Lab_Guide

The document is a lab guide for AOS-CX Switching Fundamentals, detailing various lab activities and tasks related to network switching and configuration. It includes instructions for testing lab connectivity, initial setup, VLAN configuration, spanning tree protocols, link aggregation, and more, aimed at providing hands-on experience with HPE Aruba networking equipment. The guide also contains legal notices, acknowledgments, and information about open source code related to the product.


AOS-CX Switching

Fundamentals

LAB GUIDE
Version: 24.31

Switching Series
© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice.
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Open Source Code


This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other
open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This
offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this
product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US
$10.00 to:

Hewlett Packard Enterprise Company


1701 E Mossy Oaks Rd
Spring, TX 77389
USA

Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and
services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions
contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with
FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over
and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments
All third-party marks are property of their respective owners.
Contents

Contents i
Lab 1: Testing lab connectivity 1
Task 1-1: Aruba Training Lab access 3
Task 1-2: Testing connectivity 4
Lab 2: Initial setup 7
Task 2-1: Reset switches to factory default 7
Task 2-2: Explore the AOS-CX switch CLI 11
Task 2-3: Configure initial settings 26
Task 2-4: Create and explore checkpoints 31
Lab 3.1: Configure a VLAN 35
Task 3.1-1: Assign PCs to VLAN 11 35
Task 3.1-2: Explore MAC address table 39
Task 3.1-3: Save your configurations 46
Lab 3.2: Add a second switch to the topology 49
Task 3.2-1: Configure initial settings on Access-2 49
Task 3.2-2: Enable link between access switches 54
Task 3.2-3: Assign PCs to VLAN 11 61
Task 3.2-4: Save your configurations 64
Lab 3.3: Add a core switch to the topology 67
Task 3.3-1: Add Core-1 to the topology 68
Task 3.3-2: Adding a second VLAN 74
Task 3.3-3: Save your configurations 82
Lab 4.1: Rapid Spanning Tree Protocol 83
Task 4.1-1: Add the redundant core switch and redundant links 84
Task 4.1-2: Verify the topology 89
Task 4.1-3: Test link failure 100

Task 4.1-4: Save your configurations 103
Lab 4.2: Deploying MSTP 105
Task 4.2-1: Configure an MST region 106
Task 4.2-2: Load balancing 109
Task 4.2-3: Save your configurations 120
Lab 4.3: Explore broadcast storm effects (optional) 121
Task 4.3-1: Pre-lab setup 121
Task 4.3-2: Create Layer 2 loop 124
Task 4.3-3: Contain a broadcast storm 129
Task 4.3-4: Preventing loops 130
Task 4.3-5: Save your configurations 132
Task 4.3-6: Revert Access-1 and Access-2 configuration 133
Lab 5: Link aggregation between core switches 135
Task 5-1: Configure manual link aggregation 136
Task 5-2: Configure dynamic link aggregation 142
Task 5-3: Save your configurations 148
Lab 6.1: Create an HPE Aruba Networking Virtual Switching Framework stack 151
Task 6.1-1: Deploy a VSF stack 152
Task 6.1-2: Configure distributed link aggregation 160
Task 6.1-3: Save your configurations 169
Lab 6.2: Configure an HPE Aruba Networking Virtual Switching eXtension environment 171
Task 6.2-1: Configure VSX 172
Task 6.2-2: Distributed LAG 179
Task 6.2-3: Save your configurations 186
Lab 6.3: Maintaining the VSF stack 189
Task 6.3-1: Secondary member 189
Task 6.3-2: Split brain detection 193
Task 6.3-3: Save your configurations 202

Lab 7: Layer 3 services 203
Task 7-1: Inter-VLAN routing 204
Task 7-2: Explore end-to-end packet delivery 212
Task 7-3: Add redundancy to the core layer 227
Task 7-4: Save your configurations 235
Lab 8: Static routes 237
Task 8-1: Add links to ISPs 238
Task 8-2: Adding static routes 240
Task 8-3: Redundancy with floating routes 247
Task 8-4: Save your configurations 252
Lab 9.1: Open Shortest Path First 255
Task 9.1-1: OSPF single area between cores 256
Task 9.1-2: Add the server switch 262
Task 9.1-3: Advertise LAN segments 273
Task 9.1-4: Testing services 276
Task 9.1-5: Save your configurations 281
Lab 9.2: OSPF advanced settings (optional) 283
Task 9.2-1: Cost-based path manipulation (traffic engineering) 283
Task 9.2-2: Passive interfaces 291
Task 9.2-3: Define point-to-point networks 297
Task 9.2-4: Make router ID routable 301
Task 9.2-5: Default network injection 303
Task 9.2-6: Save your configurations 308
Lab 10: Quality of Service 309
Task 10-1: Default QoS switch configuration 309
Task 10-2: Explore QoS markings 314
Task 10-3: Save your configurations 319
Lab 11: Network access security 321
Task 11-1: Prepare the environment 322
Task 11-2: RADIUS server setup 328

Task 11-3: Basic 802.1X authentication with a single user 330
Task 11-4: MAC-based authentication 341
Task 11-5: Save your configurations 343
Lab 12: Secure management access 345
Task 12-1: Management port 346
Task 12-2: Role Based Access Control 349
Task 12-3: RADIUS-based management 353
Task 12-4: Explore the AOS-CX Web UI 357
Task 12-5: Save your configurations 366

Lab 1: Testing lab connectivity

The HPE Aruba Networking Remote Training Lab provides you with the equipment you need for completing several lab activities. You should know the purpose of and access procedures to this equipment.
Objectives
After completing this lab, you will have all the information needed to support the hands-on labs in this
course.
Lab information
Your class has been assigned a pod and table numbers.
Your instructor will give you the information to access the specific remote lab. All students will have different logins. You will write down the information on your access to the remote lab in this section.
• Record your username and password login to the remote lab:
  ◦ Username: ___________
  ◦ Password: ___________
• Record your table number:
  ◦ Pod: ____________
  ◦ Table: ________________
Lab topology
The following lab topology will be used for your practical activities:



Lab equipment
The equipment needed to perform the labs successfully is as follows:
• PC1: This client is used for traffic analysis, connectivity testing, accessing the Web UI of your switches, and accessing the CLI of core switches and routers over SSH.
• PC3: This client is used for connectivity testing.
• PC4: This client is used for connectivity testing.
• Access-1 switch: This is a CX 6300 Series switch, one of your access switches.
• Access-2 switch: This is a CX 6300 Series switch, one of your access switches.
• Core-1 switch: This is a CX 8325 Series switch, one of your core switches.
• Core-2 switch: This is a CX 8325 Series switch, one of your core switches.
• OOBM switch: You have NO access to this switch.
• Router A: This is a router between the campus and the internet.
• Router B: This is a router providing redundant and secondary access to the internet.
• Data center switch: This is a shared resource, and you will access it over an SSH session.

• Windows server: You have NO access to this server, but you will access its webpage and download files running TFTP from PC1.
• HPE Aruba Networking ClearPass (CPPM): You have NO access to this server, but you will use it as an AAA server for your switches.

Task 1-1: Aruba Training Lab access


Objectives
In this task, you will verify your connectivity to the remote lab and ensure successful login, confirming
access to your remote lab equipment.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Enter your username and password (if you do not have one, ask your instructor for the credentials), and click the Sign in button.


3. Once logged in, you will be placed in the Remote Lab dashboard.


Task 1-2: Testing connectivity
Objectives
Test the connectivity and authentication credentials for each device. Working from the Aruba Training
Lab diagram, you will connect to and log into the access switches and your client PCs.
You will start learning to connect to the switch console using the Remote Lab dashboard.
Steps
1. At the remote lab topology, right-click the Access-1 switch icon and select Open Console.

2. A new browser tab should open with a blank, black screen.


3. Press Enter a couple of times, and you will see a user prompt.
4. Log in using admin and <no password – just press Enter>.
6300 login: admin
Password:
Last login: 2024-03-26 18:33:04 from the console
User "admin" has logged in 4 times in the past 30 days
6300#

5. Repeat steps 2 to 5 and connect to Access-2, Core-1, and Core-2.

TIP: You can keep each device connection in a separate browser tab and switch between them instead of visiting the topology each time you want to open a new connection.



Connecting to remote VMs
You will now learn to connect to the remote desktops.
6. Right-click the PC1 desktop icon and select Open desktop.


A new browser tab will open with the remote desktop.


It may take a few minutes for the PC desktop to come up. Also, if your Aruba Training Lab has been idle for a while after you log in, you may need to log out of the lab interface and log back in and then relaunch the desktop.

7. Repeat step 7 to connect to PC3 and PC4.

If you cannot connect to one of those devices, let your instructor know or open a Lab
support ticket.

You have completed Lab 1!



Lab 2: Initial setup


BigStartup is a small business that just started operations a few months ago. The owners have determined the need to rent a small portion of a nearby building's floor (the East Wing) from Cheap4Rent
Properties to house a new group of employees they just hired. These employees will use Windows PCs
and have a few networking connectivity requirements in their daily operations, such as printing and file
sharing. Because of this, you have been contacted to provide network consulting services and take care
of configuring and managing the switching equipment that BigStartup recently purchased.
Objectives
After completing this lab, you will be able to:
• Set your gear to factory values.
• Navigate through the AOS-CX CLI.
• Define a hostname on the Access-1 switch.
• Disable unused interfaces.
• Save the device's configuration and create checkpoints.
Lab topology

Task 2-1: Reset switches to factory default


Objectives
In this lab, you will verify that the Access-1 switch has the factory default configuration, simulating a
brand-new switch.



Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Enter your username and password (if you do not have one, ask your instructor for the credentials), and click the Sign in button.

3. Once logged in, you will be placed in the Remote Lab dashboard.

4. At the remote lab topology, right-click the Access-1 switch icon and select Open Console.



5. Log in to the switch using the following credentials:
• Username: admin
• Password: <no password—just press Enter>
Pod 54 Table 14 6300-A
6300 login: admin
Password:
Last login: 2024-03-26 18:40:35 from the console
User "admin" has logged in 5 times in the past 30 days
6300#

6. Verify that there is no saved configuration by entering the show startup-config command.
6300# show startup-config
startup-config doesn't exist


It is expected to receive the output "startup-config doesn't exist."
7. If you see a configuration displayed on your switch, it means that there is a previous configuration that needs to be deleted before you can proceed with the labs. In this case, move to step 8. However, if you receive a message stating that the configuration does not exist, you can move on to step 12.
Sample output of a switch with a previously saved configuration:
6300# show startup-config
Startup configuration:
!
!Version ArubaOS-CX FL.10.13.1000
!export-password: default
!
ssh server vrf default
ssh server vrf mgmt


vsf secondary-member 2
vsf member 1
type jl668a
link 1 1/1/26-1/1/27
link 2 1/1/25
vlan 1
spanning-tree
interface mgmt
no shutdown
ip dhcp
interface 1/1/1
<<Omitted output>>

8. Delete the saved configuration by entering the erase startup-config command; answer y to the
question to confirm the action.
6300# erase startup-config
This will clear all non-VSF configurations from the startup-config. Additionally,
if any VSF member is not present in the stack, this command will remove the VSF
configurations of such members as well.

Erase checkpoint startup-config ? (y/n): y

9. Repeat the command to show the startup configuration: show startup-config.


6300# show startup-config
startup-config doesn't exist

Notice that the saved configuration no longer exists.

10. Even though the saved configuration was erased, any configurations made are still active at the
switch's running configuration. To delete the current configuration and ensure that your switch is
at the factory default state, reboot your switch with the boot system command, answer n (no) to
the prompt to save the configuration, and answer y (yes) to confirm the reboot action.
6300# boot system
Checking if the configuration needs to be saved...

Do you want to save the current configuration (y/n)? n

Checking for updates needed to programmable devices...


Done checking for updates.

1 non-failsafe device(s) also need to be updated.


Please run the 'allow-unsafe-updates' command to enable these updates.

This will reboot the entire switch and render it unavailable


until the process is complete.


Continue (y/n)? y
The system is going down for reboot.

11. Wait a couple of minutes for your switch to boot.


12. Using the remote lab interface, connect to Access-2, Core-1, and Core-2 and repeat steps 5 to 10
to ensure all the switches are at the factory default state.

Task 2-2: Explore the AOS-CX switch CLI


Objectives
In this task, you will explore and familiarize yourself with the AOS-CX switch CLI. Do not be afraid to try
out different commands on the CLI: you will learn by experimenting!
Steps
1. Using the Remote Lab dashboard, open a console connection to Access-1.
2. Log in with the following credentials:
• Username: admin
• Password: <no password – just press Enter>
6300 login: admin
Password:
Last login: 2024-03-26 18:33:04 from the console
User "admin" has logged in 4 times in the past 30 days
6300#

Notice that, once logged in, you will be placed in the manager context indicated by
the switch prompt followed by a #.

Operator context (>)


The operator context (>) enables you to execute commands to view—but not
change—the configuration. The operator context requires the least user privilege to
execute commands. In command descriptions, this context is listed as: Operator (>)
Switch prompt example
switch>

Manager context (#)


From the manager context (#), you can execute commands that do not require saving changes to the configuration. In command descriptions, this context is listed as:
Manager (#)
Switch prompt example
switch#


Navigating to the manager context (#)
To navigate to the manager command context (#), do one of the following:
• Log in to the switch CLI with a user ID that has the administrator role.
• From the operator context (>), enter the enable command. You must have administrator authority to enter the enable command.
switch> enable
switch#
• From the configuration context (config), enter either the exit or the end command.
For example:
switch(config)# exit
switch#

Global configuration context (config)


From the global configuration context (config), you can execute commands that
change the configuration of the switch. In command descriptions, this context is listed as: config
Switch prompt example
switch(config)#

Navigating to the config context


To navigate to the config command context, do one of the following:
• From the manager context (#), enter the configure terminal command:
switch# configure terminal
switch(config)#
• From a child configuration context, enter the exit command.
For example:
switch(config-vlan-100)# exit
switch(config)#

3. Press the question mark (?) key to show the available commands that you can execute in the current command context.
6300# ?
aruba-central Configure Aruba-Central
auto-confirm Disables user confirmation, and executes the operation
without prompting
boot Reboot all or part of the system; configure default boot
parameters
checkpoint Checkpoint information


clear Reset functions
configure Configuration from vty interface
container Configure a container for add-on applications
copy Copy data or files to/from the switch
debug Configure debug logging
diagnostics Change diagnostic commands availability
disable Turn off privileged mode command
end End current mode and change to enable mode
erase Erase device information or files
erps ERPS Configuration.
exit Exit current mode and change to previous mode
feature-pack Manage software feature pack subscriptions
https-server HTTPS Server management
issu Perform an in-service software upgrade
led Set LED state
list Print command list
macsec Configure the MAC Security (MACsec) protocol
member VSF member selection
mfgread read MFG EEPROM
mfgwrite write MFG EEPROM
mtrace Multicast traceroute for tracing multicast routing path
from a receiver to a source
no Negate a command or set its defaults
page Enable page break
ping Send ping requests to test network connectivity
ping6 Send IPv6 ping requests to test network connectivity
port-access Port based network access.
repeat Repeat a list of commands from history
secure-mode Set the secure mode setting. Requires a zeroization to
change modes
show Show running system information
ssh Configure SSH.
start-shell Start Bash shell


switch Execute switch commands
terminal-monitor Enables Terminal-monitor
top Top command
traceroute Trace the route to a device on the network
traceroute6 Trace the route to a device on the network
usb Commands to control the USB Port
vsf Virtual Switching Framework (VSF) commands
write Write running configuration to memory, network, or terminal
6300#

The commands displayed by the help are those available at the current context level (manager). Page through the commands available at this level. Some important commands are:


• show, which enables you to examine current configuration parameters
• copy, which enables you to back up the switch configuration
• ping and traceroute, which are connectivity test tools

4. List the parameters available for the show command by typing show followed by ?.
6300# show ?
aaa Authentication, Authorization and Accounting
access-list Access control list (ACL)
accounting Show local accounting information
active-gateway Show active gateway settings
alias Short names configured for a set of commands
allow-unsafe-updates Show allowed non-failsafe updates
allow-unsupported-transceiver Show unsupported transceiver information
app-recognition Show application recognition information
arp Show IPv4 addresses from neighbor table
<<Omitted output>>

5. Enter the disable command.


6300# disable
6300>

How has the prompt changed?

Answer: This turns manager mode (context) on, taking you to the operator context. This means
only basic commands with no control over the device will be available.
6. Press the ? key to show the commands you can execute in the operator command context.
6300> ?
clear Reset functions
container Configure a container for add-on applications
enable Turn on privileged mode command
exit Exit current mode and change to previous mode
led Set LED state
list Print command list
mtrace Multicast traceroute for tracing multicast routing path from a
receiver to a source
no Negate a command or set its defaults
page Enable page break
ping Send ping requests to test network connectivity
ping6 Send IPv6 ping requests to test network connectivity
repeat Repeat a list of commands from history
show Show running system information
top Top command
traceroute Trace the route to a device on the network


traceroute6 Trace the route to a device on the network
user User account

The commands available in the manager and operator contexts differ. This serves as basic role-based access control, defining what operators can do when logged into the device.

7. Type enable and press Enter, which will turn privileged mode back on.
6300> enable
6300#

8. Type co, then press the Tab key twice to list commands that start with "co":
6300# co [tab] [tab]

What does the CLI display?

Answer: the CLI will display any commands starting with "co".
9. Type conf followed by a single [tab] press.
6300# configure

What has just happened to the command?

Answer: As no other command starts with "conf," the switch completes the configure command.

You can execute any command as soon as you have entered an unambiguous char-
acter string. For instance, conf [Enter] will have the same effect as configure [Enter].

10. Press the Enter key. This takes you to the global configuration mode, where you can start making changes that take immediate effect upon the device's configuration.
6300# configure
6300(config)#

11. Press the ? key to show the available commands that you can execute in the global config mode.
6300(config)# ?
aaa Configure Authentication, Authorization and
Accounting feature
access-list Access control list (ACL)
alias Create a short name for the specified
command(s).
allow-unsafe-updates Allow non-failsafe updates of programmable
devices
allow-unsupported-transceiver Allow unsupported transceivers
app-recognition Enable and configure application recognition


apply Apply a configuration record
aruba-central Configure Aruba-Central
banner Customize login banner
<<Omitted output>>

Notice that the commands available here differ from those in the previous CLI modes, because this context is where configuration changes are made.

12. Type interface 1/1/1, then press Enter. You will be moved to the interface sub configuration
mode.
6300(config)# interface 1/1/1
6300(config-if)#

13. Press the ? key. Again, you will see a different list of available commands for this subcontext.
6300(config-if)# ?
aaa Configure Authentication, Authorization and
Accounting feature
app-recognition Configure application recognition parameters
apply Apply a configuration record
arp Configure ARP commands
bfd Set BFD configuration
cdp Configure CDP operating mode
client Configure network client monitoring
description Add an interface description
dhcpv4-snooping Configure DHCPv4-Snooping
dhcpv6-snooping Configure DHCPv6-Snooping
downshift-enable Enable automatic speed downshift

14. Type end and press Enter.


6300(config-if)# end
6300#

What has just happened to the command prompt?

Answer: By entering end on any context level, the switch prompt will return to the operator context.
15. Next, you will enter a command that is invalid and then fix issues with it by using the command-recall feature. Enter this command exactly as shown: show hitory.
6300# show hitory
Invalid input: hitory

16. Recall the command by pressing the Up arrow key.


17. Go to the beginning of the command with the CTRL+a shortcut.
18. Go to the end of the command line with the CTRL+e shortcut.


19. With the Left and Right arrow keys, move your cursor to the correct position in "hitory" and
place the letter "s".
20. Press the Enter key at any time (no matter where your cursor is) to execute the command.
6300# show history
6 disable
5 enable
4 conf
3 int 1/1/1
2 end
1 show hitory

Repeating commands can be a useful way to enter similar commands more quickly, as
well as to correct mistakes in commands.

21. Enter show system and press the ? key.


6300# show system ?
interface-group Show interface group information
inventory Show installed hardware information
resource-utilization Utilization metrics of various system resources
serviceos Display serviceOS information
<cr>
6300# show system

The options available under show system are displayed. Notice the <cr> at the end.
This means that you can execute the command without supplying any further para-
meters.

22. View the system resource utilization on the switch.


6300# show system resource-utilization


System Resources:
Processes : 262
CPU usage(%) : 4
CPU usage(% average over 1 minute): 6
CPU usage(% average over 5 minute): 6
Memory usage(%) : 18
Open FD's : 2470
Storage 1: Endurance utilization = 0-10% (mmc-type-a), 0-10% (mmc-type-b), Health =
normal

Data written to various partitions since boot


Nos : 72 MB
Log : 6 MB
Coredump : 4 KB
Security : 664 KB


Selftest : 4 KB
Swap : 0 KB

Storage partition usage(%)


Nos : 20
Log : 2
Coredump : 1
Security : 1
Selftest : 1

Process                  CPU Usage(%)   Memory Usage(%)   Open FD's


-------------------------------------------------------------------------
(sd-pam) 0 0 7
aaautilscfgd 0 0 11
acctd 0 0 8
<<Omitted output>>

You will notice that a long output automatically populates, overrunning the screen
and not allowing you to read the first lines. You can use the page command to display
subsequent command outputs in portions, which gives you the ability to control
when to display the next page by pressing the space bar.

23. Use the page command followed by show system resource-utilization.


6300# page
6300# show system resource-utilization

System Resources:
Processes : 253
CPU usage(%) : 25
CPU usage(% average over 1 minute): 13
CPU usage(% average over 5 minute): 8
Memory usage(%) : 18
Open FD's : 2470
Storage 1: Endurance utilization = 0-10% (mmc-type-a), 0-10% (mmc-type-b), Health =
normal

Data written to various partitions since boot


Nos : 73 MB
Log : 6 MB
Coredump : 4 KB
Security : 720 KB
Selftest : 4 KB
Swap : 0 KB

Storage partition usage(%)


Nos : 20
Log : 2


Coredump : 1
Security : 1
-- MORE --, next page: Space, next line: Enter, quit: q

Now the show commands break their output into pages sized by the number of lines in the current terminal window. You may also specify the number of lines to be displayed at once.

What are the current CPU and memory utilization of the switch?

Alternatively, you can use the top CPU and top memory commands to display these numbers. A key difference between show system resource-utilization and the top commands is that the top commands list the processes using the most resources first. Also, the output displays each process's ID and status and the user running it (the system or a real user logged into the device).
High CPU utilization is a symptom of an unstable process or situation in the system, such as a Layer 2, Layer 3, or Layer 7 loop.
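The note above treats sustained high CPU as a loop symptom. The Python below is an added example (not part of the lab guide or of AOS-CX) that parses a captured copy of the show system resource-utilization output, extracts the summary counters and the per-process table, and flags which CPU figures exceed a threshold together with the top consumers; the sample text is constructed from the shape of the lab output, and its last two process rows are made up.

```python
"""Parse AOS-CX 'show system resource-utilization' output and flag hot CPU.

Added example for this lab, not part of the guide or of AOS-CX itself. The
sample below is constructed from the shape of the lab's output; the last two
process rows are made up so that one consumer stands out.
"""
import re

SAMPLE_OUTPUT = """\
System Resources:
Processes : 253
CPU usage(%) : 25
CPU usage(% average over 1 minute): 13
CPU usage(% average over 5 minute): 8
Memory usage(%) : 18
Open FD's : 2470

Process CPU Usage(%) Memory Usage(%) Open FD's
-------------------------------------------------------------------------
(sd-pam) 0 0 7
aaautilscfgd 0 0 11
acctd 0 0 8
example-daemon 21 3 40
example-db 3 5 120
"""

# One regex per summary line; all anchored to a line start (re.M).
_SUMMARY_FIELDS = {
    "processes": re.compile(r"^Processes\s*:\s*(\d+)", re.M),
    "cpu": re.compile(r"^CPU usage\(%\)\s*:\s*(\d+)", re.M),
    "cpu_1m": re.compile(r"^CPU usage\(% average over 1 minute\)\s*:\s*(\d+)", re.M),
    "cpu_5m": re.compile(r"^CPU usage\(% average over 5 minute\)\s*:\s*(\d+)", re.M),
    "memory": re.compile(r"^Memory usage\(%\)\s*:\s*(\d+)", re.M),
    "open_fds": re.compile(r"^Open FD's\s*:\s*(\d+)", re.M),
}

# A process row: name, CPU %, memory %, open file descriptors.
_PROC_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_resource_utilization(text):
    """Return (summary dict, list of per-process dicts) from the command output."""
    summary = {}
    for key, pattern in _SUMMARY_FIELDS.items():
        m = pattern.search(text)
        summary[key] = int(m.group(1)) if m else None

    processes = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_table = True      # the dashed rule separates header from rows
            continue
        if not in_table:
            continue
        m = _PROC_ROW.match(line)
        if m:
            processes.append({
                "name": m.group(1),
                "cpu": int(m.group(2)),
                "memory": int(m.group(3)),
                "open_fds": int(m.group(4)),
            })
    return summary, processes


def cpu_alerts(text, threshold=80, top_n=3):
    """Name the CPU metrics at or above threshold and the top CPU consumers.

    Both the 1- and 5-minute averages over the threshold is the sustained
    condition the lab describes; the instantaneous figure alone is noisier.
    """
    summary, processes = parse_resource_utilization(text)
    hot = [k for k in ("cpu", "cpu_1m", "cpu_5m")
           if summary.get(k) is not None and summary[k] >= threshold]
    # sorted() is stable, so equal CPU values keep their original order
    top = sorted(processes, key=lambda p: p["cpu"], reverse=True)[:top_n]
    return {
        "hot_metrics": hot,
        "sustained": "cpu_1m" in hot and "cpu_5m" in hot,
        "top_cpu": [p["name"] for p in top],
    }


if __name__ == "__main__":
    print(cpu_alerts(SAMPLE_OUTPUT, threshold=20))
```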

24. Press the space key a few times to scroll all the way down, or press the q key.
25. Try the show system command. This version of the command will also show the current hostname, description, SNMP contact and location, serial number, base MAC address, up time, and so forth.
6300# show system
Hostname : 6300
System Description : FL.10.13.1000
System Contact :
System Location :


Vendor : Aruba
Product Name : JL668A 6300F 24G 4SFP56 Sw
Chassis Serial Nbr : SG01KN701M
Base MAC Address : 104f58-fc1440
ArubaOS-CX Version : FL.10.13.1000

Time Zone : UTC

Up Time : 3 hours, 53 minutes


CPU Util (%) : 1
CPU Util (% avg 1 min) : 5
CPU Util (% avg 5 min) : 5
Memory Usage (%) : 18

What is the current hostname?


Answer: 6300
What is the chassis serial number?

Answer: It depends on your switch information. The previous example is showing the serial number as SG01KN701M.
What is the system base MAC address?

Answer: It depends on your switch information. The previous example is showing the MAC address 104f58-fc1440.
What is the system up time?

Answer: It depends on your switch information. The previous example is showing the up time as
3 hours, 53 minutes.
26. Enter the list command.
6300# list
show hostname
show domain-name
list
configure { terminal }
disable
exit
end
page
page <2-1000>
no page
show running-config {all}
show session-timeout
start-shell
auto-confirm
no auto-confirm
diagnostics
no diagnostics
show history {timestamp}
repeat { id <A:1-500>|count <1-1000>|delay <1-1000> }
show vrf
show vrf VRF
show dhcp client vendor-class-identifier
show ztp information
-- MORE --, next page: Space, next line: Enter, quit: q


The list command shows the right syntax for all commands available at the current
context along with their variants and extensions. This can be helpful for discovering
new commands and previewing their different forms.

27. Enter the show version command.


6300# show version
-----------------------------------------------------------------------------
ArubaOS-CX
(c) Copyright 2017-2024 Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version : FL.10.13.1000
Build Date : 2024-01-29 21:09:42 UTC
Build ID : ArubaOS-CX:FL.10.13.1000:7720573f9b1b:202401292046
Build SHA : 7720573f9b1b321e9916f3bd11b5fcf426fd5238
Hot Patches :
Active Image : primary

Service OS Version : FL.01.14.0002


BIOS Version : FL.01.0002

What main AOS-CX code version is running in the system?

Answer: FL.10.13.1000
28. Enter the show images command.
6300# show images
---------------------------------------------------------------------------
ArubaOS-CX Primary Image
---------------------------------------------------------------------------
Version : FL.10.13.1000

Size : 1036 MB
Date : 2024-01-29 21:09:42 UTC
SHA-256 : 8c9ef264a59c66932fec49163b13ce7d0294b498b972e8c4eed1dc19314021a6

---------------------------------------------------------------------------
ArubaOS-CX Secondary Image
---------------------------------------------------------------------------
Version : FL.10.05.0021
Size : 642 MB
Date : 2020-10-29 10:36:02 PDT
SHA-256 : 4c795e8c9eec5952645ded19cf9a2018deb545c7ed0221f32a1a5bd0d64ee5f6

Default Image : primary


Boot Profile Timeout : 5 seconds

------------------------------------------------------
Management Module 1/1 (Active)
------------------------------------------------------
Active Image : primary
Service OS Version : FL.01.14.0002
BIOS Version : FL.01.0002

How many images does the system support?

Answer: Two images are supported: primary and secondary. Keep in mind that either one can be
set as active for the switch boot process.
What is the default image?

Answer: It depends on your switch configuration. The example above is showing the primary
image as active.
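The SHA-256 values that show images prints are the way to confirm that an image file you are about to upload, or one already on the switch, is the build you expect. The following Python is an added example, not part of this lab guide or of AOS-CX: it parses a constructed copy of the show images output above (trimmed after the Default Image line) and compares a file's SHA-256 with the value reported for a slot. The image bytes used in the self-check are constructed; the only real values are the ones copied from the output above.

```python
"""Parse AOS-CX `show images` output and check an image file against the
SHA-256 the switch reports.  Added example; not code from the lab guide or
from HPE Aruba Networking.  SHOW_IMAGES_SAMPLE is a constructed copy of the
lab output above, trimmed after the Default Image line."""
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

SHOW_IMAGES_SAMPLE = """\
---------------------------------------------------------------------------
ArubaOS-CX Primary Image
---------------------------------------------------------------------------
Version : FL.10.13.1000
Size : 1036 MB
Date : 2024-01-29 21:09:42 UTC
SHA-256 : 8c9ef264a59c66932fec49163b13ce7d0294b498b972e8c4eed1dc19314021a6

---------------------------------------------------------------------------
ArubaOS-CX Secondary Image
---------------------------------------------------------------------------
Version : FL.10.05.0021
Size : 642 MB
Date : 2020-10-29 10:36:02 PDT
SHA-256 : 4c795e8c9eec5952645ded19cf9a2018deb545c7ed0221f32a1a5bd0d64ee5f6

Default Image : primary
"""

_SLOT = re.compile(r"^ArubaOS-CX (Primary|Secondary) Image$")
_FIELD = re.compile(r"^(Version|Size|Date|SHA-256)\s*:\s*(.+)$")
_DEFAULT = re.compile(r"^Default Image\s*:\s*(\S+)$")


def parse_show_images(text: str) -> Tuple[Dict[str, Dict[str, str]], Optional[str]]:
    """Return ({"primary": {...}, "secondary": {...}}, default_slot).

    Each slot dict carries the keys version, size, date and sha256."""
    slots: Dict[str, Dict[str, str]] = {}
    default_slot: Optional[str] = None
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SLOT.match(line)
        if m:
            current = m.group(1).lower()
            slots[current] = {}
            continue
        m = _DEFAULT.match(line)
        if m:
            default_slot = m.group(1)
            current = None          # fields after this line belong to no slot
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            key = m.group(1).lower().replace("-", "")   # "SHA-256" -> "sha256"
            slots[current][key] = m.group(2).strip()
    return slots, default_slot


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory image, the digest `show images` prints."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a large image file through SHA-256 instead of loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Compare two hex digests without stopping at the first differing byte."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


if __name__ == "__main__":
    slots, default_slot = parse_show_images(SHOW_IMAGES_SAMPLE)
    for name, fields in slots.items():
        print(f"{name:9s} {fields['version']:15s} {fields['sha256']}")
    print("default:", default_slot)
    # Constructed stand-in for a downloaded image file (not a real AOS-CX image).
    blob = b"constructed image bytes"
    print("self-check:", digest_matches(sha256_hex(blob), sha256_hex(blob)))
```

To check a downloaded image, run sha256_of_file on it and compare with digest_matches against the hash the switch reports for the slot you intend to boot; a mismatch means the file is not the build the switch describes.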
29. Enter the show capacities command.
6300# show capacities
System Capacities:
Capacities Name Value
----------------------------------------------------------------------------------------
<<Omitted output>>
Maximum number of entries in an Access Control List 8000
Maximum number of entries in a class 1000
Maximum number of entries in an Object Group 1024
Maximum number of entries in a policy 128
<<Omitted output>>
Maximum number of classifier policies configurable in a system 4000
Maximum number of IPv4 neighbors(# of ARP entries) supported in the system 49152
Maximum number of IPv6 neighbors(# of ND entries) supported in the system 49152
Maximum number of Keychains supported in the system 64
Maximum number of Keys supported in a single Keychain 64
Maximum number of Keys supported in the system 4096
Maximum number of L2 MAC addresses supported in the system 32768
<<Omitted output>>
Maximum number of routes (IPv4+IPv6) on the system 66046
Maximum number of IPv4 routes on the system 65536
Maximum number of IPv6 routes with prefix 0-64 61440
Maximum number of IPv6 routes with prefix 65-127 510
Maximum number of VLANs supported in the system 4094
Maximum number of VLAN Translation rules supported 4000
<<Omitted output>>

What is the maximum number of access control entries per access list supported in the system?

Answer: 8000
What is the maximum number of MAC addresses supported in the system?

Answer: 32,768
What is the maximum number of IP routes (IPv4 and IPv6 combined) supported in the system?

Answer: 66,046
What is the maximum number of VLANs supported in the system?

Answer: 4094

A similar command, show capacities-status, displays similar information plus the amount of resources/entries already consumed by the current device state.

Note that the system capacity varies based on the switch model. HPE Aruba Networking switch families CX 6400 Series, CX 8100 Series, CX 8300 Series, CX 9300 Series, and CX 10000 Series can be configured with a profile. System profiles set the overall capabilities and capacities of the switch, such as the size of the hardware forwarding table, based on the profile selected at boot time.
System profiles provide you with the flexibility to configure switches based on their location in the network (for example, core, spine, leaf). When a switch boots without a profile specifically configured, it boots with the default profile. When a switch is configured with a non-default profile, the switch requires a reboot for the profile to be applied.
Examples of profiles supported by the CX 8100 Series, CX 83xx Series, CX 9300 Series, and CX 10000 Series are:
• L3-agg: Optimizes for Layer 3 forwarding with more table space allocated to host (ARP/ND) entries.
• L3-core (the default on the CX 8320 Series): Optimizes for Layer 3 forwarding with more table space allocated to route entries.
• Leaf (the default on the CX 8325 Series, CX 9300 Series, and CX 10000 Series): Optimizes for Layer 2 forwarding with more table space allocated to overlay host entries (VXLAN).
• Spine: Optimizes for Layer 3 forwarding with more table space allocated to route entries.

30. Execute the show interface 1/1/1 command.

6300# show interface 1/1/1

Interface 1/1/1 is up
Admin state is up
Link state: up for 3 days (since Thu Mar 28 15:12:51 UTC 2024)
Link transitions: 1
Description:
Persona:
Hardware: Ethernet, MAC Address: 10:4f:58:fc:14:67
MTU 1500
Type 1GbT
Full-duplex
qos trust none
Speed 1000 Mb/s
Auto-negotiation is on
Energy-Efficient Ethernet is disabled
Flow-control: off
Error-control: off
MDI mode: MDI
VLAN Mode: access
Access VLAN: 1
Rate collection interval: 300 seconds

Rate             RX                   TX                   Total (RX+TX)
---------------- -------------------- -------------------- --------------------
Mbits / sec 0.00 0.00 0.00
KPkts / sec 0.00 0.00 0.00
Unicast 0.00 0.00 0.00
Multicast 0.00 0.00 0.00
Broadcast 0.00 0.00 0.00
Utilization % 0.00 0.00 0.00

Statistic RX TX Total
---------------- -------------------- -------------------- --------------------
Packets 0 317196 317196
Unicast 0 0 0
Multicast 0 231115 231115
Broadcast 0 86081 86081
Bytes 0 61423830 61423830
Jumbos 0 0 0
Dropped 0 0 0
Pause Frames 0 0 0
Errors 0 0 0
CRC/FCS 0 n/a 0
Collision n/a 0 0
Runts 0 n/a 0
Giants 0 n/a 0

What is the interface type?

Answer: 1GbT, which means 1 Gigabit Ethernet BASE-T.
31. Now try the show interface 1/1/28 command.
6300# show interface 1/1/28

Interface 1/1/28 is down
Admin state is up
State information: Waiting for link
Link state: down for 4 days (since Thu Mar 28 15:12:51 UTC 2024)
Link transitions: 0
Description:
Persona:
Hardware: Ethernet, MAC Address: 10:4f:58:fc:14:4d
MTU 1500
Type 10G-DAC1 / 10G SFP+ 1m DAC
Full-duplex
qos trust none
Speed 0 Mb/s
Auto-negotiation is off
Flow-control: off
Error-control: off
VLAN Mode: access
Access VLAN: 1
Rate collection interval: 300 seconds
<<Omitted output>>

What is the interface type?

Answer: 10G-DAC1 / 10G SFP+ 1m DAC; it is a 10 Gigabit Direct Attach Cable with 1 meter length.

Interfaces 1/1/25 to 1/1/28 in a 24-port switch model and 1/1/49 to 1/1/52 in a 48-port switch model are SFP+ 25 Gig capable interfaces that support either transceivers or Direct Attached Cables (DACs). In this case, port 28 has a 10 Gig DAC attached.

32. Execute the show interface transceiver command.


6300# show interface transceiver
-------------------------------------------------------------------------
Port     Type       Product   Serial       Part
                    Number    Number       Number
-------------------------------------------------------------------------
1/1/25   10G-DAC1   J9281D    CN99KBZDX3   8121-1300
1/1/26   10G-DAC1   J9281D    CN99KBZC4H   8121-1300
1/1/27   10G-DAC1   J9281D    CN99KBZC6P   8121-1300
1/1/28   10G-DAC1   J9281D    CN99KBZCDD   8121-1300

Task 2-3: Configure initial settings


Objectives
In this task, you will explore the AOS-CX configuration script and make minor customization changes,
such as setting a hostname, setting interface descriptions, and disabling unused ports. You will also ask
the system to display the event log contents.
Steps
1. Using the Remote lab dashboard, open a console connection to Access-1.
2. Log in with the following credentials:
• Username: admin
• Password: <no password – just press Enter>
3. Issue the show running-config command to display the current configuration of the system.
6300# show running-config
Current configuration:
!
!Version ArubaOS-CX FL.10.13.1000
!export-password: default
!
!
!
!
!
!
ssh server vrf default
ssh server vrf mgmt
vsf secondary-member 2
vsf member 1
type jl668a
link 1 1/1/26-1/1/27
link 2 1/1/25
vlan 1
spanning-tree
interface mgmt
no shutdown
ip dhcp
interface 1/1/1
no shutdown
no routing
vlan access 1
interface 1/1/2
no shutdown
no routing
vlan access 1

<<Omitted output>>

interface 1/1/27
no shutdown
interface 1/1/28
no shutdown
no routing
vlan access 1
interface vlan 1
ip dhcp
!
!
!
!
!
https-server vrf default
https-server vrf mgmt

You will notice that most portions of the configuration are shown by listing the
switch ports and their settings. The code version and actual admin account are listed
first.

4. Enter the configuration context by entering the configure terminal command.


6300# configure terminal
6300(config)#

5. Change the switch's hostname to Access-1.

6300(config)# hostname Access-1
Access-1(config)#

Notice that the device prompt has changed to the new hostname, Access-1.

6. Set the console session timeout to one day (1440 minutes) to prevent a logout during the lab activities.
Access-1(config)# session-timeout 1440

7. Use the show interface brief command to display a table of ports and their most relevant settings.
Access-1(config)# show interface brief
------------------------------------------------------------------------------------------
Port     Native  Mode    Type      Enabled  Status  Reason            Speed   Description
         VLAN                                                         (Mb/s)
------------------------------------------------------------------------------------------
1/1/1    1       access  1GbT      yes      up                        1000    --
1/1/2    1       access  1GbT      yes      down    Waiting for link  --      --
1/1/3    1       access  1GbT      yes      up                        1000    --
1/1/4    1       access  1GbT      yes      down    Waiting for link  --      --

<<Omitted output>>

1/1/24   1       access  1GbT      yes      down    Waiting for link  --      --
1/1/25   --      VSF     10G-DAC1  yes      down    Waiting for link  --      --
1/1/26   --      VSF     10G-DAC1  yes      down    Waiting for link  --      --
1/1/27   --      VSF     10G-DAC1  yes      down    Waiting for link  --      --
1/1/28   1       access  10G-DAC1  yes      down    Waiting for link  --      --
vlan1    --      --      --        yes      up                        --      --

What are the port's Mode values?

Answer: Port modes show the port's operational mode. Access ports transmit and receive a single untagged VLAN. Trunk ports can carry multiple tagged VLANs on the same link. VSF ports stack switches using VSF.
What ports are enabled?

Answer: By default, all ports are enabled on CX 6000 Series switches.

Notice that the CX 6000 Series switch family has all their ports configured as Layer 2
interfaces and enabled by default. Meanwhile, all CX 8xxx Series, CX 9300 Series, and
CX 10000 Series switches have administratively disabled ports and are configured as
routed ports.

8. You will now disable switch ports to simulate a single-switch topology using the switch Access-1 and two clients.

9. To configure or disable a single port, enter the interface configuration context by entering the interface 1/1/2 command.
Access-1(config)# interface 1/1/2
Access-1(config-if)#

10. Disable the port with the shutdown command and return to the configuration context by entering
exit.
Access-1(config-if)# shutdown
Access-1(config-if)# exit
Access-1(config)#

To configure a contiguous port range, enter the interface <LOW_PORT_NUM>-<HIGH_PORT_NUM> command. For example, interface 1/1/4-1/1/6 will allow the configuration of interfaces 1/1/4, 1/1/5, and 1/1/6 all at once.

11. Disable ports 1/1/4 to 1/1/24.

Access-1(config)# interface 1/1/4-1/1/24
Access-1(config-if-<1/1/4-1/1/24>)# shutdown
Access-1(config-if-<1/1/4-1/1/24>)# exit
Access-1(config)#

12. Disable ports 1/1/25, 1/1/26, 1/1/27, and 1/1/28.

Access-1(config)# interface 1/1/25
Access-1(config-if)# shutdown
Access-1(config-if)# interface 1/1/26
Access-1(config-if)# shutdown
Access-1(config-if)# interface 1/1/27
Access-1(config-if)# shutdown
Access-1(config-if)# interface 1/1/28
Access-1(config-if)# shutdown
Access-1(config-if)# exit

13. Enter the show interface brief command again.


Access-1(config)# show interface brief
--------------------------------------------------------------------------------------------
Port     Native  Mode    Type      Enabled  Status  Reason                 Speed   Description
         VLAN                                                              (Mb/s)
--------------------------------------------------------------------------------------------
1/1/1    1       access  1GbT      yes      up                             1000    --
1/1/2    1       access  1GbT      no       down    Administratively down  --      --
1/1/3    1       access  1GbT      yes      up                             1000    --
1/1/4    1       access  1GbT      no       down    Administratively down  --      --

<<Omitted output>>

1/1/25   1       access  10G-DAC1  no       down    Administratively down  --      --
1/1/26   1       access  10G-DAC1  no       down    Administratively down  --      --
1/1/27   1       access  10G-DAC1  no       down    Administratively down  --      --
1/1/28   1       access  10G-DAC1  no       down    Administratively down  --      --
vlan1    --      --      --        yes      up                             --      --

What are the Enabled, Status, and Reason values for ports 1/1/27 and 1/1/28 now?

Answer: "no," "down," and "Administratively down," meaning that they were disabled (shut down)
by the administrator.
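Steps 7 to 13 disable, by hand, every port that is enabled but has no link, which is the usual hardening step for unused access ports. The following Python is an added example, not code from this lab guide or from HPE Aruba Networking: it parses a constructed copy of the show interface brief output (with the omitted middle ports reduced to 1/1/5 and 1/1/6), lists the ports that are enabled but down, emits the interface/shutdown lines in the range form used in step 11, and confirms from the after output that nothing is left enabled without a link. A keep list lets you exclude ports that are meant to stay enabled, such as uplinks expected to come up later.

```python
"""Spot enabled-but-down ports in AOS-CX `show interface brief` output and
build the interface/shutdown lines the lab applies by hand.
Added example; not code from the lab guide or from HPE Aruba Networking.
BEFORE_SAMPLE and AFTER_SAMPLE are constructed from the lab's outputs, with
the omitted middle ports reduced to 1/1/5 and 1/1/6."""
import re
from typing import Dict, Iterable, List, Tuple

BEFORE_SAMPLE = """\
Port     Native  Mode    Type      Enabled  Status  Reason            Speed   Description
         VLAN                                                         (Mb/s)
------------------------------------------------------------------------------------------
1/1/1    1       access  1GbT      yes      up                        1000    --
1/1/2    1       access  1GbT      yes      down    Waiting for link  --      --
1/1/3    1       access  1GbT      yes      up                        1000    --
1/1/4    1       access  1GbT      yes      down    Waiting for link  --      --
1/1/5    1       access  1GbT      yes      down    Waiting for link  --      --
1/1/6    1       access  1GbT      yes      down    Waiting for link  --      --
1/1/24   1       access  1GbT      yes      down    Waiting for link  --      --
1/1/25   --      VSF     10G-DAC1  yes      down    Waiting for link  --      --
1/1/26   --      VSF     10G-DAC1  yes      down    Waiting for link  --      --
1/1/27   --      VSF     10G-DAC1  yes      down    Waiting for link  --      --
1/1/28   1       access  10G-DAC1  yes      down    Waiting for link  --      --
vlan1    --      --      --        yes      up                        --      --
"""

AFTER_SAMPLE = """\
1/1/1    1       access  1GbT      yes      up                             1000    --
1/1/2    1       access  1GbT      no       down    Administratively down  --      --
1/1/3    1       access  1GbT      yes      up                             1000    --
1/1/4    1       access  1GbT      no       down    Administratively down  --      --
1/1/28   1       access  10G-DAC1  no       down    Administratively down  --      --
vlan1    --      --      --        yes      up                             --      --
"""

_PHYSICAL = re.compile(r"^(\d+)/(\d+)/(\d+)$")   # member/slot/port


def parse_interface_brief(text: str) -> List[Dict[str, object]]:
    """One dict per table row.  The first six and the last two columns are
    single tokens; whatever lies between them is the Reason column, which may
    be several words or empty.  Assumes descriptions contain no spaces, which
    holds for the lab's outputs."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or not (_PHYSICAL.match(t[0]) or t[0].startswith("vlan")):
            continue   # banners, column headings and separators
        rows.append({
            "port": t[0], "vlan": t[1], "mode": t[2], "type": t[3],
            "enabled": t[4] == "yes", "status": t[5],
            "reason": " ".join(t[6:-2]), "speed": t[-2], "description": t[-1],
        })
    return rows


def unused_enabled_ports(rows: List[Dict[str, object]], keep: Iterable[str] = ()) -> List[str]:
    """Physical ports that are enabled but have no link: the ones the lab shuts down.
    `keep` names ports that must stay enabled, e.g. uplinks expected to come up later."""
    keep_set = set(keep)
    return [str(r["port"]) for r in rows
            if _PHYSICAL.match(str(r["port"])) and r["enabled"] and r["status"] == "down"
            and r["port"] not in keep_set]


def _key(port: str) -> Tuple[int, int, int]:
    m = _PHYSICAL.match(port)
    assert m is not None, port
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def port_ranges(ports: Iterable[str]) -> List[str]:
    """Collapse consecutive ports within one member/slot into the LOW-HIGH
    form the CLI accepts: ['1/1/4', '1/1/5', '1/1/6'] -> ['1/1/4-1/1/6']."""
    runs: List[List[int]] = []          # each run is [member, slot, low, high]
    for member, slot, num in sorted(_key(p) for p in ports):
        if runs and runs[-1][:2] == [member, slot] and runs[-1][3] == num - 1:
            runs[-1][3] = num
        else:
            runs.append([member, slot, num, num])
    return [f"{m}/{s}/{lo}" if lo == hi else f"{m}/{s}/{lo}-{m}/{s}/{hi}"
            for m, s, lo, hi in runs]


def shutdown_commands(ports: Iterable[str]) -> List[str]:
    """Lines to enter at the (config)# prompt, one interface context per range."""
    lines: List[str] = []
    for rng in port_ranges(ports):
        lines += [f"interface {rng}", "shutdown"]
    if lines:
        lines.append("exit")
    return lines


if __name__ == "__main__":
    before = parse_interface_brief(BEFORE_SAMPLE)
    print("\n".join(shutdown_commands(unused_enabled_ports(before))))
    # After the change nothing should be left enabled without a link.
    print("still enabled and down:", unused_enabled_ports(parse_interface_brief(AFTER_SAMPLE)))
```

Running the block on the before sample prints interface 1/1/2, interface 1/1/4-1/1/6 and interface 1/1/24-1/1/28, each followed by shutdown; re-parsing the after sample returns an empty list, which is the check you would repeat whenever a new show interface brief is captured.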
14. Verify the switch event log with the show events -r -n 10 command.
Access-1(config)# show events -r -n 10
---------------------------------------------------
Event logs from current boot
---------------------------------------------------
2024-04-01T19:20:04.699018+00:00 Access-1 lldpd[3912]: Event|106|LOG_INFO|CDTR|1|LLDP neighbor 90:20:c2:c0:25:00 deleted on 1/1/21
2024-04-01T19:19:55.236444+00:00 Access-1 lldpd[3912]: Event|106|LOG_INFO|CDTR|1|LLDP neighbor 90:20:c2:c0:5c:00 deleted on 1/1/22
2024-04-01T19:18:02.046584+00:00 Access-1 hpe-mstpd[4140]: Event|2006|LOG_INFO|CDTR|1|CST - Root changed from 4096: 90:20:c2:c0:25:00 to 32768: 10:4f:58:fc:14:40
2024-04-01T19:18:01.944398+00:00 Access-1 intfd[813]: Event|404|LOG_INFO|UKWN|1|Link status for interface 1/1/22 is down - Administratively down
2024-04-01T19:18:01.934688+00:00 Access-1 intfd[813]: Event|404|LOG_INFO|UKWN|1|Link status for interface 1/1/21 is down - Administratively down
<<Omitted output>>

What link status messages can you see at the top related to ports 1/1/27 and 1/1/28?

Answer: The link status for interfaces 1/1/21 and 1/1/22 is now Administratively down.
What other messages in the event log do you get?

Answer: LLDP neighbors were deleted.

You should see notifications informing you that Link Layer Discovery Protocol (LLDP) neighbors have been deleted because the ports have been disabled. Also, since AOS-CX switches periodically attempt to contact the Aruba Activate Cloud service and the switch has no internet connectivity, the device complains that the service is unreachable.
Many show commands accept additional parameters that filter their output. In this example, the -r parameter lists the most recent events first, and -n 10 displays only the last 10 entries in the log.
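The event entries above share one line format, which makes them easy to turn into alerts once the log is exported to a collector. The following Python is an added example, not code from this lab guide or from HPE Aruba Networking: it parses a constructed copy of the five entries shown above (each re-joined onto a single line), then extracts the interfaces reported administratively down, the LLDP neighbors deleted, and the spanning-tree root change. In this lab the root change is a side effect of the ports you just shut down; in production a root change that does not line up with planned work is worth an alert, because a different bridge has won the election.

```python
"""Parse AOS-CX `show events` output and pull out what a defender wants to
notice: interfaces taken down administratively, LLDP neighbors that
disappeared, and spanning-tree root changes.
Added example; not code from the lab guide or from HPE Aruba Networking.
EVENTS_SAMPLE is a constructed copy of the lab's five entries above, each
re-joined onto a single line."""
import re
from typing import Dict, List, Optional, Tuple

EVENTS_SAMPLE = """\
---------------------------------------------------
Event logs from current boot
---------------------------------------------------
2024-04-01T19:20:04.699018+00:00 Access-1 lldpd[3912]: Event|106|LOG_INFO|CDTR|1|LLDP neighbor 90:20:c2:c0:25:00 deleted on 1/1/21
2024-04-01T19:19:55.236444+00:00 Access-1 lldpd[3912]: Event|106|LOG_INFO|CDTR|1|LLDP neighbor 90:20:c2:c0:5c:00 deleted on 1/1/22
2024-04-01T19:18:02.046584+00:00 Access-1 hpe-mstpd[4140]: Event|2006|LOG_INFO|CDTR|1|CST - Root changed from 4096: 90:20:c2:c0:25:00 to 32768: 10:4f:58:fc:14:40
2024-04-01T19:18:01.944398+00:00 Access-1 intfd[813]: Event|404|LOG_INFO|UKWN|1|Link status for interface 1/1/22 is down - Administratively down
2024-04-01T19:18:01.934688+00:00 Access-1 intfd[813]: Event|404|LOG_INFO|UKWN|1|Link status for interface 1/1/21 is down - Administratively down
"""

# <timestamp> <hostname> <daemon>[<pid>]: Event|<event id>|<severity>|<f1>|<f2>|<message>
# f1 and f2 are two fields the lab does not explain; they are kept verbatim.
_EVENT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"Event\|(?P<event_id>\d+)\|(?P<severity>\w+)\|(?P<f1>\w+)\|(?P<f2>\w+)\|(?P<msg>.*)$"
)
_ADMIN_DOWN = re.compile(r"Link status for interface (\S+) is down - Administratively down")
_LLDP_DELETED = re.compile(r"LLDP neighbor (\S+) deleted on (\S+)")
_ROOT_CHANGE = re.compile(r"Root changed from (\d+): (\S+) to (\d+): (\S+)")

Event = Dict[str, str]


def parse_event(line: str) -> Optional[Event]:
    """Fields of one event line, or None for banners and separators."""
    m = _EVENT.match(line.strip())
    return m.groupdict() if m else None


def parse_events(text: str) -> List[Event]:
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def admin_down_interfaces(events: List[Event]) -> List[str]:
    """Interfaces reported down because an administrator shut them."""
    found = []
    for e in events:
        m = _ADMIN_DOWN.search(e["msg"])
        if m:
            found.append(m.group(1))
    return found


def lldp_neighbors_deleted(events: List[Event]) -> List[Tuple[str, str]]:
    """(neighbor identifier as logged, local port) for each deleted LLDP neighbor."""
    found = []
    for e in events:
        m = _LLDP_DELETED.search(e["msg"])
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def root_changes(events: List[Event]) -> List[Tuple[int, str, int, str]]:
    """(old priority, old root MAC, new priority, new root MAC).
    A root change nobody planned deserves an alert: a different bridge now wins
    the election, whether through misconfiguration or an unexpected device."""
    found = []
    for e in events:
        m = _ROOT_CHANGE.search(e["msg"])
        if m:
            found.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return found


def oldest_first(events: List[Event]) -> List[Event]:
    """`show events -r` prints newest first; the ISO timestamps sort back into order."""
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    evs = parse_events(EVENTS_SAMPLE)
    for e in oldest_first(evs):
        print(e["ts"], e["daemon"], e["event_id"], e["msg"])
    print("admin down:", admin_down_interfaces(evs))
    print("LLDP deleted:", lldp_neighbors_deleted(evs))
    print("root changes:", root_changes(evs))
```

Sorting oldest first shows the causal order the -r option hides: the two interfaces go administratively down, the root bridge seen through them is lost and the election moves to 10:4f:58:fc:14:40 at priority 32768 (the base MAC of this switch, as shown by show system), and the LLDP neighbors on those ports age out afterwards.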

15. Define interface descriptions for ports 1/1/1 and 1/1/3. Do not leave interface 1/1/3 yet.
Access-1(config)# interface 1/1/1
Access-1(config-if)# description To_PC1

Access-1(config-if)# interface 1/1/3
Access-1(config-if)# description To_PC3

Navigating between interface contexts is possible without returning to the configuration context. The CLI help will not complete the command, as this is not a command available at the context level.

16. At the interface 1/1/3 context level, enter the show running-config current-context command.
Access-1(config-if)# show running-config current-context
interface 1/1/3
description To_PC3
no shutdown
no routing
vlan access 1
exit

This command is a shortcut for displaying only the commands available at the con-
text/subcontext level. Get used to it, since it is of great use when configuring and
editing ports, protocols, access control lists, and so forth.

17. Enter the show interface 1/1/3 command, followed by | include Description.
Access-1(config-if)# show interface 1/1/1 | include Description
Description: To_PC1

The pipe (|) command filters the output of show commands according to the criteria specified by the include, exclude, count, begin, or redirect parameters.
Strings of characters that follow the filtering tool (for example, "Description" in the preceding command) are case sensitive. Typing the wrong capitalization may lead to the absence of output.

18. Enter end to return to the manager context.


Access-1(config-if)# end
Access-1#

Task 2-4: Create and explore checkpoints


Objectives
You have made some configuration changes in 6300-A; now is a good time to keep those changes
stored in the system and protect them from any power cycle events. Next, you will explore checkpoints,
see how they are created, and make your own to save your progress.

Steps
1. Using the Remote lab dashboard, open a console connection to Access-1.
2. Log in with the following credentials:
• Username: admin
• Password: <no password – just press Enter>
3. Verify the existing checkpoints.
Access-1# show checkpoint
NAME TYPE WRITER DATE(YYYY/MM/DD) IMAGE VERSION
CPC20240401194222_Access-1_6300 latest System 2024-04-01T19:42:22Z FL.10.13.1000
CPC20240401191802_Access-1_6300 checkpoint System 2024-04-01T19:18:02Z FL.10.13.1000
CPC20240401190614_Access-1_6300 checkpoint System 2024-04-01T19:06:14Z FL.10.13.1000
CPC20240401183236_Access-1_6300 checkpoint System 2024-04-01T18:32:36Z FL.10.13.1000
Access-1#

How many entries did you get?

Answer: It depends on your switch and previous students. It may vary from a few to dozens.

AOS-CX systems are 100% database driven. This means that the configuration scripts you save are stored in a local database instead of a regular configuration file. The database is tracked continuously: any configuration change followed by a five-minute idle period is automatically stored as a new checkpoint, which can later be used to back up or restore the running configuration state of the system.
On-demand checkpoints can be generated by saving the running configuration or by creating custom checkpoints.

Notice that those are sample outputs. Results may vary between switches depending
on the use of the switch and activities.

4. Save the current switch configuration using the write memory command.
Access-1# write memory
Copying configuration: [Success]
Access-1#

5. List the switch checkpoints again.


Access-1# show checkpoint
NAME TYPE WRITER DATE(YYYY/MM/DD) IMAGE VERSION
startup-config startup User 2024-04-01T20:11:21Z FL.10.13.1000
CPC20240401194222_Access-1_6300 latest System 2024-04-01T19:42:22Z FL.10.13.1000
CPC20240401191802_Access-1_6300 checkpoint System 2024-04-01T19:18:02Z FL.10.13.1000

CPC20240401190614_Access-1_6300 checkpoint System 2024-04-01T19:06:14Z FL.10.13.1000
CPC20240401183236_Access-1_6300 checkpoint System 2024-04-01T18:32:36Z FL.10.13.1000

Is there any new checkpoint?

What is its name?

Answer: Yes, checkpoint startup-config was created.


6. Create a checkpoint called Lab2 using the running configuration as the source.
Access-1# copy running-config checkpoint Lab2
Copying configuration: [Success]
Access-1#

7. List the switch checkpoints one more time.


Access-1# show checkpoint
NAME TYPE WRITER DATE(YYYY/MM/DD) IMAGE VERSION
Lab2 latest User 2024-04-01T20:13:50Z FL.10.13.1000
startup-config startup User 2024-04-01T20:11:21Z FL.10.13.1000
CPC20240401194222_Access-1_6300 checkpoint System 2024-04-01T19:42:22Z FL.10.13.1000
CPC20240401191802_Access-1_6300 checkpoint System 2024-04-01T19:18:02Z FL.10.13.1000
CPC20240401190614_Access-1_6300 checkpoint System 2024-04-01T19:06:14Z FL.10.13.1000
CPC20240401183236_Access-1_6300 checkpoint System 2024-04-01T18:32:36Z FL.10.13.1000

8. Now make a checkpoint called Lab2_final using the running-config as the source.
Access-1# copy running-config checkpoint Lab2_final
Copying configuration: [Failure]
Cannot create duplicate checkpoint, configuration already exists in checkpoint Lab3
Access-1#

AOS-CX cannot have two different configuration snapshots with identical contents in its database (that would not be resource efficient). If you want to rename a checkpoint, then you will have to delete it first, then create a new one.

9. Erase checkpoint Lab2 and confirm by entering y.


Access-1# erase checkpoint Lab2
Erase checkpoint Lab2 ? (y/n): y

10. Try creating the Lab2_final checkpoint again.


Access-1# copy running-config checkpoint Lab2_final
Copying configuration: [Success]

11. List the switch checkpoints one more time.


Access-1# show checkpoint
NAME TYPE WRITER DATE(YYYY/MM/DD) IMAGE VERSION
Lab2_final latest User 2024-04-01T20:18:56Z FL.10.13.1000

startup-config startup User 2024-04-01T20:11:21Z FL.10.13.1000
CPC20240401194222_Access-1_6300 checkpoint System 2024-04-01T19:42:22Z FL.10.13.1000
CPC20240401191802_Access-1_6300 checkpoint System 2024-04-01T19:18:02Z FL.10.13.1000
CPC20240401190614_Access-1_6300 checkpoint System 2024-04-01T19:06:14Z FL.10.13.1000
CPC20240401183236_Access-1_6300 checkpoint System 2024-04-01T18:32:36Z FL.10.13.1000

Keeping track of when checkpoints are created is important during regular maintenance tasks. This is the reason configuring all switches with a Network Time Protocol (NTP) server is important.
Since IP connectivity is not enabled yet, you will continue working without setting up
an NTP server and trust the system clock for now. NTP configuration will be covered
in a later module.

You have completed Lab 2!

Lab 3.1: Configure a VLAN


At this point, the Access-1 switch is up and running and ready for configuration. The next task in your initial network deployment will be to place wired employees in a custom VLAN to enable inter-user communication.
Objectives
After completing this lab, you will be able to:
• Create a custom VLAN and assign it to access ports.
• Configure clients with static IP addresses.
• Explore the switch MAC address table.
Lab topology
The following lab topology will be used for your practical activities:

Task 3.1-1: Assign PCs to VLAN 11


Objectives
In this task, you will create the employee VLAN and configure Windows PCs with IP addresses of the
corresponding IP segment according to the network design. Then you will verify IP connectivity
between clients and explore the MAC address table.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to Access-1.

4. Log in to the switch using the following credentials:
• Username: admin
• Password: <no password - just press Enter>
5. Use the show vlan command to display the current VLANs configured in the switch. You should
only see VLAN 1 assigned to all ports, which is the switch's default setting.
Access-1# show vlan

-----------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
-----------------------------------------------------------------------------
1 DEFAULT_VLAN_1 up ok default 1/1/1-1/1/28

6. Create VLAN 11 and name it Employees.


Access-1# configure terminal
Access-1(config)# vlan 11
Access-1(config-vlan-11)# name Employees
Access-1(config-vlan-11)# exit
Access-1(config)#

7. Check the switch VLANs.


Access-1(config)# show vlan

-------------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces

-------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 up ok default 1/1/1-1/1/28
11 Employees down no_member_port static

Is the output reflecting your previous configuration change?

Answer: Yes, one VLAN was added.


What is the newly created VLAN status?

Answer: Down.
What caused the new VLAN to have this status?

Answer: There are no interfaces assigned to that VLAN.

Since the VLAN has not been assigned to any enabled physical port, the status is
down. No MAC address learning process is happening in the switch for that VLAN.

8. Assign VLAN 11 to interfaces 1/1/1 and 1/1/3 as an access VLAN.


Access-1(config)# interface 1/1/1
Access-1(config-if)# vlan access 11
Access-1(config-if)# interface 1/1/3
Access-1(config-if)# vlan access 11
Access-1(config-if)# exit

9. Try the show vlan command again.


Access-1(config)# show vlan

----------------------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
----------------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 down no_member_forwarding default 1/1/2,1/1/4-1/1/28
11 Employees up ok static 1/1/1,1/1/3

What is the VLAN 11 status now?

Answer: Up.

Currently, only ports 1/1/1 and 1/1/3 are up. When you replaced VLAN 1 with VLAN 11 on those ports, both VLANs remained in the table, but VLAN 1 is no longer associated with any port in the up state. Therefore, VLAN 1's status changed to down.

10. Enter the show vlan port 1/1/1 command.


Access-1(config)# show vlan port 1/1/1

-------------------------------------------------------------------------------
VLAN Name Mode Mapping
-------------------------------------------------------------------------------
11 Employees access port

What VLAN is present on the interface and what is its mode?

Answer: VLAN 11 in access (untagged) mode.


11. Enter the show vlan summary command. This command shows the VLAN count in the system.
Access-1(config)# show vlan summary
Number of existing VLANs : 2
Number of static VLANs : 2
Number of dynamic VLANs : 0
Number of port-access VLANs: 0

12. Enter the show interface 1/1/1 command. You will be able to see the VLAN ID and VLAN Mode
at the bottom of the command.
Access-1(config)# show interface 1/1/1

Interface 1/1/1 is up
Admin state is up
Link state: up for 5 days (since Thu Mar 28 15:12:51 UTC 2024)
Link transitions: 1
Description: To_PC1
Persona:
Hardware: Ethernet, MAC Address: 10:4f:58:fc:14:67
MTU 1500
Type 1GbT
Full-duplex
qos trust none
Speed 1000 Mb/s
Auto-negotiation is on
Energy-Efficient Ethernet is disabled
Flow-control: off
Error-control: off
MDI mode: MDI
VLAN Mode: access
Access VLAN: 11
Rate collection interval: 300 seconds
<<Omitted output>>

13. Finally, try the show interface brief command followed by a filtering option | begin 5 Port.
Access-1(config)# show interface brief | begin 5 Port
Port     Native  Mode    Type   Enabled  Status  Reason                 Speed   Description
         VLAN                                                           (Mb/s)
------------------------------------------------------------------------------------------------
1/1/1    11      access  1GbT   yes      up                             1000    To_PC1
1/1/2    1       access  1GbT   no       down    Administratively down  --      --
1/1/3    11      access  1GbT   yes      up                             1000    To_PC3

The pipe (|) command filters the output of show commands according to the criteria specified by the include, exclude, count, begin, or redirect parameters.
Strings of characters that follow the filtering tool (for example, "Port" in the previous example) are case sensitive. Incorrect capitalization may lead to the absence of output or other unexpected results.
In the previous example, information will be filtered out, listing only the lines that include the "Port" string along with the five subsequent lines.

What is the value under Native VLAN for ports 1/1/1 and 1/1/3 versus 1/1/2?

38 Task 3.1-1: Assign PCs to VLAN 11


Answer: Ports 1/1/1 and 1/1/3 use VLAN 11 as the native VLAN, while port 1/1/2 uses VLAN 1
as the native VLAN.

Task 3.1-2: Explore MAC address table


Objectives
In this second task, you will statically define IP addresses to PC1 and PC3, so they can achieve intra-VLAN Layer 3 connectivity, and users on those machines can start collaborating to run their company's daily operations.
Steps
1. Using the Remote Lab dashboard, connect to PC1.

2. Click the Windows icon in the top left corner, then type control panel. Windows will automatically display all items matching the string.
3. Click the top result (Control Panel). A new window will display.

4. In the Control Panel, click View network status and tasks under Network and Internet.
5. Click Change adapter settings in the left-hand options.

6. Double-click Lab NIC to access the NIC Status window.

If the NIC was disabled (grayed out), then you will have to double-click it twice: first to enable it, then a second time to open the NIC Status window.

There is an interface called "Do NOT Touch!" Repeat with me: "Do not touch!" If changes are made to that NIC (like modifying the IP address or disabling the interface), the access to this virtual machine will be disrupted. Only the lab support team will be able to recover the system, and that process may delay your lab progress.

7. In the Lab NIC Status window, click Properties.

8. In the Lab NIC Properties section, select Internet Protocol Version 4 (TCP/IPv4), then click
Properties.

9. In Internet Protocol Version 4 (TCP/IPv4) Properties, select Use the following IP address:
under the General tab. Then enter the following configuration:
• IP address: 10.1.11.101
• Subnet mask: 255.255.255.0
• Click OK.
10. Click Close to close Lab NIC Properties.
11. To confirm the new IP address, open a command prompt by using the icon available on the PC1
taskbar or by clicking the Windows icon and typing command.

12. In the Command Prompt window, type ipconfig and press Enter. This command will display the
IPv4 settings of all NICs in the system.

13. Type ipconfig -all and press Enter. This command displays additional information like DNS servers, IP addresses (if configured), and the NIC's physical address (MAC).

What is PC1's Lab NIC MAC address?

Answer: It depends on the local VM attributes; take note of your VM's physical address.
This is the typical IP address configuration process in a Windows system. You will now repeat it
on PC3.
14. Using the Remote Lab dashboard, connect to PC3.
15. Repeat steps 3 to 10 and configure the following IP address on PC3:
• IP address: 10.1.11.103
• Subnet mask: 255.255.255.0
16. If there is any OOBM NIC on PC3, disable it by right-clicking the OOBM NIC and selecting
Disable.
17. Repeat steps 11 to 13 to check PC3's IP address and MAC address.
What is PC3's Lab NIC MAC address?

Answer: It depends on the local VM attributes; take note of your VM's physical address.

18. From the PC3 command prompt, ping PC1's IP address (10.1.11.101). The ping should be successful.

19. Using the Remote Lab dashboard, open the Access-1 console.
20. Verify the switch's MAC address table.
Access-1(config)# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 2

MAC Address          VLAN   Type      Port
--------------------------------------------------------------
00:50:56:b1:18:2e    11     dynamic   1/1/3
00:50:56:b1:88:25    11     dynamic   1/1/1

What entries are listed in the output?

Answer: Two entries, one for PC1 on port 1/1/1 and one for PC3 on port 1/1/3.
21. Using the output information, write down the client's MAC addresses in the following table, along
with the ports and VLAN IDs.

PC     MAC Address          Port     VLAN
PC1
PC3

Were these MAC addresses discovered on the ports where you expected them?

Answer: Yes, as per the lab topology, PC1 is connected to port 1/1/1 and PC3 is connected to
port 1/1/3.

There are multiple forms of the show mac-address-table command that can be used
for displaying only entries that match a certain criteria, such as an address learned in
a particular VLAN or port, or learned dynamically versus configured statically in the
MAC table. Press the ? key at the end of the command to display the options.
Access-1(config)# show mac-address-table ?
address Show a specific MAC address
count Show the number of MAC addresses
detail Show detailed MAC address entry information
dynamic Show learned MAC addresses
interface Show MAC addresses for a specific interface
lockout Show MAC lockout address information
mac-move Show MAC address move information
port Show MAC addresses for a specific port
static Show static MAC address information
unsorted Show entries unsorted for faster initial output
vlan Show MAC addresses for specific VLANs
<cr>

Task 3.1-3: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Please note that final lab
checkpoints may be used in later activities.
Steps
1. Navigate to the Access-1 switch console.
2. Return to the manager context by entering the end command.
Access-1(config)# end
Access-1#

3. Save the current configuration.


Access-1# write memory
Copying configuration: [Success]


4. Using a checkpoint, create a configuration backup. Create your checkpoint with the following name: Lab3-1_final.
Access-1# copy running-config checkpoint Lab3-1_final
Copying configuration: [Success]

You have completed Lab 3.1!

Lab 3.2: Add a second switch to the topology


Good news! BigStartup seems to be a successful business, and management has decided to hire more
personnel. More ports are required, and it is time to add a second switch. You have been asked to make
an onsite visit to integrate the second switch and span the employee VLAN.
Objectives
After completing this lab, you will be able to:
• Enable an Inter-Switch Link (ISL).
• Configure trunk ports by enabling 802.1Q tagging on them.
• Extend the broadcast domain.
• Enable inter-switch client communication.
Lab topology
The following lab topology will be used for your practical activities:

Task 3.2-1: Configure initial settings on Access-2


Objectives
In this task, you will define the initial settings for Access-2 and disable all ports but the one for the Windows client. Then you will move to PC4 and assign an IP address to its NIC.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at the URL: https://arubatraininglab.computerdata.com.


2. Log in using the credentials provided to you.
3. Launch a remote console to Access-2.
4. Log in to the switch using the following credentials:
• Username: admin
• Password: <no password - just press Enter>
5. Enter the configuration context, then configure a hostname and a session timeout of 1440 minutes.
6300# configure terminal
6300(config)# hostname Access-2
Access-2(config)# session-timeout 1440
Access-2(config)#

6. Disable all ports.


Access-2(config)# interface 1/1/1-1/1/28
Access-2(config-if-<1/1/1-1/1/28>)# shutdown
Access-2(config-if-<1/1/1-1/1/28>)# exit
Access-2(config)#

7. Enable interface 1/1/4 and set a description (this interface is connected to PC4).
Access-2(config)# interface 1/1/4
Access-2(config-if)# no shutdown
Access-2(config-if)# description To_PC4
Access-2(config-if)# exit

PC4 Config
8. Using the Remote Lab dashboard, open a remote desktop connection to PC4.
9. Click the Windows icon on the top left corner, then type control panel. Windows will automatically display all items matching the string.
10. Click the top result (Control Panel). A new window will pop up.

11. In the Control Panel, click View network status and tasks under Network and Internet.


12. Click Change adapter settings in the left-hand options.

13. Double-click Lab NIC to access the NIC Status window.

If the NIC was disabled (grayed out), then you will have to double-click it twice, first
to enable it, then a second time to access the NIC Status window.

There is an interface called "Do NOT Touch!" Repeat with me: "Do not touch!" If changes are made to that NIC (like modifying the IP address or disabling the interface), access to this virtual machine will be disrupted. Only the lab support team will be able to recover the system, and that process may delay your lab progress.


14. In the Lab NIC Status window, click Properties.

15. In the Lab NIC Properties section, select Internet Protocol Version 4 (TCP/IPv4), then click
Properties.

16. In Internet Protocol Version 4 (TCP/IPv4) Properties, select Use the following IP address:
under the General tab. Then enter the following configuration:
• IP address: 10.1.11.104
• Subnet mask: 255.255.255.0
• Click OK.

17. Click Close to close Lab NIC Properties.


18. To confirm the new IP address, open a command prompt by clicking the Windows icon and typing
command.
19. Ping PC3's IP address (10.1.11.103).

Was the ping successful?

Answer: No. The ping should fail.

Why?

Answer: The ping is not successful because the destination IP address belongs to a device that is physically plugged into another switch (Access-1). Access-1 and Access-2 are not currently connected. Provisioning the ISL in the next task will fix this issue.

When the destination IP address is within the source's IP subnet and the ping result is "Destination host unreachable," the Layer 3 to Layer 2 address resolution using Address Resolution Protocol (ARP) failed and the ICMP echo request was never sent. If the result is "Request timed out," the host did resolve the destination's MAC address and sent the ICMP echo request, but no reply came back.

Task 3.2-2: Enable link between access switches


Objectives
In this task, you will enable an Ethernet connection between the access switches using a DAC in order to increase the number of ports on the network. Next, you will explore the information that Link Layer Discovery Protocol (LLDP) can provide. In this task you will:
• Deploy a switch-to-switch link.
• Use LLDP to discover neighbors and look at detailed neighbor information.
• Explore the switches' MAC address tables.
Steps
1. Using the Remote Lab dashboard, launch a remote console to Access-1.
2. Enable interface 1/1/28.
Access-1# configure terminal
Access-1(config)# interface 1/1/28
Access-1(config-if)# no shut
Access-1(config-if)# exit
Access-1(config)#

3. Navigate to the Access-2 console tab on your browser.


4. Enable interface 1/1/28 on Access-2.
Access-2(config)# interface 1/1/28
Access-2(config-if)# no shutdown
Access-2(config-if)# exit
Access-2(config)#

5. Confirm interface 1/1/28 came up using the show interface brief command followed by the filter | exclude down.
Access-2(config)# show interface brief | exclude down
------------------------------------------------------------------------------------------
Port      Native  Mode    Type       Enabled  Status  Reason  Speed    Description
          VLAN                                                (Mb/s)
------------------------------------------------------------------------------------------
1/1/4     1       access  1GbT       yes      up              1000     To_PC4
1/1/28    1       access  10G-DAC1   yes      up              10000    --
vlan1     --      --      --         yes      up              --       --

The pipe (|) command filters the output of show commands according to the criteria
specified by the include, exclude, count, begin, or redirect parameters.
Strings of characters that follow the filtering tool (for example, "down" in the com-
mand above) are case sensitive. Typing the wrong capitalization may lead to the
absence of output.
Using the filter "exclude down," the information will be filtered out, listing all the lines
except those containing the "down" string.

Is port 1/1/28 up?

Answer: Yes, port 1/1/28 is now up (active).


What are port 1/1/4's and port 1/1/28's speeds?

Answer: Port 1/1/4 is running at 1000 Mbps (1 Gbps), port 1/1/28 is running at 10,000 Mbps
(10 Gbps).

In wired networking, it is common practice to use faster links for connections between switches than for connections to clients. The best practice for switch-to-switch connections is to limit oversubscription ratios to 24:1 or less (depending on the traffic generated by the endpoints). Faster uplinks avoid the congestion that may lead to poor performance and dropped packets.

6. Next, you will use LLDP to analyze the information the protocol can provide regarding what
device is connected to specific interfaces. Issue the show lldp configuration command.
Access-2(config)# show lldp configuration

LLDP Global Configuration
=========================

LLDP Enabled                 : Yes
LLDP Transmit Interval       : 30
LLDP Hold Time Multiplier    : 4
LLDP Transmit Delay Interval : 2
LLDP Reinit Time Interval    : 2
LLDP Trap Enabled            : No


TLVs Advertised
===============

Management Address
Port Description
Port VLAN-ID
System Capabilities
System Description
System Name
OUI
Port VLAN-Name
Dot1 Link Aggregation

LLDP Port Configuration
=======================

PORT     TX-ENABLED  RX-ENABLED  INTF-TRAP-ENABLED
--------------------------------------------------------------------------
1/1/1    Yes         Yes         Yes
1/1/2    Yes         Yes         Yes
1/1/3    Yes         Yes         Yes
1/1/4    Yes         Yes         Yes
<<Omitted output>>
1/1/28   Yes         Yes         Yes
mgmt     Yes         Yes         Yes

LLDP is on by default on AOS-CX switches.

What is the current LLDP state?

Answer: LLDP is enabled (active).


What are the transmit interval and hold time multiplier values?

Answer: The transmit interval is 30 seconds, and the hold time multiplier is 4.
What are the LLDP transmit and receive modes on all of the ports?

Answer: The default mode for LLDP receive (RX) and transmit (TX) is enabled on every port.
7. Issue the show lldp local-device command. This shows the information the local device advertises in its LLDP messages.
Access-2(config)# show lldp local-device


Global Data
===========

Chassis-ID : 10:4f:58:f6:84:80
System Name : Access-2
System Description : Aruba JL668A FL.10.13.1000
Management Address : 10:4f:58:f6:84:80
Capabilities Available : Bridge, Router
Capabilities Enabled : Bridge, Router
TTL : 120
Management Address VLAN:

Port Based Data
===============

Port-ID : 1/1/4
Port-Desc : "To_PC4"
Port Mgmt-Address : 10:4f:58:f6:84:80
Port VLAN ID : 1
Maximum Frame Size: 1500
Parent Interface : interface 1/1/4

Port-ID : 1/1/28
Port-Desc : "1/1/28"
Port Mgmt-Address : 10:4f:58:f6:84:80
Port VLAN ID : 1
Maximum Frame Size: 1500
Parent Interface : interface 1/1/28

Port-ID : mgmt
Port-Desc : "mgmt"
Port Mgmt-Address : 10:4f:58:f6:84:80

What is the System Description?

Answer: Aruba JL668A FL.10.13.1000.


What are the available capabilities supported by the system?

Answer: Bridge, Router.


AOS-CX switches have IP routing enabled by default, and it cannot be disabled. This means they automatically populate the routing table with whatever IP segment is configured on a Layer 3 port (physical or logical) and start forwarding packets at Layer 3 between those segments. Keep this in mind: any two VLANs that are given an IP interface on the same switch become reachable from each other unless that traffic is explicitly filtered.


8. To view the remote side LLDP info, enter the show lldp neighbor-info command.
Access-2(config)# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries          : 2
Total Neighbor Entries Deleted  : 2
Total Neighbor Entries Dropped  : 0
Total Neighbor Entries Aged-Out : 2

LOCAL-PORT  CHASSIS-ID         PORT-ID               PORT-DESC        TTL  SYS-NAME
------------------------------------------------------------------------------------
1/1/28      10:4f:58:fc:14:40  1/1/28                1/1/28           120  Access-1
mgmt        00:23:89:bb:73:4a  GigabitEthernet3/0/8  T14-6300-B-OOBM  120  P54-OOBM-Fanout

9. Based on the last two outputs (show lldp local-device and show lldp neighbor-info), find the following information:

Local device (Access-2) Chassis ID: ____________ System Name: ____________
Neighbor on port 1/1/28 Chassis ID: ____________ System Name: ____________

10. Navigate to the Access-1 console.


11. Issue the show lldp neighbor-info command. You should see one entry for the lab link (port 1/1/28); the entry on the mgmt port is the lab's OOBM fanout switch and is not part of the lab topology.
Access-1(config)# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries          : 2
Total Neighbor Entries Deleted  : 2
Total Neighbor Entries Dropped  : 0
Total Neighbor Entries Aged-Out : 2

LOCAL-PORT  CHASSIS-ID         PORT-ID                PORT-DESC        TTL  SYS-NAME
-----------------------------------------------------------------------------------------------------------
1/1/28      10:4f:58:f6:84:80  1/1/28                 1/1/28           120  Access-2
mgmt        00:23:89:bb:73:4a  GigabitEthernet2/0/24  T14-6300-A-OOBM  120  P54-OOBM-Fanout

Does the entry match the Chassis ID and System Name seen in step 9?

Answer: Yes.
What is the local port?

Answer: Port 1/1/28.


What is the remote port?

Answer: Port 1/1/28.


12. Try the same command, but specify the local interface number at the end of the command.
Access-1(config)# show lldp neighbor-info 1/1/28

Port : 1/1/28
Neighbor Entries : 1
Neighbor Entries Deleted : 0
Neighbor Entries Dropped : 0
Neighbor Entries Aged-Out : 0
Neighbor System-Name : Access-2
Neighbor System-Description : Aruba JL668A FL.10.13.1000
Neighbor Chassis-ID : 10:4f:58:f6:84:80
Neighbor Management-Address : 10:4f:58:f6:84:80
Chassis Capabilities Available : Bridge, Router
Chassis Capabilities Enabled : Bridge, Router
Neighbor Port-ID : 1/1/28
Neighbor Port-Desc : 1/1/28
Neighbor Port VLAN ID : 1
Neighbor Port VLAN Name : DEFAULT_VLAN_1
Neighbor Port MFS : 1500
Link aggregation supported : Yes
Link aggregation enabled : No
Aggregation port ID : 0
TTL : 120
Neighbor Mac-Phy details
Neighbor Auto-neg Supported    : true
Neighbor Auto-Neg Enabled      : false
Neighbor Auto-Neg Advertised   : Other
Neighbor MAU type              : 10 GIGBASEER
Neighbor EEE information       : DOT3
Neighbor TX Wake time          : 0 us
Neighbor RX Wake time          : 0 us
Neighbor Fallback time         : 0 us
Neighbor TX Echo time          : 0 us
Neighbor RX Echo time          : 0 us

This version of the command displays the detailed data of the neighbor just like the
show lldp local-device command used earlier on Access-2.

Understanding LLDP and the information it provides can help you verify and
troubleshoot Layer 1 communication between devices.
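The neighbor check you just did by eye (local port, remote system name, remote port) is the same check you would want scripted across a whole site. The Python below is an added example, not part of this lab guide or of AOS-CX: it parses the text of show lldp neighbor-info and compares it with a cabling plan, reporting missing, wrong and unexpected neighbors. A neighbor showing up on a port that should only carry a PC is the classic sign of a second switch or a mis-patched cable. Caveat: LLDP is unauthenticated, so anything on the wire can advertise any name; treat this as a consistency check, not a security control. The sample text is the Access-2 output from step 8; the plan format and function names are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the Access-2 neighbor table from step 8. The mgmt-port row is
# the lab's OOBM fanout switch, which is why the checker ignores mgmt by default.
ACCESS2_LLDP = """\
LLDP Neighbor Information
=========================

Total Neighbor Entries          : 2
Total Neighbor Entries Deleted  : 2
Total Neighbor Entries Dropped  : 0
Total Neighbor Entries Aged-Out : 2

LOCAL-PORT  CHASSIS-ID         PORT-ID               PORT-DESC        TTL  SYS-NAME
------------------------------------------------------------------------------------
1/1/28      10:4f:58:fc:14:40  1/1/28                1/1/28           120  Access-1
mgmt        00:23:89:bb:73:4a  GigabitEthernet3/0/8  T14-6300-B-OOBM  120  P54-OOBM-Fanout
"""

_MAC = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)


@dataclass(frozen=True)
class Neighbor:
    local_port: str
    chassis_id: str
    port_id: str
    port_desc: str
    ttl: int
    sys_name: str


def parse_lldp_neighbors(text: str) -> list[Neighbor]:
    """Pick the data rows out of 'show lldp neighbor-info' text.

    A row is recognised by its shape: a MAC-looking chassis ID in the second
    column and a numeric TTL in the second-to-last column. PORT-DESC may contain
    spaces, so it is everything between PORT-ID and TTL.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not _MAC.match(parts[1]) or not parts[-2].isdigit():
            continue
        rows.append(Neighbor(
            local_port=parts[0],
            chassis_id=parts[1].lower(),
            port_id=parts[2],
            port_desc=" ".join(parts[3:-2]),
            ttl=int(parts[-2]),
            sys_name=parts[-1],
        ))
    return rows


def verify_cabling(neighbors: list[Neighbor], plan: dict[str, tuple[str, str]],
                   ignore_ports: tuple[str, ...] = ("mgmt",)) -> list[str]:
    """Compare what LLDP reports with a cabling plan.

    plan maps local port -> (expected remote system name, expected remote port).
    Returns human-readable findings; an empty list means Layer 1 looks the way
    the plan says it should.
    """
    findings = []
    seen: dict[str, list[Neighbor]] = {}
    for n in neighbors:
        if n.local_port not in ignore_ports:
            seen.setdefault(n.local_port, []).append(n)

    for port, (exp_name, exp_port) in plan.items():
        got = seen.get(port)
        if not got:
            findings.append(f"{port}: expected {exp_name} {exp_port}, no neighbor seen")
            continue
        for n in got:
            if (n.sys_name, n.port_id) != (exp_name, exp_port):
                findings.append(f"{port}: expected {exp_name} {exp_port}, "
                                f"saw {n.sys_name} {n.port_id} (chassis {n.chassis_id})")

    # A device advertising itself on a port the plan does not cover deserves a look:
    # on an access port it is usually a second switch or a mis-patched cable.
    for port, got in seen.items():
        if port not in plan:
            for n in got:
                findings.append(f"{port}: unexpected neighbor {n.sys_name} {n.port_id} "
                                f"(chassis {n.chassis_id})")
    return findings


if __name__ == "__main__":
    neighbors = parse_lldp_neighbors(ACCESS2_LLDP)
    # Plan for this task: Access-2 1/1/28 must face Access-1 1/1/28.
    for finding in verify_cabling(neighbors, {"1/1/28": ("Access-1", "1/1/28")}) or ["cabling OK"]:
        print(finding)
```

Run it against the pasted output of each switch in turn; the plan dictionary is the one place the intended topology lives, so a port that later grows a neighbor (for example an employee plugging in a home switch) produces an "unexpected neighbor" line without any change to the code.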

13. Now that you are sure about which ports are used, you are ready to set the interface descriptions. Set descriptions on both switches' interface 1/1/28.
14. Configure the Access-1 interface as follows:
Access-1(config)# interface 1/1/28
Access-1(config-if)# description To_Access-2_port-28
Access-1(config-if)# exit

15. Navigate to the Access-2 console and configure interface 1/1/28.


Access-2(config)# interface 1/1/28
Access-2(config-if)# description To_Access-1_Port-28
Access-2(config-if)# exit

16. Navigate back to the PC4 remote desktop session.


17. Ping PC3's IP address (10.1.11.103).

Was the ping successful?

Answer: No, the ping was not successful.


Why?


Answer: Even though a link between both switches has been enabled, the ping still fails. In order
to better understand why, you should explore the MAC address table of either switch. Let's do it
on Access-1.
18. Open a console session to Access-1 and enter the show mac-address-table command.
Access-1(config)# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 4

MAC Address          VLAN     Type       Port
--------------------------------------------------------------
10:4f:58:f6:84:80    1        dynamic    1/1/28
00:50:56:b1:d6:e3    1        dynamic    1/1/28
00:50:56:b1:18:2e    11       dynamic    1/1/3
00:50:56:b1:88:25    11       dynamic    1/1/1

Your output may contain more entries than the example above (for instance, PC1). Ignore all but the entries for PC3 and PC4.

What port and VLAN are PC3 seen on?

Answer: PC3 (00:50:56:b1:18:2e in the sample output) is seen on port 1/1/3 in VLAN 11. The MAC address in your lab will be different, as each host has a unique physical address.
What port and VLAN are PC4 seen on?

Answer: PC4 (00:50:56:b1:d6:e3 in the sample output) is seen on port 1/1/28 in VLAN 1. Both PCs are on different ports (which is expected) and, more importantly, in different VLANs. PC4 is seen in VLAN 1 because that is the only VLAN that exists on Access-2 and the only VLAN it forwards on its 1/1/28 interface, so PC4's frames arrive at Access-1 untagged and are learned in VLAN 1 there as well.

As seen in this step, understanding the fundamentals of Layer 2 forwarding and exploring the MAC address table of switches are key tools for troubleshooting the lack of connectivity between two endpoints.
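The reasoning in the answers above, and the port/VLAN table you filled in at the end of Lab 3.1, Task 3.1-2, can be automated. The following Python script is an added example, not part of this lab guide or of AOS-CX: it parses the text of show mac-address-table, tells you whether two hosts share a VLAN on the switch (and therefore whether the switch can forward frames between them at all), and audits the table against an expected host-to-port map so that a MAC learned on the wrong port or VLAN, whether a moved cable, a second switch on an access port or a spoofed address, stands out. The sample table is the Access-1 output from step 18; the helper names and the expected-map format are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the Access-1 table from step 18, before VLAN 11 was extended
# across the ISL. MAC addresses in your own lab will differ.
ACCESS1_MAC_TABLE = """\
MAC age-time : 300 seconds
Number of MAC addresses : 4

MAC Address          VLAN     Type       Port
--------------------------------------------------------------
10:4f:58:f6:84:80    1        dynamic    1/1/28
00:50:56:b1:d6:e3    1        dynamic    1/1/28
00:50:56:b1:18:2e    11       dynamic    1/1/3
00:50:56:b1:88:25    11       dynamic    1/1/1
"""

_ROW = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\S+)\s+(\S+)\s*$", re.I)


@dataclass(frozen=True)
class MacEntry:
    mac: str
    vlan: int
    kind: str   # dynamic or static
    port: str


def parse_mac_table(text: str) -> list[MacEntry]:
    """Pick the data rows out of 'show mac-address-table' text; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            entries.append(MacEntry(m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def lookup(entries: list[MacEntry], mac: str) -> list[MacEntry]:
    mac = mac.lower()
    return [e for e in entries if e.mac == mac]


def same_broadcast_domain(entries: list[MacEntry], mac_a: str, mac_b: str) -> tuple[bool, str]:
    """Can this switch forward frames between the two hosts?

    Only if both MACs are learned and at least one VLAN contains both of them;
    a switch never bridges between VLANs on its own.
    """
    a, b = lookup(entries, mac_a), lookup(entries, mac_b)
    if not a:
        return False, f"{mac_a} not learned"
    if not b:
        return False, f"{mac_b} not learned"
    vlans_a = {e.vlan for e in a}
    vlans_b = {e.vlan for e in b}
    common = vlans_a & vlans_b
    if common:
        return True, f"both learned in VLAN(s) {sorted(common)}"
    return False, (f"{mac_a} is in VLAN {sorted(vlans_a)} on {[e.port for e in a]}; "
                   f"{mac_b} is in VLAN {sorted(vlans_b)} on {[e.port for e in b]}")


def audit_expected_ports(entries: list[MacEntry], expected: dict[str, tuple[str, int]]) -> list[str]:
    """Compare the table with a map of mac -> (port, vlan).

    Anything learned somewhere other than where the map says is reported; that is
    how a moved cable, a second switch on an access port or a spoofed MAC shows
    up in the MAC table.
    """
    findings = []
    for mac, (port, vlan) in expected.items():
        seen = lookup(entries, mac)
        if not seen:
            findings.append(f"{mac}: expected on {port} VLAN {vlan}, not learned")
            continue
        for e in seen:
            if (e.port, e.vlan) != (port, vlan):
                findings.append(f"{mac}: expected on {port} VLAN {vlan}, seen on {e.port} VLAN {e.vlan}")
    return findings


if __name__ == "__main__":
    table = parse_mac_table(ACCESS1_MAC_TABLE)
    print(same_broadcast_domain(table, "00:50:56:b1:18:2e", "00:50:56:b1:d6:e3"))  # PC3 vs PC4
    for finding in audit_expected_ports(table, {"00:50:56:b1:d6:e3": ("1/1/28", 11)}):
        print(finding)
```

Against the sample, PC3 and PC4 are reported as not sharing a VLAN, which is the root cause found in this task, and the audit flags PC4 as seen in VLAN 1 instead of the planned VLAN 11. The same audit run after Task 3.2-3 should come back empty.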

Task 3.2-3: Assign PCs to VLAN 11


Objectives
After finding the root cause that prevents communication between two endpoints, it is time to apply a configuration that solves the issue. You will now extend VLAN 11 to the Access-2 switch.


Steps
1. Navigate to the Access-1 console.
2. Configure Access-1's interface 1/1/28 as a trunk link that permits VLANs 1 and 11.
Access-1(config)# interface 1/1/28
Access-1(config-if)# vlan trunk allowed 1,11
Access-1(config-if)# exit

3. Verify trunk interfaces.


Access-1(config)# show interface trunk

-------------------------------------------------------------------------
Port Native VLAN Trunk VLANs
-------------------------------------------------------------------------
1/1/28 1 1,11

4. Navigate to the Access-2 console.


5. Verify the Access-2 VLANs.
Access-2(config)# show vlan

------------------------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces

------------------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 up ok default 1/1/1-1/1/28

Note that you have not created VLAN 11 on Access-2.


6. Create VLAN 11 and name it Employees.
Access-2(config)# vlan 11
Access-2(config-vlan-11)# name Employees
Access-2(config-vlan-11)# exit

7. Configure Access-2 interface 1/1/28 as a trunk, allowing VLANs 1 and 11.


Access-2(config)# interface 1/1/28
Access-2(config-if)# vlan trunk allowed 1,11
Access-2(config-if)# exit

8. Configure interface 1/1/4 as an access port in VLAN 11.


Access-2(config)# interface 1/1/4
Access-2(config-if)# vlan access 11
Access-2(config-if)# exit

9. Confirm that VLAN 11 now includes ports 1/1/4 and 1/1/28.


Access-2(config)# show vlan 11

-------------------------------------------------------------------------
VLAN  Name       Status  Reason  Type    Interfaces
-------------------------------------------------------------------------
11    Employees  up      ok      static  1/1/4,1/1/28

10. Display the trunk interfaces. You should have only one trunk port.
Access-2(config)# show interface trunk

-------------------------------------------------------------------------
Port Native VLAN Trunk VLANs
-------------------------------------------------------------------------
1/1/28 1 1,11
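Both ends of a trunk must agree on the native VLAN and on the allowed VLAN list, which is exactly what the two show interface trunk outputs in this task let you compare. The Python below is an added example, not part of this lab guide or of AOS-CX: it parses both outputs, expands VLAN ranges (the guide only shows 1,11, so the range handling goes beyond what the page exercises) and reports allowed-VLAN and native-VLAN mismatches for one link. A native VLAN mismatch is treated as an error rather than a warning, because untagged frames would leave one VLAN and be accepted into another. The mismatched Access-2 variant and the function names are constructed for the example.

```python
from __future__ import annotations

import re

# Constructed samples: 'show interface trunk' from both ends of the Access-1 <-> Access-2
# link as shown in this task.
ACCESS1_TRUNKS = """\
-------------------------------------------------------------------------
Port     Native VLAN    Trunk VLANs
-------------------------------------------------------------------------
1/1/28   1              1,11
"""

ACCESS2_TRUNKS = """\
-------------------------------------------------------------------------
Port     Native VLAN    Trunk VLANs
-------------------------------------------------------------------------
1/1/28   1              1,11
"""

# Hypothetical variant: Access-2 with a changed native VLAN and extra VLANs allowed on
# one side only. Not from the lab; it exists to show what a mismatch report looks like.
ACCESS2_TRUNKS_BAD = """\
-------------------------------------------------------------------------
Port     Native VLAN    Trunk VLANs
-------------------------------------------------------------------------
1/1/28   99             1,11-13
"""

# A trunk row: physical port or LAG, native VLAN, allowed VLAN list.
_ROW = re.compile(r"^(\d+/\d+/\d+|lag\d+)\s+(\d+)\s+(\S+)\s*$")


def expand_vlan_list(spec: str) -> set[int]:
    """'1,11-13,20' -> {1, 11, 12, 13, 20}."""
    vlans: set[int] = set()
    for piece in spec.split(","):
        piece = piece.strip()
        if not piece:
            continue
        if "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {piece!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(piece))
    return vlans


def parse_trunks(text: str) -> dict[str, tuple[int, set[int]]]:
    """Map each trunk port to (native VLAN, set of allowed VLANs)."""
    trunks = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            trunks[m.group(1)] = (int(m.group(2)), expand_vlan_list(m.group(3)))
    return trunks


def check_link(local_text: str, local_port: str, remote_text: str, remote_port: str) -> list[str]:
    """Findings for one switch-to-switch link; an empty list means both ends agree."""
    local = parse_trunks(local_text).get(local_port)
    remote = parse_trunks(remote_text).get(remote_port)
    if local is None:
        return [f"{local_port}: not a trunk on the local switch"]
    if remote is None:
        return [f"{remote_port}: not a trunk on the remote switch"]
    findings = []
    l_native, l_vlans = local
    r_native, r_vlans = remote
    # Different native VLANs silently bridge two VLANs across the link: untagged
    # frames leave one VLAN on this side and enter another on the far side.
    if l_native != r_native:
        findings.append(f"native VLAN mismatch: local {l_native}, remote {r_native}")
    only_local = sorted(l_vlans - r_vlans)
    only_remote = sorted(r_vlans - l_vlans)
    if only_local:
        findings.append(f"VLANs allowed only on local side (dropped by remote): {only_local}")
    if only_remote:
        findings.append(f"VLANs allowed only on remote side (dropped by local): {only_remote}")
    return findings


if __name__ == "__main__":
    print(check_link(ACCESS1_TRUNKS, "1/1/28", ACCESS2_TRUNKS, "1/1/28") or ["link OK"])
    print(check_link(ACCESS1_TRUNKS, "1/1/28", ACCESS2_TRUNKS_BAD, "1/1/28"))
```

With the two outputs from this task the link comes back clean; with the constructed variant the script reports the native VLAN mismatch and the VLANs that only one side would carry. The "not a trunk" case is the state Access-1 was in during Task 3.2-2, before vlan trunk allowed was applied.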

11. Navigate back to PC4 and, using the command prompt, ping the PC3 IP address (10.1.11.103).

The ping should be successful.


You will now explore the MAC address tables of both switches and trace the MAC addresses of
each station in order to confirm they are learned in the expected ports and VLANs.
12. Verify the MAC address table of both Access-1 and Access-2.
Access-1
Access-1(config)# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 4

MAC Address          VLAN     Type       Port
--------------------------------------------------------------
10:4f:58:f6:84:80    1        dynamic    1/1/28
00:50:56:b1:d6:e3    11       dynamic    1/1/28
00:50:56:b1:18:2e    11       dynamic    1/1/3
00:50:56:b1:88:25    11       dynamic    1/1/1

Access-2
Access-2(config)# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 4

MAC Address          VLAN     Type       Port
--------------------------------------------------------------
10:4f:58:fc:14:40    1        dynamic    1/1/28
00:50:56:b1:d6:e3    11       dynamic    1/1/4
00:50:56:b1:18:2e    11       dynamic    1/1/28
00:50:56:b1:88:25    11       dynamic    1/1/28

13. Based on your outputs, fill out the fields:

Access-1
PC     MAC address          Port     VLAN
PC3
PC4

Access-2
PC     MAC address          Port     VLAN
PC3
PC4

Task 3.2-4: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Please note that final lab
checkpoints may be used in later activities.
Steps
1. Save the Access-1 and Access-2 configurations.
Access-1
Access-1(config)# end
Access-1# write memory
Copying configuration: [Success]


Access-2
Access-2(config)# end
Access-2# write memory
Copying configuration: [Success]

2. Back up the current Access switches' configuration as a custom checkpoint called Lab3-2_final.
Access-1
Access-1# copy running-config checkpoint Lab3-2_final
Copying configuration: [Success]

Access-2
Access-2# copy running-config checkpoint Lab3-2_final
Copying configuration: [Success]

You have completed Lab 3.2!


Lab 3.3: Add a core switch to the topology


After a few months in business, BigStartup seems to have a promising forecast. Sales are growing and
more employees are being hired. The company is urgently investigating renting the West Wing of the
floor. Management is considering the implications of expansion and what effect it will have on the net-
work.
They have approached you for advice, and you have recommended inserting a core switch, following a two-tier design that supports future growth without added complexity (instead of a daisy-chain topology). You suggest a CX 8325 Series switch, which provides a consistent OS across the board, high port density, unprecedented throughput, and non-blocking switching.
Objectives
After completing this lab, you will be able to:
• Deploy a core switch in the topology.
• Configure uplinks as trunk ports by enabling 802.1Q.
• Add a new VLAN for another type of user.
• Enable a DHCP server on Access-1.
Lab topology
The following lab topology will be used for your practical activities:


Task 3.3-1: Add Core-1 to the topology
Objectives
In this task, you will change the switching topology and enable the ports on the access switches that have been connected to the CX 8325 Series core switch in the building's MDF. You will also configure the core switch side of the links and validate the topology.
CX 8xxx Series switches ship with all ports configured as routed ports and administratively disabled by default. You will need to set the ports to bridge mode (no routing) and enable them.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to Access-1.
4. Disable port 1/1/28.
Access-1# configure terminal
Access-1(config)# interface 1/1/28


Access-1(config-if)# shutdown
Access-1(config-if)# exit

5. Configure interface 1/1/25 as a trunk port allowing VLANs 1 and 11.


Access-1(config)# interface 1/1/25
Access-1(config-if)# description To_Core-1
Access-1(config-if)# vlan trunk allowed 1,11
Access-1(config-if)# no shutdown
Access-1(config-if)# exit

6. Using the Remote Lab dashboard, launch a remote console to Access-2 and disable port 1/1/28.


Access-2# configure terminal
Access-2(config)# interface 1/1/28
Access-2(config-if)# shutdown
Access-2(config-if)# exit

7. Configure interface 1/1/25 as a trunk port allowing VLANs 1 and 11.


Access-2(config)# interface 1/1/25
Access-2(config-if)# description To_Core-1
Access-2(config-if)# vlan trunk allowed 1,11
Access-2(config-if)# no shutdown
Access-2(config-if)# exit

8. Using the Remote Lab dashboard, launch a remote console to Core-1.


9. Log in to the switch using the following credentials:
• Username: admin
• Password: <no password - just press Enter>
10. Your switch should be at the default configuration. Verify it with the show running-config command.
8325# show running-config
Current configuration:
!
!Version ArubaOS-CX GL.10.13.1000
!export-password: default
profile leaf
!
ssh server vrf mgmt
vlan 1
interface mgmt
    no shutdown
    ip dhcp
!
https-server vrf mgmt



The show running-config command does not display the switch's default con-
figuration. Therefore, there is not much to see in a factory defaulted switch.

11. If your switch has a preexisting configuration, reset it with steps 11a and 11b; otherwise, proceed to step 12.
a. Erase startup-config.
8325# erase startup-config
Erase checkpoint startup-config ? (y/n): y

b. Reboot your switch and wait for it restart.


8325# boot system
Checking if the configuration needs to be saved...

Do you want to save the current configuration (y/n)? n

Checking for updates needed to programmable devices...
Done checking for updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y

12. Modify the hostname to Core-1 and the session timeout to 1440 minutes.
8325# configure terminal
8325(config)# hostname Core-1
Core-1(config)# session-timeout 1440

13. Verify the Core-1 interfaces' statuses.


Core-1(config)# show interface brief
--------------------------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed Description
VLAN (Mb/s)
--------------------------------------------------------------------------------------------------------
1/1/1 -- routed 10G-DAC1 no down Group speed mismatch -- --
1/1/2 -- routed 10G-DAC1 no down Group speed mismatch -- --
1/1/3 -- routed -- no down No XCVR installed -- --
1/1/4 -- routed -- no down No XCVR installed -- --
1/1/5 -- routed 1G-BT no down Group speed mismatch -- --
1/1/6 -- routed -- no down No XCVR installed -- --
1/1/7 -- routed 1G-BT no down Group speed mismatch -- --
1/1/8 -- routed -- no down No XCVR installed -- --

<<Omitted output>>

1/1/45 -- routed 25G-DAC0.65 no down Administratively down -- --
1/1/46 -- routed 25G-DAC0.65 no down Administratively down -- --
1/1/47 -- routed 25G-DAC0.65 no down Administratively down -- --
1/1/48 -- routed -- no down No XCVR installed -- --

What is the mode of the switch ports?


Answer: Routed.
Which ports are enabled?

Answer: None of the ports are enabled.

CX 8xxx Series, CX 9300 Series, and CX 10000 Series switches have interfaces configured as routed ports and disabled by default.

14. Enable ports 1/1/1 to 1/1/56 and configure as bridged ports.


Core-1(config)# interface 1/1/1-1/1/56
Core-1(config-if-<1/1/1-1/1/56>)# no routing
Core-1(config-if-<1/1/1-1/1/56>)# no shutdown
Core-1(config-if-<1/1/1-1/1/56>)# exit

15. Verify the Core-1 interfaces' statuses one more time.


Core-1(config)# show interface brief
--------------------------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed Description
VLAN (Mb/s)
--------------------------------------------------------------------------------------------------------
1/1/1 1 access 10G-DAC1 yes down Group speed mismatch -- --
1/1/2 1 access 10G-DAC1 yes down Group speed mismatch -- --
1/1/3 1 access -- yes down No XCVR installed -- --
1/1/4 1 access -- yes down No XCVR installed -- --
1/1/5 1 access 1G-BT yes down Group speed mismatch -- --
1/1/6 1 access -- yes down No XCVR installed -- --
1/1/7 1 access 1G-BT yes down Group speed mismatch -- --
<<Omitted output>>

What is the mode of the switch ports?

Answer: Access
Are ports enabled?

Answer: Yes
Why are ports 1 and 2 still down? (see the Reason column)

Answer: There is a group speed mismatch. By default, CX 8325 Series switches have their port groups configured for 25 Gbps. In this lab, 1 Gbps and 10 Gbps transceivers are used, so the port group must be reconfigured for 1/10 Gbps operation.


16. Verify the Core-1 interface groups.


Core-1(config)# show system interface-group
------------------------------------------------
Group Speed Member Ports Mismatched Ports
------------------------------------------------
1 25g 1/1/1-1/1/12 1/1/1-1/1/2,1/1/5,1/1/7
2 25g 1/1/13-1/1/24
3 25g 1/1/25-1/1/36
4 25g 1/1/37-1/1/48

Notice that all mismatched ports belong to group 1, which contains ports 1/1/1 to 1/1/12. The choice between 1/10 Gbps and 25 Gbps is made per port group, meaning that you are not allowed to mix 1 Gbps and 10 Gbps ports with 25 Gbps ports in the same port group at the same time. For other switch families, check the datasheet for interface group information.

17. Change the port-group 1 config to 1/10Gbps.


Core-1(config)# system interface-group 1 speed 10g
This command will disable any transceivers in the group that do not support
the new speed and may disrupt the network.

Continue (y/n)? y

18. Verify the Core-1 interfaces' statuses. Interfaces 1/1/1 and 1/1/2 should have their status as up.
Core-1(config)# show interface brief
--------------------------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed Description
VLAN (Mb/s)
--------------------------------------------------------------------------------------------------------
1/1/1 1 access 10G-DAC1 yes up 10000 --
1/1/2 1 access 10G-DAC1 yes up 10000 --
1/1/3 1 access -- yes down No XCVR installed -- --
1/1/4 1 access -- yes down No XCVR installed -- --
1/1/5 1 access 1G-BT yes up 1000 --
1/1/6 1 access -- yes down No XCVR installed -- --
1/1/7 1 access 1G-BT yes up 1000 --
1/1/8 1 access -- yes down No XCVR installed -- --
<<Omitted output>>

Note that interfaces 1/1/5 and 1/1/7 also came up.
19. Disable interfaces 1/1/5, 1/1/7, and 1/1/8, since they are not used in this lab.
Core-1(config)# interface 1/1/5,1/1/7,1/1/8
Core-1(config-if-<1/1/5,1/1/7,1/1/8>)# shutdown
Core-1(config-if-<1/1/5,1/1/7,1/1/8>)# exit

20. Use the show lldp neighbor-info command to validate that Access-1 and Access-2 are connected to ports 1 and 2 respectively.
Core-1(config)# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries          : 3
Total Neighbor Entries Deleted  : 1
Total Neighbor Entries Dropped  : 0
Total Neighbor Entries Aged-Out : 1

LOCAL-PORT  CHASSIS-ID         PORT-ID               PORT-DESC        TTL  SYS-NAME
-----------------------------------------------------------------------------------------------------------
1/1/1       10:4f:58:fc:14:40  1/1/25                1/1/25           120  Access-1
1/1/2       10:4f:58:f6:84:80  1/1/25                1/1/25           120  Access-2
mgmt        00:23:89:bb:73:4a  GigabitEthernet2/0/8  T14-8325-A-OOBM  120  P54-OOBM-Fanout

21. Add descriptions to the interfaces.


Core-1(config)# interface 1/1/1
Core-1(config-if)# description To_Access-1_Port-25
Core-1(config-if)# interface 1/1/2
Core-1(config-if)# description To_Access-2_Port-25
Core-1(config-if)# exit

Now that the connection between Core-1, Access-1, and Access-2 is enabled and active, it is time
for you to add VLAN 11 to the core switch and allow the transit of VLAN 11 through uplinks.

22. Navigate to the Core-1 console and create VLAN 11.

Core-1(config)# vlan 11
Core-1(config-vlan-11)# name Employees
Core-1(config-vlan-11)# exit

23. Allow VLAN 11 on ports 1/1/1 and 1/1/2.


Core-1(config)# interface 1/1/1-1/1/2
Core-1(config-if-<1/1/1-1/1/2>)# vlan trunk allowed 1,11
Core-1(config-if-<1/1/1-1/1/2>)# exit

24. Using the Remote Lab dashboard, open a remote desktop connection to PC1, open the command
prompt, and start a ping to PC4.

The ping should be successful.

Task 3.3-2: Adding a second VLAN


Objectives
After more hiring, BigStartup is now interested in improving privacy and traffic separation between
regular employees and managers. They are asking you if there is any way you can achieve that with
networking devices they already have. You can improve privacy and traffic separation by adding
another VLAN.
The next steps will be focused on creating VLAN 12 for managers across all switches and moving PC1
and PC4 into that broadcast domain.

Steps
1. Launch a remote console to Access-1.
2. Create VLAN 12 and name it Managers.
Access-1(config)# vlan 12
Access-1(config-vlan-12)# name Managers
Access-1(config-vlan-12)# exit

3. Configure interface 1/1/1 as an access port for VLAN 12 and add VLAN 12 to the list of allowed
VLANs on trunk port 1/1/25.
Access-1(config)# interface 1/1/1
Access-1(config-if)# vlan access 12
Access-1(config-if)# interface 1/1/25
Access-1(config-if)# vlan trunk allowed 12
Access-1(config-if)# exit

4. Verify that VLAN 12 is allowed on interfaces 1/1/1 and 1/1/25.
Access-1(config)# show vlan 12
------------------------------------------------------------------------------------------------
VLAN Name     Status Reason Type   Interfaces
------------------------------------------------------------------------------------------------
12   Managers up     ok     static 1/1/1,1/1/25

5. Launch a remote console to Access-2.


6. Create VLAN 12 and name it Managers.
Access-2(config)# vlan 12
Access-2(config-vlan-12)# name Managers
Access-2(config-vlan-12)# exit

7. Configure interface 1/1/4 as an access port for VLAN 12 and add VLAN 12 to the list of allowed
VLANs on trunk port 1/1/25.
Access-2(config)# interface 1/1/4
Access-2(config-if)# vlan access 12
Access-2(config-if)# interface 1/1/25
Access-2(config-if)# vlan trunk allowed 12
Access-2(config-if)# exit

8. Verify that VLAN 12 is allowed on interfaces 1/1/4 and 1/1/25.
Access-2(config)# show vlan 12
------------------------------------------------------------------------------------------------
VLAN Name     Status Reason Type   Interfaces
------------------------------------------------------------------------------------------------
12   Managers up     ok     static 1/1/4,1/1/25

9. Launch a remote console to Core-1.


10. Create VLAN 12 and name it Managers.
Core-1(config)# vlan 12
Core-1(config-vlan-12)# name Managers
Core-1(config-vlan-12)# exit

11. Configure ports 1/1/1 and 1/1/2 to allow VLAN 12.


Core-1(config)# interface 1/1/1-1/1/2
Core-1(config-if-<1/1/1-1/1/2>)# vlan trunk allowed 12
Core-1(config-if-<1/1/1-1/1/2>)# exit

12. Verify VLAN 12.


Core-1(config)# show vlan 12
-------------------------------------------------------------------------------------------
VLAN Name     Status Reason Type   Interfaces
-------------------------------------------------------------------------------------------
12   Managers up     ok     static 1/1/1-1/1/2

13. Navigate to the PC1 remote desktop.


14. Click the Windows icon on the top left corner, then type control panel. Windows will
automatically display all items matching the string.
15. Click the top result (Control Panel). A new window will pop up.

16. In the Control Panel, click View network status and tasks under Network and Internet.

17. Click Change adapter settings on the left options.

18. Double-click Lab NIC to access the NIC status window.

There is an interface called "Do NOT Touch!" Repeat with me: "Do not touch!" If
changes are made to that NIC (like modifying the IP address or disabling the
interface), the access to this virtual machine will be disrupted. Only the lab support
team will be able to recover the system, and that process may delay your lab progress.

19. In the Lab NIC status window, click the Properties button.

20. In the Lab NIC Properties section, select Internet Protocol Version 4 (TCP/IPv4), then click the
Properties button.

21. In Internet Protocol Version 4 (TCP/IPv4) Properties, select Use the following IP address under
the General tab. Then enter the following configuration:
a. IP address: 10.1.12.101
b. Subnet mask: 255.255.255.0
c. Click OK, then click Close.
22. Open the command prompt and use ipconfig -all to confirm the new IP address.

Take note of PC1's MAC address:

23. Navigate to the PC4 remote desktop and repeat steps 14 to 22 to configure the following
IP address:
n IP address: 10.1.12.104
n Subnet mask: 255.255.255.0
24. Open a command prompt and ping PC1's new IP address (10.1.12.101).
The ping should be successful.
25. Now ping PC3's IP address (10.1.11.103).

Was the ping successful?

Answer: Pinging PC3 will fail because it is now in a different network.


26. Display the ARP table using the arp -a command and look for the 10.1.12.101 entry.

Is the PC1 MAC address in the entry the same one you recorded in step 22?

Answer: Yes.

You might also see a 10.1.11.101 entry associated with the same MAC. That is an old
record from the time PC1 and PC4 were both in VLAN 11; this entry will eventually
expire.

27. Navigate back to Access-1.


28. Verify the MAC address table.
Access-1(config)# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 3

MAC Address        VLAN Type    Port
--------------------------------------------------------------
10:4f:58:f6:84:80  1    dynamic 1/1/25
00:50:56:b1:88:25  12   dynamic 1/1/1
00:50:56:b1:d6:e3  12   dynamic 1/1/25

If you do not get an entry mapped to port 1/1/3, artificially generate some traffic on
PC3 to let Access-1 relearn its MAC address. A single ping to 10.1.11.101 is enough.
It will work even if the ping is unsuccessful.

Task 3.3-3: Save your configurations
Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab
checkpoints might be used by later activities.
Steps
1. Save the Access-1, Access-2, and Core-1 configurations.
Access-1
Access-1(config)# write memory
Copying configuration: [Success]

Access-2
Access-2(config)# write memory
Copying configuration: [Success]

Core-1
Core-1(config)# write memory
Copying configuration: [Success]

2. Back up the current Access-1, Access-2, and Core-1 configuration as a custom checkpoint called
Lab3-3_final.
Access-1
Access-1(config)# copy running-config checkpoint Lab3-3_final
Copying configuration: [Success]

Access-2
Access-2(config)# copy running-config checkpoint Lab3-3_final
Copying configuration: [Success]

Core-1
Core-1(config)# copy running-config checkpoint Lab3-3_final
Copying configuration: [Success]

You have completed Lab 3.3!

Lab 4.1: Rapid Spanning Tree Protocol


Your integration of the core switch has been successful and has made the network more scalable.
However, you know that relying on a single core switch can be risky since it is a single point of failure.
If an uplink or the core itself goes down, all business operations can be disrupted. You shared your
concern with the BigStartup management during a conversation, and they agreed with you. As a result,
they acquired a second CX 8325 Series switch. A few weeks later, the switch arrived and was connected
to Core-1.
Objectives
After completing this lab, you will be able to:
n Add a redundant core switch.
n Enable redundant links.
n Verify the spanning tree functionality.
n Find the root bridge.
n Discover the Common Spanning Tree (CST) topology.
Lab topology
The following lab topology will be used for your practical activities:

Task 4.1-1: Add the redundant core switch and redundant links
Objectives
In this task, you will add a fourth component to the topology: Core-2. First, you will make sure that the
core and access switches are running spanning tree. Next, you will prepare port 1/1/26 on both access
switches to act as uplinks to Core-2 and enable them.
Finally, you will confirm that the connectivity between hosts is still in place.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to Core-1.
4. Log in to the switch using the following credentials:
n Username: admin
n Password: <no password - just press Enter>
5. Verify the STP state.
Core-1# show spanning-tree
Spanning-tree is disabled


AOS-CX switches from the CX 8xxx Series, CX 9300 Series, and CX 10000 Series
have spanning tree disabled by default.

6. Enable spanning tree.


Core-1# configure terminal
Core-1(config)# spanning-tree

7. Verify the STP state.


Core-1(config)# show spanning-tree
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 32768
MAC-Address: 10:4f:58:f6:84:80
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768


MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
------------ ------------ ---------- ------- ---------- ----------- --------- -------- -------- -------
1/1/1 Designated Forwarding 2000 128 P2P 23 2 2 0
1/1/2 Root Forwarding 2000 128 P2P Bound 6 19 4 0
<<Omitted output>>

Once enabled, what is the STP mode running on AOS-CX switches?

Answer: MSTP
8. Using the Remote Lab dashboard, launch a console connection to Core-2.
9. Log in to the switch using the following credentials:
n Username: admin
n Password: <no password - just press Enter>
10. Enter the basic configuration, such as the hostname, session timeout, port-group speed, and
interface configuration as follows:
8325# configure terminal
8325(config)# hostname Core-2
Core-2(config)# session-timeout 1440
Core-2(config)# system interface-group 1 speed 10g
This command will disable any transceivers in the group that do not support
the new speed and may disrupt the network.

Continue (y/n)? y
Core-2(config)# interface 1/1/1-1/1/56
Core-2(config-if-<1/1/1-1/1/56>)# no routing
Core-2(config-if-<1/1/1-1/1/56>)# no shutdown
Core-2(config-if-<1/1/1-1/1/56>)# exit
Core-2(config)# interface 1/1/5,1/1/7
Core-2(config-if-<1/1/5,1/1/7>)# shutdown
Core-2(config-if-<1/1/5,1/1/7>)# exit
Core-2(config)# interface 1/1/1
Core-2(config-if)# description To_Access-1_Port-26
Core-2(config-if)# interface 1/1/2
Core-2(config-if)# description To_Access-2_Port-26
Core-2(config-if)# exit

11. Enable STP.


Core-2(config)# spanning-tree

12. Verify the STP state.


Core-2(config)# show spanning-tree
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 32768
MAC-Address: 10:4f:58:f6:84:80
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768


MAC-Address: 90:20:c2:c0:bc:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- --------- ------- ------ --------- ------- --------- -------- ------- -------
1/1/1 Disabled Down 20000 128 P2P 0 0 0 0
<<Omitted output>>

13. Using the Remote Lab dashboard, launch a console connection to Access-1.
14. Allow VLANs 11 and 12 on port 1/1/26.
Access-1# configure terminal
Access-1(config)# interface 1/1/26
Access-1(config-if)# vlan trunk allowed 1,11,12
Access-1(config-if)# no shutdown
Access-1(config-if)# description To_Core-2_Port-1
Access-1(config-if)# exit

15. On the Access-1 switch, use LLDP to discover which Core-2 remote port is connected to
interface 1/1/26. This will be port 1/1/1.
Access-1(config)# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries : 3
Total Neighbor Entries Deleted : 3
Total Neighbor Entries Dropped : 0
Total Neighbor Entries Aged-Out : 3

LOCAL-PORT CHASSIS-ID        PORT-ID               PORT-DESC           TTL SYS-NAME
----------------------------------------------------------------------------------------------
1/1/25     44:5b:ed:67:d3:00 1/1/1                 To_Access-1_Port-25 120 Core-1
1/1/26     90:20:c2:c0:bc:00 1/1/1                 To_Access-1_Port-26 120 Core-2
mgmt       00:23:89:bb:73:4a GigabitEthernet2/0/24 T14-6300-A-OOBM     120 P54-OOBM-Fanout

16. Using the Remote Lab dashboard, launch a console connection to Access-2.
17. Allow VLANs 11 and 12 on port 1/1/26.
Access-2# configure terminal
Access-2(config)# interface 1/1/26
Access-2(config-if)# vlan trunk allowed 1,11,12
Access-2(config-if)# no shutdown
Access-2(config-if)# description To_Core-2_Port-2
Access-2(config-if)# exit
Access-2(config)#

18. On the Access-2 switch, use LLDP to discover which Core-2 remote port is connected to
interface 1/1/26. This will be port 1/1/2.
Access-2(config)# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries : 3
Total Neighbor Entries Deleted : 3
Total Neighbor Entries Dropped : 0
Total Neighbor Entries Aged-Out : 3

LOCAL-PORT CHASSIS-ID        PORT-ID              PORT-DESC           TTL SYS-NAME
-----------------------------------------------------------------------------------------------
1/1/25     44:5b:ed:67:d3:00 1/1/2                To_Access-2_Port-25 120 Core-1
1/1/26     90:20:c2:c0:bc:00 1/1/2                To_Access-2_Port-26 120 Core-2
mgmt       00:23:89:bb:73:4a GigabitEthernet3/0/8 T14-6300-B-OOBM     120 P54-OOBM-Fanout

You have prepared the access switches' uplinks. Now, you will prepare the connections between
the cores and their downlinks.
19. Navigate to the Core-1 console tab and use LLDP to discover which ports are connected
between Core-1 and Core-2.
Core-1(config)# show lldp neighbor-info

LLDP Neighbor Information
=========================

Total Neighbor Entries : 6
Total Neighbor Entries Deleted : 1
Total Neighbor Entries Dropped : 0
Total Neighbor Entries Aged-Out : 1

LOCAL-PORT CHASSIS-ID        PORT-ID              PORT-DESC         TTL SYS-NAME
---------------------------------------------------------------------------------------------
1/1/1      10:4f:58:fc:14:40 1/1/25               To_Core-1_Port-1  120 Access-1
1/1/2      10:4f:58:f6:84:80 1/1/25               1/1/25            120 Access-2
1/1/45     90:20:c2:c0:bc:00 1/1/45               1/1/45            120 Core-2
1/1/46     90:20:c2:c0:bc:00 1/1/46               1/1/46            120 Core-2
1/1/47     90:20:c2:c0:bc:00 1/1/47               1/1/47            120 Core-2
mgmt       00:23:89:bb:73:4a GigabitEthernet2/0/8 T14-8325-A-OOBM   120 P54-OOBM-Fanout

What are the Core-1 local ports?

Answer: 1/1/45, 1/1/46, and 1/1/47.


What are the Core-2 remote ports?

Answer: 1/1/45, 1/1/46, and 1/1/47.


20. Disable port 1/1/47; it will not be used in this lab.
Core-1(config)# interface 1/1/47
Core-1(config-if)# shutdown
Core-1(config-if)# exit

21. Allow VLAN 11 and 12 on ports 1/1/45 and 1/1/46.


Core-1(config)# interface 1/1/45-1/1/46
Core-1(config-if-<1/1/45-1/1/46>)# vlan trunk allowed 1,11,12
Core-1(config-if-<1/1/45-1/1/46>)# exit

22. Navigate to the Core-2 console tab.


23. Create VLANs 11 and 12.
Core-2(config)# vlan 11
Core-2(config-vlan-11)# name Employees
Core-2(config-vlan-11)# vlan 12
Core-2(config-vlan-12)# name Managers
Core-2(config-vlan-12)# exit

24. Allow VLANs 11 and 12 on ports 1/1/1 and 1/1/2.


Core-2(config)# interface 1/1/1-1/1/2
Core-2(config-if-<1/1/1-1/1/2>)# vlan trunk allowed 1,11,12
Core-2(config-if-<1/1/1-1/1/2>)# exit

25. Allow VLANs 11 and 12 on ports 1/1/45 and 1/1/46.

Core-2(config)# interface 1/1/45-1/1/46
Core-2(config-if-<1/1/45-1/1/46>)# vlan trunk allowed 1,11,12
Core-2(config-if-<1/1/45-1/1/46>)# exit

Task 4.1-2: Verify the topology


Objectives
Obtain and record the Bridge ID (BID) of the switches, then identify designated bridges for each link
and locate the root bridge as well as link costs. This information will allow you to draw the current
logical CST topology.
Steps
1. Navigate to the Access-1 console.
2. Use the show spanning-tree command to get the switch MAC address and priority.
Access-1(config)# show spanning-tree
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 32768
MAC-Address: 10:4f:58:f6:84:80
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768
MAC-Address: 10:4f:58:fc:14:40
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15
<<Omitted output>>

IMPORTANT: Some of the command output depends on your switch hardware. For
example, the system MAC address is unique to your equipment.

What is the switch's MAC address?

Answer: This is relative to your switch. In this example, the switch's MAC address is:
10:4f:58:fc:14:40.
What is the switch priority?

Answer: The switch priority is 32768.

You can obtain the BID by concatenating the switch priority value with the switch
MAC address—for example, 32768:10:4f:58:fc:14:40 for the output in the example.

3. Use this information to determine the Bridge ID of Access-1 and write down the value in Figure
4.1-1.
4. Repeat step 2 on Access-2, Core-1, and Core-2. Take note of each switch priority and MAC
address.
Access-2
Access-2(config)# show spanning-tree
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 32768
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768


MAC-Address: 10:4f:58:f6:84:80
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Core-1
Core-1(config)# show spanning-tree
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 32768
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768


MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Core-2
Core-2(config)# show spanning-tree
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 32768
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768


MAC-Address: 90:20:c2:c0:bc:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Which switch is acting as the root bridge? (Compare the BID to the Root ID.)

Answer: The result may vary since each lab has a set of switches with different MAC addresses.
In this example, Core-1 was selected as the root due to its MAC address having the lowest
numbers.
Notice that all the switches have the same priority on their factory config.
5. Navigate to the Core-1 console and configure its priority to become the root bridge.
Core-1(config)# spanning-tree priority 1

6. Navigate to the Core-2 console and configure its priority to become a secondary root bridge.
Core-2(config)# spanning-tree priority 2

Configuring the second smallest priority on Core-2 aims to ensure that, in case of a
general failure on Core-1, Core-2 will assume the root bridge role.

7. Repeat the show spanning-tree command on all switches and take note of the BID of each
switch.

Figure 4.1-1: BIDs, designated bridges, and costs


8. Move back to Access-1 and run the show spanning-tree command.
Access-1(config)# show spanning-tree | begin Port
Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
--------- ------------- ---------- -------- --------- ------ --------- -------- -------- -------
1/1/1 Designated Forwarding 20000 128 P2P 820099 0 0 0
1/1/2 Disabled Down 20000 128 P2P 0 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 820118 0 0 0
1/1/4 Disabled Down 20000 128 P2P 0 0 0 0
<<Omitted output>>

What are the path costs of the ports?

Answer: 20,000

The link path cost is relevant because it is used as a metric for calculating the Root
Path Cost (RPC) for each non-root bridge's port. The port RPC is calculated by taking
the RPC announced in an incoming BPDU and adding it to the link path cost of the
port that receives the BPDU. This is equivalent to adding up the link path cost of
each link between the local switch and the root bridge. If two or more ports have
paths to the root bridge, the one with the lowest RPC is the one that will be chosen
as the root port.
RSTP (802.1w) and MST (802.1s) use path costs defined in the 802.1t standard,
which is an update of the legacy STP (802.1D). 802.1t defines the following path
costs based on link speeds:

Link speed   Value
100 Mbps     200,000
1 Gbps       20,000
10 Gbps      2,000
100 Gbps     200

9. Issue the show spanning-tree detail command. The output will be very long.

The show spanning-tree detail command displays the role and state of the ports,
similar to the show spanning-tree command, with the addition of which switch is the
designated bridge for each link, the number of transitions to forwarding state, and
the number of BPDUs being exchanged.

10. Now try a filtered version of the show spanning-tree detail command in order to find the
designated bridge on each uplink.
Access-1(config)# show spanning-tree detail | begin "Port 1/1/25"
Port 1/1/25 id 25
Designated root has priority :4096 Address: 44:5b:ed:67:d3:00
Designated bridge has priority :4096 Address: 44:5b:ed:67:d3:00
Designated port id :1
Number of transitions to forwarding state : 5
Bpdus sent 23, received 513259
TCN_Tx: 12, TCN_Rx: 23

Port 1/1/26 id 26
Designated root has priority :4096 Address: 44:5b:ed:67:d3:00
Designated bridge has priority :8192 Address: 90:20:c2:c0:bc:00
Designated port id :1
Number of transitions to forwarding state : 4

Bpdus sent 12, received 34179
TCN_Tx: 7, TCN_Rx: 15

What is the switch's BID of the designated bridge on port 1/1/25 (port connected to Core-1)?

Answer: 4096 Address: 44:5b:ed:67:d3:00


What is the designated port ID and who owns it?

Answer: Port 1 (1/1/1), Core-1


What is the switch's BID of the designated bridge on port 1/1/26 (port connected to Core-2)?

Answer: 8192 Address: 90:20:c2:c0:bc:00


What is the designated port ID and who owns it?

Answer: port ID 1 (1/1/1), Core-2


11. Move to Access-2 and repeat step 10.
Access-2(config)# show spanning-tree detail | begin "Port 1/1/25"
Port 1/1/25 id 25
Designated root has priority :4096 Address: 44:5b:ed:67:d3:00
Designated bridge has priority :4096 Address: 44:5b:ed:67:d3:00
Designated port id :2
Number of transitions to forwarding state : 3
Bpdus sent 510989, received 2891
TCN_Tx: 9, TCN_Rx: 22

Port 1/1/26 id 26
Designated root has priority :4096 Address: 44:5b:ed:67:d3:00
Designated bridge has priority :8192 Address: 90:20:c2:c0:bc:00
Designated port id :2
Number of transitions to forwarding state : 2
Bpdus sent 31742, received 2877
TCN_Tx: 7, TCN_Rx: 12

What is the switch's BID of the designated bridge on port 1/1/25 (port connected to Core-1)?

Answer: 4096 Address: 44:5b:ed:67:d3:00


What is the designated port ID and who owns it?

Answer: Port ID 2 (1/1/2), Core-1


What is the switch's BID of the designated bridge on port 1/1/26 (port connected to Core-2)?

Answer: 8192 Address: 90:20:c2:c0:bc:00
What is the designated port ID and who owns it?

Answer: Port ID 2 (1/1/2), Core-2


12. Move to Core-2 and verify ports 1/1/45 and 1/1/46.
Core-2(config)# show spanning-tree detail | begin "Port 1/1/45"
Port 1/1/45 id 45
Designated root has priority :4096 Address: 44:5b:ed:67:d3:00
Designated bridge has priority :4096 Address: 44:5b:ed:67:d3:00
Designated port id :45
Number of transitions to forwarding state : 3
Bpdus sent 24, received 35493
TCN_Tx: 18, TCN_Rx: 12

Port 1/1/46 id 46
Designated root has priority :4096 Address: 44:5b:ed:67:d3:00
Designated bridge has priority :4096 Address: 44:5b:ed:67:d3:00
Designated port id :46
Number of transitions to forwarding state : 3
Bpdus sent 22, received 35490
TCN_Tx: 8, TCN_Rx: 12

What is the switch's BID of the designated bridge on port 1/1/45?

Answer: 4096 Address: 44:5b:ed:67:d3:00


What is the designated port ID and who owns it?

Answer: Port ID 45 (1/1/45), Core-1


What is the switch's BID of the designated bridge on port 1/1/46?

Answer: 4096 Address: 44:5b:ed:67:d3:00


What is the designated port ID and who owns it?

Answer: Port ID 46 (1/1/46), Core-1


13. Write down the designated bridge of these links on Figure 4.1-1.
At this point, you have obtained enough information to accurately determine the root bridge, the
roles of ports from the root bridge to all the other switches, and to draw the CST topology. Let's
start with the root bridge and ports' roles identification.

Bridge role assignment
Bridge role assignment is aligned with the following rules:
Rule 1: In a topology with redundant switch ports, the switch with lowest BID (bridge
priority + MAC address) is elected root bridge.
Rule 2: A switch is considered to be closer to the root bridge if it has the lowest RPC
from the root port and lowest BID combination. On a switch-to-switch link, a
designated bridge is the switch that is closest to the root bridge while the other
switch will be a non-designated bridge.
Rule 3: The root bridge is always the designated bridge for all its links.
Rule 4: On a link connected to a collision domain where there is only one switch
running STP, that switch will be the designated bridge for that link.
Port role assignment
Port role assignment follows the following rules:
Rule 5: On a switch-to-switch link, the port in the designated bridge side will be
chosen as a designated port, unless there is a local loop on the same switch. In that
case, the interface with the lowest port ID will be the designated port and the other
will be the blocked port.
Rule 6: If a non-root bridge has only one switch-to-switch link, then the port used for
that link is the root port.
Rule 7: If a non-root bridge has two or more switch-to-switch links to different
remote devices, then:
a) The one with the lowest RPC is the root port. In case of a tie of two or more links
with the same RPC, the one whose upstream switch is considered closest to the root
bridge will be the root port.
b) For any other links on which this switch was elected the designated bridge, the
interface will be chosen as the designated port.
Rule 8: If a non-designated bridge has two or more links with equal RPC to the same
designated bridge, then the local interface that connects the neighbor with the low-
est port ID will be selected as the root port.
Rule 9: Any other interface on links where the local switch was not elected the
designated bridge will be considered an alternate port.
As a side note, the final state of designated and root ports is forwarding, unless there
is a security feature triggering an action like root-guard, bpdu-protection, or
loop-guard, in which case it will be either blocking or inconsistent.
The alternate port's final state will always be discarding.
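A worked model of the RPC calculation from step 8 and of the bridge and port role rules above, added here as an example that is not part of the lab guide: it encodes the four lab switches with the priorities and MAC addresses shown in the show spanning-tree outputs and applies the rules to recover the root bridge, each switch's RPC, and each port's role. The link speeds are assumptions (10 Gbps access uplinks, as the cost 2000 in the outputs implies, and 25 Gbps for the Core-1 to Core-2 links, which the guide does not state).

```python
"""Added example (not from the lab guide): derive the Lab 4.1 CST topology
from the STP rules. Priorities and MACs are those in the guide's outputs;
link speeds are assumptions (10 Gbps uplinks, 25 Gbps Core-1/Core-2 links)."""
from dataclasses import dataclass, field


def path_cost(speed_mbps: int) -> int:
    """802.1t path cost = 20 Tbps / link speed; reproduces the guide's table
    (100 Mbps -> 200,000, 1 Gbps -> 20,000, 10 Gbps -> 2,000, 100 Gbps -> 200)."""
    return 20_000_000 // speed_mbps


def bridge_id(priority: int, mac: str) -> tuple:
    """BID = priority followed by MAC; the tuple compares priority first, then MAC."""
    return (priority, int(mac.replace(":", ""), 16))


def port_id(name: str) -> int:
    """Port ID as the guide prints it: the member number N of 1/1/N."""
    return int(name.rsplit("/", 1)[1])


@dataclass
class Bridge:
    name: str
    priority: int
    mac: str
    edge_ports: list = field(default_factory=list)  # ports with only a PC behind them
    links: dict = field(default_factory=dict)       # port -> (peer, peer port, Mbps)

    @property
    def bid(self) -> tuple:
        return bridge_id(self.priority, self.mac)


def connect(a: Bridge, pa: str, b: Bridge, pb: str, speed_mbps: int) -> None:
    a.links[pa] = (b, pb, speed_mbps)
    b.links[pb] = (a, pa, speed_mbps)


def compute_roles(bridges: list) -> tuple:
    """Return ({(switch, port): role}, {switch: RPC}, root bridge name)."""
    root = min(bridges, key=lambda b: b.bid)                          # Rule 1
    rpc = {b.name: None for b in bridges}
    rpc[root.name] = 0
    root_port = {}
    # Relax until stable. A non-root bridge takes as root port the link whose received
    # BPDU yields the lowest (RPC + link cost, sender BID, sender port ID, local port ID)
    # vector, which is Rules 6, 7a and 8 in one comparison.
    for _ in range(len(bridges)):
        changed = False
        for b in bridges:
            if b is root:
                continue
            best = None
            for p, (peer, pp, speed) in b.links.items():
                if rpc[peer.name] is None:      # peer has not heard from the root yet
                    continue
                vec = (rpc[peer.name] + path_cost(speed), peer.bid, port_id(pp), port_id(p))
                if best is None or vec < best[0]:
                    best = (vec, p)
            if best and (rpc[b.name], root_port.get(b.name)) != (best[0][0], best[1]):
                rpc[b.name], root_port[b.name] = best[0][0], best[1]
                changed = True
        if not changed:
            break
    roles = {}
    for b in bridges:
        for p in b.edge_ports:                                        # Rule 4
            roles[(b.name, p)] = "Designated"
        for p, (peer, pp, _) in b.links.items():
            if root_port.get(b.name) == p:
                roles[(b.name, p)] = "Root"
                continue
            # The designated bridge on a link is the side with the lowest (RPC, BID,
            # port ID); the root always wins with RPC 0 (Rules 2, 3, 5, 7b).
            mine = (rpc[b.name], b.bid, port_id(p))
            theirs = (rpc[peer.name], peer.bid, port_id(pp))
            roles[(b.name, p)] = "Designated" if mine < theirs else "Alternate"  # Rule 9
    return roles, rpc, root.name


def lab_topology() -> list:
    """The four lab switches after step 6; CLI priority 1 and 2 show as 4096 and 8192."""
    core1 = Bridge("Core-1", 4096, "44:5b:ed:67:d3:00")
    core2 = Bridge("Core-2", 8192, "90:20:c2:c0:bc:00")
    acc1 = Bridge("Access-1", 32768, "10:4f:58:fc:14:40", edge_ports=["1/1/1", "1/1/3"])
    acc2 = Bridge("Access-2", 32768, "10:4f:58:f6:84:80", edge_ports=["1/1/4"])
    connect(core1, "1/1/1", acc1, "1/1/25", 10_000)
    connect(core1, "1/1/2", acc2, "1/1/25", 10_000)
    connect(core2, "1/1/1", acc1, "1/1/26", 10_000)
    connect(core2, "1/1/2", acc2, "1/1/26", 10_000)
    connect(core1, "1/1/45", core2, "1/1/45", 25_000)  # assumed speed; 1/1/47 is shut down
    connect(core1, "1/1/46", core2, "1/1/46", 25_000)
    return [core1, core2, acc1, acc2]


if __name__ == "__main__":
    roles, rpc, root = compute_roles(lab_topology())
    print(f"CST root bridge: {root}")
    for (sw, port), role in sorted(roles.items(), key=lambda kv: (kv[0][0], port_id(kv[0][1]))):
        print(f"{sw:9} {port:7} {role:11} RPC={rpc[sw]}")
```

Running it reports Core-1 as root, 1/1/25 as the root port and 1/1/26 as the alternate port on both access switches, and 1/1/45 as the root port on Core-2, which is the result steps 14 to 21 lead you to on Figure 4.1-2.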

Based on recorded information, which is the root bridge? Remember that the root bridge is the
switch with the lowest BID.

Answer: Core-1
What was the BID component that made this switch the root bridge, the MAC address or the
priority value?

Answer: The priority value.


Which switch will become root if the current one fails?

Answer: Core-2, as it has the second lowest priority.


14. Label the root bridge on Figure 4.1-2.
15. All root bridges' ports are designated ports. Tag them as DP on Figure 4.1-2—Rule 3.
16. Each access switch has two ports with different RPCs. The one with the lowest value (20,000) is
the root port (either port 25 or 26); tag them as RP—Rule 7a.
17. The non-root core switch has two connections to the root. Since both have the same RPC value
(20,000), the local port connected to the neighbor's interface with the lowest port ID will be the
RP (interface 1/1/45)—Rule 8
18. On the other link between the non-root core switch and Access-1, one of them is considered to
be closest to the root. That is the designated bridge; tag its port as DP.—Rule 2, Rule 7b.
19. Repeat step 18 for the connection between the non-root bridge core switch and Access-2.
20. Last, both access switches have ports on which they are the only STP speaker (1/1/1 and
1/1/3 on Access-1 and 1/1/4 on Access-2). Therefore, the access switches are the designated
bridges for those links, and the interfaces are designated ports; tag them as DP—Rule 4.
21. Any other interface will be considered an alternate port. Draw an X on them to indicate the
blocked link—Rule 9.

Figure 4.1-2: Devices and ports roles
At this point, you have a good idea of how the topology should look. In the next steps, this
analysis will be validated.
22. On Core-2, run the show spanning-tree command.
Core-2(config)# show spanning-tree
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 4096
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 8192


MAC-Address: 90:20:c2:c0:bc:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

<<Omitted output>>

What is the BID of the CST (MST0) root bridge?

Answer: Priority : 4096, MAC-Address: 44:5b:ed:67:d3:00


Does the CST root bridge in the output match the one that you identified in Figure 4.1-2?

Answer: Yes, it should match.

The root bridge election result was not random. By assigning the low priority values of
4096 to Core-1 and 8192 to Core-2, Core-1 is elected root and Core-2 becomes the
backup in case of failure. This is a best practice because, at the data plane, the root
bridge acts as the transport for traffic coming from and going to devices connected to
non-root bridges.

23. On the access switches, use filtered versions of the show spanning-tree command for validating
the roles of the ports.
Access-1
Access-1(config)# show spanning-tree | exclude Disabled
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 4096
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768


MAC-Address: 10:4f:58:fc:14:40
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------- --------- ---------- -------- -------- ------- ------
1/1/1 Designated Forwarding 20000 128 P2P 825074 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 825093 0 0 0
1/1/25 Root Forwarding 2000 128 P2P Bound 23 517214 12 23
1/1/26 Alternate Blocking 2000 128 P2P Bound 12 38134 7 15

Access-2
Access-2(config)# show spanning-tree | exclude Disabled
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 4096
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 32768


MAC-Address: 10:4f:58:f6:84:80
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------- --------- ---------- -------- -------- ------- ------
1/1/4 Designated Forwarding 20000 128 P2P 566544 0 0 0
1/1/25 Root Forwarding 2000 128 P2P Bound 510989 6281 9 22
1/1/26 Alternate Blocking 2000 128 P2P Bound 31742 6267 7 12

Do the outputs match your Figure 4.1-2 results?



Answer: Yes, they should match.

If they do not, it may be because some of the ports are either down or the access
switches' priorities are not 32768. Fix that portion of the configuration before moving forward.

24. On Core-1 and Core-2, use filtered versions of the show spanning-tree command for validating
the roles of the ports. Look specifically for ports 1/1/1, 1/1/2, 1/1/45, and 1/1/46.
Core-1
Core-1(config)# show spanning-tree | exclude Disabled
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 4096
MAC-Address: 44:5b:ed:67:d3:00
This bridge is the root
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 4096


MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- -------- ---------- ------- -------- -------- ------- -------
1/1/1 Designated Forwarding 2000 128 P2P 39514 14 21 9
1/1/2 Designated Forwarding 2000 128 P2P 6500 33029 21 7
1/1/45 Designated Forwarding 800 128 P2P 39222 29 15 14
1/1/46 Designated Forwarding 800 128 P2P 39004 242 16 6

Core-2
Core-2(config)# show spanning-tree | exclude Disabled
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 4096
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 8192


MAC-Address: 90:20:c2:c0:bc:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- -------- --------- ---------- --------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 38404 12 15 6
1/1/2 Designated Forwarding 2000 128 P2P 6499 31742 14 5
1/1/45 Root Forwarding 800 128 P2P Bound 24 39013 18 12
1/1/46 Alternate Blocking 800 128 P2P Bound 22 39010 8 12

Do the outputs match your Figure 4.1-2 results?



Answer: Yes, they should match.

Figure 4.1-3: Expected port status

Task 4.1-3: Test link failure


Objectives
After discovering the CST topology, you should have a good idea of how traffic flows. You will now test
how resilient the network is to a failure of any uplink.
Steps
1. From the Remote Lab dashboard, launch a remote desktop to PC1.
2. Start a continuous ping to PC4 (10.1.12.104). The ping should be successful.

At this point and based on Figure 4.1-3 in the previous task, traffic is flowing from
PC1 to Access-1 → Access-1 to Core-1 (using the port 1/1/25 to 1/1/1 link) →
Core-1 to Access-2 (using the port 1/1/2 to 1/1/25 link) → Access-2 to PC4. You
will now modify the topology and analyze the traffic path.

Figure 4.1-4: CST topology


3. Move to Access-1 and use the show spanning-tree command to verify the current root port. It
should be 1/1/25.
Access-1(config)# show spanning-tree | include Root
Root ID Priority : 4096
1/1/25 Root Forwarding 2000 128 P2P Bound 23 518369 12 23

4. Disable port 1/1/25.


Access-1(config)# interface 1/1/25
Access-1(config-if)# shutdown
Access-1(config-if)# exit
Access-1(config)#

5. Verify the new root port; it should be port 1/1/26.


Access-1(config)# show spanning-tree | include Root
Root ID Priority : 4096
1/1/26 Root Forwarding 2000 128 P2P Bound 14 39344 9 15

6. Move back to PC1 and verify the ping.


Is the ping still running?



Answer: Yes, the ping should continue as the alternate path is now active.
7. Stop pinging (press Ctrl+c). How many packets did you lose?

Answer: Very low packet loss is expected, from 0 to 1 packets.

8. What is the traffic flow now?

Answer: Traffic is now flowing from PC1 to Access-1 → Access-1 to Core-2 (using the port
1/1/26 to 1/1/1 link) → Core-2 to Core-1 (using the port 1/1/45 link) → Core-1 to Access-2
(using the port 1/1/2 to 1/1/25 link) → Access-2 to PC4, as seen in Figure 4.1-5.

Figure 4.1-5: CST topology after failure


9. Move to Access-1 and re-enable port 1/1/25. The topology should return to normal.

Access-1(config)# interface 1/1/25
Access-1(config-if)# no shutdown
Access-1(config-if)# exit
Access-1(config)# show spanning-tree | include Root
Root ID Priority : 4096
1/1/25 Root Forwarding 2000 128 P2P Bound 23 518393 12 23

Task 4.1-4: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab checkpoints might be used by later activities.
Steps
1. Save the current access and core switches' configuration in the startup checkpoint.
Access-1
Access-1(config)# write memory
Copying configuration: [Success]

Access-2
Access-2(config)# write memory
Copying configuration: [Success]

Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches' configuration, as a custom checkpoint called Lab4-1_final.
Access-1
Access-1(config)# copy running-config checkpoint Lab4-1_final
Copying configuration: [Success]

Access-2
Access-2(config)# copy running-config checkpoint Lab4-1_final
Copying configuration: [Success]

Core-1
Core-1(config)# copy running-config checkpoint Lab4-1_final
Copying configuration: [Success]



Core-2
Core-2(config)# copy running-config checkpoint Lab4-1_final
Copying configuration: [Success]

You have completed Lab 4.1!


Lab 4.2: Deploying MSTP


Surprisingly enough, two days after the second core was deployed at BigStartup, a fiber connection was
broken in the MDF. This affected the Access-1 main uplink; however, your previous STP configuration
avoided any network disruption. BigStartup (your customer) only realized there was a failure in the link
when they received notification from the management software. Your customer is very satisfied with
your advice. Your business relationship and their trust in you is growing.
Nonetheless, the failover event made BigStartup management wonder: Are the uplinks in an idle state
when there is no failure? Are there connections that normally do not forward any traffic? Is it possible
to share the load across those uplinks?
When you were asked those questions, the answer was "yes" to all of them. You went on to explain
there is a version of the STP protocol that not only provides loop avoidance and fast failover but also
provides load sharing, and that it could be easily deployed. It is called Multiple Instance Spanning Tree
Protocol (MSTP). The next morning, you received a request to deploy the solution.
Objectives
After completing this lab, you will be able to:
• Deploy an MST region configuration.
• Draw per-instance topologies.
• Validate the load sharing effect.
Lab topology
The following lab topology will be used for your practical activities:



Task 4.2-1: Configure an MST region
Objectives
In this task, you will deploy the MST region configuration, including two instances on your switches.
Then, you will explore the current core's priority values and confirm that all switches agree on the root
bridge in each Instance.
Steps
1. Using the Remote Lab dashboard, launch a remote console to Core-1.
2. Display the current MST region configuration.
Core-1(config)# show spanning-tree mst-config
MST configuration information
MST config ID : 44:5b:ed:67:d3:00
MST config revision : 0
MST config digest : AC36177F50283CD4B83821D8AB26DE62
Number of instances : 0

Instance ID Member VLANs


--------------- ----------------------------------
0 1-4040

Notice that all VLANs are mapped to instance 0 (CST) by default, and the region
name is equal to the switch MAC address.

3. Configure an MST region named CXF and create two new instances: instance 1 mapped to VLAN
11 and instance 2 mapped to VLAN 12.

Core-1(config)# spanning-tree config-name CXF
Core-1(config)# spanning-tree config-revision 1
Core-1(config)# spanning-tree instance 1 vlan 11
Core-1(config)# spanning-tree instance 2 vlan 12

4. Verify the new MST regions' configuration.


Core-1(config)# show spanning-tree mst-config
MST configuration information
MST config ID : CXF
MST config revision : 1
MST config digest : BE0284D20F4D46A8DA89C5D9B3B4F78A
Number of instances : 2

Instance ID Member VLANs


--------------- ----------------------------------
0 1-10,13-4040
1 11
2 12

Note the differences, such as the region name, revision level, and instances 1 and 2.

5. Navigate to the Core-2 console.


6. Display the current MST region configuration.
Core-2(config)# show spanning-tree mst-config
MST configuration information
MST config ID : 90:20:c2:c0:bc:00
MST config revision : 0
MST config digest : AC36177F50283CD4B83821D8AB26DE62
Number of instances : 0

Instance ID Member VLANs


--------------- ----------------------------------
0 1-4040

7. Core-2 has the default MST configuration. Repeat the step 3 configuration on Core-2.
Core-2(config)# spanning-tree config-name CXF
Core-2(config)# spanning-tree config-revision 1
Core-2(config)# spanning-tree instance 1 vlan 11
Core-2(config)# spanning-tree instance 2 vlan 12

8. Navigate to the Access-1 console.


9. Verify the MST configuration.
Access-1(config)# show spanning-tree mst-config
MST configuration information
MST config ID : 10:4f:58:fc:14:40
MST config revision : 0
MST config digest : AC36177F50283CD4B83821D8AB26DE62
Number of instances : 0

Instance ID Member VLANs


--------------- ----------------------------------
0 1-4094

What are the default config ID and revision number?

Answer: That value is specific to each deployment. In this example, the config ID is:
10:4f:58:fc:14:40.
What is the default VLAN to Instance mapping?

Answer: Instance 0 has VLANs 1 to 4094 mapped to it.


10. Navigate to the Access-2 console.
11. Verify the MST configuration.
Access-2(config)# show spanning-tree mst-config
MST configuration information
MST config ID : 10:4f:58:f6:84:80
MST config revision : 0
MST config digest : AC36177F50283CD4B83821D8AB26DE62
Number of instances : 0

Instance ID Member VLANs


--------------- ----------------------------------
0 1-4094

What are the default config ID and revision number?

Answer: That value is specific to each deployment. In this example, the config ID is:
10:4f:58:f6:84:80.
What is the default VLAN to instance mapping?

Answer: Instance 0 has VLANs 1 to 4094 mapped to it.

As you can see, the access switches' configuration is different from the core switches',
and although Access-1 and Access-2 share the same digest (the result of having all
VLANs mapped to Instance 0), they do not share the region ID or revision number.
Therefore, they belong to different regions.

Switches that do not share a common region configuration will belong to different
regions. If this is the case, then they will run RSTP, negotiate roles within the CST,
and form part of the CST topology only. They will lack any MST-based load sharing
support. In this type of design, root and designated ports will forward traffic for all
VLANs, and similarly, alternate ports will discard traffic from all VLANs.
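The region check described in the two notes above can be automated. The following Python script is an added example, not part of the lab guide or of AOS-CX itself: it parses the `show spanning-tree mst-config` output of each switch, groups switches by the full region identity (name, revision and digest), and reports when switches that share a digest still belong to different regions. The four transcripts are constructed from the outputs shown in steps 4, 6, 9 and 11, that is, the state after the cores are configured but before the access switches are.

```python
import re

# Constructed from the lab guide's `show spanning-tree mst-config` transcripts as they
# stand after step 7: both cores carry the CXF region, the access switches are still default.
MST_CONFIG_OUTPUTS = {
    "Core-1": """MST configuration information
MST config ID : CXF
MST config revision : 1
MST config digest : BE0284D20F4D46A8DA89C5D9B3B4F78A
Number of instances : 2
""",
    "Core-2": """MST configuration information
MST config ID : CXF
MST config revision : 1
MST config digest : BE0284D20F4D46A8DA89C5D9B3B4F78A
Number of instances : 2
""",
    "Access-1": """MST configuration information
MST config ID : 10:4f:58:fc:14:40
MST config revision : 0
MST config digest : AC36177F50283CD4B83821D8AB26DE62
Number of instances : 0
""",
    "Access-2": """MST configuration information
MST config ID : 10:4f:58:f6:84:80
MST config revision : 0
MST config digest : AC36177F50283CD4B83821D8AB26DE62
Number of instances : 0
""",
}

FIELDS = {
    "name": re.compile(r"^MST config ID\s*:\s*(\S+)", re.M),
    "revision": re.compile(r"^MST config revision\s*:\s*(\d+)", re.M),
    "digest": re.compile(r"^MST config digest\s*:\s*([0-9A-Fa-f]{32})", re.M),
}


def parse_mst_config(text):
    """Pull the three region identifiers out of one switch's output.

    Raises ValueError when a field is missing, so a truncated transcript is
    never silently treated as a match.
    """
    cfg = {}
    for key, pattern in FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"{key} not found in mst-config output")
        cfg[key] = match.group(1)
    cfg["revision"] = int(cfg["revision"])
    cfg["digest"] = cfg["digest"].upper()
    return cfg


def group_regions(outputs):
    """Map each distinct (name, revision, digest) triple to the switches carrying it."""
    regions = {}
    for switch, text in outputs.items():
        cfg = parse_mst_config(text)
        key = (cfg["name"], cfg["revision"], cfg["digest"])
        regions.setdefault(key, []).append(switch)
    return regions


def region_findings(outputs):
    """Human-readable findings; empty when every switch is in a single region."""
    regions = group_regions(outputs)
    if len(regions) == 1:
        return []
    findings = [f"{len(regions)} MST regions found; inter-region links will run CST only"]
    for (name, rev, digest), members in sorted(regions.items()):
        findings.append(f"region name={name} revision={rev} digest={digest[:8]}...: "
                        + ", ".join(members))
    # Same digest but a different name or revision is the default-configuration trap:
    # an identical VLAN-to-instance mapping alone does not make two switches region members.
    by_digest = {}
    for (_name, _rev, digest), members in regions.items():
        by_digest.setdefault(digest, []).extend(members)
    for digest, members in by_digest.items():
        if sum(1 for key in regions if key[2] == digest) > 1:
            findings.append(f"{', '.join(sorted(members))} share digest {digest[:8]}... "
                            "but differ in name/revision")
    return findings


if __name__ == "__main__":
    for line in region_findings(MST_CONFIG_OUTPUTS) or ["all switches in one MST region"]:
        print(line)
```

Run against the constructed transcripts it reports three regions: the two cores together, and each access switch on its own despite their common digest. After steps 13 and 15 the same check returns no findings.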

12. Navigate to the Access-1 console.


13. Configure MST.
Access-1(config)# spanning-tree config-name CXF
Access-1(config)# spanning-tree config-revision 1
Access-1(config)# spanning-tree instance 1 vlan 11
Access-1(config)# spanning-tree instance 2 vlan 12

14. Navigate to the Access-2 console.


15. Configure MST.
Access-2(config)# spanning-tree config-name CXF
Access-2(config)# spanning-tree config-revision 1
Access-2(config)# spanning-tree instance 1 vlan 11
Access-2(config)# spanning-tree instance 2 vlan 12

16. You should have the same MST configuration on Core-1, Core-2, Access-1, and Access-2, creating a single MSTP region.

Task 4.2-2: Load balancing


Objectives
In this task, you will start by verifying the active links for each instance. Then, you will configure priorities on Core-1 and Core-2 for MST instances 1 and 2 to provide the expected load balancing between links.



Steps
1. You will start by identifying the Instance 1 root bridge, designated ports, root ports, and
alternate ports (blocking ports). Take note of your findings in the following figure.

Figure 4.2-1: Instance 1 switch and port roles

Enter DP on designated ports, RP on root ports, and ALT on alternate ports.

2. Using the Remote Lab dashboard, launch a remote console to Core-1.


3. Verify Instance 1 (MST1) and take note of port roles, BID, and Root ID on Figure 4.2-1.
Core-1(config)# show spanning-tree mst 1| exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:44:5b:ed:67:d3:00 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:1/1/2, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 78519 90 48 27
1/1/2 Root Forwarding 2000 128 P2P 45838 34944 49 23
1/1/45 Designated Forwarding 800 128 P2P 78566 52 51 24
1/1/46 Designated Forwarding 800 128 P2P 78348 267 53 6

Topology change flag : True


Number of topology changes : 49
Last topology change occurred : 3786 seconds ago

4. Repeat step 3 on Core-2, Access-1, and Access-2.


Core-2
Core-2(config)# show spanning-tree mst 1 | exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:90:20:c2:c0:bc:00 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:1/1/2, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 78228 91 55 8
1/1/2 Root Forwarding 2000 128 P2P 46329 34139 62 5
1/1/45 Alternate Blocking 800 128 P2P 47 78829 28 48
1/1/46 Alternate Blocking 800 128 P2P 47 78827 8 49

Topology change flag : True


Number of topology changes : 23
Last topology change occurred : 4750 seconds ago

Access-1
Access-1(config)# show spanning-tree mst 1 | exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:10:4f:58:fc:14:40 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:1/1/25, Cost:4000, Rem Hops:18

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 20000 128 P2P 865238 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 865257 0 0 0
1/1/25 Root Forwarding 2000 128 P2P 99 557055 30 49
1/1/26 Alternate Blocking 2000 128 P2P 91 78323 13 55

Topology change flag : True


Number of topology changes : 6
Last topology change occurred : 4947 seconds ago

Access-2
Access-2(config)# show spanning-tree mst 1| exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:10:4f:58:f6:84:80 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:0, Cost:0, Rem Hops:20

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/4 Designated Forwarding 20000 128 P2P 606682 0 0 0
1/1/25 Designated Forwarding 2000 128 P2P 513496 46431 25 50
1/1/26 Designated Forwarding 2000 128 P2P 34250 46437 11 60

Topology change flag : True


Number of topology changes : 3
Last topology change occurred : 4968 seconds ago

Notice that results may vary based on switch specifics such as the MAC address.

Note that the Instance 1 root bridge may be any switch in the topology, including one
of your access switches. Remember that the entire topology converges towards the
root bridge, and links are blocked based on that. This can create a bottleneck, because
traffic is forced to traverse an access switch over a sub-optimal path.

5. Now verify Instance 2 (MST2) on all switches and take notes in Figure 4.2-2.
Core-1
Core-1(config)# show spanning-tree mst 2| exclude Disabled

#### MST2
Vlans mapped: 12
Bridge Address:44:5b:ed:67:d3:00 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:1/1/2, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 81331 90 48 27
1/1/2 Root Forwarding 2000 128 P2P 48650 37756 49 23
1/1/45 Designated Forwarding 800 128 P2P 81378 52 51 24
1/1/46 Designated Forwarding 800 128 P2P 81160 267 53 6

Topology change flag : True

Number of topology changes : 45
Last topology change occurred : 9411 seconds ago

Core-2
Core-2(config)# show spanning-tree mst 2 | exclude Disabled

#### MST2
Vlans mapped: 12
Bridge Address:90:20:c2:c0:bc:00 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:1/1/2, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 80563 91 55 8
1/1/2 Root Forwarding 2000 128 P2P 48664 36474 62 5
1/1/45 Alternate Blocking 800 128 P2P 47 81164 28 48
1/1/46 Alternate Blocking 800 128 P2P 47 81162 8 49

Topology change flag : True


Number of topology changes : 19
Last topology change occurred : 9419 seconds ago

Access-1
Access-1(config)# show spanning-tree mst 2 | exclude Disabled

#### MST2
Vlans mapped: 12
Bridge Address:10:4f:58:fc:14:40 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:1/1/25, Cost:4000, Rem Hops:18

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 20000 128 P2P 867478 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 867497 0 0 0
1/1/25 Root Forwarding 2000 128 P2P 99 559295 30 49
1/1/26 Alternate Blocking 2000 128 P2P 91 80563 13 55

Topology change flag : True


Number of topology changes : 5
Last topology change occurred : 9429 seconds ago

Access-2
Access-2(config)# show spanning-tree mst 2| exclude Disabled

#### MST2
Vlans mapped: 12

Bridge Address:10:4f:58:f6:84:80 Priority:32768
Root Address:10:4f:58:f6:84:80 Priority:32768
Port:0, Cost:0, Rem Hops:20

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/4 Designated Forwarding 20000 128 P2P 608912 0 0 0
1/1/25 Designated Forwarding 2000 128 P2P 515726 48661 25 50
1/1/26 Designated Forwarding 2000 128 P2P 36480 48667 11 60

Topology change flag : True


Number of topology changes : 2

Figure 4.2-2: Instance 2 switch and port roles

Note that instances 1 and 2 are using the same root bridge, and the same ports
(alternate ports) block traffic for both instances. Therefore, there is no load balancing between links.

6. To fix that, configure Core-1 as the root bridge for instance 1 and Core-2 as the root bridge for
instance 2.
Core-1
Core-1(config)# spanning-tree instance 1 priority 1

Core-2
Core-2(config)# spanning-tree instance 2 priority 1

7. Configure Core-1 as the secondary root for instance 2 and Core-2 as the secondary root for
instance 1.
Core-1
Core-1(config)# spanning-tree instance 2 priority 2

Core-2
Core-2(config)# spanning-tree instance 1 priority 2

8. Verify instance 1 (MST1) on all switches one more time.


Core-1
Core-1(config)# show spanning-tree mst 1| exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:44:5b:ed:67:d3:00 Priority:4096
Root Address:44:5b:ed:67:d3:00 Priority:4096
Port:0, Cost:0, Rem Hops:20

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 81965 95 48 27
1/1/2 Designated Forwarding 2000 128 P2P 49285 37951 49 23
1/1/45 Designated Forwarding 800 128 P2P 82012 496 51 24
1/1/46 Designated Forwarding 800 128 P2P 81794 711 53 6

Topology change flag : True


Number of topology changes : 53
Last topology change occurred : 896 seconds ago

Core-2
Core-2(config)# show spanning-tree mst 1 | exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:90:20:c2:c0:bc:00 Priority:8192
Root Address:44:5b:ed:67:d3:00 Priority:4096
Port:1/1/45, Cost:800, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 81487 101 55 8
1/1/2 Designated Forwarding 2000 128 P2P 49588 36672 62 5
1/1/45 Root Forwarding 800 128 P2P 785 82087 28 48
1/1/46 Alternate Blocking 800 128 P2P 787 82088 8 49

Topology change flag : True
Number of topology changes : 30
Last topology change occurred : 8 seconds ago

Access-1
Access-1(config)# show spanning-tree mst 1 | exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:10:4f:58:fc:14:40 Priority:32768
Root Address:44:5b:ed:67:d3:00 Priority:4096
Port:1/1/25, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 20000 128 P2P 868130 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 868149 0 0 0
1/1/25 Root Forwarding 2000 128 P2P 104 559949 30 49
1/1/26 Alternate Blocking 2000 128 P2P 96 81218 13 55

Topology change flag : True


Number of topology changes : 8
Last topology change occurred : 949 seconds ago

Access-2
Access-2(config)# show spanning-tree mst 1| exclude Disabled

#### MST1
Vlans mapped: 11
Bridge Address:10:4f:58:f6:84:80 Priority:32768
Root Address:44:5b:ed:67:d3:00 Priority:4096
Port:1/1/25, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/4 Designated Forwarding 20000 128 P2P 609571 0 0 0
1/1/25 Root Forwarding 2000 128 P2P 515911 49323 25 50
1/1/26 Alternate Blocking 2000 128 P2P 36667 49329 11 60

Topology change flag : False


Number of topology changes : 4
Last topology change occurred : 971 seconds ago

Which switch is now the root bridge for instance 1?

Answer: Core-1

Which ports are blocked on each switch?

Answer: Core-2: Port 1/1/46; Access-1: 1/1/26; Access-2: 1/1/26


The following topology is expected for instance 1:

Figure 4.2-3: Instance 1 topology


9. Verify instance 2 (MST2) on all switches.
Core-1
Core-1(config)# show spanning-tree mst 2| exclude Disabled

#### MST2
Vlans mapped: 12
Bridge Address:44:5b:ed:67:d3:00 Priority:8192
Root Address:90:20:c2:c0:bc:00 Priority:4096
Port:1/1/45, Cost:800, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 82320 100 48 27
1/1/2 Designated Forwarding 2000 128 P2P 49639 37956 49 23
1/1/45 Root Forwarding 800 128 P2P 82366 851 51 24
1/1/46 Alternate Blocking 800 128 P2P 82151 1068 53 6

Topology change flag : True


Number of topology changes : 53
Last topology change occurred : 140 seconds ago

Core-2
Core-2(config)# show spanning-tree mst 2 | exclude Disabled

#### MST2
Vlans mapped: 12
Bridge Address:90:20:c2:c0:bc:00 Priority:4096
Root Address:90:20:c2:c0:bc:00 Priority:4096
Port:0, Cost:0, Rem Hops:20

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 2000 128 P2P 81572 101 55 8
1/1/2 Designated Forwarding 2000 128 P2P 49673 36672 62 5
1/1/45 Designated Forwarding 800 128 P2P 870 82172 28 48
1/1/46 Designated Forwarding 800 128 P2P 872 82173 8 49

Topology change flag : True


Number of topology changes : 27
Last topology change occurred : 188 seconds ago

Access-1
Access-1(config)# show spanning-tree mst 2 | exclude Disabled

#### MST2
Vlans mapped: 12
Bridge Address:10:4f:58:fc:14:40 Priority:32768
Root Address:90:20:c2:c0:bc:00 Priority:4096
Port:1/1/26, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/1 Designated Forwarding 20000 128 P2P 868492 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 868511 0 0 0
1/1/25 Alternate Blocking 2000 128 P2P 109 560316 30 49
1/1/26 Root Forwarding 2000 128 P2P 101 81585 13 55

Topology change flag : True


Number of topology changes : 9
Last topology change occurred : 216 seconds ago

Access-2
Access-2(config)# show spanning-tree mst 2| exclude Disabled

#### MST2
Vlans mapped: 12
Bridge Address:10:4f:58:f6:84:80 Priority:32768
Root Address:90:20:c2:c0:bc:00 Priority:4096

Port:1/1/26, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- ------------ ---------- ------ ---------- ------- -------- -------- ------- ------
1/1/4 Designated Forwarding 20000 128 P2P 609943 0 0 0
1/1/25 Alternate Blocking 2000 128 P2P 515916 49700 25 50
1/1/26 Root Forwarding 2000 128 P2P 36672 49706 11 60

Topology change flag : True


Number of topology changes : 6
Last topology change occurred : 262 seconds ago

Which switch is now the root bridge for instance 2?

Answer: Core-2
Which ports are blocked on each switch?

Answer: Core-1: Port 1/1/46; Access-1: 1/1/25; Access-2: 1/1/25


The following topology is expected for instance 2:

Notice that the active links from instance 2 converge to Core-2, while the active links
for instance 1 converge to Core-1, balancing the traffic between core switches and
uplinks.
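The role analysis done by hand in Task 4.1-2, the failover in Task 4.1-3 and the per-instance results of this task all follow from the same comparison rules: lowest bridge ID (priority, then MAC) wins the root election, each other bridge picks the root port with the lowest (root path cost, sender bridge ID, sender port ID, receiving port ID), and on every link the end with the better (root path cost, bridge ID, port ID) is designated while the other end is root or alternate. The following Python script is an added example, not part of the lab guide or of AOS-CX, that applies those rules to the lab topology. The MAC addresses and path costs are taken from the show outputs in this lab; the link list, the edge-port list and the assumption that the number after the last "/" orders port IDs are a constructed model of the lab diagram.

```python
# Added example: 802.1D/802.1w role calculation for the lab topology.
# MACs and costs come from the lab's show outputs; the links, edge ports and
# port-ID ordering are assumptions about the diagram.
MACS = {
    "Core-1": "44:5b:ed:67:d3:00",
    "Core-2": "90:20:c2:c0:bc:00",
    "Access-1": "10:4f:58:fc:14:40",
    "Access-2": "10:4f:58:f6:84:80",
}
# (bridge, port, neighbour, neighbour port, port path cost)
LINKS = [
    ("Core-1", "1/1/1", "Access-1", "1/1/25", 2000),
    ("Core-1", "1/1/2", "Access-2", "1/1/25", 2000),
    ("Core-2", "1/1/1", "Access-1", "1/1/26", 2000),
    ("Core-2", "1/1/2", "Access-2", "1/1/26", 2000),
    ("Core-1", "1/1/45", "Core-2", "1/1/45", 800),
    ("Core-1", "1/1/46", "Core-2", "1/1/46", 800),
]
# Ports with no STP neighbour (PCs) are always designated.
EDGE_PORTS = {"Access-1": ["1/1/1", "1/1/3"], "Access-2": ["1/1/4"]}
CST_PRIORITIES = {"Core-1": 4096, "Core-2": 8192, "Access-1": 32768, "Access-2": 32768}


def bridge_id(name, priority):
    """Bridge ID as a comparable tuple: priority first, then MAC; lower wins."""
    return (priority, MACS[name])


def port_id(port, priority=128):
    """Port ID: default port priority 128, then the port number.
    Assumption: the index after the last '/' orders ports within one slot."""
    return (priority, int(port.rsplit("/", 1)[1]))


def compute_roles(priorities, links=LINKS):
    """Return (root bridge, {bridge: {port: role}}, {bridge: root path cost})."""
    bids = {b: bridge_id(b, p) for b, p in priorities.items()}
    root = min(bids, key=bids.get)
    adj = {b: [] for b in bids}
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    INF = float("inf")
    rpc = {b: (0 if b == root else INF) for b in bids}
    root_port = {b: None for b in bids}
    best = {b: None for b in bids}
    # Relax until stable: each bridge keeps the lowest priority vector it hears,
    # (root path cost, sender bridge ID, sender port ID, receiving port ID).
    for _ in range(len(bids) + 1):
        changed = False
        for b in bids:
            if b == root:
                continue
            heard = [(rpc[n] + cost, bids[n], port_id(pn), port_id(pa), pa)
                     for pa, n, pn, cost in adj[b] if rpc[n] != INF]
            if heard and min(heard) != best[b]:
                best[b] = min(heard)
                rpc[b], root_port[b] = best[b][0], best[b][4]
                changed = True
        if not changed:
            break
    roles = {b: {p: "Designated" for p in EDGE_PORTS.get(b, [])} for b in bids}
    for a, pa, b, pb, _cost in links:
        # The end with the better (root path cost, bridge ID, port ID) is designated;
        # the other end is root if it is that bridge's chosen root port, else alternate.
        if (rpc[a], bids[a], port_id(pa)) < (rpc[b], bids[b], port_id(pb)):
            des, des_port, other, other_port = a, pa, b, pb
        else:
            des, des_port, other, other_port = b, pb, a, pa
        roles[des][des_port] = "Designated"
        roles[other][other_port] = "Root" if root_port[other] == other_port else "Alternate"
    return root, roles, rpc


def blocked_ports(roles):
    """{bridge: [alternate ports]}, the form the lab's answer keys use."""
    return {b: sorted(p for p, r in ports.items() if r == "Alternate")
            for b, ports in roles.items()}


def without_link(bridge, port, links=LINKS):
    """Topology after one uplink is shut down (Task 4.1-3)."""
    return [l for l in links
            if (l[0], l[1]) != (bridge, port) and (l[2], l[3]) != (bridge, port)]


if __name__ == "__main__":
    mst2 = {"Core-1": 8192, "Core-2": 4096, "Access-1": 32768, "Access-2": 32768}
    for label, prio in (("CST / MST1", CST_PRIORITIES), ("MST2", mst2)):
        root, roles, _ = compute_roles(prio)
        print(label, "root:", root, "blocked:", blocked_ports(roles))
```

With the CST priorities the script reproduces Figure 4.1-2 (Core-2 blocks 1/1/46, both access switches block 1/1/26); removing the Access-1 1/1/25 link moves its root port to 1/1/26, as in Task 4.1-3; with all bridges at 32768 the lowest MAC (Access-2) becomes root with the core ports blocked on Core-2, as in step 4; and with the MST2 priorities from steps 6 and 7 the blocked set flips to Core-1 1/1/46 and 1/1/25 on the access switches.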



Task 4.2-3: Save your configurations
Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab checkpoints might be used by later activities.
Steps
1. Save the current access and core switches' configuration in the startup checkpoint.
Access-1
Access-1(config)# write memory
Copying configuration: [Success]

Access-2
Access-2(config)# write memory
Copying configuration: [Success]

Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches' configuration as a custom checkpoint called Lab4-2_final.
Access-1
Access-1(config)# copy running-config checkpoint Lab4-2_final
Copying configuration: [Success]

Access-2
Access-2(config)# copy running-config checkpoint Lab4-2_final
Copying configuration: [Success]

Core-1
Core-1(config)# copy running-config checkpoint Lab4-2_final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab4-2_final
Copying configuration: [Success]

You have completed Lab 4.2!


Lab 4.3: Explore broadcast storm effects (optional)


In a previous module, you were introduced to the potential problems that a Layer 2 loop can bring. In
this lab activity, you will intentionally create one by creating a dual-home topology between the two
access switches and removing spanning tree. Also, you will use two alternative methods for containing
and preventing such loops that can be used in addition to spanning tree.
Objectives
After completing this lab, you will be able to:
• Create a redundant topology.
• Force a Layer 2 loop and create a broadcast and multicast storm.
• Find evidence of the Layer 2 loop.
• Prevent loops using loop-protect.
Lab topology
The following lab topology will be used for your practical activities:

Task 4.3-1: Pre-lab setup


Objectives
In this activity, you will isolate Access-1 and Access-2 from the rest of the network, then enable a dual
homed topology using ports 27 and 28.



Steps
1. Using the Remote Lab dashboard, launch a remote console to Access-1.
2. Disable ports 1/1/25 and 1/1/26.
Access-1(config)# interface 1/1/25-1/1/26
Access-1(config-if-<1/1/25-1/1/26>)# shutdown
Access-1(config-if-<1/1/25-1/1/26>)# exit

3. Enable ports 1/1/27 and 1/1/28.


Access-1(config)# interface 1/1/27-1/1/28
Access-1(config-if-<1/1/27-1/1/28>)# no shutdown
Access-1(config-if-<1/1/27-1/1/28>)# exit

4. Allow VLANs 11 and 12 on ports 1/1/27 and 1/1/28.


Access-1(config)# interface 1/1/27-1/1/28
Access-1(config-if-<1/1/27-1/1/28>)# vlan trunk allowed 11,12
Access-1(config-if-<1/1/27-1/1/28>)# exit

5. Navigate to the Access-2 console.


6. Disable ports 1/1/25 and 1/1/26.
Access-2(config)# interface 1/1/25-1/1/26
Access-2(config-if-<1/1/25-1/1/26>)# shutdown
Access-2(config-if-<1/1/25-1/1/26>)# exit

7. Enable ports 1/1/27 and 1/1/28.


Access-2(config)# interface 1/1/27-1/1/28
Access-2(config-if-<1/1/27-1/1/28>)# no shutdown
Access-2(config-if-<1/1/27-1/1/28>)# exit

8. Allow VLANs 11 and 12 on ports 1/1/27 and 1/1/28.


Access-2(config)# interface 1/1/27-1/1/28
Access-2(config-if-<1/1/27-1/1/28>)# vlan trunk allowed 11,12
Access-2(config-if-<1/1/27-1/1/28>)# exit

9. Verify that interfaces 1/1/25 and 1/1/26 are disabled and interfaces 1/1/27 and 1/1/28 are
enabled and active.
Access-2(config)# show interface brief | begin 1/1/25
1/1/25 1 trunk 10G-DAC1 no down Administratively down -- --
1/1/26 1 trunk 10G-DAC1 no down Administratively down -- To_Core-2_Port-2
1/1/27 1 trunk 10G-DAC1 yes up 10000 To_Access-2_Port-27
1/1/28 1 trunk 10G-DAC1 yes up 10000 To_Access-2_Port-28

Remember that you are about to create a Layer 2 loop, which has the potential to
affect the entire network. In order to limit the effects, you have to make sure that
both uplinks 1/1/25 and 1/1/26 are down. Do not proceed if this is not the case.

10. Increase the Access-2 spanning tree priority to 15 (61440). This will make Access-1 the root
bridge and force Access-2 to choose a root and alternate port.
Access-2(config)# spanning-tree priority 15

11. Use the show spanning-tree command and look at ports 1/1/27 and 1/1/28.
Access-2(config)# show spanning-tree | exclude Disabled
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 32768
MAC-Address: 10:4f:58:fc:14:40
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 61440


MAC-Address: 10:4f:58:f6:84:80
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
--------- ------------- ---------- -------- --------- ------ --------- -------- -------- -------
1/1/4 Designated Forwarding 20000 128 P2P 612697 0 0 0
1/1/27 Root Forwarding 2000 128 P2P 197 16 5 7
1/1/28 Alternate Blocking 2000 128 P2P 44624 19 4 8

Number of topology changes : 27


Last topology change occurred : 24 seconds ago

What interface is the root port?

Answer: Port 1/1/27.


Which interface is the alternate port?

Answer: Port 1/1/28.


12. Since the current Access-1 and Access-2 configurations will be used later, create checkpoints now.
13. Back up the current access switches' configuration as a custom checkpoint called Lab4-3_task1.
Access-1
Access-1(config)# copy running-config checkpoint Lab4-3_task1
Copying configuration: [Success]

Access-2
Access-2(config)# copy running-config checkpoint Lab4-3_task1
Copying configuration: [Success]

Task 4.3-2: Create Layer 2 loop
Objectives
In this task, you will create a Layer 2 loop and a broadcast/multicast storm as a consequence of that.
Then you will witness the symptoms and gather logs that document its presence.
Steps
1. Using the Remote Lab dashboard, launch a remote console to Access-1.
2. Clear 1/1/27 and 1/1/28 interfaces' statistics. Then display those interfaces' statistics.
Access-1(config)# clear interface 1/1/27 statistics
Access-1(config)# clear interface 1/1/28 statistics
Access-1(config)# show interface 1/1/27-1/1/28 statistics
-----------------------------------------------------------------------------------------------------------------------------------------------------
Interface  RX Bytes  RX Packets  RX Drops  TX Bytes  TX Packets  TX Drops  RX Broadcast  RX Multicast  TX Broadcast  TX Multicast  RX Pause  TX Pause
-----------------------------------------------------------------------------------------------------------------------------------------------------
1/1/27     1600      10          0         1575      10          0         0             10            0             10            0         0
1/1/28     1158      7           0         1141      7           0         0             7             0             7             0         0
Access-1(config)#

In total, how many broadcast and multicast packets has 1/1/27 received since the count was last
cleared?

Answer: That value is specific to each deployment. In this example, 10 multicast packets were
sent and received.
In total, how many broadcast and multicast packets has 1/1/28 received since the count was last
cleared?

Answer: That value is specific to each deployment. In this example, seven multicast packets were
sent and received.
3. Wait a minute, then repeat step 2.
Access-1(config)# show interface 1/1/27-1/1/28 statistics
-----------------------------------------------------------------------------------------------------------------------------------------------------
Interface  RX Bytes  RX Packets  RX Drops  TX Bytes  TX Packets  TX Drops  RX Broadcast  RX Multicast  TX Broadcast  TX Multicast  RX Pause  TX Pause
-----------------------------------------------------------------------------------------------------------------------------------------------------
1/1/27     26841     169         0         28391     174         0         1             168           6             168           0         0
1/1/28     26629     166         0         28267     171         0         1             165           6             165           0         0
Access-1(config)#

How many total broadcast and multicast packets do you see on both interfaces?

124 Task 4.3-2: Create Layer 2 loop


Lab 4.3: Explore broadcast storm
effects (optional)
Answer: That value is specific to each deployment. In this example, 1/1/27 received 169 broadcast and multicast packets (1 broadcast, 168 multicast) and 1/1/28 received 166 (1 broadcast, 165 multicast).
Have the number of packet statistics grown by dozens, hundreds, or thousands?

Answer: That value is specific to each deployment. In this example, each interface grew by roughly 160 packets in a minute, that is, by dozens every 30 seconds, or a little over 2.5 packets per second. This is the normal background of control-plane traffic (BPDUs, LLDP, and similar) on an idle link, and it is the baseline against which you will compare a storm.
4. Access PC4, open the command prompt, and issue the ipconfig -all command and record
PC4's MAC address.

5. Run a continuous ping to PC1's IP address (10.1.12.101). The ping should be successful.
6. Navigate back to the Access-2 console.
7. Enable spanning tree BPDU filtering on interfaces 1/1/27 and 1/1/28.

BPDU filtering is a feature that prevents a switch from sending or receiving spanning tree BPDUs. When you enable it on ports 1/1/27 and 1/1/28, Access-2 stops processing the BPDUs it receives from Access-1, and Access-1 no longer receives Access-2's BPDUs. After a few seconds this causes a role transition: the ports leave the Root and Alternate (Blocking) states and both become Designated and Forwarding, which opens the loop.
Connecting a device with BPDU filtering enabled to an access switch in order to create a Layer 2 loop is a well-known Denial of Service (DoS) attack. Later, in Tasks 4.3-3 and 4.3-4, you will see how to contain its effects with rate limiting and how to prevent it with loop-protect.

Access-2(config)# interface 1/1/27-1/1/28


Access-2(config-if-<1/1/27-1/1/28>)# spanning-tree bpdu-filter
[1/1/27] This filter command allows the port to go into a continuous
forwarding mode and spanning tree will not interfere, even if
the port would cause a loop to form in the network topology.
If you suddenly experience high traffic load, shutdown the
port and remove the applicable filter configuration under
interface context using the following CLI command(s):

no spanning-tree bpdu-filter
no spanning-tree rpvst-filter
[1/1/28] This filter command allows the port to go into a continuous
forwarding mode and spanning tree will not interfere, even if
the port would cause a loop to form in the network topology.
If you suddenly experience high traffic load, shutdown the
port and remove the applicable filter configuration under
interface context using the following CLI command(s):
no spanning-tree bpdu-filter
no spanning-tree rpvst-filter
Access-2(config-if-<1/1/27-1/1/28>)# exit

8. Use the show spanning-tree command and look at current 1/1/27 and 1/1/28 interfaces' state
in Access-2. They will now be in Forwarding mode.
Access-2(config)# show spanning-tree | include Forwarding
1/1/4 Designated Forwarding 20000 128 P2P 655858 0 0 0
1/1/27 Designated Forwarding 2000 128 P2P 43312 43131 5 7
1/1/28 Designated Forwarding 2000 128 P2P 87739 43134 4 8

Does this create a Layer 2 loop?

Answer: There should now be a loop and a broadcast storm. You will now gather evidence of its
presence.
9. Move back to Access-1.
10. Wait a minute and display the Access-1 interface statistics again.
Access-1(config)# show interface 1/1/27-1/1/28 statistics
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Interface  RX Bytes      RX Packets  RX Drops  TX Bytes      TX Packets  TX Drops  RX Broadcast  RX Multicast  TX Broadcast  TX Multicast  RX Pause  TX Pause
------------------------------------------------------------------------------------------------------------------------------------------------------------------
1/1/27     25226928109   340409519   0         175180720055  2570100044  38348805  267030943     80            7069778       204           0         0
1/1/28     175061716363  2568350145  0         25361773859   342392388   716378    7069983       78            267030766     202           0         0

How many more broadcast and multicast packets combined do you have now on each interface?

Answer: That value is specific to each deployment. In this example, the broadcast counters went from a handful of packets to hundreds of millions (about 267 million received on 1/1/27 and the same number transmitted on 1/1/28) in roughly a minute, and TX Drops, which were zero before, are now in the hundreds of thousands and millions.

The large increment of broadcast and multicast packets in a short period of time is
one piece of evidence of a broadcast storm. It is the result of a loop.
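As an added example (not part of the lab guide or of AOS-CX itself), the following Python script turns the evidence above into a check: it parses two copies of the show interface statistics output, tolerating the wrapped rows you get when copying from a narrow console, and computes the received broadcast plus multicast rate per interface. The sample snapshots are the values printed in steps 2, 3 and 10 above; the 60 second interval between them and the 1000 pps alarm threshold are assumptions for the illustration, since the lab does not time the steps exactly.

```python
"""Turn two `show interface <range> statistics` snapshots into a storm verdict.

Added example for this lab, not part of AOS-CX. The wrapped sample rows below
are copied from steps 2, 3 and 10 above; the interval is an assumption.
"""
import re

# Column order as printed by AOS-CX for `show interface ... statistics`.
COLUMNS = (
    "rx_bytes", "rx_packets", "rx_drops", "tx_bytes", "tx_packets", "tx_drops",
    "rx_broadcast", "rx_multicast", "tx_broadcast", "tx_multicast", "rx_pause", "tx_pause",
)
ROW_START = re.compile(r"^(\d+/\d+/\d+)\s+(.*)$")


def parse_interface_statistics(text):
    """Return {interface: {column: int}}.

    Rows copied from a narrow console wrap onto the next line, so a line that
    holds only numbers is appended to the row above it.
    """
    rows, current, values = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_START.match(line)
        if m:
            if current is not None:
                rows[current] = dict(zip(COLUMNS, values))
            current = m.group(1)
            values = [int(tok) for tok in m.group(2).split()]
        elif current is not None and line and all(tok.isdigit() for tok in line.split()):
            values.extend(int(tok) for tok in line.split())
    if current is not None:
        rows[current] = dict(zip(COLUMNS, values))
    return rows


def received_bum_pps(before, after, seconds):
    """Received broadcast + multicast packets per second, per interface.

    A counter that went backwards was cleared between the snapshots; its later
    value is then used as the whole delta instead of reporting a negative rate.
    """
    rates = {}
    for iface, a in after.items():
        b = before.get(iface, {})
        total = 0
        for col in ("rx_broadcast", "rx_multicast"):
            delta = a.get(col, 0) - b.get(col, 0)
            total += a.get(col, 0) if delta < 0 else delta
        rates[iface] = total / seconds
    return rates


def storm_suspects(before, after, seconds, threshold_pps=1000):
    """Interfaces whose received BUM rate is at or above the threshold."""
    rates = received_bum_pps(before, after, seconds)
    return sorted(iface for iface, pps in rates.items() if pps >= threshold_pps)


# Step 2 (just cleared), step 3 (one minute later) and step 10 (during the storm).
AFTER_CLEAR = """\
Interface RX Bytes RX Packets RX Drops TX Bytes TX Packets TX Drops RX Broadcast RX Multicast TX Broadcast TX Multicast RX
Pause TX Pause
1/1/27 1600 10 0 1575 10 0 0 10 0 10 0
0
1/1/28 1158 7 0 1141 7 0 0 7 0 7 0
0
"""
ONE_MINUTE = """\
1/1/27 26841 169 0 28391 174 0 1 168 6 168 0
0
1/1/28 26629 166 0 28267 171 0 1 165 6 165 0
0
"""
DURING_STORM = """\
1/1/27 25226928109 340409519 0 175180720055 2570100044 38348805 267030943 80 7069778 204
0 0
1/1/28 175061716363 2568350145 0 25361773859 342392388 716378 7069983 78 267030766 202
0 0
"""
INTERVAL_SECONDS = 60  # assumed; the lab says "wait a minute" but does not time it

if __name__ == "__main__":
    idle = storm_suspects(parse_interface_statistics(AFTER_CLEAR),
                          parse_interface_statistics(ONE_MINUTE), INTERVAL_SECONDS)
    storm = storm_suspects(parse_interface_statistics(ONE_MINUTE),
                           parse_interface_statistics(DURING_STORM), INTERVAL_SECONDS)
    print("idle link suspects:", idle)    # []
    print("storm suspects:", storm)       # ['1/1/27', '1/1/28']
```

The threshold is deliberately coarse: on the idle link the received rate is about 2.65 pps, during the storm it is millions of pps, so any value between a few hundred and a few thousand separates the two cleanly. Run the same comparison against the TX Drops column if you want a second, independent indicator.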

11. Move back to PC4 and look at the connectivity test.

Is the ping working flawlessly?

Answer: The ping should stop working.

The lack of connectivity in the affected devices is one of the main symptoms of a
broadcast storm.

12. Stop the ping.


13. Move to the Access-1 console tab.
14. Enable Layer 2 MAC event debugs (L2MAC event debugs), set the buffer as the debug
destination, then enable paging.
Access-1(config)# debug l2mac event
Access-1(config)# debug destination buffer
Access-1(config)# page

15. Show the debug buffer of the L2MAC module, filtering with include on the last four hexadecimal characters of the MAC address you recorded in step 4 (in this example, d6:e3).
Access-1(config)# show debug buffer module L2MAC | include d6:e3
2024-04-18:19:21:49.353436|l2mac-mgrd|LOG_DEBUG|CDTR|1|L2MAC|L2MAC_EVENT|macmgr_mac_manager_handle_mac_event(3281), [00:50:56:b1:d6:e3, 1/1/28, VLAN12, dynamic, vsxp=0, r=0] Event = DYNAMIC MAC MOVE
2024-04-18:19:21:49.353468|l2mac-mgrd|LOG_DEBUG|CDTR|1|L2MAC|L2MAC_EVENT|macmgr_mac_manager_handle_mac_event(3303), MAC=00:50:56:b1:d6:e3, VLAN=12, Port=1/1/28 is trying to be inserted
2024-04-18:19:21:49.353531|l2mac-mgrd|LOG_DEBUG|CDTR|1|L2MAC|L2MAC_EVENT|macmgr_mac_manager_handle_mac_event(3333), MAC=00:50:56:b1:d6:e3 was successfully inserted
2024-04-18:19:21:49.537024|l2mac-mgrd|LOG_DEBUG|CDTR|1|L2MAC|L2MAC_EVENT|macmgr_mac_manager_handle_mac_event(3281), [00:50:56:b1:d6:e3, 1/1/27, VLAN12, dynamic, vsxp=0, r=0] Event = DYNAMIC MAC MOVE
2024-04-18:19:21:49.537057|l2mac-mgrd|LOG_DEBUG|CDTR|1|L2MAC|L2MAC_EVENT|macmgr_mac_manager_handle_mac_event(3303), MAC=00:50:56:b1:d6:e3, VLAN=12, Port=1/1/27 is trying to be inserted
2024-04-18:19:21:49.537118|l2mac-mgrd|LOG_DEBUG|CDTR|1|L2MAC|L2MAC_EVENT|macmgr_mac_manager_handle_mac_event(3333), MAC=00:50:56:b1:d6:e3 was successfully inserted

If your MAC address includes letters as part of the hexadecimal notation, type them in lower case, as in the example above ("d6:e3"), because the filter matches the text exactly as it is written in the buffer.

Are there any events describing MAC address learning on one of the interfaces first, then on the other a little later?

Answer: Yes. In the example, the MAC address is learned on port 1/1/28 and then on port 1/1/27, and the pattern repeats several times within the same second.

A MAC address flapping between all interfaces involved in the loop is another piece of evidence of a broadcast storm. The affected interfaces are not necessarily the ones where the client is connected!
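As an added example (not from the lab guide or from HPE Aruba), this Python snippet does the same correlation a person does when reading the buffer: it keeps only the DYNAMIC MAC MOVE events, groups them by MAC address and VLAN, and reports any address that moved at least three times within one second across two or more ports. The sample log embeds the two real MOVE events shown above; the remaining lines are constructed to show a flapping address and a stable one, and the thresholds are assumptions.

```python
"""Detect MAC address flapping in AOS-CX L2MAC debug output.

Added example for this lab, not part of AOS-CX. Only the two MOVE events that
appear in step 15 are real; the other log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Only "DYNAMIC MAC MOVE" events count; the "trying to be inserted" and
# "successfully inserted" lines that follow each move are ignored on purpose.
MOVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}:\d{2}:\d{2}:\d{2}\.\d+)\|.*?"
    r"\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), (?P<port>\S+), VLAN(?P<vlan>\d+),"
    r".*?\] Event = DYNAMIC MAC MOVE$"
)


def parse_mac_moves(lines):
    """Return [(timestamp, mac, vlan, port)] for each MAC MOVE event, oldest first."""
    events = []
    for line in lines:
        m = MOVE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d:%H:%M:%S.%f")
            events.append((ts, m["mac"].lower(), int(m["vlan"]), m["port"]))
    return sorted(events)


def flapping_macs(events, window_seconds=1.0, min_moves=3):
    """Return {(mac, vlan): sorted ports} for addresses that moved at least
    min_moves times inside any window_seconds span and touched 2+ ports."""
    by_key = defaultdict(list)
    for ts, mac, vlan, port in events:
        by_key[(mac, vlan)].append((ts, port))
    flapping = {}
    for key, moves in by_key.items():
        ports = {port for _, port in moves}
        if len(ports) < 2:
            continue
        start = 0  # sliding window over the (sorted) move timestamps
        for end in range(len(moves)):
            while (moves[end][0] - moves[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_moves:
                flapping[key] = sorted(ports)
                break
    return flapping


LINE_PREFIX = ("2024-04-18:19:21:49.{us}|l2mac-mgrd|LOG_DEBUG|CDTR|1|L2MAC|L2MAC_EVENT|"
               "macmgr_mac_manager_handle_mac_event({fn}), ")
SAMPLE_LOG = "\n".join([
    # Real lines from step 15 (MAC 00:50:56:b1:d6:e3 on VLAN 12).
    LINE_PREFIX.format(us="353436", fn=3281) + "[00:50:56:b1:d6:e3, 1/1/28, VLAN12, dynamic, vsxp=0, r=0] Event = DYNAMIC MAC MOVE",
    LINE_PREFIX.format(us="353468", fn=3303) + "MAC=00:50:56:b1:d6:e3, VLAN=12, Port=1/1/28 is trying to be inserted",
    LINE_PREFIX.format(us="353531", fn=3333) + "MAC=00:50:56:b1:d6:e3 was successfully inserted",
    LINE_PREFIX.format(us="537024", fn=3281) + "[00:50:56:b1:d6:e3, 1/1/27, VLAN12, dynamic, vsxp=0, r=0] Event = DYNAMIC MAC MOVE",
    # Constructed continuation: two more moves within the same second ...
    LINE_PREFIX.format(us="720000", fn=3281) + "[00:50:56:b1:d6:e3, 1/1/28, VLAN12, dynamic, vsxp=0, r=0] Event = DYNAMIC MAC MOVE",
    LINE_PREFIX.format(us="905000", fn=3281) + "[00:50:56:b1:d6:e3, 1/1/27, VLAN12, dynamic, vsxp=0, r=0] Event = DYNAMIC MAC MOVE",
    # ... and a constructed address that moved once, which is not flapping.
    LINE_PREFIX.format(us="910000", fn=3281) + "[00:50:56:b1:aa:01, 1/1/3, VLAN11, dynamic, vsxp=0, r=0] Event = DYNAMIC MAC MOVE",
])

if __name__ == "__main__":
    for (mac, vlan), ports in flapping_macs(parse_mac_moves(SAMPLE_LOG.splitlines())).items():
        print(f"{mac} on VLAN {vlan} flaps between {', '.join(ports)}")
```

A single MOVE event is normal (a laptop roaming between access points, a VM migrating), which is why the check requires several moves in a short window and more than one port before it reports anything.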

16. Display the system information.


Access-1(config)# show system
Hostname : Access-1
System Description : FL.10.13.1000
System Contact :
System Location :

Vendor : Aruba
Product Name : JL668A 6300F 24G 4SFP56 Sw
Chassis Serial Nbr : SG01KN701M
Base MAC Address : 104f58-fc1440
ArubaOS-CX Version : FL.10.13.1000

Time Zone : UTC

Up Time : 3 weeks, 4 hours, 35 minutes

CPU Util (%) : 25


CPU Util (% avg 1 min) : 21
CPU Util (% avg 5 min) : 20
Memory Usage (%) : 19

What is the current CPU utilization?

Answer: That value is relative to each system and time. Check the CPU utilization on your
Access-1 output. In this example, Access-1 had 25% CPU utilization.

If a CPU increase is not that evident, then you can also try the same verification com-
mand on Access-2.
If you remember from Lab 2, average utilization was always below 10%. The final
indication of a broadcast storm is high CPU utilization.

Task 4.3-3: Contain a broadcast storm


Objectives
In this task, you will enable a port-based feature called rate limiting that caps the number of broadcast and multicast packets per second accepted on a port. It is important to understand that the Layer 2 loop is still present; you are only attenuating its effects considerably.
Steps
1. Using the Remote Lab dashboard, launch a remote console to Access-1.
2. Enable rate limiting for broadcast and multicast traffic, allowing a maximum of 75 packets per second on ports 1/1/27 and 1/1/28.
Access-1(config)# interface 1/1/27-1/1/28
Access-1(config-if-<1/1/27-1/1/28>)# rate-limit broadcast 75 pps
Access-1(config-if-<1/1/27-1/1/28>)# rate-limit multicast 75 pps

3. Display the system CPU utilization.


Access-1(config-if-<1/1/27-1/1/28>)# show system | include CPU
CPU Util (%) : 11
CPU Util (% avg 1 min) : 12
CPU Util (% avg 5 min) : 14

What is the current CPU utilization now?

Answer: That value is relative to each system and time. Check the CPU utilization on your
Access-1 output. In this example, Access-1 had 11% CPU utilization.

A rate limit is a good protection mechanism on ports where you connect devices that you do not control to your network.

4. Next, you will test another feature that can prevent loops. To observe its effect, you must first remove the rate limits in order to re-create the unstable situation.
5. Remove rate-limit related commands.
Access-1(config-if-<1/1/27-1/1/28>)# no rate-limit broadcast
Access-1(config-if-<1/1/27-1/1/28>)# no rate-limit multicast

6. Wait a few seconds, then verify the system CPU; it should have risen once more.

Access-1(config-if-<1/1/27-1/1/28>)# show system | include CPU
CPU Util (%) : 21
CPU Util (% avg 1 min) : 11
CPU Util (% avg 5 min) : 8

Task 4.3-4: Preventing loops


Objectives
In this task, you will deploy loop-protect, which blocks ports involved in loops. Although this feature is
intended to be in place before the loop happens, applying it now will demonstrate its ability to bring
the network back to normal.
Steps
1. Using the Remote Lab dashboard, launch a remote console to Access-1.
2. Enable loop-protect on ports 1/1/27 and 1/1/28, then set tx-rx-disable as the loop-protect action. The feature takes effect immediately.
Access-1(config)# interface 1/1/27-1/1/28
Access-1(config-if-<1/1/27-1/1/28>)# loop-protect
Access-1(config-if-<1/1/27-1/1/28>)# loop-protect action tx-rx-disable

3. Display interfaces where loop-protect has detected loops.


Access-1(config-if-<1/1/27-1/1/28>)# show loop-protect loop-detected

Status and Counters - Loop Protection Information

Transmit Interval : 5 (sec)


Port Re-enable Timer : Disabled
Loop Detected Trap : Disabled

Interface 1/1/27
Loop-protect enabled : Yes
Action on loop detection : TX RX disable
Loop detected count : 1
Loop detected : Yes
Detected on VLAN : 1
Detected at : 2024-04-18T20:13:07
Interface status : down

Interface 1/1/28
Loop-protect enabled : Yes
Action on loop detection : TX RX disable
Loop detected count : 1
Loop detected : Yes
Detected on VLAN : 1
Detected at : 2024-04-18T20:13:07
Interface status : down

What interfaces are listed in the output?

Answer: Interfaces 1/1/27 and 1/1/28


Have loops been detected on them?

Answer: Yes
What are the interfaces' statuses now?

Answer: The interfaces are down.

In the previous example, the switch was able to detect the loop on both ports
simultaneously. However, it is also possible to have the switch detecting the loop on
one of the ports first and blocking it before detecting it on the other.

4. Use the show interface brief command for displaying the current state of ports 1/1/27 and
1/1/28.
Access-1(config-if-<1/1/27-1/1/28>)# show interface brief | exclude Administratively
----------------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed Description
VLAN (Mb/s)
----------------------------------------------------------------------------------------------
1/1/1 12 access 1GbT yes up 1000 To_PC1
1/1/3 11 access 1GbT yes up 1000 To_PC3
1/1/27 1 trunk 10G-DAC1 yes down Network loop detected -- --
1/1/28 1 trunk 10G-DAC1 yes down Network loop detected -- To_Access-2_port-28
vlan1 -- -- -- yes down -- --

Are ports 1/1/27 and 1/1/28 administratively enabled?

Answer: Yes. The Enabled column shows yes for both; loop-protect blocked the ports but did not shut them down administratively.


What is the status of the ports?

Answer: Both ports are down.


What is the reason behind this status?

Answer: A network loop is detected.


5. Display the system CPU utilization; you will see how the value has normalized again.
Access-1(config-if-<1/1/27-1/1/28>)# show system | include CPU
CPU Util (%) : 1

CPU Util (% avg 1 min) : 5
CPU Util (% avg 5 min) : 4

6. You will now proceed to remove the loop.


7. Remove loop-protect from ports 1/1/27 and 1/1/28.
Access-1(config-if-<1/1/27-1/1/28>)# no loop-protect
Access-1(config-if-<1/1/27-1/1/28>)# no loop-protect action

8. Disable ports 1/1/27 and 1/1/28, then re-enable them. This will remove the "Network loop detec-
ted" state and bring them back on.
Access-1(config-if-<1/1/27-1/1/28>)# shutdown
Access-1(config-if-<1/1/27-1/1/28>)# no shutdown
Access-1(config-if-<1/1/27-1/1/28>)# exit

9. Navigate to the Access-2 console tab.


10. Remove BPDU filtering from ports 1/1/27 and 1/1/28.
Access-2(config)# interface 1/1/27-1/1/28
Access-2(config-if-<1/1/27-1/1/28>)# no spanning-tree bpdu-filter
Access-2(config-if-<1/1/27-1/1/28>)# exit

Task 4.3-5: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab check-
points might be used by later activities.
Steps
1. Save the current access switches' configuration in the startup checkpoint.
Access-1
Access-1(config)# write memory
Copying configuration: [Success]

Access-2
Access-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches' configuration as a custom checkpoint called Lab4-3_final.
Access-1
Access-1(config)# copy running-config checkpoint Lab4-3_final
Copying configuration: [Success]

Access-2
Access-2(config)# copy running-config checkpoint Lab4-3_final
Copying configuration: [Success]

Task 4.3-6: Revert Access-1 and Access-2 configuration
Objectives
In this task, you will revert the Access-1 and Access-2 switch configuration to the Lab 4.2 final checkpoint (Lab4-2_final).
Steps
1. Restore configuration checkpoint Lab4-2_final on Access-1 and Access-2.
Access-1
Access-1(config)# copy checkpoint Lab4-2_final running-config
Copying configuration: [Success]

Access-2
Access-2(config)# copy checkpoint Lab4-2_final running-config
Copying configuration: [Success]

You have completed Lab 4.3!

Lab 5: Link aggregation between core switches


After successfully deploying MST-based load sharing on the links between core switches, you have been monitoring the bandwidth utilization of the links on ports 45 and 46 and have calculated an average of 10% utilization on one link versus 55% on the other. Although neither link is congested yet, the BigStartup administrator would like to find a better way to share the load among links.
Although moving VLANs from one instance to the other looks like a good solution and might work in
the short term, this is not a scalable option because nothing guarantees that traffic patterns will not
change tomorrow, in a week, or a few months from now.
The network administrator has approached you and asked for advice. You propose deploying link aggre-
gation since load sharing is not VLAN-based but hash-based (based on Layer 2 or Layer 3 source and
destination addresses), which commonly leads to more even resource utilization.
Objectives
After completing this lab, you will be able to:
n Deploy static link aggregation.
n Understand the nature of transient loops when creating static aggregations.
n Monitor LAG interfaces in AOS-CX.
Lab topology
The following lab topology will be used for your practical activities:

Task 5-1: Configure manual link aggregation
Objectives
In this task, you will configure a static Link Aggregation Group (LAG) between core switches to improve
load balancing and link utilization.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to Core-1.
4. Log in to the switch using the following credentials:
n Username: admin
n Password: <no password - just press Enter>
5. Create a LAG 256 interface and apply a description. This will be used as a logical Layer 2 con-
nection between cores.

Core-1# configure terminal
Core-1(config)# interface lag 256
Core-1(config-lag-if)# description To_Core-2_Ports-45&46

6. Disable routing and enable the interface.


Core-1(config-lag-if)# no routing
Core-1(config-lag-if)# no shutdown

7. Allow VLANs 11 and 12.
Core-1(config-lag-if)# vlan trunk allowed 11,12

8. Create a port range with interfaces 1/1/45 and 1/1/46, and make these two ports members of LAG 256.
Core-1(config-lag-if)# interface 1/1/45-1/1/46
Core-1(config-if-<1/1/45-1/1/46>)# lag 256
Core-1(config-if-<1/1/45-1/1/46>)# exit

9. Display detailed information about LAG 256.


Core-1(config)# show interface lag 256
Aggregate lag256 is up
Admin state is up
Description : To_Core-2_Ports-45&46
MAC Address : 44:5b:ed:67:d3:00
Aggregated-interfaces : 1/1/45 1/1/46
Aggregation-key : 256
Speed : 50000 Mb/s
qos trust none
VLAN Mode: native-untagged
Native VLAN: 1
Allowed VLAN List: 11-12
L3 Counters: Rx Disabled, Tx Disabled

Statistic RX TX Total
---------------- -------------------- -------------------- --------------------
Packets 222909 393126 616035
Unicast 6344 12375 18719
Multicast 216251 378779 595030
Broadcast 314 1972 2286
Bytes 34695063 75190794 109885857
Jumbos 0 11768 11768
Dropped 0 0 0
Filtered 192305 195 192500
Pause Frames 0 0 0
Errors 0 0 0
CRC/FCS 0 n/a 0
Collision n/a 0 0
Runts 0 n/a 0
Giants 0 n/a 0

What is the state of LAG 256?

Answer: Up.
What are the member ports?

Answer: 1/1/45 and 1/1/46.


What is the speed of the link?

Answer: 50,000 Mbps.


How is that speed determined?

Answer: Combining the speeds of ports 45 and 46.


What VLANs are forwarding traffic on this LAG?

Answer: VLANs 11 and 12 are allowed.


How many packets are being sent and received?

Answer: This is relative to each device. In this example, 616,035 packets were transmitted.
Are all these packets generated by the continuous ping you are running?

Answer: No, as other packets are transmitted, such as LLDP.

Right now, interface LAG 256 is up because the previous configuration has created a
local static aggregation that does not depend on any control plane protocol-based
negotiation with the remote end (Core-2). However, this has data plane implications;
the number of sent and received packets are not the result of a continuous ping. The
question is: What else can be creating that amount of traffic? After all, you are in the
middle of a maintenance window and nobody else is working in the network.

10. Connect to the PC1 remote desktop.


11. Start a continuous ping to PC4 (10.1.12.104).

Be patient getting a failed ping result. Since the lab environment has just a few sta-
tions and not all of them are sending broadcast traffic, it may take some time before
pings fail. In fact, it is possible that ICMP traffic does not fail at all, especially if core
switches are CX 83xx Series. Nonetheless, this issue shows up right away on a pro-
duction network, where hundreds of endpoints are connected.
You are experiencing a transient Layer 2 loop. When you configured static link aggregation on Core-1, it started sending every frame to Core-2 on either port 45 or port 46, chosen by a load-sharing hash of the source and destination IP addresses (or the source and destination MAC addresses when there is no IP header). The hash result, 0 or 1, selects port 45 or port 46 respectively. This includes the BPDUs, because at the STP level LAG 256 is a single logical port.
Core-2 is not running static aggregation yet. Its STP process still sees two physical ports instead of one, and it receives BPDUs on only one of them. After a few seconds, the lack of BPDUs on the other port makes that port transition to the Designated role (as if it were connected to an endpoint), while the port that still receives BPDUs becomes the root port. This happens on instances 0 and 1; on instance 2, both Core-2 ports are already designated.

In both cases, Core-2's ports eventually move to the Forwarding mode. The problem
appears when Core-1 forwards a broadcast, multicast, or unknown unicast frame
across the LAG. It uses one of the physical links, and when Core-2 receives it, it for-
wards the traffic to all interfaces the VLAN belongs to, including the second link back
to Core-1.

This means Core-2 is looping some frames back to Core-1, including the BPDUs it relays, which causes MAC address flapping. Also, each broadcast or multicast frame Core-2 receives on its downlinks is sent across both ports 45 and 46, generating duplicated frames. That is why pings either stopped or were inconsistent.
The solution is to disable one of the ports (preferably the former alternate port),
before starting the static aggregation configuration, and re-enable it once it is done
on both sides.
Another potential loop situation can take place when configuring static aggregation
in access switches' uplinks that terminate on different non-related/non-stacked phys-
ical devices.
Therefore, before configuring static aggregation, you must verify the following:
n All LAG member ports except one are disabled on one side.
n Confirm cabling is correct and involves two switching entities only.

Since you are already facing the issue, you will begin by removing the transient loop. Then, you
will complete Core-2's portion of the setup.
12. Stop the continuous ping.

13. Connect to the Core-2 console.
14. Create LAG 256 on Core-2.
Core-2# configure terminal
Core-2(config)# interface lag 256
Core-2(config-lag-if)# description To_Core-1_Ports-45&46
Core-2(config-lag-if)# no routing
Core-2(config-lag-if)# no shutdown

Core-2(config-lag-if)# vlan trunk allowed 11,12
Core-2(config-lag-if)# exit

15. Configure interfaces 1/1/45 and 1/1/46 as member ports of LAG 256.
Core-2(config)# interface 1/1/45-1/1/46
Core-2(config-if-<1/1/45-1/1/46>)# lag 256
Core-2(config-if-<1/1/45-1/1/46>)# exit

16. Verify LAG 256.


Core-2(config)# show interface lag 256

Aggregate lag256 is up
Admin state is up
Description : To_Core-1_Ports-45&46
MAC Address : 90:20:c2:c0:bc:00
Aggregated-interfaces : 1/1/45 1/1/46
Aggregation-key : 256
Speed : 50000 Mb/s
qos trust none
VLAN Mode: native-untagged
Native VLAN: 1
Allowed VLAN List: 11-12
L3 Counters: Rx Disabled, Tx Disabled

Statistic RX TX Total
---------------- -------------------- -------------------- --------------------
Packets 396533 227938 624471
Unicast 12375 6354 18729
Multicast 382181 221241 603422
Broadcast 1977 343 2320
Bytes 75724543 35481958 111206501
Jumbos 11768 0 11768
Dropped 0 0 0
Filtered 355317 1333 356650
Pause Frames 0 0 0
Errors 0 0 0
CRC/FCS 0 n/a 0
Collision n/a 0 0
Runts 0 n/a 0
Giants 0 n/a 0

Is LAG 256 working normally?

Answer: Yes.

Task 5-2: Configure dynamic link aggregation


Objectives
When LAG 256 was created between both core switches, BigStartup saw the value of the technology
and asked about other potential use cases. When you mentioned link aggregations can be used
between switches, routers, firewalls, and servers, the customer became more interested. They asked if it
is possible to deploy aggregated links without any chance of loops and if you could demonstrate the
technology.
In this task, you will configure a LACP-based LAG between core switches. After completing this lab, you
will be able to:
n Deploy LACP-based link aggregation.
n Demonstrate the benefits of LACP versus static aggregation.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to Core-1.
4. Delete LAG 256.
Core-1(config)# no interface lag 256

5. Launch a remote console to Core-2.


6. Delete LAG 256.
Core-2(config)# no interface lag 256

7. Navigate back to the Core-1 console.


8. Create a LAG 256 interface and apply a description. This will be used as a logical Layer 2 con-
nection between cores.
Core-1(config)# interface lag 256
Core-1(config-lag-if)# description To_Core-2_Ports-45&46

9. Disable routing and enable the interface.


Core-1(config-lag-if)# no routing
Core-1(config-lag-if)# no shutdown

10. Configure the LACP mode to active and LACP rate to fast.
Core-1(config-lag-if)# lacp mode active
Core-1(config-lag-if)# lacp rate fast

LACP operating modes
LACP can operate in active or passive mode.
n Active mode: the port sends LACPDUs on its own to initiate the exchange, whether or not the peer has sent anything first.
n Passive mode: the port only sends LACPDUs in reply to LACPDUs received from an active peer; it never initiates the exchange.
Two peer ports operating in passive mode will never establish an LACP link.
For an LACP LAG, one side must have LACP in active mode and the peer must be in active or passive mode. If you do not enable LACP on a LAG, it is treated as a static LAG and the peer cannot negotiate LACP with it.
LACP rate
The lacp rate command sets the LACPDU heartbeat interval and, with it, the timeout after which a silent partner is declared down (three missed heartbeats).
n fast: a heartbeat every second, with a timeout of three seconds.
n slow: a heartbeat every 30 seconds, with a timeout of 90 seconds. This is the default setting.

11. Allow VLANs 11 and 12. Note that the command as shown also lists the native VLAN 1 explicitly.

Core-1(config-lag-if)# vlan trunk allowed 1,11,12

12. Create a port range with interfaces 1/1/45 and 1/1/46, and make these two ports members of
LAG 256.
Core-1(config-lag-if)# interface 1/1/45-1/1/46
Core-1(config-if-<1/1/45-1/1/46>)# lag 256
Core-1(config-if-<1/1/45-1/1/46>)# no shutdown
Core-1(config-if-<1/1/45-1/1/46>)# exit

13. Launch a remote console to Core-2.


14. Enable ports 1/1/45 and 1/1/46.
Core-2(config)# interface 1/1/45-1/1/46
Core-2(config-if-<1/1/45-1/1/46>)# no shutdown
Core-2(config-if-<1/1/45-1/1/46>)# exit

Note that enabling the ports before having the entire configuration in place is not a
best practice. In this lab, we are doing it to test the LACP capabilities of controlling a
loop when one of the peer switches does not have the proper configuration.

15. Navigate back to the Core-1 console tab.


16. Display detailed information about LAG 256.
Core-1(config)# show lag 256
System-ID : 44:5b:ed:67:d3:00
System-priority : 65534

Aggregate lag256 is up
Admin state is up
Description : To_Core-2_Ports-45&46
Type : normal
Lacp Fallback : Disabled
MAC Address : 44:5b:ed:67:d3:00
Aggregated-interfaces : 1/1/45 1/1/46
Aggregation-key : 256
Aggregate mode : active
Hash : l3-src-dst
LACP rate : fast
Speed : 50000 Mb/s
Mode : trunk

What is the state of LAG 256?

Answer: Up.
What are the member ports?

Answer: 1/1/45 and 1/1/46.

Notice that LAG 256 appears to be active and operational from the LAG point of
view.

17. Verify the LACP status of the link aggregation.


Core-1(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:
----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/45 lag256 46 1 ASFOE 44:5b:ed:67:d3:00 65534 256 up
1/1/46 lag256 47 1 ASFOE 44:5b:ed:67:d3:00 65534 256 up

Partner details of all interfaces:
----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/45 lag256 0 0 PLFOEX 00:00:00:00:00:00 0 0
1/1/46 lag256 0 0 PLFOEX 00:00:00:00:00:00 0 0
Core-1(config)#

What state flags for the local switch (actor details) were triggered by LACP?

Answer: Flags A, S, F, O, and E.


What is the meaning of each state flag (abbreviation)?

Answer: A - Active, S - Short-timeout, F - Aggregable, O - OutofSync, and E - Default neighbor
state.

What state flags for the remote switch (partner details) were triggered by LACP?

Answer: P, L, F, O, E, and X.

What is the meaning of each state flag (abbreviation)?

Answer: P - Passive, L - Long-timeout, F - Aggregable, O - OutofSync, E - Default neighbor state,
and X - State m/c expired.

Notice that the flags O—OutofSync and X—Expired indicate that LACP has detected
problems and that the LAG is not active. Also, the lack of flags C—Collecting and D—
Distributing indicates that no data frames are being received or sent on those
interfaces. This is a protective measure from LACP to avoid loops in the network.

Interface state description
n A - Active. An active LACP interface.
n C - Collecting. Data frames are received through the aggregate link and sent
onto the intended destination.
n D - Distributing. Data frames are transmitted through the aggregate link to
reach the intended destination.
n F - Aggregable. The link can be used as part of an aggregate.
n E - Default neighbor state. The link has the default state of the neighbor
switch.
n I - Individual. The link is used as an individual link.
n L - Long-timeout. With the long timeout, an LACPDU is sent every 30 seconds.
If no response comes from its partner after three LACPDUs are sent (90
seconds), a timeout event occurs. The LACP state machine then transitions to
the appropriate state based on its current state.
n N - InSync. The physical port is connected to the aggregate port that was last
chosen by the logical election. The state variable selected is still true.
n O - OutofSync. The hardware might be out of sync with the modified protocol
information. If the hardware also has a status of Collecting, do not transmit
frames because they will be misdelivered.
n P - Passive. The port participates in the protocol, as long as it has an active
partner.
n S - Short-timeout. In the short timeout configuration, an LACPDU is sent every
second. If no response comes from its partner after three LACPDUs are sent, a
timeout event occurs. The LACP state machine then transitions to the
appropriate state based on its current state.
n X - State m/c expired. The "current while" timer has expired. The "current
while" timer then restarts with the short-timeout enabled.
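As an added example (not part of this lab guide or of AOS-CX), the following Python script parses the two show lacp interfaces captures from this task, embedded here as constructed strings, and turns the state flags of each member port into a per-interface diagnosis following the rules this section describes. The parser, the rule set and the wording of each finding are my own assumptions.

```python
"""Diagnose an AOS-CX LAG from 'show lacp interfaces' output.

Added example, not part of the lab guide or of AOS-CX. The two captures are
constructed from this lab's outputs: Core-1 before Core-2 had LAG 256
configured, and Core-2 after both sides were configured.
"""
import re

# Meaning of the state letters, as printed in the command's legend.
STATE_MEANING = {
    "A": "Active", "P": "Passive", "F": "Aggregable", "I": "Individual",
    "S": "Short-timeout", "L": "Long-timeout", "N": "InSync", "O": "OutofSync",
    "C": "Collecting", "D": "Distributing", "X": "State m/c expired",
    "E": "Default neighbor state",
}

BROKEN_OUTPUT = """\
Actor details of all interfaces:
----------------------------------------------------------------------------------
Intf    Aggr    Port  Port  State   System-ID          System  Aggr  Forwarding
----------------------------------------------------------------------------------
1/1/45  lag256  46    1     ASFOE   44:5b:ed:67:d3:00  65534   256   up
1/1/46  lag256  47    1     ASFOE   44:5b:ed:67:d3:00  65534   256   up

Partner details of all interfaces:
1/1/45  lag256  0     0     PLFOEX  00:00:00:00:00:00  0       0
1/1/46  lag256  0     0     PLFOEX  00:00:00:00:00:00  0       0
"""

HEALTHY_OUTPUT = """\
Actor details of all interfaces:
1/1/45  lag256  46    1     ASFNCD  90:20:c2:c0:bc:00  65534   256   up
1/1/46  lag256  47    1     ASFNCD  90:20:c2:c0:bc:00  65534   256   up

Partner details of all interfaces:
1/1/45  lag256  46    1     ASFNCD  44:5b:ed:67:d3:00  65534   256
1/1/46  lag256  47    1     ASFNCD  44:5b:ed:67:d3:00  65534   256
"""

# One data row of either table; only the actor table has a Forwarding column.
ROW_RE = re.compile(
    r"^(?P<intf>\d+/\d+/\d+)\s+(?P<aggr>lag\d+)\s+(?P<port_id>\d+)\s+"
    r"(?P<port_pri>\d+)\s+(?P<state>[A-Z]+)\s+(?P<sys_id>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<sys_pri>\d+)\s+(?P<key>\d+)(?:\s+(?P<fwd>\S+))?\s*$"
)


def parse_lacp(text):
    """Return {'actor': {intf: row}, 'partner': {intf: row}} from the CLI text."""
    tables = {"actor": {}, "partner": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Actor details"):
            section = "actor"
        elif line.startswith("Partner details"):
            section = "partner"
        elif section:
            m = ROW_RE.match(line)
            if m:
                tables[section][m.group("intf")] = m.groupdict()
    return tables


def describe(flags):
    """Expand a flag string such as 'ASFOE' into the names used by the legend."""
    return [STATE_MEANING[f] for f in flags]


def diagnose(text):
    """Map each member interface to a list of problems; an empty list is healthy."""
    tables = parse_lacp(text)
    report = {}
    for intf, actor in tables["actor"].items():
        partner = tables["partner"].get(intf)
        a = set(actor["state"])
        p = set(partner["state"]) if partner else set()
        problems = []
        if partner is None:
            problems.append("no partner entry for this interface")
        else:
            if "E" in a or "E" in p or partner["sys_id"] == "00:00:00:00:00:00":
                problems.append("no real LACP partner: neighbor state is the default")
            if "X" in p:
                problems.append("partner state expired: no LACPDUs received from the peer")
            if "P" in a and "P" in p:
                problems.append("both ends passive: LACP will never negotiate")
        if "O" in a or "O" in p:
            problems.append("out of sync with the peer")
        if "I" in a:
            problems.append("link is Individual, not part of the aggregate")
        if not {"C", "D"} <= a:
            problems.append("not Collecting/Distributing: no data frames on this link")
        report[intf] = problems
    return report


if __name__ == "__main__":
    for name, capture in (("before", BROKEN_OUTPUT), ("after", HEALTHY_OUTPUT)):
        for intf, problems in diagnose(capture).items():
            print(name, intf, problems or ["healthy"])
```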

18. Navigate to the Core-2 console.


19. Create LAG 256.
Core-2(config)# interface lag 256
Core-2(config-lag-if)# description To_Core-1_Ports-45&46
Core-2(config-lag-if)# no routing
Core-2(config-lag-if)# no shutdown
Core-2(config-lag-if)# lacp mode active
Core-2(config-lag-if)# lacp rate fast
Core-2(config-lag-if)# vlan trunk allowed 1,11,12

20. Create a port range with interfaces 1/1/45 and 1/1/46, and make these two ports members of
LAG 256.
Core-2(config-lag-if)# interface 1/1/45-1/1/46
Core-2(config-if-<1/1/45-1/1/46>)# lag 256
Core-2(config-if-<1/1/45-1/1/46>)# no shutdown
Core-2(config-if-<1/1/45-1/1/46>)# exit

21. Repeat the show lacp interfaces command one more time.

Core-2(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256

Notice that the LACP states are different. States O and X were removed, and states
N—InSync, C—Collecting, and D—Distributing were added, which means that your
LAG 256 is now functional.

22. Issue the show spanning-tree command.


Core-2(config)# show spanning-tree | exclude Disabled
Spanning tree status : Enabled Protocol: MSTP

MST0
Root ID Priority : 4096
MAC-Address: 44:5b:ed:67:d3:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Bridge ID Priority : 8192
MAC-Address: 90:20:c2:c0:bc:00
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
-------- -------------- ---------- ---------- ---------- ------------ ---------- ---------- --------- -------
1/1/1 Designated Forwarding 2000 128 P2P 224076 1757 69 16
1/1/2 Designated Forwarding 2000 128 P2P 192230 38326 72 12
lag256 Root Forwarding 800 64 P2P 195 193 2 1

Number of topology changes : 84
Last topology change occurred : 384 seconds ago

What is the spanning tree state of ports 1/1/45, 1/1/46, and LAG 256?

Answer: Forwarding state.

Ports 1/1/45 and 1/1/46 are not listed, while LAG 256 is the root port. When LAG 256
was created and ports 1/1/45 and 1/1/46 became members of it, spanning tree
stopped considering the physical interfaces in its calculations and started using
LAG 256 instead.

23. Run the show lacp aggregates command.


Core-2(config)# show lacp aggregates

Aggregate name : lag256
Interfaces : 1/1/45 1/1/46
Heartbeat rate : Fast
Hash : l3-src-dst
Aggregate mode : Active

What is the current (default) hashing algorithm?

Answer: Layer 3, source and destination (l3-src-dst).

Task 5-3: Save your configurations

Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab
checkpoints might be used by later activities.
Steps
1. Save the current access and core switches' configuration in the startup checkpoint.
Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches' configuration as a custom checkpoint called Lab5_final.
Core-1
Core-1(config)# copy running-config checkpoint Lab5_final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab5_final
Copying configuration: [Success]

You have completed Lab 5!

Lab 6.1: Create an HPE Aruba Networking Virtual Switching Framework stack

It has been one year since BigStartup started the business, and increased profits are making it possible
to open additional offices. This new project for additional offices begins next month, and they want you
to take care of the entire network deployment. This project will take several months, and you might not
be able to assist with Level 1 support. You suggest handing over control of the access switches to an
internal staff member. They are not very experienced in networking and do not feel confident
managing multiple independent switches.
To simplify the deployment, you plan to create a single stack of switches using a technology called HPE
Aruba Networking Virtual Switching Framework (VSF) so that the internal staff member will only need
to deal with one logical unit.
Objectives
After completing this lab, you will be able to:
n Create a VSF stack.
n Define stack roles.
n Verify VSF topology.
n Configure distributed link aggregation.
Lab topology
The following lab topology will be used for your practical activities:

Task 6.1-1: Deploy a VSF stack
Objectives
You are about to create a VSF stack. This involves rebooting one of the units, which might affect users
connected to it. Although you know the process will take no more than five minutes, you have
requested a 30-minute maintenance window. To further minimize the inconvenience, you have scheduled
the maintenance window during lunch.
In this task, you will create a VSF stack with both access switches using port 1/1/28. Then you will
explore the stack properties and normalize the port configuration on member 2.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to PC4.
4. Open the command prompt and start a continuous ping to PC1 (10.1.12.101). The ping should be
successful.

5. Open a console session to Access-1.
6. Enable interface 1/1/28.
Access-1# configure terminal
Access-1(config)# interface 1/1/28
Access-1(config-if-vsf)# no shutdown
Access-1(config-if-vsf)# exit

7. Create VSF link 1 using port 1/1/28.

Access-1(config)# vsf member 1
Access-1(vsf-member-1)# link 1 1/1/28
Access-1(vsf-member-1)# exit

8. Open a console session to Access-2.


9. Enable port 1/1/28.
Access-2# configure terminal
Access-2(config)# interface 1/1/28
Access-2(config-if-vsf)# no shutdown
Access-2(config-if-vsf)# exit

10. Create VSF link 1 using port 1/1/28.


Access-2(config)# vsf member 1
Access-2(vsf-member-1)# link 1 1/1/28
Access-2(vsf-member-1)# exit

11. Renumber the switch to vsf member 2. You will be prompted to save the configuration and
reboot the unit. Answer y.
Access-2(config)# vsf renumber-to 2
This will save the VSF configuration and reboot the switch.
Do you want to continue (y/n)? y

12. The system will reboot and be back online after a few minutes.
13. Log in with admin and no password (leave empty and press Enter).
Access-2 login: admin
Password:
Last login: 2024-04-24 19:19:12 from the console
User "admin" has logged in 3 times in the past 30 days
member-2#

What is the new prompt shown in the switch’s CLI?

Answer: Member-2.
14. Move back to Access-1.
15. Run the show vsf command.
Access-1(config)# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary :
Topology : Chain
Status : No Split
Split Detection Method : None

Mbr Mac Address type Status
ID
--- ------------------- -------------- ---------------
1 10:4f:58:fc:14:40 JL668A Conductor
2 10:4f:58:f6:84:80 JL668A Member

What is the stack’s MAC address?

Answer: 10:4f:58:fc:14:40 (conductor MAC address)


What is the topology used in the stack?

Answer: Chain
How many members are part of the stack?

Answer: Two
Does the stack MAC address match any of the members' addresses?

Answer: Yes
Whose?

Answer: Access-1 MAC address

What is status (role) of Member 1?

Answer: Conductor
What is status (role) of Member 2?

Answer: Member
16. Run the detailed version of the output.
Access-1(config)# show vsf detail
VSF Stack
MAC Address : 10:4f:58:fc:14:40
Secondary :
Topology : chain
Status : No Split
Split Detection Method : None
Software Version : FL.10.13.1000
Force Autojoin : Disabled
Autojoin Eligibility Status : Not Eligible
Autojoin Ineligibility Reason: Configuration changes detected
Name : Aruba-VSF-6300
Contact :
Location :

Member ID : 1
MAC Address : 10:4f:58:fc:14:40
Type : JL668A
Model : 6300F 24-port 1GbE and 4-port SFP56 Switch
Status : Conductor
ROM Version : FL.01.14.0002
Serial Number : SG01KN701M
Uptime : 3 weeks, 6 days, 4 hours, 21 minutes
CPU Utilization : 10%
Memory Utilization : 20%
VSF Link 1 : Up, connected to peer member 2, link 1
VSF Link 2 :

Member ID : 2
MAC Address : 10:4f:58:f6:84:80
Type : JL668A
Model : 6300F 24-port 1GbE and 4-port SFP56 Switch
Status : Member
ROM Version : FL.01.14.0002
Serial Number : SG01KN701K
Uptime : 4 minutes
CPU Utilization : 5%
Memory Utilization : 8%
VSF Link 1 : Up, connected to peer member 1, link 1
VSF Link 2 :

What is the switch type (part number) of both members?

Answer: JL668A
What is the switch type (model) of both members?

Answer: 6300F 24-port 1GbE and 4-port SFP56 Switch


What is the CPU and memory utilization of Member 1?

Answer: That value varies based on the switch load. In this example, Member 1 was using 10% of
its CPU and 20% of its memory.
What is the CPU and memory utilization of Member 2?

Answer: That value varies based on the switch load. In this example, Member 2 was using 5% of
its CPU and 8% of its memory.
17. Use the show vsf topology command to look at the logical connections between members.
Access-1(config)# show vsf topology
Conductor
+-------+ +-------+
| 2 |1==1| 1 |
+-------+ +-------+

What is the logical link that connects both units?

Answer: VSF link 1 was used between Members 1 and 2.


18. Run the show vsf link command to display the physical port members of logical link 1.
Access-1(config)# show vsf link

VSF Member 1

Link Peer Peer
Link State Member Link Interfaces
---- ---------- ------- ------ ---------------------------
1 up 2 1 1/1/28

VSF Member 2

Link Peer Peer
Link State Member Link Interfaces
---- ---------- ------- ------ ---------------------------
1 up 1 1 2/1/28

What ports are used in Member 1 for creating VSF link 1?

Answer: Port 1/1/28.


What ports are used in Member 2 for creating VSF link 1?

Answer: Port 2/1/28.


Both members are now part of the same logical stack. They share the same control plane and
management plane, although the data plane is distributed among them. It means that the
physical interfaces of both units can be managed by the Conductor.

19. Run the show interface brief command and confirm you can see ports of both members.
Access-1(config)# show interface brief
--------------------------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed Description
VLAN (Mb/s)
--------------------------------------------------------------------------------------------------------
1/1/1 12 access 1GbT yes up 1000 To_PC1
1/1/2 1 access 1GbT no down Administratively down -- --
1/1/3 11 access 1GbT yes up 1000 To_PC3
1/1/4 1 access 1GbT no down Administratively down -- --
1/1/5 1 access 1GbT no down Administratively down -- --
<<Omitted output>>
1/1/24 1 access 1GbT no down Administratively down -- --
1/1/25 1 trunk 10G-DAC1 yes up 10000 To_Core-1_Port-1
1/1/26 1 trunk 10G-DAC1 yes up 10000 To_Core-2_Port-1
1/1/27 1 access 10G-DAC1 no down Administratively down -- --
1/1/28 -- VSF 10G-DAC1 yes up 10000 To_Access-2_port-28
2/1/1 1 access 1GbT yes down Waiting for link -- --
2/1/2 1 access 1GbT yes down Waiting for link -- --
2/1/3 1 access 1GbT yes down Waiting for link -- --
2/1/4 1 access 1GbT yes up 1000 --
2/1/5 1 access 1GbT yes down Waiting for link -- --
<<Omitted output>>
2/1/20 1 access 1GbT yes down Waiting for link -- --
2/1/21 1 access 1GbT yes up 1000 --
2/1/22 1 access 1GbT yes up 1000 --
2/1/23 1 access 1GbT yes down Waiting for link -- --
2/1/24 1 access 1GbT yes down Waiting for link -- --
2/1/25 1 access 10G-DAC1 yes up 10000 --
2/1/26 1 access 10G-DAC1 yes up 10000 --
2/1/27 1 access 10G-DAC1 yes down Waiting for link -- --
2/1/28 -- VSF 10G-DAC1 yes up 10000 --
vlan1 -- -- -- yes up -- --

Can you see the ports of Member 1 and Member 2?

Answer: Yes.
What is the mode of interfaces used for the VSF link?

Answer: VSF mode.

These interfaces lost their previous configuration, moved to routed ports, and are
now exclusively used for VSF. Due to their routed mode properties, Layer 2 loops
cannot be created through them.

What VLANs are assigned to ports 1/1/1 and 1/1/3 (PC1 and PC3)?

Answer: Port 1/1/1 VLAN 12, port 1/1/3 VLAN 11.


What VLAN is assigned to port 2/1/4 (PC4)?

Answer: VLAN 1.
What is the port mode of interfaces 1/1/25 and 1/1/26 (uplinks of Member 1)?

Answer: Trunk.
What is the port mode of interfaces 2/1/25 and 2/1/26 (uplinks of Member 2)?

Answer: Access.
20. Move back to PC4. Is the ping still going?

When Member 2 came back from rebooting and joined the stack, it lost its previous
configuration, wiping the ports’ settings out and putting them in default values. This
process is obviously affecting PC4, which can no longer access the internet.
You realize you only have 10 minutes left before the maintenance window is over. So,
you better hurry up and restore the configuration on those ports!
Do not panic! You do not have to create the VLANs or spanning tree configuration all
over again; they are already part of the global VSF stack configuration that Member
1 manages. The only thing you must do is provision the ports properly.
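As an added example (not part of the lab guide or of AOS-CX), the following Python script parses a constructed subset of the show interface brief output from step 19, reports which Member 2 ports came back enabled with default settings or with their trunk configuration lost, and builds the port-range commands used in the steps that follow. The uplink list, the contiguous-range assumption and the wording of each finding are my own.

```python
"""Audit a VSF member's ports after it joined the stack with default settings.

Added example, not part of the lab guide or of AOS-CX. The capture is a
constructed subset of the 'show interface brief' output shown in this task;
the uplink list and the port-range remediation are assumptions mirroring
the steps that follow in the lab.
"""
import re

BRIEF_OUTPUT = """\
------------------------------------------------------------------------------------------
Port    Native  Mode    Type      Enabled  Status  Reason                 Speed   Description
        VLAN                                                              (Mb/s)
------------------------------------------------------------------------------------------
1/1/1   12      access  1GbT      yes      up                             1000    To_PC1
1/1/2   1       access  1GbT      no       down    Administratively down  --      --
1/1/25  1       trunk   10G-DAC1  yes      up                             10000   To_Core-1_Port-1
1/1/26  1       trunk   10G-DAC1  yes      up                             10000   To_Core-2_Port-1
1/1/28  --      VSF     10G-DAC1  yes      up                             10000   To_Access-2_port-28
2/1/1   1       access  1GbT      yes      down    Waiting for link       --      --
2/1/4   1       access  1GbT      yes      up                             1000    --
<<Omitted output>>
2/1/21  1       access  1GbT      yes      up                             1000    --
2/1/25  1       access  10G-DAC1  yes      up                             10000   --
2/1/26  1       access  10G-DAC1  yes      up                             10000   --
2/1/27  1       access  10G-DAC1  yes      down    Waiting for link       --      --
2/1/28  --      VSF     10G-DAC1  yes      up                             10000   --
vlan1   --      --      --        yes      up                             --      --
"""

# One row of the table; Reason is optional and may contain spaces.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<vlan>\S+)\s+(?P<mode>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<enabled>yes|no)\s+(?P<status>up|down)\s+(?:(?P<reason>.*?)\s+)?"
    r"(?P<speed>\d+|--)\s+(?P<desc>\S+)\s*$"
)


def parse_brief(text):
    """Return {port: row} for every physical or logical port in the output."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group("port")] = m.groupdict()
    return rows


def port_key(port):
    """Sort key for member/slot/port names such as '2/1/27'."""
    return tuple(int(x) for x in port.split("/"))


def audit_member(rows, member, uplinks):
    """Flag ports of one stack member that are not configured as intended.

    The VSF link itself is skipped: it is a routed port dedicated to stacking.
    """
    findings = {}
    for port, r in rows.items():
        if not port.startswith(f"{member}/") or r["mode"] == "VSF":
            continue
        if port in uplinks:
            if r["mode"] != "trunk":
                findings[port] = f"uplink is in {r['mode']} mode: trunk settings were lost"
        elif r["enabled"] == "yes" and r["vlan"] == "1" and r["desc"] == "--":
            findings[port] = f"enabled with default settings (VLAN 1, no description), link {r['status']}"
    return findings


def remediation(rows, member, uplinks, allowed_vlans="1,11,12"):
    """Build the CLI lines that shut the member's ports and restore the uplinks.

    Assumes the member's non-VSF ports and its uplinks each form one
    contiguous range, as they do in this lab (an assumption of this example).
    """
    ports = sorted((p for p, r in rows.items()
                    if p.startswith(f"{member}/") and r["mode"] != "VSF"), key=port_key)
    ups = sorted(uplinks, key=port_key)
    return [
        f"interface {ports[0]}-{ports[-1]}",
        "  shutdown",
        f"interface {ups[0]}-{ups[-1]}",
        "  no shutdown",
        f"  vlan trunk allowed {allowed_vlans}",
    ]


if __name__ == "__main__":
    table = parse_brief(BRIEF_OUTPUT)
    found = audit_member(table, 2, {"2/1/25", "2/1/26"})
    for port in sorted(found, key=port_key):
        print(port, found[port])
    print("\n".join(remediation(table, 2, {"2/1/25", "2/1/26"})))
```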

21. Move back to Access-1.


22. Disable all of Member 2’s ports except for the VSF connection.
Access-1(config)# interface 2/1/1-2/1/27
Access-1(config-if-<2/1/1-2/1/27>)# shutdown
Access-1(config-if-<2/1/1-2/1/27>)# exit

23. Enable Member 2’s uplinks to Core-1 and Core-2 and allow VLANs 1, 11 and 12 across interfaces
2/1/25 and 2/1/26.
Access-1(config)# interface 2/1/25-2/1/26
Access-1(config-if-<2/1/25-2/1/26>)# no shutdown
Access-1(config-if-<2/1/25-2/1/26>)# vlan trunk allowed 1,11,12
Access-1(config-if-<2/1/25-2/1/26>)# exit

24. Enable the port that connects to PC4 (2/1/4), then make it a member of VLAN 12.
Access-1(config)# interface 2/1/4
Access-1(config-if)# no shutdown
Access-1(config-if)# vlan access 12
Access-1(config-if)# exit

Well done! You have restored connectivity in record time! Now that the urgency is over, you can
change the hostname of the system to something more appropriate.
25. Change the hostname to Access-VSF.
Access-1(config)# hostname Access-VSF
Access-VSF(config)#

26. Move back to PC4. Is the ping working now?

Answer: Yes, the ping should work.

27. Stop the ping.

Task 6.1-2: Configure distributed link aggregation


Objectives
Right now, the VSF stack is up and running. However, because of your spanning tree knowledge, you
know that only two out of the four uplinks are actively in use: 1/1/25 is the root port for Instance 1 and
the alternate for Instance 2, while 1/1/26 is the root port for Instance 2 and the alternate on Instance 1.
The other two uplinks, 2/1/21 and 2/1/22, alternate between both instances.
Therefore, you must complete the deployment by configuring link aggregation between the stack and
both cores.
You will first create LAG 1 in both the VSF stack and Core-1, and then LAG 2 in Core-2 and the VSF
stack.

Lab topology

Steps
1. Launch a remote console to PC4.
2. Open the command prompt and start a continuous ping to PC1 (10.1.12.101). The ping should be
successful.

3. Open a console session to Access-VSF: Member 2 (formerly known as Access-2).


4. Press the question mark (?). You will get the help as the output.
member-2# ?
clear Reset functions
diagnostics Change diagnostic commands availability
erase Erase device information or files
exit Exit current mode and change to previous mode
list Print command list
member VSF member selection
no Negate a command or set its defaults
page Enable page break
show Show running system information
start-shell Start Bash shell
terminal-monitor Enables Terminal-monitor
top Top command

5. Type show followed by a ?. You will get the show command’s help as the output.
member-2# show ?
allow-unsafe-updates Show allowed non-failsafe updates
images Show the version of software stored in the Primary and
Secondary image locations
needed-updates Show needed updates of programmable devices
tech Display output of a predefined command sequence used by
technical support
terminal-monitor Displays Terminal-monitor status
version Displays switch version
vsf Show VSF information

Are the available commands and options the same that you would see in the Conductor or a non-
stacked switch?

Answer: Member switches have limited commands available, as the commander switch executes
the management and control plane.
6. Run the member 1 command, which will take you to Member 1’s (the Conductor) CLI.
member-2# member 1
Users are not allowed to access the conductor's console from member/standby

Member switches are not allowed to manage the stack nor access or manage the
conductor switch.

7. Connect to the Access-1 console and enter the member 2 command. When prompted for a
password, simply press Enter.
Access-VSF# member 2
[email protected]'s password:

Last login: 2024-04-26 14:49:03 from 172.17.17.1
User "admin" has logged in 6 times in the past 30 days

8. Press the question mark (?). You will get the help as the output.
member-2# ?
clear Reset functions
diagnostics Change diagnostic commands availability
erase Erase device information or files
exit Exit current mode and change to previous mode
list Print command list
member VSF member selection
no Negate a command or set its defaults
page Enable page break
show Show running system information
start-shell Start Bash shell
terminal-monitor Enables Terminal-monitor
top Top command

Note that the Conductor switch has more command options when accessing member
switches. This is especially useful for troubleshooting.

9. Enter exit to return to the Access-1 console.
member-2# exit
Access-VSF#

10. Create LAG 1 with the following settings:


n Description: To-Core-1
n Allowed VLANs: 1, 11 and 12
n LACP rate: fast
n LACP mode: active
n Enabled: yes
Access-VSF# configure terminal
Access-VSF(config)# interface lag 1
Access-VSF(config-lag-if)# description To-Core-1
Access-VSF(config-lag-if)# vlan trunk allowed 1,11,12
Access-VSF(config-lag-if)# lacp mode active
Access-VSF(config-lag-if)# lacp rate fast
Access-VSF(config-lag-if)# no shutdown
Access-VSF(config-lag-if)# exit

11. Associate ports 1/1/25 and 2/1/25 to LAG 1.


Access-VSF(config)# interface 1/1/25,2/1/25
Access-VSF(config-if-<1/1/25,2/1/25>)# lag 1
Access-VSF(config-if-<1/1/25,2/1/25>)# no shut
Access-VSF(config-if-<1/1/25,2/1/25>)# exit

12. Connect to the Core-1 console and create LAG 1 with the following settings:
n Description: To-Access-VSF
n Allowed VLANs: 1, 11 and 12
n LACP rate: fast
n LACP mode: active
n Enabled: yes
Core-1(config)# interface lag 1
Core-1(config-lag-if)# description To-Access-VSF
Core-1(config-lag-if)# no routing
Core-1(config-lag-if)# vlan trunk allowed 1,11,12
Core-1(config-lag-if)# lacp mode active
Core-1(config-lag-if)# lacp rate fast
Core-1(config-lag-if)# no shutdown
Core-1(config-lag-if)# exit
Core-1(config)#

13. Associate ports 1/1/1 and 1/1/2 to LAG 1.


Core-1(config)# interface 1/1/1-1/1/2
Core-1(config-if-<1/1/1-1/1/2>)# no routing
Core-1(config-if-<1/1/1-1/1/2>)# no shutdown
Core-1(config-if-<1/1/1-1/1/2>)# lag 1
Core-1(config-if-<1/1/1-1/1/2>)# exit

14. Verify LAG 1.


Core-1(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/1 lag1 2 1 ASFNCD 44:5b:ed:67:d3:00 65534 1 up
1/1/2 lag1 3 1 ASFNCD 44:5b:ed:67:d3:00 65534 1 up
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/1 lag1 26 1 ASFNCD 10:4f:58:fc:14:40 65534 1
1/1/2 lag1 90 1 ASFNCD 10:4f:58:fc:14:40 65534 1
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256

Distributed LAGs are possible because VSF-stacked switches act as a single switch for
the data, management, and control planes: Core-1 sees the same partner System-ID
(10:4f:58:fc:14:40) on both 1/1/1 and 1/1/2, even though those links terminate on
different physical members of the stack.

15. Now, connect to Access-1 to configure a LAG between the access VSF and Core-2.
16. Create LAG 2 with the following settings:
n Description: To-Core-2
n Allowed VLANs: 1, 11 and 12
n LACP rate: fast
n LACP mode: active
n Enabled: yes
Access-VSF(config)# interface lag 2
Access-VSF(config-lag-if)# description To-Core-2
Access-VSF(config-lag-if)# vlan trunk allowed 1,11,12
Access-VSF(config-lag-if)# lacp mode active
Access-VSF(config-lag-if)# lacp rate fast
Access-VSF(config-lag-if)# no shutdown
Access-VSF(config-lag-if)# exit

17. Associate ports 1/1/26 and 2/1/26 to LAG 2.
Access-VSF(config)# interface 1/1/26,2/1/26
Access-VSF(config-if-<1/1/26,2/1/26>)# lag 2
Access-VSF(config-if-<1/1/26,2/1/26>)# no shutdown
Access-VSF(config-if-<1/1/26,2/1/26>)# exit

18. Connect to the Core-2 console and create LAG 2 with the following settings:
n Description: To-Access-VSF
n Allowed VLANs: 1, 11 and 12
n LACP rate: fast
n LACP mode: active
n Enabled: yes
Core-2(config)# interface lag 2
Core-2(config-lag-if)# description To-Access-VSF
Core-2(config-lag-if)# no routing
Core-2(config-lag-if)# vlan trunk allowed 1,11,12
Core-2(config-lag-if)# lacp mode active
Core-2(config-lag-if)# lacp rate fast
Core-2(config-lag-if)# no shutdown
Core-2(config-lag-if)# exit

19. Associate ports 1/1/1 and 1/1/2 to LAG 2.


Core-2(config)# interface 1/1/1-1/1/2
Core-2(config-if-<1/1/1-1/1/2>)# no routing
Core-2(config-if-<1/1/1-1/1/2>)# no shutdown
Core-2(config-if-<1/1/1-1/1/2>)# lag 2
Core-2(config-if-<1/1/1-1/1/2>)# exit

20. Verify LAG 2.


Core-2(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/1 lag2 2 1 ASFNCD 90:20:c2:c0:bc:00 65534 2 up
1/1/2 lag2 3 1 ASFNCD 90:20:c2:c0:bc:00 65534 2 up
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up

Partner details of all interfaces:
----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/1 lag2 27 1 ASFNCD 10:4f:58:fc:14:40 65534 2
1/1/2 lag2 91 1 ASFNCD 10:4f:58:fc:14:40 65534 2
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256

A simplified view of your topology should look like the following picture. Notice that
a complex topology with several links was drastically simplified by using VSF and
LACP.

Verify the STP topology
21. Now check the current topology. Connect to the Access-1 console and check MSTP MST 1.
Access-VSF(config)# show spanning-tree mst 1 | exclude Down

#### MST1
Vlans mapped: 11
Bridge Address:10:4f:58:fc:14:40 Priority:32768
Root Address:02:01:00:00:00:01 Priority:4096
Port:lag1, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
---------- -------------- ---------- -------- ---------- ------------ ---------- --------- -------- ----------
1/1/1 Designated Forwarding 20000 128 P2P 342271 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 342271 0 0 0

2/1/4 Designated Forwarding 20000 128 P2P 84467 0 0 0
lag1 Root Forwarding 2000 64 P2P 10 3539 5 15
lag2 Alternate Blocking 2000 64 P2P 14 638 2 6

Topology change flag : True
Number of topology changes : 43
Last topology change occurred : 106 seconds ago

22. Check MSTP MST 2.


Access-VSF(config)# show spanning-tree mst 2 | exclude Down

#### MST2
Vlans mapped: 12
Bridge Address:10:4f:58:fc:14:40 Priority:32768
Root Address:90:20:c2:c0:bc:00 Priority:4096
Port:lag2, Cost:2000, Rem Hops:19

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
---------- -------------- ---------- -------- ---------- ------------ ---------- --------- -------- ----------
1/1/1 Designated Forwarding 20000 128 P2P 342268 0 0 0
1/1/3 Designated Forwarding 20000 128 P2P 342268 0 0 0
2/1/4 Designated Forwarding 20000 128 P2P 84464 0 0 0
lag1 Alternate Blocking 2000 64 P2P 10 3534 5 13
lag2 Root Forwarding 2000 64 P2P 9 634 2 4

Topology change flag : False


Number of topology changes : 50
Last topology change occurred : 2 seconds ago

Your logical topology should match the following picture:

23. Connect to the PC4 remote desktop.
Is the ping still running?

Answer: Yes, the ping should work.

Task 6.1-3: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab
checkpoints might be used by later activities.

Steps
1. Save the current access and core switches’ configuration in the startup checkpoint.
Access-1
Access-VSF(config)# write memory
Copying configuration: [Success]

Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches’ configuration as a custom checkpoint called Lab6-1_final.
Access-1
Access-VSF(config)# copy running-config checkpoint Lab6-1_final
Copying configuration: [Success]

Note that you need to create a single checkpoint for Access-1 and Access-2 as they
now behave as a single logical switch.

Core-1
Core-1(config)# copy running-config checkpoint Lab6-1_final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab6-1_final
Copying configuration: [Success]

You have completed Lab 6.1!

Lab 6.2: Configure an HPE Aruba Networking Virtual Switching eXtension environment
The BigStartup management team was amazed by the improvements in redundancy, performance, and
simplicity that VSF and LAGs added to the network. To further improve network availability and
redundancy, you have proposed that BigStartup implement HPE Aruba Networking Virtual Switching
eXtension (VSX) on the core switches, allowing the virtualization of the Layer 2 forwarding plane
for distributed link aggregation. It will also allow the implementation of redundancy features such
as Active Gateway. BigStartup accepted your proposal.
A senior network engineer has provided you with the configuration template you should use.

VSX allows the virtualization of a switch pair. This solution lets the switches present as one
virtualized switch in critical areas. Through the virtualization of the control plane of two
switches, they function as one device at Layer 2 and as independent devices at Layer 3.
From a datapath perspective, each device does an independent forwarding lookup to
decide how to handle the traffic. Some forwarding databases, such as MAC and ARP tables,
are synchronized between the two devices using a proprietary VSX control plane. Some of
the forwarding databases are built independently by each switch.
VSX implementation is covered in detail in the professional-level switching course.

Objectives
After completing this lab, you will be able to:
• Configure the Inter-Switch Link (ISL).
• Configure VSX Sync.
• Configure VSX keepalive.
Lab topology
The following lab topology will be used for your practical activities:

Task 6.2-1: Configure VSX
Objectives
In this task, you will configure the VSX between Core-1 and Core-2.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to Core-1.
4. Verify LAG 256, created in the previous lab.
Core-1# configure terminal
Core-1(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256

5. Verify the current LAG 256 configuration.


Core-1(config)# interface lag 256
Core-1(config-lag-if)# show running-config current-context
interface lag 256
description To_Core-2_Ports-45&46
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 11-12
lacp mode active
lacp rate fast

6. Change LAG 256 to allow all VLANs.


Core-1(config-lag-if)# vlan trunk allowed all
Core-1(config-lag-if)# exit

Allowing all VLANs on a trunk is recommended only between the two switches of a VSX pair.
On uplinks, the best practice is to allow only the VLANs required on that link.

7. Launch a remote console to Core-2 and repeat steps 4 to 6.


Core-2# configure terminal
Core-2(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256

Core-2(config)# interface lag 256
Core-2(config-lag-if)# vlan trunk allowed all
Core-2(config-lag-if)# exit

Configuring the ISL


8. Using the Remote Lab dashboard, connect to the Core-1 console.
9. Configure Core-1 as a VSX primary switch.
Core-1(config)# vsx
Core-1(config-vsx)# system-mac 02:01:00:00:00:01
Core-1(config-vsx)# inter-switch-link lag 256
Core-1(config-vsx)# role primary
Core-1(config-vsx)# vsx-sync vsx-global
Core-1(config-vsx)# exit
Core-1(config)# virtual-mac 02:01:00:00:00:01

10. Using the Remote Lab dashboard, connect to the Core-2 console.
11. Configure VSX on Core-2.
Core-2(config)# vsx
Core-2(config-vsx)# system-mac 02:01:00:00:00:01
Core-2(config-vsx)# inter-switch-link lag 256
Core-2(config-vsx)# role secondary
Core-2(config-vsx)# exit
Core-2(config)# virtual-mac 02:01:00:00:00:01

Switch roles
Each VSX switch must be configured with a role—primary or secondary. The roles do
not indicate which device is forwarding traffic at a given time, as VSX is an active-
active forwarding solution. The roles are used to determine which device stays active
when there is a VSX split, such as when the ISL goes down, and for determining the
direction of configuration sync. If the VSX ISL goes down, the primary switch keeps
forwarding traffic while the secondary switch blocks ports from participating in the
VSX LAGs.
System MAC
The common system MAC address is used for preventing traffic disruptions when the
primary switch is restored after the secondary switch. A primary switch might be
restored after the secondary switch in scenarios such as:
• A primary switch hardware replacement.
• A power outage with the primary switch restored after the secondary switch is
restored.
When the primary switch is restored after the secondary switch, a traffic disruption
might occur when the ISL starts to sync, because the system MAC address used for LACP
changes from the secondary switch to the primary switch. To avoid the traffic
disruption, set the common system MAC address by entering the system-mac <MAC-ADDR>
command. This command creates a common system MAC address between the two VSX
switches. This common system MAC address prevents a traffic disruption when the
secondary switch comes up before the primary switch. If the common system MAC
address is enabled, the secondary switch uses the common system MAC address instead
of its own system MAC address, which prevents traffic loss.
The system MAC address also maintains the same MSTP bridge ID across the VSX
switches, which act as a single switch.

12. Verify the VSX status.


Core-2(config)# show vsx status
VSX Operational State
---------------------
ISL channel : In-Sync
ISL mgmt channel : operational
Config Sync Status : In-Sync
NAE : peer_reachable
HTTPS Server : peer_reachable

Attribute Local Peer
------------ -------- --------
ISL link lag256 lag256
ISL version 2 2
System MAC 02:01:00:00:00:01 02:01:00:00:00:01
Platform 8325 8325
Software Version GL.10.13.1000 GL.10.13.10

Notice that the ISL channel is "In-Sync," the ISL mgmt channel is "operational," and
the Config Sync Status is "In-Sync." This means that your VSX pair of switches is
working properly.

VSX configuration sync


VSX configuration synchronization simplifies VSX solution management, reducing
misconfiguration and drift across VSX peer switches. With configuration synchronization
enabled, the primary peer configuration is synced to the secondary peer. This
synchronization is controlled in an opt-in manner by enabling VSX synchronization on a
section of the configuration.
You will now enable configuration sync for your core VSX.
13. Using the Remote Lab dashboard, connect to the Core-1 console.
14. Configure VSX configuration sync for global VSX features and spanning tree to ensure those
configurations are synchronized between Core-1 and Core-2. As needed, you will add new
configurations to be synchronized in the upcoming labs.
Core-1(config)# vsx
Core-1(config-vsx)# vsx-sync vsx-global
Core-1(config-vsx)# vsx-sync stp-global
Core-1(config-vsx)# exit

15. Navigate to the Core-2 console and check if the configuration sync command was
automatically added.
Core-2(config)# show running-config | begin vsx
vsx
system-mac 02:01:00:00:00:01
inter-switch-link lag 256
role secondary
vsx-sync stp-global vsx-global
!
!
https-server vrf mgmt

VSX keepalive
Keepalive is a Layer 3 interface that is used to exchange heartbeats between VSX peer switches.
The heartbeats are exchanged by using the User Datagram Protocol (UDP) and port 7678
(default). During an ISL failure, VSX switches use their keepalive connection to determine if both
VSX switches are up and running. This configuration helps the VSX switches find alternative
paths to the ISL link in the network so the two VSX switches can continue to stay in sync.
Configure each VSX peer switch with a keepalive connection to the other VSX peer switch. This
connection is established over a routed network (IPv4 currently) and is not required to be a
dedicated peer-to-peer link, unlike the ISL. Keepalive packets are UDP-based.
Make sure that the VSX peer switches have Layer 3 reachability for keepalive interfaces through
directly connected interfaces or routed through the upstream Layer 3 network. The source of
keepalive interfaces can be a Layer 3 interface (router port), a loopback interface, or a Switch
Virtual Interface (SVI). An SVI is a logical Layer 3 interface configured per VLAN (one-to-one
mapping) that performs all Layer 3 processing for packets to or from all switch ports associated
with that VLAN.
In the case of CX 6400 Series and CX 8400 Series switches, it is highly recommended to use
keepalive and ISL on different line cards. A single point of failure on a line card that has keepalive
and ISL configuration might cause split brain.
In this lab, you will use interfaces 45 and 46 as the ISL link and interface 47 as the keepalive
interface.

16. Navigate to the Core-1 console.
17. Create a new VRF named KA.
Core-1(config)# vrf KA
Core-1(config-vrf)# interface 1/1/47
Core-1(config-if)# routing
Core-1(config-if)# vrf attach KA
Core-1(config-if)# ip address 10.1.15.1/30
Core-1(config-if)# no shutdown
Core-1(config-if)# exit

It is recommended that a VRF be used to completely separate the keepalive subnet
from the network. You will learn more about VRFs in the Implementing AOS-CX
Switching course.

18. Connect to the Core-2 console and create the KA VRF.


Core-2(config)# vrf KA
Core-2(config-vrf)# interface 1/1/47
Core-2(config-if)# routing
Core-2(config-if)# vrf attach KA
Core-2(config-if)# ip address 10.1.15.2/30
Core-2(config-if)# no shutdown
Core-2(config-if)# exit

19. Test Core-2 to Core-1 communication using the KA VRF.


Core-2(config)# ping 10.1.15.1 vrf KA
PING 10.1.15.1 (10.1.15.1) 100(128) bytes of data.
108 bytes from 10.1.15.1: icmp_seq=1 ttl=64 time=13.5 ms
108 bytes from 10.1.15.1: icmp_seq=2 ttl=64 time=0.190 ms
108 bytes from 10.1.15.1: icmp_seq=3 ttl=64 time=0.186 ms
108 bytes from 10.1.15.1: icmp_seq=4 ttl=64 time=0.169 ms
108 bytes from 10.1.15.1: icmp_seq=5 ttl=64 time=0.156 ms

--- 10.1.15.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4108ms
rtt min/avg/max/mdev = 0.156/2.832/13.459/5.313 ms

Notice that, by default, any packet leaving the switch will be transmitted by the
"default VRF." To transmit a ping using the KA VRF, the vrf KA command needs to be
appended to the ping command.

20. Navigate to the Core-1 console and configure the VSX keepalive.
Core-1(config)# vsx
Core-1(config-vsx)# keepalive peer 10.1.15.2 source 10.1.15.1 vrf KA
Core-1(config-vsx)# exit

21. Navigate to the Core-2 console and configure the VSX keepalive.
Core-2(config)# vsx
Core-2(config-vsx)# keepalive peer 10.1.15.1 source 10.1.15.2 vrf KA
Core-2(config-vsx)# exit

22. Verify the VSX keepalive.


Core-2(config)# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : Secondary
Number of Multi-chassis LAG interfaces : 0

Now both switches are using interface 1/1/47 and VRF KA for keepalive. If the ISL
interfaces go down but both switches remain up, the switches will be able to avoid a
split brain.
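As an added example (not from the lab guide or the switch software), the following Python turns the verification in steps 12 and 22 into a repeatable check: it parses constructed copies of the show vsx status and show vsx brief output above, expects the values the notes call healthy, and flags any attribute that differs between the Local and Peer columns. The expected strings and which attributes must match exactly are assumptions drawn from this lab's outputs.

```python
"""Validator for AOS-CX 'show vsx status' and 'show vsx brief' output.

Added example: turns the manual "is everything In-Sync / peer_reachable /
Keepalive-Established" check into a repeatable test and flags attributes that
differ between the Local and Peer columns.
"""
import re

# Values the lab's notes describe as a healthy pair (assumed complete).
EXPECTED_STATUS = {
    "ISL channel": "In-Sync",
    "ISL mgmt channel": "operational",
    "Config Sync Status": "In-Sync",
    "NAE": "peer_reachable",
    "HTTPS Server": "peer_reachable",
}
EXPECTED_BRIEF = {
    "ISL State": "In-Sync",
    "Device State": "Peer-Established",
    "Keepalive State": "Keepalive-Established",
}
# Attributes that must be identical on both members (assumption); any other
# difference, such as Software Version, is reported as a warning only.
MUST_MATCH = {"ISL link", "ISL version", "System MAC", "Platform"}


def parse_kv(text):
    """Collect 'Key : Value' lines into a dict; everything else is ignored."""
    pairs = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def parse_attribute_table(text):
    """Turn the 'Attribute  Local  Peer' table into {attribute: (local, peer)}."""
    table, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Attribute"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("---"):
            cols = re.split(r"\s{2,}", line.strip())  # columns are space-padded
            if len(cols) == 3:
                table[cols[0]] = (cols[1], cols[2])
    return table


def check_status(status_text, expected_system_mac=None):
    """Findings for 'show vsx status'; an empty list means the pair is healthy."""
    findings = []
    values = parse_kv(status_text)
    for key, want in EXPECTED_STATUS.items():
        if values.get(key) != want:
            findings.append(f"error: {key} is {values.get(key)!r}, expected {want!r}")
    table = parse_attribute_table(status_text)
    for attr, (local, peer) in table.items():
        if local != peer:
            level = "error" if attr in MUST_MATCH else "warn"
            findings.append(f"{level}: {attr} differs: local {local}, peer {peer}")
    # The system-mac configured under 'vsx' should be what both members report.
    local_mac = table.get("System MAC", ("",))[0]
    if expected_system_mac and local_mac.lower() != expected_system_mac.lower():
        findings.append(f"error: System MAC is {local_mac}, configured {expected_system_mac}")
    return findings


def check_brief(brief_text):
    """Findings for 'show vsx brief'. A keepalive that is not established means an
    ISL failure could not be told apart from a dead peer (split-brain risk)."""
    values = parse_kv(brief_text)
    return [f"error: {key} is {values.get(key)!r}, expected {want!r}"
            for key, want in EXPECTED_BRIEF.items() if values.get(key) != want]


# Constructed samples modelled on the step 12 and step 22 outputs above.
SAMPLE_STATUS = """\
VSX Operational State
---------------------
ISL channel : In-Sync
ISL mgmt channel : operational
Config Sync Status : In-Sync
NAE : peer_reachable
HTTPS Server : peer_reachable

Attribute         Local              Peer
------------      --------           --------
ISL link          lag256             lag256
ISL version       2                  2
System MAC        02:01:00:00:00:01  02:01:00:00:00:01
Platform          8325               8325
Software Version  GL.10.13.1000      GL.10.13.10
"""
SAMPLE_BRIEF = """\
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : Secondary
Number of Multi-chassis LAG interfaces : 0
"""

if __name__ == "__main__":
    for finding in check_status(SAMPLE_STATUS, "02:01:00:00:00:01") + check_brief(SAMPLE_BRIEF):
        print(finding)
```

On the sample, the only finding is the software version difference between the two members, which the lab output shows but does not comment on.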

Lab debrief
In this lab, you have configured a VSX pair using switches Core-1 and Core-2. This allows both
switches to act as a single switch from a Layer 2 perspective, allowing distributed LAGs to be
configured and avoiding loops. For Layer 3 and other services, both switches remain independent.
VSX is an advanced feature and is covered in detail in the Implementing AOS-CX Switching
course.

Task 6.2-2: Distributed LAG


Objectives
In this task, you will configure a single LAG between the VSX core and the VSF access switches. This
will provide better link utilization due to link aggregation load sharing and simplify the topology
visualization and management.
Lab topology


Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Launch a remote console to Core-1.

4. Delete LAG 1.
Core-1(config)# no interface lag 1

5. Recreate a LAG 1 as a multichassis (distributed) LAG.


Core-1(config)# interface lag 1 multi-chassis
Core-1(config-lag-if)# description To-Access-VSF
Core-1(config-lag-if)# no shutdown
Core-1(config-lag-if)# no routing
Core-1(config-lag-if)# vlan trunk allowed 1,11-12
Core-1(config-lag-if)# lacp mode active
Core-1(config-lag-if)# lacp rate fast
Core-1(config-lag-if)# exit

When using a VSX pair of switches, a multichassis LAG can be established to aggregate
interfaces from both switches. This is possible because the VSX pair of switches behaves as a
single switch from a Layer 2 perspective. VSX LAGs span both aggregation switches, meaning
that the two switches appear as one device to partner downstream or upstream devices, or
both, when forming a LAG with the VSX pair. To achieve this, the two switches synchronize
their databases and states over a user-configured link referred to as an Inter-Switch Link (ISL).

You cannot change the mode of a multichassis LAG without removing the multichassis LAG
first. To change a preexisting VSX LAG to a static VSX LAG, first remove the VSX LAG with
the no interface lag <LAG-ID> command. Then, enter the interface lag <LAG-ID>
multichassis static command.

6. Assign interfaces 1/1/1 and 1/1/2 to the new LAG.


Core-1(config)# interface 1/1/1-1/1/2
Core-1(config-if-<1/1/1-1/1/2>)# no shutdown
Core-1(config-if-<1/1/1-1/1/2>)# no routing
Core-1(config-if-<1/1/1-1/1/2>)# lag 1
Core-1(config-if-<1/1/1-1/1/2>)# exit

7. Navigate to Core-2 and delete LAG 2.


Core-2(config)# no interface lag 2

8. Create LAG 1 as a multichassis LAG.


Core-2(config)# interface lag 1 multi-chassis
Core-2(config-lag-if)# description To-Access-VSF
Core-2(config-lag-if)# no shutdown
Core-2(config-lag-if)# no routing
Core-2(config-lag-if)# vlan trunk allowed 1,11-12
Core-2(config-lag-if)# lacp mode active

Core-2(config-lag-if)# lacp rate fast
Core-2(config-lag-if)# exit

Notice that the same LAG ID should be used for multichassis (VSX) LAGs on both
VSX switches.

9. Assign interfaces 1/1/1 and 1/1/2 to the new LAG 1.


Core-2(config)# interface 1/1/1-1/1/2
Core-2(config-if-<1/1/1-1/1/2>)# no shutdown
Core-2(config-if-<1/1/1-1/1/2>)# no routing
Core-2(config-if-<1/1/1-1/1/2>)# lag 1
Core-2(config-if-<1/1/1-1/1/2>)# exit

10. Navigate back to the Core-1 console and verify LAG 1.


Core-1# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 1 1 ASFNCD 02:01:00:00:00:01 65534 1 up
1/1/2 lag1(mc) 2 1 ASFNCD 02:01:00:00:00:01 65534 1 up
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 26 1 ASFNCD 10:4f:58:fc:14:40 65534 1
1/1/2 lag1(mc) 90 1 ASFNCD 10:4f:58:fc:14:40 65534 1
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256

Note that all interfaces are up and running, and the state flags show LAG 1 as healthy.

11. One benefit of the VSX integration is the possibility of checking the status of the partner switch
from the local console. To do so, append vsx-peer to a show command, and you will get the
results of the show command in the VSX partner switch. Check LAG 1 on Core-2 from the Core-1
console.
Core-1# show lacp interfaces vsx-peer

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 1001 1 ASFO 02:01:00:00:00:01 65534 1 lacp-block
1/1/2 lag1(mc) 1002 1 ASFO 02:01:00:00:00:01 65534 1 lacp-block
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 27 1 ASFN 10:4f:58:fc:14:40 65534 2
1/1/2 lag1(mc) 91 1 ASFN 10:4f:58:fc:14:40 65534 2
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256

Notice that LAG 1 is not active (see the "lacp-block" forwarding state): LACP detected an
inconsistency and blocked the ports to avoid a loop. This is expected because the access VSF
still has two separate LAGs, one pointing to Core-1 and another pointing to Core-2, while the
core now presents those ports as a single multichassis LAG.
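The two checks the last steps make by eye (are all members InSync, Collecting and Distributing, and do both VSX members see the same partner behind lag1(mc)) can be scripted. The following Python is an added example, not part of the lab guide or of AOS-CX; it parses constructed copies of the step 10 and step 11 outputs and assumes only the column layout shown above.

```python
"""Health check for AOS-CX 'show lacp interfaces' output (added example).

Parses the Actor/Partner tables, decodes the state flags from the command's
legend, and cross-checks a multi-chassis LAG between the two VSX members'
views (local output plus the 'vsx-peer' output) the way the lab does by eye.
"""
import re

# Flag letters and their meaning, taken from the command's own legend.
FLAG_NAMES = {
    "A": "Active", "P": "Passive", "F": "Aggregable", "I": "Individual",
    "S": "Short-timeout", "L": "Long-timeout", "N": "InSync", "O": "OutofSync",
    "C": "Collecting", "D": "Distributing", "X": "Expired", "E": "Default",
}

# One data row of either table; the Forwarding column exists only for the actor.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<aggr>\S+)\s+(?P<port_id>\d+)\s+(?P<port_pri>\d+)\s+"
    r"(?P<state>[APFISLNOCDXE]+)\s+(?P<sysid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<sys_pri>\d+)\s+(?P<key>\d+)(?:\s+(?P<fwd>\S+))?\s*$", re.I)


def parse_lacp(text):
    """Return {'actor': {intf: row}, 'partner': {intf: row}} for one output."""
    section, tables = None, {"actor": {}, "partner": {}}
    for line in text.splitlines():
        if line.startswith("Actor details"):
            section = "actor"
        elif line.startswith("Partner details"):
            section = "partner"
        elif section and (m := ROW.match(line)):
            tables[section][m["intf"]] = m.groupdict()
    return tables


def port_problems(lacp):
    """Findings visible from a single switch: blocked ports and missing flags."""
    issues = []
    for intf, actor in lacp["actor"].items():
        if actor["fwd"] != "up":
            issues.append(f"{intf}: forwarding state is {actor['fwd']}")
        for side, row in (("actor", actor), ("partner", lacp["partner"].get(intf))):
            if row is None:
                continue
            # A healthy member is InSync, Collecting and Distributing (N, C, D).
            missing = [FLAG_NAMES[f] for f in "NCD" if f not in row["state"].upper()]
            if missing:
                issues.append(f"{intf}: {side} not {'/'.join(missing)} ({row['state']})")
    return issues


def mclag_consistency(local, peer):
    """Every port of a lagN(mc) on either VSX member must see the same partner
    System-ID and partner Aggr Key; otherwise the far end is not one LAG and
    LACP blocks the inconsistent ports, as seen in the lab."""
    issues, reference = [], {}
    for name, view in (("local", local), ("peer", peer)):
        for intf, prow in view["partner"].items():
            if "(mc)" not in prow["aggr"]:
                continue
            seen = (prow["sysid"].lower(), prow["key"])
            ref = reference.setdefault(prow["aggr"], (name, intf, seen))
            if ref[2] != seen:
                issues.append(f"{prow['aggr']}: {name} {intf} sees partner {seen}, "
                              f"{ref[0]} {ref[1]} sees {ref[2]}")
    return issues


# Constructed samples modelled on the step 10/11 outputs: Core-1's own view and
# Core-2's view as obtained with 'show lacp interfaces vsx-peer'.
CORE1_VIEW = """\
Actor details of all interfaces:
1/1/1   lag1(mc)  1     1  ASFNCD  02:01:00:00:00:01  65534  1    up
1/1/2   lag1(mc)  2     1  ASFNCD  02:01:00:00:00:01  65534  1    up
1/1/45  lag256    46    1  ASFNCD  44:5b:ed:67:d3:00  65534  256  up
Partner details of all interfaces:
1/1/1   lag1(mc)  26    1  ASFNCD  10:4f:58:fc:14:40  65534  1
1/1/2   lag1(mc)  90    1  ASFNCD  10:4f:58:fc:14:40  65534  1
1/1/45  lag256    46    1  ASFNCD  90:20:c2:c0:bc:00  65534  256
"""
CORE2_VIEW = """\
Actor details of all interfaces:
1/1/1   lag1(mc)  1001  1  ASFO    02:01:00:00:00:01  65534  1    lacp-block
1/1/2   lag1(mc)  1002  1  ASFO    02:01:00:00:00:01  65534  1    lacp-block
1/1/45  lag256    46    1  ASFNCD  90:20:c2:c0:bc:00  65534  256  up
Partner details of all interfaces:
1/1/1   lag1(mc)  27    1  ASFN    10:4f:58:fc:14:40  65534  2
1/1/2   lag1(mc)  91    1  ASFN    10:4f:58:fc:14:40  65534  2
1/1/45  lag256    46    1  ASFNCD  44:5b:ed:67:d3:00  65534  256
"""

if __name__ == "__main__":
    c1, c2 = parse_lacp(CORE1_VIEW), parse_lacp(CORE2_VIEW)
    for line in port_problems(c1) + port_problems(c2) + mclag_consistency(c1, c2):
        print(line)
```

The cross-check is the part a single console cannot show you: Core-1 sees partner key 1 behind lag1(mc) while Core-2 sees key 2, which is exactly the mismatch that leaves Core-2's ports in lacp-block.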

12. Navigate to the Core-2 console and verify LAG 1.
Core-2(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 1001 1 ASFO 02:01:00:00:00:01 65534 1 lacp-block
1/1/2 lag1(mc) 1002 1 ASFO 02:01:00:00:00:01 65534 1 lacp-block
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 27 1 ASFN 10:4f:58:fc:14:40 65534 2
1/1/2 lag1(mc) 91 1 ASFN 10:4f:58:fc:14:40 65534 2
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256

Compare the output with the output you received on Core-1 when using the vsx-peer
command. The outputs are the same.

13. To fix it, connect to Access-1 and delete LAG 2.


Access-VSF(config)# no int lag 2

14. Add interfaces 1/1/26 and 2/1/26 to LAG 1.


Access-VSF(config)# interface 1/1/26,2/1/26
Access-VSF(config-if-<1/1/26,2/1/26>)# lag 1
Access-VSF(config-if-<1/1/26,2/1/26>)# exit

15. Verify LAG 1 on the access VSF.


Access-VSF(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/25 lag1 26 1 ASFNCD 10:4f:58:fc:14:40 65534 1 up
1/1/26 lag1 27 1 ASFNCD 10:4f:58:fc:14:40 65534 1 up
2/1/25 lag1 90 1 ASFNCD 10:4f:58:fc:14:40 65534 1 up
2/1/26 lag1 91 1 ASFNCD 10:4f:58:fc:14:40 65534 1 up

Partner details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/25 lag1 1 1 ASFNCD 02:01:00:00:00:01 65534 1
1/1/26 lag1 1001 1 ASFNCD 02:01:00:00:00:01 65534 1
2/1/25 lag1 2 1 ASFNCD 02:01:00:00:00:01 65534 1
2/1/26 lag1 1002 1 ASFNCD 02:01:00:00:00:01 65534 1

16. Navigate back to the Core-2 console and verify LAG 1.

Core-2(config)# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 1001 1 ASFNCD 02:01:00:00:00:01 65534 1 up
1/1/2 lag1(mc) 1002 1 ASFNCD 02:01:00:00:00:01 65534 1 up
1/1/45 lag256 46 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up
1/1/46 lag256 47 1 ASFNCD 90:20:c2:c0:bc:00 65534 256 up

Partner details of all interfaces:

----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/1 lag1(mc) 27 1 ASFNCD 10:4f:58:fc:14:40 65534 1
1/1/2 lag1(mc) 91 1 ASFNCD 10:4f:58:fc:14:40 65534 1
1/1/45 lag256 46 1 ASFNCD 44:5b:ed:67:d3:00 65534 256
1/1/46 lag256 47 1 ASFNCD 44:5b:ed:67:d3:00 65534 256

Notice that all interfaces are now active. Logically, the topology now has no loops or blocked
links, since it behaves like two switches joined by a single (virtual) logical connection.
Logical view

Lab debrief
In this lab, you configured a distributed Link Aggregation Group between the core VSX pair of
switches and the access VSF stack. This drastically simplifies the network and improves link and
switch utilization, as no links are blocked by STP and the LAG load-balancing algorithm provides
better link utilization across multiple links.

Task 6.2-3: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab
checkpoints might be used by later activities.
Steps
1. Save the current core and Access-1 switches’ configurations in the startup checkpoint.
Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

Access-1
Access-VSF(config)# write memory
Copying configuration: [Success]

2. Back up the current core and Access-1 switches’ configurations as a custom checkpoint called
Lab6-2_final.
Core-1
Core-1(config)# copy running-config checkpoint Lab6-2_final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab6-2_final
Copying configuration: [Success]

Access-1
Access-VSF(config)# copy running-config checkpoint Lab6-2_final
Copying configuration: [Success]

You have completed Lab 6.2!



Lab 6.3: Maintaining the VSF stack


After deploying VSF and centralizing both the control and management planes, the next phase is to
ensure there is no single point of failure that could prevent the stack from working. This is done by
enabling two main features: standby member and split detection. In order to test these features,
BigStartup has authorized another maintenance window.
Objectives
After completing this lab, you will be able to:
• Increase the stack resiliency by adding a standby member.
• Provide stack stability using split detection.
• Validate the proper performance of the features.
Lab topology
The following lab topology will be used for your practical activities:

Task 6.3-1: Secondary member


Objectives
Once the stack is created and traffic is flowing, the next step is to maintain the stack and make sure it is
as stable as possible.

Currently, there is a single conductor taking care of the management and control plane
duties. If that switch happens to fail, the stack loses its main point of control and the
whole stack goes down, getting stuck in the boot process as seen in the following
console output.
[ OK ] Started PVNET namespace move script.
[FAILED] Failed to start HPE Credential Manager.
See 'systemctl status hpe-credmgr.service' for details.
[ OK ] Reached target VSF Discovery System.
[ OK ] Started HA Type Check Service.
[ OK ] Reached target Check HA Target to Boot.
[ OK ] Stopped HPE Credential Manager.
Starting HPE Credential Manager...

[FAILED] Failed to start HPE Credential Manager.
See 'systemctl status hpe-credmgr.service' for details.
[ OK ] Stopped HPE Credential Manager.
Starting HPE Credential Manager...

In order to break this loop, the only alternative is to press the Ctrl+c key sequence,
which takes the members into recovery mode.
**********************************************************************
WARNING! Entering emergency support login mode. This mode is for
support use only and the system will not be fully operational.
The system must be rebooted to restore full operation.
**********************************************************************
T11-Access-VSF login: admin
Password:

recovery#

In such cases, you have to recover the conductor and "reboot" the member. Otherwise, you
would have to set the switches into factory default using the vsf-factory-reset recovery
context command and configure them all over again.
recovery# ?
boot Reboot all or part of the system; configure default
bootparameters
copy Copy data or files to/from the switch
erase Erase device information or files
exit Exit current mode and change to previous mode
list Print command list
show Show running system information
start-shell Start Bash shell
vsf-factory-reset Clear all VSF configurations and boot as the primaryswitch
recovery#

In order to prevent this situation from happening, you can assign (in advance) the
"standby" role (secondary member) to any other member of the stack. Once assigned, upon
failure of the conductor, the standby member will take over the conductor role.

In this lab, you will assign the standby role to Member 2 and simulate a failure on Member 1.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Open a console session to Access-1.
4. Assign the standby member role. Member 2 will reboot.
Access-VSF(config)# vsf secondary-member 2
This will save the configuration and reboot the specified switch.
Do you want to continue (y/n)? y

Lab 6.3: Maintaining the VSF stack


5. After a few minutes, issue the show vsf and show vsf topology commands to see the new role
assigned to Member 2.
Access-VSF(config)# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : None

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1   10:4f:58:fc:14:40    JL668A          Conductor
2   10:4f:58:f6:84:80    JL668A          Standby
Access-VSF(config)# show vsf topology
 Standby    Conductor
+-------+    +-------+
|   2   |1==1|   1   |
+-------+    +-------+

6. You will now simulate a failure on Access-1 by rebooting it. Access-2 should assume the
Conductor role. Reboot Access-1.
Access-VSF(config)# vsf member 1 reboot
The conductor switch will reboot and the standby will become the conductor.
Do you want to continue (y/n)? y

7. Navigate to the Access-2 console and log in. Enter the show vsf command.
Access-VSF# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Standalone
Status : Active Fragment
Split Detection Method : None

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1                        JL668A          Not Present
2   10:4f:58:f6:84:80    JL668A          Conductor

What is the topology?

Answer: Standalone.
What is the status of the fragment?

Answer: Active Fragment.


What role does the member have?

Answer: Conductor.

First, notice that the Access-2 console is now operational. At the end of Lab 6.1, it
was restricted to a small set of commands due to its "member" state in the VSF stack.
Notice that Member 1's status is not present, and Access-2 is now the Conductor
switch for the stack.

8. Wait until Access-1 recovers, then repeat the previous step.


Access-VSF# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : None

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1   10:4f:58:fc:14:40    JL668A          Standby
2   10:4f:58:f6:84:80    JL668A          Conductor

What role did Member 1 get when it came back?

Answer: Standby.

The conductor role in VSF is not preemptable; the current conductor remains the
conductor.

9. Issue the vsf switchover command to restore the conductor role to Member 1.
Access-VSF# vsf switchover
This will cause an immediate switchover to the standby
and the conductor will reboot.
Do you want to continue (y/n)? y

10. Move to the Access-1 console. You will see that due to the "switchover" event, any previous
console session that Member 1 had was closed and you will have to log in again.

Task 6.3-2: Split brain detection


Objectives
After a Conductor failure, the standby member switch or fragment remains alive. This is because the
fragment senses when the links to the conductor go down and assumes the conductor went down as
well. However, what would happen if connections between the two devices fail rather than the
Conductor switch? You will discover what happens in the next task.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.

3. Launch a remote desktop connection to PC4.
4. Open the command prompt and start a continuous ping to PC1 (10.1.12.101). The ping should
be successful.

5. Navigate to the Access-1 console and disable the physical port of the VSF link. This will trigger a
split brain event.
Access-VSF# configure terminal
Access-VSF(config)# interface 1/1/28
Access-VSF(config-if-vsf)# shutdown
This may cause the stack to split.

Continue (y/n)? y

6. Navigate to the PC4 remote desktop.

How is the ping behaving?

Answer: The connectivity was lost.


7. Move back to the Access-1 console and check VSF.
Access-VSF(config-if-vsf)# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Standalone
Status : Active Fragment
Split Detection Method : None

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1   10:4f:58:fc:14:40    JL668A          Conductor
2                        JL668A          Not Present

Note that, for Access-1, Access-2 is not present.

8. Navigate to the Access-2 console, log in, and check the VSF status.

Access-VSF# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Standalone
Status : Active Fragment
Split Detection Method : None

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1                        JL668A          Not Present
2   10:4f:58:f6:84:80    JL668A          Conductor

Note that Access-2 has the Conductor role and marked Access-1 as Not Present. This
means that both switches, Access-1 and Access-2, believe they are the Conductor
switch and keep their interfaces up, including LAG 1.

9. Navigate to the Core-1 console and verify the LACP interfaces.


Core-1# show lacp interfaces

State abbreviations :
A - Active        P - Passive      F - Aggregable  I - Individual
S - Short-timeout L - Long-timeout N - InSync      O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired       E - Default neighbor state

Actor details of all interfaces:

----------------------------------------------------------------------------------
Intf    Aggr      Port  Port  State   System-ID          System  Aggr  Forwarding
        Name      Id    Pri                              Pri     Key   State
----------------------------------------------------------------------------------
1/1/1   lag1(mc)  1     1     ASFNCD  02:01:00:00:00:01  65534   1     up
1/1/2   lag1(mc)  2     1     ASFNCD  02:01:00:00:00:01  65534   1     up
1/1/45  lag256    46    1     ASFNCD  44:5b:ed:67:d3:00  65534   256   up
1/1/46  lag256    47    1     ASFNCD  44:5b:ed:67:d3:00  65534   256   up

Partner details of all interfaces:

----------------------------------------------------------------------------------
Intf    Aggr      Port  Port  State   System-ID          System  Aggr
        Name      Id    Pri                              Pri     Key
----------------------------------------------------------------------------------
1/1/1   lag1(mc)  26    1     ASFNCD  10:4f:58:fc:14:40  65534   1
1/1/2   lag1(mc)  90    1     ASFNCD  10:4f:58:fc:14:40  65534   1
1/1/45  lag256    46    1     ASFNCD  90:20:c2:c0:bc:00  65534   256
1/1/46  lag256    47    1     ASFNCD  90:20:c2:c0:bc:00  65534   256

10. Verify the Core-2 LACP interfaces by appending vsx-peer to the command.
Core-1# show lacp interfaces vsx-peer

State abbreviations :
A - Active        P - Passive      F - Aggregable  I - Individual
S - Short-timeout L - Long-timeout N - InSync      O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired       E - Default neighbor state

Actor details of all interfaces:

----------------------------------------------------------------------------------
Intf    Aggr      Port  Port  State   System-ID          System  Aggr  Forwarding
        Name      Id    Pri                              Pri     Key   State
----------------------------------------------------------------------------------
1/1/1   lag1(mc)  1001  1     ASFNCD  02:01:00:00:00:01  65534   1     up
1/1/2   lag1(mc)  1002  1     ASFNCD  02:01:00:00:00:01  65534   1     up
1/1/45  lag256    46    1     ASFNCD  90:20:c2:c0:bc:00  65534   256   up
1/1/46  lag256    47    1     ASFNCD  90:20:c2:c0:bc:00  65534   256   up

Partner details of all interfaces:

----------------------------------------------------------------------------------
Intf    Aggr      Port  Port  State   System-ID          System  Aggr
        Name      Id    Pri                              Pri     Key
----------------------------------------------------------------------------------
1/1/1   lag1(mc)  27    1     ASFNCD  10:4f:58:fc:14:40  65534   1
1/1/2   lag1(mc)  91    1     ASFNCD  10:4f:58:fc:14:40  65534   1
1/1/45  lag256    46    1     ASFNCD  44:5b:ed:67:d3:00  65534   256
1/1/46  lag256    47    1     ASFNCD  44:5b:ed:67:d3:00  65534   256

As you may see in the outputs, LAG 1 is active on both core switches as well as on the
access switches.
The problem you are experiencing is a result of having two stack fragments (Member
1 and Member 2) both acting as conductors and using not only the same
configuration, but also the same Layer 3 and Layer 2 addressing. Therefore, they are
sending identical LACP data units on the interfaces that are configured to be part of
the same LAG.
Since the core switches receive these incoming LACP data units as normal, they are
not aware of any failure and maintain their LAGs and forward traffic across them as
usual, based on the source and destination IP addresses.

Core-1# show lacp aggregates lag1

Aggregate name : lag1 (multi-chassis)
Interfaces : 1/1/1 1/1/2
Peer interfaces : 1/1/1 1/1/2
Heartbeat rate : Fast
Hash : l3-src-dst
Aggregate mode : Active

Depending on the hash result the core switches calculate for each of the pings, the
traffic could be sent over any of the four links.
The problem arises when one of the core switches receives a packet. Instead of
sending it straight to the access switch where the destination resides, it may send
the packet to the wrong switch as a result of the hashing algorithm. For example, if a
packet for PC1 is sent through the Access-2 switch, then Access-2, not having any
physical connection to PC1, has no option but to drop the packet.
Although some traffic flows might work, many others will not. The unpredictable
nature of this outcome makes the network unusable when split brain takes place.

If your connectivity test from PC4 to PC1 is still working successfully, then it is likely
that the behavior explained previously is taking place on another of your pings.

11. Move back to the Access-1 console connection.

12. Enable the port of the VSF link. Member 2 will merge and reboot.
Access-VSF(config-if-vsf)# no shutdown
Access-VSF(config-if-vsf)# exit

13. Navigate back to the Access-2 console connection. You will notice the member switch will reboot
as part of the re-merge process.
Access-VSF#
Apr 29 21:56:22 vsfd[835]: RebootLibPh1: Reboot reason: Reboot of Member ID 2, Lost merge

Split detection
Now you will enable management-port-based split brain detection. When this feature is enabled,
the conductor and standby member exchange broadcast-based heartbeats over the management
port when they sense a failure in the VSF links. If the standby member does not receive any of
these messages, it concludes that the conductor itself has failed, not just the VSF links, and
keeps working as normal. However, if the conductor is alive and continues to advertise split
detect messages, then the standby member's fragment changes its status to Inactive and disables
all its ports except the management and VSF interfaces. This isolates it from the rest of the
network and prevents the cores from sending traffic to it.
Although this behavior affects every endpoint connected to the inactive fragment, those
connected to the active one will not have any connection loss and will always be able to reach
any destination in the network, with the exception of clients connected directly to the inactive
fragment.
14. Move back to the Access-1 console.
15. Enable split-detection.
T11-Access-VSF(config)# vsf split-detect mgmt

16. Enter the show vsf command and confirm Split Detection Method is mgmt.
Access-VSF(config)# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : mgmt

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1   10:4f:58:fc:14:40    JL668A          Conductor
2   10:4f:58:f6:84:80    JL668A          Standby

17. Disable the physical port of the VSF link. This will trigger split-detect messages from the
standby member.
Access-VSF(config-if-vsf)# shutdown
This may cause the stack to split.

Continue (y/n)? y

18. Verify the VSF status.


Access-VSF(config-if-vsf)# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Standalone
Status : Active Fragment
Split Detection Method : mgmt

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1   10:4f:58:fc:14:40    JL668A          Conductor
2                        JL668A          In Other Fragment

What is the status of the fragment?

Answer: Active Fragment.


What is the status of Member 2?

Answer: In Other Fragment.


20. Navigate to the Access-2 console and verify the VSF status.
Access-VSF login: admin
Password:
Last login: 2024-04-29 19:50:37 from the console
User "admin" has logged in 2 times in the past 30 days
Access-VSF# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Standalone
Status : Inactive Fragment
Split Detection Method : mgmt

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1                        JL668A          In Other Fragment
2   10:4f:58:f6:84:80    JL668A          Conductor

What is the status of the fragment?

Answer: Conductor.
What is the status of Member 2?

Answer: In Other Fragment.


21. Use the show interface brief command and look for the status of both uplinks and the
connection to PC4.
Access-VSF# show interface brief | exclude no
------------------------------------------------------------------------------------------
Port    Native  Mode    Type      Enabled  Status  Reason            Speed   Description
        VLAN                                                         (Mb/s)
------------------------------------------------------------------------------------------
2/1/4   12      access  1GbT      yes      down    Disabled by VSF   --      --
2/1/25  1       trunk   10G-DAC1  yes      down    Disabled by VSF   --      --
2/1/26  1       trunk   10G-DAC1  yes      down    Disabled by VSF   --      --
2/1/28  --      VSF     10G-DAC1  yes      down    Waiting for link  --      --
vlan1   --      --      --        yes      down    --                --
lag1    1       trunk   --        yes      down    --                auto    To-Core-1

What is the status of these ports?

Answer: Disabled by VSF.


What is the reason?

Answer: When a split brain is detected, segments where the conductor is not present disable
their interfaces to avoid a split brain from happening.

To avoid a split-brain situation, switches in a segment different from the Conductor
switch disable their interfaces. This ensures that the conductor segment keeps its
connectivity and avoids any unexpected behavior of LAGs. In this case, only devices
connected to Access-2 have lost their communications, but all devices connected to
Access-1 kept their connectivity.

22. Go back to the Access-1 console and enable port 1/1/28 (VSF link).
Access-VSF(config-if-vsf)# no shutdown
Access-VSF(config-if-vsf)# exit

23. Wait a couple of minutes for Access-2 to reboot, and verify that it has joined the stack again.
Access-VSF(config)# show vsf

Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : mgmt

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1   10:4f:58:fc:14:40    JL668A          Conductor
2   10:4f:58:f6:84:80    JL668A          Standby
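The conditions this task walked through (a split stack with no detection method, a fragment that went Inactive once split detection was on, a member reported as Not Present or In Other Fragment) are exactly what an operator wants a monitoring check to catch. The following Python script is an added example for this lab guide, not HPE Aruba code: it parses "show vsf" output and returns a list of findings. The three sample outputs are constructed from the captures above (same field names, MAC addresses, part numbers and status strings).

```python
"""Flag split-brain risk from AOS-CX "show vsf" output.

Added example for this lab guide; it is not HPE Aruba code. The sample outputs
are constructed from the "show vsf" captures in this task (same field names,
MAC addresses, part numbers and status strings).
"""
import re

# Healthy chain, but split detection is still "None" (the state before step 15).
SHOW_VSF_NO_DETECT = """\
Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 10:4f:58:fc:14:40
Egress Shape Rate : None
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : None

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1   10:4f:58:fc:14:40    JL668A          Conductor
2   10:4f:58:f6:84:80    JL668A          Standby
"""

# Access-2 after the VSF link went down with no split detection (step 8).
SHOW_VSF_SPLIT_UNDETECTED = """\
MAC Address : 10:4f:58:fc:14:40
Secondary : 2
Topology : Standalone
Status : Active Fragment
Split Detection Method : None

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1                        JL668A          Not Present
2   10:4f:58:f6:84:80    JL668A          Conductor
"""

# Access-2 after the same failure with "vsf split-detect mgmt" enabled (step 20).
SHOW_VSF_INACTIVE = """\
MAC Address : 10:4f:58:fc:14:40
Secondary : 2
Topology : Standalone
Status : Inactive Fragment
Split Detection Method : mgmt

Mbr Mac Address          type            Status
ID
--- -------------------- --------------  ---------------
1                        JL668A          In Other Fragment
2   10:4f:58:f6:84:80    JL668A          Conductor
"""

# Member row: id, optional MAC (absent when the member is unreachable), part number, status.
MEMBER_RE = re.compile(r"^\s*(\d+)\s+(?:([0-9a-fA-F:]{17})\s+)?(\S+)\s+(.+?)\s*$")
HEALTHY_MEMBER_STATUS = {"Conductor", "Standby", "Member"}


def parse_show_vsf(text):
    """Return (fields, members). fields maps e.g. "Status" -> "No Split";
    members is a list of dicts with id, mac, type and status."""
    fields, members = {}, []
    for line in text.splitlines():
        row = MEMBER_RE.match(line)
        if row:
            members.append({"id": int(row.group(1)), "mac": row.group(2),
                            "type": row.group(3), "status": row.group(4)})
        elif ":" in line:
            # partition on the first colon so MAC addresses in the value survive
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, members


def assess_vsf(text):
    """Return a list of findings; an empty list means a healthy, protected stack."""
    fields, members = parse_show_vsf(text)
    findings = []
    status = fields.get("Status", "")
    if status != "No Split":
        findings.append(f"stack split: Status '{status}', Topology '{fields.get('Topology')}'")
    if fields.get("Split Detection Method", "None") == "None":
        findings.append("no split detection method: a VSF link failure leaves "
                        "two active conductors with identical configuration")
    if fields.get("Secondary", "None") == "None":
        findings.append("no secondary member: a conductor failure takes the stack down")
    if sum(m["status"] == "Conductor" for m in members) != 1:
        findings.append("member table does not list exactly one Conductor")
    for m in members:
        if m["status"] not in HEALTHY_MEMBER_STATUS:
            findings.append(f"member {m['id']} is '{m['status']}'")
    return findings


if __name__ == "__main__":
    for name, sample in [("no-detect", SHOW_VSF_NO_DETECT),
                         ("split", SHOW_VSF_SPLIT_UNDETECTED),
                         ("inactive", SHOW_VSF_INACTIVE)]:
        print(name, assess_vsf(sample) or ["OK"])
```

Fed the output of a real switch (for example collected over SSH on a schedule), the script reports the healthy stack before step 15 with one finding only, the missing split detection method; the Active Fragment from step 8 with three; and the Inactive Fragment from step 20 with two, which is the expected, contained state rather than the silent two-conductor split.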

Task 6.3-3: Save your configurations
Objectives
You will now proceed to save your configurations and create checkpoints. Note that final lab
checkpoints might be used by later activities.
Steps
1. Save the current access and core switches’ configuration in the startup checkpoint.
Access-1
Access-VSF(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches’ configuration as a custom checkpoint called Lab6-3_final.
Access-1
Access-VSF(config)# copy running-config checkpoint Lab6-3_final
Copying configuration: [Success]

You have completed Lab 6.3!

Lab 7: Layer 3 services


As the network grows, BigStartup has realized the need for communications between departments.
Services such as Zoom conferencing, remote printing, remote assistance, and internet access move
traffic across VLANs. To meet this new requirement, you have suggested enabling inter-VLAN routing
rather than reverting to a single VLAN design. This enables the connectivity level your customer is
looking for and allows for blocking forbidden connection attempts using traffic filters (routed
access control lists).
You will enable Layer 3 functions on one of your core switches. Then, the TCP/IP stack on each client
and host will require a default gateway IP address in order to use Layer 3 functions to deliver the
packets destined for non-local segments.
Objectives
After completing this lab, you will be able to:
• Assign IP addresses to SVIs.
• Enable inter-VLAN routing.
• Run traffic analysis using Wireshark.
• Describe the end-to-end packet delivery.
• Add redundancy to the core layer.
Lab topology
The following lab topology will be used for your practical activities:

Task 7-1: Inter-VLAN routing
Objectives
In this lab, you will configure a switched virtual interface (SVI), also known as Interface VLAN, to
enable inter-VLAN communication.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Verify the existing VLANs on Core-1.
Core-1(config)# show vlan

--------------------------------------------------------------------------------
VLAN  Name            Status  Reason  Type     Interfaces
--------------------------------------------------------------------------------
1     DEFAULT_VLAN_1  up      ok      default  1/1/3-1/1/44,1/1/48-1/1/56,lag256
11    Employees       up      ok      static   lag1,lag256
12    Managers        up      ok      static   lag1,lag256

5. VLANs 1 (default), 11 (Employees), and 12 (Managers) should be present. Check for IP
interfaces with the show ip interface brief command.
Core-1(config)# show ip interface brief

The empty (blank) output means that no IP interfaces were created.

6. Create an SVI for VLANs 11 and 12.


Core-1(config)# interface vlan 11
Core-1(config-if-vlan)# ip address 10.1.11.1/24
Core-1(config-if-vlan)# exit
Core-1(config)# interface vlan 12
Core-1(config-if-vlan)# ip address 10.1.12.1/24
Core-1(config-if-vlan)# exit

7. Verify the Core-1 IP interfaces.


Core-1(config)# show ip interface brief
Interface      IP Address       Interface Status
                                link/admin
vlan11         10.1.11.1/24     up/up
vlan12         10.1.12.1/24     up/up

Notice that you now have IP interfaces created and active.

8. Verify the Core-1 routing table.


Core-1(config)# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
              R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes:   E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
              IA - OSPF internal area, E1 - OSPF external type 1
              E2 - OSPF external type 2

VRF: default

Prefix              Nexthop    Interface   VRF(egress)   Origin/   Distance/   Age
                                                         Type      Metric
-----------------------------------------------------------------------------------------
10.1.11.0/24        -          vlan11      -             C         [0/0]       -
10.1.11.1/32        -          vlan11      -             L         [0/0]       -
10.1.12.0/24        -          vlan12      -             C         [0/0]       -
10.1.12.1/32        -          vlan12      -             L         [0/0]       -

Total Route Count : 4

How many entries (routes) can you see?

Answer: Four.
If you have not created any routes, why do you have four routes?

Four prefixes are published in the routing table after assigning the IP addresses.
They were automatically created as connected networks, meaning that the local
switch has interfaces connected to those networks. Remember that routing is
enabled by default on AOS-CX switches.
The routes with prefix length 32 are considered local and reference the IP addresses
just configured in the SVIs.
The /24 prefixes are the connected subnets discovered from having an interface with
an IP in those segments.
IP prefixes are expressed using the following format:
PREFIX/PREFIX_LENGTH, vrf VRF_NAME
via OUTBOUND_INTERFACE, [DISTANCE/METRIC], ROUTING_PROCESS
Notice: they all contain vrf "default." VRF stands for Virtual Routing and Forwarding,
the control plane virtual routing table the system uses to move traffic at Layer 3 in
the data plane. AOS-CX has two built-in VRFs: mgmt for management traffic and
default for data traffic. You will learn more about VRF in the upcoming modules.
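The route selection described above, as an added Python example for this lab guide (not AOS-CX code): a longest-prefix-match lookup over the four routes Core-1 printed, which shows why the /32 local route wins for the SVI's own address, why a connected /24 means "ARP for the destination itself", and what the lookup does for a destination no route covers. The static default route in WITH_DEFAULT_ROUTE (0.0.0.0/0 via 10.1.12.254) is constructed to show the contrast and is not part of the lab.

```python
"""Longest-prefix-match lookup over the Core-1 routing table from this task.

Added example for this lab guide, not AOS-CX code. CORE1_ROUTES holds the four
routes "show ip route" printed above; the default route in WITH_DEFAULT_ROUTE
(0.0.0.0/0 via 10.1.12.254) is constructed and is not part of the lab.
"""
import ipaddress

# (prefix, next hop, egress interface, origin code). A None next hop means the
# prefix is directly attached: the switch ARPs for the destination itself.
CORE1_ROUTES = [
    ("10.1.11.0/24", None, "vlan11", "C"),
    ("10.1.11.1/32", None, "vlan11", "L"),
    ("10.1.12.0/24", None, "vlan12", "C"),
    ("10.1.12.1/32", None, "vlan12", "L"),
]
WITH_DEFAULT_ROUTE = CORE1_ROUTES + [("0.0.0.0/0", "10.1.12.254", "vlan12", "S")]  # constructed


def longest_match(dst_ip, routes=CORE1_ROUTES):
    """Return the most specific route whose prefix contains dst_ip, or None."""
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, nexthop, iface, origin in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best["prefixlen"]):
            best = {"prefix": prefix, "prefixlen": net.prefixlen,
                    "nexthop": nexthop, "interface": iface, "origin": origin}
    return best


def forwarding_decision(dst_ip, routes=CORE1_ROUTES):
    """(action, egress interface, address to resolve with ARP).

    local:     dst_ip is one of the switch's own SVI addresses (/32 L route)
    connected: forward out the SVI and ARP for dst_ip itself (C route)
    via:       forward out the SVI and ARP for the next hop (S or dynamic route)
    drop:      no route covers dst_ip and there is no default route
    """
    route = longest_match(dst_ip, routes)
    if route is None:
        return ("drop", None, None)
    if route["origin"] == "L":
        return ("local", route["interface"], None)
    if route["nexthop"] is None:
        return ("connected", route["interface"], dst_ip)
    return ("via", route["interface"], route["nexthop"])


if __name__ == "__main__":
    # PC3 (10.1.11.103) pinging PC4 (10.1.12.104): /24 connected route out vlan12.
    for dst in ("10.1.12.104", "10.1.11.1", "8.8.8.8"):
        print(dst, forwarding_decision(dst), forwarding_decision(dst, WITH_DEFAULT_ROUTE))
```

With only the four connected and local routes, a packet for an address outside 10.1.11.0/24 and 10.1.12.0/24 is dropped; that is the situation the PCs are in before a gateway is configured, seen from the switch's side.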

9. Launch a remote console to PC4.


10. Open the command prompt and start a continuous ping to PC3 (10.1.11.103). The ping should
fail.

Why has the ping failed?

11. To investigate why the ping has failed, enter the ipconfig command at the PC4 command
prompt.

Notice that your VMs have no gateway configured. Gateways are used to reach other
networks and subnets.

12. Configure a gateway on PC4 using the following steps:


a. Right-click the network icon and select Open Network & Internet settings.

b. Click Change adapter options.

c. Right-click Lab NIC and select Properties.

d. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

e. Enter 10.1.12.1 as the default gateway, click OK, and click OK one more time.

f. If you receive a prompt about being discoverable by other PCs, click Yes.

13. Open the PC4 command prompt and start a ping to Core-1 VLAN 12 SVI (10.1.12.1). The ping
should succeed.

14. Start a ping to Core-1 SVI 11 (10.1.11.1). The ping should succeed.

15. Now try to ping PC3 (10.1.11.103). The ping should fail.

Why did the ping to PC3 fail?

Answer: As you observed, PC4 was able to ping SVI 11, which resides on VLAN 11, the same
VLAN PC3 is connected to.
This happens because PC3 has no gateway address. PC4 knows how to reach PC3: using Core-1 as its
gateway, PC4 was even able to ping the VLAN 11 SVI. But PC3 has no route on which to answer that
request, because PC4 is connected to another network (VLAN 12).
16. Repeat step 12 on PC3 and configure 10.1.11.1 as the default gateway address.

17. Repeat step 12 on PC1 and configure 10.1.12.1 as the default gateway address.
18. On PC1, open a command prompt and ping PC3 (10.1.11.103). The ping should succeed.

19. Navigate to the PC3 remote desktop, open a command prompt, and start a ping to PC1
(10.1.12.101) and PC4 (10.1.12.104). The ping should succeed.

Task 7-2: Explore end-to-end packet delivery
Objectives
In this part of the lab, you will explore end-to-end packet delivery. You will examine Ethernet and IP
headers, their addressing, and some of their fields using an open source traffic analysis tool called
Wireshark. Wireshark will become an essential component of your networking troubleshooting tool kit.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Clear ARP entries using the clear arp command.
Core-1(config)# clear arp
Performing "clear arp" will result in traffic disruption.
Do you want to continue? (y/n)? y

5. Navigate to the PC4 desktop.


6. Click the Windows icon (Start menu), type Cmd, and select Run as administrator in the
menu that appears.

7. To accept the following Windows warning, click Yes.

8. Run the arp -d command to flush the ARP table in the host.

9. Run the arp -a command to display the ARP table in the host.

10. Open Wireshark from a shortcut on the desktop.

11. Double-click the Lab NIC entry. That will begin the packet capture on that interface.

You will see gratuitous ARP messages coming from 10.1.12.1 (Core-1).

Address Resolution Protocol (ARP) is a protocol that assists in IP Layer 3 to Ethernet/802.11
Layer 2 address resolution. When devices create an IP packet, they always have to find out the
MAC address of the next hop (either the IP gateway when the Layer 3 destination is in a remote
segment, or the destination host if it happens to be in the local segment of the sender). An IP
packet cannot be sent out to the physical medium (copper, radio frequency, or fiber) without a
data link layer header. A data link layer header requires an address in order to be forwarded at
Layer 2 (for example, Ethernet MAC, Frame Relay DLCI, 802.11 BSSID, and so forth).
AOS-CX advertises GARP packets every 25 seconds on the interfaces that have IP addresses. This
updates any IP neighbor's ARP table and provides the resolution information in advance. However,
operating systems like Microsoft Windows ignore these packets for security reasons.

12. In the filter, enter (arp && not arp.isgratuitous) || ip.addr == 10.1.11.103 and press Enter.
That will instruct Wireshark to only display ARP non-gratuitous messages and IP packets that
include PC3’s IP address.

13. Move to the PC3 desktop.


14. Repeat steps 6 to 9 to erase the ARP table.

15. Start Wireshark, monitoring LAB NIC, and apply a filter looking for 10.1.12.104 (PC4). Filter: (arp
&& not arp.isgratuitous) || ip.addr == 10.1.12.104.

16. Run a custom ping on the command prompt using the following command: ping -n 1
10.1.12.104. This command will trigger a single ICMP echo towards PC4’s IP address.

17. Stop the Wireshark capture by clicking the stop icon on both workstations (PC3 and PC4).

18. To begin the analysis, keep in mind what devices are involved in the packet forwarding. Use the
following topology for reference.

In Wireshark, you will see six frames in the capture. Two of them are ICMP (pink packets) and the
four in yellow are ARP.

Packets might be in a different order because there are limited resources assigned to
client VMs. Nonetheless, the following explanation should help you know the order in
which packets are sent.

19. Select the packet for which the Destination equals "Broadcast"; that is an ARP request. Then look
at the Packet Details section. You will see three gray rows: the first is the summary of the packet,
the second is the Layer 2 header, and the third is the actual ARP payload.

20. Select the Ethernet Layer 2 header and expand it.

What is the destination MAC address?

Answer: ff:ff:ff:ff:ff:ff (Broadcast MAC address).


What is the source MAC address?

Answer: This information varies on each VM. Find your local value on Wireshark. In this example,
the source MAC address is 00:50:56:b1:18:2e.
What is the Ethertype value?

Answer: ARP (0x0806).

The destination MAC is all Fs, which is the broadcast MAC address, while the source
is PC3’s MAC address. The Ethertype value is 0x0806 or ARP. This alerts the Layer 2
process to what kind of protocol or header comes next.
In Ethernet encapsulation, the destination MAC address is one of the first values in
the packet. This helps the Layer 2 switch start the forwarding decision and
processing of the frame as soon as it ingresses on the inbound port. This drastically
enhances the throughput of the device.

21. Expand and select the third row (ARP Payload). This is an ARP request.

What are the sender MAC and IP addresses?

Answer: It depends on your local environment. In this example the sender MAC is:
00:50:56:b1:18:e2
Who do they belong to?

Answer: PC3
What are the target MAC and IP addresses?

Answer: The target IP is: 10.1.11.1. The MAC address is: 00:00:00:00:00:00
Why is the MAC address all zeros?

Answer: It is a Layer 2 broadcast.
What is the main purpose of this packet?

Answer: Discover the gateway MAC address.

The destination of the packet is not in the local segment of PC3 (10.1.11.103). Therefore, PC3
cannot reach it directly using Layer 2 but needs to send it to the default gateway
(10.1.11.1). The default gateway will take the packet and route it out using Layer 3.

To do this, PC3 has to take the ICMP echo request (from the ping command) and
send it to Core-1 on VLAN 11. The IP header of the ICMP echo request will remain
untouched; however, it has to be encapsulated with an Ethernet Layer 2 header to
forward it.
In order to achieve this, PC3 needs to know Core-1's MAC address so it can complete
the Ethernet header generation. This process is known as Layer 3 to Layer 2 address
resolution and requires ARP. Since you initially deleted PC3's ARP table, it must send
out an ARP request first. This packet uses the broadcast destination MAC address in
order to ensure it reaches all devices in the common VLAN.
When the broadcast is received by Access-1, it floods it across all ports in STP
Forwarding mode for VLAN 11 except the sending port (port 3). Even though this is a
broadcast packet, Access-2 does not decapsulate and process it beyond Layer 2
because the Ethertype 0x0806 tells the switch that an ARP packet will follow. Since
ARP is an IP protocol (Layer 3) and Access-1 is not currently running Layer 3, there
is no reason to keep inspecting the packet.
Core-1 receives the packet on port 1 or LAG 256, depending on the hash algorithm
from LAG 1. Core-1 broadcasts the packet on all ports in Forwarding mode on VLAN
11. When the packet is received by Core-2 and Access-2, they just drop it.
When Core-1 looks at the Ethertype (ARP), it inspects the header at Layer 3 because
IP is running on interface VLAN 11. After inspecting the ARP request, Core-1
recognizes the payload is asking for its own IP and prepares the reply.
Simplified topology for better visualization

22. Select the ARP reply frame.

In the Ethernet header, what are the destination and source MAC addresses?

What kind of packet is this: Unicast, Broadcast, or Multicast?

In the ARP header, what are the sender MAC and IP addresses?

What are the target MAC and IP addresses?

What is the main purpose of this packet?

The Core-1 ARP reply is a regular unicast packet with the Layer 2 destination
address of PC3’s MAC. The packet is received by Access-1. Access-1 uses its MAC
Address table to forward the packet to port 3 and deliver it to PC3.
When examining the Layer 3 payload, PC3 recognizes this is the expected reply and
uses the contents (sender IP and MAC address) to generate an entry in its ARP table.
At this point, PC3 has completed the required Layer 2 to Layer 3 address resolution.
Now it can generate the Layer 2 header of the ICMP echo packet that it sends out.
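To make the ARP request and reply examined above concrete, here is an added Python example for this lab guide (it is not Wireshark or HPE Aruba code). It builds the request PC3 sends and the reply Core-1 returns, decodes the Ethernet and ARP fields the questions ask about (destination MAC, Ethertype, opcode, sender and target addresses), and learns the gateway's MAC only from a reply that answers an outstanding request. PC3's MAC address and the IP addresses are those shown on the page; CORE1_MAC (02:00:00:00:00:11) is a constructed placeholder for the Core-1 SVI MAC, which the page does not print.

```python
"""Build and decode the Ethernet/ARP frames examined in this task.

Added example for this lab guide; it is not Wireshark or HPE Aruba code.
PC3's MAC (00:50:56:b1:18:2e) and the IP addresses are the ones shown on the
page; CORE1_MAC (02:00:00:00:00:11) is a constructed placeholder for the
Core-1 SVI MAC, which the page does not print.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

PC3_MAC, PC3_IP = "00:50:56:b1:18:2e", "10.1.11.103"
CORE1_MAC, CORE1_SVI11_IP = "02:00:00:00:00:11", "10.1.11.1"   # MAC is constructed


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{octet:02x}" for octet in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + ARP payload (42 bytes). A request is sent to the
    broadcast MAC with an all-zero target MAC; a reply is unicast to the
    requester's MAC."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type IPv4, hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_frame(frame):
    """Decode the fields the questions above ask about. Frames whose Ethertype
    is not ARP (e.g. 0x0800 for the ICMP echo) get only the Ethernet fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src),
            "ethertype": ethertype, "is_broadcast": dst == b"\xff" * 6}
    if ethertype != ETHERTYPE_ARP:
        return info
    if len(frame) < 42:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    body = frame[22:42]
    info["arp"] = {
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }
    return info


def learn_arp(table, pending, frame):
    """Host-side learning as PC3 does it: only a reply whose sender IP answers
    an outstanding request is added to the table. Unsolicited replies (such as
    the gratuitous ARPs Core-1 sends every 25 seconds) are ignored, which is
    the behaviour the page attributes to Windows."""
    arp = parse_frame(frame).get("arp")
    if arp is None or arp["op"] != ARP_REPLY or arp["sender_ip"] not in pending:
        return False
    table[arp["sender_ip"]] = arp["sender_mac"]
    pending.discard(arp["sender_ip"])
    return True


if __name__ == "__main__":
    request = build_arp(ARP_REQUEST, PC3_MAC, PC3_IP, ZERO_MAC, CORE1_SVI11_IP)
    reply = build_arp(ARP_REPLY, CORE1_MAC, CORE1_SVI11_IP, PC3_MAC, PC3_IP)
    print(parse_frame(request))
    print(parse_frame(reply))
```

Decoding the constructed request gives the same values the Wireshark questions expect: destination ff:ff:ff:ff:ff:ff, Ethertype 0x0806, opcode 1, an all-zero target MAC and target IP 10.1.11.1. The reply decodes as a unicast frame to PC3's MAC with Core-1's address pair in the sender fields, and only that reply is accepted into the host's table.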

23. Select the echo (ping) request entry (frame #6 in the following figure), then expand the IP and
ICMP headers.

In the Ethernet header, what is the Ethertype value?

What encapsulation is that?

What is the Layer 2 destination address?

What is the Layer 2 source address?

From the IP header, what is the Layer 3 source address?

What is the Layer 3 destination address?

Why are the Layer 2 and Layer 3 source addresses the same device, while the Layer 2 and
Layer 3 destination addresses are different devices?



At the time the ICMP echo request packet is generated, the Layer 3 destination
address is the host you want to ping (PC4). However, PC4 is not present in VLAN
11, so the packet has to be handed over to Core-1 (the default gateway of PC3). This
makes Core-1 the Layer 2 destination of the frame.

What is the Time to Live value?

Time to Live is the maximum number of Layer 3 boundaries the packet will be able to
cross before getting dropped.

What is the protocol value?

PC4
24. Move to PC4.
25. In Wireshark, select the packet where its destination equals "Broadcast" and expand the Address
Resolution Protocol row in the Packet Details section.



In the ARP header, what are the sender MAC and IP addresses?

What do they belong to?

What are the target MAC and IP addresses?

What is the main purpose of this packet?



When Core-1 received the ICMP packet and decapsulated it up to Layer 3, it looked
into the destination IPv4 address. Core-1 determines it is not the IP destination of
the packet and must move the packet between VLANs (inter-VLAN routing).
To route between VLANs, Core-1 examines its routing table. It looks for an entry with
an IP prefix or network that includes the destination IP address. If several entries are
found, then the longest match (the more specific route) is used. In the current rout-
ing table, there is a valid entry—10.1.12.0/24—out of VLAN 12 that Core-1 can use.
It is a connected route.
Core-1 is now like PC3 at the beginning of the process. It knows which outbound
Layer 3 interface to use, but it must create the Layer 2 header. Therefore, it needs to
perform another Layer 2/Layer 3 address resolution requesting PC4’s MAC address.
Core-1 creates the ARP request where the target IP address is 10.1.12.104 and
sends it as a broadcast flood tagged in VLAN 12. Access-2 receives a copy and deliv-
ers it to PC4.

26. Select the ARP reply from PC4 to Core-1 (frame #3 in the following figure).



What is the source MAC address?

When PC4 generates the ARP reply, this goes to Core-1. Core-1 updates its ARP table and is
ready to deliver the ICMP echo message.
27. Select the ICMP echo message (frame #4 in the following figure), and focus on the Layer 2 and
Layer 3 addresses.



What are the Layer 2 destination and source addresses?

How did they change from step 23?

What are the Layer 3 destination and source addresses?

Did they change from step 23?



After creating the Layer 2 header with PC4’s MAC address and looking into its MAC
address table, Core-1 is ready to forward the packet using LAG 10 as the outbound
interface for the unicast packet. When leaving Core-1, the packet crosses Core-2,
Access-2, and finally gets to PC4.
This new version of the packet has the Core-1 MAC address as its Layer 2 source
address rather than its destination address (as it was in step 17), and PC4 is now the
new destination address. Layer 2 addresses change at each routing hop.
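As an added illustration (not part of the lab guide), the following Python model walks the echo request from PC3 to PC4 through Core-1, performing the two ARP resolutions seen in the capture and showing that only the Layer 2 header and the TTL change at the routing hop. The IP addresses are the lab's; the MAC addresses and the starting TTL of 128 are constructed values.

```python
"""Hop-by-hop model of the PC3 -> PC4 ICMP echo request traced in Task 7-2.

Added illustration, not part of the lab guide. IP addresses are the lab's;
the MAC addresses and the initial TTL of 128 are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    l2_src: str
    l2_dst: str
    l3_src: str
    l3_dst: str
    ttl: int
    vlan: int


@dataclass
class Node:
    name: str
    ifaces: Dict[int, Tuple[str, str]]                  # vlan -> (ip, mac)
    gateway: Optional[str] = None                       # hosts only
    arp: Dict[str, str] = field(default_factory=dict)   # ip -> mac


# Constructed addresses: PC3 in VLAN 11, PC4 in VLAN 12, Core-1 owning both SVIs.
PC3 = Node("PC3", {11: ("10.1.11.103", "00:50:56:00:00:03")}, gateway="10.1.11.1")
PC4 = Node("PC4", {12: ("10.1.12.104", "00:50:56:00:00:04")}, gateway="10.1.12.1")
CORE1 = Node("Core-1", {11: ("10.1.11.1", "00:fd:45:00:00:11"),
                        12: ("10.1.12.1", "00:fd:45:00:00:12")})
# What the broadcast ARP request in each VLAN would get back: ip -> (mac, vlan).
WIRE = {ip: (mac, vlan) for n in (PC3, PC4, CORE1)
        for vlan, (ip, mac) in n.ifaces.items()}


def same_subnet(a: str, b: str, prefixlen: int = 24) -> bool:
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)


def resolve(node: Node, ip: str, log: List[str]) -> str:
    """MAC for ip from the node's ARP table; when the entry is missing the node
    sends (and here logs) an ARP request and caches the answer from the reply."""
    if ip not in node.arp:
        mac, vlan = WIRE[ip]
        log.append(f"{node.name} ARP who-has {ip} tell {node.ifaces[vlan][0]} (VLAN {vlan})")
        node.arp[ip] = mac
    return node.arp[ip]


def host_send(host: Node, dst_ip: str, log: List[str]) -> Frame:
    """First frame: the L3 destination is the final host, the L2 destination is
    that host when it shares the VLAN, otherwise the default gateway."""
    vlan, (own_ip, own_mac) = next(iter(host.ifaces.items()))
    nexthop = dst_ip if same_subnet(own_ip, dst_ip) else host.gateway
    return Frame(own_mac, resolve(host, nexthop, log), own_ip, dst_ip, 128, vlan)


def core_route(core: Node, frame: Frame, log: List[str]) -> Frame:
    """Inter-VLAN routing: pick the connected /24 that holds the destination,
    decrement TTL and rewrite only the Layer 2 header (L3 addresses unchanged)."""
    for out_vlan, (svi_ip, svi_mac) in core.ifaces.items():
        if same_subnet(svi_ip, frame.l3_dst):
            break
    else:
        raise LookupError(f"{core.name}: no route to {frame.l3_dst}")
    if frame.ttl <= 1:
        raise ValueError("TTL expired")
    return Frame(svi_mac, resolve(core, frame.l3_dst, log),
                 frame.l3_src, frame.l3_dst, frame.ttl - 1, out_vlan)


def walk_ping(src: Node, dst: Node, core: Node) -> Tuple[List[Frame], List[str]]:
    """Echo request from src to dst through core, starting with empty ARP
    tables as in the capture; returns each hop's frame and the ARP requests."""
    for n in (src, dst, core):
        n.arp.clear()
    log: List[str] = []
    dst_ip = next(iter(dst.ifaces.values()))[0]
    first = host_send(src, dst_ip, log)
    if first.l2_dst == core.ifaces[first.vlan][1]:    # addressed to the gateway
        return [first, core_route(core, first, log)], log
    return [first], log                                # same VLAN: Layer 2 only


if __name__ == "__main__":
    hops, arp_log = walk_ping(PC3, PC4, CORE1)
    for h in hops:
        print(f"VLAN {h.vlan}: {h.l2_src} -> {h.l2_dst} | "
              f"{h.l3_src} -> {h.l3_dst} ttl={h.ttl}")
    print(*arp_log, sep="\n")
```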

28. Select the second ARP request and inspect its contents.

Before replying, PC4 (as Core-1 and PC3 before it) needs to add its gateway MAC
address to its ARP table. That triggers the ARP request seen in this image. In entry
number 8, PC4 gets an ARP reply back from Core-1.

29. Select the ICMP (ping) reply.



When PC4 completes the encapsulation step, it sends the packet to Core-1. Again,
Core-1 has to perform an ARP lookup to add the PC3 MAC address. After encap-
sulating the packet, Core-1 forwards the ICMP echo reply to PC3 and the process
ends.

30. Close Wireshark in both PCs.

Task 7-3: Add redundancy to the core layer


Objectives
The management team of BigStartup asked you about the consequences of Core-1's failure since it is
responsible for routing the entire network's traffic. After conducting some research, you have
discovered that one of the VSX features is Active Gateway. It provides default gateway redundancy for
hosts. You then got in touch with a senior consultant, who provided the configuration script for Active
Gateway.



Lab topology

Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to PC4.
4. Launch a command prompt and start a continuous ping to PC3 (10.1.11.103). The ping should
be successful.

Now, you will simulate a Core-1 failure by rebooting it.


5. Connect to the Core-1 console. Save the configuration and then reboot it.
Core-1# write memory
Copying configuration: [Success]
Core-1# boot system
Checking if the configuration needs to be saved...

Checking for updates needed to programmable devices...

Done checking for updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y
The system is going down for reboot.

May 3 20:59:38 hpe-mgmtmd[933107]: RebootLibPh1: Reboot reason: Reboot requested by user

6. Navigate back to PC4 and notice that the pings are failing, even though there are alternative
paths between PC4 and PC3.

7. Wait for Core-1 to become active again. The ping should start to work again.
8. To begin the VSX active gateway configuration, first add IP interfaces to Core-2.
9. Connect to the Core-2 console and add the IP address to interface VLAN 11 and 12.
Core-2# configure terminal
Core-2(config)# interface vlan 11
Core-2(config-if-vlan)# ip address 10.1.11.2/24
Core-2(config-if-vlan)# interface vlan 12
Core-2(config-if-vlan)# ip address 10.1.12.2/24
Core-2(config-if-vlan)# exit

10. To simulate a failed switch, navigate back to the Core-1 console and reboot the switch.
Core-1(config)# boot system
Checking if the configuration needs to be saved...

Checking for updates needed to programmable devices...

Done checking for updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y
The system is going down for reboot.

May 6 17:36:25 hpe-mgmtmd[381308]: RebootLibPh1: Reboot reason: Reboot requested by user

11. Navigate to the PC4 remote desktop. Is the ping still working?

Why is the ping failing, even though you have a redundant Layer 3 switch available?

Answer: PC4 points at the Core-1 IP address as the default gateway; therefore, it has no external
connectivity while Core-1 is unreachable.
12. Stop the ping and enter the ipconfig command. Check the Lab NIC interface gateway.

Note that PC3 and PC4 point to the Core-1 IP address as the default gateway, which
means that, in case of Core-1 failure, they lose access to other networks. Also, notice
that, even though there is an alternative path, hosts cannot detect a gateway failure
and converge to a secondary gateway.



13. Restart the continuous ping from PC4 to PC3. As soon as Core-1 finishes the boot process, the
ping should work.

14. To provide gateway redundancy, HPE has developed the VSX active gateway feature. This fea-
ture allows both switches in a VSX pair to use the same virtual IP address and MAC address to
actively route host traffic, bringing not only redundancy but also load balancing.


15. Navigate to the Core-1 console and configure active gateway for VLANs 11 and 12 as follows.
Core-1# configure terminal
Core-1(config)# interface vlan 11
Core-1(config-if-vlan)# active-gateway ip 10.1.11.254 mac 02:01:00:00:00:01
Core-1(config-if-vlan)# interface vlan 12
Core-1(config-if-vlan)# active-gateway ip 10.1.12.254 mac 02:01:00:00:00:01
Core-1(config-if-vlan)# exit

Notice that both VLANs use the same virtual MAC address, which is the same as the
switch's virtual-mac. This is a best practice that saves switch resources on running
multiple virtual MAC addresses.

16. Navigate to the Core-2 console and configure active gateway for VLANs 11 and 12 as follows.
Core-2(config)# interface vlan 11
Core-2(config-if-vlan)# active-gateway ip 10.1.11.254 mac 02:01:00:00:00:01
Core-2(config-if-vlan)# interface vlan 12
Core-2(config-if-vlan)# active-gateway ip 10.1.12.254 mac 02:01:00:00:00:01
Core-2(config-if-vlan)# exit

Notice that both switches use the same active gateway IP and MAC address. It helps
the client devices as they do not need to change their ARP table to point to a sec-
ondary/redundant gateway.

17. Change the PC3 gateway to VLAN 11's active gateway IP address (10.1.11.254).

18. Change the PC4 gateway to VLAN 12's active gateway IP address (10.1.12.254).



19. Check if the PC4 to PC3 ping is still working.

20. Connect to the Core-1 console, save the configuration, and reboot the switch.
Core-1(config)# write memory
Core-1(config)# boot system
Checking if the configuration needs to be saved...

Checking for updates needed to programmable devices...

Done checking for updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y
The system is going down for reboot.

May 6 18:20:33 hpe-mgmtmd[12797]: RebootLibPh1: Reboot reason: Reboot requested by user

21. Navigate back to PC4; the ping should work normally during Core-1's reboot.
22. Wait for Core-1 to reboot and become active, then save the configuration and reboot Core-2.
Core-2(config)# write memory
Copying configuration: [Success]
Core-2(config)# boot system
Checking if the configuration needs to be saved...

Checking for updates needed to programmable devices...

Done checking for updates.

1 non-failsafe device(s) also need to be updated.
Please run the 'allow-unsafe-updates' command to enable these updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y
The system is going down for reboot.

May 6 18:18:16 hpe-mgmtmd[1311194]: RebootLibPh1: Reboot reason: Reboot requested by user

23. Navigate back to PC4. Has the ping stopped?

As PC3 and PC4 point to the active gateway's virtual IP, a failed switch does not dis-
rupt the gateway services for hosts.

24. As you may note, no ping was lost during Core-1 or Core-2 reboot due to the VSX active gateway
technology.

Note that VSX is an advanced feature covered in detail in the Implementing AOS-CX
Switching course.



Task 7-4: Save your configurations
Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab check-
points might be used by later activities.
Steps
1. Save the current access and core switches’ configuration in the startup checkpoint.
Access-1
Access-VSF(config)# write memory
Copying configuration: [Success]

Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access and core switches’ configuration as a custom checkpoint called Lab7-1_final.
Access-1
No checkpoint is needed as no changes were made.
Core-1
Core-1(config)# copy running-config checkpoint Lab7-1_final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab7-1_final
Copying configuration: [Success]

You have completed Lab 7!



Lab 8: Static routes



The goal of the following tasks is to complete the dual-homed internet service deployment for Big-
Startup. The customer wants load balancing across both carriers and redundancy in case of failure.
They want assurance that if either link fails, traffic can still go out through the alternate ISP. This will
require the configuration of static and floating routes, which you will apply on the core switches.
Objectives
After completing this lab, you will be able to:
• Configure core switches to perimeter firewall links using a /30 prefix.
• Configure static routes.
• Add a default route into the routing table for providing internet access.
• Manipulate administrative distances in order to configure floating routes.
• Validate proper load sharing and failover.

An IP prefix is an aggregation of IP addresses and is usually used to refer to an IP network
or subnet in general.

Lab topology
The following lab topology will be used for your practical activities:



For simplicity, the remote lab is using virtual AOS-CX switches to simulate the internet
routers. This allows you to configure and interact with those devices without learning a new
CLI or interface.

Task 8-1: Add links to ISPs


Objectives
In this lab, you will configure the connections from Core-1 and Core-2 to the internet routers (Router-A
and Router-B).
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Verify interface 1/1/7's state.



Core-1 login: admin
Password:
Last login: 2024-05-06 18:22:40 from the console
User "admin" has logged in 5 times in the past 30 days
Core-1# show interface 1/1/7 brief
--------------------------------------------------------------------------------------------
Port   Native  Mode    Type   Enabled  Status  Reason                 Speed   Description
       VLAN                                                           (Mb/s)
--------------------------------------------------------------------------------------------
1/1/7  1       access  1G-BT  no       down    Administratively down  --      --

Notice that interface 1/1/7 is administratively down.

5. Enable interface 1/1/7.


Core-1# configure terminal
Core-1(config)# interface 1/1/7
Core-1(config-if)# no shutdown

6. Configure interface 1/1/7 as a routed port and assign IP address 10.1.250.2/30.


Core-1(config-if)# routing
Core-1(config-if)# ip address 10.1.250.2/30
Core-1(config-if)# exit

AOS-CX switches support port operation in routing or bridging mode. In this step,
you are using a routed port, as you have a single L3 connection between Router-A
and Core-1. By entering the routing command, you set the interface to act as a
routed (Layer 3) interface. Use the no routing command to configure an interface as
a bridged interface.

7. Test the connectivity from Core-1 to Router-A. The ping should succeed.
Core-1(config)# ping 10.1.250.1
PING 10.1.250.1 (10.1.250.1) 100(128) bytes of data.
108 bytes from 10.1.250.1: icmp_seq=1 ttl=64 time=1.64 ms
108 bytes from 10.1.250.1: icmp_seq=2 ttl=64 time=1.92 ms
108 bytes from 10.1.250.1: icmp_seq=3 ttl=64 time=1.71 ms
108 bytes from 10.1.250.1: icmp_seq=4 ttl=64 time=1.60 ms
108 bytes from 10.1.250.1: icmp_seq=5 ttl=64 time=1.78 ms

--- 10.1.250.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.598/1.731/1.921/0.113 ms

8. Using the Remote Lab dashboard, connect to the Core-2 console.


9. Enable interface 1/1/7.



Core-2# configure terminal
Core-2(config)# interface 1/1/7
Core-2(config-if)# no shutdown

10. Configure interface 1/1/7 as a routed port and assign IP address 10.1.250.6/30.
Core-2(config-if)# routing
Core-2(config-if)# ip address 10.1.250.6/30
Core-2(config-if)# exit

11. Test the connectivity from Core-2 to Router-B. The ping should succeed.
Core-2(config)# ping 10.1.250.5
PING 10.1.250.5 (10.1.250.5) 100(128) bytes of data.
108 bytes from 10.1.250.5: icmp_seq=1 ttl=64 time=1.64 ms
108 bytes from 10.1.250.5: icmp_seq=2 ttl=64 time=1.92 ms
108 bytes from 10.1.250.5: icmp_seq=3 ttl=64 time=1.71 ms
108 bytes from 10.1.250.5: icmp_seq=4 ttl=64 time=1.60 ms
108 bytes from 10.1.250.5: icmp_seq=5 ttl=64 time=1.78 ms

--- 10.1.250.5 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.598/1.731/1.921/0.113 ms

Task 8-2: Adding static routes


Objectives
Right now, the links between the core switches and internet routers are up and running; however, inter-
net access is not available yet. In this task, you will add static routes in order to send all non-local traffic
to the carriers that will take care of the delivery process. Core-1 will be pointing to Router-A (ISP1) and
Core-2 will point to Router-B (ISP2) in order to achieve load balancing and high availability.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Enable BFD and create a static default route (also known as 0s prefix) pointing to Router-A.
Core-1(config)# bfd
Core-1(config)# ip route 0.0.0.0/0 10.1.250.1 bfd

Bidirectional Forwarding Detection

Due to the remote lab design, Router-A and Router-B may not detect a link failure, as
they are virtual switches running inside a server and the physical state of a port is
not detected by them. In this lab, you will add Bidirectional Forwarding Detection (BFD)
to your static routes, allowing switches to detect a failure in the communication and
trigger the route change. BFD is out of the scope of this training and is explained in
detail in the professional level course. For more information, check the High Availability
Guide available at the HPE Networking Support Portal
(https://networkingsupport.hpe.com).

5. Use the show ip route command and validate the route is listed.
Core-1(config)# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
              R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes:   E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
              IA - OSPF internal area, E1 - OSPF external type 1
              E2 - OSPF external type 2

VRF: default

Prefix             Nexthop        Interface    VRF(egress)    Origin/   Distance/   Age
                                                              Type      Metric
-----------------------------------------------------------------------------------------
0.0.0.0/0          10.1.250.1     1/1/7        -              S         [1/0]       00h:01m:07s
10.1.11.0/24       -              vlan11       -              C         [0/0]       -
10.1.11.1/32       -              vlan11       -              L         [0/0]       -
10.1.12.0/24       -              vlan12       -              C         [0/0]       -
10.1.12.1/32       -              vlan12       -              L         [0/0]       -
10.1.250.0/30      -              1/1/7        -              C         [0/0]       -
10.1.250.2/32      -              1/1/7        -              L         [0/0]       -

Total Route Count : 7

What is the metric value and what is it for?

Answer: 1
What is the distance value and what is it for?

Answer: 0

Administrative distance: The routing switch uses this parameter to compare routes
learned by different routing methods. It indicates how reliable the router considers
the method through which it discovered the route; a lower value indicates a more
trustworthy route. Administrative distance is not a factor if you are using only static
routes. However, if you are using static routing in conjunction with a routing protocol
such as OSPFv3 to provide routes to an identical destination, the routing switch
selects the route with the lowest administrative distance. Where the default
administrative distances are used, a static route normally supersedes a dynamic route
to the same destination because the former has the lowest default administrative
distance and metric.
Metric: The routing switch uses this parameter to compare routes to identical
destinations learned by the same routing protocol. The metric is the cost of sending
traffic on a given route and is based on various criteria:
• Link conditions (bandwidth, delay, reliability)
• Organizational policies (monetary cost, autonomous systems that a packet
must traverse)
Each routing protocol has its own method for computing a route's metric. For static
routes, the metric defaults to 1 and is not configurable.

6. Ping the 8.8.8.8 IP address to test access to the internet. The ping should be successful.
Core-1(config)# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 100(128) bytes of data.
108 bytes from 8.8.8.8: icmp_seq=1 ttl=64 time=0.042 ms
108 bytes from 8.8.8.8: icmp_seq=2 ttl=64 time=0.047 ms
108 bytes from 8.8.8.8: icmp_seq=3 ttl=64 time=0.046 ms
108 bytes from 8.8.8.8: icmp_seq=4 ttl=64 time=0.047 ms
108 bytes from 8.8.8.8: icmp_seq=5 ttl=64 time=0.045 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss,

Since there is no prefix in the routing table for the 8.8.8.8 IP address, what prefix is taking care of
routing this traffic?

Remote labs do not have access to the internet. We are using a couple of loopback
interfaces on Router-C to simulate external networks. Therefore, pinging to another
IP address from the internet will not work.

7. Navigate to the Core-2 console.


8. Verify the Core-2 routing table.
Core-2(config)# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
              R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes:   E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
              IA - OSPF internal area, E1 - OSPF external type 1
              E2 - OSPF external type 2

VRF: default

Prefix             Nexthop        Interface    VRF(egress)    Origin/   Distance/   Age
                                                              Type      Metric
-----------------------------------------------------------------------------------------
10.1.11.0/24       -              vlan11       -              C         [0/0]       -
10.1.11.2/32       -              vlan11       -              L         [0/0]       -
10.1.12.0/24       -              vlan12       -              C         [0/0]       -
10.1.12.2/32       -              vlan12       -              L         [0/0]       -
10.1.250.4/30      -              1/1/7        -              C         [0/0]       -
10.1.250.6/32      -              1/1/7        -              L         [0/0]       -

Total Route Count : 6

Why is there no default route on Core-2?

Answer: No static routes were created on Core-2.

Even though Core-1 and Core-2 are part of a VSX pair, the management and control
planes are independent on both switches. This means that each device has its own
configuration. It provides VSX flexibility and improved resiliency. Configuration syn-
chronization can be manually enabled on a feature-by-feature basis; VSX is explained
in detail in the Implementing AOS-CX Switching course.

9. Create a static default route (also known as 0s prefix) pointing to Router-B.


Core-2(config)# bfd
Core-2(config)# ip route 0.0.0.0/0 10.1.250.5 bfd

10. Use the show ip route command and validate the route is listed.
Core-2(config)# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
              R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes:   E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
              IA - OSPF internal area, E1 - OSPF external type 1
              E2 - OSPF external type 2

VRF: default

Prefix             Nexthop        Interface    VRF(egress)    Origin/   Distance/   Age
                                                              Type      Metric
-----------------------------------------------------------------------------------------
0.0.0.0/0          10.1.250.5     1/1/7        -              S         [1/0]       00h:00m:10s
10.1.11.0/24       -              vlan11       -              C         [0/0]       -
10.1.11.2/32       -              vlan11       -              L         [0/0]       -
10.1.12.0/24       -              vlan12       -              C         [0/0]       -
10.1.12.2/32       -              vlan12       -              L         [0/0]       -
10.1.250.4/30      -              1/1/7        -              C         [0/0]       -
10.1.250.6/32      -              1/1/7        -              L         [0/0]       -

Total Route Count : 7

11. Ping the 8.8.8.8 IP address to test access to the internet. The ping should be successful.
Core-2(config)# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 100(128) bytes of data.
108 bytes from 8.8.8.8: icmp_seq=1 ttl=64 time=0.039 ms
108 bytes from 8.8.8.8: icmp_seq=2 ttl=64 time=0.044 ms
108 bytes from 8.8.8.8: icmp_seq=3 ttl=64 time=0.038 ms
108 bytes from 8.8.8.8: icmp_seq=4 ttl=64 time=0.042 ms
108 bytes from 8.8.8.8: icmp_seq=5 ttl=64 time=0.042 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4092ms
rtt min/avg/max/mdev = 0.038/0.041/0.044/0.002 ms

12. Navigate to the PC3 console and open the command prompt.
13. Ping the 8.8.8.8 IP address.

Is the ping successful?

Answer: No, pings are failing.


Use the tracert command to track where the communication stops.



Notice that after reaching the gateway, all other attempts have failed.
There could be many reasons why the ping is not working:
• An ACL in the router that filters the packets out.
• The lack of Network Address Translation (NAT), which sends the packets with
the original source IP address, making it impossible for the destination to
properly respond back to you from the internet.
• A missing route for your local segment (10.1.0.0/16) in the router equipment,
causing it to drop the returning traffic or route it somewhere else.
At this point, any of them is possible. However, since Core-1 was able to reach the
8.8.8.8 address, it is most likely that the router does not contain your prefix in
its routing table. After all, you must remember that when testing access from Core-1,
packets had the 10.1.250.2/30 source IP address, a segment Router-A implicitly
knows (connected network). On the other hand, packets sent by PC3 had the
10.1.11.103 address. Therefore, you must make sure the carrier has this route in
their device pointing to Core-1’s IP address as the next hop.
You have contacted the router administrator and asked if their device was set up
properly, ensuring, at a minimum, the 10.1.11.0/24 and 10.1.12.0/24 prefixes were
included in its routing table. After validating the request, the router administrator
realizes that the on-site device is using its own 0s prefix to forward traffic to those
segments.
Router-A# show ip route 10.1.11.0

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

0.0.0.0/0, vrf default
        via 10.1.250.18, [1/0], static


To solve this, you request the router administrator to add network 10.1.0.0/16 point-
ing to the 10.1.250.2 IP address (Core-1) as the next hop.

Configuring Router-A (ISP-1) and Router-B (ISP-2)

In the following steps, you will pretend to be the internet router administrator and
add return routes to Router-A and Router-B. Notice that, for simplicity, remote labs
use two virtual AOS-CX switches to mimic routers.

14. Using the remote lab interface, connect to Router-A. Log in using the following credentials:
• Username: admin
• Password: Aruba123!
15. Configure the missing static route: 10.1.0.0/16 via 10.1.250.2.
Router-A# configure terminal
Router-A(config)# ip route 10.1.0.0/16 10.1.250.2 bfd

You will learn more about Bidirectional Forwarding Detection (BFD) in the next task.

16. Using the remote lab interface, connect to Router-B. Log in using the following credentials:
• Username: admin
• Password: Aruba123!
17. Configure the missing static route: 10.1.0.0/16 via 10.1.250.6.
Router-B# configure terminal
Router-B(config)# ip route 10.1.0.0/16 10.1.250.6 bfd

18. Navigate back to PC3 and start a ping to 8.8.8.8. The ping should succeed.



Task 8-3: Redundancy with floating routes
Objectives
Your current deployment has proven more efficient. However, it still has a weak point—it contains
single points of failure. If the link to ISP1 fails (Router-A), then users being routed by Core-1 lose inter-
net access. A similar result would occur with clients routed by Core-2 if ISP2 fails (Router-B). The solu-
tion to this is the creation of static floating routes.
In this task, you will create a second prefix pointing to the other core on each core. However, these pre-
fixes will have a lower preference because of an increased administrative distance. When the main inter-
net link on either core is active, then the floating routes are not present in the routing table and are not
used. However, if the connection to either carrier goes down, the main route vanishes, and the floating
route is inserted and makes the switch route data traffic through its neighbor.
Steps
1. Using the Remote Lab dashboard, connect to the PC3 remote desktop.
2. Start the command prompt and issue a continuous ping to 8.8.8.8. The ping should succeed.

Due to the utilization of link aggregation between the access switches stacked with VSF and the
core switches, any link could be used to transport the ping packets from PC3 to the core layer.
Also, due to the use of VSX active gateway, the core switch that receives the traffic will route it
forward. The combination creates a highly available and redundant environment. You will now
find which core switch is routing packets from PC3 to 8.8.8.8 and simulate an internet link failure.
3. Open a console connection to Core-1 and disable port 1/1/7.
Core-1 login: admin
Password:
Last login: 2024-05-13 12:52:39 from the console
User "admin" has logged in 7 times in the past 30 days
Core-1# configure terminal
Core-1(config)# interface 1/1/7
Core-1(config-if)# shutdown

4. Navigate back to PC3.



a. Check if the ping is still working. If the ping has stopped, it means that Router-A (ISP-1)
was being used to route PC3 traffic to the internet. Then proceed to step 5.
b. If the ping is still working, re-enable interface 1/1/7 on Core-1.
Core-1(config-if)# no shutdown

c. Connect to the Core-2 console and disable port 1/1/7.


Core-2 login: admin
Password:
Last login: 2024-05-13 12:52:39 from the console
User "admin" has logged in 7 times in the past 30 days
Core-2# configure terminal
Core-2(config)# interface 1/1/7
Core-2(config-if)# shutdown
Core-2(config-if)# exit

Notice that, even though you have a redundant connection, the communication was
broken since each core switch has no alternative route in case the default route to
the internet fails.

As the name suggests, static routes are static and not aware of changes in the net-
work. They are only removed/disabled when the interface used to reach the next hop
or the exit interface goes down. To create redundancy using static routes, you may
create a floating static route, which is a second route using another next hop or exit
interface and a higher administrative distance. This way, if the primary route fails, it
will be deactivated, and the second route will take place.

5. Navigate back to PC3. The ping should not work now.



Even though you could use existing Layer 3 interfaces between Core-1 and Core-2, you will cre-
ate an L3 transport network between them, keeping this traffic separate from the users' SVIs.
6. Navigate to the Core-1 console connection and create a VLAN 10, assigning IP address
10.1.10.1/30 to the VLAN interface (SVI).
Core-1(config)# vlan 10
Core-1(config-vlan-10)# description Core-1_to_Core-2_SVI
Core-1(config-vlan-10)# interface vlan 10
Core-1(config-if-vlan)# ip address 10.1.10.1/30
Core-1(config-if-vlan)# exit

7. Navigate to Core-2 and repeat VLAN 10 creation.


Core-2(config)# vlan 10
Core-2(config-vlan-10)# description Core-2_to_Core-1_SVI
Core-2(config-vlan-10)# interface vlan 10
Core-2(config-if-vlan)# ip address 10.1.10.2/30
Core-2(config-if-vlan)# exit

8. Test the communication.


Core-2(config)# ping 10.1.10.1
PING 10.1.10.1 (10.1.10.1) 100(128) bytes of data.
108 bytes from 10.1.10.1: icmp_seq=1 ttl=64 time=0.180 ms
108 bytes from 10.1.10.1: icmp_seq=2 ttl=64 time=0.338 ms
108 bytes from 10.1.10.1: icmp_seq=3 ttl=64 time=0.175 ms
108 bytes from 10.1.10.1: icmp_seq=4 ttl=64 time=0.180 ms
108 bytes from 10.1.10.1: icmp_seq=5 ttl=64 time=0.187 ms

--- 10.1.10.1 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 4075ms
rtt min/avg/max/mdev = 0.175/0.212/0.338/0.063 ms

Since you have not added VLAN 10 to any port, how are Core-1 and Core-2 able to ping their
respective VLAN 10 addresses?
Lab 8: Static routes

Answer: VLAN 10 was automatically permitted on LAG 256 as it was configured to allow all
VLANs.



When creating LAG 256, which is used as VSX LAG between Core-1 and Core-2, it
was configured allowing all VLANs to be transmitted.
Core-1(config)# show vlan 10

-----------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
-----------------------------------------------------------------------
10 VLAN10 up ok static lag256

9. Navigate back to Core-1 and create a floating default route pointing to Core-2 (10.1.10.2).
Core-1(config)# ip route 0.0.0.0/0 10.1.10.2 distance 10

10. Navigate to Core-2 and create a floating default route pointing to Core-1 (10.1.10.1).
Core-2(config)# ip route 0.0.0.0/0 10.1.10.1 distance 10

Creating identical routes on two Layer 3 devices pointing at each other can cause Layer 3
loops. In this scenario, that would happen if both ISP links went down. In that unlikely case,
if Core-1 received traffic destined for the internet, it would use Core-2 as the next hop.
Core-2, having lost its own internet link, would send the traffic back to Core-1, which
would repeat the same process.
The Time to Live (TTL) field in the IP header bounds the damage, because every router
decrements it and discards the packet when it reaches zero, but looping packets still consume
data plane resources until they expire. Tracking the validity of the floating route with IP
SLA-based object tracking is therefore recommended to prevent this from happening.

11. Verify the routing table of the core switch where you have interface 1/1/7 disabled.
Core-X(config)# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local


R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix               Nexthop        Interface   VRF(egress)   Origin/   Distance/   Age
                                                              Type      Metric
-----------------------------------------------------------------------------------------
0.0.0.0/0 10.1.10.2 vlan10 - S [10/0] 00h:32m:59s
10.1.10.0/30 - vlan10 - C [0/0] -
10.1.10.1/32 - vlan10 - L [0/0] -



10.1.11.0/24 - vlan11 - C [0/0] -
10.1.11.1/32 - vlan11 - L [0/0] -
10.1.12.0/24 - vlan12 - C [0/0] -
10.1.12.1/32 - vlan12 - L [0/0] -

Total Route Count : 7

As the link to Router-A is inactive, what is the default gateway now?

Answer: The other ("redundant") core switch, reached through its VLAN 10 address (10.1.10.2 in
the example).


12. Navigate back to the PC3 desktop. The ping should be working.

The use of static floating routes is helpful for small environments with just a few
routes. In larger environments, dynamic IP routing protocols such as OSPF are recom-
mended. As an alternative to floating routes, you can combine static routes with
either BGP conditional advertisement or IGP default route injection. This approach
prevents Layer 3 loops entirely. You will examine the IGP default route injection
approach in the next lab.

13. Navigate to the core switch where you have interface 1/1/7 disabled, and enable interface 1/1/7.
Core-X(config)# interface 1/1/7
Core-X(config-if)# no shutdown
Core-X(config-if)# exit
Core-X(config)# show interface brief | include 1/1/7
1/1/7   --   routed   1G-BT   yes   up   1000   --

14. Verify the routing one more time.


Core-X(config)# show ip route

Displaying ipv4 routes selected for forwarding



Origin Codes: C - connected, S - static, L - local


R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1



E2 - OSPF external type 2

VRF: default

Prefix               Nexthop        Interface   VRF(egress)   Origin/   Distance/   Age
                                                              Type      Metric
-----------------------------------------------------------------------------------------
0.0.0.0/0 10.1.250.1 1/1/7 - S [1/0] 00h:36m:32s
10.1.10.0/30 - vlan10 - C [0/0] -
10.1.10.1/32 - vlan10 - L [0/0] -
10.1.11.0/24 - vlan11 - C [0/0] -
10.1.11.1/32 - vlan11 - L [0/0] -
10.1.12.0/24 - vlan12 - C [0/0] -
10.1.12.1/32 - vlan12 - L [0/0] -
10.1.250.0/30 - 1/1/7 - C [0/0] -
10.1.250.2/32 - 1/1/7 - L [0/0] -

Total Route Count : 9

Why is the floating default route through the other core no longer shown?

Answer: The routing table only shows the active routes. Since the routes to Router-A and
Router-B have a better (lower) administrative distance, they are active and are therefore the ones
displayed in the show ip route output.

Only the best routes are installed in the switch routing table. As the route through the
other core has a higher administrative distance, it is not installed until no other route to
the same destination with a better administrative distance is available.
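The route selection and the loop described in this task, as an added example that is not part of the lab guide and not AOS-CX code: a small routing-table model that installs one route per prefix by lowest administrative distance (only while its exit interface is up), does a longest-prefix lookup, and then walks a packet hop by hop with a TTL to show what happens when both ISP links are down and the cores' floating default routes point at each other. Addresses and distances are the lab's; Core-2's ISP next hop (10.1.250.5) is assumed, since it is not shown in this section.

```python
"""Floating static routes, administrative distance and the Layer 3 loop (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # next-hop address, or "connected"
    interface: str
    distance: int          # administrative distance (AOS-CX static default is 1)
    origin: str            # "S" static, "C" connected


@dataclass
class Router:
    name: str
    candidates: list = field(default_factory=list)   # every configured route
    link_up: dict = field(default_factory=dict)      # interface -> bool (missing = up)

    def add(self, prefix, next_hop, interface, distance=1, origin="S"):
        self.candidates.append(
            Route(ipaddress.ip_network(prefix), next_hop, interface, distance, origin))

    def rib(self):
        """Routes selected for forwarding: one per prefix, lowest distance wins,
        and a static route is only eligible while its exit interface is up."""
        best = {}
        for r in self.candidates:
            if not self.link_up.get(r.interface, True):
                continue
            cur = best.get(r.prefix)
            if cur is None or r.distance < cur.distance:
                best[r.prefix] = r
        return best

    def lookup(self, dst):
        """Longest-prefix match over the active RIB; None when nothing matches."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.rib().values() if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build_cores():
    """Core-1 and Core-2 as configured in Task 8-3 (Core-2's ISP next hop is assumed)."""
    core1, core2 = Router("Core-1"), Router("Core-2")
    for c, peer, isp in ((core1, "10.1.10.2", "10.1.250.1"),
                         (core2, "10.1.10.1", "10.1.250.5")):
        c.add("10.1.10.0/30", "connected", "vlan10", 0, "C")
        c.add("0.0.0.0/0", isp, "1/1/7")            # primary default via ISP, AD 1
        c.add("0.0.0.0/0", peer, "vlan10", 10)     # floating default via other core, AD 10
    return core1, core2


def forward(cores, start, dst, ttl=64):
    """Walk a packet hop by hop. Returns (outcome, hops): "delivered" once the
    packet leaves through an ISP next hop, "ttl_expired" if it bounced between
    the cores until TTL reached zero, "no_route" if a lookup failed."""
    by_addr = {"10.1.10.1": cores[0], "10.1.10.2": cores[1]}
    here, hops = start, 0
    while ttl > 0:
        r = here.lookup(dst)
        if r is None:
            return "no_route", hops
        hops += 1
        ttl -= 1                       # every router decrements TTL
        if r.next_hop not in by_addr:  # next hop is an ISP router: leaves the campus
            return "delivered", hops
        here = by_addr[r.next_hop]
    return "ttl_expired", hops


if __name__ == "__main__":
    c1, c2 = build_cores()
    c1.link_up["1/1/7"] = False        # Core-1 loses Router-A: floating route takes over
    print(forward((c1, c2), c1, "8.8.8.8"))
    c2.link_up["1/1/7"] = False        # both ISP links down: the loop the note warns about
    print(forward((c1, c2), c1, "8.8.8.8"))
```

With one ISP link down the packet takes two hops and leaves via the other core; with both down it makes 64 hops before the TTL kills it, which is the data plane cost that interface tracking is meant to avoid.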

Task 8-4: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab check-
points might be used by later activities.
Steps
1. Save the current access and core switches' configuration in the startup checkpoint.
Access-1
Access-VSF(config)# write memory
Copying configuration: [Success]

252 Task 8-4: Save your configurations


Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current switches' configuration as a custom checkpoint called Lab8_final.
Access-1
No checkpoint is needed as no changes were made.
Core-1
Core-1(config)# copy running-config checkpoint Lab8_final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab8_final
Copying configuration: [Success]

You have completed Lab 8!

Lab 9.1: Open Shortest Path First


This morning, while drinking your coffee and browsing your email, you notice a message from Big-
Startup titled: "PO: Professional Services – Server Switch Integration". A few hours later, you meet your
customer and find out that the servers they ordered months ago have finally arrived, along with a data
center grade CX 8325 Series switch intended for connecting them. Although another supplier,
NetAmateur, will be in charge of implementing that switch, they want you to take care of the core part.
They also plan to expand and extend the network to remote locations in the following years, and they
will want these locations to be able to access the servers. You have advised them that this is a good
time to design and deploy a dynamic routing protocol called Open Shortest Path First (OSPF).
Objectives
After completing this lab, you will be able to:
- Define an OSPF router ID.
- Create an area and assign it to interfaces.
- Build neighbor relationships.
- Validate OSPF learned prefixes.
- Deploy the DHCP helper role.
Lab topology
The following lab topology will be used for your practical activities:

Lab 9.1: Open Shortest Path First 255


Task 9.1-1: OSPF single area between cores
Objectives
You are about to run an OSPF single area deployment on your core switches. This includes defining a
unique router ID, enabling the process and mapping it to a VRF, creating an OSPF area, and assigning it
to interfaces. You will begin with the link between cores.
Once the tasks are completed, you will proceed with neighbor discovery validation.

Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Create a loopback interface.
Core-1 login: admin
Password:
Last login: 2024-05-16 15:22:24 from the console
User "admin" has logged in 10 times in the past 30 days
Core-1# configure terminal

256 Task 9.1-1: OSPF single area between cores


Core-1(config)# interface loopback 0
Core-1(config-loopback-if)# ip address 10.1.1.1/32
Core-1(config-loopback-if)# exit

The use of loopback interfaces in routed environments is considered a best practice,
as these virtual interfaces do not rely on the status of a physical port to be active,
allowing remote access and management even when a physical interface fails.

5. Create the OSPF process 1.


Core-1(config)# router ospf 1

Each VRF has up to eight OSPF process instances.

6. Assign router ID 10.1.1.1 and create area 0.


Core-1(config-ospf-1)# router-id 10.1.1.1
Core-1(config-ospf-1)# area 0

7. Enable the OSPF process.


Core-1(config-ospf-1)# enable
Core-1(config-ospf-1)# exit

At this point, OSPF is up and running in Core-1. However, it is not sending hello mes-
sages yet because you have not enabled it on any interfaces. You will now enable it
on the link to Core-2.

8. Enable OSPF process 1 and area 0 on VLAN 10.


Core-1(config)# interface vlan 10
Core-1(config-if-vlan)# ip ospf 1 area 0
Core-1(config-if-vlan)# exit

9. Review the OSPF process state.


Core-1(config)# show ip ospf
VRF : default Process : 1
----------------------------------------------------

Router ID : 10.1.1.1                OSPFv2 : Enabled


BFD : Disabled SPF Start Interval : 200 ms
SPF Hold Interval : 1000 ms SPF Max Wait Interval : 5000 ms
LSA Start Time : 5000 ms LSA Hold Time : 0 ms
LSA Max Wait Time : 0 ms LSA Arrival : 1000 ms
External LSAs : 0 Checksum Sum : 0
ECMP : 4 Reference Bandwidth : 100000 Mbps
Area Border : false AS Border : false
GR Status : Enabled GR Interval : 120 sec
GR State : inactive GR Exit Status : none



GR Helper : Enabled GR Strict LSA Check : Enabled
GR Ignore Lost I/F : Disabled
Summary address:

Area Total Active


------------------------------
Normal 1 1
Stub 0 0
NSSA 0 0

Area : 0.0.0.0
----------------
Area Type : Normal                  Status : Active
Total Interfaces : 1 Active Interfaces : 1
Passive Interfaces : 0 Loopback Interfaces : 0
SPF Calculation Count : 3
Area ranges :
Number of LSAs : 1 Checksum Sum : 17789

What router ID is this OSPF router using?

Answer: 10.1.1.1.
What is the state of the protocol?

Answer: Enabled.
How many areas are created and what is the area ID?

Answer: One normal area, with area ID 0.0.0.0.


How many LSAs have been created?

Answer: One.
What LSA type do you think it is?

Right now, Core-1 is sending hello messages out of Interface VLAN 10; however,
there is no other OSPF router on that segment yet. You will proceed to deploy the
counterpart on Core-2.

10. Using the Remote Lab dashboard, open a console connection to Core-2.
11. Create a loopback interface.



Core-2(config)# interface loopback 0
Core-2(config-loopback-if)# ip address 10.1.1.2/32
Core-2(config-loopback-if)# exit

12. Configure OSPF process 1 and area 0.


Core-2(config)# router ospf 1
Core-2(config-ospf-1)# router-id 10.1.1.2
Core-2(config-ospf-1)# area 0
Core-2(config-ospf-1)# enable
Core-2(config-ospf-1)# exit

13. Activate OSPF process 1 area 0 for VLAN 10.


Core-2(config)# interface vlan 10
Core-2(config-if-vlan)# ip ospf 1 area 0
Core-2(config-if-vlan)# exit

14. Check if Core-2 has OSPF neighbors.


Core-2(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 1

Neighbor ID Priority State Nbr Address Interface


-------------------------------------------------------------------------
10.1.1.1 1 FULL/DR 10.1.10.1 vlan10

15. For more details on the neighbor, enter the show ip ospf neighbor detail command.
Core-2(config)# show ip ospf neighbors detail
VRF : default Process : 1
---------------------------------------------------------

Router-Id : 10.1.1.1 Area Id : 0.0.0.0


Interface : vlan10 Address : 10.1.10.1
State : FULL Neighbor Priority : 1
DR : 10.1.10.1                      BDR : 10.1.10.2
Dead Timer Due : 00:00:37 Options : 0x42
Retransmission Queue Length : 0
Time Since Last State Change : 00h:03m:23s

What neighbor has Core-2 discovered? List the router ID.

Answer: Core-1. Router ID 10.1.1.1.


What is the adjacency state?

Answer: Full



What is the Designated Router (DR) and what is the Backup Designated Router (BDR)?

Answer: Core-1 (10.1.1.1) is the DR, and Core-2 (10.1.1.2) is the BDR.


Since both nodes have a default priority of 1, how was the DR elected?

Answer: Core-1 was configured first and had already become DR on the segment. OSPF does not
preempt an existing DR, so when Core-2 joined it was elected BDR.

On a broadcast (multi-access) segment with two or more routers, one router is elected to
serve as the DR and another to act as the BDR. All other routers on the segment form full
adjacencies only with the DR and BDR and send their link-state information to them, and
the DR floods it to the other routers on the segment. This minimizes the amount of
repetitive information forwarded on the segment by removing the need for every router to
exchange its link-state information with every other router. If the area includes multiple
broadcast segments, each segment elects its own DR and BDR.
On a segment with no DR and no BDR, the neighboring router with the highest priority is
elected DR, and the router with the next highest priority is elected BDR. If the DR goes
offline, the BDR automatically becomes the DR, and the router with the next highest
priority then becomes the new BDR. An existing DR is not displaced when a router with a
higher priority joins the segment later. If multiple routing switches on the same segment
are declaring themselves DR, both priority and router ID are used to select the DR and BDR.
Priority is configurable using the ip ospf priority command at the interface level. A
priority of 0 makes a router ineligible. If two neighbors share the same priority, the
router with the highest router ID is elected DR, and the router with the next highest
router ID is elected BDR.
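The election rules above, as an added example that is not part of the lab guide and not AOS-CX code: a simplified model of RFC 2328 section 9.4 that applies the two stated tie-breakers (highest priority, then highest router ID), excludes priority 0 routers, and keeps an existing DR or BDR in place rather than preempting it, which is why Core-1 stayed DR when Core-2 joined. Router IDs and priorities are the lab's. The full algorithm also takes into account which DR and BDR each neighbor declares in its own hellos; that part is left out here.

```python
"""Simplified OSPF DR/BDR election on one broadcast segment (added example)."""
import ipaddress


def _rank(router):
    """Ordering used by the election: priority first, then numeric router ID."""
    return (router["priority"], int(ipaddress.ip_address(router["rid"])))


def elect(routers, current_dr=None, current_bdr=None):
    """routers: list of {"rid": "a.b.c.d", "priority": n} currently seen on the segment.
    current_dr / current_bdr: router IDs holding the roles before this election (None if none).
    Returns (dr, bdr) as router ID strings; a role that cannot be filled is None."""
    eligible = [r for r in routers if r["priority"] > 0]   # priority 0: never DR/BDR
    if not eligible:
        return None, None
    rids = {r["rid"] for r in eligible}

    if current_dr in rids:                 # no preemption: an existing DR keeps the role
        dr = current_dr
    elif current_bdr in rids:              # DR gone: the BDR is promoted
        dr = current_bdr
    else:                                  # cold start: best priority, then highest router ID
        dr = max(eligible, key=_rank)["rid"]

    rest = [r for r in eligible if r["rid"] != dr]
    if current_bdr in {r["rid"] for r in rest}:
        bdr = current_bdr                  # existing BDR stays unless it became DR or left
    else:
        bdr = max(rest, key=_rank)["rid"] if rest else None
    return dr, bdr


if __name__ == "__main__":
    core1 = {"rid": "10.1.1.1", "priority": 1}
    core2 = {"rid": "10.1.1.2", "priority": 1}
    dr, bdr = elect([core1])                                   # Core-1 alone: DR, no BDR
    print(elect([core1, core2], current_dr=dr, current_bdr=bdr))  # Core-2 joins: becomes BDR
    print(elect([core1, core2]))                               # both boot together: higher RID wins
```

Run the same two routers through a cold start and the higher router ID (Core-2) takes DR, which is the outcome the lab would have shown had both cores been enabled at the same moment.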

16. Display the router LSAs that Core-2 knows.


Core-2(config)# show ip ospf lsdb router
OSPF Router with ID (10.1.1.2) (Process ID 1 VRF default)
==========================================================

Router Link State Advertisements (Area 0.0.0.0)


------------------------------------------------

LSID ADV Router Age Seq# Checksum Link Count


-------------------------------------------------------------------------------
10.1.1.1 10.1.1.1 1011 0x80000002 0x00007335 1
10.1.1.2 10.1.1.2 1010 0x80000002 0x00007134 1

How many router LSAs are shown?



Answer: Two router LSAs are listed.
What are the Link State IDs?

Answer: 10.1.1.1 and 10.1.1.2.


Who created those LSAs?

Answer: Core-1 (10.1.1.1) and Core-2 (10.1.1.2).


17. Display the network LSAs that Core-2 knows.
Core-2(config)# show ip ospf lsdb network
OSPF Router with ID (10.1.1.2) (Process ID 1 VRF default)
==========================================================

Network Link State Advertisements (Area 0.0.0.0)


-------------------------------------------------

LSID ADV Router Age Seq# Checksum


--------------------------------------------------------------
10.1.10.1 10.1.1.1 1084 0x80000001 0x0000f925

How many network LSAs are shown?

Answer: One network LSA.


What is the Link State ID?

Answer: 10.1.10.1.
Who created those LSAs?

Answer: Core-1 (10.1.1.1).


18. Navigate back to Core-1 and display Core-1's LSAs.
Core-1(config)# show ip ospf lsdb
OSPF Router with ID (10.1.1.1) (Process ID 1 VRF default)
==========================================================

Router Link State Advertisements (Area 0.0.0.0)


------------------------------------------------

LSID ADV Router Age Seq# Checksum Link Count


-------------------------------------------------------------------------------
10.1.1.1 10.1.1.1 1258 0x80000002 0x00007335 1



10.1.1.2 10.1.1.2 1259 0x80000002 0x00007134 1

Network Link State Advertisements (Area 0.0.0.0)


-------------------------------------------------

LSID ADV Router Age Seq# Checksum


--------------------------------------------------------------
10.1.10.1 10.1.1.1 1263 0x80000001 0x0000f925

Are these LSAs similar to the ones that Core-2 has?

Answer: Yes.

To confirm that they are the same instance of each LSA, compare the LSID, sequence number,
and checksum.

How many links does each of them announce?

Answer: One link each: a transit link to the 10.1.10.0/30 network described by the network LSA.

Right now, only one link is contained within the router LSA (10.1.10.0/30).

Task 9.1-2: Add the server switch


Objectives
The next phase in this integration will be to build the interconnection with the server switch using the
two links that have already been plugged in. You will use interface 1/1/8 on each core.
Remember that you will only take care of core switch configuration, while the server switch is being con-
figured by another partner.

262 Task 9.1-2: Add the server switch


Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Configure interface 1/1/8.
Core-1(config)# interface 1/1/8
Core-1(config-if)# description To_server-Switch
Core-1(config-if)# routing
Core-1(config-if)# ip address 10.1.250.9/30
Core-1(config-if)# exit

5. Test Core-1 to Server Switch communication. The ping should work.


Core-1(config)# ping 10.1.250.10
PING 10.1.250.10 (10.1.250.10) 100(128) bytes of data.
108 bytes from 10.1.250.10: icmp_seq=1 ttl=64 time=1.81 ms
108 bytes from 10.1.250.10: icmp_seq=2 ttl=64 time=1.75 ms
108 bytes from 10.1.250.10: icmp_seq=3 ttl=64 time=1.82 ms
108 bytes from 10.1.250.10: icmp_seq=4 ttl=64 time=1.68 ms
108 bytes from 10.1.250.10: icmp_seq=5 ttl=64 time=2.48 ms

--- 10.1.250.10 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.680/1.908/2.480/0.290 ms

6. Activate OSPF process 1 area 0 on interface 1/1/8.


Core-1(config)# interface 1/1/8
Core-1(config-if)# ip ospf 1 area 0
Core-1(config-if)# exit

7. Display the list of neighbors Core-1 has now.



Core-1(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 2

Neighbor ID Priority State Nbr Address Interface


-------------------------------------------------------------------------
10.1.1.3       1          FULL/BDR   10.1.250.10    1/1/8
10.1.1.2       1          FULL/BDR   10.1.10.2      vlan10

Did you discover any new neighbors?

Answer: Yes.
Who?

Answer: Neighbor ID 10.1.1.3 (Server switch).


8. Navigate to the Core-2 console.
9. Configure interface 1/1/8.
Core-2(config)# interface 1/1/8
Core-2(config-if)# description To_server-Switch
Core-2(config-if)# routing
Core-2(config-if)# ip address 10.1.250.13/30
Core-2(config-if)# exit

10. Test Core-2 to Server Switch communication. The ping should work.
Core-2(config)# ping 10.1.250.14
PING 10.1.250.14 (10.1.250.14) 100(128) bytes of data.
108 bytes from 10.1.250.14: icmp_seq=1 ttl=64 time=13.3 ms
108 bytes from 10.1.250.14: icmp_seq=2 ttl=64 time=1.99 ms
108 bytes from 10.1.250.14: icmp_seq=3 ttl=64 time=2.04 ms
108 bytes from 10.1.250.14: icmp_seq=4 ttl=64 time=1.95 ms
108 bytes from 10.1.250.14: icmp_seq=5 ttl=64 time=1.86 ms

--- 10.1.250.14 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 1.864/4.227/13.295/4.534 ms

11. Activate OSPF process 1 area 0 on interface 1/1/8.


Core-2(config)# interface 1/1/8
Core-2(config-if)# ip ospf 1 area 0
Core-2(config-if)# exit

12. Display the list of neighbors Core-2 has now.



Core-2(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 1

Neighbor ID Priority State Nbr Address Interface


-------------------------------------------------------------------------
10.1.1.1 1 FULL/DR 10.1.10.1 vlan10

How many entries are listed?

Answer: One.
Is there any device missing?

Answer: Yes, Server Switch is not showing as a neighbor.


13. Confirm OSPF is properly enabled on interface 1/1/8.
Core-2(config)# show ip ospf interface 1/1/8
Codes: DR - Designated router BDR - Backup Designated router

Interface 1/1/8 is up, line protocol is up


-------------------------------------------

VRF : default Process : 1


IP Address : 10.1.250.13/30 Area : 0.0.0.0
Status : Up Network Type : Broadcast
Hello Interval : 10 sec Dead Interval : 40 sec
Transit Delay : 1 sec Retransmit Interval : 5 sec
BFD : Disabled Link Speed : 1000 Mbps
Cost Configured : NA Cost Calculated : 100
State/Type : DR Router Priority : 1
DR : 10.1.250.13 BDR : No
Link LSAs : 0 Checksum Sum : 0
Authentication : No Passive : No

By looking at the configuration, it seems everything is in order. You will most likely
have to look at packet statistics in order to see what packets are being exchanged
between Core-2 and Server Switch.

14. Display the OSPF packet statistics for interface 1/1/8.


Core-2(config)# show ip ospf statistics interface 1/1/8
OSPF Process ID 1 VRF default, interface 1/1/8 statistics (cleared 0h0m9s ago)
================================================================================



Tx Hello Packets : 11 Rx Hello Packets : 0
Tx Hello Bytes : 704 Rx Hello Bytes : 0
Tx DD Packets : 0 Rx DD Packets : 0
Tx DD Bytes : 0 Rx DD Bytes : 0
Tx LS Request Packets : 0 Rx LS Request Packets : 0
Tx LS Request Bytes : 0 Rx LS Request Bytes : 0
Tx LS Update Packets : 0 Rx LS Update Packets : 0
Tx LS Update Bytes : 0 Rx LS Update Bytes : 0
Tx LS Ack Packets : 0 Rx LS Ack Packets : 0
Tx LS Ack Bytes : 0 Rx LS Ack Bytes : 0

Total Number of State Changes : 10


Number of LSAs : 0
LSA Checksum Sum : 0
Total Transmit Failures : 0
Total OSPF Packets Discarded : 2

Reason Packets Dropped


----------------------------------------------
Invalid type 0
Invalid length 0
Invalid checksum 0
Invalid version 0
Bad or unknown source 0
Area mismatch 0
Self-originated 0
Duplicate router ID 0
Interface standby 0
Total Hello packets dropped 5
Network Mask mismatch 0
Hello interval mismatch 5
Dead interval mismatch 0
Options mismatch 0
MTU mismatch 0
Neighbor ignored 0
Authentication errors 0
Type mismatch 0
Authentication failures 0
Wrong protocol 0
Resource failures 0
Bad LSA length 0
Bad DD packets 0
Others 5

Total LSAs Ignored : 0


Bad Type : 0
Bad Length : 0
Invalid Data : 0



Invalid Checksum : 0

Has Core-2 received any hello packets?

Answer: The numbers in your output may vary depending on how long it took you to enter the
show command. Rx Hello Packets shows 0 because hellos that fail validation are not counted as
received; the drop counters show that, in the example, five hello packets arrived and were
discarded.
Has Core-2 dropped any hello packets?

Answer: Yes.
Why?

Answer: Core-2 has dropped hello packets because of a hello interval mismatch. Although you
know Core-2 is running the default value of 10 seconds, you are not certain what interval value
Server Switch is using. You will have to run debugs in order to find out.
15. Clear the debug buffers.
Core-2(config)# clear debug buffer
Core-2(config)#

16. Display the ospfv2 debugs stored in buffers. This debug is on by default.
Core-2(config)# show debug buffer module ospfv2 | begin 10.1.1.3
2024-05-17:13:59:08.324847|hpe-routing|LOG_ERR|AMM|-|OSPFV2|OSPFv2_PACKET|OSPF
268698624 Hello packet with mismatched hello interval received from router
10.1.1.3.
2024-05-17:13:59:08.324869|hpe-routing|LOG_ERR|AMM|-|OSPFV2|OSPFv2_PACKET|My Hello
Interval = 10
2024-05-17:13:59:08.324884|hpe-routing|LOG_ERR|AMM|-|OSPFV2|OSPFv2_
PACKET|Neighboring Hello Interval = 20
2024-05-17:13:59:08.324900|hpe-routing|LOG_ERR|AMM|-|OSPFV2|OSPFv2_PACKET|(End of
Packet, OSPFv2 process Id = 1, VRF Name = default)

What information is the show debug displaying?

Answer: Debug output shows mismatched hello packets are being received.
Is there any complaint about contents in hello messages?

Answer: The hello timer on received packets is configured for 20 seconds, while the local hello
timer is configured for 10 seconds.



The output is clear: the incoming hello interval (20 seconds) is twice the local value (10
seconds). Because the hello and dead intervals must match between two OSPF routers on the
same segment, the mismatch prevents the neighbor relationship from forming. When you share
this information with the partner deploying the server switch (NetAmateur), you realize they
are not experts in the matter and do not understand what you are asking. However, they allow
you to fix what you need to make this integration work.
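The receive-side validation that produced the "Hello interval mismatch" counter above, as an added example that is not part of the lab guide and not AOS-CX code: it builds OSPFv2 hello packets with the RFC 2328 A.3 layout (constructed samples, not captures from the lab), then runs the checks whose failures appear in show ip ospf statistics (version, length, checksum, type, area, network mask, hello interval, dead interval, E-bit of the options). Addresses, intervals and the 0x42 options value are the lab's; the set of checks and their order is a simplification of what a switch does before accepting a hello from an unauthenticated neighbor.

```python
"""OSPFv2 hello construction and receive-side validation (added example)."""
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")     # version, type, length, router ID, area, checksum, autype, auth
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")    # netmask, hello, options, priority, dead, DR, BDR
HELLO_TYPE = 1


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the OSPF header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area, mask, hello, dead, options=0x42, prio=1,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Constructed OSPFv2 hello with AuType 0. Per RFC 2328 D.4.1 the checksum
    covers the whole packet except the 8-byte authentication field."""
    p = lambda a: ipaddress.ip_address(a).packed
    body = HELLO_FIXED.pack(p(mask), hello, options, prio, dead, p(dr), p(bdr))
    body += b"".join(p(n) for n in neighbors)
    hdr = OSPF_HDR.pack(2, HELLO_TYPE, OSPF_HDR.size + len(body), p(router_id), p(area),
                        0, 0, b"\x00" * 8)
    cksum = ip_checksum(hdr[:16] + body)
    return hdr[:12] + struct.pack("!H", cksum) + hdr[14:] + body


def check_hello(pkt: bytes, local: dict) -> str:
    """Return "ok" or the drop reason the receiving switch would count.
    local = settings of the receiving interface (area, mask, hello, dead, options)."""
    if len(pkt) < OSPF_HDR.size:
        return "Invalid length"
    ver, ptype, length, _rid, area, cksum, _autype, _auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2:
        return "Invalid version"
    if length != len(pkt):
        return "Invalid length"
    if ip_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]) != cksum:
        return "Invalid checksum"
    if ptype != HELLO_TYPE:
        return "Type mismatch"
    if len(pkt) < OSPF_HDR.size + HELLO_FIXED.size:
        return "Invalid length"
    if ipaddress.ip_address(area) != ipaddress.ip_address(local["area"]):
        return "Area mismatch"
    mask, hello, options, _prio, dead, _dr, _bdr = HELLO_FIXED.unpack_from(pkt, OSPF_HDR.size)
    if local["network_type"] == "broadcast" and \
            ipaddress.ip_address(mask) != ipaddress.ip_address(local["mask"]):
        return "Network Mask mismatch"
    if hello != local["hello"]:
        return "Hello interval mismatch"
    if dead != local["dead"]:
        return "Dead interval mismatch"
    if (options & 0x02) != (local["options"] & 0x02):   # E-bit: stub vs. normal area must agree
        return "Options mismatch"
    return "ok"


# Core-2 interface 1/1/8 as shown by "show ip ospf interface 1/1/8" (lab values).
CORE2_IF = {"area": "0.0.0.0", "mask": "255.255.255.252", "hello": 10, "dead": 40,
            "options": 0x42, "network_type": "broadcast"}

# Constructed samples: what Server Switch sent before the fix (hello 20) and after (hello 10).
BAD_HELLO = build_hello("10.1.1.3", "0.0.0.0", "255.255.255.252", 20, 40, dr="10.1.250.14")
GOOD_HELLO = build_hello("10.1.1.3", "0.0.0.0", "255.255.255.252", 10, 40, dr="10.1.250.14",
                         neighbors=["10.1.1.2"])

if __name__ == "__main__":
    print(check_hello(BAD_HELLO, CORE2_IF))    # Hello interval mismatch
    print(check_hello(GOOD_HELLO, CORE2_IF))   # ok
```

The same function rejects a hello from the wrong area or with a corrupted byte before it ever looks at the timers, which is the order the drop-reason table in the statistics output reflects; note that with AuType 0 nothing in these checks proves who sent the packet, which is why the "Authentication : No" line in the interface output is worth revisiting once the adjacency works.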

17. To connect to the server switch, you will use PC1. Using the Remote Lab dashboard, launch a
remote desktop connection to PC1.
18. Launch PuTTY using the icon in the desktop area.

19. Select the Server Switch session, click Load, and then click Open.

20. Log in using Username: admin/Aruba123!


21. Validate the current OSPF hello timer on interface 1/1/2 (the Server Switch port facing Core-2).
ServerSwitch login: admin
Password:



Last login: 2024-05-16 20:19:51 from the console
User "admin" has logged in 24 times in the past 30 days
ServerSwitch# show ip ospf interface 1/1/2
Codes: DR - Designated router BDR - Backup Designated router

Interface 1/1/2 is up, line protocol is up


-------------------------------------------

VRF : default Process : 1


IP Address : 10.1.250.14/30 Area : 0.0.0.0
Status : Up Network Type : Broadcast
Hello Interval : 20 sec Dead Interval : 40 sec
Transit Delay : 1 sec Retransmit Interval : 5 sec
BFD : Disabled Link Speed : 1000 Mbps
Cost Configured : NA Cost Calculated : 100
State/Type : DR Router Priority : 1
DR : 10.1.250.14 BDR : No
Link LSAs : 0 Checksum Sum : 0

Authentication : No Passive : No

What is the current hello timer value?

Answer: 20 seconds.
22. Decrease the hello interval from 20 to 10 seconds on interface 1/1/2.
ServerSwitch# configure terminal
ServerSwitch(config)# interface 1/1/2
ServerSwitch(config-if)# ip ospf hello-interval 10
ServerSwitch(config-if)# exit

23. Navigate back to the Core-2 console.


24. Display the neighbors again. Server Switch should be there.
Core-2(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 2

Neighbor ID Priority State Nbr Address Interface


-------------------------------------------------------------------------
10.1.1.3       1          FULL/DR    10.1.250.14    1/1/8
10.1.1.1       1          FULL/DR    10.1.10.1      vlan10

Did you discover any new neighbors?

Answer: Yes.



Who?

Answer: Neighbor ID 10.1.1.3 (Server Switch)


25. Display the routing table, including only the newly learned OSPF prefixes.
Core-2(config)# show ip route ospf

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local


R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix               Nexthop        Interface   VRF(egress)   Origin/   Distance/   Age
                                                              Type      Metric
----------------------------------------------------------------------------------------------
10.1.1.3/32 10.1.250.14 1/1/8 - O [110/100] 00h:13m:06s
10.1.250.8/30 10.1.10.1 vlan10 - O [110/200] 00h:13m:06s
10.1.250.14 1/1/8 - [110/200] 00h:13m:06s
10.254.1.0/24 10.1.250.14 1/1/8 - O [110/200] 00h:13m:06s

Total Route Count : 3

Right now, the core switches have each other and Server Switch as neighbors. Therefore,
they should be receiving link state updates that include the servers' segment.

Which networks have Core-2 discovered?

Answer: 10.1.1.3/32 and 10.254.1.0/24.


Which networks is Server Switch a next hop for?

Answer: Server Switch (10.1.250.14) is the next hop for 10.1.1.3/32 and 10.254.1.0/24, its loop-
back and the servers’ segment respectively.
What are the administrative distance and metric for those segments?

Answer: For 10.1.1.3, administrative distance = 110, metric = 100. For 10.254.1.0/24, admin-
istrative distance = 110, metric = 200.



26. Navigate back to Core-1.
27. Display the routing table, including only the newly learned OSPF prefixes.
Core-1(config)# show ip route ospf

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local


R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix               Nexthop        Interface   VRF(egress)   Origin/   Distance/   Age
                                                              Type      Metric
----------------------------------------------------------------------------------------------
10.1.1.3/32 10.1.250.10 1/1/8 - O [110/100] 18h:19m:50s
10.1.250.12/30 10.1.250.10 1/1/8 - O [110/200] 18h:11m:16s
10.1.10.2 vlan10 - [110/200] 18h:11m:16s
10.254.1.0/24 10.1.250.10 1/1/8 - O [110/200] 18h:20m:00s

Total Route Count : 3

What is the next-hop IP address for those networks learned from the server switch?

Answer: 10.1.250.10 - Server Switch IP address.

Based on the outputs, both cores are using their direct link to the server switch to
reach segments that are beyond it.
This also means that traffic arriving on Core-1 to be routed to the server switch will
be forwarded using Core-1 interface 1/1/8, and traffic arriving on Core-2 to be
routed to the server switch will be forwarded using Core-2 interface 1/1/8.



You will now run some connectivity tests.
28. Navigate to the Core-1 console.
29. Start a ping to the Server Switch loopback IP address (10.1.1.3). The ping should be successful.
Core-1(config)# ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 100(128) bytes of data.
108 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=2.17 ms
108 bytes from 10.1.1.3: icmp_seq=2 ttl=64 time=1.82 ms
108 bytes from 10.1.1.3: icmp_seq=3 ttl=64 time=1.23 ms
108 bytes from 10.1.1.3: icmp_seq=4 ttl=64 time=1.11 ms
108 bytes from 10.1.1.3: icmp_seq=5 ttl=64 time=1.86 ms

--- 10.1.1.3 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 1.106/1.638/2.170/0.403 ms

30. Ping the Windows server IP address (10.254.1.21). The ping should be successful.
Core-1(config)# ping 10.254.1.21
PING 10.254.1.21 (10.254.1.21) 100(128) bytes of data.
108 bytes from 10.254.1.21: icmp_seq=1 ttl=127 time=6.73 ms
108 bytes from 10.254.1.21: icmp_seq=2 ttl=127 time=2.02 ms
108 bytes from 10.254.1.21: icmp_seq=3 ttl=127 time=2.11 ms
108 bytes from 10.254.1.21: icmp_seq=4 ttl=127 time=1.59 ms
108 bytes from 10.254.1.21: icmp_seq=5 ttl=127 time=2.29 ms

--- 10.254.1.21 ping statistics ---



5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.586/2.946/6.731/1.906 ms

31. Navigate to PC3.


32. Ping the Windows server (10.254.1.21).

Was the ping successful?

Answer: No.
33. Run a traceroute towards the Windows server.

Was it successful?

Answer: No.
Why?

Answer: Traffic is failing for the same reason the first test to the internet failed in the previous
lab. Communications are bidirectional; it is not enough to know how to reach the remote
destination, but is also necessary that the other end knows how to send the replies back.

Task 9.1-3: Advertise LAN segments


Objectives
In this activity, you will advertise your LAN prefixes so Server Switch knows how to reach the client
PCs.

Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Enable OSPF process 1 area 0 on VLANs 11 and 12.
Core-1(config)# interface vlan 11-12
Core-1(config-if-vlan-<11-12>)# ip ospf 1 area 0
Core-1(config-if-vlan-<11-12>)# exit

5. Enable OSPF process 1 area 0 on interface loopback 0.


Core-1(config)# interface loopback 0
Core-1(config-loopback-if)# ip ospf 1 area 0
Core-1(config-loopback-if)# exit

Advertising the loopback interface, which is also used as the router ID, is considered
a best practice. It allows network administrators to easily reach a remote router
without needing to remember each interface's IP address.

6. Check the router LSAs.


Core-1(config)# show ip ospf 1 lsdb router
OSPF Router with ID (10.1.1.1) (Process ID 1 VRF default)
==========================================================

Router Link State Advertisements (Area 0.0.0.0)
------------------------------------------------

LSID ADV Router Age Seq# Checksum Link Count
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.1 826 0x80000034 0x0000347d 5
10.1.1.2 10.1.1.2 1288 0x80000030 0x0000a03c 2
10.1.1.3 10.1.1.3 1292 0x8000002c 0x00006fde 4

How many router LSAs do you have now?

Answer: Three.
Who do they belong to?

Answer: Core-1, Core-2, and Server Switch.


How many links are counted for Core-1?

Answer: Five.
What links do they correspond to?

Answer: Core-1 is currently advertising five networks corresponding to: Interface VLAN 10, 11,
and 12, Interface 1/1/8, and Loopback 0.
7. Confirm segments 10.1.11.0/24 and 10.2.12.0/24 are now part of the OSPF routing process.
Core-1(config)# show ip ospf routes
Codes: i - Intra-area route, I - Inter-area route
E1 - External type-1, E2 - External type-2

OSPF Process ID 1 VRF default, Routing Table
---------------------------------------------

Total Number of Routes : 8

10.1.1.3/32 (i) area: 0.0.0.0
via 10.1.250.10 interface 1/1/8, cost 100 distance 110
10.1.10.0/30 (i) area: 0.0.0.0
directly attached to interface vlan10, cost 100 distance 110
10.1.11.0/24 (i) area: 0.0.0.0
directly attached to interface vlan11, cost 100 distance 110
10.1.12.0/24 (i) area: 0.0.0.0
directly attached to interface vlan12, cost 100 distance 110
10.1.250.8/30 (i) area: 0.0.0.0
directly attached to interface 1/1/8, cost 100 distance 110
10.1.250.12/30 (i) area: 0.0.0.0
via 10.1.10.2 interface vlan10, cost 200 distance 110
10.1.250.12/30 (i) area: 0.0.0.0
via 10.1.250.10 interface 1/1/8, cost 200 distance 110
10.254.1.0/24 (i) area: 0.0.0.0
via 10.1.250.10 interface 1/1/8, cost 200 distance 110

8. Navigate to the Core-2 console.


9. Enable OSPF process 1 area 0 on VLANs 11, 12, and Loopback 0.
Core-2(config)# interface vlan 11-12
Core-2(config-if-vlan-<11-12>)# ip ospf 1 area 0
Core-2(config-if-vlan-<11-12>)# exit
Core-2(config)# interface loopback 0
Core-2(config-loopback-if)# ip ospf 1 area 0
Core-2(config-loopback-if)# exit

Task 9.1-4: Testing services
Objectives
In this activity, you will start using one of the services that users in VLANs 11 and 12 have been
waiting for: DHCP.
Since Layer 3 connectivity has been enabled all the way from the LAN segments up to the server’s
VLAN, you can easily receive DHCP Discover messages at the core switch and relay them up to the
server. For redundancy, you will do it on both cores.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Enable the DHCP relay (IP helper) function.
Core-1(config)# interface vlan 11-12
Core-1(config-if-vlan-<11-12>)# ip helper-address 10.254.1.21
Core-1(config-if-vlan-<11-12>)# exit

5. Navigate to the Core-2 console.


6. Enable the DHCP relay (IP helper) function.
Core-2(config)# interface vlan 11-12
Core-2(config-if-vlan-<11-12>)# ip helper-address 10.254.1.21
Core-2(config-if-vlan-<11-12>)# exit

Testing IP helper and server access


7. Navigate to the PC3 remote desktop connection.
8. Click the start menu icon and type control panel. Windows will automatically display all items
matching the string. Click Control Panel.

9. In the Control Panel, click View network status and tasks under Network and Internet.

10. Click Lab NIC under Access type: Connections. A new window will pop up.

11. In the Lab NIC Status window, click Properties.

12. In the Lab NIC Properties section, select Internet Protocol Version 4 (TCP/IPv4), then click
Properties.

13. In Internet Protocol Version 4 (TCP/IPv4) Properties, select Obtain an IP address
automatically under the General tab.
14. Select Obtain DNS server address automatically.
15. Click OK.

16. Click Close.

17. In the Lab NIC window, click Details….

A Network Connection Details window will be displayed.

What connection-specific DNS suffix did you get?

Answer: 10.254.1.21.
What IP address and subnet mask did you get?

Answer: 255.255.255.0.
What IPv4 address was assigned to PC3?

Answer: 10.1.11.103.
18. Click Close.

19. Navigate to PC4 and repeat steps 8 to 18 to set up PC4 for DHCP.

Task 9.1-5: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab
checkpoints might be used by later activities.
Steps
1. Save the current access and core switches’ configurations in the startup checkpoint.
Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches’ configuration as a custom checkpoint called Lab9-1-final.
Core-1
Core-1(config)# copy running-config checkpoint Lab9-1-final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab9-1-final
Copying configuration: [Success]

You have completed Lab 9.1!

Lab 9.2: OSPF advanced settings (optional)


BigStartup also wants to enable symmetric routing, deterministic load balancing on links to the server
switch, and eliminate the risk of Layer 3 loops for traffic to the internet. Remember, dual floating routes
for internet access deployed on core switches in Lab 8 do offer redundancy but also introduce the
chance of loops if both ISPs go down. Management also wants to prevent users from receiving OSPF-
related packets.
You have been asked to optimize the configuration on the core switch pair. Locally, all these changes
are OSPF-related.
Objectives
After completing this lab, you will be able to:
• Manipulate paths.
• Create loopback interfaces.
• Enable passive interfaces.
• Change the network type to point-to-point.
• Inject a default prefix through OSPF.

Task 9.2-1: Cost-based path manipulation (traffic engineering)


Objectives
In this activity, you will analyze the OSPF link costs and routing table and validate the traffic paths to
and from the servers.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Display the OSPF interfaces. Focus on interfaces' costs.
Core-1(config)# show ip ospf interface brief
OSPF Process ID 1 VRF default
==============================

Total Number of Interfaces: 5

Flags: P - Passive A - Active

Interface Area IP Address/Mask Cost State Status Flags
---------------------------------------------------------------------------------
1/1/8 0.0.0.0 10.1.250.9/30 100 DR Up A
loopback0 0.0.0.0 10.1.1.1/32 0 Loopback Up A
vlan10 0.0.0.0 10.1.10.1/30 100 DR Up A
vlan11 0.0.0.0 10.1.11.1/24 100 DR Up A
vlan12 0.0.0.0 10.1.12.1/24 100 DR Up A

5. Write down the costs for these four interfaces in Figure 9.2-1.

Figure 9.2-1: OSPF interface cost


6. Navigate to Core-2.
7. Display the OSPF interfaces.
Core-2(config)# show ip ospf interface brief
OSPF Process ID 1 VRF default
==============================

Total Number of Interfaces: 5

Flags: P - Passive A - Active

Interface Area IP Address/Mask Cost State Status Flags
---------------------------------------------------------------------------------
1/1/8 0.0.0.0 10.1.250.13/30 100 BDR Up A
loopback0 0.0.0.0 10.1.1.2/32 0 Loopback Up A
vlan10 0.0.0.0 10.1.10.2/30 100 BDR Up A
vlan11 0.0.0.0 10.1.11.2/24 100 BDR Up A
vlan12 0.0.0.0 10.1.12.2/24 100 BDR Up A

8. Confirm Core-1 and Core-2 use the same link costs they have in common (VLAN 10, 11, and 12).
Then write down in Figure 9.2-1 the link cost to Server Switch (10.2.250.13/30).

The only missing link cost is the Server segment. However, you were told that cost is
25.
This information can be used to predict traffic paths. For Core-2, there are two
options for reaching the servers: the path via Core-1 with a total cost of 225
(100+100+25) or the path through Server Switch with a total cost of 125 (100+25).
When running OSPF, if there are two paths of the same type (intra-area OSPF in this
case), the one with the lowest cost is preferred and published in both the OSPF
routing table and also in the VRF (or global) routing table. Therefore, Core-2 uses the
server switch interface 1/1/2 (10.1.250.114) as its next hop.
Core-2(config)# show ip route ospf

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix Nexthop Interface VRF(egress) Origin/Type Distance/Metric Age
-----------------------------------------------------------------------------------------------
10.1.1.1/32 10.1.10.1 vlan10 - O [110/100] 02h:47m:22s
10.1.12.1 vlan12 - [110/100] 02h:47m:22s
10.1.11.1 vlan11 - [110/100] 02h:47m:22s
10.1.1.3/32 10.1.250.14 1/1/8 - O [110/100] 00h:14m:09s
10.1.250.8/30 10.1.10.1 vlan10 - O [110/200] 00h:14m:09s
10.1.12.1 vlan12 - [110/200] 00h:14m:09s
10.1.250.14 1/1/8 - [110/200] 00h:14m:09s
10.1.11.1 vlan11 - [110/200] 00h:14m:09s
10.254.1.0/24 10.1.250.14 1/1/8 - O [110/125] 00h:14m:09s

Total Route Count : 4

Likewise, Core-1 will use the path with the lowest cost. This is through interface
1/1/8.

Server Switch, on the other hand, has two options for reaching VLANs 11 and 12. It
can use Core-1 or Core-2. Each has a total cost of 200. You can inspect the routing
table to validate this.

9. Using the Remote Lab dashboard, connect to PC1.


10. Using the icon on the desktop, open PuTTY.
11. Load the Server Switch session and click Open.
12. Log in with the username admin and password Aruba123!.
13. Display the routing table.
ServerSwitch# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix Nexthop Interface VRF(egress) Origin/Type Distance/Metric Age
-----------------------------------------------------------------------------------------------
10.1.1.1/32 10.1.250.9 1/1/1 - O [110/100] 03h:57m:14s
10.1.1.2/32 10.1.250.13 1/1/2 - O [110/100] 00h:32m:25s
10.1.1.3/32 - loopback0 - L [0/0] -
10.1.10.0/30 10.1.250.9 1/1/1 - O [110/200] 00h:32m:25s
10.1.250.13 1/1/2 - [110/200] 00h:32m:25s
10.1.11.0/24 10.1.250.9 1/1/1 - O [110/200] 00h:32m:25s
10.1.250.13 1/1/2 - [110/200] 00h:32m:25s
10.1.12.0/24 10.1.250.9 1/1/1 - O [110/200] 00h:32m:25s
10.1.250.13 1/1/2 - [110/200] 00h:32m:25s
10.1.250.8/30 - 1/1/1 - C [0/0] -
10.1.250.10/32 - 1/1/1 - L [0/0] -
10.1.250.12/30 - 1/1/2 - C [0/0] -
10.1.250.14/32 - 1/1/2 - L [0/0] -
10.254.1.0/24 - 1/1/3 - C [0/0] -
10.254.1.254/32 - 1/1/3 - L [0/0] -

Total Route Count : 12

How many next hops do the 10.1.11.0/24 and 10.1.12.0/24 networks have?

Answer: Two.
What is the cost in both cases?

Answer: Administrative distance = 110, metric = 200.

Server Switch has two alternatives for sending traffic to the LAN segments and will
perform Equal Cost Multipath (ECMP) to balance the load using a flow-based
algorithm. Unfortunately, you do not have control of those decisions, and it might
lead to asymmetric multi-hop routing, which in turn can generate delay and jitter.
Also, if a firewall appliance is to be deployed between the LAN segments and the
servers, then it is important that connection flows always use the same interface
inbound and outbound, otherwise the firewall could drop valid traffic.

Manipulating route cost


Your customer desires more control over what path the traffic is using. As the administrator, you
can influence routing decisions by manually changing the costs and making some paths more
preferred.
To make traffic use VLAN 11 on Core-1, reduce the cost Core-1 advertises for the VLAN 11 link
in its router LSA. This will make Server Switch calculate a lower overall path cost through Core-1
versus Core-2.
To make traffic use VLAN 12 on Core-2, reduce the cost Core-2 advertises for the VLAN 12 link
in its router LSA. This will make Server Switch calculate a lower overall path cost through Core-2
versus Core-1.
14. Navigate to the Core-2 console.
15. Reduce the OSPF cost on interface VLAN 12 to 50.

Core-2(config)# interface vlan 12
Core-2(config-if-vlan)# ip ospf cost 50
Core-2(config-if-vlan)# exit

16. Use the show ip ospf interface command for validating the change. Notice how the output
says the new value was configured.
Core-2(config)# show ip ospf interface vlan12
Codes: DR - Designated router BDR - Backup Designated router

Interface vlan12 is up, line protocol is up
--------------------------------------------
VRF : default Process : 1
IP Address : 10.1.12.2/24 Area : 0.0.0.0
Status : Up Network Type : Broadcast
Hello Interval : 10 sec Dead Interval : 40 sec
Transit Delay : 1 sec Retransmit Interval : 5 sec
BFD : Disabled Link Speed : 1000 Mbps
Cost Configured : 50 Cost Calculated : 50
State/Type : BDR Router Priority : 1
DR : 10.1.12.1 BDR : 10.1.12.2
Link LSAs : 0 Checksum Sum : 0
Authentication : No Passive : No

17. Navigate to the Core-1 console.


18. Reduce the OSPF cost on interface VLAN 11 to 50.
Core-1(config)# interface vlan 11
Core-1(config-if-vlan)# ip ospf cost 50
Core-1(config-if-vlan)# exit

19. Using PC1, connect to Server Switch using PuTTY.


20. Check the routing table, especially the routes to VLANs 11 and 12 (10.1.11.0/24 and
10.1.12.0/24).
ServerSwitch# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix Nexthop Interface VRF(egress) Origin/Type Distance/Metric Age
-----------------------------------------------------------------------------------------------
10.1.1.1/32 10.1.250.9 1/1/1 - O [110/100] 04h:24m:33s
10.1.1.2/32 10.1.250.13 1/1/2 - O [110/100] 00h:59m:44s
10.1.1.3/32 - loopback0 - L [0/0] -
10.1.10.0/30 10.1.250.9 1/1/1 - O [110/200] 00h:59m:44s
10.1.250.13 1/1/2 - [110/200] 00h:59m:44s
10.1.11.0/24 10.1.250.9 1/1/1 - O [110/150] 00h:01m:59s
10.1.12.0/24 10.1.250.13 1/1/2 - O [110/150] 00h:04m:15s
10.1.250.8/30 - 1/1/1 - C [0/0] -
10.1.250.10/32 - 1/1/1 - L [0/0] -
10.1.250.12/30 - 1/1/2 - C [0/0] -
10.1.250.14/32 - 1/1/2 - L [0/0] -
10.254.1.0/24 - 1/1/3 - C [0/0] -
10.254.1.254/32 - 1/1/3 - L [0/0] -

Total Route Count : 12

How many next hops do the 10.1.11.0/24 and 10.1.12.0/24 networks have?

Answer: One.
What is the total cost to those prefixes?

Answer: Metric = 150.


Testing redundancy
You will now disable the interface between Core-1 and Server Switch to simulate a failure and
observe IP routing convergence.
21. Navigate to the Core-1 console.
22. Disable interface 1/1/8.
Core-1(config)# interface 1/1/8
Core-1(config-if)# shutdown

Since Server Switch is virtual, the physical interface remains up. Server Switch has
not sensed the failure yet. You will have to wait 40 seconds before moving forward,
which is the value of the dead timer.
In production scenarios, you would normally rely on BFD to detect down neighbors
regardless of the state of the physical media. BFD is covered in the Implementing
AOS-CX Switching course.

23. Using PC1, go back to Server Switch.


24. Display the routing table.
ServerSwitch# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix Nexthop Interface VRF(egress) Origin/Type Distance/Metric Age
-----------------------------------------------------------------------------------------------
10.1.1.1/32 10.1.250.13 1/1/2 - O [110/150] 00h:00m:54s
10.1.1.2/32 10.1.250.13 1/1/2 - O [110/100] 01h:04m:19s
10.1.1.3/32 - loopback0 - L [0/0] -
10.1.10.0/30 10.1.250.13 1/1/2 - O [110/200] 00h:00m:54s
10.1.11.0/24 10.1.250.13 1/1/2 - O [110/200] 00h:00m:54s
10.1.12.0/24 10.1.250.13 1/1/2 - O [110/150] 00h:08m:50s
10.1.250.8/30 - 1/1/1 - C [0/0] -
10.1.250.10/32 - 1/1/1 - L [0/0] -
10.1.250.12/30 - 1/1/2 - C [0/0] -
10.1.250.14/32 - 1/1/2 - L [0/0] -
10.254.1.0/24 - 1/1/3 - C [0/0] -
10.254.1.254/32 - 1/1/3 - L [0/0] -

Total Route Count : 12

What is the next hop now?

Answer: Core-2.
What is the total cost to that prefix?

Answer: Metric = 200.


25. Navigate back to the Core-1 console.
26. Enable interface 1/1/8.
Core-1(config-if)# no shutdown
Core-1(config-if)# exit
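To check the cost arithmetic this task walks through (the 125 versus 225 comparison for Core-2, the single next hop after lowering a VLAN cost to 50, and the metric of 200 after 1/1/8 goes down), here is an added Python model of the lab topology; it is not part of the guide or of AOS-CX. It runs SPF from a chosen switch and reports each prefix's metric and ECMP next hops. Interface costs are taken from the outputs above (100 on the cores, 100 on Server Switch's core-facing links, 25 towards the servers); the switch names are labels only.

```python
import heapq
from collections import defaultdict


def build_lab_topology(core1_vlan11=100, core2_vlan12=100, core1_uplink_up=True):
    """Constructed model of the lab: Core-1, Core-2 and Server Switch.

    Adjacencies carry the cost of the interface on the router that originates
    the hop (the value that router places in its router LSA). Stub entries
    attach a prefix to a router at that router's interface cost. The 25 on
    Server Switch's server-facing interface and the 100 on its core-facing
    interfaces are the values the lab's routing tables imply (assumed here).
    """
    adj = [
        ("Core-1", "Core-2", 100, "vlan10"), ("Core-2", "Core-1", 100, "vlan10"),
        ("Core-1", "Core-2", core1_vlan11, "vlan11"), ("Core-2", "Core-1", 100, "vlan11"),
        ("Core-1", "Core-2", 100, "vlan12"), ("Core-2", "Core-1", core2_vlan12, "vlan12"),
        ("Core-2", "ServerSwitch", 100, "1/1/8"), ("ServerSwitch", "Core-2", 100, "1/1/2"),
    ]
    if core1_uplink_up:  # step 22 shuts Core-1 1/1/8 to test convergence
        adj += [("Core-1", "ServerSwitch", 100, "1/1/8"),
                ("ServerSwitch", "Core-1", 100, "1/1/1")]
    stubs = [
        ("Core-1", "10.1.11.0/24", core1_vlan11, "vlan11"),
        ("Core-2", "10.1.11.0/24", 100, "vlan11"),
        ("Core-1", "10.1.12.0/24", 100, "vlan12"),
        ("Core-2", "10.1.12.0/24", core2_vlan12, "vlan12"),
        ("Core-1", "10.1.1.1/32", 0, "loopback0"),
        ("Core-2", "10.1.1.2/32", 0, "loopback0"),
        ("ServerSwitch", "10.1.1.3/32", 0, "loopback0"),
        ("ServerSwitch", "10.254.1.0/24", 25, "1/1/3"),
    ]
    return adj, stubs


def spf(source, adj, stubs):
    """Dijkstra from `source` over the router graph, then attach stub prefixes.

    Returns {prefix: (cost, [(next_hop_router, egress_interface), ...])}.
    Equal-cost paths keep every first hop, which is what the switch installs
    as ECMP next hops.
    """
    neighbors = defaultdict(list)
    for router, nbr, cost, ifname in adj:
        neighbors[router].append((nbr, cost, ifname))
    dist = {source: 0}
    first_hops = {source: set()}
    pq = [(0, source)]
    while pq:
        d, router = heapq.heappop(pq)
        if d > dist[router]:
            continue  # stale queue entry
        for nbr, cost, ifname in neighbors[router]:
            nd = d + cost
            hops = {(nbr, ifname)} if router == source else first_hops[router]
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                first_hops[nbr] = set(hops)
                heapq.heappush(pq, (nd, nbr))
            elif nd == dist[nbr]:
                first_hops[nbr] |= hops  # equal-cost path: add its first hop
    routes = {}
    for router, prefix, cost, ifname in stubs:
        if router not in dist:
            continue  # advertising router unreachable behind a failed link
        total = dist[router] + cost
        hops = {("connected", ifname)} if router == source else first_hops[router]
        best = routes.get(prefix)
        if best is None or total < best[0]:
            routes[prefix] = (total, set(hops))
        elif total == best[0]:
            best[1].update(hops)
    return {p: (c, sorted(h)) for p, (c, h) in routes.items()}


def server_switch_routes(**topology_kwargs):
    """Server Switch's view of the prefixes for a given topology state."""
    adj, stubs = build_lab_topology(**topology_kwargs)
    return spf("ServerSwitch", adj, stubs)


def core2_routes(**topology_kwargs):
    """Core-2's view, e.g. the 125 towards 10.254.1.0/24 discussed above."""
    adj, stubs = build_lab_topology(**topology_kwargs)
    return spf("Core-2", adj, stubs)


if __name__ == "__main__":
    scenarios = {
        "default costs (ECMP on Server Switch)": {},
        "vlan11 on Core-1 and vlan12 on Core-2 at cost 50": dict(core1_vlan11=50, core2_vlan12=50),
        "same, Core-1 1/1/8 shut down": dict(core1_vlan11=50, core2_vlan12=50, core1_uplink_up=False),
    }
    for title, kwargs in scenarios.items():
        print(title)
        for prefix in ("10.1.11.0/24", "10.1.12.0/24", "10.1.1.1/32"):
            cost, hops = server_switch_routes(**kwargs)[prefix]
            print("  %-14s metric %3d via %s" % (prefix, cost, hops))
```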

Task 9.2-2: Passive interfaces


Objectives
When enabling OSPF on a Layer 3 interface, there will be two immediate results. First, the link's
segment gets included in the router LSA. Second, the router will start sending hello packets periodically
based on the hello interval configured for that interface.
However, there are links where sending those messages is not necessary and can even introduce
security risks.
That is the case with the LAN segments where hosts reside. Since OSPF uses link-local scoped multicast
packets for both hellos and link state updates, any host on the VLAN receives those messages when
they are sent. If somebody is running packet analysis software, they could see the contents and
perform a reconnaissance attack, a DoS attack, or a man in the middle attack.

By suppressing hello messages on VLANs 11 and 12, you will improve security as well as control plane
and data plane performance. Data plane performance is improved by preventing the segments from
being considered "transit" networks.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, connect to PC3.
4. Open Wireshark; there should be a shortcut on the desktop.
5. Double-click the Lab NIC entry. That will begin the packet capture on that interface.

6. In the filter type ospf and press Enter. That will instruct Wireshark to only present OSPF packets.
Wait a few seconds, and you will start to see hello packets every 10 seconds.

Although not the main goal of this task, you can use your capture to analyze one of the
hello packets for academic purposes.

7. Stop the capture, select one of the packets, and expand the transport header row (Open Shortest
Path First), then OSPF Hello Packet underneath.

What protocol version is it?

Answer: Two.
What packet type are you watching?

Answer: Hello packet (1).
What is the source address?

Answer: 10.1.1.1.
What is the area ID?

Answer: 0.0.0.0 (Backbone).


What are the authentication type and data?

Answer: Null (0) - No authentication configured.


What is the network mask, and why is it included?

Answer: 255.255.255.0.
What is the dead interval?

Answer: 40 seconds.
What is included in the neighbor list?

Answer: Core-2 (10.1.1.2) as active neighbor.

There are a few attributes within the hello messages that are critical for successfully
establishing neighbor relationships.
• Attributes that must be different: Router ID
• Attributes that must be identical: Version, Area #, Authentication type and
data, Area flags, Subnet mask, Hello and Dead intervals
• Attributes that can be the same or different: Priority, Designated and Backup
Designated routers, and Neighbor List
When a neighbor relationship is not coming up between two OSPF routers that reside
within the same segment, step back and check these values before looking at
anything else.
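To read the same Hello fields outside Wireshark, here is an added Python decoder that is not part of the guide: it parses a raw OSPFv2 Hello (RFC 2328 layout, null authentication) into the fields listed above and reports which of the must-be-identical attributes differ between two senders on one segment. The sample packets are constructed locally to mirror what PC3 sees on VLAN 11 (Core-1 as DR, Core-2 as neighbor); they are not captured data.

```python
import socket
import struct

# OSPFv2 header and Hello body layouts from RFC 2328, Appendix A.
HDR = struct.Struct("!BBHIIHHQ")    # version, type, length, router ID, area ID, checksum, AuType, auth
HELLO = struct.Struct("!IHBBIII")   # mask, hello interval, options, priority, dead interval, DR, BDR
TYPE_NAMES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
# Hello fields that must agree for two routers on one segment to become neighbors.
MUST_MATCH = ("version", "area_id", "auth_type", "network_mask", "hello_interval", "dead_interval")


def ip2str(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def str2ip(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def ospf_checksum(pkt):
    """One's-complement sum over the packet with the 64-bit authentication
    field (bytes 16..23) excluded, as RFC 2328 specifies for AuType 0."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello, dead, priority, dr, bdr, neighbors):
    """Assemble a raw OSPFv2 Hello with null authentication and a valid checksum
    (used here only to construct sample packets for the parser)."""
    body = HELLO.pack(str2ip(mask), hello, 0x02, priority, dead, str2ip(dr), str2ip(bdr))
    body += b"".join(struct.pack("!I", str2ip(n)) for n in neighbors)
    pkt = HDR.pack(2, 1, HDR.size + len(body), str2ip(router_id), str2ip(area_id), 0, 0, 0) + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt):
    """Decode the fields the lab reads off the Wireshark capture. Raises
    ValueError for anything that is not a well-formed OSPFv2 Hello."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, aid, _csum, autype, _auth = HDR.unpack_from(pkt)
    if version != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello (version %d, type %d)" % (version, ptype))
    if length != len(pkt) or length < HDR.size + HELLO.size:
        raise ValueError("length field disagrees with packet size")
    if autype == 0 and ospf_checksum(pkt) != 0:
        raise ValueError("checksum mismatch")
    mask, hello, options, prio, dead, dr, bdr = HELLO.unpack_from(pkt, HDR.size)
    nbrs = pkt[HDR.size + HELLO.size:]
    if len(nbrs) % 4:
        raise ValueError("neighbor list is not a multiple of 4 bytes")
    return {
        "version": version, "packet_type": TYPE_NAMES[ptype],
        "router_id": ip2str(rid), "area_id": ip2str(aid), "auth_type": autype,
        "network_mask": ip2str(mask), "hello_interval": hello, "options": options,
        "priority": prio, "dead_interval": dead, "dr": ip2str(dr), "bdr": ip2str(bdr),
        "neighbors": [ip2str(n) for (n,) in struct.iter_unpack("!I", nbrs)],
    }


def adjacency_blockers(local, remote):
    """Names of Hello fields that would stop the two senders from forming a
    neighbor relationship: any MUST_MATCH field that differs, or a router ID
    that is not unique."""
    problems = [f for f in MUST_MATCH if local[f] != remote[f]]
    if local["router_id"] == remote["router_id"]:
        problems.append("router_id")
    return problems


# Constructed samples: Core-1 (DR on VLAN 11) listing Core-2 as a neighbor,
# Core-2's matching Hello, and a hypothetical router with a 30-second dead interval.
CORE1_HELLO = build_hello("10.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40, 1,
                          "10.1.11.1", "10.1.11.2", ["10.1.1.2"])
CORE2_HELLO = build_hello("10.1.1.2", "0.0.0.0", "255.255.255.0", 10, 40, 1,
                          "10.1.11.1", "10.1.11.2", ["10.1.1.1"])
MISMATCHED_HELLO = build_hello("10.1.1.9", "0.0.0.0", "255.255.255.0", 10, 30, 1,
                               "0.0.0.0", "0.0.0.0", [])

if __name__ == "__main__":
    hello = parse_hello(CORE1_HELLO)
    for key, value in hello.items():
        print("%-15s %s" % (key, value))
    print("blockers vs Core-2:", adjacency_blockers(hello, parse_hello(CORE2_HELLO)))
    print("blockers vs mismatch:", adjacency_blockers(hello, parse_hello(MISMATCHED_HELLO)))
```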

8. Navigate back to the Core-1 console.


9. Verify the link state database.

Core-1(config)# show ip ospf lsdb
OSPF Router with ID (10.1.1.1) (Process ID 1 VRF default)
==========================================================

Router Link State Advertisements (Area 0.0.0.0)
------------------------------------------------

LSID ADV Router Age Seq# Checksum Link Count
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.1 606 0x80000043 0x0000f8ab 5
10.1.1.2 10.1.1.2 1453 0x80000040 0x0000f2a6 5
10.1.1.3 10.1.1.3 612 0x8000003a 0x00008703 4

Network Link State Advertisements (Area 0.0.0.0)
-------------------------------------------------

LSID ADV Router Age Seq# Checksum
--------------------------------------------------------------
10.1.10.1 10.1.1.1 527 0x80000034 0x00009358
10.1.11.1 10.1.1.1 1317 0x80000009 0x0000f022
10.1.12.1 10.1.1.1 1378 0x80000008 0x0000e72b
10.1.250.10 10.1.1.3 612 0x80000001 0x00004bd6
10.1.250.14 10.1.1.3 1189 0x80000003 0x000029f1

How many router LSAs do you count?

Answer: Three router LSAs.


How many network LSAs do you count?

Answer: Five network LSAs.


10. Enter the show ip ospf neighbors command.
Core-1(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 4

Neighbor ID Priority State Nbr Address Interface
-------------------------------------------------------------------------
10.1.1.3 1 FULL/DR 10.1.250.10 1/1/8
10.1.1.2 1 FULL/BDR 10.1.10.2 vlan10
10.1.1.2 1 FULL/BDR 10.1.11.2 vlan11
10.1.1.2 1 FULL/BDR 10.1.12.2 vlan12

How many neighbors does Core-1 have?

Answer: There are four entries, even though there are just two real neighbors: Core-2 (10.1.1.2)
and Server Switch (10.1.1.3).
11. Set the SVIs of VLANs 11 and 12 as passive interfaces.
Core-1(config)# interface vlan 11-12
Core-1(config-if-vlan-<11-12>)# ip ospf passive
Core-1(config-if-vlan-<11-12>)# exit

12. Display the neighbor list again.


Core-1(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 2

Neighbor ID Priority State Nbr Address Interface
-------------------------------------------------------------------------
10.1.1.3 1 FULL/DR 10.1.250.10 1/1/8
10.1.1.2 1 FULL/BDR 10.1.10.2 vlan10

How many neighbors does Core-1 have now?

Answer: Two.
13. Navigate to the Core-2 console.
14. Set the SVIs of VLANs 11 and 12 as passive interfaces.
Core-2(config)# interface vlan 11-12
Core-2(config-if-vlan-<11-12>)# ip ospf passive
Core-2(config-if-vlan-<11-12>)# exit

15. Move back to PC3.


16. Start a new capture, then wait a minute. You will notice there are no more OSPF packets showing
up.

17. Go back to the Core-1 console.
18. Look at the link state database again.
Core-1(config)# show ip ospf lsdb
OSPF Router with ID (10.1.1.1) (Process ID 1 VRF default)
==========================================================

Router Link State Advertisements (Area 0.0.0.0)
------------------------------------------------

LSID ADV Router Age Seq# Checksum Link Count
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.1 401 0x80000044 0x00006c66 5
10.1.1.2 10.1.1.2 213 0x80000042 0x000024a4 5
10.1.1.3 10.1.1.3 1205 0x8000003a 0x00008703 4

Network Link State Advertisements (Area 0.0.0.0)
-------------------------------------------------

LSID ADV Router Age Seq# Checksum
--------------------------------------------------------------
10.1.10.1 10.1.1.1 1120 0x80000034 0x00009358
10.1.250.10 10.1.1.3 1205 0x80000001 0x00004bd6
10.1.250.14 10.1.1.3 1782 0x80000003 0x000029f1

How many network LSAs can you count?

Answer: Three.
Why do you have that number?

Answer: You have two fewer LSAs than before because as soon as the core switches stop seeing
each other, VLAN 11 and VLAN 12’s segments shift to stub. From OSPF’s topology perspective,
both networks will be seen as individually connected behind both switches.

Task 9.2-3: Define point-to-point networks


Objectives
You learned in the OSPF module that, when enabling OSPF on routers in a multiaccess network such as
Ethernet or multipoint WAN networks (either physical or virtual), there will be a DR and BDR election.
This election is needed in order to reduce the number of adjacencies within a segment where multiple
routers are deployed. However, it is not necessary if there are only two routers.

This process lasts the time defined by the wait interval (usually similar to the dead interval) that covers
the amount of time between the links coming up and the DR being elected. That means that no
adjacency can happen in that link before this process completes, which in turn delays the convergence
in critical situations such as after a power outage.
Multiaccess networks have another characteristic, which is their subnet masks are not announced
within the router LSA, but in the network LSA. Therefore, additional LSAs must be created to properly
share the topology information, which in turn adds overhead to the overall route selection process
when using Dijkstra's algorithm.
If only two routers are present in the segment, DR election is not needed. Nevertheless, it happens
because of the type of network. However, if the administrator knows that no other OSPF devices will be
inserted into that broadcast domain, the network type can be changed to point to point.
In point-to-point networks, as soon as two neighbors discover each other, they begin the LSA exchange
immediately and achieve the full adjacency state faster. This not only improves the convergence time
but also makes the routers include the segment’s subnet mask in their router LSA. This eliminates the
need for a network LSA for that link since there will not be a DR to create it.
In this lab, you will change VLAN 10 and interface 1/1/8 on both cores to point-to-point.

Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Change the interface 1/1/8 network type to point-to-point.

Core-1(config)# interface 1/1/8
Core-1(config-if)# ip ospf network point-to-point
Core-1(config-if)# exit

5. Look at the neighbor relationships and focus on the one with the Server Switch.
Core-1(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 2

Neighbor ID Priority State Nbr Address Interface
-------------------------------------------------------------------------
10.1.1.3 n/a FULL 10.1.250.10 1/1/8
10.1.1.2 1 FULL/BDR 10.1.10.2 vlan10

What is Core-1’s priority on port 1/1/8?

Answer: N/A—No priority assigned.


What is Core-1’s role?

Answer: There is no role. Since the link is point to point, no DR election will happen from Core-
1’s perspective. Since the priority value loses relevance, it is omitted from the hello messages.
6. Change the interface VLAN 10 network type to point-to-point.
Core-1(config)# interface vlan 10
Core-1(config-if-vlan)# ip ospf network point-to-point
Core-1(config-if-vlan)# exit

7. Navigate to the Core-2 console.


8. Change interfaces VLAN 10 and 1/1/8 network types to point-to-point.
Core-2(config)# interface vlan 10
Core-2(config-if-vlan)# ip ospf network point-to-point
Core-2(config-if-vlan)# interface 1/1/8
Core-2(config-if)# ip ospf network point-to-point
Core-2(config-if)# exit

9. Look at the neighbor relationships.


Core-2(config)# show ip ospf neighbors
VRF : default Process : 1
===================================================

Total Number of Neighbors : 2

Neighbor ID Priority State Nbr Address Interface
-------------------------------------------------------------------------
10.1.1.3 n/a FULL 10.1.250.14 1/1/8
10.1.1.1 n/a FULL 10.1.10.1 vlan10

10. Navigate to PC1 and using PuTTY connect to Server Switch.


11. Change interfaces 1/1/1 and 1/1/2 network types to point-to-point.
ServerSwitch# configure terminal
ServerSwitch(config)# interface 1/1/1-1/1/2
ServerSwitch(config-if-<1/1/1-1/1/2>)# ip ospf network point-to-point
ServerSwitch(config-if-<1/1/1-1/1/2>)# exit

12. Close the PuTTY session.


13. Navigate back to Core-2.
14. Verify Core-2 LSDB.
Core-2(config)# show ip ospf lsdb
OSPF Router with ID (10.1.1.2) (Process ID 1 VRF default)
==========================================================

Router Link State Advertisements (Area 0.0.0.0)


------------------------------------------------

LSID ADV Router Age Seq# Checksum Link Count


-------------------------------------------------------------------------------
10.1.1.1 10.1.1.1 65 0x8000004c 0x0000438c 7
10.1.1.2 10.1.1.2 66 0x8000004a 0x00008d39 7
10.1.1.3 10.1.1.3 62 0x80000042 0x00006426 6

How many LSAs do you have?

What type are they?

Answer: You have three type 1 (Router) LSAs.


15. Compare the output with what you saw in Task 2, Step 18.
How many LSAs were suppressed and what kind were they?

Answer: You had three type 1 (Router) LSAs and three type 2 (Network) LSAs.
16. Inspect the routing table and focus on OSPF prefixes.
Core-2(config)# show ip route ospf

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local

R - RIP, B - BGP, O - OSPF, D - DHCP

Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2

VRF: default

Prefix Nexthop Interface VRF(egress) Origin/ Distance/ Age


Type Metric
----------------------------------------------------------------------------------------------
10.1.1.1/32 10.1.10.1 vlan10 - O [110/100] 00h:12m:45s
10.1.1.3/32 10.1.250.14 1/1/8 - O [110/100] 00h:08m:28s
10.1.250.8/30 10.1.250.14 1/1/8 - O [110/200] 00h:08m:28s
10.1.10.1 vlan10 - [110/200] 00h:08m:28s
10.254.1.0/24 10.1.250.14 1/1/8 - O [110/125] 00h:08m:28s

Total Route Count : 4
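The following Python model is an added example; it is not part of the lab guide or of AOS-CX. It shows why changing every link to point-to-point removes the Network (type 2) LSAs you counted in this task while the Router (type 1) LSAs stay. The router IDs and the three links are the lab's; the segment labels, the DR election rule (highest priority, then highest router ID) and the "one Network LSA per broadcast segment with a DR and at least one adjacent neighbor" rule are assumptions of the model. A real election is not preemptive, which is why the lab shows Core-1 as DR on VLAN 10 even though Core-2 has the higher router ID.

```python
"""Simplified model of how the OSPF network type changes the area-0 LSDB.

Added example, not from the lab guide. Router IDs and links follow the lab
(Core-1 10.1.1.1, Core-2 10.1.1.2, Server Switch 10.1.1.3); the election and
LSA rules are the textbook ones, not an AOS-CX implementation.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    name: str
    network_type: str          # "broadcast" or "point-to-point"
    routers: dict              # router ID -> OSPF interface priority


def ip_key(rid):
    """Sort key so that '10.1.1.10' compares after '10.1.1.9'."""
    return tuple(int(octet) for octet in rid.split("."))


def elect_dr(seg):
    """Return the DR's router ID, or None when no election takes place."""
    if seg.network_type != "broadcast":
        return None              # point-to-point: no DR/BDR, priority is not even sent
    eligible = [(prio, rid) for rid, prio in seg.routers.items() if prio > 0]
    if not eligible:
        return None              # priority 0 everywhere: nobody may become DR
    return max(eligible, key=lambda e: (e[0], ip_key(e[1])))[1]


def lsdb_summary(router_ids, segments):
    """Count type-1 (Router) and type-2 (Network) LSAs for the area.

    Every router originates one Router LSA. A Network LSA exists only for a
    broadcast segment whose DR has at least one fully adjacent neighbor.
    """
    network_lsas = {}
    for seg in segments:
        dr = elect_dr(seg)
        if dr is not None and len(seg.routers) >= 2:
            network_lsas[seg.name] = dr
    return {"type1": len(set(router_ids)), "type2": len(network_lsas), "dr": network_lsas}


def lab_topology(point_to_point):
    """The three routers and three links of the lab, all broadcast or all p2p."""
    ntype = "point-to-point" if point_to_point else "broadcast"
    routers = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]
    segments = [
        Segment("vlan10", ntype, {"10.1.1.1": 1, "10.1.1.2": 1}),
        Segment("10.1.250.8/30", ntype, {"10.1.1.1": 1, "10.1.1.3": 1}),
        Segment("10.1.250.12/30", ntype, {"10.1.1.2": 1, "10.1.1.3": 1}),
    ]
    return routers, segments


def suppressed_network_lsas():
    """How many type-2 LSAs disappear when every link becomes point-to-point."""
    before = lsdb_summary(*lab_topology(point_to_point=False))
    after = lsdb_summary(*lab_topology(point_to_point=True))
    return before["type2"] - after["type2"]


if __name__ == "__main__":
    for p2p in (False, True):
        label = "point-to-point" if p2p else "broadcast"
        print(label, lsdb_summary(*lab_topology(p2p)))
```

Run it and compare the two summaries with the two show ip ospf lsdb outputs from Task 2 and this task: three Router LSAs in both cases, three Network LSAs before and none after.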

Task 9.2-4: Make router ID routable


Objectives
Because the OSPF router ID is unique within an autonomous system, it is sometimes useful to use it
as a system IP address: you can quickly check the availability of the system by pinging it, and on
devices that do not support a management interface you can point to that IP address whenever
management is required.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Enable OSPF on loopback interface.
Core-1# configure terminal
Core-1(config)# interface loopback 0
Core-1(config-loopback-if)# ip ospf 1 area 0
Core-1(config-loopback-if)# exit

5. Using the Remote Lab dashboard, open a console connection to Core-2.


6. Enable OSPF on loopback interface.
Core-2# configure terminal
Core-2(config)# interface loopback 0
Core-2(config-loopback-if)# ip ospf 1 area 0
Core-2(config-loopback-if)# exit

7. Use the show ip ospf lsdb command for validating the new number of links announced on
Core-2’s LSA.
Core-2# show ip ospf lsdb lsid 10.1.1.2
OSPF Router with ID (10.1.1.2) (Process ID 1 VRF default)

==========================================================

Router Link State Advertisements (Area 0.0.0.0)


------------------------------------------------

LSID ADV Router Age Seq# Checksum Link Count


-------------------------------------------------------------------------------
10.1.1.2 10.1.1.2 716 0x800000d0 0x000080bf 7

Notice that the number of links has increased from six to seven after the interface
loopback was added to the OSPF area.

8. Using the Remote Lab dashboard, connect to PC3.


9. Open the command prompt and try to ping the Core-1 loopback (10.1.1.1) and Server Switch
loopback (10.1.1.3). The ping should work.

Note that OSPF was already activated on the Server Switch loopback by the
NetAmateur consultant.

10. Display the OSPF routing table. You should see Core-1’s Router ID value listed in the output.
Core-2# show ip route ospf

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local


R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1

E2 - OSPF external type 2

VRF: default

Prefix Nexthop Interface VRF(egress) Origin/ Distance/ Age


Type Metric
----------------------------------------------------------------------------------------------
10.1.1.1/32 10.1.10.1 vlan10 - O [110/100] 02d:20h:37m
10.1.1.3/32 10.1.250.14 1/1/8 - O [110/100] 02d:20h:32m
10.1.250.8/30 10.1.250.14 1/1/8 - O [110/200] 02d:20h:32m
10.1.10.1 vlan10 - [110/200] 02d:20h:32m
10.254.1.0/24 10.1.250.14 1/1/8 - O [110/125] 02d:20h:32m

Total Route Count : 4

Task 9.2-5: Default network injection


Objectives
In Lab 8, you configured static floating routes to enable redundancy while running load sharing across
both internet links. You warned your customer that this solution may lead to potential Layer 3 loops if
both ISPs go down.
Now that OSPF is in place, the injection of a default route through the protocol is possible in both core
switches. That will replace the floating one. Since OSPF has a local administrative distance of 110 and
static routing has 1, this newly injected prefix will remain ignored unless the main 0.0.0.0/0 static entry
vanishes after a link failure.
The main advantage of this method versus floating routes is that Core-2 will not send this particular
link state update if the default prefix is not present in the VRF routing table. This means if Core-2 loses
its main internet link and the static route goes down, the OSPF prefix will be withdrawn.
This mechanism makes a Layer 3 loop impossible even if enabled on both core switches.

Default route injection uses external LSAs (LSA type 5). These LSAs are covered in more
detail in the Implementing AOS-CX Switching course.

In this task, you will first remove floating routes and replace them with OSPF default route injection.
Then, you will see what happens.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-2.
Core-2# configure terminal
Core-2(config)# router ospf 1
Core-2(config-ospf-1)# default-information originate
Core-2(config-ospf-1)# exit

The default-information originate command configures OSPF to advertise the
default route (0.0.0.0/0) to its neighbors if it is present in the routing table.

4. Navigate to the Core-1 console.


5. Look for default route configuration lines mapped to your VRF.
Core-1(config)# show running-config | include "ip route"
ip route 0.0.0.0/0 10.1.250.1 bfd
ip route 0.0.0.0/0 10.1.10.2 distance 10

When running show command filtering tools, the matching string is typically a single
word. However, you can match multiple words if you quote them all between " " characters,
as in the example above, where we are looking for lines that contain the "ip route" string.

6. Remove the default floating route.


Core-1(config)# no ip route 0.0.0.0/0 10.1.10.2 distance 10

7. Display the OSPF routing table.


Core-1(config)# show ip ospf routes
Codes: i - Intra-area route, I - Inter-area route
E1 - External type-1, E2 - External type-2

OSPF Process ID 1 VRF default, Routing Table


---------------------------------------------

Total Number of Routes : 10

0.0.0.0/0 (E2)
via 10.1.10.2 interface vlan10, cost 1 distance 110
10.1.1.2/32 (i) area: 0.0.0.0
via 10.1.10.2 interface vlan10, cost 100 distance 110
10.1.1.3/32 (i) area: 0.0.0.0
via 10.1.250.10 interface 1/1/8, cost 100 distance 110
10.1.10.0/30 (i) area: 0.0.0.0
directly attached to interface vlan10, cost 100 distance 110
10.1.11.0/24 (i) area: 0.0.0.0
directly attached to interface vlan11, cost 50 distance 110
10.1.12.0/24 (i) area: 0.0.0.0
directly attached to interface vlan12, cost 100 distance 110
10.1.250.8/30 (i) area: 0.0.0.0
directly attached to interface 1/1/8, cost 100 distance 110
10.1.250.12/30 (i) area: 0.0.0.0
via 10.1.10.2 interface vlan10, cost 200 distance 110
10.1.250.12/30 (i) area: 0.0.0.0

via 10.1.250.10 interface 1/1/8, cost 200 distance 110

10.254.1.0/24 (i) area: 0.0.0.0
via 10.1.250.10 interface 1/1/8, cost 125 distance 110

Is there any default route learned by the protocol?

Answer: Yes.
8. Look for the 0.0.0.0/0 prefix in the routing table.
Core-1(config)# show ip route 0.0.0.0

VRF: default

Prefix : 0.0.0.0/0 VRF(egress) : -


Nexthop : 10.1.250.1 Interface : 1/1/7
Origin : static Type : -
Distance : 1 Metric : 0
Age : 06d:03h:34m Tag : 0
Encap Type : - Encap Details : -

How was the prefix learned?

Answer: It was imported from a static route.


What is the next hop?

Answer: 10.1.250.1 (Router-A).


9. Disable interface 1/1/7.
Core-1(config)# interface 1/1/7
Core-1(config-if)# shutdown

10. Once more, look for the 0.0.0.0/0 prefix in the routing table.
Core-1(config-if)# show ip route 0.0.0.0

VRF: default

Prefix : 0.0.0.0/0 VRF(egress) : -


Nexthop : 10.1.10.2 Interface : vlan10
Origin : ospf Type : ospf_type2_ext
Distance : 110 Metric : 1
Age : 00h:09m:36s Tag : 0
Encap Type : - Encap Details : -

How was the prefix learned?

Answer: OSPF.
What is the next hop?

Answer: 10.1.10.2 (Core-2).

This new route can be used to forward traffic in case ISP1 fails.

Next, you will simulate a failure on the link to ISP2 and see what happens to the injected route.
11. Navigate back to the Core-2 console.
12. Remove the default floating route.
Core-2(config)# no ip route 0.0.0.0/0 10.1.10.1 distance 10

13. Disable port 1/1/7.


Core-2(config)# interface 1/1/7
Core-2(config-if)# shutdown

14. Confirm Core-2 has no default prefixes in the VRF routing table.
Core-2(config-if)# show ip route 0.0.0.0

No ipv4 routes configured

Now validate that default route injection stops taking place because Core-2 does not have a
route injection entry in the VRF table.
15. Navigate back to the Core-1 console.
16. Look for the prefix 0.0.0.0/0 in the routing table.
Core-1(config-if)# show ip route 0.0.0.0

No ipv4 routes configured

Is there any default route in the VRF routing table?

Answer: No.
17. Take a look into the OSPF process’s routing table.
Core-1(config-if)# show ip ospf routes 0.0.0.0/0
Codes: i - Intra-area route, I - Inter-area route
E1 - External type-1, E2 - External type-2

OSPF Process ID 1 VRF default, Routing Table for prefixes 0.0.0.0/0


--------------------------------------------------------------------

Total Number of Routes : 0

Is there a zero prefix?

Answer: No.
Why?

Answer: No next-hop or exit interfaces are up for any default route, so they are not activated.
18. Now restore the ISP1 link, enable route injection on Core-1, and confirm that Core-2 learns the
default route via Core-1.
19. Enable interface 1/1/7.
Core-1(config-if)# no shutdown
Core-1(config-if)# exit

20. Enable the default route injection on Core-1.


Core-1(config)# router ospf 1
Core-1(config-ospf-1)# default-information originate
Core-1(config-ospf-1)# exit

21. Navigate back to the Core-2 console.


22. Look for the 0.0.0.0/0 prefix in the routing table.
Core-2(config-if)# show ip route 0.0.0.0

VRF: default

Prefix : 0.0.0.0/0 VRF(egress) : -


Nexthop : 10.1.10.1 Interface : vlan10
Origin : ospf Type : ospf_type2_ext
Distance : 110 Metric : 1
Age : 00h:02m:44s Tag : 0
Encap Type : - Encap Details : -

Is there any default route in the VRF routing table?

Answer: Yes.
What is the next hop?

Answer: 10.1.10.1 (Core-1).


23. Enable interface 1/1/7.
Core-2(config-if)# no shutdown
Core-2(config-if)# exit
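The following Python model is an added example and is not part of the lab guide; it replays steps 7 to 22 of this task to show why conditional default-route injection cannot form a Layer 3 loop the way two mutual floating static routes could. Each router keeps its static routes and the defaults it hears from OSPF, picks the best 0.0.0.0/0 by administrative distance (static 1, OSPF external 110, as in the lab), and, when origination is enabled, advertises a type-5 default LSA only while a default that did not come from OSPF is installed in its own routing table. Core-1's ISP next hop (10.1.250.1) and the VLAN 10 addresses are from the lab; Core-2's ISP next hop is not shown on the page, so the model uses a labelled placeholder string, and the adjacency and flooding logic is a simplification, not how AOS-CX implements it.

```python
"""Model of conditional default-route origination (default-information originate).

Added example, not from the lab guide. Two routers, Core-1 and Core-2, are
connected over vlan10 and each has one ISP uplink on port 1/1/7, as in the lab.
"""

STATIC_AD = 1          # administrative distance of a static route
OSPF_EXT_AD = 110      # administrative distance of an OSPF external route
ISP2_NEXT_HOP = "<ISP2 next hop, placeholder>"   # Core-2's ISP address is not given in the lab


class Router:
    def __init__(self, name, originate=False):
        self.name = name
        self.originate = originate      # default-information originate configured?
        self.interfaces = {}            # interface name -> True if up
        self.static = []                # (prefix, nexthop, interface, distance)
        self.ospf_defaults = {}         # advertising router -> next hop toward it

    def add_static(self, prefix, nexthop, interface, distance=STATIC_AD):
        self.static.append((prefix, nexthop, interface, distance))

    def rib(self):
        """Best route per prefix; a static route is usable only while its egress interface is up."""
        candidates = {}
        for prefix, nexthop, interface, distance in self.static:
            if self.interfaces.get(interface, False):
                candidates.setdefault(prefix, []).append(("static", nexthop, distance))
        for nexthop in self.ospf_defaults.values():
            candidates.setdefault("0.0.0.0/0", []).append(("ospf", nexthop, OSPF_EXT_AD))
        return {prefix: min(c, key=lambda r: r[2]) for prefix, c in candidates.items()}

    def advertises_default(self):
        """Originate the type-5 default LSA only if a non-OSPF default is installed."""
        if not self.originate:
            return False
        best = self.rib().get("0.0.0.0/0")
        return best is not None and best[0] != "ospf"


def flood(routers, adjacencies):
    """One round of LSA exchange: each router learns which neighbors currently originate a default.

    adjacencies: router name -> list of (neighbor name, neighbor's address on the shared link).
    """
    for router in routers.values():
        router.ospf_defaults = {
            peer: address
            for peer, address in adjacencies[router.name]
            if routers[peer].advertises_default()
        }


def build_lab():
    core1 = Router("Core-1")
    core2 = Router("Core-2", originate=True)                    # step 3 of this task
    core1.interfaces = {"1/1/7": True, "vlan10": True}
    core2.interfaces = {"1/1/7": True, "vlan10": True}
    core1.add_static("0.0.0.0/0", "10.1.250.1", "1/1/7")        # lab: ip route 0.0.0.0/0 10.1.250.1
    core2.add_static("0.0.0.0/0", ISP2_NEXT_HOP, "1/1/7")
    routers = {"Core-1": core1, "Core-2": core2}
    adjacencies = {"Core-1": [("Core-2", "10.1.10.2")], "Core-2": [("Core-1", "10.1.10.1")]}
    return routers, adjacencies


def default_of(router):
    """(origin, nexthop) of the installed default, or None, like `show ip route 0.0.0.0`."""
    best = router.rib().get("0.0.0.0/0")
    return None if best is None else (best[0], best[1])


def run_scenarios():
    """Replay the task's failure sequence and record what each router installs as 0.0.0.0/0."""
    routers, adjacencies = build_lab()
    core1, core2 = routers["Core-1"], routers["Core-2"]
    results = {}

    flood(routers, adjacencies)
    results["both ISPs up"] = default_of(core1)                 # static wins: AD 1 < 110

    core1.interfaces["1/1/7"] = False                           # step 9: ISP1 link down
    flood(routers, adjacencies)
    results["ISP1 down"] = default_of(core1)                    # falls back to OSPF via Core-2

    core2.interfaces["1/1/7"] = False                           # step 13: ISP2 link down too
    flood(routers, adjacencies)
    results["both ISPs down"] = (default_of(core1), default_of(core2))   # nothing installed, no loop

    core1.interfaces["1/1/7"] = True                            # step 19: ISP1 back
    core1.originate = True                                      # step 20: originate on Core-1
    flood(routers, adjacencies)
    results["ISP1 up, ISP2 down"] = default_of(core2)           # Core-2 learns it via Core-1
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:22} -> {outcome}")
```

The key line is advertises_default(): because an OSPF-learned default never qualifies as a reason to originate one, a router whose own uplink is gone stops advertising, and the neighbor's table empties instead of pointing back across VLAN 10.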

Task 9.2-6: Save your configurations
Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab checkpoints might be used by later activities.
Steps
1. Save the current access and core switches’ configuration in the startup checkpoint.
Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches’ configuration as a custom checkpoint called Lab9-2-final.
Core-1
Core-1(config)# copy running-config checkpoint Lab9-2-final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab9-2-final
Copying configuration: [Success]

You have completed Lab 9.2!

Lab 10: Quality of Service


As BigStartup's business grows, so do the network and the number of applications. You have been
asked to ensure the network is ready to prioritize traffic for sensitive applications such as voice and
videoconferencing that will be implemented in the near future.
Objectives
After completing this lab, you will be able to:
- Explore AOS-CX Quality of Service (QoS) options.
- Observe QoS marking.
Lab topology
The following lab topology will be used for your practical activities:

Task 10-1: Default QoS switch configuration


Objectives
In this task, you will explore the default QoS configuration on AOS-CX switches.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Verify the default QoS Class of Service (CoS) map.

Core-1(config)# show qos cos-map
code_point local_priority color name
---------- -------------- ------- ----
0 1 green Best_Effort
1 0 green Background
2 2 green Excellent_Effort
3 3 green Critical_Applications
4 4 green Video
5 5 green Voice
6 6 green Internetwork_Control
7 7 green Network_Control

This table is used by the switch to map the received traffic with different priorities to
the switch local priority (LP). Notice that 802.1P (or CoS) has eight different priorities
and is part of the 802.1Q (VLAN tag) header. This means that CoS traffic marking is only
possible on tagged (trunk) links.
Notice as well that, by default, CoS values 2 to 7 match a local priority with the same
number. CoS priority 0, which is used as the default traffic priority, is mapped to local
priority 1, and CoS 1 is mapped to local priority 0. This allows network administrators
to classify some traffic as less critical (less priority) than the default network traffic.

5. Verify the default QoS DSCP map.


Core-1(config)# show qos dscp-map
DSCP code_point local_priority color name
-------- ---------- -------------- ------- ----
000000 0 1 green CS0
000001 1 1 green
000010 2 1 green
000011 3 1 green
000100 4 1 green
000101 5 1 green
000110 6 1 green

<<Omitted output>>

111000 56 7 green CS7


111001 57 7 green
111010 58 7 green
111011 59 7 green
111100 60 7 green
111101 61 7 green
111110 62 7 green
111111 63 7 green

Note that DSCP has 64 different priorities, giving network administrators more flexibility
and granularity when marking and prioritizing different network traffic. Unlike CoS, the
DSCP value resides in the Type of Service (ToS) field in the IP header, meaning that it
does not need the traffic to be tagged, and that marking may be used on routed environments.

6. Verify which queue profile is in use.

Core-1(config)# show qos queue-profile
profile_status profile_name
-------------- ------------
applied factory-default

7. Verify the QoS queue profile factory-default.


Core-1(config)# show qos queue-profile factory-default
queue_num local_priorities name
--------- ---------------- ----
0 0 Scavenger_and_backup_data
1 1
2 2
3 3
4 4
5 5
6 6
7 7

Queue profile configuration is responsible for matching each local priority value to an
output queue, allowing the network administrator one more option to manipulate
traffic priority.
Once traffic is classified by the CoS, DSCP values, or QoS policy, it will receive a local
precedence value mapped to the port queues (output queues).

8. Verify the QoS interface queues.


Core-1(config)# show interface queues
Interface 1/1/1 is up
Admin state is up
Tx Bytes Tx Packets Tx Drops Tx Byte Depth Recent Peak Depth
Q0 0 0 0 0 0
Q1 1393182 18171 0 512 0
Q2 0 0 0 0 0
Q3 0 0 0 0 0
Q4 0 0 0 0 0
Q5 0 0 0 0 0
Q6 325686 3595 0 256 0
Q7 90196952 667909 0 512 512

<<Omitted output>>

As you have learned, each port on an AOS-CX switch has eight queues, numbered
from 0 to 7, where higher-numbered queues should have better priority to be transmitted,
looking to avoid congestion, traffic loss, latency, and jitter.
This output shows the number of bytes transmitted by each queue from each switch
port.

9. Verify the default QoS schedule profile.


Core-1(config)# show qos schedule-profile
profile_status profile_name
-------------- ------------
applied factory-default
complete strict

a. Verify the factory-default schedule profile.


Core-1(config)# show qos schedule-profile factory-default
Queue Maximum Bandwidth Burst
Number Algorithm Weight Bandwidth Units (KB)
------- -------------- ------- ---------- ---------- ----------
0 dwrr 1
1 dwrr 1
2 dwrr 1
3 dwrr 1
4 dwrr 1
5 dwrr 1
6 dwrr 1
7 dwrr 1

Once the traffic is queued, it is time for the switch to use the queue management
algorithm to select in which order packets will be transmitted. As you may see, the
default algorithm for switches is DWRR (deficit-weighted round robin). Remember
that different switch families may support different algorithms. For more
information, check the QoS guide for your specific switch at the HPE Networking
Support Portal (https://networkingsupport.hpe.com/).
Some of the most used/supported algorithms are:
- Strict priority queue (SPQ): Strict priority services all packets waiting in
a queue before servicing the packets in lower priority queues.

- Deficit-weighted round robin (DWRR) allocates available bandwidth
among all non-empty queues according to their weights.

Notice that at the time of this writing, the CX 8325 Series with software
release 10.13.1000 has DWRR selected for all queues.

10. Verify the default QoS trust.

Core-1(config)# show qos trust
qos trust none

What is the default trust mode?

Answer: None.

Traffic priorities for networks can be carried in VLAN tags, using the CoS Priority
Code Point (PCP), or in IP packet headers, using the Differentiated Services Code
Point (DSCP). Whether these priorities affect how traffic is serviced depends on how
QoS trust mode is configured on the switch. QoS trust mode specifies how the switch
assigns local priority values to ingress packets. Trust mode can be set globally for all
interfaces, or individually for each interface. By default, trust mode is set to none,
meaning that any QoS information in the packet (CoS or DSCP) is ignored, and local
priority values are assigned from the CoS map value for code point 0. An exception to
this can be configured, allowing a QoS remark to be applied to DSCP values when
trust mode is none. When trust mode is set to CoS or DSCP, the switch translates the
QoS settings in VLAN tags (for CoS) or the DS field in an IP header (for DSCP) to
local priority values on the switch. Translation is controlled by the CoS map or DSCP
map tables.

11. Change the default QoS trust mode to DSCP.


Core-1(config)# qos trust dscp

12. Verify the global QoS Trust configuration one more time.
Core-1(config)# show qos trust
qos trust dscp

As you have non-tagged and routed links in your topology, the best practice is to set
the trust mode to DSCP, allowing frames to be classified by every switch in the path.

13. Repeat the previous step and set the QoS Trust mode to DSCP on Core-1 and Access-VSF
switches.

Why is it recommended to configure the trust level on every switch in the topology?

Answer: QoS prioritization happens on every hop in the path. Leaving switches with no or bad
QoS configuration may cause frames to not receive the appropriate service (low latency, low jitter,
and no packet loss).

Task 10-2: Explore QoS markings


Objectives
In this task, you will use Wireshark to explore the DSCP mark on IP packets. You will also use Access-1
to generate ICMP (ping) packets to PC3 and mark them with different priorities.
Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Access-1.
4. Log in using the following credentials: Admin/no password.
5. Clear interface 1/1/3 statistics.
Access-VSF# clear interface 1/1/3 statistics

6. Review the current queue statistics on port 1/1/3; this is the port connected to PC3. Most queues
should have statistics that are close to 0.
Access-VSF# show interface 1/1/3 queues
Interface 1/1/3 is up
Admin state is up
Tx Bytes Tx Packets Tx Drops
Q0 0 0 0
Q1 0 0 0
Q2 0 0 0
Q3 0 0 0
Q4 0 0 0
Q5 0 0 0
Q6 0 0 0
Q7 465 3 0

7. Using the Remote Lab dashboard, open a remote connection to PC3.


8. Start the Wireshark app.

9. Double-click Lab NIC to start the packet capture.

10. On the display filter, type icmp and press Enter.

11. Using the remote lab desktop, connect to the Core-1 console.
12. Start a ping to PC3 (10.1.11.103). The ping should be successful.
Core-1(config)# ping 10.1.11.103
PING 10.1.11.103 (10.1.11.103) 100(128) bytes of data.
108 bytes from 10.1.11.103: icmp_seq=1 ttl=128 time=0.723 ms
108 bytes from 10.1.11.103: icmp_seq=2 ttl=128 time=0.724 ms
108 bytes from 10.1.11.103: icmp_seq=3 ttl=128 time=0.655 ms
108 bytes from 10.1.11.103: icmp_seq=4 ttl=128 time=0.741 ms
108 bytes from 10.1.11.103: icmp_seq=5 ttl=128 time=0.732 ms

--- 10.1.11.103 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4099ms
rtt min/avg/max/mdev = 0.655/0.715/0.741/0.030 ms

13. Navigate back to PC3 and stop the Wireshark capture.

14. Click the packet with the source IP of Core-1 (10.1.11.1) and open the Internet Protocol and
Differentiated Services Codepoint sections. Check the DSCP value. Since no configuration was
done, this should be Default (0) at this point.

15. Navigate back to the Access-1 console and verify the interface 1/1/3 counters.
Access-VSF# show interface 1/1/3 queues
Interface 1/1/3 is up
Admin state is up
Tx Bytes Tx Packets Tx Drops
Q0 0 0 0
Q1 954 8 0
Q2 0 0 0
Q3 0 0 0
Q4 0 0 0
Q5 0 0 0
Q6 0 0 0
Q7 5314 34 0

The PC may be generating some other traffic, so the statistics will typically have
some variation.

Notice the increment in Q1 (Queue 1). As you have noticed in step 14, there was no priority
marking on the packets. Why was Queue 1 selected?

As you have learned in the previous lab, the default DSCP to Local Priority map
assigns Priority 1 to Best Effort (DSCP value 0), leaving priority and Queue 0 for
background traffic, which is traffic with less priority than the default network traffic.

16. Navigate back to PC3 and start the Wireshark trace. Click Continue without Saving to start the
trace.

17. Navigate back to Core-1.


18. Send traffic marked with voice DSCP (46).
Core-1(config)# ping 10.1.11.103 tos 184
PING 10.1.11.103 (10.1.11.103) 100(128) bytes of data.
108 bytes from 10.1.11.103: icmp_seq=1 ttl=128 time=0.866 ms
108 bytes from 10.1.11.103: icmp_seq=2 ttl=128 time=0.724 ms
108 bytes from 10.1.11.103: icmp_seq=3 ttl=128 time=0.623 ms
108 bytes from 10.1.11.103: icmp_seq=4 ttl=128 time=0.692 ms
108 bytes from 10.1.11.103: icmp_seq=5 ttl=128 time=0.505 ms

--- 10.1.11.103 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 4130ms
rtt min/avg/max/mdev = 0.505/0.682/0.866/0.118 ms

On an AOS-CX switch, the administrator can enter the TOS value that should be used
for the outgoing ICMP packets.
The binary value for DSCP 46 is 101110.
The IP TOS field has two extra bits at the end, so the complete value is 10111000.
Converted into decimal, this results in value 184.

19. On PC3, verify the received marked traffic. In Wireshark, stop the trace and verify the incoming
DSCP value of the ICMP request (make sure to select a request, not the reply).

20. On Access-1, check interface 1/1/3 queues.


Access-VSF# show interface 1/1/3 queues
Interface 1/1/3 is up
Admin state is up
Tx Bytes Tx Packets Tx Drops
Q0 0 0 0
Q1 130120305 1605125 0
Q2 0 0 0
Q3 0 0 0
Q4 0 0 0
Q5 750 5 0
Q6 0 0 0
Q7 165531140 1058546 0

Which queue was assigned to traffic marked with DSCP 46, also known as Expedited Forwarding
(EF)?

Answer: Queue 5.

Notice that Queue 5 had an increment in its statistics.

Why was Queue 5 selected?

Answer: Due to the QoS DSCP-map.

21. Review the QoS DSCP map.
Access-VSF# show qos dscp-map
DSCP code_point local_priority cos color name
-------- ---------- -------------- --- ------- ----
000000 0 1 green CS0
000001 1 1 green
000010 2 1 green
000011 3 1 green

<<Omitted output>>

101101 45 5 green
101110 46 5 green EF
101111 47 5 green

<<Omitted output>>

22. Verify the QoS queue profile factory-default, which assigns an output queue to each local
priority.
Access-VSF# show qos queue-profile factory-default
queue_num local_priorities name
--------- ---------------- ----
0 0 Scavenger_and_backup_data
1 1
2 2
3 3
4 4
5 5
6 6
7 7
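The following Python module is an added example and is not part of the lab guide or of AOS-CX. It models the chain you just traced on Access-VSF: the ToS byte put on the wire by ping ... tos 184, the DSCP value inside it, the DSCP-to-local-priority lookup (consulted only when trust mode is dscp; with trust none the CoS map entry for code point 0 is used instead, as the trust note in Task 10-1 explains), and the factory-default queue profile that maps the local priority to an output queue. The CoS map and queue profile are the lab's own outputs; the full DSCP map is reconstructed by applying the CoS map to the top three DSCP bits, so rows the lab output omits (for example DSCP 8 to 15 mapping to local priority 0) are an assumption, not page data. The well-known DSCP names (CS0 to CS7, AF11 to AF43, EF) are standard values.

```python
"""How a DSCP mark on an ingress IP packet becomes an output queue.

Added example, not from the lab guide. The DSCP-to-local-priority table is an
assumption derived from the default CoS map shown in Task 10-1; the lab output
only confirms DSCP 0-6 -> 1, 45-47 -> 5 and 56-63 -> 7.
"""

# Default CoS map from `show qos cos-map`: code_point -> local_priority
COS_MAP = {0: 1, 1: 0, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}

# Factory-default queue profile from `show qos queue-profile factory-default`
QUEUE_PROFILE = {lp: lp for lp in range(8)}

# Well-known DSCP names: EF (RFC 3246), class selectors (RFC 2474), AF (RFC 2597)
DSCP_NAMES = {"EF": 46}
DSCP_NAMES.update({f"CS{i}": i * 8 for i in range(8)})
DSCP_NAMES.update({f"AF{c}{d}": c * 8 + d * 2 for c in range(1, 5) for d in range(1, 4)})


def dscp_value(mark):
    """Accept an integer 0-63 or a name such as 'EF', 'CS5' or 'AF41'."""
    if isinstance(mark, str):
        mark = DSCP_NAMES[mark.upper()]
    if not 0 <= mark <= 63:
        raise ValueError("DSCP must be 0-63")
    return mark


def dscp_to_tos(mark, ecn=0):
    """ToS byte = DSCP in the six high bits, ECN in the two low bits (EF -> 184)."""
    return (dscp_value(mark) << 2) | (ecn & 0b11)


def tos_to_dscp(tos):
    """Split a ToS byte back into (dscp, ecn), as Wireshark displays it."""
    return tos >> 2, tos & 0b11


def default_dscp_map(dscp):
    """Assumed default DSCP map: the class-selector bits looked up in the CoS map."""
    return COS_MAP[dscp >> 3]


def classify(tos, trust="dscp"):
    """Return (local_priority, queue) for an ingress IP packet carrying this ToS byte.

    With trust none the mark is ignored and the CoS map entry for code point 0
    is used; with trust dscp the DSCP map decides.
    """
    dscp, _ecn = tos_to_dscp(tos)
    local_priority = default_dscp_map(dscp) if trust == "dscp" else COS_MAP[0]
    return local_priority, QUEUE_PROFILE[local_priority]


if __name__ == "__main__":
    for name in ("CS0", "CS1", "AF41", "EF", "CS7"):
        tos = dscp_to_tos(name)
        print(f"{name:4} dscp={dscp_value(name):2} tos={tos:3} "
              f"trust dscp -> {classify(tos)}  trust none -> {classify(tos, 'none')}")
```

The two results for DSCP 46 (queue 5 with trust dscp, queue 1 with trust none) are exactly what steps 15 and 20 showed before and after the trust mode was changed; run the module to see the same lookup for other marks.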

Task 10-3: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab checkpoints might be used by later activities.

Steps
1. Save the current access and core switches’ configuration in the startup checkpoint.
Core-1
Core-1(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches’ configuration as a custom checkpoint called Lab10-final.
Core-1
Core-1(config)# copy running-config checkpoint Lab10-final
Copying configuration: [Success]

You have completed Lab 10!

Lab 11: Network access security


BigStartup is expanding and has rented additional space to expand its office and create meeting rooms
for clients and suppliers. However, a manager recently noticed that a guest was able to connect their
laptop to the network during a meeting and access local resources and the internet. As a result, a
solution was needed to manage network access. The proposed solution involved implementing HPE Aruba
Networking ClearPass along with 802.1X and MAC authentication, and this proposal has been
approved.
You have partnered with NetAmateur to send a senior network engineer to configure the ClearPass
server, and they provided you with the switch configuration scripts.
Objectives
After completing this lab, you will be able to:
- Implement 802.1X and MAC authentication on AOS-CX switches.
- Test and monitor 802.1X and MAC authentication.
Lab topology
The following lab topology will be used for your practical activities:

Task 11-1: Prepare the environment
Objectives
As you prepare the network to implement 802.1X and MAC authentication, a management subnet is
required, allowing access layer switches to reach the RADIUS server.
In this task, you will create a new VLAN and subnet for network management and authentication.

Steps

1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Core-1.
4. Log in.
5. Create VLAN 254 and assign IP address 10.1.254.1/24 to VLAN 254 SVI.
Core-1 login: admin
Password:
Last login: 2024-05-24 18:49:56 from the console
User "admin" has logged in 13 times in the past 30 days
Core-1# configure terminal
Core-1(config)# vlan 254
Core-1(config-vlan-254)# vsx-sync
Core-1(config-vlan-254)# name MGMT
Core-1(config-vlan-254)# interface vlan 254
Core-1(config-if-vlan)# description MGMT
Core-1(config-if-vlan)# ip address 10.1.254.1/24
Core-1(config-if-vlan)# ip ospf 1 area 0
Core-1(config-if-vlan)# ip ospf passive
Core-1(config-if-vlan)# exit

The vsx-sync command entered in the VLAN context enables the VSX pair of
switches to synchronize this VLAN configuration across both switches. You will learn
more about VSX in the Implementing AOS-CX Switching course.

6. Using the Remote Lab dashboard, connect to Core-2 console.
7. Log in.
8. Verify Core-2's VLANs.
Core-2 login: admin
Password:
Last login: 2024-05-23 17:58:50 from the console
User "admin" has logged in 8 times in the past 30 days
Core-2# show vlan

-----------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
-----------------------------------------------------------------------------
1 DEFAULT_VLAN_1 up ok default 1/1/3-1/1/6,1/1/9-1/1/44,
1/1/48-1/1/56,lag256
10 VLAN10 up ok static lag256
11 Employees up ok static lag1,lag256
12 Managers up ok static lag1,lag256
254 MGMT up ok static lag256

VLAN 254 was not configured on Core-2. Why is it present in the system?

Answer: Due to the vsx-sync command entered on Core-1 (step 5), VLAN 254 was synchronized
between Core-1 and Core-2.
9. Configure VLAN 254's SVI.
Core-2# configure terminal
Core-2(config)# interface vlan 254
Core-2(config-if-vlan)# description MGMT
Core-2(config-if-vlan)# ip address 10.1.254.2/24
Core-2(config-if-vlan)# ip ospf 1 area 0
Core-2(config-if-vlan)# ip ospf passive

10. Test Core-2 to Core-1 communication over VLAN 254. The ping should succeed.
Core-2(config-if-vlan)# ping 10.1.254.1
PING 10.1.254.1 (10.1.254.1) 100(128) bytes of data.
108 bytes from 10.1.254.1: icmp_seq=1 ttl=64 time=13.0 ms
108 bytes from 10.1.254.1: icmp_seq=2 ttl=64 time=0.195 ms
108 bytes from 10.1.254.1: icmp_seq=3 ttl=64 time=0.146 ms
108 bytes from 10.1.254.1: icmp_seq=4 ttl=64 time=0.186 ms
108 bytes from 10.1.254.1: icmp_seq=5 ttl=64 time=0.202 ms

--- 10.1.254.1 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 4103ms
rtt min/avg/max/mdev = 0.146/2.741/12.977/5.117 ms

11. Configure VSX active gateway to provide gateway redundancy for VLAN 254.

Core-2(config-if-vlan)# active-gateway ip mac 02:01:00:00:00:01
Core-2(config-if-vlan)# active-gateway ip 10.1.254.254
Core-2(config-if-vlan)# exit

12. Navigate back to the Core-1 console.


13. Configure VSX active gateway to provide gateway redundancy for VLAN 254.
Core-1(config)# interface vlan 254
Core-1(config-if-vlan)# active-gateway ip mac 02:01:00:00:00:01
Core-1(config-if-vlan)# active-gateway ip 10.1.254.254
Core-1(config-if-vlan)# exit

14. Add VLAN 254 to the allowed VLANs on LAG 1.


Core-1(config)# interface lag 1
Core-1(config-lag-if)# vsx-sync vlans
Core-1(config-lag-if)# vlan trunk allowed 254
Core-1(config-lag-if)# exit

15. Check if Core-2 has synced the allowed VLANs on LAG 1.


Core-1(config)# show running-config interface lag 1 vsx-peer

interface lag 1 multi-chassis
description To-Access-VSF
vsx-sync vlans
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 11-12,254
lacp mode active
lacp rate fast
exit

By appending vsx-peer to a show command, you receive the partner switch's output for
that command.

16. Using the Remote Lab dashboard, connect to the Access-1 console.
17. Log in.
18. Create VLAN 254 and configure SVI.
Access-VSF(config)# vlan 254
Access-VSF(config-vlan-254)# name MGMT
Access-VSF(config-vlan-254)# interface vlan 254
Access-VSF(config-if-vlan)# description MGMT
Access-VSF(config-if-vlan)# ip address 10.1.254.3/24
Access-VSF(config-if-vlan)# exit

19. Allow VLAN 254 on LAG 1.


Access-VSF(config)# interface lag 1
Access-VSF(config-lag-if)# vlan trunk allowed 254

20. Verify LAG 1's configuration.
Access-VSF(config-lag-if)# show running-config current-context
interface lag 1
description To-Core-1
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 11-12,254
lacp mode active
lacp rate fast
Access-VSF(config-lag-if)# exit

21. Test communication to the Core-1 (10.1.254.1), Core-2 (10.1.254.2), and Active gateway
(10.1.254.254) IPs. The ping should succeed.
Access-VSF(config)# ping 10.1.254.1 repetitions 2
PING 10.1.254.1 (10.1.254.1) 100(128) bytes of data.
108 bytes from 10.1.254.1: icmp_seq=1 ttl=64 time=22.7 ms
108 bytes from 10.1.254.1: icmp_seq=2 ttl=64 time=0.183 ms

--- 10.1.254.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.183/11.423/22.663/11.240 ms
Access-VSF(config)# ping 10.1.254.2 repetitions 2
PING 10.1.254.2 (10.1.254.2) 100(128) bytes of data.
108 bytes from 10.1.254.2: icmp_seq=1 ttl=64 time=12.9 ms
108 bytes from 10.1.254.2: icmp_seq=2 ttl=64 time=0.213 ms

--- 10.1.254.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.213/6.568/12.923/6.355 ms
Access-VSF(config)# ping 10.1.254.254 repetitions 2
PING 10.1.254.254 (10.1.254.254) 100(128) bytes of data.
108 bytes from 10.1.254.254: icmp_seq=1 ttl=64 time=19.0 ms
108 bytes from 10.1.254.254: icmp_seq=2 ttl=64 time=0.210 ms

--- 10.1.254.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.210/9.628/19.046/9.418 ms

22. Test connectivity from Access-VSF to the AD server: 10.254.1.21.


Access-VSF(config)# ping 10.254.1.21
ping4: connect: Network is unreachable

23. Verify the Access-VSF routing table.


Access-VSF(config)# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2
Flags: F - FIB-optimized route

VRF: default

Prefix          Nexthop        Interface   VRF(egress)   Origin/   Distance/   Age
                                                         Type      Metric
----------------------------------------------------------------------------------------
10.1.254.0/24   -              vlan254     -             C         [0/0]       -
10.1.254.3/32   -              vlan254     -             L         [0/0]       -

Total Route Count : 2

Notice that you have no external routes configured.

24. Configure a default route pointing to the VLAN 254 active gateway IP.

Access-VSF(config)# ip route 0.0.0.0/0 10.1.254.254

25. Verify the IP routing table one more time.


Access-VSF(config)# show ip route

Displaying ipv4 routes selected for forwarding

Origin Codes: C - connected, S - static, L - local
R - RIP, B - BGP, O - OSPF, D - DHCP
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2
Flags: F - FIB-optimized route

VRF: default

Prefix          Nexthop        Interface   VRF(egress)   Origin/   Distance/   Age
                                                         Type      Metric
-----------------------------------------------------------------------------------------------
0.0.0.0/0       10.1.254.254   vlan254     -             S         [1/0]       00h:00m:04s
10.1.254.0/24   -              vlan254     -             C         [0/0]       -
10.1.254.3/32   -              vlan254     -             L         [0/0]       -

Total Route Count : 3

26. Try to ping the AD server (10.254.1.21). The ping should succeed.
Access-VSF(config)# ping 10.254.1.21
PING 10.254.1.21 (10.254.1.21) 100(128) bytes of data.
108 bytes from 10.254.1.21: icmp_seq=1 ttl=126 time=10.6 ms
108 bytes from 10.254.1.21: icmp_seq=2 ttl=126 time=2.37 ms
108 bytes from 10.254.1.21: icmp_seq=3 ttl=126 time=2.18 ms
108 bytes from 10.254.1.21: icmp_seq=4 ttl=126 time=2.34 ms
108 bytes from 10.254.1.21: icmp_seq=5 ttl=126 time=2.06 ms

--- 10.254.1.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 2.058/3.905/10.577/3.337 ms

Task 11-2: RADIUS server setup


Objectives
In this task, Access-VSF will be configured as a RADIUS client using the ClearPass server (10.254.1.23)
as the AAA RADIUS server.

Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Access-1.
4. Test Access-VSF communication to the ClearPass server (10.254.1.23). The ping should succeed.

Access-VSF(config)# ping 10.254.1.23
PING 10.254.1.23 (10.254.1.23) 100(128) bytes of data.
108 bytes from 10.254.1.23: icmp_seq=1 ttl=62 time=2.32 ms
108 bytes from 10.254.1.23: icmp_seq=2 ttl=62 time=1.55 ms
108 bytes from 10.254.1.23: icmp_seq=3 ttl=62 time=1.78 ms
108 bytes from 10.254.1.23: icmp_seq=4 ttl=62 time=2.10 ms
108 bytes from 10.254.1.23: icmp_seq=5 ttl=62 time=2.07 ms

--- 10.254.1.23 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.549/1.962/2.322/0.269 ms

5. Define a new RADIUS host for the ClearPass server.


Access-VSF(config)#radius-server host 10.254.1.23 key plaintext aruba123

6. Define a new server group, and add the previously defined CPPM host.
Access-VSF(config)# aaa group server radius cppm
Access-VSF(config-sg)# server 10.254.1.23
Access-VSF(config-sg)# exit

7. Enable RADIUS accounting to this server group, enable interim accounting, and set the interim
accounting to five minutes.
Access-VSF(config)# aaa accounting port-access start-stop interim 5 group cppm

Enabling interim accounting will ensure that the switch updates the RADIUS server
about the connected devices every five minutes and ensure that ClearPass has a view
of the currently connected devices in the network.

8. Enable the Change of Authorization (CoA) processing on the switch.


Access-VSF(config)# radius dyn-authorization client 10.254.1.23 secret-key plaintext aruba123 replay-protection disable
Access-VSF(config)# radius dyn-authorization enable

Change of Authorization (CoA) is also known as RFC 3576 support or dynamic
authorization. It allows the RADIUS server (ClearPass) to send a message to the
switch requesting a change of authorization or a reauthentication. It is also used to
update the authorization attributes assigned to the device, such as VLANs or ACLs.

replay-protection disable indicates that the timestamp of the CoA packet will not
be inspected by the switch. In a real deployment, the replay protection should be
enabled. The default allowed time difference between the RADIUS host and the
switch is 300 seconds. Since in the lab, the time of the switch and CPPM may not be
in sync, the replay protection is disabled.
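To make the two checks described in this note concrete, here is an added Python example; it is not AOS-CX code or an HPE Aruba tool. It models what a CoA recipient does with an inbound CoA-Request: first it recomputes the Request Authenticator over the packet with the shared secret (RFC 5176 section 3.1), which is how a wrong key or an altered packet is rejected, and then, when replay protection is on, it compares the Event-Timestamp attribute against the 300-second window. The shared secret aruba123, the ClearPass role and the PC3 client MAC come from this lab; the packet identifier, the attribute set and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 5176 / RFC 2869).
COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_EVENT_TIMESTAMP = 55
REPLAY_WINDOW_SECONDS = 300      # default allowed clock difference named on the page
SHARED_SECRET = b"aruba123"      # lab key from the page


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(identifier, attrs, secret):
    """Build a CoA-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Walk the TLV attribute list; reject truncated or zero-length attributes."""
    attrs, offset = [], 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", body[offset:offset + 2])
        if attr_len < 2 or offset + attr_len > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[offset + 2:offset + attr_len]))
        offset += attr_len
    return attrs


def verify_coa_request(packet, secret, now, replay_protection=True,
                       window=REPLAY_WINDOW_SECONDS):
    """Return (accepted, reason) for an inbound CoA-Request: shared-secret check via the
    Request Authenticator, then the Event-Timestamp window when replay protection is on."""
    if len(packet) < 20:
        return False, "short packet"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False, "bad code or length"
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return False, "authenticator mismatch (wrong shared secret or altered packet)"
    try:
        attrs = dict(parse_attrs(body))
    except ValueError as exc:
        return False, str(exc)
    if not replay_protection:
        return True, "accepted (replay protection disabled, timestamp not inspected)"
    stamp = attrs.get(ATTR_EVENT_TIMESTAMP)
    if stamp is None or len(stamp) != 4:
        return False, "Event-Timestamp missing"
    if abs(now - struct.unpack("!I", stamp)[0]) > window:
        return False, "Event-Timestamp outside the %ds window (possible replay)" % window
    return True, "accepted"


def sample_coa_request(event_time, secret=SHARED_SECRET):
    """Constructed sample: a CoA-Request for the lab's 802.1X user and PC3's MAC."""
    return build_coa_request(7, [
        (ATTR_USER_NAME, b"employee"),
        (ATTR_CALLING_STATION_ID, b"00-50-56-b1-18-2e"),
        (ATTR_EVENT_TIMESTAMP, struct.pack("!I", event_time)),
    ], secret)


if __name__ == "__main__":
    now = 1_700_000_000
    packet = sample_coa_request(now)
    print(verify_coa_request(packet, SHARED_SECRET, now))           # fresh, valid
    print(verify_coa_request(packet, b"wrong-secret", now))         # secret mismatch
    print(verify_coa_request(packet, SHARED_SECRET, now + 900))     # stale copy, rejected
    print(verify_coa_request(packet, SHARED_SECRET, now + 900, replay_protection=False))
```

The last call reproduces the lab setting: with replay protection disabled the same packet is accepted 900 seconds later, which is exactly the exposure the note asks you to close in a production deployment by keeping replay protection enabled and the clocks synchronized.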

Task 11-3: Basic 802.1X authentication with a single user
Objectives
In this task, PC3 (connected to Access-1) will be performing 802.1X authentication.

Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Access-1.
4. Enable 802.1X authentication on the switch and ensure it is using the previously defined RADIUS
server group.
Access-VSF(config)# aaa authentication port-access dot1x authenticator radius server-group cppm
Access-VSF(config)# aaa authentication port-access dot1x authenticator enable

5. Navigate to the interface 1/1/3 context, configure the 802.1X authenticator context, and enable
802.1X on the port.

Access-VSF(config)# interface 1/1/3
Access-VSF(config-if)# aaa authentication port-access dot1x authenticator
Access-VSF(config-if-dot1x-auth)# enable
Access-VSF(config-if-dot1x-auth)# exit
Access-VSF(config-if)# exit

6. Using the Remote Lab dashboard, connect to PC3.


7. Try to ping the AD server (10.254.1.21). The ping should fail.

8. Navigate back to the Access-1 console.


9. Verify the AAA client status with the show aaa authentication port-access dot1x
authenticator interface all client-status command.
Client 00:50:56:b1:18:2e, -, 1/1/3
=========================================

Authentication Details
----------------------
Status : Authenticating
Type : Pass-Through
EAP-Method : -
Auth Failure reason :
Time Since Last State Change : 18s

Authentication Statistics
-------------------------
Authentication : 1
Authentication Timeout : 0
EAP-Start While Authenticating : 0
EAP-Logoff While Authenticating : 0
Successful Authentication : 0
Failed Authentication : 0
Re-Authentication : 0
Successful Re-Authentication : 0
Failed Re-Authentication : 0
EAP-Start When Authenticated : 0
EAP-Logoff When Authenticated : 0

Note that the status is Authenticating, because the switch expects the client to
authenticate. However, as PC3 is not yet configured for 802.1X authentication, it will
never pass that phase, meaning it has no network access.

10. On PC3 (connected to port 1/1/3 of Access-1), make sure that the Windows service Wired
AutoConfig is running, as it is not started by default. Open a command prompt with
administrator rights.

11. If a User Account Control window is displayed, click Yes.

12. Enter the net start dot3svc command.

Now you will configure the Lab NIC for 802.1X authentication.
13. Right-click the network icon (top right corner) and select Open Network & Internet settings.

14. Click Change adapter options.

Note that Lab NIC is showing an "Authentication failed" state.

15. Double-click to open the Lab NIC properties. Click the Authentication tab and ensure that
Enable IEEE 802.1X authentication is selected.

16. Make sure Microsoft: Protected EAP (PEAP) is selected as the authentication method. Then
open Settings for the PEAP method and uncheck Verify the server's identity by validating the
certificate.

17. Click Configure next to the EAP-MSCHAP v2 method. Make sure the option Automatically use
my Windows logon name and password (and domain if any) is unchecked.
18. Click OK to close the window.

19. Click OK to close the Protected EAP Properties.

20. Click Additional Settings, check Specify authentication mode, and select User authentication.

21. Click Save credentials to enter the credentials.


• Username: employee
• Password: aruba123

22. Click OK to save the credentials. Click OK to close the Advanced settings.
23. Uncheck Remember my credentials for this connection each time I'm logged on and
Fallback to unauthorized network access.

24. Click OK to close Lab NIC Properties.


Notice that you no longer have the authentication error status on Lab NIC.

25. Open the command prompt and ping the AD server (10.254.1.21). The ping should succeed.

26. Navigate back to the Access-1 console.
27. On the switch, check the authenticated clients. Take note of the MAC address of the
authenticated client.
Access-VSF(config)# show aaa authentication port-access dot1x authenticator interface all client-status

Client 00:50:56:b1:18:2e, employee, 1/1/3
=========================================

Authentication Details
----------------------
Status : Authenticated
Type : Pass-Through
EAP-Method : PEAP
Auth Failure reason :
Time Since Last State Change : 133s

Authentication Statistics
-------------------------
Authentication : 1
Authentication Timeout : 0
EAP-Start While Authenticating : 0
EAP-Logoff While Authenticating : 0
Successful Authentication : 1
Failed Authentication : 0
Re-Authentication : 0
Successful Re-Authentication : 0
Failed Re-Authentication : 0
EAP-Start When Authenticated : 0
EAP-Logoff When Authenticated : 0
Re-Auths When Authenticated : 0
Cached Re-Authentication : 0

28. Review the MAC address table. The client's MAC address should have been added by
port-access-security.
Access-VSF(config)# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 12

MAC Address VLAN Type Port
--------------------------------------------------------------
00:50:56:b1:18:2e 11 port-access-security 1/1/3
90:20:c2:c0:bc:00 11 dynamic lag1
02:01:00:00:00:01 11 dynamic lag1
44:5b:ed:67:d3:00 11 dynamic lag1
90:20:c2:c0:bc:00 12 dynamic lag1
00:50:56:b1:d6:e3 12 dynamic 2/1/4
00:50:56:b1:88:25 12 dynamic 1/1/1
02:01:00:00:00:01 12 dynamic lag1
44:5b:ed:67:d3:00 12 dynamic lag1
90:20:c2:c0:bc:00 254 dynamic lag1
02:01:00:00:00:01 254 dynamic lag1

OPTIONAL: Check ClearPass logs.


29. Navigate back to PC3.
30. Open Chrome.
31. Navigate to ClearPass (10.254.1.23).

32. If a certificate warning is displayed, click ADVANCED.

33. Then click Proceed to 10.254.1.21.

Note that in a real-world environment, public certificates are recommended. In this
lab, we are using self-signed certificates for simplicity.

34. Click ClearPass Policy Manager.

35. Log in with the following credentials:


• Username: readonly
• Password: aruba123

36. On the left side, select Monitoring, then under Live Monitoring, click Access Tracker.

Note that you have entries for the user employee with login status as ACCEPT.

37. You may close the PC3 browser now.

Task 11-4: MAC-based authentication
Objectives
In this lab activity, you will configure MAC authentication. While MAC authentication is not a secure
authentication method, it is required in most networks, since there are typically devices that cannot
perform 802.1X authentication, such as printers, IP phones, and IoT devices. Enabling MAC
authentication alongside 802.1X allows you to authenticate every connected device through one
method or the other.

Steps
1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Access-1.
4. Configure the switch to use the RADIUS server HPE Aruba Networking ClearPass Policy Manager
Platform for MAC authentication. Enter the aaa authentication port-access mac-auth radius
server-group cppm command.

Access-VSF(config)# aaa authentication port-access mac-auth radius server-group cppm

5. To enable MAC authentication globally on the switch, enter the aaa authentication port-
access mac-auth enable command.
Access-VSF(config)# aaa authentication port-access mac-auth enable

6. Enter the interface 2/1/4 context (connected to PC4). Then enter the MAC-auth context and
enable MAC authentication on the port.
Access-VSF(config)# interface 2/1/4
Access-VSF(config-if)# aaa authentication port-access mac-auth
Access-VSF(config-if-macauth)# enable
Access-VSF(config-if-macauth)# exit
Access-VSF(config-if)# exit

ClearPass has already been provisioned with PC4's MAC address to allow it to
authenticate using MAC authentication.

7. Verify that the MAC address of PC4 is now authenticated. The ClearPass system has been
configured to allow access for PC4's MAC address.
Access-VSF(config)# show aaa authentication port-access mac-auth interface 2/1/4 client-status

Port Access Client Status Details

Client 00:50:56:b1:d6:e3, 005056b1d6e3, 2/1/4
=========================================

Authentication Details
----------------------
Status : Authenticated
Auth-Method : chap
Auth Failure reason :
Time Since Last State Change : 17s

Authentication Statistics
-------------------------
Authentication : 1
Authentication Timeout : 0
Successful Authentication : 1
Failed Authentication : 0
Re-Authentication : 0
Successful Re-Authentication : 0
Failed Re-Authentication : 0
Re-Auths When Authenticated : 0
Cached Re-Authentication : 0

It may take a few moments for PC4 to generate some traffic; repeat the previous
command until the authentication shows up. Optionally, connect to PC4, start a command
prompt, and ping the AD server (10.254.1.21).
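The client-status displays in Task 11-3 (steps 9 and 27) and in the step above differ only in a few field names, and an operator checking a port-access rollout usually wants one answer from them: which clients are not in the Authenticated state, and why. The following Python script is an added example (not an AOS-CX feature or an HPE Aruba tool) that parses that output into records and reports the clients that need attention. The sample text is constructed from the two displays shown on this page, trimmed to the fields the report uses; the field names are those the switch prints.

```python
import re

# Constructed sample: PC3 still authenticating (Task 11-3 step 9) followed by the
# MAC-authenticated PC4 (Task 11-4 step 7), as the switch prints them.
SAMPLE_CLIENT_STATUS = """\
Client 00:50:56:b1:18:2e, -, 1/1/3
=========================================

Authentication Details
----------------------
Status : Authenticating
Type : Pass-Through
EAP-Method : -
Auth Failure reason :
Time Since Last State Change : 18s

Authentication Statistics
-------------------------
Authentication : 1
Successful Authentication : 0
Failed Authentication : 0

Port Access Client Status Details

Client 00:50:56:b1:d6:e3, 005056b1d6e3, 2/1/4
=========================================

Authentication Details
----------------------
Status : Authenticated
Auth-Method : chap
Auth Failure reason :
Time Since Last State Change : 17s

Authentication Statistics
-------------------------
Authentication : 1
Successful Authentication : 1
Failed Authentication : 0
"""

# "Client <mac>, <user>, <port>" opens each record.
CLIENT_HEADER = re.compile(r"^Client ([0-9a-f]{2}(?::[0-9a-f]{2}){5}), ([^,]*), (\S+)$", re.I)


def parse_client_status(text):
    """Turn the client-status display into a list of dicts, one per client.

    Every 'Key : Value' line after a client header is folded into that client's record,
    with the key lower-cased and spaces replaced by underscores."""
    clients, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = CLIENT_HEADER.match(line)
        if header:
            mac, user, port = header.groups()
            current = {"mac": mac.lower(), "user": user.strip(), "port": port}
            clients.append(current)
            continue
        if current is None or ":" not in line:
            continue                      # banners, separators, blank lines
        key, _, value = line.partition(":")
        current[key.strip().lower().replace(" ", "_")] = value.strip()
    return clients


def clients_not_authenticated(text):
    """Clients whose status is anything other than Authenticated, with the fields an
    operator checks first: port, MAC, state, method and the failure reason if any."""
    return [
        {"port": c["port"], "mac": c["mac"], "status": c.get("status", "?"),
         "method": c.get("eap-method") or c.get("auth-method") or "-",
         "reason": c.get("auth_failure_reason", "")}
        for c in parse_client_status(text)
        if c.get("status") != "Authenticated"
    ]


if __name__ == "__main__":
    for c in parse_client_status(SAMPLE_CLIENT_STATUS):
        print(c["port"], c["mac"], c["user"], c.get("status"))
    print("needs attention:", clients_not_authenticated(SAMPLE_CLIENT_STATUS))
```

Paste the switch output in place of the sample, or feed the script the saved output of the show command; the same parser handles the dot1x and mac-auth variants because it keys on the record header rather than on a fixed set of fields.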

8. Confirm that the MAC address on the port is now dynamically learned by reviewing the MAC
address table.
Access-VSF(config)# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 12

MAC Address VLAN Type Port
--------------------------------------------------------------
00:50:56:b1:18:2e 11 port-access-security 1/1/3
90:20:c2:c0:bc:00 11 dynamic lag1
02:01:00:00:00:01 11 dynamic lag1
44:5b:ed:67:d3:00 11 dynamic lag1
00:50:56:b1:d6:e3 12 port-access-security 2/1/4
90:20:c2:c0:bc:00 12 dynamic lag1
00:50:56:b1:88:25 12 dynamic 1/1/1
02:01:00:00:00:01 12 dynamic lag1
44:5b:ed:67:d3:00 12 dynamic lag1
02:01:00:00:00:01 254 dynamic lag1
44:5b:ed:67:d3:00 254 dynamic lag1
90:20:c2:c0:bc:00 254 dynamic lag1

9. Using the Remote Lab dashboard, connect to PC4.


10. Start a ping to the AD server (10.254.1.21). The ping should work.

Task 11-5: Save your configurations


Objectives
You will now proceed to save your configurations and create checkpoints. Note that final lab
checkpoints might be used by later activities.

Steps
1. Save the current access and core switches’ configurations in the startup checkpoint.
Core-1
Core-1(config)# write memory
Copying configuration: [Success]

Core-2
Core-2(config)# write memory
Copying configuration: [Success]

Access-1
Access-VSF(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches’ configuration as a custom checkpoint called Lab11-final.
Core-1
Core-1(config)# copy running-config checkpoint Lab11-final
Copying configuration: [Success]

Core-2
Core-2(config)# copy running-config checkpoint Lab11-final
Copying configuration: [Success]

Access-1
Access-VSF(config)# copy running-config checkpoint Lab11-final
Copying configuration: [Success]

You have completed Lab 11!

Lab 12: Secure management access

After deploying the network switches and instructing the staff member how to gain console access to
the system, you get a few queries from them and their manager. They commented that going to the IDF
every time a change is needed consumes a considerable amount of time. They ask if remote access is
possible since they have it with the core switches. Additionally, they are interested in any graphical
interface alternatives for monitoring system parameters like CPU, memory, ports, and stack status.
After the meeting, the manager commented behind closed doors that they are aware of the technician’s
limited training and want to restrict the technician’s configuration tasks to provisioning the first nine
ports of each stack member into the proper VLAN.
Objectives
After completing this lab, you will be able to:
• Enable remote access management.
• Enable local command authorization.
• Deploy RADIUS-based AAA Role-Based Access Control.
• Explore AOS-CX web-based UI.
Lab topology
The following lab topology will be used for your practical activities:

Task 12-1: Management port
Objectives
The BigStartup management team asked you to present the remote management (CLI and Web
UI) options for AOS-CX switches. In the previous lab, you configured a management VLAN that allows
in-band remote management. You decided to demonstrate the Out-of-Band Management (OOBM)
option using the management port.
You will assign an IP address to the management port in this task. Remember, this port belongs to an
exclusive management-specific VRF. Unlike regular data VRFs, where either static or dynamic routing is
supported, the management one uses a default gateway as if it were a host.

Lab topology

The use of OOBM networks is common in data centers. However, in campus environments,
it is not as common due to the increased cost of having a separate network (including
wiring and switches) just for management. Nonetheless, in certain industries such as oil and
other critical environments, OOBM may still be used for campus deployments.

Steps

1. On your local computer, launch a web browser and enter the Aruba Training Lab web portal at
the URL: https://arubatraininglab.computerdata.com.
2. Log in using the credentials provided to you.
3. Using the Remote Lab dashboard, open a console connection to Access-1.
4. Log in.
5. Access the mgmt interface and assign IP address 10.251.1.3/24.
(C) Copyright 2017-2024 Hewlett Packard Enterprise Development LP

RESTRICTED RIGHTS LEGEND

Confidential computer software. Valid license from Hewlett Packard Enterprise
Development LP required for possession, use, or copying. License found at
https://www.arubanetworks.com/assets/legal/EULA.pdf
Access-VSF login: admin
Password:
Access-VSF# configure terminal
Access-VSF(config)# interface mgmt
Access-VSF(config-if-mgmt)# ip static 10.251.1.3/24

6. Assign 10.251.1.254 and 10.254.1.22 as the gateway and DNS servers, respectively.
Access-VSF(config-if-mgmt)# default-gateway 10.251.1.254
Access-VSF(config-if-mgmt)# nameserver 10.254.1.22
Access-VSF(config-if-mgmt)# exit

7. Display the mgmt VRF.


Access-VSF(config)# show vrf mgmt
VRF Configuration:
------------------
VRF Name : mgmt
use "show interface mgmt" for mgmt interfaces

Notice that no switch interfaces are listed, because the only port allowed in the
mgmt VRF is the management port.

8. Display the mgmt interface.


Access-VSF(config)# show interface mgmt
Address Mode: static
Admin State: up
Link State: up
Mac Address: 10:4f:58:fc:14:41
IPv4 address/subnet-mask: 10.251.1.3/24
Default gateway IPv4: 10.251.1.254
IPv6 address/prefix:
IPv6 link local address/prefix: fe80::6adb:896e:383f:218/64
Default gateway IPv6:
Primary Nameserver: 10.254.1.22
Secondary Nameserver:
Tertiary Nameserver:

9. Ping the default gateway (10.251.1.254). The ping should be successful.


Access-VSF(config)# ping 10.251.1.254 vrf mgmt
PING 10.251.14.254 (10.251.14.254) 100(128) bytes of data.
108 bytes from 10.251.1.254: icmp_seq=1 ttl=64 time=0.051 ms
108 bytes from 10.251.1.254: icmp_seq=2 ttl=64 time=0.046 ms
108 bytes from 10.251.1.254: icmp_seq=3 ttl=64 time=0.050 ms
108 bytes from 10.251.1.254: icmp_seq=4 ttl=64 time=0.049 ms
108 bytes from 10.251.1.254: icmp_seq=5 ttl=64 time=0.049 ms

--- 10.251.1.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4101ms
rtt min/avg/max/mdev = 0.046/0.049/0.051/0.001 ms

10. Display the SSH servers on all VRFs.

Access-VSF(config)# show ssh server all-vrfs | include SSH
SSH server configuration on VRF default :
IP Version : IPv4 and IPv6 SSH Version : 2.0
SSH server configuration on VRF mgmt :
IP Version : IPv4 and IPv6 SSH Version : 2.0

What VRFs have an SSH server?

Answer: The default and mgmt VRFs.


11. Display the HTTPS server configuration.
Access-VSF(config)# show https-server

HTTPS Server Configuration
----------------------------
VRF : default, mgmt
REST Access Mode : read-write
Max sessions per user : 6
Session idle timeout : 20
Session absolute timeout : 480

What VRFs have an HTTPS server?

Answer: The default and mgmt VRFs.

In CX 6000 Series switches, SSH and HTTPS services are running by default in both
the mgmt and default VRFs; however, in the case of CX 8xxx Series, CX 9300 Series,
and CX 10000 Series, these services are only running in the mgmt VRF.
Also, REST Access mode is read-write in the CX 6000 Series platforms, while in the
higher-series platforms, it begins as "read-only."

Task 12-2: Role Based Access Control


Objectives
The next step is to comply with your customer’s desire to use Role Based Access Control (RBAC) to
enable local command authorization. That is achieved by creating user groups and local user accounts
in AOS-CX. In this task, you will define a list of allowed commands. You will leverage the power of
Regular Expressions (REGEX) to reduce the number of lines needed for the task.

Regular expressions are text strings used for describing a search pattern; they are
considered the next step in the evolution of wildcards. Several features and tools in
networking, IT, engineering, science, and so forth use REGEX for matching strings. You might
find it useful to start learning about them.

Steps
1. Using the Remote Lab dashboard, open a console connection to Access-1.
2. Create a user group called "port-prov," then allow the following:
a. Access to the global configuration context.
b. Access to the first nine ports on both VSF members.
c. Change VLAN membership on those ports.
d. Enable ports.
e. Display a list of interfaces, VLANs, and user information.
Access-VSF(config)# user-group port-prov
Access-VSF(config-usr-grp-port-prov)# permit cli command "configure terminal"
Access-VSF(config-usr-grp-port-prov)# permit cli command "interface [1-2]/1/[1-9]$"
Access-VSF(config-usr-grp-port-prov)# permit cli command "vlan acces"
Access-VSF(config-usr-grp-port-prov)# permit cli command "no shutdown"
Access-VSF(config-usr-grp-port-prov)# permit cli command "show interface brief"
Access-VSF(config-usr-grp-port-prov)# permit cli command "show user information"
Access-VSF(config-usr-grp-port-prov)# permit cli command "show vlan"
Access-VSF(config-usr-grp-port-prov)# exit

Command definitions in user groups support REGEX. For example, in the second rule,
[1-2] means that the character can be either 1 or 2. Likewise, [1-9] represents any
digit from 1 to 9, and "$" marks the end of the line, so nothing else can follow. A rule
without a closing "$" matches any command that begins with the pattern.
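To see how the port-prov rules decide on the commands tried later in this task, here is an added Python example; it is not the AOS-CX authorization engine, and its evaluation model is an assumption stated in the code: rules are tried in sequence order, each pattern is anchored at the start of the command and may match a prefix of it, and a command that matches no rule is denied. The rule list is the one created in step 2; the commands fed to it are the ones this task types in steps 13 to 17. The unanchored_rules helper is an audit check added here, not a switch command.

```python
import re

# The port-prov rules from step 2, in sequence order: (sequence, action, pattern).
PORT_PROV_RULES = [
    (10, "permit", r"configure terminal"),
    (20, "permit", r"interface [1-2]/1/[1-9]$"),
    (30, "permit", r"vlan acces"),
    (40, "permit", r"no shutdown"),
    (50, "permit", r"show interface brief"),
    (60, "permit", r"show vlan"),
    (70, "permit", r"show user information"),
]


def command_allowed(command, rules=PORT_PROV_RULES):
    """Return (allowed, matching_sequence).

    Assumed evaluation model (not taken from AOS-CX documentation): rules are tried in
    sequence order, each pattern is anchored at the start of the command and may match
    a prefix of it, and a command that matches no rule is denied."""
    command = " ".join(command.split())          # collapse repeated spaces
    for seq, action, pattern in rules:
        if re.match(pattern, command):
            return action == "permit", seq
    return False, None


def unanchored_rules(rules=PORT_PROV_RULES):
    """Sequence numbers of permit rules with no '$' anchor. Such a rule also permits
    every longer command that starts with its pattern, so it deserves a look in an audit."""
    return [seq for seq, action, pattern in rules
            if action == "permit" and not pattern.endswith("$")]


def evaluate(commands, rules=PORT_PROV_RULES):
    """Map each command to its decision; used to replay the session from this task."""
    return {cmd: command_allowed(cmd, rules) for cmd in commands}


if __name__ == "__main__":
    for cmd, (ok, seq) in evaluate([
        "configure terminal",
        "interface 2/1/4",        # permitted by rule 20
        "vlan access 11",         # permitted by rule 30 ("vlan acces" is a prefix)
        "show vlan 11",           # permitted by rule 60
        "show running-config",    # no rule: denied (step 15)
        "interface lag 1",        # no rule: denied (step 16)
        "interface 1/1/10",       # '$' after [1-9] rejects the trailing 0 (step 16)
    ]).items():
        print(f"{'permit' if ok else 'deny':6}  seq={seq}  {cmd}")
    print("unanchored rules:", unanchored_rules())
```

Run with no arguments to replay the task's session; the "interface 1/1/10" line is the one to study, since it shows that the first nine ports are reachable only because of the "$" anchor. Changing a rule in PORT_PROV_RULES and rerunning is a cheap way to test a pattern before committing it to a user group.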

3. Display the user groups.


Access-VSF(config)# show user-group
GROUP NAME GROUP TYPE INCLUDED GROUP NUMBER OF RULES
-------------- -------------- ------------------ -------------------
administrators built-in n/a n/a
auditors built-in n/a n/a
operators built-in n/a n/a
port-prov configuration -- 7

In addition to "port-prov," what groups are listed?

Answer: The default groups: administrators, auditors, and operators.

The "operator" context enables you to execute commands to view, but not change,
the configuration. This group has privilege level 1.
Users with "auditor" rights have access to show accounting, events, and logging
commands and the ability to use copy show commands to direct output onto a USB or
remote storage. The prompt for this kind of session is auditor>. This group has
privilege level 19.
The administrator group grants "manager" access (full access) to every aspect of the
system. This group has privilege level 15.

4. Display the details of your group. You will notice all the rules you have defined with sequence
numbers in steps of 10.
Access-VSF(config)# show user-group port-prov
User Group Summary
==================
Name : port-prov
Type : configuration
Included Group : --
Number of Rules : 7

User Group Rules


================
SEQUENCE NUM   ACTION     COMMAND                            COMMENT
-------------  ---------  ---------------------------------  ---------------------
10             permit     configure terminal
20             permit     interface [1-2]/1/[1-9]$
30             permit     vlan acces
40             permit     no shutdown
50             permit     show interface brief
60             permit     show vlan
70             permit     show user information

5. Create the cxf-local user account with password aruba123. Map the account to the port-prov
group you just created.
Access-VSF(config)# user cxf-local group port-prov password plaintext aruba123

6. Display the local user list. You will see only two accounts.
Access-VSF(config)# show user-list
USER GROUP
---------------------------------------
admin administrators
cxf-local port-prov

Although the scenario is asking for secure RBAC, the "admin" account should remain
untouched with no password. This eases the assistance and reset procedures that
the lab help desk might need to run.

7. Navigate to the PC1 remote desktop.


8. Open PuTTY.
9. Run an SSH session to the management IP address of Access-VSF (10.251.1.3).

10. If you receive a security alert window, click Accept.

11. Log in with the following credentials:


• Username: cxf-local
• Password: aruba123
login as: cxf-local
Pre-authentication banner message from server:
|
| (C) Copyright 2017-2024 Hewlett Packard Enterprise Development LP

<<Output omitted>>

cxf-local@10.251.1.3's password: aruba123
Access-VSF#

12. Try the show user information command. You will see the user you are using for this session
and the user group it belongs to.
Access-VSF# show user information
Username : cxf-local
Authentication type : local
User group : port-prov
User privilege level : N/A
User login session : ssh

13. Move port 2/1/4 to VLAN 11.


Access-VSF# configure terminal
Access-VSF(config)# interface 2/1/4
Access-VSF(config-if)# vlan access 11
Access-VSF(config-if)# exit

14. Display VLAN 11 and confirm port 2/1/4 is there.


Access-VSF(config)# show vlan 11

-----------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
-----------------------------------------------------------------------
11 Employees up ok static 1/1/3,2/1/4,lag1

15. Try to display the running configuration.


Access-VSF(config)# show running-config
Cannot execute command. Command not allowed.

16. Access LAG 1 interface, then port 1/1/10.

Access-VSF(config)# interface lag 1
Cannot execute command. Command not allowed.
Access-VSF(config)# interface 1/1/10
Cannot execute command. Command not allowed.

17. Move interface 2/1/4 back to VLAN 12.


Access-VSF(config)# interface 2/1/4
Access-VSF(config-if)# vlan access 12
Access-VSF(config-if)# exit
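
Steps 13 to 17 show how command-based authorization behaves for the port-prov session: interface 2/1/4 and vlan access are accepted, while show running-config, interface lag 1 and interface 1/1/10 are refused. The Python model below is an added example (not code from the lab guide or from HPE Aruba) of the first-match, regex-based rule evaluation behind that behaviour. The rule set in it is constructed to reproduce what the steps observed; it is not the user-group the lab configured earlier, and the group name port-prov is reused only as a label.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int        # evaluated in ascending order, lowest first
    action: str     # "permit" or "deny"
    pattern: str    # regular expression matched against the whole command


# Constructed rule set for a hypothetical operator group. It is NOT the
# user-group the lab configured earlier in Task 12-2; it is only one set of
# rules that reproduces what steps 13-17 observed for the port-prov session.
PORT_PROV_RULES = [
    Rule(10, "permit", r"configure terminal"),
    Rule(20, "permit", r"interface 2/1/\d+"),   # member-2 front ports only
    Rule(30, "permit", r"vlan access \d+"),
    Rule(40, "permit", r"show vlan( \d+)?"),
    Rule(50, "permit", r"show user information"),
    Rule(60, "permit", r"exit"),
    Rule(1000, "deny", r".*"),                 # explicit catch-all deny
]

DENIED = "Cannot execute command. Command not allowed."


def authorize(rules, command):
    """Return (allowed, seq) for the first rule that matches the command.

    Matching is first-match by sequence number, and the pattern must cover
    the entire command (re.fullmatch). Prefix matching (re.match) would turn
    a rule written for one command into a rule for every command that starts
    the same way: a permit for "show" alone would then admit
    "show running-config". Falling off the end of the list denies.
    A real switch authorizes the fully expanded command, so abbreviations
    such as "sh run" are expanded before matching; this model expects the
    full form.
    """
    cmd = " ".join(command.split())      # normalise repeated whitespace
    for rule in sorted(rules, key=lambda r: r.seq):
        if re.fullmatch(rule.pattern, cmd):
            return rule.action == "permit", rule.seq
    return False, None


def simulate_session(rules, commands):
    """Replay a CLI session and report each command's outcome the way the
    lab transcript shows it."""
    results = []
    for cmd in commands:
        allowed, seq = authorize(rules, cmd)
        results.append((cmd, "ok" if allowed else DENIED, seq))
    return results


if __name__ == "__main__":
    session = [
        "configure terminal", "interface 2/1/4", "vlan access 11", "exit",
        "show vlan 11", "show running-config", "interface lag 1",
        "interface 1/1/10",
    ]
    for cmd, outcome, seq in simulate_session(PORT_PROV_RULES, session):
        print(f"{cmd:<22} -> {outcome} (rule {seq})")
```

The ordering of the rules matters as much as their patterns: a broad deny placed before a specific permit shadows it, and a broad permit (for example `interface .*`) placed anywhere would have let the session reach LAG 1 and port 1/1/10, which the lab shows must stay out of reach.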

Task 12-3: RADIUS-based management


Objectives
After testing the command-based authorization with your customer and demonstrating the power of
this management control, you explain that local accounts are not always the best option, especially with
fast-growing networks like BigStartup. Operator accounts must be created at every switch, and the
system does not scale well, especially when a password change or account revocation is required. Therefore,
you offer to deploy a ClearPass demo to give them a taste of account centralization and demonstrate
ClearPass's power.
In this task, you will enable RADIUS-based authentication for SSH and HTTPS sessions.
Steps
1. Using the Remote Lab dashboard, open a console connection to Access-1.
2. Verify the current RADIUS server configuration.
Access-VSF(config)# show radius-server
Unreachable servers are preceded by *
******* Global RADIUS Configuration *******

Shared-Secret: None
Timeout: 5
Auth-Type: pap
Retries: 1
Initial TLS Connection Timeout: 30
TLS Timeout: 5
Tracking Time Interval (seconds): 300
Tracking Retries: 1
Tracking User-name: radius-tracking-user
Tracking Password: None
Status-Server Time Interval (seconds): 300
Number of Servers: 1
AAA Server Status Trap: Disabled

---------------------------------------------------------------------------
SERVER NAME | TLS | PORT | VRF

---------------------------------------------------------------------------
10.254.1.23 | | 1812 | default

---------------------------------------------------------------------------

A RADIUS server was previously configured for the 802.1X and MAC authentication
labs.

3. Set the RADIUS group, then the local username database as authentication groups for SSH services.
Access-VSF(config)# aaa authentication login ssh group cppm local
Access-VSF(config)# aaa authentication login https-server group cppm local

It is a best practice to keep the local database as a backup for a remote authentication
group when configuring AAA management access. This prevents locking out the
administrator's account if the AAA server fails or becomes unreachable.

4. Using the Remote Lab dashboard, connect to PC3.


5. Open PuTTY and connect to the Access-1 MGMT VLAN (254) IP address using SSH.

6. Log in using the following credentials:


• Username: cxfadmin
• Password: aruba123

Those credentials were previously created on ClearPass, giving administrative access
to that user.

login as: cxfadmin
Pre-authentication banner message from server:

<< Output omitted >>

End of banner message from server


[email protected]'s password: aruba123
Last login: 2024-06-07 18:31:27 from 10.1.11.103
User "cxfadmin" has logged in 1 time in the past 30 days
Access-VSF#

7. Check the user information.


Access-VSF# show user
user user-group user-list
Access-VSF# show user information
Username : cxfadmin
Authentication type : RADIUS
User group : administrators
User privilege level : 15
User login session : ssh

What is the authentication type?

Answer: RADIUS.
To what user group does the user belong?

Answer: Administrators.
What is the privilege level?

Answer: Level 15
8. On PC3, open a web browser and navigate to ClearPass: https://10.254.1.23/tips.
9. Authenticate using the following credentials:
• Username: readonly
• Password: aruba123

10. Navigate to Monitoring > Access Tracker.

11. Note that cxfadmin entries are listed as accepted. Open the first entry for cxfadmin.
12. Navigate through the Summary, Input, and Output tabs to see more about the ClearPass service
process.
13. You may now close the ClearPass browser window.
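
The method list configured in step 3, "group cppm" followed by "local", and the note about keeping a local backup are easy to misread as "try the local account whenever RADIUS says no". The Python model below is an added example (not code from the lab guide or from HPE Aruba) of the standard AAA method-list semantics, which are assumed here for the switch: the next method is consulted only when the current one is unreachable, and an Access-Reject from a reachable server is final. The RadiusServer and LocalUserDatabase classes are constructed stand-ins for ClearPass and the switch's local accounts; the usernames and passwords are the lab's, the retry count mirrors "Retries: 1" from the show radius-server output in step 2, and the `allow_fail_through` switch models the AOS-CX `aaa authentication allow-fail-through` setting, which the lab leaves at its default.

```python
import hashlib
import hmac
import os
from enum import Enum


class Verdict(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    UNREACHABLE = "no response"      # request timed out


class RadiusServer:
    """Stand-in for a server such as the lab's ClearPass at 10.254.1.23.
    The user table is constructed test data; reachable=False makes every
    request time out."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable
        self.requests = 0

    def authenticate(self, username, password):
        self.requests += 1
        if not self.reachable:
            return Verdict.UNREACHABLE
        if self.users.get(username) == password:
            return Verdict.ACCEPT
        return Verdict.REJECT


class LocalUserDatabase:
    """Local accounts kept as salted PBKDF2 hashes. This is how the example
    stores them, not a statement about the switch's own storage."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, username, password):
        salt = os.urandom(16)
        self._entries[username] = (salt, self._digest(password, salt))

    def authenticate(self, username, password):
        entry = self._entries.get(username)
        if entry is None:
            return Verdict.REJECT
        salt, digest = entry
        if hmac.compare_digest(digest, self._digest(password, salt)):
            return Verdict.ACCEPT
        return Verdict.REJECT


def radius_group(servers, username, password, retries=1):
    """Query the group's servers in order. Each server gets 1 + retries
    attempts ("Retries: 1" in show radius-server); the first server that
    answers decides, and the group counts as unreachable only when none of
    them answers."""
    for server in servers:
        for _ in range(1 + retries):
            verdict = server.authenticate(username, password)
            if verdict is not Verdict.UNREACHABLE:
                return verdict
    return Verdict.UNREACHABLE


def build_methods(cppm_servers, local_db):
    """Ordered method list for: aaa authentication login ssh group cppm local"""
    return [
        ("group cppm", lambda u, p: radius_group(cppm_servers, u, p)),
        ("local", local_db.authenticate),
    ]


def login(methods, username, password, allow_fail_through=False):
    """Return (accepted, name_of_the_method_that_decided).

    The next method is consulted only when the current one is unreachable;
    a reject from a reachable server is final, so the local database guards
    against server outages, not against a server saying no. With
    allow_fail_through=True a reject also falls through to the next method.
    Assumption: standard AAA method-list semantics, not text from the lab.
    """
    for name, backend in methods:
        verdict = backend(username, password)
        if verdict is Verdict.ACCEPT:
            return True, name
        if verdict is Verdict.REJECT and not allow_fail_through:
            return False, name
    return False, None
```

The consequence for the lab topology: while ClearPass is reachable, the cxf-local account from Task 12-2 is no longer a way into SSH, because ClearPass answers with a reject for it and the switch never consults the local database; it becomes usable again only when the RADIUS group times out.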

Task 12-4: Explore the AOS-CX Web UI


Objectives
Your customer’s final request is to use a graphical interface for monitoring the system. You invite the
executives from BigStartup to explore AOS-CX Web User Interface.

Steps
1. Using the Remote Lab dashboard, connect to PC3.
2. On PC3, open a web browser and navigate to the Access-VSF management VLAN IP address
(10.1.254.3).
3. A "Not secure" warning message will be displayed. Click HIDE ADVANCED, then click Proceed to
10.1.254.3 (unsafe).

The warning message is displayed since the factory default certificate is self-signed.
In a production environment, a certificate should be installed on every switch.

4. Click OK at the login banner.

5. Log in with the following credentials:


• Username: admin
• Password: aruba123

You will be taken to the Overview page.

What is the firmware version running in the stack?

Answer: 10.13.1000.
Are there any new logs?

Answer: It depends on your equipment; the example shows no logs.


What is the CPU utilization on each stack member?

Answer: It depends on your switch status; the example shows about 12% CPU utilization on
Access-1 and 5% on Access-2.
6. Scroll down.

What is the memory utilization on each stack member?

Answer: It depends on your equipment; the example shows about 20% memory utilization on
Access-1 and 10% on Access-2.
What are the serial numbers of both units?

What percentage of interfaces are down?

Are there any thermal or fan alarms?

Answer: No thermal or fan alarms are expected.


7. Click the VSF hyperlink. That will take you to the VSF page.

8. Scroll down.

What physical ports are being used for the logical VSF link?

Answer: Interface 1/1/28.


9. Expand Diagnostics, then click Ping.

10. Type 10.1.254.1 as the IPv4 Target and click PING. The ping should be successful.

11. Scroll down to see the results.

12. Navigate to Diagnostics > Show Tech.
13. Click GENERATE. This will create the "Show Tech" support file.

14. Click EXPORT. This will download the file through the browser. The file will show up at the bottom
of the browser.

When opening a Technical Assistance Center (TAC) support case, one of the pieces
of information they will ask for first is this output. It is always a good practice to generate
it and download it in advance.

15. Click the gear icon in the top right corner, then select V10.13 API. This will open another browser
tab and display the AOS-CX REST API documentation.

Switches running the AOS-CX software are fully programmable with a Representational
State Transfer (REST) API, allowing easy integration with other devices
both on premises and in the cloud. This programmability, combined with the
HPE Aruba Networking Network Analytics Engine, accelerates a network administrator's
understanding and response to network issues.
The AOS-CX REST API enables programmatic access to the AOS-CX configuration
and state database at the heart of the switch. By using a structured model, changes
to the content and formatting of the CLI output do not affect the programs you write.
And, because the configuration is stored in a structured database instead of a text
file, rolling back changes is easy. This reduces the risk of downtime and performance
issues.
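
The REST API documentation opened in step 15 describes the same database the Web UI reads. The Python client below is an added example (not code from the lab guide or from HPE Aruba) of the smallest useful session against it: log in, read two attributes of the system table, log out. Its endpoint shapes are assumptions taken from how the public AOS-CX REST clients drive the v10.x API rather than from this page: POST /rest/v10.13/login with username and password as query parameters returning a session cookie, GET /rest/v10.13/system?attributes=... returning the selected columns, and POST /rest/v10.13/logout. The attribute names hostname and software_version are likewise assumed. The `insecure` flag exists only because of the factory self-signed certificate that the "Not secure" warning in Task 12-4 step 3 comes from; the default path verifies the switch certificate against a CA bundle, which is what the note there asks for in production.

```python
import json
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


class AoscxRestClient:
    """Session-cookie client for the AOS-CX REST API (assumed endpoints)."""

    def __init__(self, host, version="v10.13", cafile=None,
                 insecure=False, opener=None):
        self.base = f"https://{host}/rest/{version}"
        if opener is None:
            # Verify the switch certificate against a CA bundle by default.
            # insecure=True disables verification for a factory self-signed
            # certificate, acceptable only in a lab like this one; in
            # production install a CA-signed certificate on the switch or
            # point `cafile` at the issuing CA instead.
            ctx = ssl.create_default_context(cafile=cafile)
            if insecure:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            opener = urllib.request.build_opener(
                urllib.request.HTTPSHandler(context=ctx),
                urllib.request.HTTPCookieProcessor(CookieJar()))
        self.opener = opener

    def _call(self, method, path, params=None):
        url = self.base + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(
            url, method=method, headers={"Accept": "application/json"})
        with self.opener.open(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def login(self, username, password):
        # The cookie jar keeps the session cookie the switch sets here and
        # replays it on every later request. The credentials ride in the
        # query string, so keep such calls off intermediaries whose access
        # logs record full URLs.
        return self._call("POST", "/login",
                          {"username": username, "password": password})

    def system(self, attributes):
        """Read selected attributes of the system table, e.g.
        ["hostname", "software_version"] (attribute names assumed)."""
        return self._call("GET", "/system",
                          {"attributes": ",".join(attributes)})

    def logout(self):
        return self._call("POST", "/logout")


if __name__ == "__main__":
    # Lab usage against Access-VSF's management address, which still
    # presents the self-signed certificate seen in the browser warning.
    client = AoscxRestClient("10.1.254.3", insecure=True)
    client.login("admin", "aruba123")
    try:
        print(client.system(["hostname", "software_version"]))
    finally:
        client.logout()
```

Because every call goes through the one `opener`, a test or a dry run can substitute an object with the same `open(request, timeout=...)` signature and inspect exactly which URLs the client would send before pointing it at a switch.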

Task 12-5: Save your configurations
Objectives
You will now proceed to save your configurations and create checkpoints. Notice that final lab checkpoints
might be used by later activities.
Steps
1. Save the current access switches’ configuration in the startup checkpoint.
Access-1
Access-VSF(config)# write memory
Copying configuration: [Success]

2. Back up the current access switches’ configuration as a custom checkpoint called Lab12-final.
Access-1
Access-VSF(config)# copy running-config checkpoint Lab12-final
Copying configuration: [Success]

You have completed Lab 12!
