HP Aruba 2930F Series Management And Configuration Manual Download Page 637 | Manualshive

Page: 637 / 775

background image

Primary user role:

Configured on switch

Secondary user role:

Configured on controller

• Both primary and secondary role can be either statically configured or downloaded from the ClearPass.

NOTE:

This feature is only available for:

• ClearPass 6.7.0 onward

• Aruba Controller Version 8.3.0 onward

◦ To support Downloadable User Roles on controller, a new VSA (

HP-CPPM-Seconday-Role

)

is introduced in ClearPass 6.7.0, which contains the secondary user role name.

◦ To use the Reserved VLAN mode in 16.08, a minimum version of 8.4 is required on the

Controller.

The Aruba switch downloads user policies from ClearPass using downloadable user roles. This makes the
ClearPass a centralized point to administer user policy to the access switch and minimize user configuration on
the Aruba switch. For downloadable user roles to work appropriately, the signing Certificate Authority (CA) of the
ClearPass HTTPS certificate must be added to the Aruba switch and marked as trusted. With ArubaOS-Switch
16.08, there is an automated way to download the CA certificate of ClearPass. Please refer to the

Access

Security Guide

on using this feature.

ClearPass Sample Configuration

aaa authorization user-role name "<role-name>"
vlan-id <vlan id> tunneled-node-server-redirect VSA

When the primary user role is downloaded onto the switch and the secondary user role is downloaded onto the
controller:

Chapter 18 Dynamic Segmentation

637

«
...
635
636
637
638
639
...
»

Summary of Contents for Aruba 2930F Series

Page 1: ...Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 Part Number 5200 5486a Published January 2019 Edition 2 ...

Page 2: ...ware Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website Acknowledgments Intel Itan...

Page 3: ...r authentication mode and key value CLI 42 Configuring a trusted key 43 Associating a key with an SNTP server CLI 44 Enabling SNTP client authentication 44 Configuring unicast and broadcast mode for authentication 45 Viewing SNTP authentication configuration information CLI 45 Saving configuration files and the include credentials command 46 SNTP unicast time polling with multiple SNTP servers 48 ...

Page 4: ...nfiguring port mode CLI 77 Enabling or disabling flow control CLI 78 Port shutdown with broadcast storm 80 Viewing broadcast storm 80 SNMP MIB 81 Multicast Storm Control 83 Overview 83 fault finder multicast storm 84 fault finder multicast storm action 86 show logging 87 Restrictions 88 Configuring auto MDIX 88 Manual override 89 Configuring auto MDIX CLI 89 Using friendly optional port names 90 C...

Page 5: ...o PoE traffic 107 PoE operation 107 Configuration options 107 PD support 108 Power priority operation 108 When is power allocation prioritized 108 How is power allocation prioritized 109 Configuring PoE operation 109 Disabling or re enabling PoE port operation 109 Enabling support for pre standard devices 109 Configuring the PoE port priority 110 Controlling PoE allocation 110 Manually configuring...

Page 6: ...wing existing port trunk groups WebAgent 142 Trunk group operation using LACP 142 Default port operation 145 LACP notes and restrictions 147 802 1X Port based access control configured on a port 147 Port security configured on a port 147 Changing trunking methods 147 Static LACP trunks 147 Dynamic LACP trunks 147 VLANs and dynamic LACP 148 Blocked ports with older devices 148 Spanning Tree and IGM...

Page 7: ... configuration 175 Enabling or disabling jumbo traffic on a VLAN 176 Configuring a maximum frame size 177 Configuring IP MTU 177 SNMP implementation 177 Displaying the maximum frame size 177 Operating notes for maximum frame size 178 Troubleshooting 178 A VLAN is configured to allow jumbo frames but one or more ports drops all inbound jumbo frames 178 A non jumbo port is generating Excessive under...

Page 8: ...6 Restrictions 216 UDLD configuration commands 216 Show commands 217 RMON generated when user changes UDLD mode 217 LLDP 218 General LLDP operation 218 LLDP MED 218 Packet boundaries in a network topology 219 LLDP operation configuration options 219 Enable or disable LLDP on the switch 219 Enable or disable LLDP MED 219 Change the frequency of LLDP packet transmission to neighbor devices 219 Chang...

Page 9: ...formation 247 Effect of 802 1X Operation 247 Neighbor data can remain in the neighbor database after the neighbor is disconnected 247 Mandatory TLVs 248 LLDP and CDP data management 248 LLDP and CDP neighbor data 248 CDP operation and commands 249 Viewing the current CDP configuration of the switch 249 Viewing the current CDP neighbors table of the switch 250 Enabling and Disabling CDP Operation 2...

Page 10: ...erver 266 Number of ping packets 266 dhcp server ping 266 Save DHCP server automatic bindings 267 dhcp server database 267 DHCP server and SNMP notifications 267 snmp server enable traps 267 Conflict logging on a DHCP server 267 dhcp server conflict logging 268 Enable the DHCP server on a VLAN 268 dhcp server 268 Clear commands 268 clear dhcp server conflicts 268 Reset all DHCP server and BOOTP co...

Page 11: ...vent log 287 DHCPv6 event messages 291 Chapter 10 Zero Touch Provisioning with AirWave and Central 293 ZTP with AirWave 293 DHCP based ZTP with AirWave 293 Configuring DHCP based ZTP with AirWave 294 DHCP server configuration for DHCP based ZTP 295 Limitations 309 Best Practices 309 Configure AirWave details manually 309 amp server 310 debug ztp 312 Stacking support 312 Disabling ZTP 312 Image Upg...

Page 12: ... 344 Troubleshooting TFTP download failures 345 Downloading from a server to flash using TFTP CLI 346 Enabling TFTP CLI 347 Configuring the switch to download software automatically from a TFTP server using auto TFTP CLI 347 Use USB to transfer files to and from the switch 348 Using SCP and SFTP 348 Enabling SCP and SFTP 349 Disabling TFTP and auto TFTP for enhanced security 350 Enabling SSH V2 re...

Page 13: ...tacking switches 367 Standalone switches 368 Crash file options 368 Flight Data Recorder FDR 368 USB 369 usb port 369 show usb port 369 Downloading switch software using USB 370 Prerequisites 370 Copying using USB 370 copy flash usb 370 copy usb command file 371 Chapter 12 Monitoring and Analyzing Switch Operation 373 Overview 373 Switch and network operations 373 Status and counters data 374 show...

Page 14: ...how mac address 399 show mac address MAC ADDRESS detail 399 Finding the port connection for a specific device on a VLAN 400 Determining whether a specific device is connected to the selected port 400 MSTP data 401 show spanning tree 401 IP IGMP status 402 show ip igmp 402 VLAN information 404 show vlan 404 Configuring local mirroring 405 Local mirroring sessions 406 Traffic direction criteria 406 ...

Page 15: ...ewing resource usage for mirroring policies 423 Viewing the mirroring configurations in the running configuration file 424 Compatibility mode 424 Traffic mirroring overview 425 Mirroring overview 425 Mirroring destinations 426 Mirroring sources and sessions 426 Mirroring sessions 426 Mirroring session limits 427 Selecting mirrored traffic 427 Mirrored traffic destinations 427 Local destinations 42...

Page 16: ...cess servers or other devices 460 Duplicate IP addresses 460 Duplicate IP addresses in a DHCP network 460 The switch has been configured for DHCP Bootp operation but has not received a DHCP or Bootp reply 461 802 1Q Prioritization problems 461 Ports configured for non default prioritization level 1 to 7 are not performing the specified action 461 Addressing ACL problems 461 ACLs are properly confi...

Page 17: ...ver s IP address is correctly configured in the switch 468 MSTP and fast uplink problems 468 Broadcast storms appearing in the network 468 STP blocks a link in a VLAN even though there are no redundant links in that VLAN 468 Fast uplink troubleshooting 469 SSH related problems 469 Switch access refused to a client 469 Executing IP SSH does not enable SSH on the switch 469 Switch does not detect a ...

Page 18: ...guration 515 Debug command 517 Debug messages 517 Debug destinations 519 Logging command 520 Configuring a syslog server 521 Adding a description for a Syslog server 523 Adding a priority description 524 Configuring the severity level for Event Log messages sent to a syslog server 524 Configuring the system module used to select the Event Log messages sent to a syslog server 525 Enabling local com...

Page 19: ...ommands 551 Job at delay enable disable 551 Show job 552 Show job Name 552 Chapter 15 Configuration backup and restore without reboot 554 Overview 554 Benefits of configuration restore without reboot 554 Recommended scenarios 554 Use cases 554 Switching to a new configuration 555 Rolling back to a stable configuration using job scheduler 556 Commands used in switch configuration restore without re...

Page 20: ... panel security diagnostic reset serial console 584 Serial console error messages 585 Chapter 17 IP Service Level Agreement 586 Overview 586 How IP SLA works 588 Configuration commands 588 no ip sla ID 588 ip sla ID clear 589 no ip sla ID history size 590 no ip sla ID icmp echo 590 no ip sla ID udp echo 590 no ip sla ID tcp connect 590 no ip sla ID monitor threshold config 591 no ip sla ID monitor...

Page 21: ...ks 621 Licensing Requirements 622 Dependencies 623 Simplifying User Based Tunneling with Reserved VLAN 624 Configuration and show commands 625 Commands to configure a tunneled node server on the switch 625 Show commands 629 Commands to configure VLAN ID in user role 635 Tunneled Node profile on a Mobility Controller and Cluster 636 Using User Roles with User Based Tunneling 636 User Based Tunnelin...

Page 22: ...lldp mad ipv4 661 Show commands 662 show vsf 662 show vsf detail 662 show vsf link 665 show vsf link detail 667 show vsf member 669 show vsf topology 671 show vsf topology detail 672 show vsf topology change history 673 show vsf lldp mad 673 show vsf vlan mad 674 show vsf trunk designated forwarder 675 show cpu 675 show power over ethernet 676 show system information 677 show system information vs...

Page 23: ... Use Case 4 Adding a switch to a stack 711 Use Case 5 Stack split and merge 712 Chapter 21 Simplifying Wireless and IoT Deployments 713 Overview 713 Auto configuring Aruba APs 713 Associating a device with a profile 713 device profile name 713 device profile type 715 device profile type device name 716 show device profile 716 show command device profile status 717 show device profile config 718 sh...

Page 24: ... 736 Configuring an OOBM IPv4 default gateway 736 Configuring an IPv6 default gateway for OOBM devices 737 oobm ipv6 default gateway 737 oobm member ipv6 default gateway 737 IPv6 default router preferences 738 ipv6 nd ra router preference 738 OOBM show commands 739 Showing the global OOBM and OOBM port configuration 739 Showing OOBM IP configuration 739 Showing OOBM ARP information 740 show oobm i...

Page 25: ...PE username configuration 759 Enable disable CWMP 760 Show commands 760 CWMP configuration and status query 760 Event logging 761 System logging 761 Status control commands 762 Configuration backup and restore without reboot 764 Limitations 766 Blocking of configuration from other sessions 766 Smart Rate Technology 767 Show Smart Rate port 767 Rate Limiting GMB features when Fast Connect SmartRate...

Page 26: ... vlan x vlan x indicates the vlan context of config where x represents the VLAN ID For example switch vlan 128 switch eth x eth x indicates the interface context of config where x represents the interface For example switch eth 48 switch Stack Stack indicates that stacking is enabled switch Stack config Stack config indicates the config context while stacking is enabled switch Stack stacking Stack...

Page 27: ...meP time synchronization You can either manually assign the switch to use a TimeP server or use DHCP to assign the TimeP server In either case the switch can get its time synchronization updates from only one designated TimeP server This option enhances security by specifying which time server to use SNTP time synchronization SNTP provides three operating modes Broadcast mode The switch acquires t...

Page 28: ...all timesync configurations on the device timep Updates the system clock using TIMEP sntp Updates the system clock using SNTP timep or sntp Updates the system clock using TIMEP or SNTP default ntp Updates the system clock using NTP Example switch config timesync sntp Update the system clock using SNTP timep Update the system clock using TIMEP timep or sntp Update the system clock using TIMEP or SN...

Page 29: ...d parameter or the CLI timesync command DHCP When TimeP is selected as the time synchronization method the switch attempts to acquire a TimeP server IP address via DHCP If the switch receives a server address it polls the server for updates according to the TimeP poll interval If the switch does not receive a TimeP server IP address it cannot perform time synchronization updates Manual When TimeP ...

Page 30: ...ronization method switch config show timep Timep Configuration Time Sync Mode Sntp TimeP Mode Disabled Manual Server Address 10 10 28 100 Poll Interval min 720 720 Syntax show management Helps you to easily examine and compare the IP addressing on the switch It lists the IP addresses for all time servers configured on the switch plus the IP addresses and default gateway for all VLANs configured on...

Page 31: ...meP mode Syntax no timesync Disables the time protocol Enabling TimeP in manual mode CLI Like DHCP mode configuring TimeP for manual mode enables TimeP However for manual operation you must also specify the IP address of the TimeP server The switch allows only one TimeP server Syntax timesync timep Selects TimeP Syntax ip timep manual ip addr Activates TimeP in manual mode with a specified TimeP s...

Page 32: ...protocol Syntax timesync timep Selects TimeP Syntax ip timep manual ip addr Activates TimeP in manual mode with a specified TimeP server Syntax no ip timep Disables TimeP NOTE To change from one TimeP server to another you must use the no ip timep command to disable TimeP mode the reconfigure TimeP in manual mode with the new server IP address Example To select TimeP and configure it for manual op...

Page 33: ...ation Example To change the poll interval to 60 minutes switch config ip timep interval 60 Disabling time synchronization without changing the TimeP configuration CLI Syntax no timesync Disables time synchronization by changing the Time Sync Mode configuration to Disabled This halts time synchronization without changing your TimeP configuration The recommended method for disabling time synchroniza...

Page 34: ...either SNTP TIMEP NTP or None as the time synchronization method SNTP Mode Disabled The Default SNTP does not operate even if specified by the Menu interface Time Sync Method parameter or the CLI timesync command Unicast Directs the switch to poll a specific server for SNTP time synchronization Requires at least one server address Broadcast Directs the switch to acquire its time synchronization fr...

Page 35: ...onfigure the switch with SNTP as the time synchronization method then enable SNTP in broadcast mode with the default poll interval show sntp lists the following SNTP configuration when SNTP is the selected time synchronization method switch config show sntp SNTP Configuration Time Sync Mode Sntp SNTP Mode Unicast Poll Interval sec 720 719 Priority SNTP Server Address Protocol Version 1 2001 db8 21...

Page 36: ...n10 Priority SNTP Server Address Protocol Version 1 2001 db8 215 60ff fe79 8980 7 2 10 255 5 24 3 3 fe80 123 vlan10 3 Default Gateway 10 0 9 80 VLAN Name MAC Address IP address DEFAULT_VLAN 001279 88a100 Disabled VLAN10 001279 88a100 10 0 10 17 Configuring enabling or disabling the SNTP mode Enabling the SNTP mode means to configure it for either broadcast or unicast mode Remember that to run SNTP...

Page 37: ...these two commands for minimal SNTP broadcast configuration Syntax timesync sntp Selects SNTP as the time synchronization method Syntax sntp broadcast Configures broadcast as the SNTP mode Example Suppose that time synchronization is in the factory default configuration TimeP is the currently selected time synchronization method Complete the following Procedure 1 View the current time synchronizat...

Page 38: ...SNTP for unicast mode enables SNTP However for unicast operation you must also specify the IP address of at least one SNTP server The switch allows up to three unicast servers You can use the Menu interface or the CLI to configure one server or to replace an existing unicast server with another To add a second or third server you must use the CLI For more on SNTP operation with multiple servers se...

Page 39: ...r version default 3 Configuring SNTP for unicast operation switch config show sntp SNTP Configuration Time Sync Mode Sntp SNTP Mode Unicast Poll Interval sec 720 720 Priority SNTP Server Address Protocol Version 1 2001 db8 215 60ff fe79 8980 7 2 10 255 5 24 3 3 fe80 123 vlan10 3 In this Example the Poll Interval and the Protocol Version appear at their default settings Both IPv4 and IPv6 addresses...

Page 40: ... from the poll interval parameter used for Timep operation Example To change the poll interval to 300 seconds switch config sntp 300 Changing the SNTP server priority CLI You can choose the order in which configured servers are polled for getting the time by setting the server priority Syntax sntp server priority 1 3 ip address Specifies the order in which the configured servers are polled for get...

Page 41: ...how sntp SNTP Configuration Time Sync Mode Disabled SNTP Mode Broadcast Poll Interval sec 720 720 Disabling the SNTP Mode If you want to prevent SNTP from being used even if it is selected by timesync configure the SNTP mode as disabled Syntax no sntp Disables SNTP by changing the SNTP mode configuration to Disabled Example If the switch is running SNTP in unicast mode with an SNTP server at 10 28...

Page 42: ...A maximum of 8 sets of key id and key value can be configured on the switch Among the keys that have been configured one key or a set of keys must be configured as trusted Only trusted keys are used for SNTP authentication If the SNTP server requires authentication one of the trusted keys has to be associated with the SNTP server SNTP client authentication must be enabled on the Switch If client a...

Page 43: ...c server is configured on the switch so that the SNTP client communicates with the specified server to get the date and time In broadcast mode the SNTP client switch checks the size of the received packet to determine if it is authenticated If the broadcast packet is authenticated the key id value is checked to see if the same key id value is configured on the SNTP client switch If the switch is c...

Page 44: ...emove the authentication key Default No key is associated with any server by default priority Specifies the order in which the configured servers are polled for getting the time version num Specifies the SNTP software version to use and is assigned on a per server basis The version setting is backwards compatible For example using version 3 means that the switch accepts versions 1 through 3 Defaul...

Page 45: ... must be associated with one of the SNTP servers To edit or remove the associated key id information or SNTP server information SNTP authentication must be disabled Broadcast Directs the switch to acquire its time synchronization from data broadcast by any SNTP server to the network broadcast address The switch uses the first server detected and ignores any others However if the Poll Interval conf...

Page 46: ...ckets 0 SNTP Server Address Auth Failed Pkts 10 10 10 1 0 fe80 200 24ff fec8 4ca8 0 Saving configuration files and the include credentials command You can use the include credentials command to store security information in the running config file This allows you to upload the file to a TFTP server and then later download the file to the switches on which you want to use the same settings For more...

Page 47: ...a TFTP server for later use The SNTP authentication information is not saved and is not present in the retrieved configuration files as shown in the following Example Retrieved configuration file when include credentials is not configured switch config copy tftp startup config 10 2 3 44 config1 Switch reboots Startup configuration timesync sntp sntp broadcast sntp 50 sntp server priority 1 10 10 1...

Page 48: ... in the list without success it sends an error message to the Event Log and reschedules to try the address list again after the configured Poll Interval time has expired If there are already three SNTP server addresses configured on the switch and you want to use the CLI to replace one of the existing addresses with a new one you must delete the unwanted address before you configure the new one Di...

Page 49: ...h re orders the address priority Example To delete the primary address in the above Example and automatically convert the secondary address to primary switch config no sntp server 10 28 227 141 SNTP messages in the Event Log If an SNTP time change of more than three seconds occurs the switch s Event Log records the change SNTP time changes of less than three seconds do not appear in the Event Log ...

Page 50: ... on system time Commands The following commands allow the user to configure NTP or show NTP configurations timesync ntp This command is used to update the system clock using NTP Syntax timesync ntp Description Update the system clock using NTP ntp This command selects the operating mode of the NTP client Syntax ntp broadcast unicast Options broadcast Sets ntp client to operate in broadcast mode un...

Page 51: ...igurations on this device Continue y n ntp enable This command is used to enable or disable NTP on the switch Syntax ntp enable Example switch config ntp enable Enable disable NTP Description Enable or disable NTP Use no to disable NTP Restrictions Validation Error Warning Prompt If timeSync is in SNTP or Timep when NTP is enabled Timesync is not configured to NTP When timesync is NTP and ntp is e...

Page 52: ...94967295 Set the authentication key id Switch config ntp authentication key id 1 authentication mode Set the NTP authentication mode trusted Set this authentication key as trusted Switch config ntp authentication key id 1 authentication mode trusted md5 Authenticate using MD5 Switch config ntp authentication key id 1 authentication mode trusted md5key value Set the NTP authentication key Switch co...

Page 53: ...with the client Up to eight servers can be configured as the maximum Restrictions The range for a maximum number of NTP associations is 1 8 Example Switch config ntp max associations Maximum number of NTP associations Switch config ntp max associations 1 8 Enter the number Restrictions Validation Error Warning Prompt When the number of configured NTP servers is more than the max associations value...

Page 54: ...translate to 2 raised to 5 or 32 min poll min poll val Configures the minimum time intervals in seconds Range is 4 17 burst Enables burst mode iburst Enables initial burst mode version Sets version 1 4 Usage A maximum of 8 NTP servers can be configured Example switch config ntp server Allow the software clock to be synchronized by an NTP time server broadcast Operate in broadcast mode unicast Oper...

Page 55: ...ig ntp server IP ADDR key key id prefer maxpoll number minpoll number iburst Restrictions Validation Error Warning Prompt If authentication key id not configured Authentication key id has not been configured If Key id is not marked as trusted Key id is not trusted When min poll value is more than max poll value NTP max poll value should be more than min poll value ntp server key id Syntax ntp serv...

Page 56: ...n to the NTP multicast packets Restrictions Validation Error Warning Prompt If ipv6 is not enabled on vlan interface IPv6 address not configured on the VLAN debug ntp This command is used to display debug messages for NTP Syntax debug ntp event packet Options event Displays event log messages related to NTP packets Displays NTP packet messages Description Enable debug logging Use no to disable deb...

Page 57: ...ive heartbeat Trap name resulting in send notification periodically as defined by ntpEntHeartbeatInterval to indicate that the NTP entity is still alive all Enable all traps Usage The traps defined below are generated as the result of finding an unusual condition while parsing an NTP packet or a processing a timer event Note that if more than one type of unusual condition is encountered while pars...

Page 58: ...s Switch config show ntp statistics NTP Global statistics information NTP In Packets 100 NTP Out Packets 110 NTP Bad Version Packets 4 NTP Protocol Error Packets 0 switch config show ntp statistics NTP Global statistics information NTP In Packets 100 NTP Out Packets 110 NTP Bad Version Packets 4 NTP Protocol Error Packets 0 show ntp status Syntax Description Show the status of NTP show ntp status ...

Page 59: ... 000 0 000 55 21 56 2 16 u 1024 0 0 000 0 000 0 000 23 56 13 1 3 u 209 1024 377 54 936 6 159 12 688 91 34 255 216 4 u 132 1024 377 1 391 0 978 3 860 Switch config show ntp associations detail IP ADDR NTP association information IP address 172 31 32 2 Peer Mode Server Status Configured Insane Invalid Peer Poll Intvl 64 Stratum 5 Root Delay 137 77 sec Ref Assoc ID 0 Root Dispersion 142 75 Associatio...

Page 60: ...c key and username password should be configured for a successful two factor authentication If public key is configured and username is not configured Username and password should be configured for a successful two factor authentication If the username is configured and public key is not configured Public key should be configured for a successful two factor authentication If ssh server certificate...

Page 61: ...ser tries to SSH into another system using ssh ip hostname command a message displays SSH client is not supported when the two factor authentication is enabled If timeSync is in SNTP or Timep when NTP is enabled Timesync is not configured to NTP If timesync is NTP and NTP is enabled and we try to change timesync to SNTP Disable NTP before changing timesync to SNTP or TIMEP If we try to configure N...

Page 62: ...or authentication for SSH session W 01 01 15 18 24 03 03399 ssh The privilege level for the user with the SSH key conflicts with the user configured RMON_SSH_TWO_FACTOR_AUTH_FAIL W 01 01 15 18 24 03 03398 ssh s Examples W 01 01 15 18 24 03 03398 ssh The two factor authentication for SSH session failed due to the failure in public key authentication W 01 01 15 18 24 03 03398 ssh The two factor auth...

Page 63: ...able disable no ptp enable disable Description Enable updating of IEEE 1588 PTP packets The feature is disabled by default The no form of this command is the same as ptp disable NOTE This feature is available on the 2930M and only in standalone It is disabled for stacks Command context interface Parameters enable When the ptp command is enabled ports that support IEEE 1588 will operate in end to e...

Page 64: ...rt list Description Show IEEE 1588 PTP status Command context Operator Parameters port list Specifies the ports for which to show PTP status Example switch show ptp Status and Counters Precision Time Protocol Port PTP Config PTP Status RX Count TX Count 1 1 Disabled Inactive 0 0 1 2 Disabled Inactive 0 0 1 3 Disabled Inactive 0 0 1 4 Disabled Inactive 0 0 1 5 Disabled Inactive 0 0 1 6 Disabled Ina...

Page 65: ...e usage on a switch configured for ACLs QoS RADIUS based authentication and other features The Rules Used columns show that ACLs VT mirroring and other features For example Management VLAN have been configured globally or per VLAN because identical resource consumption is displayed for each port range in the switch If ACLs were configured per port the number of rules used in each port range would ...

Page 66: ...element in the switch that manages QoS mirroring and ACL policies as well as other software features using the rules that you configure Resource usage in the policy enforcement engine is based on how these features are configured on the switch Resource usage by dynamic port ACLs is determined as follows Dynamic port ACLs configured by a RADIUS server for an authenticated client determine the curre...

Page 67: ...eatures Internal dedicated purpose resources include the following features Per port ingress and egress rate limiting through the CLI using rate limit in out Per port or per VLAN priority or DSCP through the CLI using qos priority or qos dscp Per protocol priority through the CLI using qos protocol The Available columns display the resources available for additional feature use The IDM column show...

Page 68: ...y indicate that insufficient resources are available for the features configured for the client in the RADIUS server To troubleshoot check the event log Throttling or blocking of newly detected clients with high rate of connection requests as defined by the current VT configuration The switch continues to generate Event Log notifications and SNMP trap notification if configured for new instances o...

Page 69: ...ow tech receivers command in the CLI The show tech transceivers command on page 76 Table 3 Status and parameters for each port type Status or parameter Description Enabled Yes default The port is ready for a network connection No The port will not operate even if properly connected in a network Use this setting For example if the port needs to be shut down for diagnostic purposes or while you are ...

Page 70: ...with Cat 3 cabling Cat 5 cabling is required for 100 Mbps links 10HDx 10 Mbps half duplex 10FDx 10 Mbps full duplex Auto 100 Uses 100 Mbps and negotiates with the port at the other end of the link for other port operation features Auto 10 100 Allows the port to establish a link with the port at the other end at either 10 Mbps or 100 Mbps using the highest mutual speed and duplex mode available Onl...

Page 71: ...es Enabled The port uses 802 3x link layer flow control generates flow control packets and processes received flow control packets With the port mode set to Auto the default and flow control enabled the switch negotiates flow control on the indicated port If the port mode is not set to Auto or if flow control is disabled on the port flow control is not used Note that flow control must be enabled o...

Page 72: ... B4 100 1000T No Yes Down 1000FDx Auto off 0 B5 100 1000T No Yes Down 1000FDx Auto off 0 B6 100 1000T No Yes Down 1000FDx Auto off 0 The show interfaces config command listing switch config show interfaces config Port Settings Port Type Enabled Mode Flow Ctrl MDI B1 100 1000T Yes Auto 10 100 Disable Auto B2 100 1000T Yes Auto Disable Auto B3 100 1000T Yes Auto Disable Auto B4 100 1000T Yes Auto Di...

Page 73: ...te show commands displaying the information that you want to see in any order you want by using the custom option Syntax show interfaces custom port list column list Select the information that you want to display Supported columns are shown in the table below Table 4 Supported columns what they display and examples Parameter column Displays Examples port Port identifier A2 type Port type 100 1000...

Page 74: ...racters of the name All remaining characters are truncated NOTE Each field has a fixed minimum width to be displayed If you specify a field width smaller than the minimum width the information is displayed at the minimum width For example if the minimum width for the Name field is 4 characters and you specify Name 2 the Name field displays 4 characters You can enter parameters in any order There i...

Page 75: ...IST command This option is used to display port diagnostics on a Smart Rate port only If the command is run on a non Smart Rate port a message similar to Port A1 This command is only applicable to Smart Rate ports is displayed The show interface PORT LIST smartrate command can be used to retrieve the physical layer link diagnostics information for the smartrate ports As part of 802 3bz implementat...

Page 76: ... shows sample output from the show tech transceivers command NOTE Part column below enables you to determine the manufacturer for a specified transceiver and revision number The show tech transceivers command switch show tech transceivers Transceiver Technical Information Port Type Prod Serial Part 21 1000SX J4858B CN605MP23K 22 1000LX J4859C H11E7X 2157 2345 23 non operational 25 10GbE CX4 J8440A...

Page 77: ...uto 100 1000 full Note that in the above Syntax you can substitute int for interface for example int port list Specifies the port s data transfer speed and mode Does not use the no form of the command Default auto The 10 100 auto negotiation feature allows a port to establish a link with a port at the other end at either 10 Mbps or 100 Mbps using the highest mutual speed and duplex mode available ...

Page 78: ...erfaces brief command listing example Also the port speed duplex mode must be set to Auto the default To disable flow control on some ports while leaving it enabled on other ports just disable it on the individual ports you want to exclude You can find more information on flow control in the Status and parameters for each port type table Syntax no interface port list flow control Enables or disabl...

Page 79: ... Intrusion MDI Flow Bcast Port Type Alert Enabled Status Mode Mode Ctrl Limit A1 10GbE T No Yes Up 1000FDx NA on 0 A2 10GbE T No Yes Down 10GigFD NA on 0 A3 10GbE T No Yes Down 10GigFD NA on 0 A4 10GbE T No Yes Down 10GigFD NA on 0 A5 10GbE T No Yes Down 10GigFD NA off 0 A6 10GbE T No Yes Down 10GigFD NA off 0 A7 10GbE T No Yes Down 10GigFD NA off 0 A8 10GbE T No Yes Down 10GigFD NA off 0 switch c...

Page 80: ...der broadcast storm ethernet port list action warn warn and disable seconds percent percent pps rate To remove the current configuration of broadcast storm on a port use Syntax no fault finder broadcast storm ethernet port list broadcast storm Configure broadcast storm control pps Rising threshold level in number of broadcast packets per second percent Rising threshold level as a percentage of ban...

Page 81: ...able Timer Disable Timer Left A1 No Up none switch config show fault finder broadcast storm Port Bcast Storm Port Status Rising Threshold Action Disable Timer Disable Timer Left A1 Yes Up 75 warn SNMP MIB SNMP support will be provided through the following MIB objects hpicfFfBcastStormControlPortConfig OBJECT IDENTIFIER hpicfFaultFinder 5 hpicfFfBcastStormControlPortConfigTable OBJECT TYPE syntax ...

Page 82: ...tormControlMode OBJECT TYPE Syntax Integer disabled 1 Bcastrisinglevelpercent 2 Bcastrisinglevelpps 3 max access read write status current description The broadcast storm control mode of a port A value of disable 1 indicates that no rising threshold value is set for broadcast storm traffic on this port A value of bcastrisinglevelpercent 2 indicates that the rising threshold rate for broadcast stor...

Page 83: ...lue set on that port DEFVAL none hpicfFfBcastStormControlPortConfigEntry 5 hpicfFfBcastStormControlPortDisableTimer OBJECT TYPE Syntax Unsigned32 0 604800 Units seconds max access read write status current Description This object specifies the time period for which the port remains in disabled state A port is disabled when broadcast traffic reaches the threshold value set on that port This time pe...

Page 84: ... sensitivity Configure the fault sensitivity level switch config fault finder multicast storm ethernet PORT LIST Enter a port number a list of ports or all for all ports switch config fault finder multicast storm ethernet 1 1 action Configure the action taken when a multicast storm is detected switch config fault finder multicast storm ethernet 1 1 action warn Log an event only warn and disable Lo...

Page 85: ...n 50 warn and disable 10 1 9 Yes Down 50 warn and disable 10 1 10 Yes Down 50 warn and disable 10 1 11 Yes Down 50 warn and disable 10 1 12 Yes Down 50 warn and disable 10 Configure ports 1 1 to 1 5 for multicast storm control and warn and disable the ports after 100 seconds with a rising threshold of 20 switch config fault finder multicast storm ethernet 1 1 1 5 action warn and disable 100 percen...

Page 86: ...es switch config fault finder multicast storm action warn sensitivity Configure the fault sensitivity level switch config fault finder multicast storm action warn sensitivity low Low sensitivity medium Medium sensitivity high High sensitivity switch config fault finder multicast storm action warn and disable sensitivity Configure the fault sensitivity level switch config fault finder multicast sto...

Page 87: ...dccf00 member 1 flexible module A type JL081A exit hostname switch fault finder multicast storm sensitivity high action warn and disable fault finder multicast storm 1 1 action warn and disable 100 percent 20 fault finder multicast storm 1 2 action warn and disable 100 percent 20 fault finder multicast storm 1 3 action warn and disable 100 percent 20 fault finder multicast storm 1 4 action warn an...

Page 88: ...able for any of the connections the port makes the necessary adjustments to accommodate either one for correct operation The following port types on your switch support the IEEE 802 3ab standard which includes the Auto MDI MDI X feature 10 100 TX xl module ports 100 1000 T xl module ports 10 100 1000 T xl module ports Using the above ports If you connect a copper port using a straight through cabl...

Page 89: ...pply only to copper port switches using twisted pair copper Ethernet cables For information about auto MDIX see Configuring auto MDIX on page 88 Syntax interface port list mdix mode auto mdix mdi mdix auto mdix The automatic default setting This configures the port for automatic detection of the cable either straight through or crossover mdi The manual mode setting that configures the port for con...

Page 90: ...e Auto A2 10GbE T Yes Auto Disable MDI A3 10GbE T Yes Auto Disable MDIX A4 10GbE T Yes Auto Disable Auto A5 10GbE T Yes Auto Disable Auto A6 10GbE T Yes Auto Disable Auto A7 10GbE T Yes Auto Disable Auto A8 10GbE T Yes Auto Disable Auto Displaying the current MDI operating mode switch config show interfaces brief Status and Counters Port Status Intrusion MDI Flow Bcast Port Type Alert Enabled Stat...

Page 91: ... an invalid input error The switch interprets a blank space as a name terminator In a port listing not assigned indicates that the port does not have a name assignment other than its fixed port number To retain friendly port names across reboots you must save the current running configuration to the startup config file after entering the friendly port names In the CLI use the write memory command ...

