Wired Intelligent Edge

Hi

This week we couldn't reach the hosts behind an access switch, but when we rebooted the switch then we could. It has occurred 2 times and we are wondreing what can be causing that.

This is the config of the core switch:

Running configuration:

; JL259A Configuration Editor; Created on release #WC.16.10.0009
; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
hostname "HBW-HQ-SW-01"
module 1 type jl259a
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 25 trk1 trunk
trunk 26 trk2 trunk
trunk 27 trk3 trunk
no telnet-server
time timezone -240
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 172.19.25.201 255.255.255.255 172.16.1.201
ip route 172.19.25.202 255.255.255.255 172.16.1.202
ip route 172.19.25.203 255.255.255.255 172.16.1.203
ip route 172.19.25.204 255.255.255.255 172.16.1.204
ip route 172.31.21.1 255.255.255.255 192.168.6.1
ip route 192.168.60.0 255.255.255.0 172.19.25.121 name "to_DGA"
ip route 192.168.205.0 255.255.255.0 172.19.25.121 name "to_DGAMonitoring"
ip routing
interface 5
dhcp-snooping trust
exit
interface 6
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
untagged 28,Trk1-Trk3
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
vlan 100
name "Servidores"
untagged 5-6,11
ip address 172.21.10.1 255.255.255.0
exit
vlan 200
name "VoIP"
untagged 3-4
tagged 9,Trk1-Trk3
ip address 172.21.20.1 255.255.255.0
ip address 192.168.6.3 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 300
name "Usuarios"
untagged 10
tagged Trk1-Trk3
ip address 172.21.30.1 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 500
name "Seguridad"
untagged 12-15,20-24
tagged Trk1-Trk3
ip address 172.16.1.1 255.255.255.0
exit
vlan 700
name "DGA_CCTV"
untagged 7
ip address 172.19.25.122 255.255.255.248
exit
vlan 750
name "DGA_CCTV_NVR"
untagged 16-19
no ip address
exit
vlan 800
name "DGA"
untagged 8-9
tagged Trk1-Trk3
no ip address
exit
vlan 999
name "MNGMNT"
tagged Trk1-Trk3
ip address 192.168.99.11 255.255.255.0
exit
vlan 1000
name "Internet"
untagged 1-2
ip address 10.10.10.2 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator


And this is the config of the access switch:

Running configuration:

; J9772A Configuration Editor; Created on release #YA.16.10.0002
; Ver #14:01.44.00.04.19.02.13.98.82.34.61.18.28.f3.84.9c.63.ff.37.27:45
hostname "HBW-HQ-SW-04"
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 49 trk1 trunk
no telnet-server
time timezone -240
ip default-gateway 192.168.99.11
interface Trk1
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged 50-52,Trk1
ip address dhcp-bootp
exit
vlan 100
name "Servidores"
no ip address
exit
vlan 200
name "VoIP"
tagged 3-5,Trk1
no ip address
exit
vlan 300
name "Usuarios"
untagged 3-5
tagged Trk1
no ip address
exit
vlan 500
name "Seguridad"
untagged 6-48
tagged Trk1
no ip address
exit
vlan 800
name "VLAN800"
untagged 1-2
tagged Trk1
no ip address
exit
vlan 999
name "Mngmnt"
tagged Trk1
ip address 192.168.99.14 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator



------------------------------
Juan Divison
------------------------------

Hello Juan,

Are you're trying to ping from an Host connected on Access ports 3-5 (thus belonging to "Usuarios" VLAN 300 [*]) to your Core's SVI on the very same VLAN 300 and that ping fails? and what's about pinging from the Core to the Host using the VLAN 300 SVI as source - ping <IP-Address-of-the-Host-on-172.21.30.0/24> source 172.21.30.1 - ? doesn't it work too?

[*] the Host under test should have be assigned with an IP Address (DHCP or static manually set) belonging to the "Usuarios" subnet 172.21.30.0/24 and with a Default Gateway equal to 172.21.30.1 (the VLAN 300's SVI on your Core).

Note: given both running configurations you posted immediately a strange thing pops up: why were created single link port trunks (links aggregations) both on core HBW-HQ-SW-01 and on access HBW-HQ-SW-04? was done on-purpose or was just a misunderstanding about how Port Trunking means and works on ArubaOS-Switch based switches?

On the Access Switch a Port Trunk (Non Protocol = Static) was configured with just one port - trunk 49 trk1 trunk - so the physical port 49 was set as the only member of the logical interface trk1 and trk1 has not any other member for resiliency and load balancing, the same can be seen on the Core Switch where one of the three Port Trunks (trunk 25 trk1 trunk, trunk 26 trk2 trunk and trunk 27 trk3 trunk) is involved as corresponding peer interface.

I believe this configuration "error" was due to a Cisco biased approach where the word "trunk" means "port carrying more VLAN IDs". In ArubaOS-Switch jargon (and on HP ProVision based Switches' jargon too) the word "trunk" means Links Aggregation (Non Protocol or LACP).

So will be interesting to correct your setup by removing those logical interface in favor of simple (single links) downlinks (tagged and untagged as needed).

Example: Core port 25 to Access port 49 (point-to-point)

Core: Port 25 should be made an untagged member of VLAN 1 "Default" and a tagged member of VLAN 200 "VoIP", 300 "Usuarios", 500 "Seguridad", 800 "VLAN800" and 999 "Mngmt" (192.168.99.11).

Access: Port 49 should match the tagging memberships of the corresponding peer port 49 on the Core.

------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Sep 07, 2021 09:32 AM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

Hi

This week we couldn't reach the hosts behind an access switch, but when we rebooted the switch then we could. It has occurred 2 times and we are wondreing what can be causing that.

