HP ProCurve Switch Configuration
This document is intended to provide a quick install guide for the HP ProCurve 5400 OpenFlow Switch, for those who have never used the switch command-line interface (CLI). In the CLI, pressing “?” lists the available commands and the options each one takes.
Getting Started
Manuals
For general commands, see the main switch manual: [1]. The Table of Contents is worth skimming, so you have an idea of what other features are available on the switch.
Console Access
The front serial port provides initial console access; from here, you can add an IP address so that you can change the firmware image or access the switch CLI.
A USB-to-serial adapter typically works with most systems. The port must be configured to 9600 baud, 8 data bits, 1 stop bit, no parity, no hardware flow control.
For example, with ckermit and a USB-to-serial adapter installed on an Ubuntu machine:
sudo apt-get install ckermit
sudo kermit -l /dev/ttyUSB0
set speed 9600
set carrier-watch off
set flow-control none
set parity none
connect
Minicom may also work.
sudo apt-get install minicom
sudo minicom -s
<change setup>
IP Address
After logging in through the serial port, you’ll want to set up an IP address, and copy over any configuration files. If your network uses equivalent switches, ask the network admin for a custom configuration file with site-specific VLANs and security policy.
To display the IP address settings for the switch:
show ip
Consult the manual for changing the IP address, and make sure it’s set to the correct VLAN.
Login
ssh (or telnet) hpsw1
Firmware Flashing
The switch has two firmware banks, primary and secondary.
It is recommended to keep a stock firmware image, K_13_49.swi or later, in the primary bank. Vanilla firmware images are available from the HP ProCurve switch software website. The OpenFlow-enabled firmware image is then copied to the secondary bank. The following instructions are based on this recommendation.
Before replacing a secondary image, boot into primary:
boot system flash primary
Then, copy your firmware over through the methods below.
Finally, reboot into the new secondary firmware image:
boot system flash secondary
SCP Flashing
This is the easiest/fastest option. For this to work, the SSH server on the switch must be enabled.
SSH-based flash:
scp /path/to/image root@switch-ip:/os/secondary
Allow a minute or two for the connection to time out and the ssh session to finish cleanly.
TFTP Flashing
One option is to put the firmware on a TFTP server accessible from the switch. To do this, install the tftpd package, add the default tftp location to /etc/inetd.conf, and start the tftpd server.
To flash the OpenFlow-enabled firmware:
copy tftp flash tftp_server_ip K_14_XX_opfl_0_9.swi secondary
USB Flashing
Another (faster) option is to flash the firmware via USB. Copy the firmware to the top level of the USB drive, insert it into the switch, then run:
copy usb flash <filename> secondary
Common Configuration
Think of OpenFlow as a feature that can be enabled or disabled on a specific VLAN. Each VLAN can have a unique instance of OpenFlow, connecting to a different controller. The first step is to create a VLAN and assign some ports to that VLAN. The default VLAN is 1; <vlan_id> values can be anything between 2 and 4095. Note that any switch changes require that you be in config mode.
VLAN Configuration
Enter the configuration mode (required to make any changes!):
config
Display the currently defined VLANs:
show vlan
Display the configuration and ports of a specific VLAN:
show vlan <vlan_id>
Create a VLAN:
vlan <vlan_id> name openflow
Delete a VLAN:
no vlan <vlan_id>
Add port(s) to the VLAN:
vlan <vlan_id> untagged <ports>
Restore default VLAN for port(s):
vlan 1 untagged <ports>
Remove VLAN from port(s) (must be tied to another VLAN):
no vlan <vlan_id> untagged <ports>
Most commands accept a single port, comma-separated list, or dash-delimited range. Examples of <ports>:
A1
A1,A2,A3
A1-B2 # covers A1..A24,B1..B2 assuming 24-port linecards
OpenFlow Configuration (required)
Once you’ve set up a VLAN, you need to enable and configure an OpenFlow instance on that VLAN.
Show the set of configured OpenFlow instances:
show openflow
Enter the VLAN for the instance you’d like to configure:
vlan <vlan_id>
Show the Openflow configuration, including configurable state, controller connectivity, and switch MAC addr:
show openflow <vlan_id>
Set the controller string (6633 is NOX’s default port):
openflow <vlan_id> controller tcp:<ip_addr>:<tcp_port>
Enable/disable Openflow:
openflow <vlan_id> {enable/disable}
OpenFlow Configuration (optional)
Reducing the maximum backoff interval can be useful for tests, where you want all switches to connect quickly to the controller. For a deployment, a larger backoff value makes sense, so that the network and controller are not flooded with requests for new control connections.
Set backoff (max interval between connection attempts in seconds, 1-60):
openflow <vlan_id> backoff <backoff>
The rate limit for OpenFlow’s hardware path (Kbps per linecard):
openflow hw-rate <rate>
The packet rate limit for OpenFlow’s software path (packets/sec per linecard):
openflow sw-rate <rate>
Optionally, you can add a passive listening port, useful for pulling info from dpctl while NOX is running. This feature currently has no security protections. To add a passive listening port:
openflow <vlan_id> listener ptcp:<tcp_port>
Show current OpenFlow firmware revision:
show openflow version
Other Commands
Show current firmware revision:
show version
Show memory and CPU usage info:
show system
Show configuration:
show running-config
Prevent unwanted packets (highly recommended):
lldp admin-status [dataports] disable
no spanning-tree
Show LLDP/spanning tree configuration:
show lldp config
show spanning-tree
Reboot:
reload
Save configuration:
write memory
Crash Recovery
At boot, it is possible to select which firmware to use from the serial console (9600 baud).
If you corrupt the primary flash, say, by a botched SCP download, and the switch tries to reboot into that corrupted image, you’ll need to replace the script on the switch.
Remote Debugging
Remote Console Access
If you have an HP in a closet and no PC there, or nearby, a nice solution that enables remote debug is to combine a Cat5-to-USB extender with a USB-to-serial adapter. We have this set up in the wiring closet next to the FLASH lab. The following components work:
- USB-to-Cat5 extender ($40)
- USB-to-serial adapter ($20)
- Mini gender changer ($4)
The limit is 150 feet of Cat5e cable.
dpctl
The HP supports a passive listening port per OpenFlow instance. This is super-useful when you want to debug an individual switch without going through the controller.
Add a listener port:
openflow listener ptcp:6633
Then use dpctl. Examples:
dpctl dump-tables tcp:<switch>:<port>
dpctl dump-flows tcp:<switch>:<port>
dpctl add-flow tcp:<switch>:<port> 'in_port=104 actions=output:98'
If you use 6633 as the passive port, the OpenFlow Wireshark plugin will display the messages by default.
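Because the listener has no security protections and accepts dpctl add-flow, it is worth checking that none is left configured after a debugging session. The following is an added example, not part of the original page or HP's tooling: it scans saved CLI text for the command forms shown on this page. Treating a bare `vlan <id>` line as entering a VLAN context and `exit` as leaving it is an assumption, and the sample text is constructed.

```python
import re

# Command forms come from this page; the context handling is an assumption.
CTX = re.compile(r"^vlan\s+(\d+)$")
OF = re.compile(r"^openflow\s+(?:(\d+)\s+)?(controller|listener|enable|disable)\b\s*(\S*)$")

def audit_openflow(text):
    """Return (vlan_id, finding) tuples for the OpenFlow instances found in text."""
    inst, ctx = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CTX.match(line):
            ctx = int(m.group(1))        # bare "vlan <id>": enter that VLAN context
            continue
        if line == "exit":
            ctx = None
            continue
        m = OF.match(line)
        if not m:
            continue
        vlan = int(m.group(1)) if m.group(1) else ctx
        if vlan is None:
            continue                     # no VLAN id and no context: cannot attribute
        st = inst.setdefault(vlan, {"enabled": False, "controller": None, "listeners": []})
        verb, arg = m.group(2), m.group(3)
        if verb == "listener":
            st["listeners"].append(arg)
        elif verb == "controller":
            st["controller"] = arg
        else:
            st["enabled"] = verb == "enable"
    findings = []
    for vlan, st in sorted(inst.items()):
        for lsn in st["listeners"]:
            findings.append((vlan, f"passive listener {lsn} has no security protections"))
        if st["enabled"] and not st["controller"]:
            findings.append((vlan, "enabled without a controller string"))
    return findings

# Constructed sample: VLAN 10 uses the one-line form, VLAN 20 the in-context form.
SAMPLE = """config
vlan 10 name openflow
openflow 10 controller tcp:192.0.2.10:6633
openflow 10 enable
vlan 20
openflow listener ptcp:6633
openflow enable
exit
"""

if __name__ == "__main__":
    for vlan, msg in audit_openflow(SAMPLE):
        print(f"VLAN {vlan}: {msg}")
```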
Capabilities
The HP now supports hardware forwarding. According to HP engineers, specifying the following 7-tuple (for the actions forward to port, drop and “normal”) can enable hardware forwarding:
TCP/IP 5-tuple (src ip, dst ip, nw-prot, src-port, dst-port)
incoming physical port
vlan number (set to openflow's vlan number)
Thus, if the MAC Ethertype is IPv4 (and the VLAN is the OpenFlow VLAN), other fields can be exact match or wildcard. We can “wildcard” 2 fields of the 10-tuple, the MAC SA and the MAC DA, i.e. we pretend they don’t exist.
Consequently, if you send a full 10-tuple exact match with both MAC SA and MAC DA specified as exact match, it will go to HW.
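The rule above can be checked before a flow is installed. The following is an added example, not HP's code and not from the original page: it encodes one reading of the rule (Ethertype exactly IPv4, VLAN equal to the OpenFlow VLAN, only the three listed actions, all other fields free). The field names are those of the reference dpctl match syntax, and treating an empty action list as drop is an assumption.

```python
import re

# Actions the page lists for the hardware path: forward to port, drop, "normal".
# An empty action list is treated as drop (assumption of this sketch).
HW_ACTION = re.compile(r"^(output:\d+|normal|drop)$", re.IGNORECASE)

def _num(value):
    """Parse a decimal or 0x-prefixed field value; None if absent or malformed."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return None

def parse_flow(spec):
    """Split a dpctl-style flow string into ({field: value}, [actions])."""
    match_part, _, action_part = spec.partition("actions=")
    fields = {}
    for tok in re.split(r"[,\s]+", match_part.strip()):
        if tok:
            key, _, val = tok.partition("=")
            fields[key] = val
    actions = [a for a in re.split(r"[,\s]+", action_part.strip()) if a]
    return fields, actions

def hw_path_blockers(spec, openflow_vlan):
    """Return reasons a flow falls to the software path (empty list = hardware)."""
    fields, actions = parse_flow(spec)
    reasons = []
    if _num(fields.get("dl_type")) != 0x0800:
        reasons.append("dl_type must be an exact match on IPv4 (0x0800)")
    if _num(fields.get("dl_vlan")) != openflow_vlan:
        reasons.append(f"dl_vlan must equal the OpenFlow VLAN ({openflow_vlan})")
    bad = [a for a in actions if not HW_ACTION.match(a)]
    if bad:
        reasons.append("unsupported action(s): " + ", ".join(bad))
    return reasons

# The page's own dpctl example, and a constructed full 10-tuple exact match.
PAGE_EXAMPLE = "in_port=104 actions=output:98"
FULL_10_TUPLE = ("in_port=104,dl_vlan=10,dl_src=00:00:00:00:00:01,"
                 "dl_dst=00:00:00:00:00:02,dl_type=0x0800,nw_src=10.0.0.1,"
                 "nw_dst=10.0.0.2,nw_proto=6,tp_src=1234,tp_dst=80 actions=output:98")

if __name__ == "__main__":
    for flow in (PAGE_EXAMPLE, FULL_10_TUPLE):
        print(flow, "->", hw_path_blockers(flow, 10) or "hardware path")
```

Under this reading the page's own `in_port=104` example is handled in software, so it counts against the sw-rate limit rather than the hw-rate limit.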