Page 92: ...ort data CLI You can display friendly port name data in the following combinations Syntax show name Displays a listing of port numbers with their corresponding friendly port names and also quickly shows you which ports do not have friendly name assignments show name data comes from the running config file Syntax show interface port number Displays the friendly port name if any along with the traff...

Page 93: ...port names in per port statistics listings CLI Syntax show interface port number Includes the friendly port name with the port s traffic statistics listing A friendly port name configured to a port is automatically included when you display the port s statistics output If you configure port A1 with the name O Connor_10 25 101 43 the show interface output for this port appears similar to the follow...

Page 94: ... listing of all interfaces ports configured with non default settings Excludes ports that have neither a friendly port name nor any other non default configuration settings See Listing of the startup config file with a friendly port name configured and saved on page 94 to configure port A1 with a friendly port name Notice that the command sequence saves the friendly port name for port A1 in the st...

Page 95: ... if a fiber breaks in one direction a fiber port may assume the link is still good because the other direction is operating normally and continue to send traffic on the connected ports UDLD enabled ports however will prevent traffic from being sent across a bad link by blocking the ports in the event that either the individual transmitter or receiver for that connection fails Ports enabled for UDL...

Page 96: ...mmand Default UDLD disabled Syntax link keepalive interval interval Determines the time interval to send UDLD control packets The interval parameter specifies how often the ports send a UDLD packet You can specify from 10 to 100 in 100 ms increments where 10 is 1 second 11 is 1 1 seconds and so on Default 50 5 seconds Syntax link keepalive retries num Determines the maximum number of retries to se...

Page 97: ...alive retries CLI By default a port waits 5 seconds to receive a health check reply packet from the port at the other end of the link If the port does not receive a reply the port tries four more times by sending up to four more health check packets If the port still does not receive a reply after the maximum number of retries the port goes down You can change the maximum number of keepalive attem...

Page 98: ...h the VLAN configuration of the port Viewing UDLD information CLI Syntax show link keepalive Displays all the ports that are enabled for link keepalive Syntax show link keepalive statistics Displays detailed statistics for the UDLD enabled ports on the switch Syntax clear link keepalive statistics Clears UDLD statistics This command clears the packets sent packets received and transitions counters...

Page 99: ...s configured as links to monitor LtM and when these ports lose link with their partners UFD will disable the set of ports configured as links to disable LtD When an uplink port goes down UFD enables the switch to auto disable the specific downlinks connected to the NICs This allows the NIC teaming software to detect link failure on the primary NIC port and fail over to the secondary NIC in the tea...

Page 100: ...Figure 9 Teamed NICs in conjunction with UFD Figure 10 Teamed NICs with a failed uplink NOTE The state of the LtD is purely governed by the state of the LtM and is independent of the physical state of the ports in the LtD 100 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 101: ...vided for higher layers like CLI and SNMP which will determine if a port list can be an LtM or LtD The API will handle the platform specific details and ensure a uniform code flow for blade and other switch families Switches do not have a clear distinction between uplink and downlink ports so some of the points listed above may not be applicable UFD enable disable uplink failure detection Syntax u...

Page 102: ...e L type j9992a snmp server community public unrestricted oobm ip address dhcp bootp exit uplink failure detection uplink failure detection track 1 links to monitor A8 links to disable A6 delay 100 vlan 1 name DEFAULT_VLAN untagged A1 A8 L1 L21 ip address dhcp bootp ipv6 enable ipv6 address dhcp full exit To set delay value to 2 switch config uplink failure detection track 1 delay 2 To set delay v...

Page 103: ...lays switch config show uplink failure detection Uplink Failure Detection Information UFD Enabled Yes Track Monitored Links to LtM LtD LtM LtD Delay ID Links Disable State State Lacp Key Lacp Key sec 1 Trk1 A4 Up Up 100 2 A5 A6 Down Auto Disabled 0 Error log Cause UFD will log messages in the following scenarios Admin status change When an UFD LtD delay expires as a result the LtD link is brought ...

Page 104: ...witch Series usb port Syntax usb port no usb port Description Enables the USB port The no form of the command disables the USB port and any access to the device Command context Config show usb port Syntax show usb port Description Displays the status of the USB port It can be enabled disabled or not present Command context operator Usage One of the following messages indicates the presence or abse...

Page 105: ...switch show usb port USB port status enabled USB port power status power on USB device detected in port Chapter 3 Port Status and Configuration 105 ...

Page 106: ...on can help you to plan your PoE installation If you use multiple VLANs in your network or if you have concerns about network security you should read the first two topics If your PoE installation comes close to or is likely to exceed the system s ability to supply power to all devices that may request it then you should also read the third topic If it is unlikely that your installation will even ...

Page 107: ...he titled Quality of Service Managing Bandwidth More Effectively in the advanced traffic management guide for your switch PoE operation Using the commands described in this chapter you can Enable or disable PoE operation on individual ports Monitor PoE status and performance Configure a non default power threshold for SNMP and Event Log reporting of PoE consumption on either all PoE ports on the s...

Page 108: ...nfigure the poe allocate by option to either value or class all of the power configured is allocated to the port For PoE not PoE while 17 watts must be available for a PoE module on the switch to begin supplying power to a port with a PD connected 17 watts per port is not continually required if the connected PD requires less power For example with 20 watts of PoE power remaining available on a mo...

Page 109: ...dual PoE ports Enable support for pre standard devices Change the PoE priority level on individual PoE ports Change the threshold for generating a power level notice Manually allocate the amount of PoE power for a port by usage value or class Allocate PoE power based on the link partner s capabilities via LLDP Disabling or re enabling PoE port operation Syntax no interface port list power over eth...

Page 110: ... ports at this level are provisioned before the Low priority PoE ports are provisioned Low Default Specifies the third priority PoE support for port list The active PoE ports at this level are provisioned only if there is power available after provisioning any active PoE ports at the higher priority levels Controlling PoE allocation The default option for PoE allocation is usage which is what a PD...

Page 111: ... the PSE Example To allocate by class for ports 6 to 8 switch config int 6 8 PoE allocate by class Manually configuring PoE power levels You can specify a power level in watts allocated for a port by using the value option This is the maximum amount of power that will be delivered To configure a port by value Procedure 1 Set the PoE allocation by entering the poe allocate by value command switch c...

Page 112: ... 112 Figure 12 PoE power value set too low for the PD switch config int A7 poe value 4 switch config show power over ethernet A7 Status and Counters Port Power Status for port A7 Power Enable Yes LLDP Detect enabled Priority low Configured Type AllocateBy value Value 4 W Detection Status fault 1 Power Class 2 Over Current Cnt 1 MPS Absent Cnt 0 Power Denied Cnt 2 Short Cnt 0 Voltage 55 1 V Current...

Page 113: ...threshold level in either direction PoE power usage either increasing or decreasing triggers the notice The default setting is 80 A per slot power threshold that applies to an individual PoE module installed in the designated slot This setting acts as a trigger for sending a notice when the module in the specified slot exceeds or goes below a specific level of PoE power consumption NOTE Some switc...

Page 114: ...ification thresholds for different PoE modules installed in the switch For example you could set the power threshold for a PoE module in slot A to 75 and the threshold for the module in slot B to 68 by executing the following two commands switch config power over ethernet slot a threshold 75 switch config power over ethernet slot b threshold 68 NOTE The last threshold command affecting a given slo...

Page 115: ...dly query the PD to discover the power needs of the PD Communication over the data link layer allows finer control of power allotment which makes it possible for the PSE to supply dynamically the power levels needed by the PD Using LLDP is optional for the PSE but mandatory for a Type 2 PD that requires more than 12 95 watts of power If the power needed by the PD is not available that port is shut...

Page 116: ... No redundancy PoE Power Status No redundancy Available 300 W Used 0 W Remaining 300 W Module A Power Available 300 W Used 5 W Remaining 295 W POE Power Power Alloc Alloc Actual Configured Detection Power Port Enable Priority By Power Power Type Status Class A1 Yes low usage 17 W 0 0 W Phone1 Delivering 1 A2 Yes low usage 17 W 0 0 W Searching 0 A3 Yes low usage 17 W 0 0 W Searching 0 A4 Yes low us...

Page 117: ...how lldp info local device A1 LLCP Local Port Information Detail Port A1 PortType local PortId 1 PortDesc A1 Pvid 1 Poe Plus Information Detail Poe Device Type Type2 PSE Power Source Primary Power Priority low PD Requested Power Value 20 Watts PSE Actual Power Value 20 Watts Remote power information on page 117 shows the remote device power information using the show lldp info remote device port l...

Page 118: ...is enabled again it causes a temporary power drop This event is also recorded in the event log An Example message looks like the following W 08 04 13 13 36 31 02771 ports Port A1 PoE power dropped Exceeded physical classification due to change in classification type LLDP process enabled Viewing the global PoE power status of the switch Syntax show power over ethernet brief ethernet port list slot ...

Page 119: ... Status No redundancy Chassis power over ethernet Total Available Power 600 W Total Failover Power 300 W Total Redundancy Power 0 W Total Used Power 9 W 6W Total Remaining Power 591 W Internal Power 1 300W POE Connected 2 300W POE Connected 3 Not Connected 4 Not Connected External Power EPS1 Not Connected EPS2 Not Connected Viewing PoE status on all ports Syntax show power over ethernet brief Disp...

Page 120: ...12 95 watts can be drawn by the PD Default class 1 0 44 to 3 84 watts 2 3 84 to 6 49 watts 3 6 49 to 12 95 watts 4 For PoE up to 25 5 watts can be drawn by the PD The show power over ethernet brief displays this output show power over ethernet brief command output switch config show power over ethernet brief Status and Counters System Power Status System Power Status No redundancy PoE Power Status...

Page 121: ...icated port either PoE support is disabled or PoE power is enabled but the PoE module does not have enough power available to supply the port s power needs Fault The switch detects a problem with the connected PD Other Fault The switch has detected an internal fault that prevents it from supplying power on that port Over Current Cnt Shows the number of times a connected PD has attempted to draw mo...

Page 122: ...pe AllocateBy value Value 17 W Detection Status Delivering Power Class 2 Over Current Cnt 0 MPS Absent Cnt 0 Power Denied Cnt 0 Short Cnt 0 Voltage 55 1 V Current 154 mA Power 8 4 W Status and Counters Port Power Status for port A7 Power Enable Yes LLDP Detect disabled Priority low Configured Type AllocateBy value Value 17 W Detection Status Searching Power Class 0 Over Current Cnt 0 MPS Absent Cn...

Page 123: ...t Switch R0M68A 24 Smart Rate ports 1 2 5 5GbE Some of the advantages of 802 3bt support includes Reduced power loss since power is transferred from PSE to PD over all 4 pairs of wires Backward compatible with 802 3af and 802 3at PDs Support for Dual Signature PDs Require the PD to draw a minimum amount of power to keep the connection active 10mA minimum load 802 3bt allows for smaller MPS pulse c...

Page 124: ...ault switch configuration CLI configuration is not required when the PDs are 802 3bt compliant or 802 3af or 802 3at compliant Troubleshooting non compliant PDs If the new Class 5 8 PDs support LLDP power negotiation the default switch configuration does not require additional CLI configuration changes However if the new Class 5 8 PDs do not support LLDP or need the maximum PoE power at initial po...

Page 125: ...SE capable of only 30W If required a class 5 8 PD can power up with 30W and operate in reduced functionality modes Some Class 5 8 PDs may require their full requested power The PD can power up and shut down when exceeding iCut 33W in Class4 Type 2 switches Ensure that the PSE port supports the same or higher Class than the connected PD Class for interoperability You can continue to use Cat5e cable...

Page 126: ... PSE TLV Configured dot3 MED PD Requested Power Value 0 0 W PSE TLV Sent Type dot3 MED LLDP Detect Enabled PD TLV Sent Type dot3 LLDP Dual Signature Information PSE Allocated Power Value A 20 0 W PSE Allocated Power Value B 20 0 W PD Requested Power Value A 20 0 W PD Requested Power Value B 20 0 W Power Information PSE Voltage 54 0 V PSE Reserved Power 3 2 W PD Amperage Draw 57 mA PD Power Draw 3 ...

Page 127: ...ted Power Value 8 3 W PSE TLV Configured dot3 MED PD Requested Power Value 0 0 W PSE TLV Sent Type dot3 MED LLDP Detect Disabled PD TLV Sent Type n a Power Information PSE Voltage 54 0 V PSE Reserved Power 9 0 W PD Amperage Draw 151 mA PD Power Draw 8 4 W Example of show lldp info loc remote port A Dual Signature PD is connected to the 2930M 3bt switch LLDP Local Port Information Detail Port 1 1 P...

Page 128: ...Switch 2920 then select the device from the list and click on Product manuals Click on the User guide link under Manuals 128 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 129: ...It is important to note that ports on both ends of a port trunk group must have the same mode speed and duplex and flow control settings NOTE Link connections The switch does not support port trunking through an intermediate non trunking device such as a hub or using more than onemedia type in a port trunk group Similarly for proper trunk operation all links in the same trunk group must have the s...

Page 130: ...ffic distribution again The LACP option also offers a standby link capability which enables you to keep links in reserve for service if one or more of the original active links fails See Trunk group operation using LACP on page 142 Trunk configuration methods Dynamic LACP trunk The switch automatically negotiates trunked links between LACP configured ports on separate devices and offers one dynami...

Page 131: ...ey A2 Active A2 Down No Success 500 500 A3 Active A3 Down No Success 500 500 An interface configured with a different LACP key switch config int A5 lacp active switch config int A5 lacp key 250 switch show lacp LACP LACP Trunk Port LACP Admin Oper Port Enabled Group Status Partner Status Key Key A1 Active Dyn1 Up Yes Success 100 100 A2 Active Dyn1 Up Yes Success 100 100 A3 Active Dyn1 Up Yes Succe...

Page 132: ...u want an LACP trunk group to operate in a VLAN other than the default VLAN and GVRP is disabled See VLANs and dynamic LACP on page 148 You want to use a monitor port on the switch to monitor an LACP trunk For more information see Trunk group operation using LACP on page 142 Trunk non protocol Provides manually configured static only trunking to Most Switches and routing switches are not running t...

Page 133: ...able Flow control Flow Ctrl LACP is a full duplex protocol See Trunk group operation using LACP on page 142 Trunk configuration All ports in the same trunk group must be the same trunk type LACP or trunk All LACP ports in the same trunk group must be either all static LACP or all dynamic LACP A trunk appears as a single port labeledDyn1 for an LACP dynamic trunk or Trk1 for a static trunk of type ...

Page 134: ...art of the listing See A port trunk in a Spanning Tree listing example IP multicast protocol IGMP A static trunk of any type appears in the IGMP configuration display and you can configure IGMP for a static trunk in the same way that you would configure IGMP on a non trunked port Note that the switch lists the trunk by name such as Trk1 and does not list the individual ports in the trunk Also crea...

Page 135: ...ta listing for all LAN ports in the switch Example In a switch where ports A4 and A5 belong to Trunk 1 and ports A7 and A8 belong to Trunk 2 you have the options shown in Listing specific ports belonging to static trunks on page 135 and A show trunk listing without specifying ports on page 136 for displaying port data for ports belonging to static trunks Using a port list specifies for switch port...

Page 136: ... Active A3 Down No Success 0 300 A4 Passive A4 Down No Success 0 0 A5 Passive A5 Down No Success 0 0 A6 Passive A6 Down No Success 0 0 For a description of each of the above listed data types see table LACP port status data Dynamic LACP Standby Links Dynamic LACP trunking enables you to configure standby links for a trunk by including more than eight ports in a dynamic LACP trunk configuration Whe...

Page 137: ...the maximum number of trunk groups you can configure on the switch An individual trunk can have up to eight links with additional standby links if you re using LACP You can configure trunk group types as follows Trunk Type Trunk Group Membership TrkX Static DynX Dynamic LACP Yes Yes Trunk Yes No The following examples show how to create different types of trunk groups Syntax trunk port list trk1 t...

Page 138: ... the links on port list are configured as LACP passive this command enables a dynamic LACP trunk group on port list Example This Example uses ports C4 and C5 to enable a dynamic LACP trunk group switch config interface c4 c5 lacp active Removing ports from a dynamic LACP trunk group To remove a port from dynamic LACP trunk operation you must turn off LACP on the port On a port in an operating dyna...

Page 139: ...ured threshold is performed after a minute and the trunk state will be decided accordingly The trunk will be up and the traffic will be forwarded though the LACP trunk during this period NOTE If the minimum active links are configured without enable timer configuration the LACP trunk disabled by the feature will remain down until the operator explicitly disables and re enables the port or triggers...

Page 140: ...er a number Switch eth Trk11 lacp min active links 5 WARNING This configuration can result in disabling the trunk if the number of active links in the trunk drops below the configured threshold Continue y n y lacp enable timer Syntax lacp enable timer value no lacp enable timer value Description Configures the timer on expiry of which the member links disabled by LACP min active links functionalit...

Page 141: ...5 120 Trk12 3 356 show running configuration switch show running config Running configuration hpStack_KB Configuration Editor Created on release KB 16 08 0000x Ver 14 0f 6f f8 1d fb 7f bf bb ff 7c 59 fc 7b ff ff fc ff ff 3f ef 60 stacking member 1 type JL074A mac address ecebb8 117400 member 1 flexible module A type JL079A member 2 type JL074A mac address ecebb8 1d1580 member 2 flexible module A t...

Page 142: ...removed without any warning Viewing existing port trunk groups WebAgent While the WebAgent does not enable you to configure a port trunk group it does provide a view of an existing trunk group To view any port trunk groups 1 In the navigation pane click Interface 2 Click Port Info Config The trunk information for the port displays in the Port Properties box Trunk group operation using LACP The swi...

Page 143: ...In most cases trunks configured for LACP on the switches operate as described in the following table Chapter 5 Port Trunking 143 ...

Page 144: ...port Group name The ports on both ends of each link have compatible mode settings speed and duplex The port on one end of each link must be configured for LACP Active and the port on the other end of the same link must be configured for either LACP Passive or LACP Active For Example Either of the above link configurations allows a dynamic LACP trunk link Backup Links A maximum of eight operating l...

Page 145: ...ge corresponding to the maximum number of trunks the switch allows See Port trunk features and operation for the maximum number of trunk groups allowed on the switches Displaying static LACP trunk data To list the configuration and status for a static LACP trunk use the CLI show lacp command To list a static LACP trunk with its assigned ports use the CLI show trunk command or display the menu inte...

Page 146: ...ief trunk negotiation or a configuration error such as differing port speeds on the same link or trying to connect the switch to more trunks than it can support See Trunk configuration protocols Some older devices are limited to four ports in a trunk When eight LACP enabled ports are connected to one of these older devices four ports connect but the other four ports are blocked Standby The port is...

Page 147: ...sive is configured the switch removes the LACP configuration displays a notice that LACP is disabled on the port and enables port security on that port For example switch config port security a17 learn mode static address limit 2 LACP has been disabled on secured port s switch config The switch does not allow you to configure LACP on a port on which port security is enabled For example switch conf...

Page 148: ...locked Port Status is Blocked It can take a few seconds for the switch to discover the current status of the ports Blocked ports with LACP switch eth B1 B8 show lacp LACP PORT LACP TRUNK PORT LACP LACP NUMB ENABLED GROUP STATUS PARTNER STATUS B1 Active Dyn1 Up Yes Success B2 Active Dyn1 Up Yes Success B3 Active Dyn1 Up Yes Success B4 Active Dyn1 Up Yes Success B5 Active Dyn1 Blocked Yes Failure B6...

Page 149: ...by LACP links are ignored Trunk group operation using the trunk option This method creates a trunk group that operates independently of specific trunking protocols and does not use a protocol exchange with the device on the other end of the trunk With this choice the switch simply uses the SA DA method of distributing outbound traffic across the trunked ports without regard for how that traffic is...

Page 150: ...rwise traffic is transmitted across the same path as shown in the figure below That is if Client A attached to Switch 1 sends five packets of data to Server A attached to Switch 2 the same link is used to send all five packets The SA DA address pair for the traffic is the same The packets are not evenly distributed across any other existing links between the two switches they all take the same pat...

Page 151: ...k load balancing using port layers allows the use of TCP UDP source and destination port number for trunk load balancing This is in addition to the current use of source and destination IP address and MAC addresses Configuration of Layer 4 load balancing would apply to all trunks on the switch Only non fragmented packets will have their TCP UDP port number used by load balancing This ensures that ...

Page 152: ...0 1000T Trk1 Trunk 42 100 1000T Trk1 Trunk Note in Running config file when L4 based trunk load balancing is enabled on page 152 that in if L4 trunk load balancing is enabled a line appears in the running config file If it is not enabled nothing appears as this is the default and the default values are not displayed Running config file when L4 based trunk load balancing is enabled switch config sh...

Page 153: ...entication client session Applying rate limiting to desirable traffic is not recommended For further details see RADIUS Authentication and Accounting in the access security guide for your switch The switches also support ICMP rate limiting to mitigate the effects of certain ICMP based attacks ICMP traffic is necessary for network routing functions For this reason blocking all ICMP traffic is not r...

Page 154: ... port Hewlett Packard Enterprise recommends using the port list disable command instead of configuring a rate limit of 0 You can configure a rate limit from either the global configuration level or from the port context level For example either of the following commands configures an inbound rate limit of 60 on ports 3 5 switch config int 3 5 rate limit all in percent 60 switch eth 3 5 rate limit ...

Page 155: ... latest Management and Configuration Guide for your switch The show running command displays the currently applied setting for any interfaces in the switch configured for all traffic rate limiting and ICMP rate limiting The show config command displays this information for the configuration currently stored in the startup config file Note that configuration changes performed with the CLI but not f...

Page 156: ...mited port there can be enough back pressure to hold high priority inbound traffic from the upstream device or application to a rate that is lower than the configured rate limit In this case the inbound traffic flow does not reach the configured rate and lower priority traffic is not forwarded into the switch fabric from the rate limited port This behavior is termed head of line blocking and is a ...

Page 157: ...09 ICMP rate limiting In IP networks ICMP messages are generated in response to either inquiries or requests from routing and diagnostic functions These messages are directed to the applications originating the inquiries In unusual situations if the messages are generated rapidly with the intent of overloading network circuits they can threaten network availability This problem is visible in denia...

Page 158: ...ampus though similar rate limit thresholds are applicable to other network environments On edge interfaces where ICMP traffic should be minimal a threshold of 1 of available bandwidth should be sufficient for most applications On core interfaces such as switch to switch and switch to router a maximum threshold of 5 should be sufficient for normal ICMP traffic Normal ICMP traffic levels should be t...

Page 159: ...s mode metering accuracy is limited at low values For example less than 45 Kbps This is to allow metering to function well at higher media speeds such as 10 Gbps For information on using ICMP rate limiting and all traffic rate limiting on the same interface seeUsing both ICMP rate limiting and all traffic rate limiting on the same interface on page 159 Using both ICMP rate limiting and all traffic...

Page 160: ...bled 2 kbps 100 3 5 4 1 5 1 6 Disabled Disable The show running command displays the currently applied setting for any interfaces in the switch configured for all traffic rate limiting and ICMP rate limiting The show config command displays this information for the configuration currently stored in the startup config file Note that configuration changes performed with the CLI but not followed by a...

Page 161: ...ic on the rate limited interfaces may be lower than configured because the total traffic load requested to the outbound interface exceeds the interface s bandwidth and thus some requested traffic may be held off on inbound Monitoring mirroring ICMP rate limited interfaces If monitoring is configured packets dropped by ICMP rate limiting on a monitored interface are still forwarded to the designate...

Page 162: ... and Event Log messages on page 161 The port number included in the command corresponds to the internal number the switch maintains for the designated port and not the port s external identity To match the port s external slot number to the internal port number use the walkmib ifDescr command as shown in the following example Matching internal port numbers to external port numbers switch walkmib i...

Page 163: ...raffic Only the amount of traffic specified by the percent is forwarded Default Disabled If you want to set a limit of 50 on inbound broadcast traffic for port 3 you can first enter interface context for port 3 and then execute the rate limit command as shown in Inbound broadcast rate limiting of 50 on port 3 on page 163 Only 50 of the inbound broadcast traffic will be forwarded Inbound broadcast ...

Page 164: ...abled Disabled No override Operating Notes The following information is displayed for each installed transceiver Port number on which transceiver is installed Type of transceiver Product number Includes revision letter such as A B or C If no revision letter follows a product number this means that no revision is available for the transceiver Part number Allows you to determine the manufacturer for...

Page 165: ...s or static trunks you can use the default minimum bandwidth settings for each outbound priority queue or a customized bandwidth profile It is also possible to disable the feature entirely The switch services per port outbound traffic in a descending order of priority that is from the highest priority to the lowest priority By default each port including each port in a static trunk offers eight pr...

Page 166: ...ues that do not have a minimum configured Normally this will not altogether halt lower priority traffic on the network but will likely cause delays in the delivery of the lower priority traffic The sum of the GMB settings for all outbound queues on a given port or static trunk cannot exceed 100 Impacts of QoS queue configuration on GMB operation The section Configuring GMB for outbound traffic on ...

Page 167: ...arve lower priority queues which can slow or halt lower priority traffic in the network You can configure bandwidth minimums from either the global configuration level as shown above or from the port or static trunk context level For information on outbound port queues see Per port outbound priority queues Syntax no int port list trk_ bandwidth min output 0 100 strict 0 100 Select a minimum bandwi...

Page 168: ...g 0 for a queue can result in that queue being starved if any higher queue becomes over subscribed and is then given all unused bandwidth The switch applies the bandwidth calculation to the link speed the port or trunk is currently using For example if a 10 100 Mbs port negotiates to 10 Mbps on the link it bases its GMB calculations on 10 Mbps not 100 Mbps Use show bandwidth output port list trk_ ...

Page 169: ...th available on the port Either of the following commands configures ports 1 through 5 with bandwidth settings Switch config int 1 5 bandwidth min output 2 3 30 10 10 10 15 strict Switch interface 1 5 bandwidth min output 2 3 30 10 10 10 15 strict Viewing the current GMB configuration This command displays the per port GMB configuration in the running config file Syntax show bandwidth output port ...

Page 170: ...nown destination MAC addresses The switch floods the unicast packets to all interfaces that are members of the VLAN An attacker can bring down the network by sending out packets to random destination MAC addresses and hence it is important to rate limit traffic with unknown destination addresses You can rate limit the unknown unicast traffic per port level in either percent or kbps mode rate limit...

Page 171: ...s to show information for switch eth 2 show rate limit unknown unicast 2 Unknown Unicast Traffic Rate Limit Maximum Port Inbound Limit Mode 2 10 rate limit unknown unicast in kbps Syntax interface port list rate limit unknown unicast in kbps rate Description Sets a rate limit for unicast flood traffic Command context interface Parameters in Sets a rate limit for incoming unicast flood traffic perc...

Page 172: ...ound Limit Mode 1 100 kbps 2 Disabled Disabled 3 Disabled Disabled 4 Disabled Disabled 5 Disabled Disabled 6 Disabled Disabled 7 Disabled Disabled 8 Disabled Disabled 9 Disabled Disabled 10 Disabled Disabled 11 Disabled Disabled 12 Disabled Disabled 13 Disabled Disabled 14 Disabled Disabled 15 Disabled Disabled 16 Disabled Disabled show rate limit unknown unicast Syntax show rate limit unknown uni...

Page 173: ...onfigured for jumbo traffic the switch enables that port to receive jumbo traffic If you remove a port from a jumbo enabled VLAN the switch disables jumbo traffic capability on the port only if the port is not currently a member of another jumbo enabled VLAN This same operation applies to port trunks Jumbo traffic sources A port belonging to a jumbo enabled VLAN can receive inbound jumbo frames th...

Page 174: ...with the sole purpose of enabling jumbo traffic on the desired ports while leaving the other ports on the switch disabled for jumbo traffic That is VLAN 100 VLAN 200 VLAN 300 Ports 6 10 11 15 6 7 12 and 13 Jumbo enabled No No Yes If there are security concerns with grouping the ports as shown for VLAN 300 you can either use source port filtering to block unwanted traffic paths or create separate j...

Page 175: ...o the startupconfig file Viewing the current jumbo configuration Syntax show vlans Lists the static VLANs configured on the switch and includes a Jumbo column to indicate which VLANs are configured to support inbound jumbo traffic All ports belonging to a jumbo enabled VLAN can receive jumbo traffic For more information see Configuring a maximum frame size on page 177 See Figure Figure 20 Example ...

Page 176: ...LAN Enabling or disabling jumbo traffic on a VLAN Syntax vlan vid jumbo no vlan vid jumbo Configures the specified VLAN to allow jumbo frames on all ports on the switch that belong to that VLAN If the VLAN is not already configured on the switch vlan vid jumbo also creates the VLAN A port belonging to one jumbo VLAN can receive jumbo frames through any other VLAN statically configured on the switc...

Page 177: ...982 Syntax jumbo ip mtu size Globally sets the IP MTU size Values range between 1500 and 9198 bytes This value must be 18 bytes less than the value of max frame size Default 9198 bytes SNMP implementation Jumbo maximum frame size The maximum frame size for jumbos is supported with the following proprietary MIB object hpSwitchMaxFrameSize OBJECT TYPE This is the value of the global max frame size s...

Page 178: ... is actually operating at a speed lower than 1 Gbps for the other switches it drops inbound jumbo frames For example if a port is configured for Auto mode speed duplex auto but has negotiated a 7 Mbps speed with the device at the other end of the link the port cannot receive inbound jumbo frames To determine the actual operating speed of one or more ports view the Mode field in the output for the ...

Page 179: ...m Sensitivity This policy directs the switch to send alerts related to network problems to the Alert Log If you want to be notified of problems which cause a noticeable slowdown on the network use this setting Low Sensitivity This policy directs the switch to send only the most severe alerts to the Alert Log This policy is most effective on a network where there are normally a lot of problems and ...

Page 180: ...arning and then disable a port on which there is a high collision or drop rate you could configure these options switch config fault finder over bandwidth sensitivity high action warn and disable To set Fault Finder with a medium sensitivity to issue a warning about excessive CRC or alignment errors on a port you could configure these options switch config fault finder bad cable sensitivity medium...

Page 181: ...Jabbers are packets longer than the MTU Fragments packets shorter than they should be 65 2110 3614 1 10 000 IncomingOne Fragments 20 secs20 secs If jabbers total sensitivity 10 000 Or If fragment count in the last 20 seconds sensitivity Bad cable Excessive CRC alignment errors 6 21 36 1 10 000 Incoming 20 secs If CRC and alignment errors total sensitivity 10 000 Too Long Cable Excessive late colli...

Page 182: ...00 8525 One Multicast Packet 1 sec If the average per second of multicast packets in the last 20 seconds sensitivity Duplex mismatch HDx 6 21 36 1 10 000 Outgoing 20 sec If late collisions total sensitivity 10 000 Duplex mismatch FDx 6 21 36 1 10 000 Incoming 20 sec If CRC and alignment errors total sensitivity 10 000 Link flap Excessive transitions between link up and link down states 4 7 11 One ...

Page 183: ...st be sensitivity 10 000 to trigger an alert 2 CRC errors total 15 3500 00043 3 Sensitivity 10 000 6 10 000 0006 4 00043 is not greater than or equal to 0006 so an alert is not triggered Chapter 6 Port Traffic Controls 183 ...

Page 184: ...rsion of this guide is available on the Networking website For information on the Management VLAN feature see the section The Secure Management VLAN in the Static Virtual LANs VLANs chapter of the Advanced traffic management guide for your switch SNMP management features SNMP management features on the switch include SNMP version 1 version 2c or version 3 over IP Security via configuration of SNMP...

Page 185: ... configure the switch ensure that the DHCP Bootp process provides the IP address See DHCP Bootp Operation Once you have configured an IP address the main steps for configuring SNMPv3 access management features are the following Procedure 1 Enable SNMPv3 for operation on the switch see Enabling SNMPv3 on page 186 2 Configure the appropriate SNMP users see SNMPv3 users on page 187 3 Configure the ap...

Page 186: ...d the switch rejects all non SNMPv3 messages Syntax no snmpv3 only Enabling or disabling restrictions from all non SNMPv3 agents to read only access Syntax no snmpv3 restricted access Viewing the operating status of SNMPv3 Syntax show snmpv3 enable Viewing status of message reception of non SNMPv3 messages Syntax show snmpv3 only Viewing status of write messages of non SNMPv3 messages Syntax show ...

Page 187: ... also create a second user with SHA authentication and DES privacy To use SNMPv3 on the switch you must configure the users that will be assigned to different groups Procedure 1 Configure users in the User Table with the snmpv3 user command To view the list of configured users enter the show snmpv3 user command see Adding users on page 188 2 Assign users to Security Groups based on their security ...

Page 188: ...must be 6 to 32 characters and is mandatory when you configure authentication priv des aes With privacy the switch supports DES 56 bit and AES 128 bit encryption Defaults to DES Only AES 128 bit and DES 56 bit encryption are supported as privacy protocols Other non standard encryption algorithms such as AES 172 AES 256 and 3 DES are not supported PRIV_PASS The privacy password priv_pass must be 6 ...

Page 189: ...more details on the MIBs access for a given group see Group access levels on page 190 Figure 24 Example of assigning users to groups Syntax no snmpv3 group Assigns or removes a user to a security group for access rights to the switch To delete an entry all the following three parameters must be included in the command group group_name Identifies the group that has the privileges that will be assig...

Page 190: ...er1 ManagerReadView DiscoveryView comoperatorrw Ver2c or Ver1 OperatorReadView OperatorReadView comoperatorr Ver2c or Ver1 OperatorReadView DiscoveryView Table 20 SNMPv3 Params and Group Configs Combinations SNMPv3 Params SNMPv3 group Snmpv3 user config noauth no authentication and no privacy operatornoauth snmpv3 user user1 auth authentication and no privacy managerpriv managerauth operatorauth o...

Page 191: ...vileges but special mappings can be added with the snmpv3 community command see Mapping SNMPv3 communities CLI on page 191 Mapping SNMPv3 communities CLI SNMP commuities are supported by the switch to allow management applications that use version 2c or version 1 to access the switch For more details see SNMPv3 communities on page 191 Syntax no snmpv3 community Maps or removes a mapping of a commu...

Page 192: ...w and either restricted or unrestricted write access Using SNMP requires that the switch have an IP address and subnet mask compatible with your network Listing community names and values CLI This command lists the data for currently configured SNMP community names along with trap receivers and the setting for authentication traps see SNMP notifications on page 194 Syntax show snmp server communit...

