Wired Intelligent Edge


Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.

Traceroute VLAN Client - Server from Gateway Aruba CX first HOP Hidden

  • 1.  Traceroute VLAN Client - Server from Gateway Aruba CX first HOP Hidden

    Posted 12 days ago

    Hello everyone,

    I have a non-blocking problem concerning the Aruba CX 8325 switches in VSX.

    We noticed that since we activated the servers and clients on the default GW in VSX, during the tracert tests from the client / server systems the first hop is hidden.

    The gateway, and therefore the first hop, is the Aruba switch in VSX.

    The firmware version of the nodes is 10.06.0113. I also checked if there were any ACLs active on the VLAN interface, but there is nothing.

    Do you have any suggestions on this?

    Thanks Oscar



  • 2.  RE: Traceroute VLAN Client - Server from Gateway Aruba CX first HOP Hidden

    Posted 12 days ago
    Hi Oscar, I have a similar scenario (Active Gateways) on a VSX of Aruba 8320 (10.5) and a traceroute from a system which uses one of its VLAN SVIs reports the IP of the virtual gateway without any issue (say x.x.x.254, for example).

    Are you able to share relevant sanitized parts of your VSX running configuration showing the active-gateway configurations made within a particular VLAN interface?

    Davide.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 3.  RE: Traceroute VLAN Client - Server from Gateway Aruba CX first HOP Hidden

    Posted 12 days ago

    Hello Davide,

    sure, yes I can.

    Below part of the configuration:

     

    interface vlan 1
        vsx-sync active-gateways
        ip address 192.168.DD.DD/24
        ip address 192.168.CC.CC/24 secondary
        ip address 192.168.YY.YY/24 secondary
        ip address 192.168.XX.XX/24 secondary
        active-gateway ip mac 12:01:00:XX:XX:XX:XX
        active-gateway ip 192.168.DD.DD
        active-gateway ip 192.168.CC.CC
        active-gateway ip 192.168.YY.YY
        active-gateway ip 192.168.XX.XX

    vsx
        system-mac 02:01:00:XX:XX:XX
        inter-switch-link lag 256
        role primary
        keepalive peer 192.168.XX.XX source 192.168.XX.XX vrf XX
        vsx-sync aaa dhcp-relay dns mclag-interfaces route-map snmp ssh static-routes stp-global time vsx-globa

     

    Thank you very much.

    BR

    Oscar

     

     



  • 4.  RE: Traceroute VLAN Client - Server from Gateway Aruba CX first HOP Hidden

    Posted 12 days ago
    Ciao Oscar, apart from small reasonable differences (MAC addresses and IP addressing, for example) and the lack of secondary VLANs' IP addressing, my configuration looks very similar to yours (at least considering the part you shared): I just noticed that I perform VSX synchronization of icmp-tcp while you don't.

    I have no issue doing a traceroute from a virtualized Linux client against its configured gateway (VLAN SVI on the VSX); indeed, as I expected, the hop distance between the source and destination is just one hop, and the fact that the destination interface is a VSX LAG is not an issue (redacted output):

    vlan1000vhost:~ # traceroute 10.254.0.254
    traceroute to 10.254.0.254 (10.254.0.254), 30 hops max, 60 byte packets
    1 gw1000.mynetwork.internal (10.254.0.254) 0.504 ms 0.521 ms 0.554 ms

    Out of curiosity, since you wrote that no ACLs are currently enforcing any particular TCP/UDP/ICMP traffic filtering, have you tried different traceroute sources? I mean, performing the traceroute test against the VLAN SVI (default gateway for the client) using different OSes; Linux traceroute could be different from Microsoft traceroute.

    Also, is the routing path symmetrical between your test Client and your VSX Core?

    ------------------------------
    Davide Poletto
    ------------------------------



  • 5.  RE: Traceroute VLAN Client - Server from Gateway Aruba CX first HOP Hidden

    Posted 11 days ago
    Ciao Davide,
    I have identified the problem. Below is the note from the documentation:

    IP multinetting over VSX
    IP multinetting is the assignment of more than one IP interface to a single VLAN that is used to enable a router to provide default gateway service to different address ranges associated with a single VLAN.

    When using IP multinetting in an environment with VSX enabled, you must configure multiple active gateway IP addresses per SVI so that you can reach multiple networks on the same VLAN. Make sure that you configure an IP address for either the primary or secondary VSX switch on the SVI with the same subnet.

    The maximum number of supported active gateways per switch is 4,000. Since a maximum of 31 secondary IPv4 addresses can be configured on an SVI, 32 IPv4 active gateways (along with the primary IPv4 address) can be configured per SVI with IP multinetting support. This support is also the same for IPv6 addresses.

    Disable IP ICMP redirect when IP multinetting is enabled.

    Now everything works.
    Best Regards
    Ciao Oscar

    ------------------------------
    oscar civiero
    ------------------------------
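
The documentation note quoted in this post can be turned into a configuration check. The following is an added example, not part of the thread and not Aruba code: it audits a saved running-config for SVIs that use secondary addresses, using a constructed sample configuration, and it assumes the disabled state shows up as a global `no ip icmp redirect` line.

```python
import ipaddress
import re

# Constructed sample (documentation address ranges), not the poster's configuration.
SAMPLE_CONFIG = """\
interface vlan 1
    ip address 192.0.2.2/24
    ip address 198.51.100.2/24 secondary
    ip address 203.0.113.2/24 secondary
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 192.0.2.1
    active-gateway ip 198.51.100.1
"""
MAX_SECONDARY = 31  # limit quoted in the documentation note


def audit_multinetting(config):
    """Return findings for SVIs that carry secondary addresses."""
    # Assumption: the disabled state appears as a global 'no ip icmp redirect' line.
    redirect_off = re.search(r"^no ip icmp redirect\s*$", config, re.M) is not None
    svis, current, findings = {}, None, []
    for line in config.splitlines():
        if line and not line[0].isspace():  # a top-level line starts a new context
            m = re.match(r"interface (vlan\s*\d+)\s*$", line)
            current = svis.setdefault(m.group(1), {"nets": [], "secondary": 0, "gws": []}) if m else None
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["ip", "address"] and len(words) >= 3:
            current["nets"].append(ipaddress.ip_interface(words[2]).network)
            current["secondary"] += words[-1] == "secondary"
        elif words[:2] == ["active-gateway", "ip"] and len(words) == 3:
            current["gws"].append(ipaddress.ip_address(words[2]))
    for name, svi in svis.items():
        if svi["secondary"] == 0:
            continue  # single subnet on this SVI, the note does not apply
        if svi["secondary"] > MAX_SECONDARY:
            findings.append(f"{name}: {svi['secondary']} secondary addresses exceed {MAX_SECONDARY}")
        for net in svi["nets"]:
            if not any(gw in net for gw in svi["gws"]):
                findings.append(f"{name}: no active-gateway ip in {net}")
        for gw in svi["gws"]:
            if not any(gw in net for net in svi["nets"]):
                findings.append(f"{name}: active-gateway {gw} is outside every SVI subnet")
        if not redirect_off:
            findings.append(f"{name}: multinetting without 'no ip icmp redirect'")
    return findings
```

On the constructed sample it reports the subnet that has no active gateway and the missing ICMP redirect setting; run it against both VSX members, since the note requires an SVI address in each subnet.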



  • 6.  RE: Traceroute VLAN Client - Server from Gateway Aruba CX first HOP Hidden

    Posted 11 days ago
    Ciao Oscar, great (and great to know)! Davide.

    ------------------------------
    Davide Poletto
    ------------------------------