve Gigabit-SX-LC Mini-GBIC (J4858A)
• ProCurve Gigabit-LX-LC Mini-GBIC (J4859A)
• ProCurve Gigabit-LH-LC Mini-GBIC (J4860A) (note: requires software version E.06.01 or greater)

» Return to top

Q: How are MAC addresses allocated on the ProCurve 5300xl Series product?
The ProCurve 5300xl Series assigns MAC addresses in these areas:

• For management functions, one Base MAC address is assigned to the default VLAN (VID = 1). (All VLANs on the switch use the same MAC address.)
• For internal switch operations: One MAC address is assigned per port.
• MAC addresses are assigned at the factory. The switch automatically implements these addresses for VLANs and ports as they are added to the switch.

» Return to top

Q: What are the differences between the ProCurve Switch 5308xl (J4819A), the ProCurve Switch 5304xl (J4850A), ProCurve Switch 5372xl (J4848A) and the ProCurve Switch 5348xl (J4849A)?
The ProCurve Switch 5308xl (J4819A) is an unpopulated 8 slot chassis and the ProCurve Switch 5304xl (J4850A) is an unpopulated 4 slot chassis. The ProCurve Switch 5372xl (J4848A) is a bundle of the ProCurve Switch 5308xl (J4819A) and three ProCurve Switch XL 10/100-TX modules (J4820A/J4820B). The ProCurve Switch 5348xl (J4849A) is a bundle of the ProCurve Switch 5304xl (J4850A) and two ProCurve Switch XL 10/100-TX modules (J4820A/J4820B).

» Return to top

Q: What are the differences between the ProCurve Switch 5300xl Series and the ProCurve Switch 4100gl Series?
The ProCurve Switch 5300xl series are Layer 3 switches, and the ProCurve Switch 4100gl series are Layer 2 switches. The 5300xl series consists of an 8-slot chassis that supports up to a maximum of 192 10/100Base-T RJ-45 ports or up to a maximum of 32 100/1000-T ports, and a 4-slot chassis that supports up to a maximum of 96 10/100Base-T RJ-45 ports or up to a maximum of 16 100/1000-T ports. The 4100gl series consists of an 8-slot chassis that supports up to a maximum of 192 10/100Base-T RJ-45 ports or up to a maximum of 48 100/1000-T ports, and a 4-slot chassis that supports up to a maximum of 96 10/100Base-T RJ-45 ports or up to a maximum of 24 100/1000-T ports. The ProCurve Switch 5300xl Series supports Gigabit-SX and Gigabit-LX connectivity. The ProCurve Switch 4100gl supports Gigabit-SX, Gigabit-LX, 100-FX SC and Gigabit stacking connectivity.

» Return to top

Q: What modules are supported on the ProCurve Switch 5300xl Series? Are the supported modules "hot-swappable"?
The following modules are supported in the ProCurve Switch 5300xl Series:

• ProCurve Switch XL 10/100-TX module (J4820A/J4820B)
• ProCurve Switch XL 100/1000-T module (J4821A/J4821B)
• ProCurve Switch XL Mini-GBIC module (J4878A/J4878B)

Modules can be inserted into the switch while the unit is powered on. Inserting a module into a previously unused slot or replacing a module with another of the same type does not require a reboot. Replacing a module with another of a different type requires a reboot of the switch.

» Return to top

Q: Is redundant power supported on the ProCurve Switch 5300xl Series? Is the Redundant Power Supply "hot-swappable"?
The ProCurve Switch 5300xl Series supports the "hot-swappable" ProCurve Switch Redundant Power Supply (J4839A).

» Return to top

Q: When I start a console session on my new ProCurve Switch 5300xl Series, I get the prompt "HP ProCurve Switch 5300xl#". How do I access the menu interface?
The default interface for the ProCurve Switch 5300xl Series is the Command Line Interface (CLI). The CLI is a full-featured interface that can be used to get status information (show commands) and perform configuration changes (configuration context). To access the menu interface, issue the command "menu" from the CLI. Also, using the "setup" command from the CLI or menu interface allows you to configure most of the basic options on the switch such as IP addressing and passwords.