This is the config of the core switch:

Running configuration:

; JL259A Configuration Editor; Created on release #WC.16.10.0009
; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
hostname "HBW-HQ-SW-01"
module 1 type jl259a
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 25 trk1 trunk
trunk 26 trk2 trunk
trunk 27 trk3 trunk
no telnet-server
time timezone -240
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 172.19.25.201 255.255.255.255 172.16.1.201
ip route 172.19.25.202 255.255.255.255 172.16.1.202
ip route 172.19.25.203 255.255.255.255 172.16.1.203
ip route 172.19.25.204 255.255.255.255 172.16.1.204
ip route 172.31.21.1 255.255.255.255 192.168.6.1
ip route 192.168.60.0 255.255.255.0 172.19.25.121 name "to_DGA"
ip route 192.168.205.0 255.255.255.0 172.19.25.121 name "to_DGAMonitoring"
ip routing
interface 5
dhcp-snooping trust
exit
interface 6
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
untagged 28,Trk1-Trk3
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
vlan 100
name "Servidores"
untagged 5-6,11
ip address 172.21.10.1 255.255.255.0
exit
vlan 200
name "VoIP"
untagged 3-4
tagged 9,Trk1-Trk3
ip address 172.21.20.1 255.255.255.0
ip address 192.168.6.3 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 300
name "Usuarios"
untagged 10
tagged Trk1-Trk3
ip address 172.21.30.1 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 500
name "Seguridad"
untagged 12-15,20-24
tagged Trk1-Trk3
ip address 172.16.1.1 255.255.255.0
exit
vlan 700
name "DGA_CCTV"
untagged 7
ip address 172.19.25.122 255.255.255.248
exit
vlan 750
name "DGA_CCTV_NVR"
untagged 16-19
no ip address
exit
vlan 800
name "DGA"
untagged 8-9
tagged Trk1-Trk3
no ip address
exit
vlan 999
name "MNGMNT"
tagged Trk1-Trk3
ip address 192.168.99.11 255.255.255.0
exit
vlan 1000
name "Internet"
untagged 1-2
ip address 10.10.10.2 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator


And this is the config of the access switch:

Running configuration:

; J9772A Configuration Editor; Created on release #YA.16.10.0002
; Ver #14:01.44.00.04.19.02.13.98.82.34.61.18.28.f3.84.9c.63.ff.37.27:45
hostname "HBW-HQ-SW-04"
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 49 trk1 trunk
no telnet-server
time timezone -240
ip default-gateway 192.168.99.11
interface Trk1
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged 50-52,Trk1
ip address dhcp-bootp
exit
vlan 100
name "Servidores"
no ip address
exit
vlan 200
name "VoIP"
tagged 3-5,Trk1
no ip address
exit
vlan 300
name "Usuarios"
untagged 3-5
tagged Trk1
no ip address
exit
vlan 500
name "Seguridad"
untagged 6-48
tagged Trk1
no ip address
exit
vlan 800
name "VLAN800"
untagged 1-2
tagged Trk1
no ip address
exit
vlan 999
name "Mngmnt"
tagged Trk1
ip address 192.168.99.14 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator



------------------------------
Juan Divison
------------------------------

The hosts connected on the access switch didn't get IP address from DHCP Server, I configured It static but couldn't ping any IP address.

I also tried to ping the hosts from the core switch with the IP 172.21.30.1 as source and ping failed, also tried with the network 172.16.1.0/24 as 172.16.1.1 as source.

But I was able to connect to the access switch through SSH and be able to ping many hotst of the network 172.16.1.0/24 that are connected on It.

After I rebooted the access switch everything was back to normality.

I know this thing about the Trunk ports in Aruba, at the moment I made the configuration I forget that Lol. Do you think It could be causing this problem?

------------------------------
Juan Divison
------------------------------

Original Message:
Sent: Sep 07, 2021 07:13 PM
From: Davide Poletto
Subject: VLANs unreachable on switch 2530

Hello Juan,

Are you're trying to ping from an Host connected on Access ports 3-5 (thus belonging to "Usuarios" VLAN 300 [*]) to your Core's SVI on the very same VLAN 300 and that ping fails? and what's about pinging from the Core to the Host using the VLAN 300 SVI as source - ping <IP-Address-of-the-Host-on-172.21.30.0/24> source 172.21.30.1 - ? doesn't it work too?

[*] the Host under test should have be assigned with an IP Address (DHCP or static manually set) belonging to the "Usuarios" subnet 172.21.30.0/24 and with a Default Gateway equal to 172.21.30.1 (the VLAN 300's SVI on your Core).

Note: given both running configurations you posted immediately a strange thing pops up: why were created single link port trunks (links aggregations) both on core HBW-HQ-SW-01 and on access HBW-HQ-SW-04? was done on-purpose or was just a misunderstanding about how Port Trunking means and works on ArubaOS-Switch based switches?

On the Access Switch a Port Trunk (Non Protocol = Static) was configured with just one port - trunk 49 trk1 trunk - so the physical port 49 was set as the only member of the logical interface trk1 and trk1 has not any other member for resiliency and load balancing, the same can be seen on the Core Switch where one of the three Port Trunks (trunk 25 trk1 trunk, trunk 26 trk2 trunk and trunk 27 trk3 trunk) is involved as corresponding peer interface.

I believe this configuration "error" was due to a Cisco biased approach where the word "trunk" means "port carrying more VLAN IDs". In ArubaOS-Switch jargon (and on HP ProVision based Switches' jargon too) the word "trunk" means Links Aggregation (Non Protocol or LACP).

So will be interesting to correct your setup by removing those logical interface in favor of simple (single links) downlinks (tagged and untagged as needed).

Example: Core port 25 to Access port 49 (point-to-point)

Core: Port 25 should be made an untagged member of VLAN 1 "Default" and a tagged member of VLAN 200 "VoIP", 300 "Usuarios", 500 "Seguridad", 800 "VLAN800" and 999 "Mngmt" (192.168.99.11).