Page 193: ...d community from the switch operator manager Optionally assigns an access level At the operator level the community can access all MIB objects except the CONFIG MIB At the manager level the community can access all MIB objects restricted unrestricted Optionally assigns MIB access type Assigning the restricted type allows the community to read MIB variables but not to set them Assigning the unrestr...

Page 194: ...t the following notifications are enabled on a switch Manager password changes SNMP authentication failure Link change traps when the link on a port changes from up to down linkDown or down to up linkUp Port security web MAC or 802 1X authentication failure Invalid password entered in a login attempt through a direct serial Telnet or SSH connection Inability to establish a connection with the RADI...

Page 195: ...TY_NAME trap level all critical not info debug none command to set the level of traps to send to the community Thresholds A switch automatically sends all messages created when a system threshold is reached to the network management station that configured the threshold regardless of the trap receiver configuration SNMP trap receivers Use the snmp server host command to configure a trap receiver t...

Page 196: ...inform Optional Configures the switch to send SNMPv2 inform requests when certain events occur For more information see Enabling SNMPv2c informs CLI Table 21 Security levels for Event Log messages sent as traps Security Level Action None default Sends no Event Log messages All Sends all Event Log messages Not Info Sends all Event Log messages that are not for information only Critical Sends only E...

Page 197: ...B 16 06 0000x Ver 13 03 f8 1c fb 7f bf bb ff 7c 59 fc 7b ff ff fc ff ff 3f ef 05 hostname switch module 1 type jl071x flexible module A type JL081A interface A1 speed duplex auto 100 exit snmp server community public unrestricted oobm ip address dhcp bootp exit vlan 1 name DEFAULT_VLAN untagged 1 24 A1 A4 ip address dhcp bootp ipv6 enable ipv6 address dhcp full exit rmonlog set threshold 45 The fo...

Page 198: ...Removed Example For port 1 the command would be as follows Switch show mac notify traps 1 Displays the following information 1 Aged SNMPv2c informs On a switch enabled for SNMPv2c you can use the snmp server host inform command Enabling SNMPv2c informs CLI on page 199 to send inform requests when certain events occur When an SNMP Manager receives an inform request it can send an SNMP response back...

Page 199: ...mmand as shown in the following image note indication of inform Notify Type in bold Display of SNMPv2c inform configuration switch config show snmp server SNMP Communities Community Name MIB View Write Access public Manager Unrestricted Trap Receivers Link Change Traps Enabled on Ports All All Address Community Events Sent Notify Type Retry Timeout 15 28 333 456 guest All inform 3 15 Excluded MIBs...

Page 200: ... internally in SNMPv3 commands To delete a notification to tag mapping enter no snmpv3 notify notify_name notify notify_name Specifies the name of an SNMPv3 notification configuration tagvalue tag_name Specifies the name of a tag value used in other SNMPv3 commands such as snmpv3 targetaddress params taglist tag_name in Step 5 type Specifies the notification type as inform or trap By default the n...

Page 201: ...ional Specifies a range of IP addresses as destinations for notification messages Default 0 retries value Optional Number of times a notification is retransmitted if no response is received Range 1 255 Default 3 timeout value Optional Time in millisecond increments allowed to receive a response from the target before notification packets are retransmitted Range 0 2147483647 Default 1500 15 seconds...

Page 202: ...nfiguration Network security notifications By default a switch is enabled to send the SNMP notifications listed in Supported Notifications on page 194 when a network security event For example authentication failure occurs However before security notifications can be sent you must first configure one or more trap receivers or SNMPv3 management stations as described in Configuring an SNMP trap rece...

Page 203: ...e following notifications are enabled in the default configuration The notification sends a trap arp protect Traps for Dynamic ARP Protection auth server fail Traps reporting authentication server unreachable dhcp server Traps for DHCP Server dhcp snooping Traps for DHCP Snooping dhcpv6 snooping Set the traps for DHCPv6 snooping dyn ip lockdown Traps for Dynamic Ip Lockdown dyn ipv6 lockdown Enabl...

Page 204: ...eivers Link Change Traps Enabled on Ports All A1 A24 Traps Category Current Status SNMP Authentication Extended Password change Enabled Login failures Enabled Port Security Enabled Authorization Server Contact Enabled DHCP Snooping Enabled Dynamic ARP Protection Enabled Dynamic IP Lockdown Enabled Address Community Events Sent Notify Type Retry Timeout 15 255 5 225 public All trap 3 15 2001 0db8 0...

Page 205: ...205 Syntax no snmp server response source dst ip of request ipv4 addr ipv6 addr loopback 0 7 Specifies the source IP address of the SNMP response PDU The default SNMP response PDU uses the IP address of the active interface from which the SNMP response was sent as the source IP address The no form of the command resets the switch to the default behavior compliant with rfc 1517 Default Interface IP...

Page 206: ...in SNMP traps RFC 1517 The values configured with the snmp server response source and snmp server trap source commands are applied globally to all interfaces that are sending SNMP responses or SNMP trap PDUs Only the source IP address field in the IP header of the SNMP response PDU can be changed Only the source IP address field in the IP header and the SNMPv1 Agent Address field of the SNMP trap ...

Page 207: ...fications Example In the following Example the show snmp server command output shows that the switch has been configured to send SNMP traps and notifications to management stations that belong to the public red team and blue team communities Figure 28 Display of SNMP notification configuration Hardware events and traps Current default traps The default event scenarios for currently generated traps...

Page 208: ...king Module insertion detected Reboot required 552 Warning Stacking module Removal W 06 20 16 09 19 43 00552 chassis ST1 CMDR Stacking Module removal detected Reboot required Enabling and disabling traps Action Command Disable both the log and trap setMib eventType event_Id i 1 to disable both log Trap Enable log only setMib eventType event_Id i 2 to allow only log Enable both the log and trap Def...

Page 209: ...Removing a slot module Event Id 67 Inserting transceiver Event Id 405 Chapter 7 Configuring for Network Management Applications 209 ...

Page 210: ...Removing a transceiver 210 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 211: ...dresses learned on the specified ports exceeds the configured learned count value To configure the mac count notify option on a port or ports enter this command When the configured number of MAC addresses is exceeded the learned count a trap is sent Syntax no mac count notify traps port list learned count Configures mac count notify traps on the specified ports or all for the entire switch The no ...

Page 212: ...or sending a trap Configuring mac count notify traps from the interface context switch config interface 5 Switch eth 5 mac count notify traps 35 The show snmp server traps command displays whether the MAC Address Count feature is enabled or disabled Information about SNMP traps including MAC address count being Enabled Disabled switch config show snmp server traps Trap Receivers Link Change Traps ...

Page 213: ...net statistics Alarm and Event groups from the Switch Manager network management software CLI configured sFlow with multiple instances sFlow can also be configured via the CLI for up to three distinct sFlow instances once enabled an sFlow receiver destination can be independently configured for full flow sampling and counter polling CLI configured sFlow instances may be saved to the startup config...

Page 214: ...tance command Viewing sFlow Configuration and Status CLI The following sFlow commands allow you to display sFlow configuration and status through the CLI Viewing sFlow destination information on page 214 is an example of sflow agent information Syntax show sflow agent Displays sFlow agent information The agent address is normally the IP address of the first VLAN configured The show sflow agent com...

Page 215: ...Flow sampling and polling on the switch as shown in the following example You can specify a list or range of ports for which to view sampling information Figure 29 Example Viewing sFlow sampling and polling information NOTE The sampling and polling instances noted in parentheses coupled to a specific receiver instance are assigned dynamically and so the instance numbers may not always match The ke...

Page 216: ... blocked State unblockedPeer State blocked Inform PeerState unblockedPeer State unblocked Regular UDLD TX delta is the time when the unblock event occurs on local side Restrictions There is no support available when configuring this mode from the web and menu interface There are no new packet types are introduced with UDLD There are no new UDLD timers being introduced UDLD configuration commands S...

Page 217: ...tempt is 4 Show commands Syntax switch config show link keepalive Sample output Total link keepalive enabled ports 8 Keepalive Retries 4 Keepalive Interval 5 sec Keepalive Mode verify then forward Physical Keepalive Adjacent UDLD Port Enabled Status Status Switch VLAN 1 Yes down off line 000000 000000 untagged 2 Yes down off line 000000 000000 untagged 3 Yes down off line 000000 000000 untagged 4 ...

Page 218: ...es 2 Using the information learned in step 1 to find and read the neighbor devices Neighbors tables to learn about additional devices and so on Also by using show commands to access the switch s neighbor database for information collected by an individual switch system administrators can learn about other devices connected to the switch including device type capability and some configuration infor...

Page 219: ...ble LLDP operation Enable or disable LLDP MED In the default configuration for the switches LLDP MED is enabled by default Requires that LLDP is also enabled For more information see LLDP MED media endpoint discovery on page 233 Change the frequency of LLDP packet transmission to neighbor devices On a global basis you can increase or decrease the frequency of outbound LLDP advertisements Change th...

Page 220: ...iguration all outbound LLDP packets include this information in the TLVs transmitted to neighbor devices However you can configure LLDP advertisements on a per port basis to omit some of this information Configuring a remote management address for outbound LLDP advertisements CLI on page 228 Table 23 Data available for basic LLDP advertisements Data type Configuration options Default Description T...

Page 221: ... Chassis ID TLV 3 Populated with data captured internally by the switch For more on these data types refer to the IEEE P802 1AB Standard 4 Subelement of the Port ID TLV 5 Subelement of the Remote Management Address TLV 6 Subelement of the System Capability TLV Remote management address The switch always includes an IP address in its LLDP advertisements This can be either an address selected by a d...

Page 222: ...e lowest order IP address configured on the VLAN with the lowest VID If the qualifying VLAN does not have an IP address the port advertises 127 0 0 1 as its IP address For example if the port is a member of the default VLAN VID 1 and there is an IP address configured for the default VLAN the port advertises this IP address In the default operation the IP address that LLDP uses can be an address ac...

Page 223: ...ig Displays the LLDP global configuration LLDP port status and SNMP notification status For information on port admin status see Configuring per port transmit and receive modes CLI on page 228 show lldp config produces the following display when the switch is in the default LLDP configuration Viewing the general LLDP configuration switch config show lldp config LLDP Global Configuration LLDP Enabl...

Page 224: ...n page 228 Figure 30 Per port configuration display Configuring Global LLDP Packet Controls The commands in this section configure the aspects of LLDP operation that apply the same to all ports in the switch LLDP operation on the switch Enabling LLDP operation the default causes the switch to Use active LLDP enabled ports to transmit LLDP packets describing itself to neighbor devices Add entries t...

Page 225: ...1 that is 4 x 1 5 If you want to change the delay interval use the setmib command Time to Live for transmitted advertisements The Time to Live value in seconds for all LLDP advertisements transmitted from a switch is controlled by the switch that generates the advertisement and determines how long an LLDP neighbor retains the advertised data before discarding it The Time to Live value is the resul...

Page 226: ...mand fails Depending on the current refresh interval setting it may be necessary to increase the refresh interval before using this command to increase the delay interval Example To change the delay interval from 2 seconds to 8 seconds when the refresh interval is at the default 30 seconds you must first set the refresh interval to a minimum of 32 seconds 32 4 x 8 as shown in the following image F...

Page 227: ...rtisement received on the port from an LLDP neighbor Default Disabled For information on configuring trap receivers in the switch see SNMP notifications on page 194 Example This command enables SNMP notification on ports 1 5 switch config lldp enable notification 1 5 Changing the minimum interval for successive data change notifications for the same neighbor If LLDP trap notification is enabled on...

Page 228: ...port on the switch include both mandatory and optional data Mandatory Data An active LLDP port on the switch always includes the mandatory data in its outbound advertisements LLDP collects the mandatory data and except for the Remote Management Address you cannot use LLDP commands to configure the actual data Chassis Type TLV subelement Chassis ID TLV Port Type TLV subelement Port ID TLV Remote Ma...

Page 229: ...Default Enabled system_name For outbound LLDP advertisements this TLV includes an alphanumeric string showing the assigned name of the system Default Enabled system_descr For outbound LLDP advertisements this TLV includes an alphanumeric string describing the full name and version identification for the hardware type software version and networking application of the system Default Enabled system_...

Page 230: ...information on using the CLI to display port speed and duplex information seeViewing the current port speed and duplex configuration on a switch port on page 244 Configuring support for port speed and duplex advertisements CLI For more information see Support for port speed and duplex advertisements on page 230 Syntax no lldp config port list dot3TlvEnable macphy_config Options macphy_config MAC P...

Page 231: ... to be advertised Enabling the VLAN ID TLV Switch config lldp config a1 dot1TlvEnable port vlan id Viewing the TLVs advertised The show commands display the configuration of the TLVs The command show lldp config lists the TLVs advertised for each port as shown in the following examples Displaying the TLVs for a port switch config show lldp config a1 LLDP Port Configuration Detail Port A1 AdminStat...

Page 232: ...lities Supported bridge router System Capabilities Enabled bridge router Port VLAN ID 200 Remote Management Address Type ipv4 Address 192 168 1 1 SNMP support The LLDP EXT DOT1 MIB has the corresponding MIB variables for the Port VLAN ID TLV The TLV advertisement can be enabled or disabled using the MIB object lldpXdot1ConfigPortVlanTxEnable in the lldpXdot1ConfigPortVlanTable The port VLAN ID TLV...

Page 233: ...rk Automatic deployment of convergence network policies voice VLANs Layer 2 CoS priority and Layer 3 QoS priority Configurable endpoint location data to support the Emergency Call Service ECS such as Enhanced 911 service 999 112 Detailed VoIP endpoint data inventory readable via SNMP from the switch Power over Ethernet PoE status and troubleshooting support via SNMP support for IP telephony networ...

Page 234: ... LLDP MED framework Any LLDP MED endpoint device belongs to one of the following three classes Class 1 generic endpoint devices These devices offer the basic LLDP discovery services network policy advertisement VLAN ID Layer 2 802 1p priority and Layer 3 DSCP priority and PoE management This class includes such devices as IP call controllers and communication related servers Class 2 media endpoint...

Page 235: ...switch detects a new LLDP MED device on a port it transmits one LLDP MED advertisement per second out the port for the duration of the fast start count interval In most cases the default setting should provide an adequate fast start count interval Default 5 seconds NOTE This global command applies only to ports on which a new LLDP MED device is detected It does not override the refresh interval se...

Page 236: ...LAN ID TLV through this port Policy elements These policy elements may be statically configured on the switch or dynamically imposed during an authenticated session on the switch using a RADIUS server and 802 1X or MAC authentication Web authentication does not apply to VoIP telephones and other telecommunications devices that are not capable of accessing the switch through a Web browser The QoS a...

Page 237: ... devices to autoconfigure the voice network policy advertised by the switch This also enables the use of SNMP applications to troubleshoot statically configured endpoint network policy mismatches Default Enabled Network policy is advertised only for ports that are configured as members of the voice VLAN If the port belongs to more than one voice VLAN the voice VLAN with the lowest numbered VID is ...

Page 238: ...e the following command show lldp info remote device port list For more information on this command see page A 60 To display the current PoE configuration on the switch use the following commands show power brief port list show power port list Location data for LLDP MED devices You can configure a switch port to advertise location data for the switch itself the physical wall jack location of the e...

Page 239: ...of address information COUNTRY STR A two character country code as defined by ISO 3166 Some examples include FR France DE Germany and IN India This field is required in a civic addr command For a complete list of country codes visit http www iso org WHAT A single digit number specifying the type of device to which the location data applies 0 Location of DHCP server 1 Location of switch 2 Location ...

Page 240: ...he second entry in the type value pair CA VALUE Some examples of CA TYPE specifiers include 3 city 6 street name 25 building name Range 0 255 For a sample listing of CA TYPE specifiers see Some location codes used in CA TYPE fields CA VALUE This is the second entry in a type value pair and is an alphanumeric string containing the location information corresponding to the immediately preceding CA T...

Page 241: ...sion 4 floor 27 street 6 room number 28 street suffix 18 1 The code assignments in this table are examples from a work in progress the internet draft titled Dynamic Host Configuration Protocol DHCPv4 and DHCPv6 Option for Civic Addresses Configuration Information draft ietf geopriv dhcp civil 06 dated May 30 2005 For the actual codes to use contact the PSAP or other authority responsible for speci...

Page 242: ...list Without the port list option displays the global switch information and the per port information currently available for populating outbound LLDP advertisements With the port list option displays only the following port specific information that is currently available for outbound LLDP advertisements on the specified ports PortType PortId PortDesc NOTE This command displays the information av...

Page 243: ...are no LLDP configurable IP addresses available The default per port information content for ports 1 and 2 switch config show lldp info local 1 2 LLDP Local Port Information Detail Port 1 PortType local PortId 1 PortDesc 1 Port 2 PortType local PortId 2 PortDesc 2 Displaying the current port speed and duplex configuration on a switch port You can compare port speed and duplex information for a swi...

Page 244: ... different links using the same VLAN In this case spanning tree should be invoked to prevent a network topology loop Note that LLDP packets travel on links that spanning tree blocks for other traffic types With the port list option provides a listing of the LLDP data that the switch has detected in advertisements received on the specified ports For descriptions of the various types of information ...

Page 245: ...hbor detection activity on the switch plus data on the number of frames sent received and discarded per port The per port LLDP statistics command enhances the list of per port statistics provided by the global statistics command with some additional per port LLDP statistics Global LLDP Counters Neighbor Entries List Last Updated The elapsed time since a neighbor was last added or deleted New Neigh...

Page 246: ... 247 This can also be an indication of advertisement formatting problems in the neighbor device Frames Invalid The total number of invalid LLDP advertisements received on the port An invalid advertisement can be caused by header formatting problems in the neighbor device TLVs Unrecognized The total number of LLDP TLVs received on a port with a type value in the reserved range This can be caused by...

Page 247: ... on the switch One IP address advertisement per port LLDP advertises only one IP address per port even if multiple IP addresses are configured by lldp config port list ipAddrEnable on a given port 802 1Q VLAN Information LLDP packets do not include 802 1Q header information and are always handled as untagged packets Effect of 802 1X Operation If 802 1X port security is enabled on a port and a conn...

Page 248: ...bor the switch stores this information as two separate entries if the advertisements have different chassis ID and port ID information If the chassis and port ID information are the same the switch stores this information as a single entry That is LLDP data overwrites the corresponding CDP data in the neighbor database if the chassis and port ID information in the LLDP and CDP advertisements recei...

Page 249: ... information about adjacent CDP devices but does not generate CDP packets When a CDP enabled switch receives a CDP packet from another CDP device it enters that device s data in the CDP Neighbors table along with the port number where the data was received and does not forward the packet The switch also periodically purges the table of any entries that have expired The hold time for any data entry...

Page 250: ... devices that the switch has detected by receiving their CDP packets CDP neighbors table listing switch config show cdp neighbors CDP neighbors information Port Device ID Platform Capability 1 Accounting 0030c1 7fcc40 J4812A Switch S 2 Resear 1 1 0060b0 889e43 J4121A Switch S 4 Support 0060b0_761a45 J4121A Switch S 7 Marketing 0030c5_33dc59 J4313A Switch S 12 Mgmt NIC 099a05 09df9b NIC Model X666 ...

Page 251: ...es information such as software version device capabilities and voice VLAN information between directly connected devices such as a VOIP phone and a switch When the Cisco VOIP phone boots up or sometimes periodically it queries the switch and advertises information about itself using CDPv2 The switch receives the VOIP VLAN Query TLV type 0x0f from the phone and then immediately sends the voice VLA...

Page 252: ...ciated with that port NOTE Not recommended for phones that support LLDP MED pre standard voice Enables CDP compatible voice VLAN discovery with pre standard VoIP phones admin status Sets the port in either transmit and receive mode or receive mode only Default tx rx port list Sets this port in transmit and receive mode or receive mode only rxonly Enable receive only mode of CDP processing tx_rx En...

Page 253: ...andle CDP packets by filtering out the MAC address learns from untagged VLAN traffic from IP phones This means that normal protocol processing occurs for the packets but the addresses associated with these packets is not learned or reported by the software address management components This enhancement also filters out the MAC address learns from LLDP and 802 1x EAPOL packets on untagged VLANs The...

Page 254: ...rtised by a neighboring switch and the PVID of the switch port which receives the LLDP advertisement Logging is an LLDP feature that allows detection of possible vlan leakage between adjacent switches However if these events are logged too frequently they can overwhelm the log buffer and push relevant logging data out of log memory making it difficult to troubleshoot another issue Logging is disab...

Page 255: ...stem and networking software supported in the device The value equals the sysDescr object if the LAN device supports RFC 3418 System capabilities TLV Indicates primary functions of the device and if they are enabled in the device Management address TLV Indicates the addresses of the local LLDP agent Other remote managers can use this address to obtain information related to the local device The co...

Page 256: ...nt Usage lldp config port_num basicTlvEnable management_addr Show commands Use the command show running config to view the lldp configuration Example switch show running config Running configuration no lldp config 1 basicTlvEnable management_addr Example switch show lldp config 1 LLDP Port Configuration Detail Port 1 AdminStatus Tx_Rx Tx_Rx NotificationEnabled False False Med Topology Trap Enabled...

Page 257: ...ls The DHCP server will require at least one valid pool to start DHCP options On a DHCP server an IP pool is configured with various options These options signify additional information about the network Options are supported with explicit commands such as boot file Option codes that correspond to explicit commands can not be configured with a generic option command the generic option command requ...

Page 258: ...requires a network statement to be configured on a pool Authoritative dummy pools A dummy pool without the range statement can be configured and made authoritative A dummy pool allows static bind entries which do not have matching dynamic pools with network statements to be configured By creating a dummy pool on a DHCP server the support for DHCPinform packets will not be actively serving the clie...

Page 259: ...CPv4 configuration commands DHCPv4 server dhcp server Syntax no dhcp server enable disable Description Use this command to nable disable the DHCPv4 server in a switch Defaults to disabled Parameters and options no Removes all DHCPv4 server configurations enable Enables the DHCPv4 server on the device The no form of this command disable Disables the DHCPv4 server on the device DHCP address pool nam...

Page 260: ...de type NetBIOS node type for a Microsoft DHCPv4 client network Subnet IP and mask of the DHCPv4 server address pool option Raw DHCPv4 server options range Range of IP addresses for the DHCPv4 server address pool static bind Static binding information for the DHCPv4 server address pool tftp server Configure a TFTP server for the DHCPv4 server address pool Validations Validation Error Warning Promp...

Page 261: ... with DHCP ACK or NACK as appropriate for all the received DHCP REQUEST and DHCP INFORM packets belonging to the subnet Non authoritative DHCP INFORM packets received from the clients on a non authoritative pool will be ignored Parameters and options authoritative Configure the DHCP server authoritative for a pool DHCP client boot file bootfile name Syntax no bootfile name FILENAME Description Spe...

Page 262: ... IP address in the DHCP pool Lease time is infinite for static pools The default lease period is one day Parameters and options DD HH MM Enter lease period Lease Lease period of an IP address NetBIOS WINS servers Syntax no netbios name server IP ADDR STR IP ADDR2 IP ADDR8 Description Configure the DHCP pool for the NetBIOS WINS servers that are available to a Microsoft DHCP client List all IP addr...

Page 263: ... options broadcast Broadcast node hybrid Hybrid node mixed Mixed node peer to peer Peer to peer node Subnet and mask network Syntax no network ip addr mask lenght Description Configure the DHCPv4 server pool subnet and mask for the DHCP server address pool Range is configured to enable pool Parameters and options ip addr mask lenght Interface IP address mask DHCP server options Configure DHCP serv...

Page 264: ... server IP ADDR STR IP ADDR2 IP ADDR8 43 no option 43 ascii ascii string hex hex string ip IP ADDR STR IP ADDR2 IP ADDR8 46 no netbios node type broadcast hybrid mixed peer to peer 60 no option 60 ascii ascii string hex hex string ip IP ADDR STR IP ADDR2 IP ADDR8 66 no tftp server server name ASCII STR 67 no bootfile name filename 138 no option 138 ascii ascii string hex hex string ip IP ADDR STR ...

Page 265: ... the DHCPv4 server address pool Manual bindings are IP addresses that have been manually mapped to the MAC addresses of hosts that are found in the DHCP database Manual bindings are just special address pools There is no limit on the number of manual bindings but you can only configure one manual binding per host pool Parameters and options ip Specify client IP address static bind Static binding i...

Page 266: ... DHCP address pool Parameters and options server ip TFTP server IP addresses for the DHCPv4 server address pool ip addr Specify TFTP server IP address Number of ping packets dhcp server ping Syntax no dhcp server ping packets 0 10 timeout 0 10 Description Specify in the global configuration context the number of ping packets the DHCP server will send to the pool address before assigning the addres...

Page 267: ... lease database file file URL Format tftp ip address filename database Specifies DHCPv4 database agent and the interval between database updates and database transfers timeout Seconds to wait for the transfer before failing ascii str Database URL 15 86400 Delay in seconds 0 86400 Timeout in seconds DHCP server and SNMP notifications snmp server enable traps Syntax no snmp server enable traps dhcp ...

Page 268: ...server on a VLAN Parameters and options dhcp server Enable DHCPv4 server on a VLAN Clear commands clear dhcp server conflicts Syntax clear dhcp server conflicts IP ADDR Description Reset DHCPv4 server conflicts database If IP address is specified reset only that conflict Parameters and options dhcp server Clears theDHCPv4 server information ip addr Specify the IP address whose conflict is to be cl...

Page 269: ...ddress of the binding is to be cleared Show commands show dhcp server Syntax show dhcp server binding conflicts database statistics pool POOL NAME Description Show DHCPv4 server global configuration information for the device Parameters and options binding Display the DHCPv4 server address bindings on the device conflicts Display address conflicts found by a DHCPv4 server when addresses are offere...

Page 270: ...lobally DHCP server is disabled globally The DHCP server configurations are deleted The DHCP server configurations are deleted Decline from client when server assigns an illegal Ipv6 address s Decline offer from x server of x because the address is illegal DHCP server is enabled on a specific VLAN DHCP server is enabled on VLAN d DHCP server is disabled on a specific VLAN DHCP server is disabled o...

Page 271: ...failure is printed as argument Failed to write the binding database to s Error s Invalid bindings are found in the database at the specified URL Invalid binding database at s The specified VLAN does not have a matching IP pool configured This occurs when the DHCP server is enabled on the specified VLAN but no IP pool is configured with a network IP matching the VLAN network IP VLAN d does not have...

Page 272: ...tive bindings d Free bindings d Low threshold reached for the specified pool Count of Active bindings and Free bindings are printed as arguments Low threshold reached for pool s Active bindings d Free bindings d No active VLAN with an IP address is available to read binding database from the configured URL No active Vlan with an IP address available to read binding database 272 Aruba 2930F 2930M M...

Page 273: ...dress option is included for each client DHCPv6 relays agents include Option 79 for all message types when enabled The message types are solicit request confirm decline renew rebind release and information request DHCPv6 provides additional information for event debugging and logging related to the client at the server NOTE All cascading relay agents simply encapsulate the message received and rel...

Page 274: ...tch will support only 8 DHCPv6 snooping enabled VLANs when Dynamic IPv6 Lockdown feature is enabled If the VLAN which is being configured for DHCPv6 Snooping has a Smart Link enabled port Cannot configure DHCPv6 Snooping on a VLAN containing Smart Link ports If a VLAN is being configured as a Smart Link protected VLAN and DHCPv6 Snooping is enabled on it Cannot configure a VLAN as a protected VLAN...

Page 275: ... trusted port as a Smart Link port dhcpv6 snooping authorized server Syntax no dhcpv6 snooping authorized server IPV6 ADDRESS Description Configure authorized DHCPv6 servers For DHCPv6 snooping to allow a server to client packet to be forwarded it must be received on a trusted port from an authorized server If no authorized servers are configured all server addresses are valid ddhcpv6 snooping dat...

Page 276: ...t mode is not supported dhcpv6 snooping max bindings Syntax no dhcpv6 snooping max bindings PORT LIST 1 8192 Description Configure the maximum number of binding addresses allowed per binding anchor A binding anchor is a unique attribute that can be associated with a client address Parameters and options max bindings Configuring maximum number of binding addresses allowed per port If the max bindin...

Page 277: ...e because the number of static bindings on the port exceeds the maximum binding value If a port on which max binding is enabled is being put into a trunk Cannot add a port to a trunk group when DHCPv6 Snooping Maxbinding is configured on that port If a trunk has max bindings configured on it And the trunk is being removed Cannot remove the port s from the trunk group because DHCPv6 Snooping max bi...

Page 278: ...Prompt If dhcp snooping not enabled globally DHCPv6 snooping is disabled debug security dhcpv6 snooping Syntax debug security dhcpv6 snooping config event packet Description Enable debug for DHCPv6 snooping Parameters and options config Debug DHCPv6 snooping configuration event Debug a DHCPv6 snooping event packet Debug DHCPv6 snooping by packet ipv6 source lockdown ethernet Syntax no ipv6 source ...

Page 279: ...mic Ipv6 lockdown is enabled If Binding limits are exceeded Cannot enable Dynamic Ipv6 Lockdown on ports s as manual binding limits are exceeded If lockdown is being enabled on an interface which is part of a dynamic trunk LACP Cannot configure Dynamic Ipv6 Lockdown on interface s it is a Dynamic trunk If lock down is being configured on a mesh port Cannot configure Dynamic Ipv6 Lockdown on a logi...

Page 280: ...Invalid input s Verify whether the mac address is valid Invalid input s Verify whether the ipv6 address is valid Invalid input s Verify whether the port number is valid on the device Module not present for port or invalid port port num If any other addresses other than global unicast address are entered Invalid Ipv6 address If the ipv6 address entered is not a unicast Only Ipv6 unicast addresses a...

Page 281: ... to a link local address To bind another link local address delete the existing binding If a binding exists for a particular client in the BST and the same binding is being configured for another port The IPv6 source binding already exists for another port If the switch total limit for bindings is exceeded Cannot add the IPv6 source binding because the number of source bindings exceeds the maximum...

Page 282: ...s Validation Error Warning Prompt If dhcpv6 snooping not enabled DHCPv6 snooping is disabled show dhcpv6 snooping bindings Syntax show dhcpv6 snooping bindings Description Show dhcpv6 snooping binding entries This would show both dynamic and static binding entries Validation rules Validation Error Warning Prompt If dhcpv6 snooping not enabled DHCPv6 snooping is disabled show dhcpv6 snooping statis...

Page 283: ...IPv6 Lockdown Bindings Port IPv6 Address Vlan MAC Not Address in HW A1 3000 abbb 1234 3456 1234 1234 1234 1234 1 123456 789101 Yes F23 300 ab 2 4092 abcdef 123455 No show ipv6 source lockdown status Syntax show ipv6 source lockdown status Description Used to show IPV6 source lockdown status per port Parameters and options source lockdown Show dynamic IPv6 Lockdown Show dynamic IPv6 Lockdown config...

Page 284: ...led Login failures Enabled Port Security Enabled Authorization Server Contact Enabled DHCP Snooping Enabled DHCPv6 Snooping Out of Resource Enabled DHCPv6 Snooping Errant Replies Enabled Dynamic ARP Protection Enabled Dynamic IP Lockdown Enabled Dynamic IPv6 Lockdown Out of Resource Enabled Dynamic IPv6 Lockdown Violations Enabled Startup Config change Disabled Running Config Change Disabled MAC a...

Page 285: ...trunking consistency parameters Syntax show distributed trunking consistency parameters global PIM SM Description Display global peer consistency details If the platforms do not match an error message similar to inconsistant criteria is returned Parameters and options global Display global peer consistency details PIM SM Display PIM SM peer consistency details Show distributed trunking consistency...

Page 286: ...P Snooping Max Binding Configured on Local Yes Ports Max Bindings Trk2 6 DHCP Snooping Max Binding Configured on Peer No Feature pim sm show distributed trunking consistency parameters global feature pim sm PIM SM Enabled VLANs on Local 20 30 PIM SM Enabled VLANs on Peer 20 30 show dhcpv6 relay Syntax show dhcpv6 relay Description Displays the DHCPv6 relay configuration Cannot be configured from t...

Page 287: ...untrusted port for s RMON_DSNOOPV6_UNAUTHORIZED_SERVER s Unauthorized server s detected on port s RMON_DSNOOPV6_UNAUTHORIZED_SERVER_SUSP s Ceasing unauthorized server logs for s RMON_DSNOOPV6_BAD_RELEASE s Illegal IPv6 release from 02X 02X 02X 02X 02X 02X on port s Address leased to other client or not leased s RMON_DSNOOPV6_BAD_RELEASE_SUSP s Ceasing the log messages for the illegal IPv6 release ...

Page 288: ...m binding configured on that port RMON_DSNOOPV6_EVENT_BINDINGS_EQUALS_MAXBIND_SUSP s Ceasing the log messages for bindings on port that equals max binding value for s RMON_DSNOOPV6_EVENT_MAXBIND_BELOW_BINDINGS s The number of bindings on the port s exceeds the maximum binding configured on that port RMON_DSNOOPV6_EVENT_MAXBIND_BELOW_BINDINGS_SUSP s Ceasing the log messages for bindings on port tha...

Page 289: ...r duplicate IPv6 offers for s RMON_DSNOOPV6_ILLEGAL_LEASE s Dropped the IPv6 offer from s because the offered address is illegal s RMON_DSNOOPV6_ILLEGAL_LEASE_SUSP s Ceasing the log messages for illegal IPv6 offers for s RMON_DSNOOPV6_INVALID_PACKET s Invalid DHCPv6 packet s s RMON_DSNOOPV6_INVALID_PACKET_SUSP s Ceasing the log messages for invalid DHCPv6 packets for s RMON_DSNOOPV6_DIPLDV6_PORT_R...

Page 290: ...wn VLAN d on port s not enough HW resources RMON_DIPLDV6_VIOLATION Access denied s s port s d packets received since last log RMON_DIPLDV6_DHCPV6_REQUEST_DROPPED DHCPV6 REQUEST dropped for 02x 02x 02x 02x 02x 02x port s unable to add the binding a port or switch limit was reached RMON_DIPLDV6_VIOLATION_ON_VLAN Access was denied on VLAN d d packets received since last log RMON_DSNOOPV6_CONFLICT_IN_...