» Return to top

Q: What are the compatible OS, Browser, and Java versions for the 5300xl series switch web agents?
The ProCurve web browser interface supports the following combinations of OSs, browsers, and Java virtual machines for switch software version E.08.01 and greater:

» Return to top

Q: What is ICMP Rate Limiting?
ICMP Rate Limiting is an ingress feature that limits inbound ICMP traffic to a percentage of bandwidth.

» Return to top

Q: How is the ICMP Rate Limit configured?
The ICMP Rate Limit is configured per-port and applies to all ICMP traffic.

» Return to top

Can I specify ICMP packet types to limit?
No. ICMP Rate Limiting is applied to all ICMP traffic and does not distinguish between different subtypes of ICMP traffic.

» Return to top

Q: What is Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED)?
LLDP-MED is an extension to the 802.1AB standard which allows automatic deployment of convergence network policies; voice vlan assignment, layer 2 and 3 QoS policies, as well as detailed inventory management capabilities.

» Return to top

Q: Which vendors support LLDP-MED?
At the time this is being written, the LLDP MED has not been ratified by the standards committee, however there is broad industry support for this standard. Among those participating are HP, Mitel, Enterasys, Avaya, Foundry, Nortel, 3com, and many others.

» Return to top

What good is LLDP-MED if the standard has not yet been ratified?
The standard is close to ratification and HP is working with other vendors so that as soon as there are VoIP phones that support this standard they should work with the implementation we are currently distributing.

» Return to top

Q: Can 5300xl series switches in a meshed configuration run differing versions of software?
Due to significant improvements to mesh operation in the E.07.xx software releases, all 5300xl series switches are required to run the same version of software in order to successfully interoperate with other 5300xl switches in a meshed topology.

Please note that although a mesh may appear to operate properly with some switches running release E.07.27 (or greater) and other switches running E.06.xx or earlier, this scenario creates a mesh environment that is not supported by HP.

» Return to top

Q: Can we still use "virus throttling" on the 5300xl even though it is not supported on the "downlink" ports?
You may use Virus Throttling in the switch for other wired ports, but it may not be used on ports associated with the ACM. The issue here is that individual ports on the ACM (up and down) are shared among many clients, and the virus throttling affects the whole product and the ports not associated with the ACM.

» Return to top

Q: Would there be a reason to trunk two gig links for the uplink since the throughput is limited to 350mbps (besides redundancy)?
No - but remember that these "trunks" do not need to carry only ACM traffic. The 5300xl can be doing many other things and thus require a trunk for other aspects of the customer network.

» Return to top

Q: Is this Access module a hot swap only if it has two installed?
No, each module is individually hot swappable.

» Return to top

Q: What will happen if more than two ACM modules are installed in a chassis?
The 3rd and further ACM modules are not brought up, and a message is placed in the switch log. There is no danger to the switch or the ACMs. The limit is well documented.

» Return to top

Q: Should you shutdown the module before removing it, rebooting the switch, etc?
Yes, but this is not required.

» Return to top

Q: What will happen when the battery dies?
Usually nothing. It only maintains the clock when the module is not powered up.

» Return to top

Q: What is the maximum memory supported?
The module maximum is large, but the ACM application is locked to the shipping size of 256 MB. This is not a field upgradeable component. We will not support any other memory other than what is shipped with the product.

» Return to top

Q: Are there any configurations to be done to the new ACM replacement module?
There are some CLI configurations that are very similar to both the 5300xl Switch and the 700 Series products. Adding the module for the first time requires configuration; replacing (swapping out) a failed module is a simple hot swap.

» Return to top

Q: Where is the configuration stored for the access module?
The local configuration (IP address, ACS & shared secret) are stored in the switch; overall rights are in the ACS. As with the rest of the switch, passwords are not saved in the exported configuration file. They must be re-entered upon restore. This includes the shared secret.

