How-To: Init HPE FF5700 FlexFabric Switches

Left alone by some consultants, who charged a lot and did not accomplish too much, I ended up configuring the FF5700 FlexFabric switches myself. Here are some of the insights; other posts will follow.

This post starts with the basic initialization settings: configuring management access and doing initial firmware maintenance. After unpacking the switch and mounting the fans and power supplies, connect through the serial console, although there is a DHCP client running on the switch which probably allows you to gain management access over the network. Remember there is a Gigabit Ethernet port on the back of the switch, dedicated to management access only. The console port is adjacent. Default serial settings are 9600/n/1/n as with any other HPE switch.

After the boot procedure press enter and you have access to the switch. Elevate your access level to configuration mode with:

system-view

To start with I actually disable the DHCP client and activate LLDP for further use.

undo dhcp enable
lldp global enable

After that, prepare the desired VLANs according to what you will use later. I strongly recommend leaving the default VLAN untouched: leave the primary VLAN ID at 1 and transport it untagged on any switch-to-switch link, but remove all access and server ports from the default VLAN. In particular, interoperability between different HPE networking switch families or other vendors improves this way, and you gain some operational security without bothering yourself with the primary VLAN mechanisms and BPDU traffic in switch-to-switch communication, e.g. in Spanning Tree and many more protocols.

VLAN assignments may happen like this:

vlan 1
name DEFAULT_VLAN
quit
vlan 2
name ADMINLAN
quit
vlan 3
name SERVERS
quit
vlan 4
name ISCSI
quit
...

By naming the VLANs, their numbers are reserved and assigned, and you have a descriptive reference to their use. Later status information will then report 802.1Q encapsulation, which is not used as a command in this system.

Incidentally, the trailing quit command leaves the current management context and returns to the previous level.

By now the fans will have spun up and be making a lot of noise. Configuring a dedicated airflow direction makes them spin down. Configure the preferred fan direction according to the setup in the rack; besides the option in the example there is also power-to-port.


fan prefer-direction slot 1 port-to-power

As the next step, activate the IP management interface on the Ethernet port, here with the example network 192.168.1.0/24.


interface M-GigabitEthernet0/0/0
description Management_GigE
ip address 192.168.1.254 255.255.255.0
quit

Netmasks may be written either in the full four-octet 255.255.255.0 format or in CIDR notation as /24. You will presumably also want to define the default route to ensure the management network is reachable.


ip route-static 0.0.0.0 0 192.168.1.1

You can now ping the device, but logging in will still fail. The access line permissions and user credentials have to be configured first. The following user setup creates a user called manager with its credentials. Note that although you may enter the password in clear text during configuration, it is written to the running configuration as a hash. A sample configuration looks like:


local-user manager class manage
password simple PASSWORD123
service-type ssh https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
quit

Additionally, the SSH service needs to be enabled and the user permitted to log in over SSH. Both commands are entered directly in system view.


ssh server enable
ssh user manager service-type all authentication-type password

Access still does not work at this point, since the access lines are not yet configured. An appropriate definition for virtual terminal sessions with SSH access and an idle timeout of 10 minutes looks like this (idle-timeout takes minutes first, then seconds):


line vty 0 4
authentication-mode scheme
user-role network-admin
protocol inbound ssh
idle-timeout 10 0
quit

Now you may try logging in as manager on your FF5700 switch. If you logged in successfully, set two more operational parameters: the operational mode, standard bridge in this setting, and the possibility to recover passwords, which is provided afaik through the not yet configured web interface.


system-working-mode StandardBridge
password-recovery enable
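
A command file built from the steps so far can be checked before it is reused on further switches. The following Python check is an added example, not part of the original post; the sample configuration is constructed, and the 15-minute idle threshold is an assumed policy value. It relies on idle-timeout taking minutes first, then seconds.

```python
import re

# Constructed sample in the style of this page's commands; not a real device dump.
SAMPLE = """\
local-user manager class manage
 password simple PASSWORD123
 quit
line vty 0 4
 authentication-mode scheme
 protocol inbound all
 idle-timeout 600 0
 quit
line vty 5 15
 authentication-mode none
 idle-timeout 0 0
 quit
password-recovery enable
"""

def audit(config, max_idle=15 * 60):  # 15 minutes is an assumed policy threshold
    """Return (line_no, context, message) findings for a Comware-style command file."""
    findings, context = [], "system"
    for no, raw in enumerate(config.splitlines(), 1):
        line, msg = raw.strip(), None
        if line in ("quit", "#"):          # leaving a view returns to system view
            context = "system"
        elif re.match(r"(line|local-user|interface)\s", line):
            context = line                 # entering a sub-view
        elif line.startswith("password simple"):
            msg = "cleartext password kept in a stored command file"
        elif line == "password-recovery enable":
            msg = "password recovery enabled; check it against physical-access policy"
        elif context.startswith("line vty"):
            timeout = re.fullmatch(r"idle-timeout (\d+)(?: (\d+))?", line)
            if timeout:                    # arguments are minutes, then seconds
                secs = int(timeout.group(1)) * 60 + int(timeout.group(2) or 0)
                if secs == 0 or secs > max_idle:
                    msg = "idle timeout disabled" if secs == 0 else f"idle timeout is {secs // 60} minutes"
            elif line.startswith("protocol inbound") and line.split()[2:] != ["ssh"]:
                msg = "VTY accepts protocols other than SSH"
            elif line.startswith("authentication-mode") and line.split()[1:] != ["scheme"]:
                msg = "VTY does not use scheme authentication"
        if msg:
            findings.append((no, context, msg))
    return findings

for finding in audit(SAMPLE):
    print(finding)
```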

Your switch can now be used as a switch; the port configurations will follow in a dedicated post.

Nevertheless, a proper system initialization should include first-time system maintenance. As the first step, back up the configuration to TFTP, in this case to a host with the IP 192.168.1.123. To perform this operation, make sure that you leave the elevated configuration context system-view with quit:


backup startup-configuration to 192.168.1.123 sw254-20170310-init.cfg

Provided that the same host stores the latest firmware revision downloaded from HPE, the firmware binary is downloaded to the switch filesystem before validation and writing to flash.


tftp 192.168.1.123 get 5700-CMW710-R2432P01.ipe

As of today this is the latest firmware revision; notes on firmware follow in dedicated posts. With the firmware staged, it can be written to flash, preparing the boot loader of the FF5700.


boot-loader file flash:/5700-CMW710-R2432P01.ipe slot 1 main

After successful writing, verify that the image was written properly and, if so, reboot.


display boot-loader
reboot

Note that display boot-loader indicates which software is stored in flash, not which one is running. After the reboot, with:


display version

it can be verified that the new software version is actually running.

Given these steps you should be able to manage your switch and have the latest firmware up and running. Please check the website of HPE to get the latest firmware available.

Kyp.F.