Page 291: ...P transfer of binding state table is a success or failure TFTP of BST from the dsnoopv6 device is successful failed When a DIPLDv6 enabled port is removed from a DsnoopV6 enabled vlan Port u is removed from a dhcpv6 snooped VLAN When DsnoopV6 is disabled globally which makes DIPLDv6 no longer configured Dhcpv6 snooping disabled globally dynamic Ipv6 lockdown also disabled When DsnoopV6 is disabled...

Page 292: ... are detected on a VLAN Access was denied on VLAN d d packets received since last log When max binding limit is reached on a Port Max binding limit reached on Port s 292 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 293: ... as switches access points and controllers directly to the site of usage With ZTP even a nontechnical user for example store manager in a retail chain or a class teacher in a school can deploy devices at site When the devices are connected to AirWave or Central ZTP automatically sets up the required firmware and configurations and services without the need for technical expertise on site ZTP with ...

Page 294: ... ZTP on OOBM interface ipv6 enable and ipv6 address dhcp full commands are enabled by default on OOBM interface 3 After the AirWave details are verified and configured the switch initiates the check in into the AirWave server using the HTTPS communication The AirWave configuration must be in the following format Group Topfolder folder1 AMP IP shared secret 4 From 16 08 if AirWave is reachable thro...

Page 295: ...ablished between the branches and the Corporate HQ to secure the management traffic For more information refer the Activate based ZTP with AirWave NOTE If IPsec tunnel is required for AirWave the switch requires Aruba Mobility Controller IP address which is provided through ZTP with DHCP Option 138 CAPWAP DHCP server configuration for DHCP based ZTP You can configure the DHCP server for AirWave us...

Page 296: ...2 Select Roles DHCP Server w2k8 IPv4 3 Right click IPv4 and select Set Predefined Options 296 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 297: ...he Predefined Options and Values screen is displayed Click Add 5 Enter the Name any Data type select String Code enter 60 and Description any Chapter 10 Zero Touch Provisioning with AirWave and Central 297 ...

Page 298: ...Value enter the String ArubaInstantAP The string is case sensitive and must be ArubaInstantAP 8 Click OK 9 Under IPv4 expand Scope Right click Scope Options and select Configure Options 298 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 299: ... hp2920 90 1 1 10 admin The ASCII value has the following format Group Topfolder AMP IP shared secret 11 To add subdirectories use the following format Group Topfolder folder1 AMP IP shared secret 12 Under the General tab select 060 AirWave Click OK Chapter 10 Zero Touch Provisioning with AirWave and Central 299 ...

Page 300: ...the following information option CAPWAP code 138 array of ip address ddns update style ad hoc subnet 192 168 20 0 netmask 255 255 255 0 option tftp server name 192 168 20 5 option routers 192 168 20 31 option ntp servers 192 168 20 5 option domain name Airport option domain name servers 192 168 20 5 option CAPWAP 171 0 0 3 option 43 171 0 0 100 range 192 168 20 10 192 168 20 30 300 Aruba 2930F 293...

Page 301: ...6 2001 5000 2001 5090 Some 64 prefixes available for Prefix Delegation RFC 3633 3ffe 501 ffff 100 3ffe 501 ffff 111 64 prefix6 2001 2001 3 64 option dhcp6 name servers 2001 6001 2001 6002 option dhcp6 vendor opts 00 00 B8 5C HPE enterprise number 00 64 00 35 suboption 100 length of AW string below hex values are for this ascii string group folder 2001 212 secret 67 72 6f 75 70 3a 66 6f 6c 64 65 72...

Page 302: ... DHCP server for IPv4 do the following steps NOTE Use these steps to configure ZTP for every switch by selecting a different Vendor Class for each type of switch This method is not applicable for ZTP through OOBM Procedure 1 From the Start menu select Server Manager 2 Select Roles DHCP Server w2k8 IPv4 302 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 303: ...3 Right click IPv4 and select Define Vendor Classes 4 The DHCP Vendor Classes window is displayed Click Add Chapter 10 Zero Touch Provisioning with AirWave and Central 303 ...

Page 304: ...Vendor Class Id J9729A 2920 24G PoE Switch dslforum org 7 From the New Class window enter the desired Display name any and the Description any For the ASCII field enter the exact value that you got by executing the show command performed in the previous step In this example Hewlett Packard Enterprise J9729A 2920 24G PoE Switch dslforum org 304 Aruba 2930F 2930M Management and Configuration Guide f...

Page 305: ...ons 10 From the Predefined Options and Values window select Option class The Option Class displayed is the one that you configured under DHCP Vendor Class In this example the Option Class is switch Chapter 10 Zero Touch Provisioning with AirWave and Central 305 ...

Page 306: ...the Predefined Options and Values window enter the Value String In this example enter hpeSwitch hp2920 90 1 1 10 admin The String has the following format Group Topfolder AMP IP shared secret 15 To add sub folders use the following format Group Topfolder folder1 AMP IP shared secret 306 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 307: ...s and select Configure Options 18 From the Scope Options window a Select the Advanced tab b Under Vendor class select the desired switch In this example switch c Select the 146 switch option d Click OK Chapter 10 Zero Touch Provisioning with AirWave and Central 307 ...

Page 308: ...on ArubaInstantAP cfg code 144 text option ArubaInstantAP img code 145 text option ArubaInstantAP org code 146 text option CAPWAP code 138 array of ip address ddns update style ad hoc subnet 192 168 20 0 netmask 255 255 255 0 option tftp server name 192 168 20 5 option routers 192 168 20 31 option ntp servers 192 168 20 5 option domain name Airport option domain name servers 192 168 20 5 308 Aruba...

Page 309: ...upported by VSF Best Practices Implement ZTP in a secure and private environment Any public access may compromise the security of the switch as follows Since ZTP is enabled only on the factory default configuration of the switch DHCP snooping is not enabled The Rogue DHCP server must be manually managed The DHCP offer is in plain data without encryption Therefore the offer can be listened by any d...

Page 310: ...p IP ADDR IPv6 ADDR group GROUP folder FOLDER secret SECRET no amp server Description The amp server command configures AirWave Management Platform AMP IP address group folder and shared secret for triggering the device registration with AMP The amp server command supports both the IPv4 and IPv6 addresses Switch cannot be provisioned simultaneously with IPv4 and IPv6 AirWave addresses NOTE The amp...

Page 311: ...2222 1a2f 1a2b group GROUPNAME STR AMP server group name Switch config amp server ip 2001 1db8 3cd4 1115 1111 2222 1a2f 1a2b group grp21 folder AMP server folder name Switch config amp server ip 2001 1db8 3cd4 1115 1111 2222 1a2f 1a2b group grp21 folder FOLDERNAME STR AMP server folder name Switch config amp server ip 2001 1db8 3cd4 1115 1111 2222 1a2f 1a2b group grp21 folder fld21 secret AMP serv...

Page 312: ...support The ZTP process for stacked switches with AirWave is similar to the one for the standalone switch with the exception that only the commander in the stack checks in with AirWave Disabling ZTP ZTP is disabled if you make any of the following changes to the switch configuration Enter the switch configuration mode using the configure terminal command Enter into Menu and exit without doing any ...

Page 313: ...P server messages To display the AMP server debug messages enter switch debug ztp To print the debug messages to the terminal enter switch debug destination session Activate based ZTP with AirWave ZTP with Activate is used in the following scenarios to help switches check in through the Internet with public facing instances of Airwave Deployments where administrators do not have a DHCP server to c...

Page 314: ... This feature supports secure communication between the switch and Aruba mobility controller VPN concentrator for AirWave traffic The switch also provides the necessary support for ZTP by establishing a secure tunnel between the switch and AirWave which are provided by a DHCP server or Activate IPsec ensures that communication between the switch and AirWave server management traffic is protected b...

Page 315: ...e device before establishing the connection to AirWave If the controller IP is not provided the switch will try to establish a direct connection to AirWave If the controller IP is present the switch auto configures and initiates an IPsec tunnel interface Once the tunnel is established the Aruba controller provides an inner IP which the switch will then use as source IP to send any AirWave bound tr...

Page 316: ... If the existing IPsec session is lost the switch is able to establish a new IPsec tunnel session with a backup controller secondary controller Backup controller support for IPsec tunnel The switch supports two controllers with all the services such as ClearPass Syslog DNS and AirWave In such scenarios a controller functions as a backup controller 1 aruba vpn is modified to support backup controll...

Page 317: ...pe is amp after five consecutive AirWave check in failures the existing tunnel is destroyed and an IPsec tunnel is established with the other controller NOTE ZTP continues to support existing DHCP options for AirWave or Controller IP discovery You can configure both the primary and backup controllers IP in DHCP Chapter 10 Zero Touch Provisioning with AirWave and Central 317 ...

Page 318: ...es Airwave CPPM Syslog etc Services Airwave CPPM Syslog etc Restrictions 1 Priority based failover is not supported 2 When there is a failover to backup controller the primary controller will not try to re establish the IPsec session when it becomes active 3 Failover to the other either primary or secondary controller results in data loss All the existing application sessions in the switch will be...

Page 319: ... refer http www arubanetworks com techdocs ArubaOS_63_Web_Help Content ArubaFrameStyles Control_Plane Whitelists_on_Campus_and_Remote_APs htm 2 Add an IP address pool that can be assigned to switch after tunnel creation The IP range must not overlap with the interfaces IP on the controller ip local pool ipsec 2 0 0 100 2 0 0 255 3 Create access lists that permit AirWave traffic and assign them to ...

Page 320: ...traffic Secure ZTP is not supported IP_addr IP address of the VPN Usage switch config aruba vpn type switch config aruba vpn type amp switch config aruba vpn type amp peer ip switch config aruba vpn type any NOTE When you configure aruba vpn type as any the switch creates a tunnel and updates the inner ip You can create routes using the ip route command for next hop as aruba vpn sends management t...

Page 321: ...ntax show ip route Description Show the IP route show ip route show ip route IP Route Entries Destination Gateway VLAN Type Sub Type Metric Dist 0 0 0 0 0 192 168 20 31 1 static 250 1 2 0 0 9 32 aruba vpn static 1 1 2 0 0 108 32 aruba vpn connected 1 0 127 0 0 0 8 reject static 0 0 127 0 0 1 32 lo0 connected 1 0 192 168 20 0 24 DEFAULT_VLAN 1 connected 1 0 The inner IP received from the Aruba Cont...

Page 322: ...a vpn tunnel Tunnel Status Enabled Source Address 192 168 20 10 Destination Address 171 0 0 3 Mode IPsec IPv4 TOS Value from IPv4 header TTL 64 IPv6 Disabled MTU 1280 Current Tunnel Status Tunnel State Up Destination Address Route 0 0 0 0 0 Next Hop IP 192 168 20 31 Next Hop Interface vlan 1 Next Hop IP Link Status Up Source Address Configured on vlan 1 IP Datagrams Received 11 IP Datagrams Transm...

Page 323: ... 3301 Key Size 0 Remaining key Size 0 Usage show crypto ipsec statistics show running configuration Syntax show running configuration NOTE IP route or tunnel interface will not be displayed in show run as they are auto created show running configuration show running config Running configuration JL258A Configuration Editor Created on release XX XX XX XXXX Ver 11 10 9b 3f bf bb ef 7c 59 fc 6b fb 9f ...

Page 324: ... being provisioned Router Firewall Activate Secure connection Corporate HQ Branch 2 Branch 1 Secure connection Secure connection Aruba Central Servers The workflow is as follows 1 The switches being provisioned in branches boot and connect to the Activate on the cloud 2 Based on administrator s provisioning such as folder rule the device is placed in the appropriate folder before being redirected ...

Page 325: ...cted back to Central Aruba Central Configuration manually In factory default switches ZTP with Central is turned ON ZTP can be disabled in the following scenarios Switches with edited configuration Switches where the administrator has explicitly turned off ZTP with Central In any of the mentioned scenarios an administrator can manually configure Aruba Central using the aruba central command Activa...

Page 326: ...tivate software update enable disable Description Enables or disables the Activate software update Activate software update is enabled by default Options disable Disables the Activate software update enable Enables the Activate software update Example Switch will check with activate for every seven days for latest image available and RMON logs will be generated I 10 25 16 14 04 27 05219 activate A...

Page 327: ... Aruba Activate server secondary Update secondary software image using the Aruba Activate server Example switch activate software update update This command will save the current configuration update the selected software image and reboot the system to the selected partition Continue y n y 000M show activate software update Syntax show activate software update Description Show the configuration an...

Page 328: ...NS Lookup NA Proxy Server DNS Lookup NA Activate Connection Status NA Error Reason NA Connected to Activate post DNS resolution and got Central URL switch config show activate provision Configuration and Status Activate Provision Service Activate Provision Service Enabled Activate Server Address device arubanetworks com Activation Key ZAELQSRB NTP HTP Time Sync Status Time sync from NTP Activate D...

Page 329: ...on Service Activate Provision Service Enabled Activate Server Address device arubanetworks com Activation Key ZAELQSRB NTP HTP Time Sync Status Time sync from NTP Activate DNS Lookup Success Proxy Server DNS Lookup NA Activate Connection Status Success Error Reason NA Unsuccessful Activate connection due to unresolved Activate server address switch config show activate provision Configuration and ...

Page 330: ...n obtained using Aruba Activate the system will connect to an Aruba Central server The system will obtain configuration updates and most local configuration commands will be disabled This mode is enabled by default Enter support mode to enable all configuration commands Normally when the system is connected to an Aruba Central server the configuration is updated from that server and most local con...

Page 331: ...uba Central service Use of this mode may invalidate the configuration provisioned through Aruba Central server Continue y n Troubleshooting You can troubleshoot switches by using the SSH connection and the device logs available in AirWave For a list of all RMON message refer to Event Log Messages Guide of your switch You can enable the debug logging with the debug ztp command see debug ztp Show ar...

Page 332: ...TCP read error Malformed packet received or the SSL socket is closed 3 CLOUD_TCP_READ_TIMEOUT_ERR ERR_TCP_READ_TIM EOUT TCP timeout Server is taking longer time to respond Check the server reachability 4 CLOUD_TLS_ERR ERR_SSL TLS error Verify if the device or system certificate is valid 5 CLOUD_TLS_CERT_VAL_ERR ERR_SSL_CERT_VAL IDATION_FAILED Certificate validation failed Verify if it is correctly...

Page 333: ...tions to server Disconnect the device and connect back 15 CLOUD_TLS_NO_CIPHER_MATCH ERR_SSL_NO_CIPHE R_MATCH Cipher suites are not common between device and server 16 CLOUD_TLS_UNKNOWN_CA ERR_SSL_UNKNOWN_ CERTIFICATE_AUTH ORITY Server certificate is not issued by a trusted CA 17 CLOUD_TLS_NO_SELF_SIGNET_CERT ERR_SSL_NO_SELF_ SIGNED_CERTIFICA TES Server presented a self signed certificate This cert...

Page 334: ... log for Activate Provision Error Reason field is added in the switch firmware as part of Aruba Central Onboarding Feature from 16 07 Error reason log helps in debugging switch firmware for central connectivity failure Following table shows the list of error reasons Preprocessor Directive Error Reason ACTIVATE_RESP_FAIL_CODE Activate provision fails because of invalid response received from server...

Page 335: ... network device Syntax interface PORT LIST device type network device no interface PORT LIST device type network device Description Configures the type of device and identifies a port connected with a network infrastructure device such as switch AP router The switch will not report the client entries on the port to Central The no form of this command removes the configuration of type of the device...

Page 336: ...ts to the intended destinations Limitations HTTPS proxy is not supported Authenticating the HTTP proxy is not supported HTTP proxy support is only for IPv4 endpoints Configuring ZTP When the switch is provisioned for Central or Controller switch is managed once it is connected to the public network In case the user wants to reach the public network through the proxy then the IP address of the prox...

Page 337: ...ring these packets reach the switch If AirWave must work without proxy then AirWave IP is bypassed explicitly Support for Aruba ClearPass For downloading a user role from ClearPass switch initiates HTTPS connection with ClearPass If the proxy is configured proxy server is used to reach ClearPass When ClearPass is deployed with Aruba controller ClearPass must be explicitly exempted from proxy Add t...

Page 338: ...cp client vendor specific Vendor Class Id J9854A 2530 24G PoE 2SFP Switch Processing of Vendor Specific Configuration is enabled 3 Add Displayed name and Description for the New Vendor Class in the ASCII field add J9854A 2530 24G PoE 2SFP Switch value exactly obtained from the switch otherwise the option may not work 338 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08...

Page 339: ... Select option class as the newly defined vendor class click ADD and enter the following information for Proxy details a Name Proxy b Data Type String c Code 148 d Description Proxy details Chapter 10 Zero Touch Provisioning with AirWave and Central 339 ...

Page 340: ... options and select Configure options Go to Advanced tab select the vendor class from the menu as the newly defined class New suboptions that are added appears Check 148 and add Proxy details in string value field in the format as mentioned http web proxy in ABCcorp net 8080 or http 192 168 50 18 3128 Check 144 and add configuration filename in string value field optional 340 Aruba 2930F 2930M Man...

Page 341: ...er options 7 Now restart the DHCP service and download new DHCP attributes in the switch you can check that the proxy details are correctly downloaded in the switch using the show proxy config command Chapter 10 Zero Touch Provisioning with AirWave and Central 341 ...

Page 342: ...ort number for the proxy server Example switch config proxy server http web proxy au abccorp net 3128 switch config proxy server http 192 168 0 6 8080 proxy exception ip host Syntax proxy exception ip host ip addr mask length hostname no proxy exception ip host ip addr mask length hostname Description Configures an IPv4 address mask length and URL to the list of IP address and host which can be re...

Page 343: ...tp Proxy Configuration details Server URL http web proxy au abccorp net 3128 Manually configured exceptions No Exception 1 192 168 0 10 12 2 http web proxy au abdcorp net 3128 Automatically added exceptions No Exception 1 2 0 0 9 NOTE On configuring IPsec tunnel Airwave IP is automatically added as an exception in the switch The IPsec tunnel is configured directly over the network bypassing the HT...

Page 344: ... on the software it was using before the download NOTE Downloading new switch software does not change the current switch configuration The switch configuration is contained in separate files that can also be transferred See Transferring switch configurations on page 358 In most cases if a power failure or other cause interrupts a flash image download the switch reboots with the image previously s...

Page 345: ...f download failures include Incorrect or unreachable address specified for the TFTP Server parameter This may include network problems Incorrect VLAN Incorrect name specified for the Remote File Name parameter or the specified file cannot be found on the TFTP server This can also occur if the TFTP server is a UNIX machine and the case upper or lower for the filename on the server does not match th...

Page 346: ...IP address of 10 28 227 103 to primary flash Procedure 1 Execute copy as shown below The command to download an OS switch software switch copy tftp flash 10 28 227 103 k0800 swi The primary OS Image will be deleted continue y n y 1 01431K 2 1This message means that the image you want to upload will replace the image currently in primary flash 2Dynamic counter continually displays the number of byt...

Page 347: ... NOTE Usage notes To disable all TFTP client or server operation on the switch except for the auto TFTP feature enter the no tftp client server command When IP SSH file transfer is used to enable SCP and SFTP functionality on the switch this disables TFTP client and server functionality Once ip ssh file transfer is enabled TFTP and auto TFTP cannot be re enabled from the CLI When TFTP is disabled ...

Page 348: ...nd from the switch The switch s USB port labeled as Aux Port allows the use of a USB flash drive for copying configuration files to and from the switch Operating rules and restrictions Unformatted USB flash drives must first be formatted on a PC Windows FAT format For devices with multiple partitions only the first partition is supported Devices with secure partitions are not supported If they alr...

Page 349: ... you try to issue commands such as create or remove using SFTP the switch server returns an error message You can use SFTP just as you would TFTP to transfer files to and from the switch but with SFTP your file transfers are encrypted and require authentication so they are more secure than they would be using TFTP SFTP works only with SSH version 2 SSH v2 NOTE SFTP over SSH version 1 SSH v1 is not...

Page 350: ...th SFTP enabled switch config ip ssh filetransfer Tftp and auto tftp have been disabled 1 switch config sho run Running configuration J9091A Configuration Editor Created on release xx 15 xx hostname Switch module 1 type J8702A module 2 type J702A vlan 1 name DEFAULT_VLAN untagged A1 A24 B1 B24 ip address 10 28 234 176 255 255 240 0 exit ip ssh filetransfer 2 no tftp enable password manager passwor...

Page 351: ...SCP or SFTP commands to safely transfer files or issue commands to the switch NOTE Any attempts to use SCP or SFTP without using ip ssh filetransfer cause the SCP or SFTP session to fail Depending on the client software in use you will receive an error message on the originating console for Example IP file transfer not enabled on the switch Disabling secure file transfer switch config no ip ssh fi...

Page 352: ... file system displaying all of its available files and folders No file or directory creation is permitted by the user Files may be only uploaded or downloaded according to the permissions mask All of the necessary files the switch needs are already in place on the switch You do not need to nor can you create new files The switch supports one SFTP session or one SCP session at a time All files have...

Page 353: ...t may appear in the log depending on the type of session that is running SSH SCP or SFTP ssh read error Bad file number session aborted I 01 01 90 00 06 11 00636 ssh sftp session from ffff 10 0 12 35 W 01 01 90 00 06 26 00641 ssh sftp read error Bad file number session aborted I 01 01 90 00 09 54 00637 ssh scp session from ffff 10 0 12 35 W 01 01 90 ssh scp read error Bad file number session abort...

Page 354: ...k drive in the PC The terminal emulator you are using includes the Xmodem binary transfer feature For example in the HyperTerminal application included with Windows NT you would use the Send File option in the Transfer drop down menu Downloading to primary or secondary flash using Xmodem and a terminal emulator CLI Syntax copy xmodem flash primary secondary Downloads a software file to primary or ...

Page 355: ... guide for your switch Switch to switch download You can use TFTP to transfer a software image between two switches of the same series The CLI enables all combinations of flash location options Downloading the OS from another switch CLI Where two switches in your network belong to the same series you can download a software image between them by initiating a copy tftp command from the destination ...

Page 356: ...dary flash in a destination switch you would execute the following command in the destination switch s CLI Switch to switch from either flash in source to either flash in destination switch copy tftp flash 10 29 227 13 flash os secondary secondary Device will be rebooted do you want to continue y n y 00184K Using AirWave to update switch software AirWave can be used to update switch products For f...

Page 357: ...ocedure 1 Execute the following command switch copy xmodem flash Press Enter and start XMODEM on your host 2 After you see the above prompt press Enter 3 Execute the terminal emulator commands to begin the file transfer Copying diagnostic data copy command log Syntax copy command log sftp tftp usb xmodem Description This command copies the Command Log content to a remote host or to a serially conn...

Page 358: ...E For greater security you can perform all TFTP operations using SFTP as described in the section Using SCP and SFTP on page 348 You can also use the include credentials command to save passwords secret keys and other security credentials in the running config file For more information see the section on Saving Security Credentials in a Config File in the access security guide for your switch TFTP...

Page 359: ...custom command is executed the commands in the custom file are executed instead of the hard coded list of commands If no custom file is found the current hard coded list is executed This list contains commands to display data such as the image stamp running configuration boot history port settings and so on Syntax copy tftp show tech ipv4 or ipv6 address filename Copies a customized command file t...

Page 360: ...t you copy from the switch to the USB device switch copy usb startup config MyConfig Xmodem Copying a configuration file to a serially connected PC or UNIX workstation CLI To use this method the switch must be connected via the serial port to a PC or UNIX workstation You will need to Determine a filename to use Know the directory path you will use to store the configuration file Syntax copy startu...

Page 361: ...le on the switch For more information see Multiple Configuration Files in the basic operation guide for your switch Example To copy a configuration file from a PC serially connected to the switch Procedure 1 Execute the following command switch copy xmodem startup config pc Device will be rebooted do you want to continue y n y Press Enter and start XMODEM on your host 2 After you see the above pro...

Page 362: ...tory of the server identified by ip addr unix pc The type of workstation used for serial Telnet or SSH access to the switch CLI Depending on the ACL commands used this action does one of the following in the running config file Creates a new ACL Replaces an existing ACL See Creating an ACL Offline in the Access Control Lists ACLs in the latest access security guide for your switch Adds to an exist...

Page 363: ...55 0 0 0 0 255 255 255 255 exit 1This message indicates that the show running command just above it is not an ACL command and will be ignored by the switch 2Manually executing the show running from the CLI indicates that the file was implemented creating ACL 155 in the switch s running configuration Xmodem Uploading an ACL command file from a serially connected PC or UNIX workstation CLI Syntax co...

Page 364: ...ions Destination Operation note Flash n a SFTP For transfer of crash files via SFTP the destination directory must exist on the SFTP server with write permissions File creation is not mandatory as files are automatically created with the chassis serial number suffix to the filename when using SFTP TFTP For transfer of crash files via TFTP the destination directory along with the file names core du...

Page 365: ... Copy custom default config file event log Copy event log file fdr log Copy FDR og file from the switch to an SFTP TFTP server or xmodem terminal flash Copy the switch system image file SFTP server Copy data from a SFTP server startup config Copy in flash configuration file ssh client known hosts Copy the known hosts file ssh server pub key Copy the switch s SSH server public key running config Co...

Page 366: ...Required for TFTP and SFTP transfers filename File name to upload download Required for TFTP and SFTP transfers hostname Hostname of the TFTP SFTP server Required for TFTP SFTP transfers IPv4 address TFTP SFTP server IPv4 address Required for TFTP SFTP transfers IPv6 address TFTP SFTP server IPv6 address Required for TFTP SFTP transfers manager Replace the keys for manager access follow with the a...

Page 367: ... Syntax copy crash files interfaces Copy interfaces crash files management Copy management crash files Destination SFTP TFTP Xmodem Slot ID X X X MM active X X X MM standby X X X Stacking switches Syntax copy crash files member Copy stack member crash files Options for member Option Destination SFTP TFTP USB xmodem management X X X X interfaces X X X X Chapter 11 File Transfers 367 ...

Page 368: ... remote system Information hostname IPv4 or IPv6 address dirname str Specify the destination directory name Destination options management Copy management crash files Flight Data Recorder FDR The Flight Data Recorder FDR log collects information that is interesting when the switch is not performing correctly but has not crashed Runtime logs are written to FDR memory while the switch is running and...

Page 369: ... Switch Series usb port Syntax usb port no usb port Description Enables the USB port The no form of the command disables the USB port and any access to the device Command context Config show usb port Syntax show usb port Description Displays the status of the USB port It can be enabled disabled or not present Command context operator Usage One of the following messages indicates the presence or ab...

Page 370: ...hether the image will be installed in the primary or secondary flash Copying using USB To copy the primary image to a USB flash drive Procedure 1 Insert a USB device into the switch s USB port 2 Execute the command switch copy flash usb K 0800 swi primary secondary where K 0800 swi is the name given to the primary flash image that is copied from the switch to the USB device copy flash usb Syntax c...

Page 371: ...and executes the named text file from a USB flash drive and executes the ACL commands in the file Depending on the ACL commands used this action does one of the following in the running config file Creates a new ACL Replaces an existing ACL Adds to an existing ACL Parameters FILENAME TXT A text file containing ACL commands and stored in the USB flash drive unix pc The type of workstation used to c...

Page 372: ...egal non ACL command in the file it bypasses the illegal command displays a notice and continues to implement the remaining ACL commands in the file 372 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 373: ...ons are described in Troubleshooting on page 458 See Diagnostic tools on page 527 Switch and network operations The switches have several built in tools for monitoring analyzing and troubleshooting switch and network operation Status Includes options for displaying general switch information management address data port status port and trunk group statistics MAC addresses detected on each port or ...

Page 374: ...tions chassislocate Displays the chassisLocator LED status Possible values are ON Off or Blink When the status is On or Blink the number of minutes that the Locator LED will continue to be on or to blink is displayed See Figure 39 Command results for show system chassislocate command on page 375 information Displays global system information and operational parameters for the switch See Figure 41 ...

Page 375: ...0 System fan status Figure 41 Switch system information chassislocate Syntax Description Identifies the location of a specific switch by activating the blue locator LED on the front panel of the switch chassislocate blink on off Parameters and options Chapter 12 Monitoring and Analyzing Switch Operation 375 ...

Page 376: ...number of minutes for the chassis locate LED to remain on or blink at Specify when the command is applied default immediately now Turn on the chassis locate LED immediately startup Turn on the chassis locate LED at switch startup off Turn off the chassis locate LED switch chassislocate at startup chassislocate blink 10 at startup show system chassislocate Syntax show system chassislocate Descripti...

Page 377: ...n and operational parameters for the switch See Switch system information on page 377 fans Shows system fan status See System fan status on page 377 Command results for show system chassislocate command switch config show system chassislocate Chassis Locator LED ON 5 minutes 5 seconds switch config show system chassislocate Chassis Locator LED BLINK 10 minutes 6 seconds switch config show system c...

Page 378: ...he existing debug mode command taskusage d When the task monitor command is enabled the show cpu command summarizes the processor usage by protocol and system functions Syntax no task monitor cpu Allows the collection of processor utilization data Only manager logins can execute this command The settings are not persistent that is there are no changes to the configuration Default Disabled The task...

Page 379: ...gement address information Component information views The CLI show modules command displays additional component information for the following SSM identification including serial number Mini GBICS a list of installed mini GBICs displaying the type J number and serial number when available show modules Syntax show modules Description Displays information about the installed modules Figure 43 The s...

Page 380: ...owing SSM and mini GBIC information Task usage reporting The task usage reporting feature provides the ability to collect and display CPU usage data with a refresh rate of 5 seconds of running tasks on the switch It includes the following commands process tracking This command is used to enable disable the task usage collecting capability for a specific module on the switch show cpu process This c...

Page 381: ...w cpu CHASSIS_MIN_CPU_UTIL_INDEX CHASSIS_MAX_CPU_UTIL_INDEX slot SLOT LIST CHASSIS_MIN_CPU_UTIL_INDEX CHASSIS_MODULE_MAX_CPU_UTIL_INDEX process slot SLOT LIST refresh iterations refresh iterations Shows average CPU utilization over the last 1 5 and 60 seconds or the number of seconds specified Use the slot option to display CPU utilization for the specified modules rather than the chassis CPU Use ...

Page 382: ...imes to refresh process usage display cr show cpu process slot A refresh tab INTEGER Enter an integer number show cpu process slot A refresh 10 tab cr Output for the show cpu process command switch show cpu process Recent Time Since Times Max Process Name Priority Time CPU Last Ran Ran Time Idle 1 226 10 s 41 57 us 380986 69 us Idle 3 1 5 s 20 52 us 761665 55 us Idle 0 226 8 s 33 19 us 380867 66 u...

Page 383: ...rt see Viewing the port and VLAN MAC addresses on page 384 MAC addresses are assigned at the factory The switch automatically implements these addresses for VLANs and ports as they are added to the switch NOTE The switch s base MAC address is also printed on a label affixed to the switch Determining MAC addresses Use the CLI to view the switch s port MAC addresses in hexadecimal format NOTE The sw...

Page 384: ... unless the name has been changed by using the VLAN Names screen On the switches covered in this guide the VID VLAN identification number for the default VLAN is always 1 and cannot be changed Viewing the port and VLAN MAC addresses The MAC address assigned to each switch port is used internally by such features as Flow Control and the spanning tree protocol Using the walkmib command to determine ...

Page 385: ...e WebAgent and the console interface show the same port status data Viewing port status CLI Syntax show interfaces brief Viewing port and trunk group statistics WebAgent 1 In the navigation pane of the WebAgent click Interface 2 Click Port Info Config For information about this screen click in the upper right corner of the WebAgent screen Chapter 12 Monitoring and Analyzing Switch Operation 385 ...

Page 386: ... The Reset action resets the counter display to zero for the current session but does not affect the cumulative values in the actual hardware counters In compliance with the SNMP standard the values in the hardware counters are not reset to zero unless you reboot the switch Exiting from the console session and starting a new session restores the counter displays to the accumulated values in the ha...

Page 387: ...ounters It is useful to be able to clear all counters and statistics without rebooting the switch when troubleshooting network issues The clear statistics global command clears all counters and statistics for all interfaces except SNMP You can also clear the counters and statistics for an individual port using the clear statistics port list command Syntax clear statistics port list global When exe...

Page 388: ...s the MAC addresses associated with the ports for a given VLAN For Example Switch show mac address vlan 100 NOTE The switches operate with a multiple forwarding database architecture Finding the port on which the switch learned a specific MAC address For example to find the port on which the switch learns a MAC address of 080009 21ae84 Accessing MSTP Data CLI Syntax show spanning tree Displays the...

Page 389: ...e 46 Output from show spanning tree command Viewing internet IGMP status CLI The switch uses the CLI to display the following IGMP status on a per VLAN basis Chapter 12 Monitoring and Analyzing Switch Operation 389 ...

Page 390: ... A2 VLAN 33 33 A3 A4 VLAN 44 44 The next three examples show how you could list data on the above VLANs Listing the VLAN ID vid and status for specific ports Switch show vlan ports A1 A2 Status and Counters VLAN Information for ports A1 A2 802 1Q VLAN ID Name Status 1 DEFAULT_VLAN Static 33 VLAN 33 Static Note Because ports A1 and A2 are not members of VLAN 44 it does not appear in this listing VL...

Page 391: ...atus and Counters VLAN Information VLAN 1 VLAN ID 1 Name DEFAULT_VLAN Status Static Voice Yes Jumbo No Port Information Mode Unknown VLAN Status A1 Untagged Learn Up A2 Untagged Learn Up A3 Untagged Learn Up A4 Untagged Learn Down A5 Untagged Learn Up A6 Untagged Learn Up A7 Untagged Learn Up Chapter 12 Monitoring and Analyzing Switch Operation 391 ...

Page 392: ... with zl modules in a chassis switch When in Compatibility Mode the switch accepts either v2 zl or zl modules The default is Compatibility Mode enabled If Compatibility Mode is disabled by executing the no allow v1 modules command the switch will only power up v2 zl modules allow v1 modules Syntax no allow v1 modules Enables Compatibility Mode for interoperation of v2 zl and zl modules in the same...

Page 393: ... added into trunk Bandwidth utilization for trunks is calculated by averaging the value of the sum of bandwidth utilization for each trunk member in the last 5 minute interval show interfaces Syntax show interfaces brief config PORT LIST Description Shows interface information for ports or trunk groups in brief or configuration detail Command context operator or manager Parameters brief Shows the ...