» Return to top

Q: Is there a way to download the Port & VLAN configuration for backup?
A normal backup of the switch configuration includes the configuration of ports and VLANs for the ACM. Port and VLAN information is backed up with the 5300xl configuration. Backup the 5300xl configuration and you have the Port and VLAN backup. As with the rest of the switch, passwords are not saved in the exported configuration file. They must be re-entered upon restore. This includes the shared secret.

» Return to top

Q: If you assign an IP address to the Client VLANs, can you telnet to the switch or will a 5300 with routing enabled try to route between them?
You cannot add an IP address to the downlink VLANs

» Return to top

Q: Does downgrading the OS version result in erasing the running config?
No. Downgrading the version of the ACM will not affect the switch's running config (but, there is only the 4.1.3.93 version at this time). Downgrade of the switch software may affect the running config, depending on what version you go to.

» Return to top

Q: What happens if a VLAN 2000 already exists when you install a module?
The switch picks the first unused VLAN above that.

» Return to top

Q: When the ACM is shutdown, will the 5300 ports configured as client ports be locked out of the network just as they would be when a 720 they were attached to is powered off?
Correct. The ACM will not forward traffic when it is shut down.

» Return to top

Q: Is the ACM log file stored in volatile memory (and would be lost on power off reboot just as the switch logs are lost?) Is the ACM's log saved in RAM on the module instead of in the 5300 chassis's RAM?
The ACM's log, just like the 720's, is stored in RAM, and will be lost from the ACM when power is lost or the module is rebooted. However, the log is pushed to the ACS (740/760), and should be available there.

» Return to top

Q: When the module is reset to factory defaults does it leave the VLANs it created behind (remaining in the switch config), for example, VLAN 2000?
That is correct. However, if the SWITCH is reset to factory defaults, those settings and VLANs are lost.

» Return to top

Q: What if the MODULE is reset? Do the VLANs the module created remain?
For the written log... If the module is reset, it just reboots. If it is reset to factory defaults, its own configuration (IP address, location of the ACS, and shared secret) are lost, but the switch VLAN configuration remains untouched. If the switch configuration is reset to factory defaults, both its configuration and that of the ACM are cleared.

To clarify, resetting the module to factory defaults does NOT delete the VLANs created.

» Return to top

Q: Will the switch with the ACM only control 12 ports on the switch?
Any of the switch's ports can be controlled by the ACM. It is possible to put all 168 remaining switch ports on one ACM, but that is NOT recommended.

» Return to top

Q: Are the firmware updates freely downloadable from ProCurve's Web site or are some licenses required?
Yes and they are free.

» Return to top

Q: Which OS version do you need to support the module?
We will release with 4.1.3.93 or greater for the 700 series and E.09.21 or greater for the 5300xl switch.

» Return to top

Q: Is the module SNMP-manageable from a remote location? How can a dead module be detected if the switch itself is fine?
As with the 700 series, there is a MIB for reading statistics, but the module is not configurable via SNMP.

There will be error messages that propagate up from the ACM to the switch. If the switch detects the inability to communicate with the ACM then an event log message will be put in the log. The BIOS POST errors are an example. If a critical BIOS power on self test (POST) failure occurs when the ACM is inserted into a slot in a 5300xl chassis, a message is posted to the Event Log. The 5300xl switch resets the ACM, up to two times (a total of three attempts to pass the POST). If the ACM fails three consecutive times, the module does not power on. The 5300xl switch can operate successfully if this occurs.

» Return to top

Q: Does the XL ACM module have its own SNMP SysOid so that the module is discovered via SNMP as a separate device?
Yes it does.

» Return to top

Q: Does the ProCurve Access Controller xl Module use the same software as the 720wl?
No. The code is different since this is a different hardware platform. They are built from the same code base so features will track together.

» Return to top

Q: Are the ProCurve Access Controller xl Module messages displayed through the CLI command?
Yes.

