Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Startup Wizard

  • 1.  Startup Wizard

    Posted Apr 09, 2014 02:29 PM

    I'm trying to set up an Aruba S3500 mobility switch - I invoke Quick setup and supply the basic config:

     

    Management
    VLAN: 1
    Upstream Ports : GE-0/0/0
    IP address assignment: Static
    IP Address : 172.16.252.50
    Net Mask : 255.255.252.0
    Default Gateway : 172.16.252.1

     

    But after the config is successfully pushed, I can't ping 172.16.252.50, SSH to it, etc.

     

    Sniffing the wire I see a lot of STP packets and an occasional gratuitous ARP for the tunneled IP of the Aruba controller (specified in the Startup Wizard). But the Aruba mobility switch doesn't appear to respond to an ARP of its IP address.

     

    Feel like I'm missing something obvious here



  • 2.  RE: Startup Wizard

    EMPLOYEE
    Posted Apr 09, 2014 02:32 PM

    What port is your client connected to?  Can you do a show trunk command and see if the port (VLAN tagging perspective) is matched to the "uplink" port - 0/0/0 in the physical topology?  I.e., are the inter-switch links configured similarly?



  • 3.  RE: Startup Wizard

    Posted Apr 09, 2014 02:37 PM

    I have a laptop connected to 0/0/0 - nothing else. I've tried other ports not assigned to the management vlan - I've also tried adding multiple ports to the management vlan. Is the management vlan port tagged? I've been assuming it's untagged



  • 4.  RE: Startup Wizard

    EMPLOYEE
    Posted Apr 09, 2014 02:38 PM

    I haven't run through the startup wizard in a while...can you please post your config?



  • 5.  RE: Startup Wizard

    Posted Apr 09, 2014 03:15 PM

    I just factory-defaulted and invoked the GUI startup wizard - slight changes from my original post but not much different (see below)

     

    I statically assign the laptop connected to 0/0/0:

     

     IPv4 Address. . . . . . . . . . . : 172.16.252.49
     Subnet Mask . . . . . . . . . . . : 255.255.252.0
     Default Gateway . . . . . . . . . : 172.16.252.1

     

    I see an ARP broadcast targeting 172.16.252.50 but no response.

     

    The Aruba S3500 Startup Wizard config:

     

    • Basic Info
    Name: ArubaS3500-48P-US
    Country Code: US
    Tunneled Server IP Address: 172.16.0.254
    Date: 2014 Apr 09
    Time: 15 2 42(hr min sec)
    TimeZone: GMT -05:00 EST
     
    • Management
    VLAN: 6
    Upstream Ports : GE-0/0/0
    IP address assignment: Static
    IP Address : 172.16.252.50
    Net Mask : 255.255.252.0
    Default Gateway : 172.16.252.1


  • 6.  RE: Startup Wizard

    EMPLOYEE
    Posted Apr 09, 2014 03:17 PM

    Can you send the output of show run....



  • 7.  RE: Startup Wizard

    Posted Apr 09, 2014 03:30 PM

    Perhaps you can suggest a way but I'm at a loss since I can't SSH into it - I've tried assigning an IP address to the out-of-band management port but the same thing - no L3 connectivity. I have SSH into the switch - but only after invoking the startup wizard and pointing putty to 172.16.0.254 (the IP address the switch assigns itself to serve DHCP and the GUI startup wizard). I'm assuming this wipes the running config - but maybe not?



  • 8.  RE: Startup Wizard

    EMPLOYEE
    Posted Apr 09, 2014 03:37 PM

    Ah...I see.  I was thinking you had a local console connected.  Try the following:

     

    Go through the setup wizard but do NOT choose a management VLAN and do NOT select an Uplink port.  Leave those as blank/default.



  • 9.  RE: Startup Wizard

    Posted Apr 09, 2014 04:16 PM

    Will do first thing tomorrow and post results - thanks for your assistance with this!



  • 10.  RE: Startup Wizard

    Posted Apr 10, 2014 08:55 AM

    Just to update everyone, I tried Seth's suggestion of leaving the vlan assignment/upstream ports as blank/default. Same result - the switch doesn't respond to an all-F's broadcast ARP for its IP address (see config below)

     

    To answer cjenson, I have tried assigning an IP address to the out-of-band management interface - same result, can't ping, etc

     

    To Vinay, I totally see what you're saying. An assigned vlan on an upstream port is going to be tagged whereas the native vlan is going to ride untagged (and as your config indicates the native vlan actually rides both tagged and untagged). But... I did try just leaving the vlan as 1 (see my first post) - and got the same result. Still I think I'll give it another try and leave it as 1 and see if it works. After that I'm going to get a driver for my laptop's nic that will tag my traffic and see how that goes - or just connect it to another switch's tagged port.

     

     

    • Basic Info
    Name: ArubaS3500-48P-US
    Country Code: US
    Tunneled Server IP Address: 172.16.0.254
    Date: 2014 Apr 10
    Time: 8 28 11(hr min sec)
    TimeZone: GMT -04:00 EST
     
    • Management
    VLAN: 1
    No Upstream ports are selected.
    IP address assignment: Static
    IP Address : 172.16.252.50
    Net Mask : 255.255.252.0
    Default Gateway : 172.16.252.1
    Out of band management interface:
    IP Address : 172.16.252.49
    Net Mask : 255.255.252.0


  • 11.  RE: Startup Wizard

    EMPLOYEE
    Posted Apr 10, 2014 09:01 AM

    I see a value for Tunneled server IP.  Can you please leave that blank?

     

    One more thing - the mgmt interface and VLAN 1 cannot be in the same network.



  • 12.  RE: Startup Wizard

    Posted Apr 10, 2014 12:37 PM

    Ok, I factory defaulted the switch, invoked Quick Setup and applied the following per Seth's suggestion (before his most recent post advising the mgmt int not be in the same subnet) with no value for tunneled IP:

    Management
    VLAN: 1
    No Upstream ports are selected.
    IP address assignment: Static
    IP Address : 172.16.252.50
    Net Mask : 255.255.252.0
    Default Gateway : 172.16.252.1
    Out of band management interface:
    IP Address : 172.16.252.49
    Net Mask : 255.255.252.0

    No luck - so I tried again, after another factory default+invoked-quick-setup I put 0/0/0 in vlan 1 (contrary to Seth's suggestion) hoping that without a tunneled IP and vlan 1 being untagged, I'd get a ping echo.

    Management
    VLAN: 1
    Upstream Ports : GE-0/0/0
    IP address assignment: Static
    IP Address : 172.16.252.50
    Net Mask : 255.255.252.0
    Default Gateway : 172.16.252.1
    Out of band management interface:
    IP Address : 172.16.252.49
    Net Mask : 255.255.252.0

    Still no luck - but I notice on the wire the switch was sending out occasional ARP for the tunneled IP...


    194    49.874703000    ArubaNet_12:f2:c0    Broadcast    ARP    60    Gratuitous ARP for 172.16.0.254 (Request)

    Which was strange since I assumed a factory default would remove any running or start config, so..

    I erased the config from the LED screen, rebooted and I think I'm good now since the switch is sending out DHCP discover broadcasts. So I invoke quick setup and apply:

    VLAN: 1
    Upstream Ports : GE-0/0/0
    IP address assignment: Static
    IP Address : 172.16.252.50
    Net Mask : 255.255.252.0
    Default Gateway : 172.16.252.1

    While trying to ping 172.16.252.50 I see (even after I erased the config):

    1474    468.715089000    ArubaNet_12:f2:c0    Broadcast    ARP    60    Gratuitous ARP for 172.16.0.254 (Request)

    I think somehow the tunneled IP is persisting even when factory defaulted or erase config... so, I factory default again and invoke quick setup so that I can SSH into 172.16.0.254 to have a look (see sh run below)

    But maybe I'm barking up the wrong tree - my Aruba controller happens to have the same IP as the IP address the mobility switch uses for Quick setup. Perhaps the gratuitous ARP is just to make sure it's not on a subnet where that would present a problem?

    I'm going to factory default the switch again and run quick setup from the CLI - see next post... sorry for the long post, just thinking out loud

    Here's sh run:

    login as: admin
    admin@172.16.0.254's password:


    (ArubaS3500-48P-US) >en
    Password:******
    Quick-setup helps in setting the basic configuration of the system

    Autoconfiguration of system will be stopped, if Quick-setup is launched by user

    Quick-setup already running on web-ui

    Quick-setup dialog can be launched by executing "quick-setup" command in enable mode

    (ArubaS3500-48P-US) #show run
    Building Configuration...

    #
    # Configuration file for ArubaOS
    version 7.1
    enable secret "******"
    clock timezone PST -8
    location "Building1.floor1"
    controller config 1
    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
    ip access-list eth validuserethacl
      permit any
    !
    netservice svc-https tcp 443
    netservice svc-dhcp udp 67 68
    netservice svc-telnet tcp 23
    netservice svc-sip-tcp tcp 5060
    netservice svc-kerberos udp 88
    netservice svc-tftp udp 69
    netservice svc-dns udp 53
    netservice svc-h323-udp udp 1718 1719
    netservice svc-h323-tcp tcp 1720
    netservice svc-vocera udp 5002
    netservice svc-http tcp 80
    netservice svc-sip-udp udp 5060
    netservice svc-natt udp 4500
    netservice svc-ftp tcp 21
    netservice svc-smtp tcp 25
    netservice svc-sips tcp 5061
    netservice svc-ntp udp 123
    netservice svc-icmp 1
    netservice svc-ssh tcp 22
    netexthdr default
    !
    ip access-list stateless dhcp-acl-stateless
      any any svc-dhcp  permit
    !
    ip access-list stateless validuser
      network 169.254.0.0 255.255.0.0 any any  deny
      any any any  permit
    !
    ip access-list stateless https-acl-stateless
      any any svc-https  permit
    !
    ip access-list stateless dns-acl-stateless
      any any svc-dns  permit
    !
    ip access-list stateless logon-control-stateless
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
    !
    ip access-list stateless icmp-acl-stateless
      any any svc-icmp  permit
    !
    ip access-list stateless allowall-stateless
      any any any  permit
    !
    ip access-list stateless http-acl-stateless
      any any svc-http  permit
    !
    user-role ap-role
    !
    user-role denyall
    !
    user-role guest-logon
    !
    user-role guest
     access-list stateless http-acl-stateless
     access-list stateless https-acl-stateless
     access-list stateless dhcp-acl-stateless
     access-list stateless icmp-acl-stateless
     access-list stateless dns-acl-stateless
    !
    user-role stateful-dot1x
    !
    user-role authenticated
     access-list stateless allowall-stateless
    !
    user-role logon
     access-list stateless logon-control-stateless
    !
    !


    snmp-server view ALL oid-tree iso included
    snmp-server group ALLPRIV v1 read ALL notify ALL
    snmp-server group ALLPRIV v2c read ALL notify ALL
    snmp-server group ALLPRIV v3 noauth read ALL notify ALL
    snmp-server group AUTHPRIV v3 priv read ALL notify ALL
    snmp-server group AUTHNOPRIV v3 auth read ALL notify ALL

    ssh mgmt-auth username/password
    mgmt-user admin root f10719e301564b835db7899eeca00a1e3706e42e13761424e2



    packet-capture-defaults tcp disable udp disable sysmsg disable other disable
    !
    ip domain lookup
    !
    country US
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
    !
    aaa server-group "default"
     auth-server Internal
     set role condition role value-of
    !
    aaa profile "default"
    !
    aaa authentication mgmt
    !
    aaa authentication wired
    !
    web-server
    !
    aaa password-policy mgmt
    !
    traceoptions
    !
    service dhcp
    !
    qos-profile "default"
    !
    policer-profile "default"
    !
    ip-profile
    !
    lcd-menu
    !
    interface-profile ospf-profile "default"
       area 0.0.0.0
    !
    interface-profile pim-profile "default"
    !
    interface-profile igmp-profile "default"
    !
    stack-profile
    !
    ipv6-profile
    !
    interface-profile switching-profile "default"
    !
    interface-profile poe-profile "default"
    !
    interface-profile poe-profile "poe-factory-initial"
       enable
    !
    interface-profile enet-link-profile "default"
    !
    interface-profile lldp-profile "default"
    !
    interface-profile lldp-profile "lldp-factory-initial"
       lldp transmit
       lldp receive
       med enable
    !
    interface-profile mstp-profile "default"
    !
    interface-profile pvst-port-profile "default"
    !
    vlan-profile mld-snooping-profile "default"
    !
    vlan-profile igmp-snooping-profile "default"
    !
    vlan-profile igmp-snooping-profile "igmp-snooping-factory-initial"
    !
    spanning-tree
       mode mstp
    !
    mstp
    !
    lacp
    !
    vlan "1"
       igmp-snooping-profile "igmp-snooping-factory-initial"
    !
    interface vlan "1"
       ip address 172.16.0.254 netmask 255.255.255.0
    !
    interface mgmt
    !
    interface-group gigabitethernet "default"
       apply-to ALL
       lldp-profile "lldp-factory-initial"
       poe-profile "poe-factory-initial"
    !

    snmp-server enable trap
    end

    (ArubaS3500-48P-US) #





  • 13.  RE: Startup Wizard
    Best Answer

    Posted Apr 10, 2014 12:39 PM

    So another factory default, reboot, and invoke quick setup...

    I SSH into the switch and then via the GUI apply:

    VLAN: 1
    No Upstream ports are selected.
    IP address assignment: Static
    IP Address : 172.16.252.50
    Net Mask : 255.255.252.0
    Default Gateway : 172.16.252.1

    After successfully pushing the config, sh run is below. Note that vlan 1 is still 172.16.0.254 - my SSH session is still up even though I've pushed a new IP to VLAN 1 via the GUI.

    So I configure via the CLI
     
    (ArubaS3500-48P-US) #
    (ArubaS3500-48P-US) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z

    (ArubaS3500-48P-US) (config) #interface vlan 1
    (ArubaS3500-48P-US) (vlan "1") #ip address 172.16.252.50 ?
    <mask>                  A.B.C.D format
    netmask                 Network mask

    (ArubaS3500-48P-US) (vlan "1") #ip address 172.16.252.50 255.255.252.0

    And now I can ping!

    C:\Users\ak74>ping 172.16.252.50

    Pinging 172.16.252.50 with 32 bytes of data:
    Reply from 172.16.252.50: bytes=32 time=17ms TTL=64
    Reply from 172.16.252.50: bytes=32 time=1ms TTL=64
    Reply from 172.16.252.50: bytes=32 time=1ms TTL=64
    Reply from 172.16.252.50: bytes=32 time=1ms TTL=64

    Ping statistics for 172.16.252.50:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 17ms, Average = 5ms



    So... I'm guessing the switch was just ARPing 172.16.0.254 in case there was a node with that address - presumably quick-setup would choose another IP in case of a response.

    Also, I don't think the quick-setup GUI is working the way it should - the VLAN IP address doesn't appear to apply to the running config even after:

    "Configuration is successfully pushed to your mobility access switch.

    Please point your browser to https://172.16.252.50 to access the WebUI."

    Maybe a bug? At any rate, I think I'm all set to demo this switch so I'm good to go. I really appreciate all the suggestions and advice - I think it just wasn't working as expected.



    (ArubaS3500-48P-US) #show run
    Building Configuration...

    #
    # Configuration file for ArubaOS
    version 7.1
    enable secret "******"
    clock timezone PST -8
    location "Building1.floor1"
    controller config 1
    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
    ip access-list eth validuserethacl
      permit any
    !
    netservice svc-https tcp 443
    netservice svc-dhcp udp 67 68
    netservice svc-telnet tcp 23
    netservice svc-sip-tcp tcp 5060
    netservice svc-kerberos udp 88
    netservice svc-tftp udp 69
    netservice svc-dns udp 53
    netservice svc-h323-udp udp 1718 1719
    netservice svc-h323-tcp tcp 1720
    netservice svc-vocera udp 5002
    netservice svc-http tcp 80
    netservice svc-sip-udp udp 5060
    netservice svc-natt udp 4500
    netservice svc-ftp tcp 21
    netservice svc-smtp tcp 25
    netservice svc-sips tcp 5061
    netservice svc-ntp udp 123
    netservice svc-icmp 1
    netservice svc-ssh tcp 22
    netexthdr default
    !
    ip access-list stateless dhcp-acl-stateless
      any any svc-dhcp  permit
    !
    ip access-list stateless validuser
      network 169.254.0.0 255.255.0.0 any any  deny
      any any any  permit
    !
    ip access-list stateless https-acl-stateless
      any any svc-https  permit
    !
    ip access-list stateless dns-acl-stateless
      any any svc-dns  permit
    !
    ip access-list stateless logon-control-stateless
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
    !
    ip access-list stateless icmp-acl-stateless
      any any svc-icmp  permit
    !
    ip access-list stateless allowall-stateless
      any any any  permit
    !
    ip access-list stateless http-acl-stateless
      any any svc-http  permit
    !
    user-role ap-role
    !
    user-role denyall
    !
    user-role guest-logon
    !
    user-role guest
     access-list stateless http-acl-stateless
     access-list stateless https-acl-stateless
     access-list stateless dhcp-acl-stateless
     access-list stateless icmp-acl-stateless
     access-list stateless dns-acl-stateless
    !
    user-role stateful-dot1x
    !
    user-role authenticated
     access-list stateless allowall-stateless
    !
    user-role logon
     access-list stateless logon-control-stateless
    !
    !


    snmp-server view ALL oid-tree iso included
    snmp-server group ALLPRIV v1 read ALL notify ALL
    snmp-server group ALLPRIV v2c read ALL notify ALL
    snmp-server group ALLPRIV v3 noauth read ALL notify ALL
    snmp-server group AUTHPRIV v3 priv read ALL notify ALL
    snmp-server group AUTHNOPRIV v3 auth read ALL notify ALL

    ssh mgmt-auth username/password
    mgmt-user admin root f10719e301564b835db7899eeca00a1e3706e42e13761424e2



    packet-capture-defaults tcp disable udp disable sysmsg disable other disable
    !
    ip domain lookup
    !
    country US
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
    !
    aaa server-group "default"
     auth-server Internal
     set role condition role value-of
    !
    aaa profile "default"
    !
    aaa authentication mgmt
    !
    aaa authentication wired
    !
    web-server
    !
    aaa password-policy mgmt
    !
    traceoptions
    !
    qos-profile "default"
    !
    policer-profile "default"
    !
    ip-profile
    !
    lcd-menu
    !
    interface-profile ospf-profile "default"
       area 0.0.0.0
    !
    interface-profile pim-profile "default"
    !
    interface-profile igmp-profile "default"
    !
    stack-profile
    !
    ipv6-profile
    !
    interface-profile switching-profile "default"
    !
    interface-profile poe-profile "default"
    !
    interface-profile poe-profile "poe-factory-initial"
       enable
    !
    interface-profile enet-link-profile "default"
    !
    interface-profile lldp-profile "default"
    !
    interface-profile lldp-profile "lldp-factory-initial"
       lldp transmit
       lldp receive
       med enable
    !
    interface-profile mstp-profile "default"
    !
    interface-profile pvst-port-profile "default"
    !
    vlan-profile mld-snooping-profile "default"
    !
    vlan-profile igmp-snooping-profile "default"
    !
    vlan-profile igmp-snooping-profile "igmp-snooping-factory-initial"
    !
    spanning-tree
       mode mstp
    !
    mstp
    !
    lacp
    !
    vlan "1"
       igmp-snooping-profile "igmp-snooping-factory-initial"
    !
    interface vlan "1"
       ip address 172.16.0.254 netmask 255.255.255.0
    !
    interface mgmt
    !
    interface-group gigabitethernet "default"
       apply-to ALL
       lldp-profile "lldp-factory-initial"
       poe-profile "poe-factory-initial"
    !

    snmp-server enable trap
    end
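
The comparison the poster ended up making by eye, as an added example that is not part of the original post: it parses `interface vlan` stanzas from `show run` text and reports where the running address differs from what was entered in quick-setup. The sample config is a constructed excerpt in the format posted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt, in the format of the "show run" output posted above.
RUNNING_CONFIG = '''\
vlan "1"
   igmp-snooping-profile "igmp-snooping-factory-initial"
!
interface vlan "1"
   ip address 172.16.0.254 netmask 255.255.255.0
!
interface mgmt
!
'''

# Values entered in quick-setup, as listed in the post (VLAN id -> address/mask).
INTENDED = {"1": ipaddress.ip_interface("172.16.252.50/255.255.252.0")}


def vlan_interfaces(config):
    """Map VLAN id -> ip_interface (or None) for each 'interface vlan' stanza."""
    found = {}
    current = None
    for raw in config.splitlines():
        if not raw[:1].isspace():
            # Column-0 line: a stanza header or the "!" separator.
            m = re.match(r'interface vlan "?(\d+)"?\s*$', raw)
            current = m.group(1) if m else None
            if current is not None:
                found[current] = None  # stanza exists, no address seen yet
            continue
        # Both forms appear in the thread: with and without the "netmask" keyword.
        m = re.match(r"\s+ip address (\S+) (?:netmask )?(\S+)\s*$", raw)
        if m and current is not None:
            found[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found


def drift(config, intended):
    """Return {vlan: (intended, actual)} for every VLAN whose address differs."""
    actual = vlan_interfaces(config)
    return {v: (want, actual.get(v))
            for v, want in intended.items() if actual.get(v) != want}


def on_link(host, iface):
    """True if host is inside the subnet configured on the interface."""
    return iface is not None and ipaddress.ip_address(host) in iface.network


if __name__ == "__main__":
    for vlan, (want, got) in drift(RUNNING_CONFIG, INTENDED).items():
        print(f"vlan {vlan}: intended {want}, running {got}")
        # 172.16.252.49 is the laptop address used in the thread.
        print("  laptop on-link with running address:", on_link("172.16.252.49", got))
```

Run against a saved `show run`, a non-empty result means the "successfully pushed" message should not be trusted until the address is set and verified from the CLI.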



  • 14.  RE: Startup Wizard

    Posted Apr 09, 2014 05:37 PM
    Aaron, this may be too simple, but there is a management port on the back of the switch. Could you be configuring that?


  • 15.  RE: Startup Wizard

    Posted Apr 10, 2014 08:20 AM

     

    ak74,

     

    If you leave the mgmt-VLAN as 1 (default), things should work.

     

    However, if you have a specific requirement to have mgmt-vlan as something else (in your case VLAN-6), then:

    After quick-setup is done,

    I believe you will be seeing something as below

     

    (ArubaS3500-24T) #show running-config  | begin 0/0/0
    Building Configuration...
    interface gigabitethernet "0/0/0"
       switching-profile "Upstream-profile"
    !
    interface vlan "6"
       ip address 172.16.252.50 255.255.252.0
    !

    (ArubaS3500-24T) # show interface-profile switching-profile Upstream-profile

    switching profile "Upstream-profile"
    ------------------------------------
    Parameter                                             Value
    ---------                                             -----
    Switchport mode                                       trunk   <<<<<<<<<<<<<
    Access mode VLAN                                      1            <<<<<<<<<<<<<
    Trunk mode native VLAN                                1
    Enable broadcast traffic rate limiting                Enabled
    Enable multicast traffic rate limiting                Disabled
    Enable unknown unicast traffic rate limiting          Enabled
    Max allowed rate limit traffic on port in percentage  50
    Trunk mode allowed VLANs                              1-4094

     

    (ArubaS3500-24T) #show interface gigabitethernet 0/0/0 switchport extensive

    GE0/0/0
    Link is Up
    Flags: Trunk, Trusted
    Native VLAN is 1

    VLAN membership:

    VLAN tag  Tagness   STP-State
    --------  --------  ---------
    1         Untagged  FWD       <<<<<<<<<<<<<
    1         Tagged    FWD
    6         Tagged    FWD

    As you can see from above, port 0/0/0 has native VLAN as 1; as a result, it allows un-tagged packets only for VLAN-1.

    And is trunk-port for all other VLANs. 

    But, since your mgmt-IP is sitting on VLAN-6, packets (ARP-request) would go out as tagged (with 6)

    Client / PC would anyway discard "tag"ness of the packet & would reply to ARP-request, which would be Un-tagged.

    But target IP is sitting on RVI-6.

     

    Looks like this is causing the problem. Also, I believe there was already an internal bug reported on a similar issue.

    Not sure on that though...need to check with engineering team..... will get back on this.

     

    Thanks,

    -Vinay
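
The tagging behaviour described in the post above, as an added example that is not part of the original thread: it parses the VLAN membership table from the `show interface ... switchport extensive` output and works out which VLAN an ingress frame lands in, so it is clear why an untagged laptop cannot reach an address on VLAN 6. The sample text is constructed from the output in the post, and the function names and the simplified ingress model are assumptions.

```python
import re

# Constructed from the switchport output shown in the post above.
SWITCHPORT_OUTPUT = '''\
GE0/0/0
Link is Up
Flags: Trunk, Trusted
Native VLAN is 1

VLAN membership:

VLAN tag  Tagness   STP-State
--------  --------  ---------
1         Untagged  FWD
1         Tagged    FWD
6         Tagged    FWD
'''


def parse_membership(text):
    """Return {(vlan, is_tagged): stp_state} from the VLAN membership table."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(Untagged|Tagged)\s+(\S+)", line)
        if m:
            rows[(int(m.group(1)), m.group(2) == "Tagged")] = m.group(3)
    return rows


def classify(rows, tag=None):
    """VLAN an ingress frame is placed in (tag=None means untagged).

    Simplified model: returns None when the port has no forwarding
    membership that matches the frame.
    """
    if tag is None:
        for (vlan, tagged), state in rows.items():
            if not tagged and state == "FWD":
                return vlan  # untagged frames go to the native VLAN
        return None
    return tag if rows.get((tag, True)) == "FWD" else None


def host_can_reach(rows, mgmt_vlan, host_tag=None):
    """True if frames sent by the host arrive in the management VLAN."""
    return classify(rows, host_tag) == mgmt_vlan


if __name__ == "__main__":
    rows = parse_membership(SWITCHPORT_OUTPUT)
    print("untagged laptop -> VLAN", classify(rows))
    print("reaches mgmt on VLAN 6 untagged:", host_can_reach(rows, 6))
    print("reaches mgmt on VLAN 6 tagging 6:", host_can_reach(rows, 6, host_tag=6))
    print("reaches mgmt on VLAN 1 untagged:", host_can_reach(rows, 1))
```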