On Fri, Sep 17, 2010 at 2:41 AM, Rohyans, Aaron <[email protected]> wrote:

> As compared to HP’s “Clustering” which allows you to manage a stack of up
> to 16 switches via one IP address *individually* through the master switch
> (which is manually elected).
HP's current stuff (going back at least to 2005) is called "stacking", not
"clustering". You do have to manually designate the "commander" (master),
but given that their stacking doesn't use special cables, I think that's
fair (would you want every switch you put on a network automatically turning
itself into a stack?). Once you've designated a commander, you can configure
it to auto-grab members. You can hot add/remove members.

> Each switch is its own unit with individual
> configuration and provisioning – including VLANs, software, etc.

This is correct. Given how diverse stack members can be, I think that's
unavoidable. You can't run the same software image on completely different
models/generations for Cisco, can you?

> Connections are via ‘uplinks’ to other switches, which rely on STP to manage
> stack resiliency.

Yes. You don't need special cables or modules or protocols; it's standard
networking, with standard link aggregation and control. This means your stack
is as flexible as your network; your "stack" can actually be quite physically
separated. You can even put non-HP switches in between your HP stack members.

> Mixing 10/100 w/ GigaE switches in a cluster is not
> possible…. At least, not that I’m aware of.

It is absolutely possible. You can also mix several generations and
configurations (e.g., 4000M with a 2810) in a single stack.

> …As compared to HP ProCurve’s Buffers/Chipsets which are based on Broadcom’s
> latest generation of ASIC.

Citation needed. HP makes their own ASICs as far as I know; they even have a
brand name, "ProVision".

> It is widely known that these chipsets have an
> inherent flaw (referred to as N+1 buffer overflowing)

http://www.google.com/search?q=+%22N%2B1+buffer+overflowing%22
http://www.google.com/search?q=+%22N%2B1+buffer+overflow%22

No matches for either. If it's so widely known, you would think there would
be mention of it *somewhere* on the Internet.
> o Voice VLAN… Voice traffic can be shielded from data traffic and
> broadcast storms (this feature exists in ProCurve switches, but for sake of
> argument, I’m including it here)

Just for the sake of argument, I'll point out that we're doing this on our
ProCurves right now.

> o Granular QoS… QoS allowing you to map/tag (and even ‘re-tag’) specific
> traffic to specific queues… prioritize buffers/system resources for
> servicing voice traffic...

Check. Doing that now.

> Not to mention advanced queuing/congestion
> avoidance algorithms that take network efficiency down to the port level
> (alleviating upstream routers)…

I can certainly configure QoS on a per-port basis.

> Shaped Round Robin queuing (servicing
> traffic buffers proportionally to administratively defined weights while
> “buffering” traffic in order to achieve more accurate line-rate), and
> Weighted Random Early Detection (TCP congestion avoidance by dropping
> packets at pre-defined thresholds so as to alleviate TCP Synchronization).

I'll admit you're over my head here. I don't know if that's possible or not.

> I can even go so far as to protect the Control-Plane of the switch through
> QoS ...

Check. Configure the management VLAN with highest priority.

> Modular QoS… using the techniques described above, I am no longer
> limited to applying a “global” QoS policy to the switch (as I am with HP
> switches). Policies can be defined per-port or per traffic class… thus
> servicing different ports/traffic using different thresholds/queues/etc.

The ProCurve command would be something like:

    interface 5 qos priority 3

> ... Cisco-approved best practice QoS templates for converged network
> solutions ..

Bingo! (As in, "buzzword bingo".)
> SmartPorts – offer Cisco switches the ability to identify IP Phones/PCs
> attached to a single access port and dynamically configure themselves as a
> trunk port – providing for features such as the Voice VLAN and 802.1p based
> QoS (to the end-user… not just on switch-to-switch or switch-to-router
> uplinks – as is the case with HP switches).

Our IP phones are plugged into our ProCurve switches. The switches use
LLDP-MED to configure the phones with their VLAN IDs and priorities. Voice
traffic is given priority over data traffic from the PCs daisy-chained off
the phones. There's no need to configure the switch port as a "trunk port"
because ProCurves aren't limited by Cisco's artificial "trunk port" concept;
you can configure VLAN behavior however you want, on each individual port.

> o DHCP Snooping – ability of the switch to prevent rogue/unwanted DHCP
> servers from entering the network so as to thwart MiTM attacks, or general
> mischief caused by end-users.

"How to configure DHCP Snooping on ProCurve switches"
http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S12_ProCurve-DHCP-snooping-final.pdf

> o Port Security – ability of the switch to “learn” the MAC addresses tied
> to particular ports… and thus, limit the amount of MAC addresses allowed on
> such ports (think DHCP starvation attacks, or CAM overflows)

Check. The ProCurve command is, appropriately enough, "port-security". For
example:

    port-security 1 learn-mode static action send-disable

> o ARP Snooping – ability of the switch (reliant on DHCP Snooping) to
> prevent hosts from masquerading themselves as different IP/MAC combinations…
> think MiTM again here.

This is part of the port-security stuff.

> o Source Guarding – ability of the switch (reliant on DHCP Snooping and
> Port Security) to verify correct IP/MAC/Port combinations for all connected
> hosts.

Ibid.
> o Private VLANs – ability of the switch to create private “broadcast”
> domains within a normal VLAN so as to segment traffic from one user to
> another

I recall coming across a reference on how to do this on HP's
higher-end-than-mine switches, but it's 3 AM here and I can't find it right
now.

> o Storm Control – ability of the switch to suppress
> Broadcast/Multicast/Unicast storms on particular ports so as to alleviate
> upstream devices in times of congestion.

    interface 5 broadcast-limit 50

> o Layer 2 End-to-End encryption (MACSec) – traffic is encrypted upon
> ingress into the network, transported to its destination and un-encrypted
> upon egress… now you’re even safe from a Wireshark capture.

I've never touched HP's net security products so I wouldn't know. They do
have stuff in that space.

> o 802.1x (yes, I know ProCurves have this as well) – user-based NAC

Why do you keep listing things ProCurve has when you were asked for a list of
things Cisco has but ProCurve does not?

> o Network resiliency through STP enhancements such as Root Guard (prevents
> rogue switches from introducing themselves as Root Bridges), Loop Guard
> (prevents unidirectional traffic flows and/or lack of BPDU reception from
> causing STP recalculations), Portfast (skip Listening, Learning, and go
> straight to Forwarding), etc.

HP's STP does have loop detection and fast start. I dunno about "root guard";
might, might not. Your track record at this point is so horrible I'm not
going to bother checking; it's pretty clear you have no idea what you're
talking about when it comes to what ProCurve can and can't do.

> With the exception of 802.1x, ProCurve switches, (more often
> than not) simply cannot keep unwanted users off of my network, or even from
> tampering with my network.

Again, that's flat out wrong. See above for numerous cases where ProCurve
does indeed implement the things you're asking for.
> Wouldn’t it be nice to view *all* stack switch configurations natively in
> one output as a single/unified/logical unit? Rather than logging into each
> switch individually to manage *individual* configurations?

Yes, it would. At least you found *something* Cisco can do that ProCurve
can't.

> How about stack member inter-connects? ProCurve switches require you to use
> access ports (yes, I know some of these ports are physically located on the
> back of the chassis) to interconnect the cluster…

Dude, that stuff was phased out years and years ago. When was the last time
you actually used a ProCurve switch? I'm getting the feeling you used an HP
switch once in 1998 and haven't looked at them since.

-- 
Ben
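An added configuration example, not part of Ben's message or of HP's documentation, that pulls the ProCurve access-port hardening features discussed in the thread (DHCP snooping, ARP protection, port security, broadcast limiting and per-port QoS priority) into one fragment. It assumes ProVision-era ProCurve CLI syntax as I recall it, port 5 as the end-user port, port 24 as the uplink toward the DHCP server, and VLAN 10 as the user VLAN; all of those are assumptions, not values from the thread.

```text
; Constructed ProCurve configuration fragment (assumed ProVision-era CLI syntax).
; Port 5 = end-user access port, port 24 = uplink to the DHCP server, VLAN 10 = user VLAN.

; DHCP snooping: only the trusted uplink may carry DHCP server replies, so a
; rogue DHCP server plugged into a user port is dropped at the switch.
dhcp-snooping
dhcp-snooping vlan 10
interface 24
   dhcp-snooping trust
   exit

; Dynamic ARP protection checks ARP replies against the DHCP-snooping binding
; table and drops IP/MAC pairs that were never leased (the "ARP snooping" item).
arp-protect
arp-protect vlan 10

; Port security: one learned MAC on the user port; a second MAC disables the
; port and sends an SNMP trap (limits CAM overflow and DHCP starvation).
port-security 5 learn-mode static address-limit 1 action send-disable

; Storm control and QoS on the same user port: cap broadcasts at 50% of the
; port's bandwidth and mark ingress traffic with 802.1p priority 3.
interface 5
   broadcast-limit 50
   qos priority 3
   exit

; Verification after applying the fragment.
show dhcp-snooping
show arp-protect
show port-security 5
```

Expect `show port-security 5` to report learn-mode static with an address limit of 1; a port that shows as disabled after deployment usually means a second device (for example a daisy-chained PC behind a phone) needs the limit raised to 2.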