» Return to top

Q: If a syslog server is configured on the 5300xl, will the ProCurve Access Controller xl Module messages be reported to it?
Yes. General switch event log messages will go to the configured server and ProCurve Access Controller xl Module specific messages are managed through the 740/760wl.

» Return to top

Q: What are RADIUS Assigned per-port ACLs?
RADIUS based per-port ACLs are a new feature in E.10.x software that allows a 5300 to get assigned inbound, layer 3 ACLs by a RADIUS server.

» Return to top

Q: How are the RADIUS Assigned ACLs configured?
The 5300 only needs to be configured as a RADIUS client. The actual configuration of the ACEs is done on the RADIUS server. The server must state the vendor and Vendor Specific Attribute for ProCurve ACLs that can be found in the 5300 documentation. RADIUS server specific configuration details should be available in the RADIUS server software.

» Return to top

Q: What routing functionality exists on the ProCurve Switch 5300xl Series? Can I route AppleTalk and IPX traffic on the ProCurve Switch 5300xl Series?
The ProCurve Switch 5300xl Series can function as a Layer 2 switch only and as a Layer 3 switch. Here is a summary of Layer 3 features on the ProCurve Switch 5300xl Series:

• IPv4 Unicast Routing
• Routing Information Protocol (RIP) version 1 (v1), version 2 (v2) and v1-compatible-v2
• Open Shortest Path First (OSPF)
• Static Routes
• Access Control List (ACL) (Note: keep checking this web site for future availability of ACL support)

The ProCurve Switch 5300xl Series supports IP Routing only. AppleTalk and IPX traffic will not be routed. However, this traffic will be forwarded at Layer 2.

To use the layer 3 features, use the CLI command "ip routing" at the global configuration level. Refer to the Chapter on IP Routing in the ProCurve Series 5300xl Switches Management and Configuration Guide for more information.

» Return to top

Q: With routing enabled, I got the message "IP Routing support must be disabled first" when I tried to configure meshing. Why?
The ProCurve 5300xl Series product does not support the configuration of routing and meshing at this same time. If you have meshing enabled, you will not be able to enable routing on the ProCurve 5300xl Series product until you disable meshing and vice versa.

» Return to top

Q: Can I route traffic on a VLAN that gets its IP address from DHCP?
DHCP IP addresses by definition are temporary assignments and it is highly recommended that all routed interfaces be configured with static IP addresses. Although the user is not prohibited from routing on a VLAN that received its IP address from DHCP, it is not a supported configuration.

In addition, the user is prohibited from changing an interface to DHCP if a Static Route is using that interface. Conversely, the user is prohibited from adding a Static Route to an interface that has a DHCP IP address.

» Return to top

Q: With routing enabled, is the default gateway used to route traffic?
The default gateway on the ProCurve 5300xl Series product is used when the product is configured as a Layer 2 switch and the traffic is destined off subnet. Although still displayed in the menu and configuration file, the default gateway is not used when routing is enabled.

» Return to top

Q: With routing enabled on the ProCurve 5300xl Series product, how can I prohibit a VLAN from routing traffic?
With routing enabled on the ProCurve 5300xl Series, any VLAN that has an IP address configured will be a routed VLAN. If you do not wish to have traffic routed on a particular VLAN, do not configure an IP address on that VLAN.

» Return to top

Q: With RIP enabled, I noticed that my configured default route was distributed to neighboring RIP routers. Is this expected behavior?
In the initial release of software for the ProCurve Switch 5300xl, static routes are distributed into RIP by default. A default route is considered to be a static route and will be distributed as well. To disable static route distribution, use the CLI command "no redistribute static" from the global RIP configuration context. In a future release, static route distribution will be disabled by default.

» Return to top

Q: Why does my ProCurve Switch 5308xl (J4819A), 5372xl (J4848A), 5348xl (J4849A), and 5304xl (J4850A) stop forwarding packets across modules after several weeks of continuous operation?
In software versions prior to E.06.03, there is a synchronization issue between the switch chassis and modules that can occur after several weeks of continuous operation. This can result in packets being dropped by the switch instead of being forwarded.