Page 394: ...x Auto off 0 B3 100 1000T No Yes Down 1000FDx Auto off 0 B4 100 1000T No Yes Down 1000FDx Auto off 0 B5 100 1000T No Yes Down 1000FDx Auto off 0 B6 100 1000T No Yes Down 1000FDx Auto off 0 Show the configuration of the interfaces currently available switch show interfaces config Port Settings Port Type Enabled Mode Flow Ctrl MDI B1 100 1000T Yes Auto 10 100 Disable Auto B2 100 1000T Yes Auto Disab...

Page 395: ... information for port trunk 1 switch show interface trk1 Status and Counters Port Counters for port Trk1 Name Trk1 MAC Address 3464a9 b1b8bf Link Status Up Totals Since boot or last clear Bytes Rx 777 713 956 Bytes Tx 596 853 141 Unicast Rx 1 154 693 Unicast Tx 0 Bcast Mcast Rx 48 563 Bcast Mcast Tx 607 474 910 Errors Since boot or last clear FCS Rx 0 Drops Tx 0 Alignment Rx 0 Collisions Tx 0 Runt...

Page 396: ...Removing Port from trunk CLI SNMP Interface counters for this port will be cleared across all sessions Average rate counters are not cleared Trunk port coming Up CLI enable No change in counters Interface counters for this port are not cleared Average rate counters are not cleared Counters will start from 0 when the trunk port comes up Trunk port coming Up Cable connect No change in counters Inter...

Page 397: ...f trunk CLI Not allowed The error message Module not present for port or invalid port PORT NUM displays when the command clear statistics is executed on a port which part of a trunk Clear statistics on trunk CLI Interface counters for physical ports which are part of trunk will be cleared Average rate counters are not cleared Reset port counters When troubleshooting network issues you can clear al...

Page 398: ...nd Counters Port Address Table MAC Address Port VLAN Age d h m s ms 3c4a92 31c100 F23 1 0000 00 00 00 34 9cb654 ce6169 A2 1 0000 00 02 37 93 c09134 cd2740 F23 1 0000 00 00 00 28 c09134 cd277d F23 1 0000 00 00 23 62 f0921c 85b0e0 F24 1 0000 00 00 08 29 f0921c 85b0e9 F24 1 0000 00 00 09 47 show mac add detail for Vxlan Tunnel supporting and non supporting platforms switch show mac address detail Sta...

Page 399: ...anager Parameters vlan VLAN ID Show MAC addresses learned on a specified VLAN PORT LIST Show MAC addresses learned on the specified ports MAC ADDR Show the specified port for a specified MAC address TUNNEL ID Show MAC addresses learned on the specified VXLAN tunnel Usage show mac address Lists all learned MAC addresses on the switch and their corresponding port numbers show mac address a1 a4 a6 Li...

Page 400: ... a VLAN This feature uses a device s MAC address that you enter to identify the port used by that device Procedure 1 Proceeding from the figure above press S for Search to display the following prompt Enter MAC address _ 2 Enter the MAC address you want to locate and press Enter The address and port number are highlighted if found If the switch does not find the MAC address on the currently select...

Page 401: ... data show spanning tree Syntax show spanning tree Description Displays the global and regional spanning tree status for the switch and displays the per port spanning tree operation at the regional level Values for the following parameters appear only for ports connected to active devices Designated Bridge Hello Time PtP and Edge Chapter 12 Monitoring and Analyzing Switch Operation 401 ...

Page 402: ...t IP IGMP status show ip igmp Syntax show ip igmp VLAN ID config group IP ADDR groups statistics Description Global command that lists IGMP status for all VLANs configured in the switch including 402 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 403: ...up with port type Access type Age Timer data and Leave Timer data groups Displays VLAN ID group address uptime expiration time multicast filter type and the last reporter for IGMP groups statistics Displays IGMP operational information such as VLAN IDs and names and filtered and flooding statistics Output from show ip igmp config command IGMP statistical information switch vlan 2 show ip igmp stat...

Page 404: ...e following for the specified VLAN Name VID and status static dynamic Per port mode tagged untagged forbid no auto Unknown VLAN setting Learn Block Disable Port status up down List data on specific VLANs The next three figures show how you can list data for the following VLANs Ports VLAN VID A1 A12 DEFAULT_VLAN 1 Table Continued 404 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS ...

Page 405: ... entire switch Figure 53 Port listing for an individual VLAN Configuring local mirroring To configure a local mirroring session in which the mirroring source and destination are on the same switch follow these general steps Procedure 1 Determine the session and local destination port Chapter 12 Monitoring and Analyzing Switch Operation 405 ...

Page 406: ...gure mirroring for a local session in which the mirroring source and destination are on the same switch The mirror command identifies the destination in a mirroring session The interface and vlan commands identify the mirroring source including source interface traffic direction and traffic selection criteria for a specified session NOTE With no allow v2 modules specified in the configuration of a...

Page 407: ... VLAN trunk or mesh interface for a specified session but leaves the session available for other assignments Parameters and options mirror SESSION Accepts either a number 1 to 4 or a name To use a name you must first configure the name NAME STR parameter option for the specified mirroring session using the policy mirror command MAC based criteria to select traffic monitor mac Syntax no monitor mac...

Page 408: ...destination on a local switch Parameters and options Local mirroring destination on the local switch mirror port Syntax mirror SESSION port EXIT PORT Description Configures a local mirroring destination on a local switch Parameters and options Monitored traffic interface Syntax interface PORT TRUNK MESH Description Parameters and options monitor all Syntax monitor all in out both mirror SESSION no...

Page 409: ...P address of the source switch to use in the session The IP address and exit port number on the remote endpoint switch In a remote mirroring endpoint the IP address of exit port and the remote destination switch can belong to different VLANs Source mirror on the local switch mirror remote ip Syntax no mirror 1 4 name NAME STR remote ip SRC IP SRC UDP PORT DST IP truncation Description Configures t...

Page 410: ...witches For a given mirroring session the same src ip src udp port and dst ip values must be entered with the mirror endpoint ip command on the destination switch and later with the mirror remote ip command on the source switch CAUTION Do not remove the configuration of a remote mirroring endpoint support for a given session if there are source switches currently configured to mirror traffic to th...

Page 411: ...ion Syntax no mirror 1 4 name name str remote ip src ip src udp port dst ip truncation Used on the source switch to uniquely associate the mirrored traffic in the specified session with a remote destination switch You must configure the same source and destination parameters when you configure the same session on both the source and destination switches If multiple remote sessions use the same sou...

Page 412: ... specified in the command this is the IP address of the VLAN or subnet on which the remote exit port exists The exit port to which a traffic analyzer or IDS is connected is configured on the remote switch in section truncation Enables truncation of oversize frames causing the part of the frame in excess of the MTU size to be truncated Unless truncation is enabled oversize frames are dropped The fr...

Page 413: ...o four sessions for example interface a1 monitor all in mirror 1 1 Configures the port traffic to be mirrored in the specified session number name name str Optional configures the port traffic to be mirrored in the specified session name The string can be used interchangeably with the session number when using this command to assign a mirroring source to a session no tag added Prevents a VLAN tag ...

Page 414: ...ing session precludes assigning any other mirroring sources to the same session If a VLAN is already assigned to a given mirroring session using this command to assign another VLAN to the same mirroring session results in the second assignment replacing the first Also if there are other port trunk or mesh mirroring sources already assigned to a session the switch displays a message similar to Mirr...

Page 415: ...s To identify a session you can enter either its name or number for example mirror 1 2 3 traffsrc4 1 4 Specifies a mirroring session by number for which the configured MAC address is used to select and mirror inbound and or outbound traffic Packets that are sent or received on an interface configured with a mirroring session and that contain the MAC address as source and or destination address are...

Page 416: ...he configured actions are executed on packets that match a match statement in a class No policy action is performed on packets that match an ignore statement Context Policy configuration Syntax no seq number class ipv4 ipv6 classname action mirror session Defines the mirroring action to be applied on a pre configured IPv4 or IPv6 traffic class when a packet matches the match criteria in the traffi...

Page 417: ...ng a dash for example a1 a5 The mirroring policy name you enter must be the same as the policy name you configured with the policy mirror command Syntax vlan vlan id service policy policy name in Configures a mirroring policy on the specified VLAN that is applied to inbound traffic on the VLAN interface Valid VLAN ID numbers range from 1 to 4094 The mirroring policy name you enter must be the same...

Page 418: ...he session is a port local or IPv4 remote mirroring session show monitor endpoint The IP address configured for the source VLAN or subnet on which the monitored source interface exists In the configuration of a remote session the same UDP source address must be configured on the source and destination switches UDP port The unique UDP port number that identifies a remote session In the configuratio...

Page 419: ...itch UDP Source Addr The IP address configured for the source VLAN or subnet on which the monitored source interface exists In the configuration of a remote session the same UDP source address must be configured on the source and destination switches UDP port The unique UDP port number that identifies a remote session In the configuration of a remote session the same UDP port number must be config...

Page 420: ... mirroring session After you configure session 2 for remote mirroring Figure 55 Configuring a remote mirroring session and monitored source on page 420 you can enter the show monitor 2 command to verify the configuration Figure 56 Displaying the Configuration of a Remote Mirroring Session on page 420 Figure 55 Configuring a remote mirroring session and monitored source Figure 56 Displaying the Con...

Page 421: ...en used to display the configuration of a local session the show monitor command displays a subset of the information displayed for a remote mirroring session Example Figure 59 Displaying the configuration of a local mirroring session on page 421 displays a local mirroring configuration for a session configured as follows Session number 1 Session name Detail Classifier based mirroring policy Mirro...

Page 422: ...twork Monitoring Session 3 Session Name Policy MirrorAdminTraffic Mirror Destination C1 Port Monitoring Sources Direction VLAN 5 Source Viewing information about a classifier based mirroring configuration Syntax show class ipv4 classname show class ipv6 classname show class config ipv4 classname Lists the statements that make up the IPv4 class identified by classname ipv6 classname Lists the state...

Page 423: ...defined for the switch and lists the statements that make up each policy Additional variants of the show policy command provide information on policies that have been applied to ports or VLANs Figure 62 show policy output for a mirroring policy Viewing resource usage for mirroring policies Syntax show policy resources Displays the number of hardware resources rules meters and application port rang...

Page 424: ...n command to view the current mirroring configurations on the switch In the show run command output information about mirroring sources in configured sessions begins with the mirror keyword monitored source interfaces are listed per interface Compatibility mode The following table shows how the v2 zl and zl modules behave in various combinations and situations when Compatibility mode is enabled an...

Page 425: ... to a local or remote destination such as a traffic analyzer or IDS Traffic mirroring provides the following benefits Allows you to monitor the traffic flow on specific source interfaces Helps in analyzing and debugging problems in network operation resulting from a misbehaving network or an individual client The mirroring of selected traffic to an external device makes it easier to diagnose a net...

Page 426: ...to four mirroring sessions on a switch Each session can have one or more sources ports and or static trunks that monitor traffic entering and or leaving the switch NOTE Using the CLI you can make full use of the switch s local and remote mirroring capabilities Mirroring sessions A mirroring session consists of a mirroring source and destination endpoint Although a mirroring source can be one of se...

Page 427: ...re interfaces inbound and or outbound Classifier based service policy Provides a finer granularity of match criteria to zoom in on a subset of a monitored port or VLAN traffic IPv4 or IPv6 and select it for local or remote mirroring inbound only Deprecation of ACL based traffic selection The use of ACLs for selecting traffic in a mirroring session has been deprecated and is replaced by the use of ...

Page 428: ...eaving the switch on Ports and static trunks Provides the flexibility for mirroring on individual ports groups of ports static port trunks or any combination of these Criteria for selecting mirrored traffic On the monitored sources listed above you can configure the following criteria to select the traffic you want to mirror Direction of traffic movement entering or leaving the switch or both Type...

Page 429: ...h traffic volume you can reduce the risk of oversubscribing a single exit port by Directing traffic from different session sources to multiple exit ports Configuring an exit port with a higher bandwidth than the monitored source port Remote mirroring overview To configure a remote mirroring session in which the mirroring source and destination are on different switches follow these general steps A...

Page 430: ...dentifies the destination in a mirroring session The interface and vlan commands identify the monitored interface traffic direction and traffic selection criteria for a specified session CAUTION When configuring a remote mirroring session always configure the destination switch first Configuring the source switch first can result in a large volume of mirrored IPv4 encapsulated traffic arriving at ...

Page 431: ...re local mirroring exit port number is all that is required If the exit port for a mirroring destination is on a remote switch instead of the local source switch you must enter the source IP address destination IP address and UDP port number for the remote mirroring session You may also wish to enable frame truncation to allow oversize frames to be truncated rather than dropped Frames that exceed ...

Page 432: ...ce type Port trunk and or mesh VLAN Switch global configuration level Traffic direction and selection criteria All inbound and or outbound traffic on a port or VLAN interface Only inbound IP traffic selected with an ACL deprecated in software release K 14 01 and greater Only inbound IPv4 or IPv6 traffic selected with a classifier based mirroring policy All inbound and or outbound traffic selected ...

Page 433: ... in Figure 65 Mirroring commands with the no tag added option on page 433 and Figure 66 Displaying a mirror session configuration with the no tag added option on page 433 Figure 65 Mirroring commands with the no tag added option Figure 66 Displaying a mirror session configuration with the no tag added option About using SNMP to configure no tag added The MIB object hpicfBridgeDontTagWithVlan is us...

Page 434: ...allows you to mirror traffic using a policy to specify IP addresses as selection criteria MAC based mirroring allows you monitor switch traffic using a source and or destination MAC address You can apply MAC based mirroring in one or more mirroring sessions on the switch to monitor Inbound traffic Outbound traffic Both inbound and outbound traffic MAC based mirroring is useful in Switch Network Im...

Page 435: ... on the switch To re use a MAC address that has already been configured as a source and or destination address for traffic selection in a mirror session you must first remove the configuration by entering the no form of the command and then re enter the MAC address in a new monitor mac mirror command For example if you have already configured MAC address 111111 222222 to filter inbound and outboun...

Page 436: ... IP precedence bits Layer 3 DSCP codepoint Layer 4 TCP UDP application port including TCP flags VLAN ID Enter one or more match or ignore commands from the class configuration context to filter traffic and determine the packets on which policy actions will be performed 3 Create a mirroring policy to configure the session and destination device to which specified classes of inbound traffic are sent...

Page 437: ...the mirror session parameter in a default class action statement 5 Apply the mirroring policy to inbound traffic on a port interface service policy in command or VLAN vlan service policy in command interface CAUTION After you apply a mirroring policy for one or more preconfigured sessions on a port or VLAN interface the switch immediately starts to use the traffic selection criteria and exit port ...

Page 438: ...ound and or outbound traffic can be added to the session Figure 67 Mirroring configuration in which only a mirroring policy is supported If a mirroring session is already configured with one or more traffic selection criteria MAC based or all inbound and or outbound traffic the session does not support the addition of a classifier based policy Figure 68 Mirroring configuration in which only traffi...

Page 439: ...rt A5 and workstation Y on port B17 to a traffic analyzer connected to port C24 see Figure 70 Local mirroring topology on page 439 In this case the administrator chooses 1 as the session number Any unused session number from 1 to 4 is valid Because the switch provides both the source and destination for the traffic to monitor local mirroring can be used In this case the command sequence is Configu...

Page 440: ...mirroring session To configure this remote mirroring session using a classifier based policy to select inbound TCP traffic on two VLAN interfaces take the following steps 1 On remote switch C configure a remote mirroring endpoint using port A15 as the exit port as described in Configure a mirroring destination on a remote switch on page 431 Figure 73 Configuring a remote mirroring endpoint remote ...

Page 441: ...ring on page 435 Figure 74 Configuring a classifier based policy on source switch A 4 On source switch B repeat steps 2 and 3 a Configure an association between the remote mirroring endpoint on switch C and a mirroring session on switch B b Configure a classifier based mirroring policy to select inbound TCP traffic destined to the server at 10 10 30 153 and apply the policy to a VLAN interface for...

Page 442: ...xit port of B10 on switch C and a remote mirroring session on switch A If the mirroring configuration in the proceeding example is enabled it is necessary to use a different session number 2 and UDP port number 9400 The IP address of the remote exit port 10 10 40 7 connected to traffic analyzer 2 exit port B10 can belong to a different VLAN than the destination IP address of the VLAN used to reach...

Page 443: ... 2 Figure 78 Configuring a remote mirroring session for inbound port traffic Maximum supported frame size The IPv4 encapsulation of mirrored traffic adds a 54 byte header to each mirrored frame If a resulting frame exceeds the MTU allowed in the network the frame is dropped or truncated NOTE Oversized mirroring frames are dropped or truncated according to the setting of the truncation parameter in...

Page 444: ... Tagged Non jumbo 1522 4 1522 1468 54 Jumbo11 on all VLANs 9220 4 9218 9164 54 Jumbo11 On all but source VLAN 1522 4 n a22 1468 54 1 Jumbo frames are allowed on ports operating at or above 1 Gbps 2 For local mirroring a non jumbo configuration on the source VLAN dictates an MTU of 1518 bytes for untagged frames and an MTU of 1522 for tagged frames regardless of the jumbo configuration on any other...

Page 445: ...iginal frame carried when it entered into or exited from the switch The tagged or untagged VLAN membership of ports in the path leading to the mirroring destination does not affect the tagged or untagged status of the mirrored copy itself Thus if a tagged frame arrives on a mirrored port the mirrored copy is also tagged regardless of the status of ports in the destination path If a frame exits fro...

Page 446: ...ecified VLAN or ports to the destination configured for session 1 Loss of connectivity suspends remote mirroring When a remote mirroring session is configured on a source switch the switch sends an ARP request to the configured destination approximately every 60 seconds If the source switch fails to receive the expected ARP response from the destination for the session transmission of mirrored tra...

Page 447: ...P is enabled on any VLAN you may get two copies of IGMP packets on the monitored port Port trunks cannot be used as a monitoring port The switch can monitor static LACP trunks but not dynamic LACP trunks It is possible when monitoring multiple interfaces in networks with high traffic levels to copy more traffic to a monitor port than the link can support In this case some packets may not be copied...

Page 448: ...onitoring sources Syntax no interface monitor list monitor monitor list Includes port numbers and static trunk names such as 4 7 5 8 trk1 NOTE Individual ports and static trunks can be monitored at the same time However if you configure the switch to monitor a VLAN all other interfaces are removed from monitoring Also you can configure only one VLAN at a time for monitoring Elements in the monitor...

Page 449: ...or a group of ports Fans There are three fan types Power supply fans Fan tray fans Stacking switch fans show system Syntax show system chassislocate information temperature Description Shows global system information and operational parameters for the switch Command context manager and operator Parameters chassislocate Shows the chassis locator LED status Possible values are ON Off and Blink When ...

Page 450: ...s Locating the system chassis by LED blink using the show system chassislocate command Showing the general switch system information by using the show system command show system fans Syntax show system fans Description Shows the state status and location of system fans Command context manager and operator 450 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 451: ...all system fans within the PoEP context is shown by using the command show system fans Switch PoEP show system fans Fan Information Num State Failures Location Fan 1 Fan OK 0 Chassis Fan 2 Fan OK 0 Chassis Fan 3 Fan OK 0 Chassis Fan 4 Fan Removed 0 PS 1 Fan 5 Fan Failed 2 PS 2 1 5 Fans in Failure State 1 5 Fans have been in Failure State The state of all stacked switch system fans is shown by usin...

Page 452: ...Fan Tray Sys 5 Fan Removed 0 PS 1 Sys 6 Fan Failed 2 PS 2 1 6 Fans in Failure State 1 6 Fans have been in Failure State VSF Member 2 Num State Failures Location Sys 1 Fan OK 0 Fan Tray Sys 2 Fan OK 0 Fan Tray Sys 3 Fan OK 0 Fan Tray Sys 4 Fan OK 0 Fan Tray Sys 5 Fan OK 0 PS 1 Sys 6 Fan OK 0 PS 2 0 6 Fans in Failure State 0 6 Fans have been in Failure State show system power supply Syntax show syst...

Page 453: ...V 700 3 Not Present 0 4 J9830A IN43G4G05H Powered AC 120V 240V 2750 3 4 supply bays delivering power Total power 4150 W Use of the command show system power supply detailed shows the power supply status in detail for all active switches Switch show system power supply detailed Status and Counters Power Supply Detailed Information PS Model Serial State Status 1 J9828A IN30G4D009 Powered AC Power Co...

Page 454: ...Z81KX Powered Power Consumption 51 Watts AC Input Voltage 208 Volts Inlet Internal Temp 85 6F 87 7F Fan 1 Speed util 1650RPM 20 Fan 2 Speed util 1600RPM 19 1 3 J9828A IN5BGZ81KY Powered Power Consumption 43 Watts AC Input Voltage 119 Volts Inlet Internal Temp 85 6F 87 7F Fan 1 Speed util 1650RPM 20 Fan 2 Speed util 1600RPM 19 1 4 Not Present 2 1 J9830A IN5BGZ81KZ Powered Power Consumption 95 Watts...

Page 455: ...on 46 Watts AC MAIN Voltage 209 Volts Power Supplied 21 Watts Power Capacity 700 Watts Inlet Temp C F 27 7C 80 6F Internal Temp C F 32 5C 89 6F Fan 1 Speed 1600 RPM Fan 2 Speed 1600 RPM 3 Not Present 4 J9830A IN43G4G05H Aux Not Powered 2 4 supply bays delivering power Currently supplying 68 W 4150 W total power Use of the command show system power supply shows the power supply status all active sw...

Page 456: ...eparate line will be included for each Currently Supplying A summary of the total power being supplied and the total capacity same summary as seen on the command show system power supply Fan failures and SNMP traps Power supply fan fault Power supply events indicating an internal fan fault are reported by SNMP traps issued up to 10 seconds after the corresponding power supply fan fault occures For...

Page 457: ...M1 Fan OK Fan 3 Failures 1 Shown is a fan tray fan fault fan number 3 failure The event is issued as a Warning w W 11 30 16 14 02 38 00070 chassis AM1 Fan failure Fan 3 Failures 1 Chapter 12 Monitoring and Analyzing Switch Operation 457 ...

Page 458: ...e switch hardware and software are indicated by flashing the Fault and other switch LEDs For a description of the LED behavior and information on using the LEDs for troubleshooting see the installation guide shipped with the switch Check the network topology installation For topology information see the installation guide shipped with the switch Check cables for damage correct type and proper conn...

Page 459: ...he switch allows inbound telnet access only to a device having an authorized IP address For more information on IP Authorized managers see the access security guide for your switch Java applets may not be running on the web browser They are required for the switch WebAgent to operate correctly Refer to the online Help on your web browser for how to run the Java applets Cannot Telnet into the switc...

Page 460: ...If you are configuring a port trunk finish configuring the ports in the trunk before connecting the related cables Otherwise you may inadvertently create a number of redundant links that is topology loops that will cause broadcast storms Turn on STP to block redundant links Check for FFI messages in the Event Log Duplicate IP addresses This is indicated by this Event Log message ip Invalid ARP sou...

Page 461: ...ally reset to zero the default Ports in a trunk group operate only at the default priority setting Addressing ACL problems ACLs are properly configured and assigned to VLANs but the switch is not using the ACLs to filter IP layer 3 packets Procedure 1 The switch may be running with IP routing disabled To ensure that IP routing is enabled execute show running and look for the IP routing statement i...

Page 462: ... blocked as a security measure To preempt this action edit the ACL to include an ACE that permits access to the switch s DA on that VLAN from the management device Error Invalid input when entering an IP address When using the host option in the Command syntax ensure that you are not including a mask in either dotted decimal or CIDR format Using the host option implies a specific host device and t...

Page 463: ...P address as a DA or to use a wildcard ACL mask in a deny statement that happens to include the switch s IP address For an Example of this problem see section General ACL Operating Notes in the Access Control Lists ACLs of the latest access security guide for your switch Routing through a gateway on the switch fails Configuring a deny ACE that includes a gateway address can block traffic attemptin...

Page 464: ...fic 3 Deny any unauthorized traffic that you have not already denied in step 1 IGMP related problems IP multicast IGMP traffic that is directed by IGMP does not reach IGMP hosts or a multicast router connected to a port IGMP must be enabled on the switch and the affected port must be configured for Auto or Forward operation IP multicast traffic floods out all ports IGMP does not appear to filter t...

Page 465: ...not receiving a response to an authentication request Do the following Use ping to ensure that the switch has access to the configured RADIUS servers Verify that the switch is using the correct encryption key RADIUS secret key for each server Verify that the switch has the correct IP address for each RADIUS server Ensure that the radius server timeout period is long enough for network conditions T...

Page 466: ...ctivated switch config show port access authenticator e 9 Port Access Authenticator Status Port access authenticator activated No No Access Authenticator Authenticator Port Status Control State Backend State 9 Open 1 FU Force Auth Idle Switch config show port access authenticator active Switch config show port access authenticator e 9 Port Access Authenticator Status Port access authenticator acti...

Page 467: ...you are using RADIUS authentication and the RADIUS server specifies a VLAN for the port the switch allows authentication but blocks the port To eliminate this problem either remove the port from the trunk or reconfigure the RADIUS server to avoid specifying a VLAN QoS related problems Loss of communication when using VLAN tagged traffic If you cannot communicate with a device in a tagged VLAN envi...

Page 468: ...IUS Encryption Key 2 Unique RADIUS Encryption Key for the RADIUS server at 10 33 18 119 MSTP and fast uplink problems CAUTION If you enable MSTP Hewlett Packard Enterprise recommends that you leave the remainder of the MSTP parameter settings at their default values until you have had an opportunity to evaluate MSTP performance in your network Because incorrect MSTP settings can adversely affect n...

Page 469: ...H client application for a utility that can convert the PEM formatted key into an ASCII formatted key Executing IP SSH does not enable SSH on the switch The switch does not have a host key Verify by executing show ip host public key If you see the message ssh cannot be enabled until a host key is configured use crypto command you need to generate an SSH key pair for the switch To do so execute cry...

Page 470: ...nfiguration changes in the switch that have not been saved to flash boot up configuration by causing the switch to reboot from the boot up configuration which includes only the configuration changes made prior to the last write memory command If you did not use write memory to save the authentication configuration to flash pressing the Reset button reboots the switch with the boot up configuration...

Page 471: ...login attempts than specified in the switch configuration Your TACACS server application may be configured to allow fewer login attempts than you have configured in the switch with the aaa authentication num attempts command TimeP SNTP or Gateway problems The switch cannot find the time server or the configured gateway TimeP SNTP and Gateway access are through the primary VLAN which in the default...

Page 472: ...switch A it must also be configured as Tagged on the link port on switch B Make sure that the VLAN ID VID is the same on both switches Duplicate MAC addresses across VLANs The switches operate with multiple forwarding databases Thus duplicate MAC addresses occurring on different VLANs can appear where a device having one MAC address is a member of more than one 802 1Q VLAN and the switch port to w...

Page 473: ... initialization failed for vlan x For a multinetted VLAN multiple IP addresses assigned to the VLAN only the IP addresses that are overlapping subnets are removed The other IP addresses on the VLAN are retained and function correctly The error message can be somewhat misleading the IP addresses on the VLAN that are not overlapping are initialized correctly The output of the show ip command correct...

Page 474: ...ich is required for rapid detection of link faults However the consequence of this is that a marginal transceiver optical or wire cabling one that flaps up and down several times per second can cause STP and other protocols to react poorly resulting in a network outage The link flap option expands the functionality of the existing fault finder function to include a link flap event and a new action...

Page 475: ...isablement is not desired on ports that are at the client edge of the network because link state changes there are frequent and expected Hewlett Packard Enterprise does not recommend automatic disabling of a port at the core or distribution layers when excessive broadcasts are detected because of the potential to disable large parts of the network that may be uninvolved and for the opportunity to ...

Page 476: ...nder check and set parameters for it These commands may be repeated to enable additional checks The default sensitivity is medium and the default action is warn no fault finder all fault sensitivity low medium high action warn warn and disable no fault finder link flap sensitivity low medium high action warn warn and disable no fault finder link flap PORT LIST action warn warn and disable SECONDS ...

Page 477: ...etection Disable link flap detection for port A5 switch config no fault finder link flap ethernet A5 Show fault finder link flap Syntax show fault finder link flap ethernet PORT LIST Description Display the link flap control configuration Show fault finder link flap switch show fault finder link flap A1 Link Port Disable Disable Time Port Flap Status Sensitivity Action Timer Left A1 Yes Down Low w...

Page 478: ...disabled Link flap is detected and the action is to disable the port with disable timer port ID timer 71 has expired ports port ID is now on line vlan VLAN VLAN ID virtual LAN is enabled The port is enabled when the disable timer expires Restrictions Per port configuration for options link flap only Global settings for other options No support for menu interface No support for Web UI No support fo...

Page 479: ...P LRM Transceiver D J9153A 10GbE SFP ER Transceiver D J9144A 10GbE X2 SC LRM Transceiver D J8438A 10Gbe X2 SC ER Transceiver D JH233A 40G QSFP MPO eSR4 Transceiver V JH232A 40G QSFP LC LR4 SM Transceiver V JL308A 40G QSFP BIDI V JH231A 40G QSFP MPO SR4 Transceiver V 1 Support indicators V Validated to respond to DOM requests N No support of DOM D Documented by the component suppliers as supporting...

Page 480: ...or show interfaces transceiver port list is shown below You can specify multiple ports separated by commas and the information for each transceiver will display Output for a specified transceiver switch config show interfaces transceiver 21 Transceiver Technical information Product Serial Part Port Type Number Number Number 21 1000SX J4858C MY050VM9WB 1990 3657 If there is no transceiver in the po...

Page 481: ...wing information displays Table 32 General transceiver information Parameter Description Interface Index The switch interface number Transceiver type Pluggable transceiver type Transceiver model Pluggable transceiver model Connector type Type of connector of the transceiver Wavelength For an optical transceiver the central wavelength of the laser sent in nm If the transceiver supports multiple wav...

Page 482: ...ceiver Volts Bias Laser bias current mA RX power Rx power mW and dBm TX power Tx power mW and dBm The alarm information for GBIC SFP transceivers is shown in this table Table 34 Alarm and error information GBIC SFP transceivers only Alarm Description RX loss of signal Incoming RX signal is lost RX power high Incoming RX power level is high RX power low Incoming RX power level is low TX fault Trans...

Page 483: ...Dependent receiver local fault PCS receiver local fault Physical Coding Sublayer receiver local fault PHY XS receive local fault PHY Extended Sublayer receive local fault RX power high RX power is high RX power low RX power is low Laser bias current fault Laser bias current fault Laser temperature fault Laser temperature fault Laser output power fault Laser output power fault TX fault TX fault PMA...

Page 484: ...l number MY050VM9WB Status Temperature 50 111C Voltage 3 1234V TX Bias 6mA TX Power 0 2650mW 5 768dBm RX Power 0 3892mW 4 098dBm Time stamp Mon Mar 7 14 22 13 2011 An Example of the output for a 10GbE LR transceiver is shown below Detailed information for a 10GbE LR transceiver switch config show interfaces transceiver 23 detail Transceiver in 23 Interface Index 24 Type 10GbE LR Model J8437A Conne...

Page 485: ...nter the test cable diagnostics command in any context to begin cable diagnostics for the transceiver The diagnostic attempts to identify cable faults The tests may take a few seconds to complete for each interface There is the potential of link loss during the diagnostic Syntax test cable diagnostics port list Invokes cable diagnostics and displays the results Output from test cable diagnostics c...

Page 486: ...ector type Type of connector of the transceiver Wavelength For an optical transceiver the central wavelength of the laser sent in nm If the transceiver supports multiple wavelengths the values will be separated by a comma An electrical transceiver value is displayed as N A Transfer Distance Link length supported by the transceiver in meters The corresponding transfer medium is shown in brackets fo...

Page 487: ...DI crossover status of the two wire pairs 1 2 3 6 4 5 7 8 will be either MDI or MDIX Viewing transceiver information This features provides the ability to view diagnostic monitoring information for transceivers with Diagnostic Optical Monitoring DOM support The following table indicates the support level for specific transceivers Product Description Support1 J8436A 10GbE X2 SC SR Optic V J8437A 10...

Page 488: ...ting switch problems The Event Log records operating events in single or double line entries and serves as a tool to isolate and troubleshoot problems Once the log has received 2000 entries it discards the oldest message each time a new message is received The Event Log window contains 14 log entry lines You can scroll through it to view any part of the log Once the log has received 2000 entries i...

Page 489: ...ehaved unexpectedly I information provides information on normal switch operation D debug is reserved for internal diagnostic information Date The date in the format mm dd yy when an entry is recorded in the log Time The time in the format hh mm ss when an entry is recorded in the log Event number The number assigned to an event You can turn event numbering on and off with the no log number comman...

Page 490: ...rmit or deny to take on a packet if it meets the criteria Advanced Traffic Management Guide addrmgr Address Table Manager Manages MAC addresses that the switch has learned and are stored in the switch s address table Management and Configuration Guide arp protect Dynamic ARP Protection Protects the network from ARP cache poisoning Only valid ARP requests and responses are relayed or used to update...

Page 491: ... IP traffic that exhibits this behavior and optionally either throttling or dropping all IP traffic from the offending hosts Connection rate filtering messages include events on virus throttling Virus throttling uses connection rate filtering to stop the propagation of malicious agents Access Security Guide console Console interface used to monitor switch and port status reconfigure the switch and...

Page 492: ...tware version or files to the switch Management and Configuration Guide dhcp snoop DHCP snooping Protects your network from common DHCP attacks such as address spoofing and repeated address requests Access Security Guide dma Direct Access Memory DMA Transmits and receives packets between the CPU and the switch fault Fault Detection facility including response policy and the sensitivity level at wh...

Page 493: ...Advanced Traffic Management Guide hpesp Management module that maintains communication between switch ports Installation and Getting Started Guide idm Identity driven Management Optional management application used to monitor and control access to switch Advanced Traffic Management Guide igmp Internet Group Management Protocol Reduces unnecessary bandwidth usage for multicast traffic transmitted f...

Page 494: ...tion keys for all routing protocols including a timing mechanism for activating and deactivating an individual protocol Access Security Guide lacp LACP trunks The switch can either automatically establish an 802 3ad compliant trunk group or provide a manually configured static LACP trunk Management and Configuration Guide ldbal Load balancing in LACP port trunks or 802 1s Multiple Spanning Tree pr...