Access: Port 49 should match the tagging memberships of the corresponding peer port 49 on the Core.

------------------------------
Davide Poletto

Original Message:
Sent: Sep 07, 2021 09:32 AM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

Hi

This week we couldn't reach the hosts behind an access switch, but when we rebooted the switch then we could. It has occurred 2 times and we are wondreing what can be causing that.

This is the config of the core switch:

Running configuration:

; JL259A Configuration Editor; Created on release #WC.16.10.0009
; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
hostname "HBW-HQ-SW-01"
module 1 type jl259a
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 25 trk1 trunk
trunk 26 trk2 trunk
trunk 27 trk3 trunk
no telnet-server
time timezone -240
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 172.19.25.201 255.255.255.255 172.16.1.201
ip route 172.19.25.202 255.255.255.255 172.16.1.202
ip route 172.19.25.203 255.255.255.255 172.16.1.203
ip route 172.19.25.204 255.255.255.255 172.16.1.204
ip route 172.31.21.1 255.255.255.255 192.168.6.1
ip route 192.168.60.0 255.255.255.0 172.19.25.121 name "to_DGA"
ip route 192.168.205.0 255.255.255.0 172.19.25.121 name "to_DGAMonitoring"
ip routing
interface 5
dhcp-snooping trust
exit
interface 6
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
untagged 28,Trk1-Trk3
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
vlan 100
name "Servidores"
untagged 5-6,11
ip address 172.21.10.1 255.255.255.0
exit
vlan 200
name "VoIP"
untagged 3-4
tagged 9,Trk1-Trk3
ip address 172.21.20.1 255.255.255.0
ip address 192.168.6.3 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 300
name "Usuarios"
untagged 10
tagged Trk1-Trk3
ip address 172.21.30.1 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 500
name "Seguridad"
untagged 12-15,20-24
tagged Trk1-Trk3
ip address 172.16.1.1 255.255.255.0
exit
vlan 700
name "DGA_CCTV"
untagged 7
ip address 172.19.25.122 255.255.255.248
exit
vlan 750
name "DGA_CCTV_NVR"
untagged 16-19
no ip address
exit
vlan 800
name "DGA"
untagged 8-9
tagged Trk1-Trk3
no ip address
exit
vlan 999
name "MNGMNT"
tagged Trk1-Trk3
ip address 192.168.99.11 255.255.255.0
exit
vlan 1000
name "Internet"
untagged 1-2
ip address 10.10.10.2 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator


And this is the config of the access switch:

Running configuration:

; J9772A Configuration Editor; Created on release #YA.16.10.0002
; Ver #14:01.44.00.04.19.02.13.98.82.34.61.18.28.f3.84.9c.63.ff.37.27:45
hostname "HBW-HQ-SW-04"
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 49 trk1 trunk
no telnet-server
time timezone -240
ip default-gateway 192.168.99.11
interface Trk1
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged 50-52,Trk1
ip address dhcp-bootp
exit
vlan 100
name "Servidores"
no ip address
exit
vlan 200
name "VoIP"
tagged 3-5,Trk1
no ip address
exit
vlan 300
name "Usuarios"
untagged 3-5
tagged Trk1
no ip address
exit
vlan 500
name "Seguridad"
untagged 6-48
tagged Trk1
no ip address
exit
vlan 800
name "VLAN800"
untagged 1-2
tagged Trk1
no ip address
exit
vlan 999
name "Mngmnt"
tagged Trk1
ip address 192.168.99.14 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator



------------------------------
Juan Divison
------------------------------

Hello Juan, you wrote: "The hosts connected on the access switch didn't get IP address from DHCP Server, I configured It static but couldn't ping any IP address." this is quite strange especially if you manually configured hosts' IP Addresses in static mode (so bypassing any potential DHCP related issues).

Assumptions:

An Host A with IP Address set within VLAN A's Subnet connected to a VLAN A Access port (untagged member of VLAN A) MUST be able to ping its Default Gateway, that's essential (and an Host's default gateway is de-facto the VLAN's SVI IP Address which, in your case, is set on the Core Switch where the Layer 3 - IP Routing - happens).

An Host B with IP Address set within VLAN B's Subnet connected to a VLAN B Access port (untagged member of VLAN B) MUST be able to ping its Default Gateway, that's essential (and an Host's default gateway is de-facto the VLAN's SVI IP Address which, in your case, is set on the Core Switch where the Layer 3 - IP Routing - happens).

Expected behavior:

Both Host A and Host B MUST be able to ping each others (in any way: A -> B and B -> A) because the Core Switch has the duty of routing their packets, clearly this works IF (a) there aren't ACLs blocking those messages (or there are ACLs permitting those messages) and (b) Hosts accepts incoming ICMP (thus triple check Host Firewall at OS level).

Please report the outputs of these four commands:

show vlan ports ethernet trk1 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk2 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk3 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk1 detail (executed on HBW-HQ-SW-04)

and the output of these other two commands:

show lldp info remote-device (executed on HBW-HQ-SW-01)
show lldp info remote-device (executed on HBW-HQ-SW-04)

Thanks.


------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Sep 08, 2021 12:01 PM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

The hosts connected on the access switch didn't get IP address from DHCP Server, I configured It static but couldn't ping any IP address.

I also tried to ping the hosts from the core switch with the IP 172.21.30.1 as source and ping failed, also tried with the network 172.16.1.0/24 as 172.16.1.1 as source.

But I was able to connect to the access switch through SSH and be able to ping many hotst of the network 172.16.1.0/24 that are connected on It.

After I rebooted the access switch everything was back to normality.

I know this thing about the Trunk ports in Aruba, at the moment I made the configuration I forget that Lol. Do you think It could be causing this problem?