This issue is fixed in software version E.06.03, or greater, available on our website at http://www.procurve.com/customercare/support/software/switches.htm.

If you believe you are experiencing this issue, rebooting your 5300xl switch will temporarily resolve the situation until you upgrade to software version E.06.03 or greater.

» Return to top

Q: When I connected my new ProCurve Switch 5300xl Series to my ProCurve Switch 4000m using a Gigabit-SX or Gigabit-LX connection, the link did not come up. Why not?
The ProCurve Gigabit-SX module used in the ProCurve Switch 4000m, 8000m, 1600m, 2424m and 2400m is set by factory-default to "1000 Fdx" whereas the factory-default setting for the ProCurve Gigabit-SX/LX-LC Mini-GBIC used in the ProCurve Switch 5300xl Series is set to "Auto". The configuration must be set to match on both ends to provide Gigabit connectivity.

» Return to top

Q: When connecting my ProCurve Switch 5300xl Series to a ProCurve Routing Switch 9300 Series using Gigabit-SX or LX Mini-GBICs, why is the link not being established when both devices are configured for the default setting?
During extensive testing of Gigabit mini-GBIC connectivity on the ProCurve Series 5300xl Switch, HP observed a small number of times when the Gigabit link to a ProCurve Routing Switch 9300 mini-GBIC would not be established when both sides are in the default configuration. The default configuration for a Gigabit-SX or Gigabit-LX port on both the ProCurve Series 5300xl Switch and the ProCurve Routing Switch 9300 is "Auto". Therefore, HP recommends that if you have an ProCurve Series 5300xl Switch with an ProCurve Switch XL mini-GBIC Module (J4878A/J4878B) using either of these mini-GBICs:

• ProCurve Gigabit-SX-LC mini-GBIC (J4858A)
• ProCurve Gigabit-LX-LC mini-GBIC (J4859A)

and you will be connecting them to a mini-GBIC port on a ProCurve Routing Switch 9315m, 9308m, or 9304m, you should configure both sides of the link to be "1000-Full Duplex". You can continue to use the default configuration in other situations, such as connecting a mini-GBIC port on the ProCurve Series 5300xl Switch to mini-GBIC ports on another ProCurve Series 5300xl or Series 4100gl Switch, or when connecting to non-mini-GBIC ports on a ProCurve Routing Switch 9300 or Series 4100gl Switch.

» Return to top

Q: How does the switch "throttle viruses"?
The 5300 takes advantage of the behavior of worms that causes a node to communicate with a large number of clients in an attempt to exploit them. The Connection Rate Filter (CRF) is the feature that monitors the rate at which new route requests are made by a host. If the rate exceeds the threshold set in the connection rate filter, that host can be disallowed, throttled, or simply have a notification stating the threshold has been exceeded.

» Return to top

Q: Do I have to update virus definition files periodically?
No. There are no virus definition files. The CRF simply monitors the new connection rate at the routed interface and if that rate exceeds the threshold, action will be taken.

» Return to top

Q: If a node exceeds the CRF threshold, does that mean the client has a virus?
Not necessarily, although it would be wise to act as if it did unless you find another explanation for why the threshold was exceeded. There are some valid applications that do exhibit a high connection rate in valid use. One example is Web JetAdmin, which discovers printers on the network by a number of methods one of which is a subnet ping sweep. Another application where this may happen is ProCurve Manager.

» Return to top

Q: What do I do if a valid application triggers the CRF?
First make sure that the client is not infected with a worm. Once you are sure that this client is "clean", and you understand the connection rate behavior, you may create an Access Control Entry (ACE) to exclude this client from the connection rate filtering.

» Return to top

Q: What is the difference between Virus Throttling and Connection Rate Filtering?
Virus throttling is the term used to describe the benefit of features like Connection Rate Filtering (CRF). Connection rate filtering is the specific feature implemented in the E.09.xx software code that will detect and respond to clients that are exhibiting high connection rate (virus like) behavior. At this point the two terms are almost synonymous since CRF is the first virus throttling feature.