Page 495: ...ased security employed on the network edge to protect private networks and the switch itself from unauthorized access using one of the following interfaces Web page login to authenticate users for access to the network RADIUS server that uses a device s MAC address for authentication Access Security Guide maclock MAC lockdown and MAC lockout MAC lockdown prevents station movement and MAC address h...

Page 496: ...2 3ad ports Port status and port configuration features including mode speed and duplex flow control broadcast limit jumbo packets and security settings Port messages include events on POE operation and transceiver connections with other network devices Installation and Getting Started Guide Management and Configuration Guide Access Security Guide radius RADIUS Remote Authentication Dial In User S...

Page 497: ...ime among interoperating devices Management and Configuration Guide ssh Secure Shell version 2 SSHv2 Provides remote access to management functions on a switch via encrypted paths between the switch and management station clients capable of SSH operation SSH messages also include events from the Secure File Transfer Protocol SFTP feature SFTP provides a secure alternative to TFTP for transferring ...

Page 498: ...stem Switch management including system configuration switch bootup activation of boot ROM image memory buffers traffic and security filters System messages also include events from management interfaces menu and CLI used to reconfigure the switch and monitor switch status and performance Basic Operation Guide Access Security Guide tacacs TACACS authentication A central server is used to control a...

Page 499: ...nal Link Detection Monitors a link between two switches and blocks the ports on both ends of the link if the link fails at any point between the two devices Access Security Guide udpf UDP broadcast forwarding Supports the forwarding of client requests sent as limited IP broadcasts addressed to a UDP application port on a network server Multicast and Routing Guide update Updates TFTP or serial to H...

Page 500: ...nce Advanced Traffic Management Guide xmodem Xmodem Binary transfer feature that supports the download of software files from a PC or UNIX workstation Basic Operation Guide Using the CLI Syntax show logging a b r s t m e p w i d command filter option str By default the show logging command displays the log messages recorded since the last reboot in chronological order a Displays all recorded log m...

Page 501: ... command switch show logging a system To display all Event Log messages recorded since the last reboot that have the word system in the message text or module name enter switch show logging system Clearing Event Log entries Syntax clear logging command Removes all entries from the event log display output Use the clear logging command to hide but not erase Event Log entries displayed in show loggi...

Page 502: ...le period during which any additional instances of the event are counted but not logged Thus for a particular recurring event the switch displays only one message in the Event Log for each log throttle period in which the event reoccurs Also each logged instance of the event message includes counter data showing how many times the event has occurred since the last reboot The switch manages message...

Page 503: ...ated events of the same type Example of event counter operation Suppose the switch detects the following after a reboot Three duplicate instances of the PIM Send error during the first log throttle period for this event Five more instances of the same Send error during the second log throttle period for this event Four instances of the same Send error during the third log throttle period for this ...

Page 504: ...es to the syslog server Default Disabled running config change Mandatory option for the notify parameter Specifies the type of notification to send transmission interval 0 4294967295 Specifies the time interval in seconds between the transmission of two consecutive notifications Running config changes occurring within the specified interval will not generate syslog notifications A value of zero me...

Page 505: ...s ip address The IP address of the sending interface will be used as the message origin identifier This is the default format for the origin identifier The IP address of the sending interface in dotted decimal notation is the default format hostname The hostname of the sending switch will be used as the message origin identifier none No origin identifier will be embedded in the syslog message Nilv...

Page 506: ...resses are supported Specify syslog server facility with the option facility The command no logging facility sets the facility back to defaults Specify filtering rules Specify severity for event messages to be filtered to the syslog server with the option severity The command no logging severity sets the severity back to default Event messages of specified system module will be sent to the syslog ...

Page 507: ...o none nilvalue switch config logging origin id none The following syslog message will occur 14 Jan 1 00 15 35 00076 ports port 2 is now on line Use any of the commands in the following example to set the origin id to ip address default Setting the origin id to ip address default switch config logging origin id ip address switch config no logging origin id hostname switch config no logging origin ...

Page 508: ...ier Hostname Destination None Enabled debug types None are enabled The command logging origin id none will produce the syslog message shown in the following example Syslog message for logging origin id none Debug Logging Origin identifier none Destination None Enabled debug types None are enabled Syntax show running config The following example shows the output of the show running config command O...

Page 509: ...ess read write Status current Default ip address Debug syslog destination devices To use debug syslog messaging you must configure an external device as the logging destination by using the logging and debug destination commands For more information see Debug destinations on page 519 and Configuring a syslog server on page 521 A debug syslog destination device can be a syslog server and or a conso...

Page 510: ...es or disables OSPFv3 IPv6 adjacency logging Must be executed in OSPFv3 context The detail option displays all the adjacency state transitions and adjacency related errors severity Sends Event Log messages of equal or greater severity than the specified value to configured debug destinations The default setting is to send Event Log messages from all severity levels system module Sends Event Log me...

Page 511: ...og logging on one or more syslog servers configured with the logging syslog ip addr command session Assigns or re assigns destination status to the terminal device that was most recently used to request debug output buffer Enables syslog logging to send the debug message types specified by the debug debug type command to a buffer in switch memory event Sends standard Event Log messages to configur...

Page 512: ...ing high CPU load or on a switch with more than 10 PIM enabled VLANs In high load situations the switch may suffer from protocol starvation high latency or even reload When debugging a switch with more than 10 PIM enabled VLANs the vlan option in debug ip pim packet should be utilized Debugging should only be used temporarily while troubleshooting problems Customers are advised to exercise caution...

Page 513: ...ng operations Configure the switch to send Event Log messages to one or more Syslog servers In addition you can configure the messages to be sent to the User log facility default or to another log facility on configured Syslog servers Configure the switch to send Event Log messages to the current management access session serial connect CLI Telnet CLI or SSH Disable all Syslog debug logging while ...

Page 514: ...ers by specifying a severity level a system module or both using the following commands switch config logging severity debug major error warning info switch config logging system module system module To display a list of valid values for each command enter logging severity or logging system module followed by or pressing the Tab key The severity levels in order from the highest to lowest severity ...

Page 515: ...ge types selected for debugging purposes If no syslog server address is configured with the logging syslog ip addr command no show debug command output is displayed Output of the show debug command switch config show debug Debug Logging Destination Logging 10 28 38 164 Facility kern Severity warning System module all pass Enabled debug types event Example In the following Example no syslog servers...

Page 516: ...gure a syslog server address and enable syslog logging all debug and logging settings are displayed with the show debug command If you do not want Event Log messages sent to syslog servers you can block the messages from being sent by entering the no debug event command There is no effect on the normal logging of messages in the switch s Event Log Example The next Example shows how to configure De...

Page 517: ...mmand At the manager level use the debug command to perform two main functions Specify the types of event messages to be sent to an external destination Specify the destinations to which selected message types are sent By default no debug destination is enabled and only Event Log messages are enabled to be sent NOTE To configure a syslog server use the logging syslog ip addr command For more infor...

Page 518: ... Enables syslog logging to send the debug message types specified by the debug debug type command to a buffer in switch memory For more information on these options see Debug destinations on page 519 event Configures the switch to send Event Log messages to configured debug destinations NOTE This value does not affect the reception of event notification messages in the Event Log on the switch Even...

Page 519: ...to configured debug destinations agent Displays DHCP snooping agent messages event Displays DHCP snooping event messages packet Displays DHCP snooping packet messages dynamic ip lockdown Sends dynamic IP lockdown debug messages to the debug destination port access Sends port access debug messages to the debug destination radius server Sends RADIUS debug messages to the debug destination ssh Sends ...

Page 520: ...ssages stored in the switch buffer enter the show debug buffer command Logging command At the global configuration level the loggingcommand allows you to enable debug logging on specified syslog servers and select a subset of Event Log messages to send for debugging purposes according to Severity level System module By specifying both a severity level and system module you can use both configured ...

Page 521: ... sent enter the show debug command See Debug syslog configuration commands on page 510 Syntax no logging syslog ip addr Enables or disables syslog messaging to the specified IP address You can configure up to six addresses If you configure an address when none are already configured this command enables destination logging syslog and the Event debug type Therefore at a minimum the switch begins se...

Page 522: ...ort with UDP or TCP is optional Default ports UDP port is 514 TCP port is 1470 Default Transport Protocol UDP Because TCP is a connection oriented protocol a connection must be present before the logging information is sent This helps ensure that the logging message will reach the syslog server Each configured syslog server needs its own connection You can configure the destination port that is us...

Page 523: ... printer subsystem news Netnews subsystem uucp uucp subsystem cron cron at subsystem sys9 cron at subsystem sys10 sys14 Reserved for system use local10 local17 Reserved for system use Use the no form of the command to remove the configured facility and reconfigure the default user value Adding a description for a Syslog server You can associate a user friendly description with each of the IP addre...

Page 524: ... Provides a user friendly description for the combined filter values of severity and system module If no description is entered this is blank If text_string contains white space use quotes around the string Use the no form of the command to remove the description Limit 255 characters The logging command with a priority description switch config logging priority descr severe pri NOTE A notification...

Page 525: ...g the logging system module command you can select a set of Event Log messages according to the originating system module and send them to a syslog server Syntax no logging system module system module Configures the switch to send all Event Log messages being logged from the specified system module to configured syslog servers To configure a syslog server see Configuring a syslog server See Event ...

Page 526: ...bled event debug type If a syslog server IP address is configured in the startup config file the sending of Event Log messages is reset to enabled regardless of the last active setting If no syslog server is configured the sending of Event Log messages is disabled IP debug type Disabled Debug commands do not affect normal message output to the Event Log Using the debug event command you can specif...

Page 527: ...ng and link tests The ping test and the link test are point to point tests between your switch and another IEEE 802 3 compliant device on your network These tests can tell you whether the switch is communicating properly with another device NOTE To respond to a ping test or a link test the device you are trying to reach must be IEEE 802 3 compliant Ping test A test of the path between the switch a...

Page 528: ...f another device is alive It also measures the amount of time it takes to receive a reply from the specified destination The ping command has several extended commands that allow advanced checking of destination availability Syntax ping ip address hostname repetitions 1 10000 timeout 1 60 source ip address vlan id loopback 0 7 data size 0 65471 data fill 0 1024 ip option record route loose source ...

Page 529: ...source route IP addr The loose source route option prompts for the IP address of each source IP on the path It allows you to specify the IP addresses that you want the ping packet to go through the packet may go through other IP addresses as well record route 1 9 Displays the IP addresses of the interfaces that the ping packet goes through on its way to the destination and on the way back When spe...

Page 530: ...6 seconds Syntax link mac address repetitions 1 999 timeout 1 256 vlan vlan id Example Figure 90 Link tests Tracing the route from the switch to a host address The traceroute command enables you to trace the route from the switch to a host address This command outputs information for each router hop between the switch and the destination address Note that every time you execute traceroute it uses ...

Page 531: ...p is shown in the output If minttl is less than the actual number of hops all hops are listed For any instance of traceroute if you want a minttl value other than the default you must specify that value Default 1 maxttl 1 255 For the current instance of traceroute changes the maximum number of hops allowed for each probe packet sent along the route If the destination address is further from the sw...

Page 532: ...ce route is not recorded The source route is automatically recorded when loose or strict source routing is enabled Default 9 strict source route IP addr Restricts the ping packet to only those IP addresses that have been specified and no other addresses timeout 1 120 For the current instance of traceroute changes the timeout period the switch waits for each probe of a hop in the route For any inst...

Page 533: ...ting traceroute where the route becomes blocked or otherwise fails results in an output marked by timeouts for all probes beyond the last detected hop For example with a maximum hop count of 7 maxttl 7 where the route becomes blocked or otherwise fails the output appears similar to this Figure 93 Traceroute failing to reach the destination address Viewing switch configuration and operation In some...

Page 534: ...al data Syntax show tech By default the show tech command displays a single output of switch operating and running configuration data from several internal switch sources including Image stamp software version data Running configuration Event Log listing Boot history Port settings Status and counters port status IP routes Status and counters VLAN information GVRP support Load balancing trunk and L...

Page 535: ...perational data is sent to your terminal emulator You can use your terminal emulator s text capture features to save the show tech data to a text file for viewing printing or sending to an associate to diagnose a problem For example if your terminal emulator is the Hyperterminal application available with Microsoft Windows software you can copy the show tech output to a file and then use either Mi...

Page 536: ...shes 5 Click on Transfer Capture Text Stop in HyperTerminal to stop copying data and save the text file If you do not stop HyperTerminal from copying command output into the text file additional unwanted data can be copied from the HyperTerminal screen 6 To access the file open it in Microsoft Word Notepad or a similar text editor Customizing show tech command output Use the copy show tech command...

Page 537: ...ed module or management modules where slot id Includes the crash data from an installed module Valid slot IDs are the letters a through h master Includes the crash data from both management modules crash log slot id master Includes the crash logs from all management and interface modules in show tech command output To limit the amount of crash log data displayed specify an installed module or mana...

Page 538: ...le acl filename txt Specifies the pathname of an ACL command file on the connected device pc unix Specifies whether the connected device is a DOS based PC or UNIX workstation Viewing more information on switch operation Use the following commands to display additional information on switch operation for troubleshooting purposes Syntax show boot history Displays the crash information saved for each...

Page 539: ...essions are permitted symbols such as the asterisk cannot be substituted to perform more general matching include Only the lines that contain the matching pattern are displayed in the output exclude Only the lines that contain the matching pattern are not displayed in the output begin The display of the output begins with the line that contains the matching pattern NOTE Pattern matching is case se...

Page 540: ...125 48 exit no autorun password manager 1Displays the running config beginning at the first line that contains ipv6 The following is an Example of the show arp command output and then the output displayed when the include option has the IP address of 15 255 128 1 as the regular expression The show arp command and pattern matching with the include option switch config show arp IP ARP table IP Addre...

Page 541: ...t you can see the results of multiple commands displayed over a period of time To halt the command execution press any key on the keyboard Syntax setup Displays the Switch Setup screen from the menu interface Restoring the factory default configuration As part of your troubleshooting process it may become necessary to return the switch configuration to the factory default settings This process Mom...

Page 542: ... Clear Reset Procedure 1 Using pointed objects simultaneously press both the Reset and Clear buttons on the front of the switch 2 Continue to press the Clear button while releasing the Reset button 3 When the Self Test LED begins to flash release the Clear button The switch then completes its self test and begins operating with the configuration restored to the factory default settings Restoring a...

Page 543: ...uld then appear in the terminal emulator Enter h or for help 3 Because the OS file is large you can increase the speed of the download by changing the switch console and terminal emulator baud rates to a high speed For Example a Change the switch baud rate to 115 200 Bps sp 115200 b Change the terminal emulator baud rate to match the switch speed I In HyperTerminal select Call Disconnect II Select...

Page 544: ...st recent startup config file DNS resolver The domain name system DNS resolver is designed for use in local network domains where it enables the use of a host name or fully qualified domain name with DNS compatible switch CLI commands DNS operation supports both IPv4 and IPv6 DNS resolution and multiple prioritized DNS servers For information on IPv6 DNS resolution see the latest IPv6 configuratio...

Page 545: ...is configured for a different domain than the target host the fully qualified domain name must be used Note that if the target host is in a domain other than the domain configured on the switch The host s domain must be reachable from the switch This requires that the DNS server for the switch must be able to communicate with the DNS servers in the path to the domain in which the target host opera...

Page 546: ...n suffix enables the use of DNS compatible commands with a target s host name instead of the target s fully qualified domain name Syntax no ip dns server address priority 1 3 ip addr Configures the access priority and IP address of a DNS server accessible to the switch These settings specify The relative priority of the DNS server when multiple servers are configured The IP address of the DNS serv...

Page 547: ...ription The no form of the command replaces the configured domain suffix with the null setting Default null Using DNS names with ping and traceroute Example In the network illustrated in Figure 99 Example network domain on page 547 the switch at 10 28 192 1 is configured to use DNS names for DNS compatible commands in the pubs outdoors com domain The DNS server has been configured to assign the ho...

Page 548: ...19 is alive time 1 ms switch traceroute docservr traceroute to 10 28 229 219 1 hop min 30 hops max 5 sec timeout 3 probes 1 10 28 192 2 1 1 ms 0 ms 0 ms 2 10 28 229 219 2 0 ms 0 ms 0 ms 1First Hop Router B 2Traceroute Target As mentioned under the following example if the DNS entry configured in the switch does not include the domain suffix for the desired target you must use the target host s ful...

Page 549: ...ove the address from the configuration then use ip dns server address priority ip addr to reconfigure the address with the new priority Also if the priority to which you want to move an address is already used in the configuration for another address you must first use the no form of the command to remove the current address from the target priority The DNS servers and domain configured on the swi...

Page 550: ... a specified number of minutes Default 30 minutes on 1 1440 Turns the chassis Locate LED on for a specified number of minutes Default 30 minutes off Turns the chassis Locate LED off Locating a switch with the chassislocate command switch config chassislocate blink 1 1440 Blink the chassis locate led default 30 minutes off Turn the chassis locate led off on 1 1440 Turn the chassis locate led on def...

Page 551: ...ob JOB NAME at delay enable disable Description Schedule a command to run automatically Jobs can be scheduled to run once multiple times on a recurring basis or after certain events such as reboots All commands run with manager privilege in configuration context The no form of the command deletes a scheduled job By default jobs will be repeated an infinite number of times Restrictions Jobs schedul...

Page 552: ...ow job Job Scheduler Status and Configuration Scheduler Status Waiting for the system time to be set Event or Repeat Save Name Time Count Cfg Command Burrrrrrrrrrrr reboot Yes chassislocate blink baz reboot No show time foo 17 00 SxTWTxS No savepower led a1 12 00 2 Yes sh time a2 Every 2 14 30 days 75 Yes vlan 3 a3 Every 00 00 25 days 1 No vlan 4 NOTE Caution The scheduler does not run until the s...

Page 553: ...om Last Run Tue Dec 15 01 24 00 2015 switch show job a2 Job Information Job Name a2 Runs At Every 2 14 30 days Config Save Yes Repeat Count 75 Run Count 0 Error Count 0 Command vlan 3 Job Status Disabled switch show job foo Job Information Job Name foo Runs At 17 00 SxTWTxS Config Save Yes Repeat Count Run Count 0 Error Count 0 Command savepower led Job Status Enabled Chapter 14 Job Scheduler 553 ...

Page 554: ...ns that were exported from the switch can be imported or restored on the switch Restores the configuration without reboot from a backup configuration when the running configuration has functional issues like misconfigurations from remote management stations Recommended scenarios Use the configuration restore feature for incremental configuration updates Use the force option with cfg restore for co...

Page 555: ...iles Configuration files id act pri sec name 1 config 2 stable 3 newfile 4 5 4 Check the difference between the newfile running configuration and stable backed up configuration using cfg restore flash stable diff command Based on the difference apply the backed up configuration using cfg restore flash stable command 5 Check the status of the configuration restore using show cfg restore status comm...

Page 556: ...es Configuration files id act pri sec name 1 config 2 stable 3 4 5 4 Edit the configuration as needed If the user is still connected to the switch the configuration is stable and the job which reloads the older configuration can be cancelled using the command no job cfg_stable switch config no job cfg_stable 5 If the user loses connectivity after applying the new configuration the job scheduler ex...

Page 557: ...les available in the flash cfg restore Restores the given configuration as the running configuration without reboot show cfg restore status Shows the status of latest restore performed show cfg restore latest diff Views the list of configuration changes that are removed modified or added to the running configuration show hash Shows the SHA ID of a startup or running configuration Configuration bac...

Page 558: ...ng config sftp tftp server address FILE NAME The existing copy command copies the startup and running configuration to the TFTP or SFTP server Examples switch config cfg backup running config Backup the running configuration to the flash file mentioned startup config Backup the startup configuration to the flash file mentioned switch config cfg backup running config startup config config Backup th...

Page 559: ... 23 2017 03 42 38 Version WC 16 05 0000x File Name modify File ID 3 File Size 35902 Bytes Last Modified Mon Oct 23 2017 03 42 38 Version WC 16 05 0000x To view the contents of a configuration file in the flash switch show config add JL255A Configuration Editor Created on release WC 16 05 0000x Ver 12 08 1d 9b 3f bf bb ef 7c 59 fc 6b fb 9f fc ff ff 37 ef ba hostname Aruba 2930F 24G PoEP 4SFPP modul...

Page 560: ...n Restores the given configuration as the running configuration without reboot If the configuration is not suitable to successfully restore without reboot the command will return a failure message with details NOTE The restored configuration commands will be executed on a running configuration so the name of the current active configuration does not change after configuration restore except for th...

Page 561: ...orce recovery mode enable disable verbose force recovery mode enable disable diff force Examples switch cfg restore flash Copy file from flash sftp Copy file from SFTP Server tftp Copy file from TFTP Server switch cfg restore flash FILE NAME Name of the backup configuration file to restore into the running configuration switch cfg restore flash config_file diff Provide the list of changes that wil...

Page 562: ...e 1 config 2 def 3 golden_config 4 5 switch config cfg restore flash golden_config Current running configuration will be replaced with golden_config Continue y n y Configuration restore is in progress configuration changes are temporarily disabled Configuration restoration is not allowed as the configuration has reboot required commands switch config show cfg restore status Status Failed Config Fi...

Page 563: ...Number of Add Commands 0 Number of Remove Commands 5 Time Taken for Each Phase Calculating diff 1 Seconds Adding commands 0 Seconds Removing commands 0 Seconds NOTE Time taken for adding and deleting commands is zero as the switch reboots It is similar to downloading a startup configuration to the device cfg restore non blocking Syntax cfg restore flash tftp sftp FILE NAME non blocking Description...

Page 564: ...ode is enabled Command context config Usage To disable recovery mode use cfg restore flash tftp sftp FILE NAME recovery mode disable Example With the following running configuration a restore to the backup file modify fails but this configuration will be retained as recovery mode is enabled switch config show running config Running configuration JL255A Configuration Editor Created on release WC 16...

Page 565: ...figuration JL255A Configuration Editor Created on release WC 16 05 0000x Ver 12 08 1d 9b 3f bf bb ef 7c 59 fc 6b fb 9f fc ff ff 37 ef ba hostname Aruba 2930F 24G PoEP 4SFPP module 1 type jl255a ip routing snmp server community public unrestricted vlan 1 name DEFAULT_VLAN untagged 1 28 ip address dhcp bootp exit vlan 10 name VLAN10 no ip address exit switch config cfg restore flash modify recovery ...

Page 566: ...ning configuration will be replaced with config Continue y n y Configuration restore is in progress configuration changes are temporarily disabled Configuration Restore Information Status Success Config File Name config Source Flash Time Taken 6 Seconds Last Run Tue Nov 7 03 43 07 2017 Recovery Mode Enabled Failure Reason Number of Add Commands 0 Number of Remove Commands 12 Time Taken for Each Ph...

Page 567: ... switch config cfg restore sftp HOSTNAME STR Specify hostname of the SFTP server IP ADDR IP Address of the SFTP Server IPV6 ADDR IPV6 Address of the SFTP Server user Specify username on the remote system information USER IP STR Specify username along with remote system information switch config cfg restore tftp 10 100 0 12 pvos tftp_2930_config_file Current running configuration will be replaced w...

Page 568: ...t pri sec name 1 config 2 file1 3 file2 4 5 2 Use cfg restore flash file1 force command to see the configuration of file1 switch config cfg restore flash file1 force As the file1 configuration requires a reboot a system reboot occurs When the switch comes up file1 is the new active configuration switch config sh config files Configuration files id act pri sec name 1 config 2 file1 3 file2 4 5 NOTE...

Page 569: ...qinq mixedvlan svlan qos queue config terminal type vt100 ansi console flow control terminal vsf member 0 9 vsf remove access list grouping console baud rate speed sense 1200 2400 4800 9600 19200 38400 57600 115200 Systemwide change commands Following commands change the system configuration module 0 9 a z A Z module 0 9 a z A Z type type igmp lookup mode ip flexible module a z A Z type type stack...

Page 570: ... will remain the same but the running configuration is replaced by file1 configuration NOTE In a configuration restore without reboot the association remains the same The default config file is updated based on the configuration of the restored file show cfg restore status Syntax show cfg restore status Description Shows the status of latest restore performed The running configuration is updated b...

Page 571: ...ch Phase Calculating diff 1 Seconds Adding commands 0 Seconds Removing commands 0 Seconds If the configuration restoration fails the line number and the failed commands are displayed switch config show cfg restore status Status Failed Config File name def Source Flash Time taken 20 Seconds Last Run Sun Oct 22 20 22 54 2017 Recovery Mode Enabled Failure Reason Add commands have been failed Number o...

Page 572: ...ricted vlan 1 name DEFAULT_VLAN no untagged 11 13 15 18 untagged 1 10 14 19 28 ip address dhcp bootp exit vlan 100 name VLAN100 untagged 11 13 no ip address exit vlan 300 name VLAN300 untagged 15 18 no ip address exit 2 Execute the show config golden_config command to show the backup configuration of the switch switch config show config golden_config JL255A Configuration Editor Created on release ...

Page 573: ...onfig cfg restore flash modify diff Current config and backup config is identical 4 Execute the show cfg restore latest diff command to display the difference between the running and the backup configuration switch config show cfg restore latest diff Shows the difference between running and back up configuration status Show configuration restoration status switch config show cfg restore latest dif...

Page 574: ...culated This may take several minutes Continue y n y Calculating hash Startup Configuration hash 4f66 8b77 6b66 e5fb 0c12 f7fb 8ea6 b548 af2e 2e03 This hash is only valid for comparison to a baseline hash if the configuration has not been explicitly changed such as with a CLI command or implicitly changed such as by the removal of a hardware module switch config show config hash recalculate Calcul...

Page 575: ... the restored configuration changes the entire configuration for example module add or remove More information cfg restore on page 560 Troubleshooting and support Switch configuration restore without reboot feature provides CLI support to display the number of commands with line number that failed to restore display the delta between running configuration and the configuration to be restored More ...

Page 576: ...ted vlan 2 tagged 9 0000 01 39 56 58 CFG mCfgRestoreMgr Command executed no vlan 3 tagged 9 Status Success 0000 01 39 56 58 CFG mCfgRestoreMgr Command deleted vlan 3 tagged 9 0000 01 39 56 64 CFG mCfgRestoreMgr Command executed no vlan 4 tagged 9 Status Success 0000 01 39 56 65 CFG mCfgRestoreMgr Command deleted vlan 4 tagged 9 0000 01 39 56 65 CFG mCfgRestoreMgr cfg restore iteration count 2 0000...

Page 577: ...agnostic crash via the serial console Cisco Discovery Protocol CDP Show cdp traffic Syntax show cdp traffic Description Displays the number of Cisco Discovery Protocol CDP packets transmitted received and dropped CDP frame Statistics Port No Transmitted Frames Received Frames Discarded Frames Error Frames A1 46 26 6 7 A2 30 35 7 9 A3 120 420 670 670 Clear cdp counters Syntax clear cdp counters Des...

Page 578: ...rt 2 25 Device ID 94 18 82 55 50 20 Address Type IP Address 172 31 99 143 Platform Aruba JL356A 2540 24G PoE 4SFP Switch revision YC 16 Capability Switch Device Port 3 Version Aruba JL356A 2540 24G PoE 4SFP Switch revision YC 16 Enable Disable debug tracing for MOCANA code Debug security Syntax debug security ssl Description Enables the debug tracing for MOCANA code Use the no parameter to disable...

Page 579: ...factory reset is disabled the configuration password s can not be reset using the clear and reset button combination at boot time When password recovery is enabled and the front panel buttons disabled a lost password can be recovered by contacting customer support When password recovery is disabled there is no way to access a device after losing a password with the front panel buttons disabled If ...

Page 580: ...eature so that the user is prevented from capturing diagnostic data and performing a diagnostic reset on the switch Both the sub options reset via serial console and reset via clear button will be disabled This is necessary if the switch becomes unresponsive hangs for unknown reasons No front panel security diagnostic reset no front panel security diagnostic reset Clear Password Enabled Reset on c...

Page 581: ...asons Ensure that you are familiar with the front panel security options before proceeding No front panel security diagnostic reset clear button From the configure context Syntax no front panel security diagnostic reset clear button Description Disables the diagnostic reset via clear button CAUTION Disabling the diagnostic reset prevents the switch from capturing diagnostic data on those rare even...

Page 582: ...lt configuration 1 Press Clear and Reset simultaneously 2 While continuing to press Clear release Reset 3 When the Test LED begins blinking after approximately 25 seconds release Clear The switch removes all configuration changes restores the factory default configuration and runs self test Diagnostic reset 1 Press Clear to 30 40 seconds 2 When the test LED begins blinking approximately after 30 s...

Page 583: ...d signaled to AMM RMON_BOOT_CRASH_RECORD1 STKM Diagnostic reset sequence detected on serial console user has initiated diagnostic reset On detection on non commander serial console and signaled to commander RMON_BOOT_CRASH_RECORD1 User has initiated diagnostic reset via the serial console Sw_panic message RMON_BOOT_CRASH_RECORD1 SMM User has initiated diagnostic reset via the serial console Sw_pan...

Page 584: ...and collects diagnostic data for debugging an application hang a system hang or any other rare occurrence Diagnostic reset is controlled via FPS options The serial sequence to initiate the User Initiated Diagnostic Reset via Serial console is Ctrl S Ctrl T Ctrl Q Ctrl T Ctrl S Front panel security diagnostic reset serial console In the configure context Syntax front panel security diagnostic reset...

Page 585: ... initiated diagnostic reset RMON_BOOT_CRASH_RECORD1 SMM Diagnostic reset sequence detected on serial console user has initiated diagnostic reset RMON_BOOT_CRASH_RECORD1 STKM Diagnostic reset sequence detected on serial console user has initiated diagnostic reset RMON_BOOT_CRASH_RECORD1 User has initiated diagnostic reset via the serial console RMON_BOOT_CRASH_RECORD1 SMM User has initiated diagnos...

Page 586: ... test packet The IP SLA feature provides Application aware monitoring that simulates actual protocol packets Predictable measures that aid in ease of deployment and help with assessment of existing network performance Accurate measures of delay and packet loss for time sensitive applications End to end measurements to represent actual user experience We support the following SLA types UDP Echo inc...

Page 587: ... between the source and the responder must be synchronized with NTP if One Way Delay parameters have to be calculated for UDP Echo tests Timeout for probes is 3 seconds for all SLA types and is not configurable Transient spikes in RTT occur during the tests in the source and the responder if processor usage is high Consider average result values over a period of time rather than point in time resu...

Page 588: ...ited interoperability with Comware 7 SLA v2 version One Way packet drops SD packet loss and DS packet loss on the Comware Jitter initiator is not reported when interoperating with Aruba Jitter Responder IP SLA responder or initiator implementation is not interoperable with Cisco s IP SLA feature How IP SLA works 1 The source originates a test packet to the destination 2 The destination responds to...

Page 589: ...s and respective threshold action values schedule Configure the start time stop time lifetime and frequency of run for the IP SLA tcp connect Configure TCP connect as the IP SLA test mechanism tos Configure the Type of Service value to be set in the test packet for the IP SLA udp echo Configure UDP echo as the IP SLA test mechanism On platforms that support Jitter and VOIP the following options ar...

Page 590: ...efault payload size is not set no ip sla ID udp echo Syntax no ip sla ID udp echo destination IP ADDR HOST NAME PORT NUM source IP ADDR VLAN ID payload size SIZE Description Configure UDP echo as the IP SLA test mechanism Requires destination address hostname and source address VLAN ID for the IP SLA of UDP Echo SLA type PORT NUM Value can range from 1024 65535 payload size Value can range from 1 ...

Page 591: ...n NOTE The command option threshold config can be individually set for rtt srcTodstTime and dstToSrcTime no ip sla ID monitor packet loss Syntax no ip sla ID monitor packet loss threshold type immediate consecutive COUNT action type trap log trap log none Description Configure threshold action values when packet loss happens threshold type immediate Take action immediately when the monitored param...

Page 592: ... of operation is 60 seconds no ip sla ID tos Syntax no ip sla ID tos VALUE Description Configure the Type of Service value to be set in the test packet for the IP SLA Valid values 0 255 no ip sla responder Syntax no ip sla responder Description Configure SLA responder to respond to probe packets IP address local interface IP address port takes L4 port numbers SLA types supported udp echo tcp conne...

Page 593: ...code the test VoIP packets Available codecs g711a g711u g729a Default is g711a Advantage factor Advantage factor to be configured for the test Default is 0 Allowed range 0 20 Show commands show ip sla ID Syntax show ip sla ID Description Show IP SLA configurations Options history Show the IP SLA results history message statistics Show the IP SLA message statistics results Show the IP SLA results f...

Page 594: ...etion Action Type None show ip sla ID history Syntax show ip sla ID history Description Show the IP SLA results history show ip sla ID history SLA ID 1 SLA Type UDP Echo Minimum RTT ms 1 Maximum RTT ms 4294967282 Average RTT ms 3 Total RTT ms 315 RTT2 sum of RTT squared 63681 Start Time Status RTT Description Mon Jan 1 00 51 28 1990 Failed DMA tail drop detected Mon Jan 1 00 51 30 1990 Failed SLA ...

Page 595: ...tion Shows the results for the last IPSLA UDP Jitter or UDP Jitter for VoIP test Note this command is not valid for any other SLA type Switch config sh ip sla 1 results Test Results for SLA ID 1 Probe Id 10 SLA Type UDP Jitter Destination IP Address 10 2 2 2 Destination Port 4444 Source IP Address 10 2 2 2 Source Port 5555 Number of Packets Sent 10 Number of Packets Received 10 Minimum Round Trip ...

Page 596: ...38 show ip sla ID aggregated results Syntax show ip sla ID aggregated results Description Shows the aggregated results for the last 25 probes conducted for an IPSLA UDP Jitter or UDP Jitter For VoIP SLA test Note this command is not valid for any other SLA type Switch config show ip sla 1 aggregated results Test results for SLA ID 1 SLA Type UDP Jitter Destination IP Address 10 2 2 2 Destination P...

Page 597: ...SD Delays 78 Sum of DS Delays 85 Square Sum of SD Delays 666 Square Sum of DS Delays 787 For UDP Jitter for VoIP SLA the following parameters are additionally shown Voice Scores Max MOS Value 4 38 Min MOS Value 4 38 Max ICPIF Value 0 Min ICPIF Value 0 show ip sla responder Syntax show ip sla responder Description Show the IP SLA responder details show ip sla responder SLA type UDP echo Listening A...

