
HP 5900 need final touches on configuration, it is a long read.....

 
idiot_wind
Occasional Contributor


Greetings All,

I was tasked with assisting a colleague to configure a new installation of some switches and servers.  In the past I would go onsite and do this activity myself, but with the state of travel currently that is not possible.  While onsite I would need to “play” with the commands until I got the configuration I was looking for.  This was something that I would do every 2 years or so, so I never knew it cold.  My bad for not taking notes on what I did and assuming that I would have access to previous installations and configurations remotely to copy from; I am documenting every keystroke now.

My colleague has no experience with switches or networking, he was chosen because he can get into the site with no issues.  Screen sharing is not possible, neither is a Teams or Skype call due to poor bandwidth onsite, we communicate over IM and email.

Now that you know the back story here is what I have; what I have done;  and what I am trying to accomplish.  Any direction would be greatly appreciated.  Thank you in advance.

 

Here is what I have:

- 2 HP 5900 switches

            version 7.1.045, Release 2432P05

- 2 HP 5940 switch

            I do not have version information on this switch as of this time.

 

Here is what my end result is to look like and what has been accomplished so far:

- create 4 VLANs on the 5900 (Completed with the below configuration)

  • VLAN 100
      • Network 172.22.173.128/27
      • Ports 1/0/1 to 1/0/16, 1/1/48, 2/0/1 to 2/0/16, and 2/1/48
      • VLAN ip address 172.22.175.158 255.255.255.224
  • VLAN 101
      • Network 172.22.173.160/27
      • Ports 1/0/17 to 1/0/32 and 2/017 to 2/0/32
      • VLAN ip address 172.22.173.190 255.255.255.224
  • VLAN 102
      • Network 172.22.173.192/28
      • Ports 2/0/33 – 2/0/35
      • VLAN ip address 172.22.173.206 255.255.255.240
  • VLAN 103
      • Network 172.22.173.208/29
      • Ports 1/0/37 to 1/0/40 and 2/0/37 – 2/0/40
      • VLAN ip address 172.22.173.222 255.255.255.248

- create 2 VLANs on the 5940 (Completed)

  • VLAN 1000
      • Network 10.10.10.0/27
      • Ports 1/0/1 to 1/0/16 and 2/0/1 to 2/0/16
      • VLAN ip address 10.10.10.30 255.255.255.240
  • VLAN 1032
      • Network 10.10.10.32/28
      • Ports 1/0/17 to 1/0/32 and 2/0/17 to 2/0/32
      • VLAN ip address 10.10.10.46 255.255.255.240

- IRF setup on the 5900 (Completed)

- IRF setup on the 5940 (Completed)

- Configure the management IP address on the 5900 (Completed)

  • interface M-GigabitEthernet0/0/0
  • ip address 172.22.173.179 255.255.255.224 (within VLAN 100)
  • ip route-static 0.0.0.0 0.0.0.0 172.22.173.163

Does it make sense to run a cable from the management port to one of the ports in VLAN 100? I have at least 10 free ports on VLANs 100, 101, 1000, and 1032.

- Configure the management IP address on the 5940 (Completed)

  • interface M-GigabitEthernet0/0/0
  • ip address 172.22.173.177 255.255.255.224 (within VLAN 100)
  • ip route-static 0.0.0.0 0.0.0.0 172.22.173.163

Does it make sense to run a cable from the management port to one of the ports in VLAN 100? I have at least 10 free ports on the following VLAN’s 100, 101, 1000, and 1032.

 

- ssh on both switches (Completed)

  • public-key local create rsa
  • ssh server enable
  • user-interface vty 0 15
  • authentication-mode scheme
  • protocol inbound ssh
  • super password simple XXXXXXXXXX
  • local-user admin
  • password simple ZZZZZZZZZ
  • authorization-attribute user-role level-0
  • service-type ssh

 

Configuration not implemented yet (complete commands that I am planning on sharing with the onsite colleague):

on the 5900

- ports 1/0/47 and 2/0/48 are coming from customer, these ports need to be configured so that they can reach VLAN 100 and VLAN 101.

  • conf t
  • trunk 1/0/47 2/0/47 trk1 lacp
  • vlan 100 untagged trk1
  • vlan 101 untagged trk1

- ports 1/0/37 and 1/0/38 are coming from the customer, these ports need to be configured so that they can reach VLAN 102

  • conf t
  • trunk 1/0/37 1/0/38 trk2 lacp
  • vlan 102 untagged trk2

- ports 1/0/37 and 1/0/38 are coming from the customer, these ports need to be configured so that they can reach VLAN 102

  • conf t
  • trunk 2/0/38 1/0/2/38 trk3 lacp
  • vlan 102 untagged trk3

Here are the configurations that I need help with, assuming that all the above is correct.

- How do I get to route between VLAN 100 and VLAN 101? I was told that the customer will NOT provide the ability to route between these 2 VLANs.

On my servers do I just need to provide the VLAN ip address of that subnet as the default route address? 

Servers are not installed as of yet so I cannot test.

 

- How do I set up IP addresses on the switches so that they can be ssh’ed to from a server?

I have IP addresses 172.22.173.180 and 172.22.173.178 available to me that can be used.

I am thinking on the 5900:

  config terminal
  address stack 172.22.173.180 netmask 255.255.255.224 default-gateway ????????

On the 5940:

  config terminal
  address stack 172.22.173.178 netmask 255.255.255.224 default-gateway ????????

Is there any other configuration that needs to be done? 

Should each switch get its own IP address for management?

 

That is about all, as if this wasn’t enough.  Please let me know your thoughts or suggestions. 

One of my main concerns is that once I am able to have access to the switches remotely that I am going to make a modification that is going to require someone to go onsite and make some changes because I locked everyone out, so as much as I would like to do the configuration I would rather make sure that it is correct and that I will not have to make any modifications. We are just a vendor to the customer; this is not our facility so gaining access after remote connectivity is established would be frowned upon as once remote access is established it is thought that all installation and configuration should be configured remotely.

 

I was going to share the current running configuration file but when reviewing it I noticed some major mistakes and I did not want to contradict  how I stated it is set up and what the configuration file shared, trying to cut down on the confusion.  I can publish once the config is in sync with the items that I documented above that are marked “Completed”.

 

Many thanks in advance for making it to the end of this long drawn out configuration question, greatly appreciate your time and response.

 

Not to be ungrateful but I am requesting command or advice that is known to be 100% correct and accurate, as I stated I am not onsite where I can “play” with commands.

 

Best regards,

frank
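
Added example, not part of the original post: a pre-deployment check of the address plan listed above, which matters when a wrong address cannot be corrected without a site visit. The values are transcribed from the post (both management addresses are checked against VLAN 100 because the post places them there); `check_plan` and the tuple layout are hypothetical names chosen for this example.

```python
import ipaddress

# Address plan transcribed from the post above:
# (stack, interface, network the post states, address, mask).
# The post places both M-GigabitEthernet0/0/0 addresses "within VLAN 100".
PLAN = [
    ("5900", "Vlan100", "172.22.173.128/27", "172.22.175.158", "255.255.255.224"),
    ("5900", "Vlan101", "172.22.173.160/27", "172.22.173.190", "255.255.255.224"),
    ("5900", "Vlan102", "172.22.173.192/28", "172.22.173.206", "255.255.255.240"),
    ("5900", "Vlan103", "172.22.173.208/29", "172.22.173.222", "255.255.255.248"),
    ("5900", "M-GE0/0/0", "172.22.173.128/27", "172.22.173.179", "255.255.255.224"),
    ("5940", "Vlan1000", "10.10.10.0/27", "10.10.10.30", "255.255.255.240"),
    ("5940", "Vlan1032", "10.10.10.32/28", "10.10.10.46", "255.255.255.240"),
    ("5940", "M-GE0/0/0", "172.22.173.128/27", "172.22.173.177", "255.255.255.224"),
]
GATEWAY = "172.22.173.163"  # next hop of the planned default route on both stacks


def check_plan(plan, gateway):
    """Return (stack, interface, kind, detail) for every inconsistency found."""
    findings, ifaces = [], []
    for stack, name, net, addr, mask in plan:
        stated = ipaddress.ip_network(net)
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        if iface.ip not in stated:
            findings.append((stack, name, "outside", f"{addr} is not in {net}"))
        if iface.network.prefixlen != stated.prefixlen:
            findings.append((stack, name, "mask",
                             f"{mask} is /{iface.network.prefixlen}, plan says {net}"))
        ifaces.append((stack, name, iface))
    # Two layer-3 interfaces of one stack should not sit in overlapping subnets.
    for i, (s1, n1, a) in enumerate(ifaces):
        for s2, n2, b in ifaces[i + 1:]:
            if s1 == s2 and a.network.overlaps(b.network):
                findings.append((s1, f"{n1}+{n2}", "overlap", str(a.network)))
    # The default route only works if its next hop is on-link for the stack.
    gw = ipaddress.ip_address(gateway)
    for stack in sorted({s for s, _, _ in ifaces}):
        if not any(gw in i.network for s, _, i in ifaces if s == stack):
            findings.append((stack, "ip route-static", "gateway", f"{gateway} not on-link"))
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN, GATEWAY):
        print(*finding, sep=" | ")
```
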

2 REPLIES
parnassus
Honored Contributor

Re: HP 5900 need final touches on configuration, it is a long read.....

Hi! Reading about your accomplished steps and open tasks/questions will immediately surface a question: what is your goal? what is your exact purpose?

I try to explain: you completed IRF setup for a four-member IRF stack (5900) and a two-members IRF stack (5940) so both IRF stacks should be already managed by a (let me call it that way) "frontend" IP address within each respective VLANs range (I see specifically VLANs range 100-103 on 5900 IRF and VLANs 1000,1032 on 5940 IRF)...but you're also citing OoBM (Out of Band Management) interfaces setup (no, do not loop them back to "frontend" interfaces...OoBM is OoBM...AKA it should be connected to a physically separated network and should remain that if possible, routed/protected in order to be reachable for administration/management purposes...if it is not totally possible to keep it separated you can loop it back to "inband" interfaces within a particular reachable VLAN but it's like having a double access if you also manage the IRF through an inband connectivity, say through one of your VLANs dedicated to manage your IRF Stack)...so it's a little bit unclear what type of network(s) you have in mind and what network(s) you will have already available at site.

A second doubt is about: who is going to be responsible about IP Routing? each IRF Stack can be set (as it is once you assign an IP to a VLAN interface) to be responsible for routing of its own VLANs (at least for those with an assigned IP address)...but then what is going to be the relationship (in terms of Layer 3 routing or Layer 2 switching) between your two IRF Stacks and between them and the remaining part of your Customer network? Here you need to clarify who is who and who is the router (and this is related to the topology design, somewhat).

Third: you say you need to connect to Customer network...is that going to happen through the 5900 IRF Stack, through the 5940 IRF stack, through both? what type of uplink(s) are you forced to serve? single link? Ports Aggregation controlled with LACP? from where to where.

Commands' syntax you suggested about forming a ports aggregation - the "trunk 1/0/37 1/0/38 trk2 lacp" - and setting the VLAN id memberships - the "vlan 102 untagged trk2" - (remember: Port Trunks = HP ProCurve jargon, BAGG/LAGs = HP Comware jargon) are typically used on ArubaOS-Switch OS based switch series (AKA HP ProVision or HP ProCurve) which differ from the ones used on HPE Comware OS based switch series (5900/5940)...so what (doubt: are you used to HP ProCurve and little bit less about HP Comware)?

IMHO before going too deep with CLI Commands it should be essentially clear (a) what you have (what you will find at Customer site), (b) what is required by you to setup (as a part of the new network) and (c) how to fit these new systems (IRF Stacks)...and that should be clarified in terms of both physical connectivity and logical connectivity.


I'm not an HPE Employee
idiot_wind
Occasional Contributor

Re: HP 5900 need final touches on configuration, it is a long read.....

Greetings Parnassus,

Thank you for responding to my mess of an inquiry.  I could have been much clearer in my original post; I hope to do so now after your question.

- The 5900's are stacked together, but not included in the 5940 stack

- The 5940's are stacked together, but not included in the 5900 stack

-  VLAN 100 = iLO connectivity ports 1/01 - 1/0/16 and 2/0/1 - 2/0/16 for HP servers and 2/0/48 1st 5940 management port

- VLAN 101 = OAM connectivity 1/0/17 - 1/0/16 and 2/0/1 - 2/0/16 for HP servers and 2/0/48 2nd 5940 management port

- VLAN 102 = Customer data connectivity 2/0/33 - 2/0/35 

- VLAN 103 = Customer data ingestion 1/0/37 - 1/0/40 and 2/0/37 - 2/0/40

- VLAN 1000 and VLAN 1032 are on the 5940 switches but I do not have a copy of the running configuration yet.  These VLANs will be for internal communication between the HP servers and will not need to be accessible by any other “external” server.

- Ports 1/0/47 and 2/047 will be connected to the customer's network so that we can gain access to the servers remotely.  I have no additional information about this configuration.

- The customer will not be providing any routing between VLAN 100 and VLAN 101, so one of my questions is can that be done within the 5900 stack?

- There will be no need to route traffic between any other configured VLAN's besides VLAN 100 and VLAN 101.

- As for the management of either of the stacks, I want to be able to connect to a server and then login to either the 5900 stack or the 5940 stack so that configuration changes can be made if needed.  If I understand correctly, if I add an IP to the interface M-GigabitEthernet 0/0/0 then I need to connect a cable from the management port to a switch port in order to access the stack via that IP address.

- Does the stack get an IP address in addition to each individual member in the stack get their own IP address?

- There were some configuration changes made since the post on Sunday, below is the currently running configuration.

- Just in general, what other modification do you believe should be made to make this "good" switch configuration.

I hope between my explanation above and the configuration below all of your inquiries will be satisfied; if not, please bear with me as I am not a network person by any stretch of the imagination but I am willing to learn and won’t ask the same question twice.

Thank you in advance for taking the time and patience to help me understand and resolve my issues, greatly appreciated.

Please see the current configuration below:

<rmce-eea-sw1g1>display current-configuration
#
 version 7.1.045, Release 2432P05
#
 sysname rmce-eea-sw1g1
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 32
 irf member 2 priority 31
 irf mode normal
#
 lldp global enable
#
 system-working-mode standard
 password-recovery enable
#
vlan 1
#
vlan 100
 name iLO
#
vlan 101
 name OAM
#
vlan 102
 name APP
#
vlan 103
 name Data_Collection
#
irf-port 1/1
 port group interface Ten-GigabitEthernet1/0/49
 port group interface Ten-GigabitEthernet1/0/50
 port group interface Ten-GigabitEthernet1/0/51
 port group interface Ten-GigabitEthernet1/0/52
#
irf-port 2/2
 port group interface Ten-GigabitEthernet2/0/49
 port group interface Ten-GigabitEthernet2/0/50
 port group interface Ten-GigabitEthernet2/0/51
 port group interface Ten-GigabitEthernet2/0/52
#
 stp global enable
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1 100 to 101
 link-aggregation mode dynamic
#
interface NULL0
#
interface Vlan-interface100
 ip address 172.22.173.158 255.255.255.224
#
interface Vlan-interface101
 ip address 172.22.173.179 255.255.255.224
#
interface Vlan-interface102
 ip address 172.22.173.206 255.255.255.240
#
interface Vlan-interface103
 ip address 172.22.173.214 255.255.255.248
#
(Remove 40 Gig interfaces, they are not configured)
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 100
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 port access vlan 101
#
interface GigabitEthernet1/0/33
 port link-mode bridge
#
interface GigabitEthernet1/0/34
 port link-mode bridge
#
interface GigabitEthernet1/0/35
 port link-mode bridge
#
interface GigabitEthernet1/0/36
 port link-mode bridge
#
interface GigabitEthernet1/0/37
 port link-mode bridge
 port access vlan 103
#
interface GigabitEthernet1/0/41
 port link-mode bridge
#
interface GigabitEthernet1/0/47
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 100 to 101
 port link-aggregation group 1
#
interface GigabitEthernet1/0/48
 port link-mode bridge
 port access vlan 101
#
interface GigabitEthernet2/0/1
 port link-mode bridge
 port access vlan 100
#
interface GigabitEthernet2/0/17
 port link-mode bridge
 port access vlan 101
#
interface GigabitEthernet2/0/36
 port link-mode bridge
 port access vlan 102
#
interface GigabitEthernet2/0/37
 port link-mode bridge
 port access vlan 103
#
interface GigabitEthernet2/0/41
 port link-mode bridge
#
interface GigabitEthernet2/0/47
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 100 to 101
 port link-aggregation group 1
#
interface GigabitEthernet2/0/48
 port link-mode bridge
 port access vlan 101
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/49
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0 1
 user-role network-admin
#
line vty 0 15
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
#
line vty 16 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 172.22.173.163
#
 ssh server enable
#
 super password role network-admin hash $h$6$R8/hjUqkof4pObBO$1kU/UHvF/SG0ehnSCVPX+FHHMPbmJNPq4MtVzwnU72fStmaZkDvYX4gvTHCy4yIiu4Z6KnVTwk4Yp5Ep/cW2zA==
#
radius scheme system
 user-name-format without-domain
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$n31TrSYDglJQeicZ$YltB8guNDWHvdSYkSgrq5aGCC8cWa2RZo44SVddsBuyZ70knxxwnLTaqUHJPHM9a1ZWsstdFnlWGgrCSIjt8rw==
 service-type ssh
 authorization-attribute user-role level-0
 authorization-attribute user-role network-operator
#
return

<rmce-eea-sw1g1>
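
Added example, not part of the original post: a small lint run over an abridged excerpt of the running configuration above, so that access-related settings can be reviewed before the stack is handed over for remote management. The three checks (password recovery left enabled, VTY ranges that do not repeat the settings given to `line vty 0 15`, trunks that permit VLAN 1) are a policy assumed for this example, and `parse_sections` and `audit` are hypothetical helper names.

```python
# Abridged excerpt of the configuration posted above, in Comware's layout: '#'
# separates sections, headers start in column 0, their commands are indented.
CONFIG = """\
#
 password-recovery enable
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 1 100 to 101
#
interface GigabitEthernet1/0/48
 port access vlan 101
#
line vty 0 15
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
#
line vty 16 63
 user-role network-operator
#
"""
VTY_REQUIRED = ("authentication-mode scheme", "protocol inbound ssh")


def parse_sections(text):
    """Yield (header, commands); header is 'global' for blocks without one."""
    block = []
    for line in text.splitlines() + ["#"]:
        if line.strip() == "#":
            if block:
                headed = not block[0].startswith(" ")
                body = block[1:] if headed else block
                yield (block[0].strip() if headed else "global"), [c.strip() for c in body]
            block = []
        elif line.strip():
            block.append(line)


def audit(text):
    """Return (section, finding) pairs for the example policy."""
    findings = []
    for header, cmds in parse_sections(text):
        if header == "global" and "password-recovery enable" in cmds:
            findings.append((header, "password recovery from the boot menu is enabled"))
        if header.startswith("line vty"):
            missing = [c for c in VTY_REQUIRED if c not in cmds]
            if missing:
                findings.append((header, "missing " + " / ".join(missing)))
        for cmd in cmds:
            vlans = cmd.split()[4:] if cmd.startswith("port trunk permit vlan ") else []
            if "1" in vlans or "all" in vlans:
                findings.append((header, "trunk carries VLAN 1"))
    return findings


if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```
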