» Return to top

Q: What are the trigger points for the connection rate filter function?
The trigger points, or sensitivities can best be shown in the table below:

» Return to top

Q: Does the CRF completely stop the spread of viruses?
No. CRF identifies hosts displaying "virus like" behavior at the routed interface, notifies the network administrator, and throttles the connection by blocking the host for a penalty period or by blocking the host altogether until the network administrator manually unblocks it.

» Return to top

Q: Do I need to have routing enabled to use CRF?
Yes. The CRF only works on routed traffic. Layer 2 switched traffic is unaffected.

» Return to top

Q: What kind of viruses does the CRF function work on?
For the sake of our discussion, CRF works on worms that are a subset of viruses. One way to describe the difference between worms and viruses is that viruses rely on code that must be executed whereas worms need only replicate. The discussion of virus types and how to classify them can be complicated and controversial. The class of worm that CRF is primarily concerned with is that which attempts to replicate by taking advantage of vulnerabilities of other hosts (i.e. known weaknesses in network applications behind unsecured ports). A worm of this variety chooses a set of hosts to attack based on an address range (sequential or random) that is exhaustively searched, either by blindly attempting to make a connection/send a datagram, or by first sending an ICMP ping message and listening for a reply. It is this behavior, searching a large number of IP addresses that is exploited by CRF.

» Return to top

Q: If the CRF does not completely stop viruses, why is it useful?
If worms such as the Sasser worm of a couple years ago are left to spread unchecked, there are a couple of negative impacts to the network. First, much if not essentially all of the network bandwidth is consumed by the traffic generated by the worm. Second, many network products fail due to the demands of routing to so many new addresses. Even though CRF does allow some spreading of a worm or virus, it will limit it severely so that network utilization does not get out of control, and routers will not suffer performance degradation or failure.

» Return to top

Q: Does the CRF disable a client when it detects a high connection rate?
CRF actually filters a client from the routed interface when response is set to throttle or block. The client continues to operate and traffic in its own subnet is unaffected.

» Return to top

Q: Does the CRF disable a port when it detects a high connection rate?
CRF responses are client Source Address based. Once triggered, the offending SA is blocked (in the case of response set to blocking) from being routed regardless of the port from which that SA is seen.

» Return to top

• Notify-only: Generates event log entry and trap event when sensitivity threshold exceeded.
• Throttle: Generates event log and trap event and then blocks routing of traffic from offending host for penalty period defined by sensitivity. After the penalty period the function is reset and routing resumes.
• Block: Generates event log and trap event and then blocks routing of traffic from offending host until manually reset by administrator.

» Return to top

Q: Can I set a different sensitivity for every port on the switch?
No. Sensitivity is set globally for the entire switch, response is set per port, filtering is host based or source address based.

» Return to top

Q: Can I set a different response for every port on the switch?
Yes. Sensitivity is set globally for the entire switch, response is set per port, filtering is host based or source address based.

Q: Can I exclude an individual port on the switch from the CRF function?
Yes. You can set Access Control Entries ACEs to exclude individual hosts. This will likely be required for valid network applications that perform some kind of network discovery or for some other reason exhibit valid high connection rate behavior.

» Return to top

Q: If I ping an IP interface of a VLAN, but none of the ports in the VLAN are active, will I get a response from ping?
There is a one-to-one relationship between a VLAN and an IP network interface. Since the VLAN is defined by a group of ports, the state (up/down) of those ports determines the state of the IP network interface associated with that VLAN. When a port-based VLAN or an IPv4 or IPv6 protocol-based VLAN comes up because one or more of its ports is up, the IP interface for that VLAN is also activated. Likewise, when a VLAN is deactivated because all of its ports are down, the corresponding IP interface is also deactivated.