------------------------------
Juan Divison

Original Message:
Sent: Sep 07, 2021 07:13 PM
From: Davide Poletto
Subject: VLANs unreachable on switch 2530

Hello Juan,

Are you're trying to ping from an Host connected on Access ports 3-5 (thus belonging to "Usuarios" VLAN 300 [*]) to your Core's SVI on the very same VLAN 300 and that ping fails? and what's about pinging from the Core to the Host using the VLAN 300 SVI as source - ping <IP-Address-of-the-Host-on-172.21.30.0/24> source 172.21.30.1 - ? doesn't it work too?

[*] the Host under test should have be assigned with an IP Address (DHCP or static manually set) belonging to the "Usuarios" subnet 172.21.30.0/24 and with a Default Gateway equal to 172.21.30.1 (the VLAN 300's SVI on your Core).

Note: given both running configurations you posted immediately a strange thing pops up: why were created single link port trunks (links aggregations) both on core HBW-HQ-SW-01 and on access HBW-HQ-SW-04? was done on-purpose or was just a misunderstanding about how Port Trunking means and works on ArubaOS-Switch based switches?

On the Access Switch a Port Trunk (Non Protocol = Static) was configured with just one port - trunk 49 trk1 trunk - so the physical port 49 was set as the only member of the logical interface trk1 and trk1 has not any other member for resiliency and load balancing, the same can be seen on the Core Switch where one of the three Port Trunks (trunk 25 trk1 trunk, trunk 26 trk2 trunk and trunk 27 trk3 trunk) is involved as corresponding peer interface.

I believe this configuration "error" was due to a Cisco biased approach where the word "trunk" means "port carrying more VLAN IDs". In ArubaOS-Switch jargon (and on HP ProVision based Switches' jargon too) the word "trunk" means Links Aggregation (Non Protocol or LACP).

So will be interesting to correct your setup by removing those logical interface in favor of simple (single links) downlinks (tagged and untagged as needed).

Example: Core port 25 to Access port 49 (point-to-point)

Core: Port 25 should be made an untagged member of VLAN 1 "Default" and a tagged member of VLAN 200 "VoIP", 300 "Usuarios", 500 "Seguridad", 800 "VLAN800" and 999 "Mngmt" (192.168.99.11).

Access: Port 49 should match the tagging memberships of the corresponding peer port 49 on the Core.

------------------------------
Davide Poletto

Original Message:
Sent: Sep 07, 2021 09:32 AM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

Hi

This week we couldn't reach the hosts behind an access switch, but when we rebooted the switch then we could. It has occurred 2 times and we are wondreing what can be causing that.

This is the config of the core switch:

Running configuration:

; JL259A Configuration Editor; Created on release #WC.16.10.0009
; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
hostname "HBW-HQ-SW-01"
module 1 type jl259a
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 25 trk1 trunk
trunk 26 trk2 trunk
trunk 27 trk3 trunk
no telnet-server
time timezone -240
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 172.19.25.201 255.255.255.255 172.16.1.201
ip route 172.19.25.202 255.255.255.255 172.16.1.202
ip route 172.19.25.203 255.255.255.255 172.16.1.203
ip route 172.19.25.204 255.255.255.255 172.16.1.204
ip route 172.31.21.1 255.255.255.255 192.168.6.1
ip route 192.168.60.0 255.255.255.0 172.19.25.121 name "to_DGA"
ip route 192.168.205.0 255.255.255.0 172.19.25.121 name "to_DGAMonitoring"
ip routing
interface 5
dhcp-snooping trust
exit
interface 6
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
untagged 28,Trk1-Trk3
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
vlan 100
name "Servidores"
untagged 5-6,11
ip address 172.21.10.1 255.255.255.0
exit
vlan 200
name "VoIP"
untagged 3-4
tagged 9,Trk1-Trk3
ip address 172.21.20.1 255.255.255.0
ip address 192.168.6.3 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 300
name "Usuarios"
untagged 10
tagged Trk1-Trk3
ip address 172.21.30.1 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 500
name "Seguridad"
untagged 12-15,20-24
tagged Trk1-Trk3
ip address 172.16.1.1 255.255.255.0
exit
vlan 700
name "DGA_CCTV"
untagged 7
ip address 172.19.25.122 255.255.255.248
exit
vlan 750
name "DGA_CCTV_NVR"
untagged 16-19
no ip address
exit
vlan 800
name "DGA"
untagged 8-9
tagged Trk1-Trk3
no ip address
exit
vlan 999
name "MNGMNT"
tagged Trk1-Trk3
ip address 192.168.99.11 255.255.255.0
exit
vlan 1000
name "Internet"
untagged 1-2
ip address 10.10.10.2 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator


And this is the config of the access switch:

Running configuration:

; J9772A Configuration Editor; Created on release #YA.16.10.0002
; Ver #14:01.44.00.04.19.02.13.98.82.34.61.18.28.f3.84.9c.63.ff.37.27:45
hostname "HBW-HQ-SW-04"
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 49 trk1 trunk
no telnet-server
time timezone -240
ip default-gateway 192.168.99.11
interface Trk1
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged 50-52,Trk1
ip address dhcp-bootp
exit
vlan 100
name "Servidores"
no ip address
exit
vlan 200
name "VoIP"
tagged 3-5,Trk1
no ip address
exit
vlan 300
name "Usuarios"
untagged 3-5
tagged Trk1
no ip address
exit
vlan 500
name "Seguridad"
untagged 6-48
tagged Trk1
no ip address
exit
vlan 800
name "VLAN800"
untagged 1-2
tagged Trk1
no ip address
exit
vlan 999
name "Mngmnt"
tagged Trk1
ip address 192.168.99.14 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator



------------------------------
Juan Divison
------------------------------

Here are the outputs:

HBW-HQ-SW-01# show vlan ports ethernet trk1 detail

Status and Counters - VLAN Information - for ports Trk1

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 DGA | Port-based No No Tagged
999 MNGMNT | Port-based No No Tagged


HBW-HQ-SW-01# show vlan ports ethernet trk2 detail

Status and Counters - VLAN Information - for ports Trk2

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 DGA | Port-based No No Tagged
999 MNGMNT | Port-based No No Tagged


HBW-HQ-SW-01# show vlan ports ethernet trk3 detail

Status and Counters - VLAN Information - for ports Trk3

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 DGA | Port-based No No Tagged
999 MNGMNT | Port-based No No Tagged


HBW-HQ-SW-04# sh vlan ports ethernet trk1 detail

Status and Counters - VLAN Information - for ports Trk1

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 VLAN800 | Port-based No No Tagged
999 Mngmnt | Port-based No No Tagged



HBW-HQ-SW-01# show lldp info remote-device

LLDP Remote Devices Information

LocalPort | ChassisId PortId PortDescr SysName
--------- + ------------------ ------------------ --------- ------------------
9 | 0c2724571562 gi25 Cisco SG200-26 ...
9 | 0c2724-571562 gi25
25 | 08f1ea-24de80 49 49 HBW-HQ-SW-02
26 | f860f0-7c3080 49 49 HBW-HQ-SW-03
27 | 104f58-979880 49 49 HBW-HQ-SW-04



HBW-HQ-SW-04# show lldp info remote-device

LLDP Remote Devices Information

LocalPort | ChassisId PortId PortDescr SysName
--------- + ------------------ ------------------ --------- ------------------
1 | e4 54 e8 5a 26 83 e4 54 e8 5a 26 83
4 | 00 0b 82 7e 7b 66 00 0b 82 7e 7b 66 eth0 gxp1405_000b827...
5 | 24 79 2a 3d 08 d0 24 79 2a 3d 08 d3 eth0 RuckusAP
49 | 64 e8 81 05 75 20 27 27 HBW-HQ-SW-01



I forgot to notice you that I have changed the spanning tree priority of the port trunks to  zero on the core switch because they were 4.

In summary I have changed the commands:

spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4

to:

spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0

Do you think this could have been causing this problem?


------------------------------
Juan Divison
------------------------------

Original Message:
Sent: Sep 09, 2021 05:54 AM
From: Davide Poletto
Subject: VLANs unreachable on switch 2530

Hello Juan, you wrote: "The hosts connected on the access switch didn't get IP address from DHCP Server, I configured It static but couldn't ping any IP address." this is quite strange especially if you manually configured hosts' IP Addresses in static mode (so bypassing any potential DHCP related issues).

Assumptions:

An Host A with IP Address set within VLAN A's Subnet connected to a VLAN A Access port (untagged member of VLAN A) MUST be able to ping its Default Gateway, that's essential (and an Host's default gateway is de-facto the VLAN's SVI IP Address which, in your case, is set on the Core Switch where the Layer 3 - IP Routing - happens).

An Host B with IP Address set within VLAN B's Subnet connected to a VLAN B Access port (untagged member of VLAN B) MUST be able to ping its Default Gateway, that's essential (and an Host's default gateway is de-facto the VLAN's SVI IP Address which, in your case, is set on the Core Switch where the Layer 3 - IP Routing - happens).

Expected behavior:

Both Host A and Host B MUST be able to ping each others (in any way: A -> B and B -> A) because the Core Switch has the duty of routing their packets, clearly this works IF (a) there aren't ACLs blocking those messages (or there are ACLs permitting those messages) and (b) Hosts accepts incoming ICMP (thus triple check Host Firewall at OS level).

Please report the outputs of these four commands:

show vlan ports ethernet trk1 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk2 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk3 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk1 detail (executed on HBW-HQ-SW-04)

and the output of these other two commands:

show lldp info remote-device (executed on HBW-HQ-SW-01)
show lldp info remote-device (executed on HBW-HQ-SW-04)

Thanks.


------------------------------
Davide Poletto

Original Message:
Sent: Sep 08, 2021 12:01 PM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

The hosts connected on the access switch didn't get IP address from DHCP Server, I configured It static but couldn't ping any IP address.

I also tried to ping the hosts from the core switch with the IP 172.21.30.1 as source and ping failed, also tried with the network 172.16.1.0/24 as 172.16.1.1 as source.

But I was able to connect to the access switch through SSH and be able to ping many hotst of the network 172.16.1.0/24 that are connected on It.

After I rebooted the access switch everything was back to normality.

I know this thing about the Trunk ports in Aruba, at the moment I made the configuration I forget that Lol. Do you think It could be causing this problem?

------------------------------
Juan Divison

Original Message:
Sent: Sep 07, 2021 07:13 PM
From: Davide Poletto
Subject: VLANs unreachable on switch 2530

Hello Juan,

Are you're trying to ping from an Host connected on Access ports 3-5 (thus belonging to "Usuarios" VLAN 300 [*]) to your Core's SVI on the very same VLAN 300 and that ping fails? and what's about pinging from the Core to the Host using the VLAN 300 SVI as source - ping <IP-Address-of-the-Host-on-172.21.30.0/24> source 172.21.30.1 - ? doesn't it work too?

[*] the Host under test should have be assigned with an IP Address (DHCP or static manually set) belonging to the "Usuarios" subnet 172.21.30.0/24 and with a Default Gateway equal to 172.21.30.1 (the VLAN 300's SVI on your Core).

Note: given both running configurations you posted immediately a strange thing pops up: why were created single link port trunks (links aggregations) both on core HBW-HQ-SW-01 and on access HBW-HQ-SW-04? was done on-purpose or was just a misunderstanding about how Port Trunking means and works on ArubaOS-Switch based switches?

