
Aruba 5406R internet access issue

  • 1.  Aruba 5406R internet access issue

    Posted Dec 28, 2020 08:24 AM


    Hello folks,
    I have a very strange issue with internet access from the different VLANs on the Core 5406R switch. I have routing enabled and a static route to one of the VLAN interfaces (internet VLAN) (KB.16.10.0011 (Booted)).

    When I tried to access the internet from any device in any VLAN, I could only ping the internet VLAN interface x.x.x.105 and I couldn't ping the internet device IP x.x.x.104.

    From the Core CLI I can ping both x.x.x.104 and x.x.x.105, plus 8.8.8.8. I suspect that the problem is from the ISP device side!

    diagram:

    internet IP: x.x.x.104 --------- IP: x.x.x.105 (internet VLAN) Core switch (VLAN interfaces) --------- (Data VLAN) PC

    PC DHCP IP address: from data VLAN
    PC DG: data VLAN interface

    hostname "CORE-SW"
    module A type j9988a
    module B type j9990a
    module C type j9987a
    console idle-timeout 300
    console idle-timeout serial-usb 300
    ip route 0.0.0.0 0.0.0.0 x.x.x.104
    ip routing
    snmp-server community "public" unrestricted
    oobm
       ip address dhcp-bootp
       exit
    vlan 1
       name "DEFAULT_VLAN"
       tagged A1-A24,B1-B24,C1-C24
       ip address dhcp-bootp
       ipv6 enable
       ipv6 address dhcp full
       exit
    vlan 100
       name "MGMT"
       untagged A1-A24,B21-B24
       ip address 10.10.10.1 255.255.255.0
       exit
    vlan 200
       name "e"
       untagged C5-C22
       tagged A1-A24,B21-B24
       ip address 10.10.20.1 255.255.255.0
       dhcp-server
       exit
    vlan 300
       name "f"
       tagged A1-A24,B21-B24
       ip address 10.10.28.1 255.255.252.0
       dhcp-server
       exit
    vlan 400
       name "c"
       tagged A1-A24,B21-B24
       ip address 10.10.40.1 255.255.255.0
       dhcp-server
       exit
    vlan 500
       name "a"
       untagged B1-B4
       tagged A1-A24,B21-B24
       ip address 10.10.50.1 255.255.255.0
       dhcp-server
       exit
    vlan 600
       name "IPTV-VLAN"
       untagged B17-B20
       tagged A1-A24,B21-B24
       ip address 172.168.0.5 255.255.252.0
       ip igmp
       dhcp-server
       exit
    vlan 700
       name "d"
       untagged C1-C4
       tagged A1-A24,B21-B24
       ip address 10.10.70.1 255.255.255.0
       voice
       dhcp-server
       exit
    vlan 800
       name "T"
       untagged B9-B12
       tagged A1-A24,B21-B24
       ip address 172.16.30.254 255.255.255.0
       ip igmp
       exit
    vlan 900
       name "P"
       untagged B13-B16
       tagged A1-A24,B21-B24
       ip address 172.16.40.254 255.255.255.0
       ip igmp
       exit
    vlan 1000
       name "I"
       untagged B5-B8
       tagged A1-A24,B21-B24
       ip address 172.16.10.254 255.255.255.0
       exit
    vlan 1100
       name "Internet"
       untagged C24
       ip address x.x.x.105 255.255.255.0
       exit
    spanning-tree
    spanning-tree root primary priority 1
    no tftp server
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    dhcp-server pool "a"
       default-router "10.10.50.1"
       dns-server "8.8.8.8"
       network 10.10.50.0 255.255.255.0
       range 10.10.50.6 10.10.50.250
       exit
    dhcp-server pool "b"
       default-router "172.168.0.5"
       dns-server "8.8.8.8"
       network 172.168.0.0 255.255.252.0
       range 172.168.0.6 172.168.3.250
       exit
    dhcp-server pool "c"
       default-router "10.10.40.1"
       dns-server "8.8.8.8"
       network 10.10.40.0 255.255.255.0
       option 43 ip "10.10.40.2"
       range 10.10.40.6 10.10.40.250
       exit
    dhcp-server pool "d"
       default-router "10.10.70.1"
       dns-server "8.8.8.8"
       network 10.10.70.0 255.255.255.0
       range 10.10.70.6 10.10.70.250
       exit
    dhcp-server pool "e"
       default-router "10.10.20.1"
       dns-server "8.8.8.8"
       network 10.10.20.0 255.255.255.0
       range 10.10.20.6 10.10.20.250
       exit
    dhcp-server pool "f"
       default-router "10.10.28.1"
       dns-server "8.8.8.8"
       network 10.10.28.0 255.255.252.0
       range 10.10.28.6 10.10.31.250
       exit
    dhcp-server enable
    password manager
    password operator

                                  



    ------------------------------
    Mahmoud R
    ------------------------------


  • 2.  RE: Aruba 5406R internet access issue

    Posted Dec 28, 2020 09:17 AM

    Hi! It looks like you're using the VLAN 1100 as a "transport" VLAN.

    The Last Resort Route (0/0 via x.x.x.104 <- the LAN IP Address of your Next Hop Gateway NHG to all other - non directly connected - networks) looks good. All your directly connected VLAN IDs with a SVI (100, 200, 300, 400, 500, 600, 700, 800, 900 and 1000) are in routing with the VLAN ID 1100 so any non directly connected network will be reached through the VLAN 1100 SVI (routed with the LRR to x.x.x.104).

    The SVI address of VLAN 1100 (x.x.x.105) looks good too.

    Two doubts remain:

    1. Why use a /24 (255.255.255.0) for a Transport VLAN where only two IP Addresses are necessary? ...If I were you I would have used a /29, /30 or a /31 (you need just a Point to Point).
    2. Why have the VLAN 1 as "tagged" on the C24 uplink interface?

    The interface C24 is an untagged member of VLAN 1100 (Transport) so we should expect the same VLAN ID is defined on the NHG LAN interface (LAN side).

    Now the questions:

    First question is: is your NHG acknowledged about the fact all your directly connected VLANs can be found/reached through the x.x.x.105 IP Address? <- generally this should imply that your gateway must have static routes to all your directly connected VLAN IDs via the x.x.x.105 (example: destination 10.10.20.0/24 via x.x.x.105).

    Second question: Probably then your NHG has a NAT between its internal side (x.x.x.104) and the Internet. Is this NAT OK too?

    Third question: why obfuscate the VLAN 1100 SVI and NHG LAN Interface IP Addresses? Don't tell me you are not doing NAT between LAN side and WAN side on your gateway... are you? Strong suspicion... otherwise that VLAN's SVI will be exactly as all the others, a private one.



    ------------------------------
    Davide Poletto
    ------------------------------
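
The return-route requirement raised in the first question above, as an added example that is not part of the original posts: this Python sketch reads an ArubaOS-Switch style config, lists the static routes a next-hop gateway would need toward each SVI subnet, and marks subnets outside RFC 1918. The sample config is constructed, and 192.0.2.0/24 is an assumed stand-in for the obfuscated x.x.x.0/24.

```python
import ipaddress
import re

# Constructed excerpt in ArubaOS-Switch syntax; 192.0.2.0/24 (documentation
# range) is an assumed stand-in for the obfuscated x.x.x.0/24 transport subnet.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.0.2.104
ip routing
vlan 1
   ip address dhcp-bootp
   exit
vlan 300
   ip address 10.10.28.1 255.255.252.0
   exit
vlan 600
   ip address 172.168.0.5 255.255.252.0
   exit
vlan 1100
   ip address 192.0.2.105 255.255.255.0
   exit
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_svis(config):
    """Return {vlan_id: IPv4Interface}; VLANs on dhcp-bootp (no mask) are skipped."""
    svis, vlan = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif line == "exit":
            vlan = None
        elif vlan is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            svis[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return svis

def return_routes(config):
    """Static routes the next-hop gateway needs: (destination, via, is_rfc1918)."""
    svis = parse_svis(config)
    hop = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M).group(1)
    # The transport SVI is the one whose subnet contains the default-route next hop
    transport = next(i for i in svis.values() if ipaddress.ip_address(hop) in i.network)
    return [(str(i.network), str(transport.ip),
             any(i.network.subnet_of(p) for p in RFC1918))
            for i in svis.values() if i is not transport]

if __name__ == "__main__":
    for dest, via, private in return_routes(SAMPLE_CONFIG):
        print(f"{dest} via {via}" + ("" if private else "  (not RFC 1918)"))
```

On the constructed sample, 172.168.0.0/22 is marked as not RFC 1918 because 172.168.x.x lies outside 172.16.0.0/12.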



  • 3.  RE: Aruba 5406R internet access issue

    Posted Dec 28, 2020 10:44 AM

    Thanks for your support,

    Regarding your comments:

    1) This /24 mask (255.255.255.0): I got it from the customer, as he is the one who contacted the ISP to arrange this DIA line.

    2) VLAN 1 is tagged on all the switch ports by default and I didn't change it. I also believe it will not have any effect in our case here.

    "is your NHG acknowledged about the fact all your directly connected VLANs can be found/reached through the x.x.x.105 IP Address?"

    I don't have this info, but I assumed from the beginning that everything is fine from their side and I believe the problem will be from their side.

    Thanks again for your time and your inputs.



    ------------------------------
    Mahmoud Refaat
    ------------------------------



  • 4.  RE: Aruba 5406R internet access issue

    Posted Dec 28, 2020 11:09 AM

    Hi Mahmoud,

    1. OK, anyway it will work with a /24 too (it's just a waste of IP addresses since you only need one on your Core Switch and the other on the Gateway LAN interface connected to your Core Switch).
    2. Strange. Normally VLAN 1 is removed from all ports (all ports are removed from being VLAN 1 members). Having VLAN 1 tagged on some ports could be reasonable or not, it depends on your network's requirements (the point is that your Core Switch doesn't have an SVI on that VLAN...so it will not be the router for that VLAN...not necessarily a negative effect on your scenario but a sort of abnormal asymmetry if you consider all other VLANs have SVIs on your Core Switch). No matter...it's up to you to discover why things were set that way...and if you can live with that setup or not.

    With regards to Static Routes necessary for external networks to reach your internal ones...you wrote:

    "I don't have this info, but I assumed from the beginning that everything is fine from their side and I believe the problem will be from their side"

    Personally I can't tell without knowing how your ISP Router is actually configured (I generally do not like to believe...in my opinion it's way better to try to understand what's going on by looking at how devices are configured than to believe what an ISP tells you, way better to see how your ISP Router was configured and, in this way, ensure that what you "believe" is really going to happen without too many surprises).

    Ask them to ping/traceroute any of your internal SVIs from the Router and provide you the evidence of the results (e.g. they could ping/traceroute the 10.10.10.1 or the 10.10.70.1 from the Router through its LAN interface). Ensure on your side you can ping/traceroute (reach) all your SVIs and your NHG IP Address from any VLAN (from a client with its IP Addressing belonging to any of your VLANs).

    Regarding the NAT...again...it's up to you...personally I expect a Core Router to be connected to a sort of Gateway (with Firewall features) and thus I also expect to see a NAT between its LAN side (internal LANs) and its WAN side (one WAN or more WANs)...



    ------------------------------
    Davide Poletto
    ------------------------------