» Return to top

Q: My ProCurve Switch 5300xl Series is configured with multiple VLANs and I want the switch to use DHCP to learn its IP address and default gateway for each VLAN. Since the ProCurve Switch 5300xl Series supports a single global default gateway, which of the DHCP supplied default gateway addresses will the switch use?
The ProCurve Switch 5300xl Series will use the DHCP information received on the VLAN configured as the "Primary VLAN". In the factory-default configuration, the switch designates the default VLAN (DEFAULT_VLAN) as the "Primary VLAN". However, you can designate another VLAN as the "Primary VLAN" using the "Primary VLAN" configuration option. For more information, refer to Chapter 7 "Configuring IP Addressing" of the ProCurve Series 5300xl Switches Management and Configuration Guide.

» Return to top

Q: What is the recommended way to connect multiple VLANs between a ProCurve Switch 5300xl Series and a ProCurve Switch 800t, 2000, 1600m, 2400m, 2424m, 4000m, 8000m?
The diagram below illustrates the question.

The following ProCurve switches provide VLANs and have a single MAC/Ethernet address (filtering) table: Switch 800t, 2000, 1600m, 2400m, 2424m, 4000m, 8000m. In the diagram above we show a Switch 8000m, but the following discussion applies to all of the switches listed in the previous sentence. The ProCurve Switch 5304xl and 5308xl, as a default gateway, have a single MAC address for all of its VLANs. In the diagram above we show a 5308xl, but this could be a 5304xl as well.

Let's consider PC "A" attempting to send an IP packet to PC "B". PC "A" will send the 8000m a packet with the 5308xl's MAC address in the destination field. If the 8000m has not yet learned this MAC address, the 8000m will flood the packet out all of its VLAN1 ports, including the VLAN1 link to the 5308xl. The 5308xl will then route the packet toward PC "B" via its link with the 8000m's VLAN2 connection. The 8000m will enter the 5308xl's MAC address into its MAC address table as located in VLAN2. The 8000m will also forward the packet to PC "B".

Let's consider a second packet that PC "A" sends to PC "B". PC "A" sends the packet, again addressed to the 5308xl's MAC address, to the 8000m. The 8000m will check its address table and find that the 5308xl appears to be located on VLAN2. Since the 8000m believes that this MAC address is not located on VLAN1, the switch will discard the packet.

Later, when the 5308xl transmits a packet to the 8000m via the VLAN1 link, the 8000m will update its address table to indicate that the 5308xl's MAC address is located in VLAN1 instead of VLAN2. As you can see, the 8000m's location information for the 5308xl's MAC address will vary over time between VLAN1 and VLAN2. For this reason, some packets directed through the 8000m for the 5308xl's MAC address will be discarded. Performance may appear to be poor or connectivity may appear to be broken.

To avoid this issue, simply use one cable between the 8000m and the 5308xl instead of two, making sure that the two VLANs use tags on that link, as shown below.

» Return to top

Q: Are there any interoperability restrictions or issues when interconnecting a 1600m/2400m/2424m/25xx/4000m/8000m switch and a Series 5300xl switch?
These two switch families have significantly different architectures. The 5300xl series switches use a multiple forwarding database utilizing a single MAC address and multiple VIDs. Switches using a multiple forwarding database can properly interpret multiple occurrences of the same MAC address received from the same device, but on different ports belonging to different VLANs. However, switches having a single forwarding database do not have this capability and interpret multiple instances of a MAC address on different ports as a "duplicate MAC address" error condition. As a result, using a switch with a single forwarding database may have interoperability restrictions when deploying features such as multiple VLANs and XRRP.

Please see the FAQ "Q: What is the recommended way to connect multiple VLANs between a ProCurve Switch 5300xl Series and a ProCurve Switch 800t, 2000, 1600m, 2400m, 2424m, 4000m, 8000m?" on how to correctly interconnect the 1600m/2400m/2424m//25xx/4000m/8000m switches with Series 5300xl switches when using multiple VLANs.

For more information on correctly configuring XRRP in environments with multiple VLANs, refer to "Multiple VLAN Considerations" in the "XRRP Operation Notes" section of the XRRP chapter in the
ProCurve Series 5300xl Switches Management and Configuration Guide.