Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

aruba 2920

Customer has 2 plant offices

In Plant 1 office:

- using 30m red tone internet

- HP OfficeConnect 1910

- firewall ip address


In Plant 2 office:

- Aruba 2920-24G


Switch settings are as below

; J9726A Configuration Editor; Created on release #WB.16.02.0012
; Ver #0e:01.b0.ee.34.5f.3c.29.eb.9f.fc.f3.ff.37.ef:73

hostname "MYPCSBCSW001-DATA"
module 1 type j9726a
aruba-central disable
no rest-interface
timesync ntp
ntp unicast
ntp server iburst
ntp enable
time timezone 480
ip default-gateway
ip route
ip routing
snmp-server community "public" unrestricted
ip address dhcp-bootp
vlan 1
no untagged 1-24
ip address dhcp-bootp
vlan 2
name "VLAN2"
untagged 3-19,24
tagged 1-2,21-23
ip address
vlan 10
tagged 1-2,20-23
ip address
vlan 12
name "EndPoints"
tagged 1-2,20-23
ip address
ip address
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
dhcp-server pool "EndPoints"
default-router ""
dns-server ""
lease 00:04:00
dhcp-server enable
password manager


Question is

- Now the plant 2 office wants to install a new firewall with a new internet line and wants it to be the primary line. He wants the previous line to remain as backup; if the new line is down, he will turn off the firewall and switch over to the old internet line.

- Firewall ip is


So I added

ip route

vlan 5
untagged 23 -> this port connects to the new firewall
ip address


The problem is, when I try to ping I receive a reply, but when I ping to it does not respond. What's wrong with my settings?


Occasional Contributor I

Re: aruba 2920

I usually wouldn't entertain these types of posts, but curiosity is getting the better of me. This is how I go about diagnosing every issue, whether believed to be networking or application, and every layer in between. I base my thought process on the 7 layer OSI model. Starting from layer 1 and ending up at 7. Do not skip any steps and don't just say you did a step as someone will find out.


I live by two rules before I even start to diagnose any issue. (a) can I predictably repeat the problem that I am seeing? and (b) do not make any changes until I am confident this change fixes the issue or helps clarify point (a).


Then the diagnosis. We need to ask ourselves questions: 


Firstly, are we confident Layer 1 is working

Is it plugged in? Do we have link lights? If a link is fibre, do we have light coming out of one of the fibres? Is it the right strand of fibre? Is it terminated on the correct patch panel port? What does the switch think about the port(s)? Type the command show interface status. Is the "link status" or link state showing up and the port enabled?


Are we confident Layer 2 is working

Are we learning MAC addresses on the correct ports? Type the show mac-address command. Is the layer 2 VLAN created on the switch? Is that port in the correct VLAN? Are the source and destination MAC in the same VLAN? Are they supposed to be in the same VLAN? Is the MAC flapping between multiple ports? Is the port showing any packets or frames? Are the packets all in one direction (TX or RX counters)?


Are we confident Layer 3 is working

Does the Layer 3 device have the right MAC lined up to the right IP Address? Is it the same MAC above? Command: show ip arp and show ip route. Does the show ip route point the IP in the correct direction / or attached to the right VLAN that you checked in Layer 2? Is the route learnt the expected way (Static/Connected/OSPF/BGP/etc.)?


And so on we go... As you said, pinging the IP address of the firewall is not possible; that's a Layer 3 problem, which means any layer below this symptom could be the cause. If you find that it's a layer 2 problem, like the switch is not learning the MAC address on that port, then it's a Layer 2 or Layer 1 problem. From here we can eliminate each layer from the equation.


There are tools and questions we need to ask of every layer in the model. One last example is in Layer 4 we can use CLI and Telnet to check if the TCP port we need is open and establishing connections (4 way handshakes for example). It's very easy to say an application is running slow, but working through the layers systematically will expose the root of the issue. Our aim in this method is to identify the issue as low as possible or to prove (and be confident) that the issue is not in our layer of responsibility as network engineers.



Even after all those rules and suggestions, my random guess is the firewall probably isn't responding to ping/ICMP by default/design. Your symptom doesn't sound suspicious to me at all. You might actually find that you don't have a problem at all :) 





Contributor I

Re: aruba 2920



You simply cannot have configured these three commands at the same time on the switch:


  ip default-gateway
  ip route
  ip routing


If you want to maintain the switch using only L2, erase


  ip route
  ip routing


But if you want to add L3 routes, erase


  ip default-gateway




If it helps please add Kudos
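
An added example, not part of any post in this thread and not Aruba tooling: an offline check over a saved running-config that reports the ip default-gateway / ip routing combination raised in the reply above, the snmp-server community "public" unrestricted line from the posted config, and the VLAN membership of each port (useful for confirming where port 23 sits). The sample config and its 192.0.2.x addresses are constructed, and audit and expand are hypothetical names.

```python
import re

# Constructed sample in the shape of the config posted above; the addresses
# are documentation-range placeholders (the thread's own values are elided).
SAMPLE = '''\
hostname "EXAMPLE-SW"
ip default-gateway 192.0.2.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip routing
snmp-server community "public" unrestricted
vlan 2
   untagged 3-19,24
   tagged 1-2,21-23
vlan 5
   untagged 23
'''

def expand(spec):
    """Expand a numeric port list such as '1-2,21-23' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config):
    """Return (findings, {port: [(vlan, mode), ...]}) for a running-config."""
    lines = [l.strip() for l in config.splitlines()]
    findings, membership, vlan = [], {}, None
    for line in lines:
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))          # entering a VLAN context
        elif vlan and (m := re.fullmatch(r"(untagged|tagged) ([\d,\-]+)", line)):
            for p in expand(m.group(2)):    # "no untagged ..." is not matched
                membership.setdefault(p, []).append((vlan, m.group(1)))
        elif m := re.fullmatch(r'snmp-server community "([^"]+)" unrestricted', line):
            # "unrestricted" grants read-write SNMP access on ArubaOS-Switch
            findings.append(f"SNMP community {m.group(1)!r} has write access")
    # The combination the reply above points at
    if any(l.startswith("ip default-gateway") for l in lines) and "ip routing" in lines:
        findings.append("ip default-gateway set while ip routing is enabled")
    return findings, membership

if __name__ == "__main__":
    print(audit(SAMPLE))
```
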