On the Access Switch a Port Trunk (Non Protocol = Static) was configured with just one port - trunk 49 trk1 trunk - so the physical port 49 was set as the only member of the logical interface trk1 and trk1 has not any other member for resiliency and load balancing, the same can be seen on the Core Switch where one of the three Port Trunks (trunk 25 trk1 trunk, trunk 26 trk2 trunk and trunk 27 trk3 trunk) is involved as corresponding peer interface.

I believe this configuration "error" was due to a Cisco biased approach where the word "trunk" means "port carrying more VLAN IDs". In ArubaOS-Switch jargon (and on HP ProVision based Switches' jargon too) the word "trunk" means Links Aggregation (Non Protocol or LACP).

So will be interesting to correct your setup by removing those logical interface in favor of simple (single links) downlinks (tagged and untagged as needed).

Example: Core port 25 to Access port 49 (point-to-point)

Core: Port 25 should be made an untagged member of VLAN 1 "Default" and a tagged member of VLAN 200 "VoIP", 300 "Usuarios", 500 "Seguridad", 800 "VLAN800" and 999 "Mngmt" (192.168.99.11).

Access: Port 49 should match the tagging memberships of the corresponding peer port 49 on the Core.

------------------------------
Davide Poletto

Original Message:
Sent: Sep 07, 2021 09:32 AM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

Hi

This week we couldn't reach the hosts behind an access switch, but when we rebooted the switch then we could. It has occurred 2 times and we are wondreing what can be causing that.

This is the config of the core switch:

Running configuration:

; JL259A Configuration Editor; Created on release #WC.16.10.0009
; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
hostname "HBW-HQ-SW-01"
module 1 type jl259a
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 25 trk1 trunk
trunk 26 trk2 trunk
trunk 27 trk3 trunk
no telnet-server
time timezone -240
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 172.19.25.201 255.255.255.255 172.16.1.201
ip route 172.19.25.202 255.255.255.255 172.16.1.202
ip route 172.19.25.203 255.255.255.255 172.16.1.203
ip route 172.19.25.204 255.255.255.255 172.16.1.204
ip route 172.31.21.1 255.255.255.255 192.168.6.1
ip route 192.168.60.0 255.255.255.0 172.19.25.121 name "to_DGA"
ip route 192.168.205.0 255.255.255.0 172.19.25.121 name "to_DGAMonitoring"
ip routing
interface 5
dhcp-snooping trust
exit
interface 6
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
untagged 28,Trk1-Trk3
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
vlan 100
name "Servidores"
untagged 5-6,11
ip address 172.21.10.1 255.255.255.0
exit
vlan 200
name "VoIP"
untagged 3-4
tagged 9,Trk1-Trk3
ip address 172.21.20.1 255.255.255.0
ip address 192.168.6.3 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 300
name "Usuarios"
untagged 10
tagged Trk1-Trk3
ip address 172.21.30.1 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 500
name "Seguridad"
untagged 12-15,20-24
tagged Trk1-Trk3
ip address 172.16.1.1 255.255.255.0
exit
vlan 700
name "DGA_CCTV"
untagged 7
ip address 172.19.25.122 255.255.255.248
exit
vlan 750
name "DGA_CCTV_NVR"
untagged 16-19
no ip address
exit
vlan 800
name "DGA"
untagged 8-9
tagged Trk1-Trk3
no ip address
exit
vlan 999
name "MNGMNT"
tagged Trk1-Trk3
ip address 192.168.99.11 255.255.255.0
exit
vlan 1000
name "Internet"
untagged 1-2
ip address 10.10.10.2 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator


And this is the config of the access switch:

Running configuration:

; J9772A Configuration Editor; Created on release #YA.16.10.0002
; Ver #14:01.44.00.04.19.02.13.98.82.34.61.18.28.f3.84.9c.63.ff.37.27:45
hostname "HBW-HQ-SW-04"
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 49 trk1 trunk
no telnet-server
time timezone -240
ip default-gateway 192.168.99.11
interface Trk1
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged 50-52,Trk1
ip address dhcp-bootp
exit
vlan 100
name "Servidores"
no ip address
exit
vlan 200
name "VoIP"
tagged 3-5,Trk1
no ip address
exit
vlan 300
name "Usuarios"
untagged 3-5
tagged Trk1
no ip address
exit
vlan 500
name "Seguridad"
untagged 6-48
tagged Trk1
no ip address
exit
vlan 800
name "VLAN800"
untagged 1-2
tagged Trk1
no ip address
exit
vlan 999
name "Mngmnt"
tagged Trk1
ip address 192.168.99.14 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator



------------------------------
Juan Divison
------------------------------

Hello Juan, as far as I can tell I don't see any particular issue in how uplinks between access switches and your core are set and it seems you have a stellar topology. All uplinks between ArubaOS-Switch based switches are:

VLAN ID Name                 | Status     Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1       DEFAULT_VLAN         | Port-based No    No    Untagged
200     VoIP                 | Port-based No    No    Tagged
300     Usuarios             | Port-based No    No    Tagged
500     Seguridad            | Port-based No    No    Tagged
800     DGA                  | Port-based No    No    Tagged
999     MNGMNT               | Port-based No    No    Tagged​

so you are allowing VLAN 1 (Untagged) and all others (Tagged) and there is a perfect match between peer ports.

I can't say nothing about the uplink to the Cisco SG200-26 switch since it is connected via HBW-HQ-SW-01 port 9 which is (along with port 8) an untagged member of VLAN 800 "DGA" only (with No SVI) and nothing else.

The fact hosts in different VLANs can't ping each others looks extremely strange (have you triple checked that access ports have the correct access VLAN configuration? have you triple checked OS Firewall blocking ICMP?).

Another point would be to investigate the Spanning Tree as a side task (it appears enabled but with no particular configuration, such as spanning tree protocol, priority, bpdu-filtering and admin-edge settings just to name a few).

To diagnose DHCP I would start by disabling those various DHCP snooping related settings to start plain.

------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Sep 09, 2021 09:49 AM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

Here are the outputs:

HBW-HQ-SW-01# show vlan ports ethernet trk1 detail

Status and Counters - VLAN Information - for ports Trk1

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 DGA | Port-based No No Tagged
999 MNGMNT | Port-based No No Tagged


HBW-HQ-SW-01# show vlan ports ethernet trk2 detail

Status and Counters - VLAN Information - for ports Trk2

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 DGA | Port-based No No Tagged
999 MNGMNT | Port-based No No Tagged


HBW-HQ-SW-01# show vlan ports ethernet trk3 detail

Status and Counters - VLAN Information - for ports Trk3

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 DGA | Port-based No No Tagged
999 MNGMNT | Port-based No No Tagged


HBW-HQ-SW-04# sh vlan ports ethernet trk1 detail

Status and Counters - VLAN Information - for ports Trk1

VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
1 DEFAULT_VLAN | Port-based No No Untagged
200 VoIP | Port-based No No Tagged
300 Usuarios | Port-based No No Tagged
500 Seguridad | Port-based No No Tagged
800 VLAN800 | Port-based No No Tagged
999 Mngmnt | Port-based No No Tagged



HBW-HQ-SW-01# show lldp info remote-device

LLDP Remote Devices Information

LocalPort | ChassisId PortId PortDescr SysName
--------- + ------------------ ------------------ --------- ------------------
9 | 0c2724571562 gi25 Cisco SG200-26 ...
9 | 0c2724-571562 gi25
25 | 08f1ea-24de80 49 49 HBW-HQ-SW-02
26 | f860f0-7c3080 49 49 HBW-HQ-SW-03
27 | 104f58-979880 49 49 HBW-HQ-SW-04



HBW-HQ-SW-04# show lldp info remote-device

LLDP Remote Devices Information

LocalPort | ChassisId PortId PortDescr SysName
--------- + ------------------ ------------------ --------- ------------------
1 | e4 54 e8 5a 26 83 e4 54 e8 5a 26 83
4 | 00 0b 82 7e 7b 66 00 0b 82 7e 7b 66 eth0 gxp1405_000b827...
5 | 24 79 2a 3d 08 d0 24 79 2a 3d 08 d3 eth0 RuckusAP
49 | 64 e8 81 05 75 20 27 27 HBW-HQ-SW-01



I forgot to notice you that I have changed the spanning tree priority of the port trunks to  zero on the core switch because they were 4.

In summary I have changed the commands:

spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4

to:

spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0

Do you think this could have been causing this problem?


------------------------------
Juan Divison

Original Message:
Sent: Sep 09, 2021 05:54 AM
From: Davide Poletto
Subject: VLANs unreachable on switch 2530

Hello Juan, you wrote: "The hosts connected on the access switch didn't get IP address from DHCP Server, I configured It static but couldn't ping any IP address." this is quite strange especially if you manually configured hosts' IP Addresses in static mode (so bypassing any potential DHCP related issues).

Assumptions:

An Host A with IP Address set within VLAN A's Subnet connected to a VLAN A Access port (untagged member of VLAN A) MUST be able to ping its Default Gateway, that's essential (and an Host's default gateway is de-facto the VLAN's SVI IP Address which, in your case, is set on the Core Switch where the Layer 3 - IP Routing - happens).

An Host B with IP Address set within VLAN B's Subnet connected to a VLAN B Access port (untagged member of VLAN B) MUST be able to ping its Default Gateway, that's essential (and an Host's default gateway is de-facto the VLAN's SVI IP Address which, in your case, is set on the Core Switch where the Layer 3 - IP Routing - happens).

Expected behavior:

Both Host A and Host B MUST be able to ping each others (in any way: A -> B and B -> A) because the Core Switch has the duty of routing their packets, clearly this works IF (a) there aren't ACLs blocking those messages (or there are ACLs permitting those messages) and (b) Hosts accepts incoming ICMP (thus triple check Host Firewall at OS level).

Please report the outputs of these four commands:

show vlan ports ethernet trk1 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk2 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk3 detail (executed on HBW-HQ-SW-01)
show vlan ports ethernet trk1 detail (executed on HBW-HQ-SW-04)

and the output of these other two commands:

show lldp info remote-device (executed on HBW-HQ-SW-01)
show lldp info remote-device (executed on HBW-HQ-SW-04)

Thanks.


------------------------------
Davide Poletto

Original Message:
Sent: Sep 08, 2021 12:01 PM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

The hosts connected on the access switch didn't get IP address from DHCP Server, I configured It static but couldn't ping any IP address.

I also tried to ping the hosts from the core switch with the IP 172.21.30.1 as source and ping failed, also tried with the network 172.16.1.0/24 as 172.16.1.1 as source.

But I was able to connect to the access switch through SSH and be able to ping many hotst of the network 172.16.1.0/24 that are connected on It.

After I rebooted the access switch everything was back to normality.

I know this thing about the Trunk ports in Aruba, at the moment I made the configuration I forget that Lol. Do you think It could be causing this problem?

------------------------------
Juan Divison

Original Message:
Sent: Sep 07, 2021 07:13 PM
From: Davide Poletto
Subject: VLANs unreachable on switch 2530

Hello Juan,

Are you're trying to ping from an Host connected on Access ports 3-5 (thus belonging to "Usuarios" VLAN 300 [*]) to your Core's SVI on the very same VLAN 300 and that ping fails? and what's about pinging from the Core to the Host using the VLAN 300 SVI as source - ping <IP-Address-of-the-Host-on-172.21.30.0/24> source 172.21.30.1 - ? doesn't it work too?

[*] the Host under test should have be assigned with an IP Address (DHCP or static manually set) belonging to the "Usuarios" subnet 172.21.30.0/24 and with a Default Gateway equal to 172.21.30.1 (the VLAN 300's SVI on your Core).

Note: given both running configurations you posted immediately a strange thing pops up: why were created single link port trunks (links aggregations) both on core HBW-HQ-SW-01 and on access HBW-HQ-SW-04? was done on-purpose or was just a misunderstanding about how Port Trunking means and works on ArubaOS-Switch based switches?

On the Access Switch a Port Trunk (Non Protocol = Static) was configured with just one port - trunk 49 trk1 trunk - so the physical port 49 was set as the only member of the logical interface trk1 and trk1 has not any other member for resiliency and load balancing, the same can be seen on the Core Switch where one of the three Port Trunks (trunk 25 trk1 trunk, trunk 26 trk2 trunk and trunk 27 trk3 trunk) is involved as corresponding peer interface.

I believe this configuration "error" was due to a Cisco biased approach where the word "trunk" means "port carrying more VLAN IDs". In ArubaOS-Switch jargon (and on HP ProVision based Switches' jargon too) the word "trunk" means Links Aggregation (Non Protocol or LACP).

So will be interesting to correct your setup by removing those logical interface in favor of simple (single links) downlinks (tagged and untagged as needed).

Example: Core port 25 to Access port 49 (point-to-point)

Core: Port 25 should be made an untagged member of VLAN 1 "Default" and a tagged member of VLAN 200 "VoIP", 300 "Usuarios", 500 "Seguridad", 800 "VLAN800" and 999 "Mngmt" (192.168.99.11).

Access: Port 49 should match the tagging memberships of the corresponding peer port 49 on the Core.

------------------------------
Davide Poletto

Original Message:
Sent: Sep 07, 2021 09:32 AM
From: Juan Divison
Subject: VLANs unreachable on switch 2530

Hi

This week we couldn't reach the hosts behind an access switch, but when we rebooted the switch then we could. It has occurred 2 times and we are wondreing what can be causing that.

This is the config of the core switch:

Running configuration:

; JL259A Configuration Editor; Created on release #WC.16.10.0009
; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
hostname "HBW-HQ-SW-01"
module 1 type jl259a
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 25 trk1 trunk
trunk 26 trk2 trunk
trunk 27 trk3 trunk
no telnet-server
time timezone -240
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 172.19.25.201 255.255.255.255 172.16.1.201
ip route 172.19.25.202 255.255.255.255 172.16.1.202
ip route 172.19.25.203 255.255.255.255 172.16.1.203
ip route 172.19.25.204 255.255.255.255 172.16.1.204
ip route 172.31.21.1 255.255.255.255 192.168.6.1
ip route 192.168.60.0 255.255.255.0 172.19.25.121 name "to_DGA"
ip route 192.168.205.0 255.255.255.0 172.19.25.121 name "to_DGAMonitoring"
ip routing
interface 5
dhcp-snooping trust
exit
interface 6
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
untagged 28,Trk1-Trk3
ip address dhcp-bootp
ipv6 enable
ipv6 address dhcp full
exit
vlan 100
name "Servidores"
untagged 5-6,11
ip address 172.21.10.1 255.255.255.0
exit
vlan 200
name "VoIP"
untagged 3-4
tagged 9,Trk1-Trk3
ip address 172.21.20.1 255.255.255.0
ip address 192.168.6.3 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 300
name "Usuarios"
untagged 10
tagged Trk1-Trk3
ip address 172.21.30.1 255.255.255.0
ip helper-address 172.21.10.10
exit
vlan 500
name "Seguridad"
untagged 12-15,20-24
tagged Trk1-Trk3
ip address 172.16.1.1 255.255.255.0
exit
vlan 700
name "DGA_CCTV"
untagged 7
ip address 172.19.25.122 255.255.255.248
exit
vlan 750
name "DGA_CCTV_NVR"
untagged 16-19
no ip address
exit
vlan 800
name "DGA"
untagged 8-9
tagged Trk1-Trk3
no ip address
exit
vlan 999
name "MNGMNT"
tagged Trk1-Trk3
ip address 192.168.99.11 255.255.255.0
exit
vlan 1000
name "Internet"
untagged 1-2
ip address 10.10.10.2 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 0
spanning-tree Trk2 priority 0
spanning-tree Trk3 priority 0
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator


And this is the config of the access switch:

Running configuration:

; J9772A Configuration Editor; Created on release #YA.16.10.0002
; Ver #14:01.44.00.04.19.02.13.98.82.34.61.18.28.f3.84.9c.63.ff.37.27:45
hostname "HBW-HQ-SW-04"
console idle-timeout 600
console idle-timeout serial-usb 600
dhcp-snooping authorized-server 172.21.10.10
dhcp-snooping authorized-server 172.21.20.1
dhcp-snooping authorized-server 172.21.30.1
dhcp-snooping vlan 200 300
trunk 49 trk1 trunk
no telnet-server
time timezone -240
ip default-gateway 192.168.99.11
interface Trk1
dhcp-snooping trust
exit
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged 50-52,Trk1
ip address dhcp-bootp
exit
vlan 100
name "Servidores"
no ip address
exit
vlan 200
name "VoIP"
tagged 3-5,Trk1
no ip address
exit
vlan 300
name "Usuarios"
untagged 3-5
tagged Trk1
no ip address
exit
vlan 500
name "Seguridad"
untagged 6-48
tagged Trk1
no ip address
exit
vlan 800
name "VLAN800"
untagged 1-2
tagged Trk1
no ip address
exit
vlan 999
name "Mngmnt"
tagged Trk1
ip address 192.168.99.14 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator



------------------------------
Juan Divison
------------------------------