
Basic Course Switch Aruba Def .X PDF

This document provides an introduction to the basic configuration of Aruba switches, including how to access the equipment through the console port or remotely, establish initial settings such as device name and IP address, and manage ports, VLANs, link aggregation and security. It explains the different levels of access, how to get help and review previous commands, and provides examples of common configuration commands.

BASIC CONFIGURATION COURSE FOR ARUBA SWITCHES

Content
1. Initial configuration
   Help
   Help by context
   Autocomplete
   See previous command
2. Local and remote management access configuration
3. Security settings
4. VLANs
5. Link Aggregation Settings

1. Initial configuration.

Port nomenclature.
Ports are numbered 1-24 or 1-48, with odd numbers on the top row and even numbers on
the bottom row. They are 10/100/1000 ports or take mini-SFP/SFP+ (1/10G) transceivers.
[Figure: switch front panel showing the console port, the dual-personality ports, the 20 10/100/1000 Base-T ports and the out-of-band GE port]

Forms of access to the equipment

In-band: Management traffic travels with user traffic. An IP address, mask and
default gateway are required to connect to the device over the network. Access is
through terminal software (PuTTY, Tera Term) using SSH or Telnet, via the web, or
through a management station using the SNMP protocol.

Out-of-band: Safer form of access for device management. Connects through the
console port.

[Figure: in-band management over an Ethernet connection; out-of-band management over a direct serial connection to the console port or through the out-of-band management port]

Access via Console port

Use a terminal emulation program (Tera Term, PuTTY) for command-line interface (CLI)
access. The port detects the speed automatically.
Standard configuration:
• 9600 bps
• 8 data bits
• No parity
• 1 stop bit
• No flow control

Console port lock


ArubaOS(config)# console idle-timeout <0-7200>
After the allotted time (0 to 7200 seconds) the console port is blocked.

Initial access
Aruba switches by default do not have a username or password. Initial configuration must
be performed through the console by writing the commands MENU () or SETUP (config
menu).

Aruba 5406Rz12# menu


• Operator: Allows read access to statistics and settings
• Manager: Allows full access.

Access levels
The switch can be accessed with one of the user types:

Access Level       CLI Prompt            Description
Operator           Switch>               View statistics and configuration information
Manager            Switch#               Begin switch configuration
Global setting     Switch(config)#       Make configuration changes
Context settings   Switch(<context>)#    Make configuration changes in a specific context,
                   Examples:             such as vlans, one or more ports, etc.
                   Switch(vlan-1)#
                   Switch(ospf)#

Context-sensitive help

Command line     Description
? or Help        See description of available commands
<string>?        Commands that start with certain characters
<string>[Tab]    Autocomplete

Help
ArubaOS# ?
Exec commands:
  <1-99>          Session number to resume
  access-enable   Create a temporary Access-List entry
  access-profile  Apply user-profile to interface
  copy            Copy from one file to another
  debug           Debugging functions (see also 'undebug')

Help by context

ArubaOS#c
call  ccm-manager  cd  clear  clock  cns  configure  connect  copy

ArubaOS# copy ?
  command-output  Specify a CLI command to copy output of.
  config          Copy named configuration file.
  core-dump       Copy coredump file from flash.
  crash-data      Copy the switch crash data file.

Autocomplete

Pressing the TAB key completes a command if no other command starts with the same
letters.

Switch# conf <TAB>
Switch# configure

See previous command

With the history command you can review and re-execute previous commands.

ArubaOS# show history
 6 sh vers
 5 sh hardware
 4 display hotkey
 3 exit
 2 enable
 1 show interfaces

To repeat a command, use the repeat command with the command's line number from the
history.

ArubaOS(config)# repeat <index-number> [ count <number-of-repeats> ]

ArubaOS# repeat 1 count 2   (Repeat command 1 twice)

Basic configuration
Name an Aruba switch
ArubaOS# config
ArubaOS(config)# hostname <switch-name>
ArubaOS(config)# hostname myswitch
myswitch(config)#

IP address assignment
By default, only vlan 1 exists. All ports belong to this vlan. An IP address can be assigned
to the switch in this vlan using the following commands:
ArubaOS(config)# vlan 1
ArubaOS(vlan-1)# ip address <ip-address> / <subnet-mask>
ArubaOS(config)# vlan 1
ArubaOS(vlan-1)# ip address 192.168.1.254/24

Layer 3 switches can have multiple addresses in different vlans. To remove a network
address, use the no ip address command.
When the switch operates at layer 2, it must have a gateway address to reach
networks that are not directly connected to it.
ArubaOS(config)# ip default-gateway <ip-address>

Commands take effect in the running configuration, which is held in RAM. You can view
the configuration with the command:
ArubaOS# show running-config

To save changes use the command:


Switch# write memory

You can use command abbreviations such as wr m or wr mem.

Factory default
To reset the device to factory parameters, use the command:

Switch# erase startup-config

When the command is confirmed with the Y key, the switch restarts and comes up with
the initial configuration.

Interface configuration

Default configuration:
• Interfaces are enabled by default.
• Speed, duplex and MDI are in auto.
• All interfaces belong to Vlan 1

Interfaces can be configured one by one or globally within the context menu like this:

ArubaOS(config)# interface <port-list> <interface-command>


ArubaOS(config)# interface 1-5 enable

Or this way:

ArubaOS(config)# interface <port-list>


ArubaOS(eth-<port-id>)# <interface-command>

ArubaOS(config)# interface 1-5


ArubaOS(eth-1-5)# enable

Enable or disable interfaces


Ports are enabled by default. Use enable to turn a port on and disable to turn it off.

ArubaOS(config)# interface < port-list > [ disable | enable ]

Or this way:

ArubaOS(config)# interface < port-list >


ArubaOS(eth-<port-id>)# disable | enable

ArubaOS(config)# interface 1-5 disable

Set port speed and duplex


By default, Aruba ports auto-negotiate speed and duplex. However, it can be modified like
this:

ArubaOS(config)# interface <port-list> speed-duplex <setting>

The speed-duplex settings depend on the device and combine the port speed and the
duplex mode: auto-10, 10-full, 10-half, 100-full, 100-half, auto, auto-100, 1000-full and
auto-1000.

MDI-X Configuration

The copper ports on the Aruba switch can automatically detect the type of cable (straight
through or crossover) with a connected device. However it is possible to force the ports
for special conditions like this:

ArubaOS(config)# interface <port-list> mdix-mode < auto-mdix | mdi | mdix >

• MDI: equivalent to a straight-through connection
• MDI-X: equivalent to a crossover connection
• Auto-MDIX: automatic negotiation

Assign names to interfaces

Interfaces can be named with an indication of their function that can be more easily
identified in the configuration, through the command:

ArubaOS(config)# interface <port-list> name <port-name-string>

To see the names of the interfaces, use the following commands:
• show name: lists the ports with their names
• show interface <port-number>: displays the interfaces and their names
• show running-config: displays the complete configuration

Switch# show name

Port Names
Port  Type      Name
1     10/100TX  Finance server
2     10/100TX  HR Server
3     10/100TX  HR VLAN
4     10/100TX  HR VLAN
5     10/100TX  Finance VLAN
6     10/100TX  Finance VLAN

2. Local and remote management access configuration.

Access via SSH and Telnet is enabled by default. Aruba switches support SSH v1 and v2
for remote management between management stations and network devices. SSH
provides the same functions as Telnet, but encrypts the session. A username and
password are required for authentication. The ip ssh command enables or disables the
parameters that the switch uses for transactions with clients.

ssh configuration

ArubaOS(config)# crypto key generate ssh rsa bits <key-size>
ArubaOS(config)# ip ssh [ version 2 ]
ArubaOS(config)# no telnet-server

The available key sizes are 512, 768 and 1024 bits. The switch automatically generates the
keys when it reboots.
You can configure access using AAA authentication like this:

ArubaOS(config)# aaa authentication ssh enable { local | tacacs | radius } [ local | none ]

Configuring web access.

Access via web is allowed by default, however the information is unencrypted.
Communication between the switch and the management station can be secured with
SSL v3 and TLS. SSL provides all web functions, but encrypted. To do this you need to:
• Create a public key.
• Generate a self-signed certificate or obtain a certificate from a certification
authority.
• Enable SSL.
• Optionally, disable HTTP.
These are the commands:

ArubaOS(config)# crypto key generate cert [ rsa ] bits < 512 | 768 | 1024 >
ArubaOS(config)# crypto host-cert generate self-signed
ArubaOS(config)# web-management ssl
ArubaOS(config)# no web-management

Network Management Protocol (SNMP)

The SNMP protocol allows you to manage and monitor a variety of devices from a central
station. Using SNMP you can make configurations for an entire network. SNMP can also
monitor conditions such as down interfaces, available links, link problems, and network
management.
It consists of three parts:
• The managed device, which has read or read-write communities.
• The agent, the software located on the managed device that performs the
translation of SNMP messages using a management information base (MIB).
• The management station, which runs software that monitors and manages the
network.
Types of messages:
• GET (bring information - read) and SET (send information - write)
• Traps (notifications)
SNMP versions
• SNMP version 1/2c: Less secure. These versions use write and read communities.
• SNMP version 3: More secure.
SNMPV3

Designed to improve the security of SNMP v1 and v2c. It has the same structure defined
in SNMP v1 and v2c.

Data integrity and authentication algorithm and key

SNMP V1 and V2c configuration.

Read-only access (GET)
• ArubaOS(config)# snmp-server community <community-string> operator restricted
Write-Read Access (SET)
• ArubaOS(config)# snmp-server community <community-string> manager unrestricted
Send notifications (Trap)
• ArubaOS(config)# snmp-server host <ip-address> <community-name>

SNMPV3 Configuration

Basic configuration
ArubaOS(config)# snmpv3 enable
ArubaOS(config)# snmpv3 only                (If only snmpv3 is desired)
ArubaOS(config)# snmpv3 restricted-access   (only allows V3 computers)

SNMP V3 User Configuration
ArubaOS(config)# snmpv3 user <username> [ auth < md5 | sha > <auth-pwd> priv < des | aes > <priv-pwd> ]

ArubaOS(config)# snmpv3 user Miriam auth sha securepassword priv aes securepassword

Configure SNMP V3 Group
ArubaOS(config)# snmpv3 group <group-name> user <username> secmodel { ver1 | ver2c | ver3 }

3. Security settings.

You can access switches using one of two types of users:

Users      Rights
Manager    Manager mode (full read-write access)
Operator   Operator mode (limited read-only commands)

Manager: Makes configurations and has read and write permissions.
Operator: Can view statistics and configuration information.

Local and remote authentication.
Users can connect locally or remotely.
Locally, users and passwords are stored on the switch.
Remotely, users and passwords are stored on an external server.
Configuring the switch to control Access Management Control.
[Figure: local and remote authentication between the management station, the switch (NAS) and a RADIUS server (authentication server)]

Reset password locally.
• Clear button: erases passwords
• Disable clear button: no front-panel-security password-clear

Clear and Reset buttons

Aruba switches have two buttons, Reset and Clear.
The Reset button is used to reset the switch while it is powered on. This action restarts
the switch and runs a self-test.
The Clear button is used to delete passwords. When pressed for one second, it deletes
any password that has been configured for console access.
Pressing Clear and then Reset can clear the switch's settings.
It is possible to disable the Clear and Reset buttons with the following commands:

ArubaOS(config)# no front-panel-security password-clear
ArubaOS(config)# [no] front-panel-security factory-reset

If the Clear button is disabled, passwords cannot be cleared.

Restricted access with local passwords

Passwords are automatically encrypted.
There are two users: Operator and Manager. To configure them, the following commands
are used:
ArubaOS(config)# password operator
New password for operator: <password>
Please retype new password for operator: <password>
ArubaOS(config)# password manager
New password for manager: <password>
Please retype new password for manager: <password>

Once passwords are set, the switch can only be accessed with a username and password.

Access Restriction with AAA

To set AAA authentication use the following commands:


ArubaOS(config)# aaa authentication
[ telnet | console | web | ssh ]
[ login | enable ]
[ radius | tacacs | local | local radius | local tacacs ]

With this command you define the access method (console, telnet, web, ssh), the access
level (operator or manager) and where to find the username and password.

If you define local passwords, you can define usernames like this:

ArubaOS(config)# password [ operator | manager ] user-name <name>

This is an example of AAA configuration.

ArubaOS(config)# aaa authentication telnet login radius local
ArubaOS(config)# radius-server host 192.168.1.253 key mysecretkey
ArubaOS(config)# password manager user-name Richard

Role Based Access Control (RBAC)

RBAC makes it possible to restrict users to specific commands or access levels.
The commands for using it are described in the lab.

Management VLANs and IP-authorized administrators

By default there is no restriction on which users can access the equipment remotely. If your switch has
multiple VLANs, you can choose one for management and only users in that VLAN can access the switch:
ArubaOS(config)# management-vlan <vlan-id>

You can also restrict access to the equipment, allowing only selected IPs to manage it.

ArubaOS(config)# ip authorized-managers <ip-address> 255.255.255.255

Configuring SSH
Since Telnet is insecure, it is necessary to configure SSH to encrypt remote
communications with the switch. To do this, keys are generated that are used to perform
the encryption. Remote access is possible with emulation programs such as PuTTY or
Tera Term. For remote access, HPE recommends that you have at least one Manager user
and access via SSH. The key size can be 512, 768 or 1024 bits.
To configure it, use the following commands:

crypto key generate ssh rsa bits 1024
ip ssh [ version 2 ]
no telnet-server
write memory
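
The management-access settings from sections 2 and 3 can be checked mechanically. The Python script below is an added example, not part of the course material: it flags the defaults the course describes as open (Telnet on, unencrypted web access, SNMP v1/v2c write communities, no management VLAN or authorized managers, no console timeout, active Clear button). Both sample configurations are constructed, and the script assumes that configuration lines appear in the same form as the commands shown in this course.

```python
import re

def normalize(text):
    """Return config lines without CLI prompts, ';' comments or extra whitespace."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^\S+[#>]\s*", "", raw.strip())  # drop e.g. 'ArubaOS(config)# '
        line = " ".join(line.split())
        if line and not line.startswith(";"):
            lines.append(line)
    return lines

def has(lines, pattern):
    """True when any configuration line matches the regular expression."""
    return any(re.search(pattern, line) for line in lines)

# (finding id, reason taken from the course text, predicate: True = weakness present)
RULES = [
    ("telnet-enabled", "Telnet is enabled by default and is unencrypted",
     lambda c: not has(c, r"^no telnet-server$")),
    ("web-plaintext", "web access is allowed by default and is unencrypted",
     lambda c: not (has(c, r"^web-management ssl$") and has(c, r"^no web-management$"))),
    ("snmp-write-community", "SNMP v1/v2c community with manager unrestricted (SET) access",
     lambda c: has(c, r"^snmp-server community \S+ manager unrestricted$")),
    ("snmp-v1v2c-allowed", "the less secure SNMP v1/v2c is not shut out by 'snmpv3 only'",
     lambda c: not has(c, r"^snmpv3 only$")),
    ("mgmt-unrestricted", "no management-vlan or ip authorized-managers restriction",
     lambda c: not has(c, r"^(management-vlan \d+|ip authorized-managers \S+ \S+)$")),
    # Assumption: a timeout of 0 is treated as "the console never locks".
    ("console-no-timeout", "no console idle-timeout, so an idle console stays open",
     lambda c: not has(c, r"^console idle-timeout [1-9]\d*$")),
    ("clear-button-active", "the Clear button can still erase the passwords",
     lambda c: not has(c, r"^no front-panel-security password-clear$")),
]

def audit(text):
    """Return (id, reason) for every rule whose weakness is present in the config."""
    cfg = normalize(text)
    return [(rule_id, why) for rule_id, why, weak in RULES if weak(cfg)]

def finding_ids(text):
    """Return only the finding ids, in rule order."""
    return [rule_id for rule_id, _ in audit(text)]

# Constructed sample: a switch left close to the defaults described in the course.
WEAK_CONFIG = """
; constructed sample configuration
hostname "myswitch"
snmp-server community "public" manager unrestricted
console idle-timeout 0
vlan 1
   ip address 192.168.1.254 255.255.255.0
"""

# Constructed sample: the hardening commands from sections 1 to 3, typed at the CLI.
HARDENED_CONFIG = """
ArubaOS(config)# console idle-timeout 300
ArubaOS(config)# no telnet-server
ArubaOS(config)# web-management ssl
ArubaOS(config)# no web-management
ArubaOS(config)# snmpv3 enable
ArubaOS(config)# snmpv3 only
ArubaOS(config)# management-vlan 99
ArubaOS(config)# ip authorized-managers 192.168.99.10 255.255.255.255
ArubaOS(config)# no front-panel-security password-clear
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for rule_id, why in audit(cfg):
            print(f"  [{rule_id}] {why}")
```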

4. VLANs

• Definitions:
   o Broadcast domain
   o Layer 3 subnet (IP subnet)
   o Different departments of a company
   o Logical grouping of users
• Advantages:
   o Contains broadcasts
   o Increases security
   o Improves management of network infrastructure

VLANs allow users to be grouped logically regardless of their physical
location. They help control bandwidth usage within a network by allowing users to be
grouped by function, location, department, etc. They also help improve network security.
Users of the same VLAN can communicate without any problem, but if they want to access
another VLAN they must do so through a routing device. Additional functions of VLANs
include broadcast containment, security, and the creation of flexible user groups.

Switches and VLANs:

A network has two types of topology. The physical topology indicates how
users connect to the equipment and how the equipment is interconnected.
The logical topology indicates how signals travel in the network.
[Figure: samples of a physical topology and a logical topology]

VLANs are defined in the 802.1Q standard, which indicates the fields and how they
are used to travel through the network. This is an open standard, which adds a
label or tag to each frame that will travel through the network and that label is
removed when delivering the traffic to its destination.

In Aruba, a port that allows tagged frames is called a tagged port.


[Figure: 802.1Q tag fields, including TPID (2 bytes) and User Priority (3 bits)]

Identification of vlans

On HPE switches all ports belong to VLAN 1 by default. The traffic is received at an
access port and is called untagged. If the port carries more than one VLAN, it is
called tagged.
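
The tagging behaviour described above, as an added Python example that is not part of the course material: it inserts and removes the 4-byte 802.1Q tag (TPID 0x8100, 3-bit priority, 1-bit DEI, 12-bit VLAN ID) and models, in simplified form, what tagged and untagged ports send and accept. The frame is constructed, and the port maps reuse the port names and VLAN IDs of the SwitchX example later in this course.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier: the 2-byte value that marks a tagged frame

def add_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag after the two 6-byte MAC addresses."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    if not (1 <= vid <= 4094 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("VID must be 1-4094, priority 0-7, DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid  # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame):
    """Return (tag, untagged_frame); tag is None when there is no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
    return tag, frame[:12] + frame[16:]

def egress(frame, vid, membership):
    """Bytes the port sends for a frame in VLAN vid, or None if it is not a member.

    membership maps VLAN ID -> "tagged" or "untagged" for one port.
    """
    mode = membership.get(vid)
    if mode is None:
        return None
    return add_tag(frame, vid) if mode == "tagged" else frame

def ingress(frame, membership):
    """Return (vid, untagged_frame) for a received frame, or None if it is dropped.

    Simplified model: an untagged frame joins the port's untagged VLAN, and a
    tagged frame is accepted only for a VLAN the port is a member of.
    """
    tag, inner = strip_tag(frame)
    if tag is None:
        untagged = [v for v, mode in membership.items() if mode == "untagged"]
        return (untagged[0], inner) if untagged else None
    return (tag["vid"], inner) if tag["vid"] in membership else None

# Constructed frame: broadcast destination, locally administered source, IPv4 EtherType.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed payload"

# Port maps taken from the SwitchX example: a3 is an access port in VLAN 20,
# a7 carries VLANs 20 and 30 tagged.
ACCESS_A3 = {20: "untagged"}
UPLINK_A7 = {20: "tagged", 30: "tagged"}

if __name__ == "__main__":
    wire = egress(FRAME, 20, UPLINK_A7)
    print("tag bytes on the uplink:", wire[12:16].hex())
    print("received on the uplink :", ingress(wire, UPLINK_A7)[0])
    print("VLAN 30 tag on port a3 :", ingress(add_tag(FRAME, 30), ACCESS_A3))
```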

ARUBA Terminology

• Untagged Port (Access Port)
• Tagged Port (Trunk Port)

VLAN Configuration

By default all ports are access (untagged) ports.
A port can be a member of only one VLAN if it is an access port.
By default all ports are assigned to VLAN 1, the default VLAN.
When a VLAN is deleted, all its ports return to VLAN 1.
Aruba switches allow you to limit the number of active VLANs.
To create a VLAN, use the command:
(config)# vlan xxxx
To name a VLAN:
(config)# vlan <vid> name <vlan-name>
Verification commands:
show vlans
show vlans 30
show vlans port <port-id>

VLAN routing
(config)# ip routing
(config)# vlan <vid | vlan-name> ip address <ip-address>/<subnet-bits>

(config)# ip routing
(config)# vlan 10 ip address 10.1.10.1/24
(config)# vlan 10 ip address 10.1.10.1 255.255.255.0
write memory

Assignment of access ports to a vlan

ArubaOS(config)# vlan <vid | vlan-name> untag <port-list>


Or this way:
ArubaOS(config)# vlan <vid | vlan-name>
ArubaOS(vlan-id)# untag <port-list>

Assignment of tagged ports to a VLAN

Switches need to carry more than one VLAN between them, which is
why the ports that connect them are configured as tagged. These ports carry one or more
tagged VLANs and one untagged VLAN.
The configuration is done this way:

ArubaOS(config)# vlan <vid | vlan-name> tag <port-list>

Or this way:

ArubaOS(config)# vlan <vid | vlan-name>
ArubaOS(vlan-id)# tagged <port-list>

VLAN Configuration Example:

SwitchX(config)# vlan 20
SwitchX(vlan-20)# name Network
SwitchX(vlan-20)# untagged a3-a4
SwitchX(vlan-20)# tag a7
SwitchX(vlan-20)# exit
SwitchX(config)# vlan 30
SwitchX(vlan-30)# name Green
SwitchX(vlan-30)# untagged a1-a2
SwitchX(vlan-30)# tagged a7

SwitchY(config)# vlan 20
SwitchY(vlan-20)# name Network
SwitchY(vlan-20)# untagged to
SwitchY(vlan-20)# tagged a5
SwitchY(vlan-20)# exit
SwitchY(config)# vlan 30
SwitchY(vlan-30)# name Green
SwitchY(vlan-30)# untagged a2
SwitchY(vlan-30)# tagged a5
SwitchY(vlan-30)# exit
SwitchY(config)# vlan 40
SwitchY(vlan-40)# name White
SwitchY(vlan-40)# untagged a3-a4

[Figure: SwitchX, ports 1-6 untagged, port 7 Network VLAN untagged / Green VLAN tagged; SwitchY, ports 1-4 untagged, port 5 Network VLAN untagged / Green VLAN tagged]

VLAN verification
• Commands:
   o show vlans
   o show vlans <vid>
   o show vlans port <port-id>

ArubaOS# show vlans 30

 Status and Counters - VLAN Information - VLAN 30

  VLAN ID : 30
  Name : VLAN30
  Status : Port-based
  Voice : No
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  1                untagged Learn        Up
  21               Tagged   Learn        Up

ArubaOS# show vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name         | Status     Voice Jumbo
  1       DEFAULT_VLAN | Port-based No    No
  30      VLAN30       | Port-based No    No

There are commands to verify the VLAN configuration:
- show vlans: shows all VLANs configured on the switch
- show vlans <vlan-id>: shows the ports that are members of a VLAN
- show vlans port <port-id> detail: shows the VLAN membership of a port, with
details of whether it is tagged or untagged
- show ip: shows the IP interfaces, whether routing is enabled and the default gateway defined

Configuring IP addressing in a VLAN

To assign an IP address to a VLAN, use the following commands:

ArubaOS(config)# vlan <vid | vlan-name> ip address <ip-address>/<subnet-bits>

Or this way:

ArubaOS(config)# vlan <vid | vlan-name>
ArubaOS(vlan-id)# ip address <ip-address>/<subnet-bits>

ArubaOS(config)# vlan 10 ip address 10.1.10.1/24

5. Link Aggregation Settings

Aggregated links join two or more layer 2 interfaces with similar
characteristics to increase bandwidth. Among the benefits are:
- Improved load balancing
- Requires little configuration
- Greater bandwidth
- Provides redundancy
- Requires little tuning
- It is a logical interface between two devices.
Among the requirements to create an aggregated link are:
- The links must operate at the same speed
- They must operate in the same duplex mode, full duplex or half duplex
- They must use the same medium, fiber or UTP cable
- It is recommended that they have the same settings, such as VLAN
membership, Quality of Service, etc.
- Maximum 8 aggregated links
   o Manual: 8 links
   o LACP: 8 active links and 8 backup links
- Distributed links: 2 active links
Manual aggregated links
Aggregated links can be formed manually (static) or dynamically.
The static aggregated link is manually configured and maintained by the
administrator. It only recognizes ports that are configured as part of the link.
When configured statically, the switches do not send any type of communication
between themselves. An advantage is that it sets up very quickly. The
disadvantage is that it does not have link backup. Another disadvantage is
the risk of configuration errors.
Dynamic aggregated links
• Link Aggregation Control Protocol (LACP) = IEEE 802.1AX (formerly 802.3ad)
• LACP data units (LACPDUs) determine active links for the aggregation
• Advantages and disadvantages:
   o Advantage: Assurance that links are connected to the same peer, are part of the
   same aggregation, and are compatible
   o Disadvantage: More complex to configure and troubleshoot
[Figure: LACP peers exchange the system ID and key and check whether they match]
The dynamic aggregated link is automatically established and maintained by a
protocol between the two switches. The most used protocol is LACP 802.3ad or
802.1AX.
The advantage of a link configured in this way is that the protocol verifies that
the ports are compatible, and the changeover when there is a failure is automatic.
The main disadvantage of LACP is that it is more complex, and faults are harder to
find than between two devices without LACP.
Manual aggregated link configuration (static)

To configure an aggregated link, the following command is used:

ArubaOS(config)# trunk <port-list> <trunk-name> {lacp | trunk}
The word trunk is followed by the ports and the name of the virtual
interface, which takes the form trk1, trk2, trk3, etc.
This is an example:

ArubaOS(config)# trunk 21-22 trk1 trunk

It aggregates ports 21 and 22 into trk1, using the trunk option.

To assign an aggregated link to a VLAN:

ArubaOS(config)# vlan 10 tagged trk1

Verification of aggregated links

The following verification commands are used:
- show trunk: checks the aggregated links.
- show lacp: helps verify the operation of the switch ports.
- show log lacp: allows you to view the links aggregated with LACP.

6. HOW TO SEARCH FOR A MAC ON AN ARUBA SWITCH BY "SHOW MAC-ADDRESS" AND BY ARP IN ARUBA AND COMWARE

Search by MAC address

First, ping the address you are looking for. Then use:
show mac-address
show mac-address a1-a4,a6
show mac-address vlan 100
or menu, 1. Status and counters… 5. vlan address table

Search by IP address
show arp
ping xx.xx.xx.xx
show arp

7. HOW TO SEARCH FOR A SWITCH BY LLDP IN ARUBA

ProVision-1# show lldp info remote-device

 LLDP Remote Devices Information

  LocalPort | ChassisId          PortId  PortDescr  SysName
  1         | 2c 59 65 11 f5 00  13      13         HP-CORE
  19        | 7» 28 76 7b 7c     Gg...   Gigabi...

ProVision-1# show lldp info remote-device
 [ethernet] PORT-LIST  Show local or remote device information for
                       the specified ports.
 <cr>

Enable lldp
(config)# lldp run

Search for lldp
show lldp info remote-device