Page 598: ...uence used by technical support show tech ip sla switch sh tech ip sla ipslaShowTech IP SLA show tech BEGIN GLOBALS Hash Handle 1e7bab20 Struct Mem Handle for hash 1e7ba2a8 Struct Mem Handle for SLA ID LL 1e7c9430 Struct Mem Handle for FD List 1e7bd690 FastLog Handle dfabf5c IPSLACtrl task ID 1068091456 IPSLA Sender ID 1068092544 IPSLA Listener ID 1068091840 Number of enabled SLA s 1 SLA ID List H...

Page 599: ...d 0 No route to target 0 Internal error 0 Local interface is down 0 No response from target 0 Successful probes sent 9 Probe response received 9 Possibly tail dropped 0 Count of Threshold hits RTT 0 packetLoss 0 SLA ID 1 Minimum RTT ms 1 Maximum RTT ms 1 Average RTT ms 1 Total RTT ms 9 RTT2 sum of RTT squared 9 Start Time Status RTT Description Tue Jun 14 10 43 12 2016 Passed 1 Mon Jun 13 10 39 05...

Page 600: ... or VoIP UDP jitter Command context config Parameters SLA TYPE Specifies the SLA type udp jitter Selects standard UDP jitter udp jitter voip Selects UDP VOIP jitter LOCAL IP ADDR Specifies the local interface IP address LOCAL PORT NUM Specifies the local interface port number Range 1024 to 65535 SOURCE IP ADDR Specifies the Source IP address Examples Clear IP SLA responder statistics for UDP jitte...

Page 601: ...d frequency and repetitions Configuring srcTodstTime or dstTosrcTime threshold configuration for icmp echo or tcp connect Invalid threshold configuration for configured SLA type Enabling the IP SLA which is already in enabled state IP SLA is already enabled Disabling the IP SLA which is already in disabled state IP SLA is already disabled Show IP SLA history of un configured SLA IP SLA is not conf...

Page 602: ...ime Error Stop time must be greater than start time Configure schedule with past stop time Error Stop time must be greater than current time Configure schedule with invalid frequency value Error Schedule frequency is out of range Valid range is 5 to 604800 Configuring history size with invalid value Error IP SLA History size is out of range Valid range is 1 50 Configuring SLA type with invalid pay...

Page 603: ...tiated or done by the user I 10 28 15 01 42 22 05027 ipsla IP SLA 1 state changed to Expired I 10 28 15 01 42 22 05021 ipsla IP SLA 1 state changed to Enabled I 10 28 15 01 42 22 05021 ipsla IP SLA 1 state changed to Scheduled I 10 28 15 01 42 22 05021 ipsla IP SLA 1 state changed to Admin disabled User configures a responder I 10 28 15 01 42 22 05025 ipsla IP SLA responder configured for SLA Type...

Page 604: ...SLA 1 For TCP 4 tuple combination has to be unique User adds DHCP SLA configuration I 08 09 16 02 47 12 05031 ipsla The IP SLA 1 of SLA Type DHCP Vlan 1 added User removes DHCP SLA configuration I 08 09 16 02 47 12 05032 ipsla The IP SLA 1 of SLA Type DHCP Vlan 1 removed DHCP SLA test has completed and the threshold config for test completion is present I 08 09 16 02 47 12 05033 ipsla The IP SLA 1...

Page 605: ... server the very first packet will arrive after one second and successive packets will be sent immediately ideally In real world scenarios intermediate node latencies different return paths for different packets and network congestion can contribute to varying delays To counter such effects packets are buffered at the media player The amount of packet buffering needed can be derived from the jitte...

Page 606: ...LA Measurements The following metrics are measured as part of this IP SLA jitter functionality One way jitter One way jitter is defined as the time difference between inter packets transmit time and inter packets arrival time in a given direction This is measured in both the Initiator to Responder direction referred to as SD jitter as well as the Responder to initiator direction referred to as DS ...

Page 607: ...he Responder receiving the frame This requires the Initiator and the Responder to be time synchronized with the same clock server This is explained in the illustration below Round trip time RTT is measured at the initiator on a per packet basis and is as illustrated below Chapter 17 IP Service Level Agreement 607 ...

Page 608: ... campus networks The policies associated with the client can be driven through a RADIUS server a downloaded role from ClearPass or by local MAC authentication in the switch Many devices that require Power over Ethernet PoE and network access such as security cameras printers payment card readers and medical devices do not have built in security software such as those on desktop or laptop computers...

Page 609: ...onfiguration is needed Tunnel client traffic over core complexity Reduced switch configuration Traffic visibility Wired guest access Simple branch configuration Controller supplied client attributes visibility Use Cases Following are the common use cases for Dynamic Segmentation apart from the common use case of segmenting traffic based on user role policy Create a wired guest capability Provide a...

Page 610: ...Dual Personality Ports 10 100 1000BASE T PoE T or SFP S LEDMode Reset Clear Status Console 10 100 1000 BASE T PoE Ports 1 48T AuxPort Mgmt Console 2930M Spd Usr Back UID PoE Dual Personality Ports 10 100 1000BASE T PoE T or SFP S LEDMode Reset Clear Status Console 10 100 1000 BASE T PoE Ports 1 48T AuxPort Mgmt Console 2930M Spd Usr Back UID PoE Dual Personality Ports 10 100 1000BASE T PoE T or SF...

Page 611: ...0M Spd Usr Back UID PoE Dual Personality Ports 10 100 1000BASE T PoE T or SFP S LEDMode Reset Clear Status Console 10 100 1000 BASE T PoE Ports 1 48T AuxPort Mgmt Console 2930M Spd Usr Back UID PoE Dual Personality Ports 10 100 1000BASE T PoE T or SFP S LEDMode Reset Clear Status Console 10 100 1000 BASE T PoE Ports 1 48T AuxPort Mgmt Console 2930M HPE Smart Rate 1 2 5 5 10 GbE PoE Ports 1 8 JL323...

Page 612: ...plementation is done using the same mechanism with an Aruba Mobility Controller In essence a wired port becomes a wired AP Each switch port can then be individually configured to create a single tunnel to the Mobility Controller However at the Mobility Controller each tunneled node port is seen as separate tunnel to provide more granular visibility as each tunnel has a unique GRE key By tunneling ...

Page 613: ...by issuing the following command Ensure the time interval between keepalive messages is set to the default value 8 Switch config tunneled node server keepalive interval 1 8 Configure the time interval between two successive keepalive messages sent to the controller 2 Execute the following commands to enable port based tunneling on an interface or a range of interfaces Switch config vlan 200 untagg...

Page 614: ...y HA will be supported for the tunneled node related configuration A tunnel associated with a port is up when the following conditions are met A tunnel is down when either of the conditions are not met Either the primary or backup controller is reachable A boot strap message response is received from the controller Heartbeat between the switch and controller fails when the controller does not resp...

Page 615: ...ress egress IGMP MLD GMB Broadcast limit Energy Efficient Ethernet Flow Control PoE poe allocate by poe lldp detect Rogue MAC detection LLDP auto provisioning Restrictions Once a tunneled node profile is applied to a port the controller IP primary and backup cannot be changed IP address cannot be assigned to VLANs that contain ports with Port Based Tunneling configured Chapter 18 Dynamic Segmentat...

Page 616: ...esh Global VXLAN Global IP address manual and dhcp VLAN 802 1x mac auth webauth LMA port security Port DIPLD IPv4 IPv6 Port DSNOOP IPv4 IPv6 VLAN ARP protect VLAN RA guard Port Virus throttling Port BYOD VLAN Trunk Profile cannot be applied to a trunk PBR policies VLAN VSF on a Port Based Tunnel configured port Port Source port Multicast filters Port DHCP client Server Relay VLAN Preventing double...

Page 617: ...ute the following command switch config device profile name test To allow tunneled node by the configured device profile parameter execute the following command switch device profile allow tunneled node Examples switch config device profile name device profile name switch device profile allow jumbo frames Configure jumbo frame support for the device port allow tunneled node Configure Tunneled Node...

Page 618: ...e default device profile exit When allow tunneled node is disabled switch config show run J9625A Configuration Editor Created on release KB 16 05 0000x Ver 0f 02 43 18 82 34 61 1c 28 f3 84 9c 63 ff 37 2f da hostname switch snmp server community public unrestricted device identity name cpe lldp oui 33bbcc device identity name cpe lldp sub type 1 device identity name phone lldp oui 112233 vlan 1 nam...

Page 619: ... profile default ap profile untagged vlan 1 tagged vlan None ingress bandwidth 100 egress bandwidth 100 cos 0 speed duplex auto poe max power Class LLDP poe priority critical allow jumbo frames Disabled allow tunneled node Enabled Device Profile Configuration Configuration for device profile test untagged vlan 1 tagged vlan None ingress bandwidth 100 egress bandwidth 100 cos None speed duplex auto...

Page 620: ... control The decision to tunnel client traffic is based on the user role User roles redirect traffic to an Aruba controller when the tunnel status is up A secondary role provided by the authentication subsystem when present in the user role authorizations notifies the User Based Tunnel and provides a secondary role The communication between a User Based Tunneling switch and the ClearPass is suppor...

Page 621: ...d with the standby managed device and acts as a secondary switch anchor controller s SAC Authenticating the User As a user connects to a secure port the Aruba switch sends a request to the RADIUS server in this case ClearPass which authenticates the user and returns a user role attribute to the Aruba switch Once the attribute containing information on which user role the user will be placed in is ...

Page 622: ...user anchor controllers a PAPI Process Application Programming Interface based keepalive packet is exchanged with the controllers that have users anchored to them NOTE Upgrading from earlier images to 16 08 or greater with the same user role configuration is seamless and is supported After upgrading to 16 08 or later if Reserved VLAN mode is configured the VLAN IDs already configured in user roles...

Page 623: ...rver Table for pool profile root Service Type PoolSize ExpiredLic ActualPoolSize UsedLic RemainingLic Warnings FeatureBit Access Points 512 0 512 18 494 None enabled Next Generation Policy Enforcement Firewall Module 256 0 256 18 238 None enabled RF Protect 512 0 512 18 494 None enabled Advanced Cryptography 512 0 512 0 512 None enabled WebCC 0 0 0 0 0 None disabled MM VA 1000 0 1000 12 988 None e...

Page 624: ...d to all tunneled clients and the same VLAN is used while tunneling client traffic to the controller Thus to use a reserved VLAN it is not required to preconfigure VLANs configured under user role in switch prior to initiating client authentication When a reserved VLAN is configured if it is not already present on the switch it will be created and traffic from all clients on the switch will go thr...

Page 625: ...witch tunneled node server mode role based reserved vlan vlan id switch tunneled node server enable NOTE IPv6 configurations are only available when the switch is operating in role based mode User Based Tunneling tunneled node server Syntax tunneled node server controller ip IP ADDR IPv6 ADDR backup controller ip IP ADDR IPv6 ADDR keepalive TIMEOUT enable mode role based reserved vlan VLAN ID no t...

Page 626: ...e applied to the tunneled traffic by the controller Command context user role Parameters secondary role ROLE NAME Specifies the secondary role applied on the user traffic by the controller Example switch config aaa authorization user role name testrole switch user role tunneled node server redirect tunneled node server The tunneled node server redirect attribute instructs the switch to redirect al...

Page 627: ...082e5f 263518 UP authenticated NOTE Starting from 16 08 the CLI constraint while configuring tunneled node server redirect attribute without configuring VLAN ID has been removed IP source interface Syntax switch config ip source interface tunneled node server IP_ADDRESS loopback LOOPBACK_INTERFACE vlan VLAN_ID Description Defines source IP address or interface for specified protocol NOTE If interf...

Page 628: ... role based reserved vlan VLAN ID Description Enable tunneled node server with a reserved VLAN on which all client traffic is sent to the controller Example To configure a tunneled node server in role based reserved VLAN mode switch tunneled node server mode port based Configure tunneled node server mode as port based role based Configure tunneled node server mode as role based switch tunneled nod...

Page 629: ...erator Parameters role name Specifies the user role name Examples Shows the user role by specific name switch show user role testrole User Role Information Name testrole Type local Reauthentication Period seconds 0 Cached Reauth Period seconds 0 Logoff Period seconds 300 Untagged VLAN 100 Tagged VLAN Captive Portal Profile Policy Tunnelednode Server Redirect Enabled Secondary Role Name XYZ Device ...

Page 630: ... node server Syntax show tunneled node server information statistics controller state controller Description Shows the tunneled node server information statistics or state NOTE Information for SAC and SSAC Switch Anchor Controller SAC Standby Anchor Controller SSAC and User Anchor Controller UAC is available in the ArubaOS Switch Controller Guide at https support arubanetworks com Command context ...

Page 631: ...37520 Registered User Anchor Controller UAC 10 10 10 148 User Port VLAN State Bucket ID 00000f 000200 1 24 100 Registered 2 switch show tunneled node server statistics Tunneled Node Statistics Control Plane Statistics SAC 10 10 10 148 Bootstrap Tx 1 Bootstrap Rx 1 Nodelist Rx 0 Nodelist Ackd 0 Bucketmap Rx 0 Bucketmap Ackd 0 Failover Tx 0 Failover Ackd Tx 0 Unbootstrap Tx 0 Unbootstrap Ackd Tx 0 H...

Page 632: ... 1 1 0 1 1 48 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 54 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 60 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 66 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 72 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 78 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 84 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 90 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 96 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 102 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 ...

Page 633: ...1 0 1 1 1 0 1 90 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 96 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 102 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 108 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 114 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 120 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 126 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 132 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 138 0 1 1 1 0 1 0 1 1 1 0 1 0 1 1 1 0 1 144 0 1 1 1 0 1 0 1 1 1 0 1 ...

Page 634: ...OLE FAILURE REASON 123 XYZ123 UP ROLE NAME1 234 XYZ1234 DOWN ROLE NAME2 UAC_DOWN Show the total number of clients configured with the user based tunneled node switch config show tunneled node users count Total number of clients configured with user based tunneled node 2 Show the port access clients in detail switch show port access clients Downloaded user roles are preceded by Port Access Client S...

Page 635: ...k2_DUR_prof2_PUTN 3037 12 10 match ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 exit Tunnelednode Server Redirect Enabled Secondary Role Name authenticated Commands to configure VLAN ID in user role Local user roles allow user based policy configuration local to an Aruba switch Within the user role configuration use the tunneled node server redirect command to tunnel traffic to a Mobility Co...

Page 636: ... specify the managed device IP addresses and map the managed devices to the cluster profile ArubaMM mynode config show switches All Switches IP Address IPv6 Address Name Location Type Model Version Status Configuration State Config Sync Time sec Config ID 15 212 178 108 None ArubaMM Building1 floor1 master ArubaMM 8 0 0 0_55647 up UPDATE SUCCESSFUL 0 0 10 0 102 218 None C2 Building1 floor1 MD Arub...

Page 637: ...ss using downloadable user roles This makes the ClearPass a centralized point to administer user policy to the access switch and minimize user configuration on the Aruba switch For downloadable user roles to work appropriately the signing Certificate Authority CA of the ClearPass HTTPS certificate must be added to the Aruba switch and marked as trusted With ArubaOS Switch 16 08 there is an automat...

Page 638: ...twork is similar in setup and the configuration and show command covered in earlier sections work for IPv4 as well as IPv6 environments PAPI security Protocol Application Programming Interface PAPI The PAPI Enhanced Security configuration provides protection to Aruba devices AirWave and ALE against malicious users sending fake messages that results in security challenges Starting from ArubaOS Swit...

Page 639: ...hared secret key When enhanced security mode is enabled an AP is not updated with the new shared secret key unless the AP knows the previous key and the AP is updated with the new key within one hour of the key creation Key length has to be between 10 64 or the following message will appear Minimum key value length allowed is 10 characters and maximum allowed is 64 characters Usage Switch config p...

Page 640: ...0 00 50 65 f3 b4 a6 c0 oobm ip address dhcp bootp exit vlan 1 name DEFAULT_VLAN untagged 1 52 ip address dhcp bootp exit activate provision disable Frequently Asked Questions Following is a list of frequently asked questions and answers relating to per user tunnel node In a controller cluster how does the switch determine which controller to send the user traffic to The SAC sends a bucket map to t...

Page 641: ...witch Since the node list is received from the s SAC and not the SAC the switch considers that SAC is down and initiates a failover to s SAC Also the switch removes all users anchored to SAC Once s SAC acknowledges the failover request the s SAC becomes the new active SAC The new Active SAC then sends a node list update and bucket map update In the node list update the new s SAC will be provided T...

Page 642: ...VLAN and the tunneled users VLAN cannot be same A user is registered at the switch but does not respond to a ping How do I debug Check that the user roles and VLANs are correctly configured at the switch as well as the controller Check that the IP MTU is set to 1500 46 at all the switches in the path from User Based Tunneling switch to the controller There are two parts to the solution and the par...

Page 643: ...t as a input port number Test cable diagnostics C21 test cable diagnostics C21 The test cable diagnostics command will cause a loss of link and will take a few seconds per interface to complete Continue Y N y MDI Cable Distance Pair Pair MDI Port Pair Status to Fault Skew Polarity Mode C21 1 2 Open 0 m 0 ns 3 6 Open 0 m 0 ns 4 5 Open 0 m 0 ns 7 8 Open 1 m 0 ns Test cable diagnostics 1 1 1 10 switc...

Page 644: ...OK 7m 3 6 OK 5m 4 5 OK 5m 7 8 OK 5m Good cable tests switch test cable diagnostics 51 This command will cause a loss of link on all tested ports and will take several seconds per port to complete Use the show cable diagnostics command to view the results Continue y n Y switch show cable diagnostics 51 Cable Diagnostic Status Transceiver Ports MDI Cable Distance Pair Pair MDI Port Pair Status to Fa...

Page 645: ... will take several seconds per port to complete Use the show cable diagnostics command to view the results Continue y n y switch show cable diagnostics 51 Cable Diagnostic Status Transceiver Ports MDI Cable Distance Pair Pair MDI Port Pair Status to Fault Skew Polarity Mode 51 1 2 OK 0 m 0 ns 3 6 Short 1 m 0 ns 4 5 Short 1 m 0 ns 7 8 OK 0 m 0 ns switch test cable diagnostics 52 This command will c...

Page 646: ...s an input port number clear cable diagnostics Syntax clear cable diagnostics Description Use the command to clear the result buffer Example switch config clear cable diagnostics Limitations TDR has the following limitations TDR length accuracy is 5 m Does not work on Smart Rate Interfaces with 10GBASE T and NGBASE T 2 5G 5G copper ports available on v3 blades J9991A Aruba 20 port 10 100 1000BASE ...

Page 647: ... Not supported on v2 zl modules Valid only on 100BASE TX and 1000BASE T ports Chapter 19 Cable Diagnostics 647 ...

Page 648: ...ol MVRP Multiple VLAN Registration Protocol Overview of VSF Aruba Virtual Switching Framework VSF technology virtualizes up to eight physical devices in the same layer into one virtual fabric which provides high availability and scalability A virtual fabric is therefore multiple physical devices in the same layer that use VSF technology Chapter 20 Virtual Switching Framework VSF 648 Aruba 2930F 29...

Page 649: ...3 onwards VSF supported a 4 member stack for 1G and 10G links In VSF 8 member stack the same front plane stacking capability has been extended to 2930F switches Variants have 1G copper and SFP ports and 10G SFP ports PoE and non PoE ports None of the variants have an OOBM port The VSF feature allows the user to form a stack of up to eight devices of any SKU including mixing the SKUs in a single st...

Page 650: ...ts as the commander to manage and control the entire VSF fabric One of the switches acts as a standby and backs up the commander and takes over in case of commander failure VSF port aggregation A VSF link can aggregate upto eight VSF ports with the immediate neighboring member This provides redundancy till failure of seven VSF ports Distributed trunking The Ethernet link aggregation feature can be...

Page 651: ...k The bound physical interfaces are automatically aggregated to form a VSF link A VSF link goes down only if all its VSF physical interfaces are down Physical VSF ports VSF ports connect VSF member devices and must be bound to using a VSF link These VSF ports forward VSF protocol packets and data traffic Up to eight ports can be bound to a VSF link NOTE Once a port is bound to a VSF link all exist...

Page 652: ...warding databases synchronizing them with the Standby and controlling all line cards including that of the Standby Standby Standby is a stateful backup device for the Commander and is ready to take control of the VSF virtual chassis if the Commander device fails This enables the VSF virtual chassis to continue its operations seamlessly in the event of a failure Member All devices in the stack othe...

Page 653: ...o VSF links A VSF fabric with ring topology is recommended Loss or failure of one link in this topology will degrade the topology to chain without losing any VSF members from the stack Traffic will still continue with minimal loss of in flight traffic Table 38 Supported chain topologies Members Chain topology 1 member standalone 2 member 3 member 4 member 5 member 6 member 7 member 8 member Chapte...

Page 654: ...on synchronization VSF uses a strict running configuration synchronization mechanism In a VSF fabric the Commander manages and retains the configuration of all the devices All other devices obtain and use the running configuration from the Commander 654 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 655: ... elected as the new Standby in the previous Commander fragment Previous Standby will failover and become Commander Member 2 will be elected as a new standby to that fragment Once the fragment become inactive all front plane ports except VSF links will be brought down A limited set of CLI commands will be available on the inactive fragment VSF merge VSF merge occurs on connecting two different VSF ...

Page 656: ...o be updated the switch will reboot twice vsf disable Syntax vsf disable Description Disable VSF on the virtual chassis Restriction This command will not be available until VSF is enabled vsf member link Syntax no vsf member MEMBER ID link LINK ID ethernet PORT LIST name LINK NAME start disabled Description Create the VSF links A set of physical ports between any two members carrying VSF traffic i...

Page 657: ...The VSF member ID for the member command or parameter Member ID value can be in the range of 1 to 8 vsf member shutdown For a switch that physically exists this command will cause the switch to shut down shutdown is used in preparation to remove the switch from the virtual chassis The switch will not become a voting member of the virtual chassis again until it is rejoined The shutdown command cann...

Page 658: ... physically exists its configuration will be erased It will then be powered down by default Syntax vsf member MEMBER ID remove Description Erase the VSF virtual chassis member configuration Parameters MEMBER ID The VSF member ID for the member command or parameter Member ID value can be in the range of 1 to 8 Restriction Remove will not be available until VSF is enabled vsf member remove reboot Sy...

Page 659: ...A loose provisioning allows the device with the specified J number to be configured without a MAC address being specified This allows any device which matches the J number to adopt this configuration If a provisioned configuration exists with the member ID the following command is used to change the provisioning from strict and loose and vice versa It is recommended to configure the member VSF lin...

Page 660: ...ovisioning for VSF VC member 2 and changes the MAC address to 001122 334455 vsf member 2 type J9850A Changes the strict provisioning for VSF VC member 2 to loose provisioning The configured MAC address is then removed vsf member 2 type J9850A mac 00aabb cceedd Changes loose provisioning for VSF VC member 2 to strict provisioning with MAC address 00aabb cceedd snmp server enable traps vsf Syntax no...

Page 661: ...tack split Only one MAD VLAN can be configured Parameters VLAN ID VLAN identifier or the VLAN name if configured Vlan ID value can be in the range of 1 to 4096 Usage no vsf vlan mad VLAN ID vsf lldp mad ipv4 Syntax no vsf lldp mad ipv4 IPV4_ADDR v2c COMMUNITY STR Description Enable LLDP MAD on the VSF device NOTE The command vsf lldp mad requires a peer switch to be configured as the assist device...

Page 662: ...L254A 2930F 48G 4SFP Switch 128 Member 3 b05ada 9771c0 Aruba JL256A 2930F 48G PoE 4SFP 128 Standby 4 b05ada 963120 Aruba JL255A 2930F 24G PoE 4SFP 128 Member 5 9cdc71 393440 Aruba JL256A 2930F 48G PoE 4SFP 128 Member 6 b05ada 962180 Aruba JL253A 2930F 24G 4SFP Switch 128 Member 7 b05ada 9631e0 Aruba JL255A 2930F 24G PoE 4SFP 128 Commander 8 b05ada 96f000 Aruba JL253A 2930F 24G 4SFP Switch 128 Memb...

Page 663: ...3 130 624 bytes Free 221 141 152 bytes VSF Links 1 Active Peer member 2 2 Active Peer member 8 Member ID 2 MAC Address 9cdc71 371d20 Type JL253A Model Aruba JL253A 2930F 24G 4SFP Switch Priority 128 Status Member ROM Version WC 16 01 0006 Serial Number CN71HKT0BQ Uptime 0d 17h 26m CPU Utilization 0 Memory Total 343 130 624 bytes Free 253 175 276 bytes VSF Links 1 Active Peer member 3 2 Active Peer...

Page 664: ...55A 2930F 24G PoE 4SFP Switch Priority 128 Status Member ROM Version WC 16 01 0004 Serial Number CN6ZHKW005 Uptime 0d 17h 6m CPU Utilization 0 Memory Total 343 130 624 bytes Free 253 160 108 bytes VSF Links 1 Active Peer member 4 2 Active Peer member 6 Member ID 6 MAC Address 941882 42d320 Type JL255A Model Aruba JL255A 2930F 24G PoE 4SFP Switch Priority 128 Status Standby ROM Version WC 16 01 000...

Page 665: ...ytes Free 253 174 992 bytes VSF Links 1 Active Peer member 7 2 Active Peer member 1 The above example shows Member 1 Link 1 is connected to Member 2 Link 1 Member 2 Link 2 is connected to Member 3 Link 1 Member 3 Link 2 is connected to Member 4 Link 1 Member 4 Link 2 is connected to Member 5 Link 1 Member 5 Link 2 is connected to Member 6 Link 1 Member 6 Link 2 is connected to Member 8 Link 2 Memb...

Page 666: ... 4 Link Peer Peer Link Link Name State Member Link 1 I Link4_1 Up 3 2 2 I Link4_2 Up 5 1 VSF Member 5 Link Peer Peer Link Link Name State Member Link 1 I Link5_1 Up 4 2 2 I Link5_2 Up 6 1 VSF Member 6 Link Peer Peer Link Link Name State Member Link 1 I Link6_1 Up 5 2 2 I Link6_2 Up 8 2 VSF Member 7 Link Peer Peer Link Link Name State Member Link 1 I Link7_1 Down 0 0 2 I Link7_2 Up 8 1 VSF Member 8...

Page 667: ...isplays a detailed output of VSF port state and links for each VSF member Example output switch show vsf link detail VSF Member 1 Link 1 Port State 1 9 Up Connected to port 2 49 VSF Member 2 Link 1 Port State 2 49 Up Connected to port 1 9 VSF Member 2 Link 2 Port State 2 51 Up Connected to port 3 51 VSF Member 3 Link 1 Port State 3 51 Up Connected to port 2 51 VSF Member 3 Link 2 Port State 3 49 U...

Page 668: ...ected to port 6 25 VSF Member 6 Link 1 Port State 6 25 Up Connected to port 5 49 VSF Member 6 Link 2 Port State 6 27 Up Connected to port 8 27 VSF Member 7 Link 2 Port State 7 25 Up Connected to port 8 25 VSF Member 8 Link 1 Port State 8 25 Up Connected to port 7 25 VSF Member 8 Link 2 Port State 8 27 Up Connected to port 6 27 668 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Sw...

Page 669: ...Active Peer member 8 switch show vsf member 2 Member ID 2 MAC Address 98f2b3 bc4700 Type JL254A Model Aruba JL254A 2930F 48G 4SFP Switch Priority 255 Status Commander ROM Version WC 16 01 0004 Serial Number CN77HKV09F Uptime 36d 20h 5m CPU Utilization 24 Memory Total 343 482 880 bytes Free 224 031 528 bytes VSF Links 1 Active Peer member 1 2 Active Peer member 3 switch show vsf member 3 Member ID ...

Page 670: ...n WC 16 01 0004 Serial Number CN71HKT0BD Uptime 36d 20h 5m CPU Utilization 0 Memory Total 343 482 880 bytes Free 253 575 816 bytes VSF Links 1 Active Peer member 4 2 Active Peer member 6 switch show vsf member 6 Member ID 6 MAC Address 941882 429800 Type JL258A Model Aruba JL258A 2930F 8G PoE 2SFP Switch Priority 255 Status Standby ROM Version WC 16 01 0004 Serial Number CN69HL00F4 Uptime 36d 20h ...

Page 671: ...ctive Peer member 7 show vsf topology Syntax show vsf topology Description This command shows information about VSF virtual chassis member connections Example output switch show vsf topology VSF member s interconnection with links Stby Cmdr 1 1 1 2 2 1 3 2 1 4 2 1 5 2 1 6 2 2 8 1 2 7 The preceding example shows Member ID 1 Link 1 is connected to Member ID 2 Link 1 Member ID 2 Link 2 is connected t...

Page 672: ...show vsf topology detail Uni destination Link Path VSF Member ID 1 2 3 4 5 6 7 8 1 1 1 1 1 1 1 1 2 1 2 2 2 2 2 2 3 1 1 2 2 2 2 2 4 1 1 1 2 2 2 2 5 1 1 1 1 2 2 2 6 1 1 1 1 1 2 2 7 2 2 2 2 2 2 2 8 2 2 2 2 2 2 1 In the preceding example the unidestination traffic from Member ID 1 to Member ID 8 egresses through VSF link 1 Member ID 2 to Member ID 8 egresses through VSF link 2 Member ID 3 to Member ID...

Page 673: ...which specific VSF member or link pair witnessed the state transitions Parameters change history Show VSF stack topology changes Example output Switch show vsf topology change history Thu Apr 21 00 06 10 2017 The link between Member 4 Link 2 and Member 3 Link 2 went UP Thu Apr 21 00 06 10 2017 The link between Member 3 Link 2 and Member 4 Link 2 went UP Thu Apr 21 00 06 09 2017 The link between Me...

Page 674: ... Fragment Yes No show vsf vlan mad Syntax show vsf vlan mad Description Shows information for the VSF Multi Active Detection MAD VLAN VLAN MAD Connectivity status full All member VLAN MAD ports are connected to the MAD interconnect device partial Atleast one member VLAN MAD port is connected to the MAD interconnect device none None of the member VLAN MAD ports are connected to the MAD interconnect...

Page 675: ...an be in the range of 1 to 8 Example Switch show vsf trunk designated forwarder member 1 Trunk Designated Forwarders NAME TYPE Forwarding Member Flood Forwarding Member Unicast Trk1 TRK 2 1 2 Trk2 TRK 3 3 4 show cpu Syntax show cpu SECONDS Description Show average CPU utilization Usage show cpu slot SLOT LIST SECONDS show cpu process slot SLOT LIST refresh COUNT Example output switch config show c...

Page 676: ... 1 percent busy 1 min ave 1 percent busy VSF slot 6 a 1 percent busy from 300 sec ago 1 sec ave 1 percent busy 5 sec ave 1 percent busy 1 min ave 1 percent busy VSF slot 7 a 0 percent busy from 300 sec ago 1 sec ave 1 percent busy 5 sec ave 1 percent busy 1 min ave 1 percent busy VSF slot 8 a 0 percent busy from 300 sec ago 1 sec ave 2 percent busy 5 sec ave 1 percent busy 1 min ave 1 percent busy...

Page 677: ...r all VSF members Parameters MEMBER ID The VSF member ID for the member command or parameter Member ID value can be in the range from 1 to 8 Example switch config show system information vsf Show global configured and operational system parameters of the specified VSF members switch config show system information Status and Counters General System Information System Name Aruba VSF 2930F System Con...

Page 678: ...e 35 days CPU Util 0 MAC Addr 98f2b3 bc75c0 Serial Number CN77HKV06B Memory Total 343 482 880 Free 253 575 816 VSF Member 5 ROM Version WC 16 01 0004 Up Time 35 days CPU Util 0 MAC Addr 9cdc71 378c00 Serial Number CN71HKT0BD Memory Total 343 482 880 Free 253 575 816 VSF Member 6 ROM Version WC 16 01 0004 Up Time 35 days CPU Util 0 MAC Addr 941882 429800 Serial Number CN69HL00F4 Memory Total 343 48...

Page 679: ...F member ID for the member command or parameter Member ID value can be in the range of 1 to 8 Example output switch show system information vsf member 1 Status and Counters General System Information System Name Aruba VSF 2930F System Contact System Location MAC Age Time sec 300 Time Zone 0 Daylight Time Rule None Software revision WC 16 06 0000x Base MAC Addr f40343 f8368a VSF Member 1 ROM Versio...

Page 680: ...System Contact System Location MAC Age Time sec 300 Time Zone 0 Daylight Time Rule None Software revision WC 16 06 0000x Base MAC Addr f40343 f8368a VSF Member 3 ROM Version WC 16 01 0004 Up Time 36 days CPU Util 0 MAC Addr f40343 6bff80 Serial Number CN77HKW0FM Memory Total 343 482 880 Free 253 575 664 switch show system information vsf member 4 Status and Counters General System Information Syst...

Page 681: ...on WC 16 01 0004 Up Time 36 days CPU Util 0 MAC Addr 9cdc71 378c00 Serial Number CN71HKT0BD Memory Total 343 482 880 Free 253 575 816 switch show system information vsf member 6 Status and Counters General System Information System Name Aruba VSF 2930F System Contact System Location MAC Age Time sec 300 Time Zone 0 Daylight Time Rule None Software revision WC 16 06 0000x Base MAC Addr f40343 f8368...

Page 682: ...uba VSF 2930F System Contact System Location MAC Age Time sec 300 Time Zone 0 Daylight Time Rule None Software revision WC 16 06 0000x Base MAC Addr f40343 f8368a VSF Member 8 ROM Version WC 16 01 0004 Up Time 36 days CPU Util 0 MAC Addr b05ada 96d620 Serial Number CN65HKW03D Memory Total 343 482 880 Free 253 575 660 show system fans Syntax show system fans vsf member MEMBER ID Description Show sy...

Page 683: ...s Sys 3 Fan OK 0 Chassis 0 3 Fans in Failure State 0 3 Fans have been in Failure State VSF Member 4 Num State Failures Location Sys 1 Fan OK 0 Chassis Sys 2 Fan OK 0 Chassis 0 2 Fans in Failure State 0 2 Fans have been in Failure State VSF Member 5 Num State Failures Location Sys 1 Fan OK 0 Chassis Sys 2 Fan OK 0 Chassis Sys 3 Fan OK 0 Chassis 0 3 Fans in Failure State 0 3 Fans have been in Failur...

