6125XLG console/aux port access for IRF renumber

For HP Blade enclosures, the 6125XLG can be used as a non-blocking 10G blade server access switch with 4x40G uplink ports. Since it is based on Comware 7 (very similar to the 5900AF model, but in a blade switch form factor), 2x 6125XLG switches in the blade enclosure can be configured to operate in a single IRF system.

(image: 6125XLG front view)

The basic IRF configuration would be:

  • 6125XLG-1: set IRF priority and configure physical interfaces as IRF-ports
  • 6125XLG-2: change the member ID, reboot, set IRF priority and configure physical interfaces as IRF-ports

The renumber of the member ID (which controls the interface numbering, like ten2/0/1) is typically done through a console connection.

There are 2 serial connections available on the 6125XLG:

  • con0: external console port, this is the traditional console port
  • aux0: internal console port, accessible through the HP Blade enclosure Onboard Administrator.

The network admin can open a connection to the OA and then use the following command to access the internal serial (aux) port of the switch:

 # replace X with the interconnect bay number of the switch
connect interconnect X

The serial connection number from the switch's point of view (con0 / aux0) is derived from the IRF member ID (ID-1), so a switch with IRF member ID 2 would see the numbers change to con1 and aux1. This allows the network administrator of an IRF system to control the serial port of each member individually (and they can be used concurrently).

The problem

The challenge comes from the default security settings of the aux serial ports. The default aux0 port allows full network-admin access to perform the configuration. However, when the aux port number changes (e.g. to aux1), the new port receives the default aux port configuration, which does not permit management until the network admin configures its authentication mode.

So if a network administrator uses the OA (HP Blade enclosure Onboard Administrator) to renumber a switch and reboots it, he will now connect through the aux1 interface. This interface has the default aux port configuration, which no longer permits access (“login failed” messages appear when attempting to access the port, since no authentication mode has been configured).

If the network administrator physically accesses the switch and uses the external console port, it would still work, since the default con-x serial port does permit full management access. However, this may cost you a trip to the data center.

The solution

Back to the OA: if the network admin wants to complete the configuration remotely using an IP connection to the OA, he has to ensure that the aux port will still accept management connections after the renumber has taken place.

This can be achieved by changing the default line configuration, which will be used by “new” or renumbered aux ports:

line class aux
 authentication-mode none
 user-role network-admin

When the above lines are configured before the unit renumber and reboot, the switch will allow connections through the new aux port (using the OA), so the network admin can complete the configuration.
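The full sequence for the second switch, as an added example that is not part of the original post: the line class aux pre-configuration from the text, followed by the renumber, reboot and the remaining IRF steps from the list at the top. The interface names used as IRF physical ports (FortyGigE x/1/5 and x/1/6) and the local-user name "irfadmin" are assumptions, not taken from the page.

```comware
# Added example (not from the original post): Comware 7 CLI sequence for the
# second 6125XLG, entered over the OA "connect interconnect X" session.
# Assumed, not from the page: the uplink interface names used as IRF physical
# ports (FortyGigE x/1/5 and x/1/6) and the local-user name "irfadmin".
#
# Step 1: make the *future* aux line usable BEFORE the renumber. After the
# reboot this member answers on aux1, which only has the line class defaults.
system-view
 line class aux
  authentication-mode none
  user-role network-admin
 quit
#
# Tighter variant for the same step: keep aux1 reachable but require a local
# login, so reaching the OA alone does not yield network-admin on the switch.
# local-user irfadmin class manage
#  password simple <CHANGE-ME>
#  service-type terminal
#  authorization-attribute user-role network-admin
#  quit
# line class aux
#  authentication-mode scheme
#  user-role network-admin
#  quit
#
# Step 2: renumber member 1 to 2 (effective after reboot), save, reboot.
 irf member 1 renumber 2
 save force
 quit
reboot
#
# Step 3: after the reboot reconnect through the OA (now aux1, no more
# "login failed") and finish the IRF setup: priority and IRF physical ports.
system-view
 irf member 2 priority 1
 interface range FortyGigE 2/1/5 to FortyGigE 2/1/6
  shutdown
  quit
 irf-port 2/1
  port group interface FortyGigE 2/1/5
  port group interface FortyGigE 2/1/6
  quit
 interface range FortyGigE 2/1/5 to FortyGigE 2/1/6
  undo shutdown
  quit
 irf-port-configuration active
 save force
```

Lines starting with # are annotations, not commands to type; with `authentication-mode none` anyone who can reach the OA's `connect interconnect` session gets network-admin on the switch, which is why the `scheme` variant is shown alongside it.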

Credit: Thanks to Remi Batist for notifying me about the challenge and the default line class configuration option.