Page 684: ...D information for all the VSF members Parameters MEMBER ID The VSF member ID for the member command or parameter Member ID value can be in the range of 1 to 8 Example output switch config show system chassislocate Locator LED Status VSF Current Time Member State Remaining Configuration 1 off 2 off 3 off 4 off 5 off 6 off 7 off 8 off show system power supply Description Show chassis power supply in...

Page 685: ... Powered AC 120V 240V 65 show uptime Syntax show uptime vsf member MEMBER ID Description Display the elapsed time since the last boot of the specified member Parameters MEMBER ID The VSF member ID for the member command or parameter Member ID value can be in the range of 1 to 8 Example output switch config show uptime VSF Virtual Chassis 35d 19h 45m VSF Member 1 35d 19h 45m VSF Member 2 35d 19h 45...

Page 686: ... both Syntax copy fdr log vsf member MEMBER ID all mm active sftp tftp usb xmodem HOST NAME STR IP ADDR IPV6 ADDR FILENAME STR Description Copy FDR logs from the switch to an SFTP TFTP server USB or xmodem terminal Parameters MEMBER ID The VSF member ID for the member command or parameter Member ID value can be in the range from 1 to 8 copy crash log Syntax copy crash log vsf member MEMBER ID SLOT...

Page 687: ...or VSF Parameters MEMBER ID The VSF member ID for the member command or parameter Member ID value can be in the range from 1 to 8 core dump Enable disable core dump for the specified member User can enable disable core dump for interface modules or management module Syntax core dump interfaces management module vsf tftp server member MEMBER ID interfaces management module Description Enable disabl...

Page 688: ...OST NAME STR IP ADDR IPV6 ADDR FILENAME STR Description Copy the switch crash files from the specific VSF member Parameters mm active Copy active management module crash files MEMBER ID The VSF member ID for the member command or parameter Member ID value can be in the range from 1 to 8 SLOT ID RANGE Enter single slot identifier Usage Switch config copy crash files vsf member Switch config copy cr...

Page 689: ...16 06 XXXX on all switches to form a stack of size greater than four members Figure 109 An eight member ring setup 23 24 24 30 30 23 1 2 8 7 25 25 29 29 3 6 26 26 28 28 27 27 4 5 Procedure 1 To form an eight member ring setup as shown do not make the connections initially The ports on each switch are Ethernet ports and connecting as described will create a network loop The ports are connected only...

Page 690: ...nable VSF the REST interface will be disabled This will save the current configuration and reboot the switch Continue y n y b The preceding sequence of commands will configure the member 2 with priority 150 4 Log in to the third and fourth devices configured as members 3 and 4 respectively a Physically connect member 3 with member 2 Enter the following commands on device 3 Switch configure Switch ...

Page 691: ...member 6 Enter the following commands on device 7 Switch configure Switch config vsf member 7 priority 100 Switch config vsf member 7 link 1 30 All configuration on this port has been removed and port is placed in VSF mode Switch config vsf member 7 link 2 29 All configuration on this port has been removed and port is placed in VSF mode To enable VSF the REST interface will be disabled This will s...

Page 692: ...r 7 b05ada 9631e0 Aruba JL254A 2930F 48G 4SFP Switch 100 Member 8 b05ada 96f000 Aruba JL259A 2930F 24G 4SFP Switch 100 Member It indicates an eight member VSF stack with domain ID 5472 The stack topology is a ring and the stack interconnect ports are of 1G speed The user is connected to the console of member 2 NOTE The user can alternatively add a port to a VSF link keeping it in disabled state us...

Page 693: ...en removed and port is placed in VSF mode Switch config vsf member 1 link 2 21 24 All configuration on this port has been removed and port is placed in VSF mode Switch config vsf enable domain 5472 To enable VSF the REST interface will be disabled This will save the current configuration and reboot the switch Continue y n y The above sequence of commands will configure the switch as member 1 which...

Page 694: ...F Port Speed 1G Software Version WC 16 03 0000x Mbr ID MAC Address Model Pri Status 1 b05ada 961100 Aruba JL253A 2930F 24G 4SFP Switch 200 Commander 2 b05ada 9721c0 Aruba JL260A 2930F 48G 4SFP Switch 150 Standby 3 Log in to the third and fourth devices These will be configured as members 3 and 4 respectively Enter the following commands on device 3 Switch configure Switch config vsf member 3 prior...

Page 695: ...ll now be formed with four ports bundled in a single VSF link Switch show vsf VSF Domain ID 5472 MAC Address b05ada 961103 VSF Topology Ring VSF Status Active Uptime 0d 3h 22m VSF MAD None VSF Port Speed 1G Software Version WC 16 03 0000x Mbr ID MAC Address Model Pri Status 1 b05ada 961100 Aruba JL253A 2930F 24G 4SFP Switch 200 Commander 2 b05ada 9721c0 Aruba JL260A 2930F 48G 4SFP Switch 150 Stand...

Page 696: ...ember 1 link 2 23 All configuration on this port has been removed and port is placed in VSF mode Switch config vsf enable domain 3144 To enable VSF the REST interface will be disabled This will save the current configuration and reboot the switch Continue y n y The preceding sequence of commands will configure the switch as member 1 with priority 200 The ports 22 and 23 are configured on VSF links...

Page 697: ... b05ada 972200 Aruba JL254A 2930F 48G 4SFP Switch 128 Member 6 All switches can be now interconnected and powered on 23 23 1 2 22 46 3 With provisioning 1 Do not connect the ports initially Since the ports are Ethernet ports connecting them in a ring topology can cause loops Note down the J number MAC address of each switch The J number is available on the front panel of the switch while the MAC a...

Page 698: ...Provision member 2 Switch configure Switch config vsf member 2 type JL260A mac address b05ada 9721c0 This will save the current configuration Continue y n y Warning The link and port should be provisioned for member 2 to join the VSF stack Switch config vsf member 2 priority 150 Switch config vsf member 2 link 1 2 22 All configuration on this port has been removed and port is placed in VSF mode Sw...

Page 699: ...ed in VSF mode Switch config vsf member 4 type JL259A mac address b05ada 96f080 This will save the current configuration Continue y n y Warning The link and port should be provisioned for member 4 to join the VSF stack Switch config vsf member 4 link 1 4 46 All configuration on this port has been removed and port is placed in VSF mode Switch config vsf member 4 link 2 4 47 All configuration on thi...

Page 700: ...iguration first and reboot This procedure takes between 30 seconds to 1 minute 4 Once switches 2 4 have joined the stack power on switch 3 5 VSF configuration will be pushed to switch 3 It will reboot last and join the stack The final stack configuration will now include all switches Switch show vsf VSF Domain ID 3144 MAC Address b05ada 961103 VSF Topology Ring VSF Status Active Uptime 0d 3h 22m V...

Page 701: ...uration is complete and the interconnections are made the user changes the port speed using the command vsf port speed 10g This triggers a reboot of the stack and once the stack is reformed it uses the configured 10G ports while the 1G ports will be in error state The 1G ports can now be disconnected and unconfigured NOTE In the case of transceiver ports the speed is determined by the bay type An ...

Page 702: ...lays slow flash orange and LED 2 displays solid green color whereas LED 3 displays different colors on page 704 Solid green Solid green Slow flash green MemberFast flash green Commander See LED 1 and LED 2 display solid green whereas LED 3 displays different colors on page 704 Solid green Solid green Slow flash green MemberFast flash green Commander See LED 1 and LED 2 display solid green whereas ...

Page 703: ...ailure has occurred see the LEDs on the device at the other end of the connection Solution 2 Cause A stacking link failure has occurred on a link that was functioning The switch at the other end of the VSF port cable has been powered off The stacking feature is disabled on the switch at the other end of the VSF port cable The cable is faulty Action 1 If this error occurred on an operational stack ...

Page 704: ... original stack LED 1 and LED 2 display solid green whereas LED 3 displays different colors Symptom LED 1 and LED 2 display solid green whereas LED 3 displays slow flash green and fast flash green 1 1 LED 1 is Global Status LED LED 2 is Mode LED Usr and LED 3 is Port LED Cause Merging two stacks that have different stack IDs which were not previously part of the same stack Action 1 Select one of t...

Page 705: ...y rebooting in the middle of locate LED duration After bootup standby indicates Locator if it was indicating before reboot Member rebooting in the middle of locate LED duration After bootup member indicates Locator if it was indicating before reboot Member removed in the middle of locate LED duration After member is removed it boots up as standalone member and does not indicate Locator LED Stack s...

Page 706: ...an split a stack with greater than four members into more than two fragments for example 1 2 3 4 5 6 and 7 8 To restore the stack to its previous state after addressing the issues ensure that not more than two fragments are merged at a time For example merge 1 2 3 4 with 5 6 followed by merging 1 2 3 4 5 6 with 7 8 VSF Use Cases Use Case 1 Multiple Active Detection What is MAD Multiple Active Dete...

Page 707: ...s whether multiple active topology is in place If LLDP MAD is configured and a VSF split occurs one of the VSF members will become inactive which disables the non VSF frontplane ports This ensures that only one of the members will be actively forwarding traffic Figure 112 LLDP MAD LAG Standby Commander Upstream VSF MAD readiness check The MAD assist device must be connected over a LACP trunk inter...

Page 708: ...assigned to the VLAN MAD The default VLAN cannot also be the VLAN MAD GVRP cannot be configured on VLAN MAD member ports Use the interface level unknown vlans command to disable GVRP in ports MVRP cannot be enabled on VLAN MAD member ports VLAN MAD cannot be configured when multicast filter is enabled for MAC address 0x00 0x12 0x79 0x4a 0xd5 and 0x82 LACP enabled port cannot be part of the MAD VLA...

Page 709: ...30F 48G PoE 4SFP Sw 250 Standby 4 b05ada 963860 Aruba JL261A 2930F 24G PoE 4SFP Sw 128 Member Subsequently any switch model under JL253A which is connected to the stack will be assigned member 1 configuration and role Use Case 3 Changing VSF link speed The sequence to change the VSF link speed is as follows Prerequisites VSF requires that all ports in all VSF links in the VSF stack must be of the ...

Page 710: ...rigger a reboot of the whole stack On reboot the stack will form using the ports which match the new VSF port speed Ports which do not match will be kept disabled The output of show vsf link detail after the reboot would be as follows VSF Member 1 Link 1 Port State 1 1 Error Port speed mismatch 1 25 Up Connected to 4 25 VSF Member 1 Link 2 Port State 1 2 Error Port speed mismatch 1 26 Up Connected...

Page 711: ...by adding a switch to increase capacity There will be minimal disruption of switching function during this operation This process is similar to the VSF deployment and can be done in either Manual or Automatic configuration mode NOTE The maximum number of members in a VSF stack is 8 The first step is to convert running stack to chain if it is in ring topology To increase the stack size add a new sw...

Page 712: ...fragment with the commander will always be active In an unequal stack split the fragment with higher number of members will always be active NOTE Any topology change to an active fragment which is in a partial state will result in an undesirable behavior 712 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 713: ...applies predefined configurations to ports on which the Aruba AP is detected You can create port configuration profiles associate them to a device type and enable or disable a device type One of the device types supported is aruba ap and it is used to identify all the Aruba APs When a configured device type is connected on a port the system automatically applies the corresponding port profile Conn...

Page 714: ...mple you can execute no untagged vlan to create a device profile with tagged only ports Parameters name Specifies the name of the profile to be configured The profile names can be at most 32 characters long cos The Class of Service CoS priority for traffic from the device untagged vlan The port is an untagged member of specified VLAN tagged vlan The port is a tagged member of the specified VLANs a...

Page 715: ...profile type From within the configure context Syntax device profile type DEVICE associate PROFILE NAME enable disable Description This command specifies an approved device type in order to configure and attach a profile to it The profile s configuration is applied to any port where a device of this type is connected Approved device types aruba ap Aruba access point device arubaos switch ArubaOS s...

Page 716: ...ile name associated with the device type enable Selects the profile of the device being enabled disable Selects the profile of the device being disabled Usage The command device profile type aruba ap enable enables profile for Aruba AP Device Name is defined the same as Device Identity show device profile Syntax Within the configure context show device profile Description Show device profile confi...

Page 717: ...nfiguration for device profile profile1 untagged vlan 1 tagged vlan None ingress bandwidth 100 egress bandwidth 100 cos None speed duplex auto poe max power Class LLDP poe priority critical allow jumbo frames Disabled allow tunneled node Enabled show command device profile status Syntax show device profile config status Description Displays the device profile configuration or device profile status...

Page 718: ...width 100 cos None speed duplex auto poe max power Class LLDP poe priority critical allow jumbo frames Disabled allow tunneled node Enabled Configuration for device profile test untagged vlan 1 tagged vlan None ingress bandwidth 100 egress bandwidth 100 cos None speed duplex auto poe max power Class LLDP poe priority critical allow jumbo frames Disabled allow tunneled node Enabled Configuration fo...

Page 719: ...w jumbo frames Disabled allow tunneled node Enabled Device Profile Association Device Type aruba ap Profile Name default ap profile Device Status Disabled Device Type aruba switch Profile Name default aos profile Device Status Disabled Device Type scs wan cpe Profile Name default scs profile Device Status Disabled show device profile status Syntax show device profile status Description Shows the p...

Page 720: ...lso be automatically configured using device profiles Since the market for IoT devices is vast with several hundred manufacturers and thousands of devices instead of hardcoding the LLDP signatures Aruba switches provide a way for an administrator to create a device type for the IoT devices in their deployment By associating the custom device type that they create with a device profile users can le...

Page 721: ... show device identity Syntax show device identity Description Specify name of the device to be discovered Command context config Usage device identity name device_name lldp oui mac_oui subtype subtype no device identity name device_name lldp oui mac_oui subtype subtype Example device identity name avayaPhone lldp oui 00096e sub type 1 switch device profile show device identity Device Identity Conf...

Page 722: ...arubaos switch ArubaOS switch Options DEVICE_NAME Defines in device identity associate PROFILE NAME Associated the specified device type by profile name enable Enables the automatic profile association disable Disables the automatic profile association Usage Use the following command to configure a device device identity name DEVICE_NAME lldp oui OUI subtype SUBTYPE Example device p device type av...

Page 723: ...rofile status Syntax show device profile config status Description Displays the device profile configuration or device profile status Options config Show device profile configuration details for a single profile or all profiles status Show currently applied device profiles status show device profile status Switch show device profile status Device Profile Status Port Device type Applied device prof...

Page 724: ...ress The rogue ap isolation command configures the rogue AP isolation for the switch and gives the option to enable or disable the rogue AP isolation feature The rogue ap isolation action command gives you the ability to block the traffic to or from the rogue device or log the MAC of the rogue device When the action is set to block the rogue MAC is logged as well By default the action is set to bl...

Page 725: ...ion whitelist Rogue AP Whitelist Configuration Rogue AP MAC 00 50 56 00 32 6a rogue ap isolation syntax rogue ap isolation enable disable Description Configures the rogue AP isolation for the switch Parameters enable Enables the rogue AP isolation disable Disables the rogue AP isolation rogue ap isolation action syntax rogue ap isolation action log block Description Configures the action to take f...

Page 726: ...ist even if they are reported as rogue devices Parameters MAC ADDRESS Specifies the MAC address of the device to be moved from the rogue AP list to the whitelist Options no Removes the MAC address individually by specifying the MAC Restrictions You can add a maximum of 128 MAC addresses to the whitelist clear rogue ap isolation syntax clear rogue ap isolation MAC ADDRESS all Description Removes th...

Page 727: ... security features such as LMA WMA or 802 1X the MAC is logged but you cannot block it using the rogue ap isolation feature A RMON event is logged to notify the user When a MAC is already configured as an IP received MAC of a VLAN interface the MAC is logged but you cannot block it by using the rogue ap isolation feature A RMON event is logged to notify the user When a MAC is already locked out vi...

Page 728: ...to disable and then back to tx_rx or rx_only Show commands Use the following show commands to view the various configurations and status Command Description show rogue ap isolation Shows the following information The status of the feature enabled or disabled The current action type for the rogue MACs detected The list of MAC addresses detected as rogue and the MAC address of the AP that reported t...

Page 729: ... the device profile will not be applied on such ports Profile Manager and LMA WMA MAC AUTH If either LMA WMA or MAC AUTH is enabled on an interface all the MAC addresses reaching the port must be authenticated If LMA WMA or MAC AUTH is configured on an interface the user can have more granular control and does not need the device profile configuration Therefore the device profile will not be appli...

Page 730: ...globally Once a MAC has been authorized by one of these features it will not be blocked by Rogue AP isolation A RMON will be logged to indicate the failure to block The Rogue AP module will retry to block any such MACs periodically In the event of the MAC no longer being authorized Rogue AP isolation will block the MAC again No RMON is logged to indicate this event Troubleshooting Dynamic configur...

Page 731: ... the various configurations and status Command Description show device profile Shows the device profile configuration and status show device profile config Shows the device profile configuration details for a single profile or all profiles show device profile status Shows currently applied device profiles show run Shows the running configuration Chapter 21 Simplifying Wireless and IoT Deployments ...

Page 732: ...nt network that connects multiple switches It has the added advantage that it can be done from a central location and does not require an individual physical cable from the management station to each switch s console port Table 43 Switch management ports In band Out of band Networked Directly connected Networked Management interface Command line CLI menu Web Command line CLI menu Command line CLI ...

Page 733: ...yes yes4 yes Traceroute yes4 yes yes4 yes 1 N A not applicable 2 Ping and Traceroute do not have explicit servers Ping and Traceroute responses are sent by the host stack For applications that have servers oobm data both options have been added to listen mode There is now a listen keyword in the CLI commands to allow selection of those options Default value is both for all servers Example In a typ...

Page 734: ... each switch at boot time and to control the switches through the console ports as well as through the management ports OOBM Configuration OOBM configuration commands can be issued from the global configuration context config or from a specific OOBM configuration context oobm Entering the OOBM configuration context from the general configuration context Syntax oobm Enters the OOBM context from the...

Page 735: ...h config oobm disable Enabling and disabling the OOBM port The OOBM interface command enables or disables the OOBM interface that is the OOBM port as opposed to the OOBM function From the OOBM context Syntax interface enable disable From the general configuration context Syntax oobm interface enable disable Enables or disables the networked OOBM interface port Examples Switch oobm interface enable...

Page 736: ...ntax no ip address dhcp bootp ip address mask length From the general configuration context Syntax no oobm ip address dhcp bootp ip address mask length Configures an IPv4 address for the switch s OOBM interface You can configure an IPv4 address even when global OOBM is disabled that address will become effective when OOBM is enabled Example Switch oobm ip address 10 1 1 17 24 Configuring an OOBM I...

Page 737: ...v6 default gateway IPV6 ADDR no oobm ipv6 default gateway Description Configures the IPv6 default gateway address for OOBM interfaces The no form of the command deletes the default gateway It is imparative that an IPv6 address is specified when the no form of the command is used Command context config Parameters IPV6 ADDR Specifies the IPv6 address when configuring the OOBM for a specific gateway ...

Page 738: ... is critical for making the communication more efficient For example one router may provide much better performance than another for a destination while choosing a wrong router may result in failure to communicate ipv6 nd ra router preference Syntax ipv6 nd ra router preference low medium high no ipv6 nd ra router preference Description Sets the router preference configuration for communicating de...

Page 739: ... the OOBM context the show ip command displays the IP configuration for the data plane to see the IP configuration of the OOBM interface you need to use show oobm ip Showing the global OOBM and OOBM port configuration Syntax show oobm Summarizes OOBM configuration information This command displays the global OOBM configuration enabled or disabled the OOBM interface status up or down and the port s...

Page 740: ...6 service status for OOBM interfaces Command context operator Example Shows the IPv6 service status for OOBM interfaces switch show oobm ipv6 Internet IPv6 Service for OOBM Interface IPv6 Status Enabled IPv6 Default Gateway 1000 2 Address Intf Member IP Config IP Address Prefix Length Status Status Global manual 1000 1 64 Up Global autoconfig fe80 42a8 f0ff fe9e 901 64 Up show oobm ipv6 for stacke...

Page 741: ...f fe9b a581 64 Active Down 1 manual 1000 1 64 Active Down 2 manual 2000 1 64 Active Up show oobm ipv6 member for stacked switches Syntax show oobm ipv6 member MEMBER ID Description Shows the OOBM IPv6 service detail for a specific member Command context operator Example Shows the OOBM IPv6 service detail for a specific member stack switch show oobm ipv6 member 2 Internet IPv6 Service for OOBM Inte...

Page 742: ...ess Prefix Length Status manual 3 3 3 2 24 preferred manual 3000 2 64 preferred autoconfig fe80 42a8 f0ff fe9b a581 64 preferred Member 1 IPv4 Status Enabled IPv6 Status Enabled IPv4 Default Gateway 2 2 2 1 IPv6 Default Gateway 2000 1 Origin IP Address Prefix Length Status manual 2 2 2 2 24 preferred manual 2000 2 64 preferred Member 2 IPv4 Status Enabled IPv6 Status Enabled IPv4 Default Gateway 1...

Page 743: ...se the no form of the command to prevent the server from running on either interface Examples Telnet no telnet server SSH no ip ssh SNMP no snmp server TFTP no tftp server HTTP no web management The show servers command shows the listen mode of the servers Switch show servers Server listen mode Server Listen mode Telnet both Ssh both Tftp both Web management both Snmp both Application client comma...

Page 744: ...address oobm DNS no ip dns server address priority priority ip address oobm Syslog no logging ip address control descr oobm Ping ping source ip address vlan id oobm Traceroute traceroute source ip address vlan id oobm Management and Configuration Guide Example Figure 114 Example data center on page 745 shows setup and use of network OOBM using the commands described above 744 Aruba 2930F 2930M Man...

Page 745: ...nd Exit back to manager context Switch 41 show oobm Look at default OOBM configuration Global Configuration OOBM Enabled Yes OOBM Port Type 10 100TX OOBM Interface Status Up Defaults look appropriate OOBM Port Enabled OOBM Port Speed Auto Switch 41 config Switch 41 config oobm Go to OOBM context and Switch 41 oobm ip address 10 255 255 41 24 add IP address and Switch 41 oobm ip default gateway 10 ...

Page 746: ... Packard Enterprise My Networking website www hpe com networking support Hewlett Packard Enterprise My Networking Portal www hpe com networking mynetworking Hewlett Packard Enterprise Networking Warranty www hpe com networking warranty General websites Hewlett Packard Enterprise Information Library www hpe com info EIL For additional websites see Support and other resources Chapter 23 Websites 746...

Page 747: ...e products provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates Hewlett Packard Enterprise Support Center www hpe com support hpesc Hewlett Packard Enterprise Support Center Software downloads www hpe com support downloads Software Depot www hpe com support s...

Page 748: ... level Hewlett Packard Enterprise strongly recommends that you register your device for remote support If your product includes additional remote support details use search to locate that information Remote support and Proactive Care information HPE Get Connected www hpe com services getconnected HPE Proactive Care services www hpe com services proactivecare HPE Proactive Care service Supported pr...

Page 749: ...ach For Hewlett Packard Enterprise product environmental and safety information and compliance data including RoHS and REACH see www hpe com info ecodata For Hewlett Packard Enterprise environmental information including company programs product recycling and energy efficiency see www hpe com info environment Documentation feedback Hewlett Packard Enterprise is committed to providing documentation...

Page 750: ...ssion of LACP MAD frames or participate in any MAD decision making process These devices forward LACP MAD TLVs received on one interface to the other interfaces on the trunk LACP MAD passthrough can be enabled for 24 LACP trunks By default LACP MAD passthrough is disabled NOTE This Appendix is applicable only if the customer is using a hybrid deployment of Comware and ArubaOS Switches LACP MAD Pas...

Page 751: ...hrough counters PORT LIST Description Show LACP MAD passthrough configuration on LACP trunks or show LACP MAD passthough counters on ports Parameters counters Display the various counters related to LACP ports local Display the various local information related to LACP ports peer Display the LACP peer port information distributed Show distributed LACP information mad passthrough Display the variou...

Page 752: ...te for resources TR 069 defines the CPE WAN Management Protocol CWMP protocol necessary to remotely manage end user devices ACS provides automatic configuration for these devices NOTE CWMP is automatically enabled To conserve resources reconfigure this setting using the cwmp disable command TR 069 defines an auto configuration architecture which provides the following primary capabilities Auto con...

Page 753: ...le for WAN management across internet TR 069 is suitable for zero touch configuration The zero configuration mechanism is defined in the TR 069 specification TR 069 is suitable for large scale device management TR 069 support distributed architecture The ACS can be distributed to multiple servers each ACS can manage part of devices Zero touch configuration process Auto configuration or zero touch ...

Page 754: ...up and running configurations Run CPE ping diagnostics Reset CPE to factory default Get periodic Status several parameters can be retrieved depending on what is supported Since TR 069 uses HTTP it can be used across a WAN If the CPE can reach the URL it can be managed TR 069 is mostly a push protocol where the client periodically sends information without server requests This allows for greater sc...

Page 755: ...onfiguration for all CPEs in BIMS 2 CPEs get BIMS parameters from DHCP server 3 CPEs initiate a connection to BIMS then BIMS deploys the pre configuration to CPEs Zero touch configuration for Branch networks In this example the following steps to configure CPEs for a Branch network environment Appendix B Remote Device Deployment TR 069 755 ...

Page 756: ...nd deployed by BIMS 3 The IPSec VPN tunnel is automatically created 4 The device in the branch private network can DHCP relay to HQ to continue the zero touch configuration Zero touch configuration setup and execution 1 DHCP configuration 2 BIMS configuration 3 Execution CLI commands 756 Aruba 2930F 2930M Management and Configuration Guide for ArubaOS Switch 16 08 ...

Page 757: ...and enable Enable the CPE WAN Management Protocol Syntax no cwmp acs Configure Auto Configuration Server ACS access cpe Configure Customer Premises Equipment CPE access enable Enable the CPE WAN Management Protocol ACS password configuration Syntax cwmp acs password Configure the password used for authentication when the switch connects to the ACS url Configure the URL of the ACS username Configur...

Page 758: ...o the ACS Encrypt credential on cwmp acs password encrypted key ASCII STR Enter an ASCII string maximum length 384 characters Plaintext password cwmp acs password plaintext PASSWORD STR A plaintext password used for ACS authentication maximum length 256 characters ACS URL configuration Syntax cwmp acs url URL STR The URL of the ACS maximum length 256 characters ACS username configuration Syntax cw...

Page 759: ...edentials command plaintext Configure the password used for authentication when the ACS connects to the switch Syntax cwmp cpe password encrypted key ASCII STR Enter an ASCII string maximum length 384 characters When encrypt credentials is off Syntax cwmp cpe password plaintext Configure the password used for authentication when the ACS connects to the switch Syntax cwmp cpe PASSWORD STR A plainte...

Page 760: ...uration CWMP Configuration CWMP Status Enabled ACS URL http 16 93 62 32 9090 ACS Username bims Inform Enable Status Enabled Inform Interval 60 Inform Time 2014 04 08T06 00 00 Reconnection Timeout 30 CWMP status CWMP Status CWMP Status Enabled ACS URL http 16 93 62 32 9090 ACS URL Origin Config ACS Username bims Connection Status Disconnected Data Transfer Status None Last ACS Connection Time Wed A...

Page 761: ...ompleted with error INFORM to http 15 29 20 50 9090 from 10 0 10 212 completed successfully RMON_TR69_AUTH_FAILED Authentication on ACS http 15 29 20 50 9090 failed RMON_TR69_CONN_FAILED Connection attempts with ACS http 15 29 20 50 9090 from 10 0 10 212 failed To avoid flooding the system log on frequent attempts to connect with the ACS the following criteria are used with both successful and fai...

Page 762: ...3 08 06 13 04190 http Upload of SourceFile to http 10 0 11 240 9876 path failed errno 1 W 11 19 13 08 06 13 04190 http Download of http 10 0 11 240 9876 path to DestinationFile failed errno 13 W 11 19 13 08 06 13 04190 http Download of http 10 0 11 240 9876 path to DestinationFile failed errno 1 W 11 19 13 08 06 13 04190 http Download of http 10 0 11 240 9876 path to DestinationFile failed errno 1...

Page 763: ...er status None Time of last successful connection Thu Feb 20 01 16 59 2014 Interval upon to next connection Null show cwmp configuration CWMP is Enabled ACS URL https 16 93 62 32 9443 ACS Username bims Inform Enable Status Disabled Inform Interval 3559 Inform Time Reconnection times 30 no dhcp tr69 acs url Prevents using any ACS information from DHCP Appendix B Remote Device Deployment TR 069 763 ...

Page 764: ...heduler Spanning Tree STP RSTP MSTP RPVST Authorized IP Managers VLANs Authorized Manager List Web SSH TFTP 802 1Q VLAN Tagging Auto MDIX Configuration 802 1X Port Based Priority DHCP Configuration 802 1X Multiple Authenticated Clients Per Port Flow Control 802 3x IGMP Friendly Port Names LACP Trunk Guaranteed Minimum Bandwidth GMB MAC Lockdown IP Addressing MAC based Authentication IP Routing MAC...

Page 765: ...UI Inactivity Timer Per port Tunneled node Control Plane Protection Zero touch provisioning DHCP Activate Egress ACLs ClearPass support Device profile switch auto configuration HTTP redirection Captive portal Device profile Auto configuration with Aruba AP detection Device profile LLDP Authentication Bypass with AP Tunneled Node enhancement fallback to switching RADIUS Port Speed VSA Rogue AP isol...

Page 766: ... been increased from three to five When the firmware is downgraded to lower versions the show config files command displays the details to only three configuration files Restore is allowed based on the available system resource factors Blocking of configuration from other sessions All write operations are not allowed from other sessions CLI WebUI SNMP REST and so on during a configuration restorat...

Page 767: ...port Syntax show interface PORT LIST smartrate Displays port diagnostics on a Smart Rate port Unlinked Smart Rate port show interface C5 smartrate Status and Counters Smart Rate information for Port C5 Model 0x03a1 Chip 0xb4b3 Firmware major 0x0002 Firmware minor 0x0003 Firmware candidate 0x0005 Firmware provision 0x0001 Chan1 Chan2 Chan3 Chan4 in db Current SNR 9 000000 6 700000 3 500000 9 200000...

Page 768: ...lished link speed 1000Mbps Number of attempts to establish link 5 Uptime since link was last established ms 5099 Local port advertised speeds 1000Mbps 2500Mbps 5000Mbps 10Gbps No No No No Link partner speed capability 1000Mbps 2500Mbps 5000Mbps 10Gbps Yes Yes Yes Yes Link Partner matching vendor Yes Rate Limiting GMB features when Fast Connect SmartRate ports are configured When Rate Limiting or G...

Page 769: ...otiate link parameters auto 1000 1000 Mbps only auto negotiate link parameters auto 2500 2500 Mbps only auto negotiate link parameters auto 5000 5000 Mbps only auto negotiate link parameters auto 2500 5000 2500 or 5000 Mbps only auto negotiate link parameters auto 10g 10 Gbps only auto negotiate link parameters Limitations on 5Gbps ports For 5Gbps ports when the customer has Rate Limiting or Guara...

Page 770: ...Rate ports can operate on 100Mbps speed NOTE If MACsec is configured on a port we cannot configure speed duplex as auto 100 for that particular port and conversely 100Mbps is supported on auto speed duplex mode by default 100 Mbps support on Smart Rate ports is available for 5400R 3810M and 2930M interface speed duplex auto 100 Syntax interface PORT speed duplex auto 100 Description Configures spe...

Page 771: ...e link was established 30 seconds Local Port advertised capabilities 100MBT 1 0GBT 2 5G NBT 5 0G NBT 2 5GBT 5 0GBT 10GBT Yes No No No No No No Link Partner advertised capabilities 100MBT 1 0GBT 2 5G NBT 5 0G NBT 2 5GBT 5 0GBT 10GBT Yes Yes Yes Yes No No Yes switch config show interface A2 smartrate Status and Counters Smart Rate information for Port A2 Model 0x03a1 Chip 0xb582 Firmware 3 3 e Provi...

Page 772: ...art of the show running config output Example switch config show running config Running configuration JL320A Configuration Editor Created on release WC 16 06 0000x Ver 13 03 f8 1c 9b 3f bf bb ef 7c 59 fc 6b fb 9f fc ff ff 37 ef 49 module 1 type jl320a flexible module A type JL081A interface A1 speed duplex auto 100 exit Downgrade with CLI reboot command Procedure 1 If the Smart Rate port speed con...

Page 773: ...mmand power cycle Procedure 1 Reboot with auto 100 mode configuration on Smart Rate port the following events occur a The speed duplex status is shown blank when you execute the show interface brief command b The port status is displayed as down 2 Save the configuration and again reboot The preconfigured auto 100 restores the Smart Rate port to auto mode thus restoring its functionality Appendix D...

Page 774: ... Host Configuration Protocol DoS Denial of Service EWA Enhanced Web Authentication IP Internet Protocol HA High Availability HMAC SHA1 Hash based Message Authentication Code used with the SHA 1 cryptographic hash function HTTP Hypertext Transfer Protocol HTTPS Secure Hypertext Transfer Protocol ID Identifier IP Internet Protocol Table Continued Appendix E Glossary 774 Aruba 2930F 2930M Management ...

Page 775: ... LAN Local Area Network MAC Media Access Control MAFR MAC Authentication Failure Redirect MAS Management Interface Specification NMS Network Management System PVOS ArubaOS Switch Operating System RADIUS Remote Authentication Dial In User Service SNMP Simple Network Management Protocol VLAN Virtual Local Area Network VSA Vendor Specific Attribute ZTP Zero Touch Provisioning Appendix E Glossary 775 ...

Reviews:

No comments

Related manuals for Aruba 2930F Series

Brand: GAIM Pages: 2

Brand: Daxten Pages: 7

Brand: tbs electronics Pages: 2

Brand: D-Link Pages: 17

Brand: Accton Technology Pages: 10

Brand: Lancom Pages: 23

Brand: Extron electronics Pages: 137

FlexFabric 5940 Series

Brand: Hewlett Packard Enterprise Pages: 123

Brand: 3onedata Pages: 4

Brand: Sunix Pages: 55

Brand: Black Box Pages: 4

Brand: Minicom DX Pages: 36

Brand: Versitron Pages: 46

Brand: axing Pages: 4

Brand: AV Link Pages: 2

Brand: Exsys Pages: 16

Spectrum 2E42-27

Brand: Cabletron Systems Pages: 77

Brand: Gigabyte Pages: 10

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands