Wired Intelligent Edge

 View Only
last person joined: 22 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Aruba 2930F and 6000 configuration help

Jump to Best Answer
This thread has been viewed 18 times
  • 1.  Aruba 2930F and 6000 configuration help

    Posted Jun 28, 2022 04:49 PM
    I have 4 switch
    2930f 24G as core sw
    2930f 48G as acc sw1
    2930f 48G as acc sw2
    6000 48G as acc sw3

    4 vlan
    10 for management network 192.168.10.x/24 using IP 192.168.10.254
    20 for LAN network 192.168.20.x/24 using IP 192.168.20.254
    30 for Wireless network 192.168.30.x/24 using IP 192.168.30.254
    40 for Guest Wifi network 192.168.40.x/24 using IP 192.168.10.254
    90 for Internet Access network 192.168.9.0 using IP192.168.9.254

    Core-sw port 21 connect to acc sw1 port 48 IP 192.168.10.251
    Core-sw port 22 connect to acc sw2 port 48 IP 192.168.10.252
    Core-sw port 23 connect to acc sw3 port 48 IP 192.168.10.253
    Core-sw port 21 connect to firewall IP 192.168.9.1 for internet access

    Question
    1.  Uplink from core sw to acc sw should create a trunk port and vice versa and the trk port should be tagged or untagged all 4 vlan? Please provide config sample
    1.1. For port that connect to Router/Firewall, it couldn't configure IP on the interface only can create vlan interface and assign ip to the interface. This is the current config that i did and its work fine but is there any other way for configure a port for static IP to connect to router? Like Cisco
    2. In this scenario if i want to allow any vlan access to internet i need to run ip route 0.0.0.0 0.0.0.0 192.168.9.1 and ip routing or use ip default-gateway 192.168.9.1 instead, on all switch or just core switch?
    3. Any other route require to configure like on core switch and access switch do i need to configure for intervlan route and to have access to the internet
    ip route 192.168.10.0 255.255.255.0 192.168.10.254
    ip route 192.168.20.0 255.255.255.0 192.168.20.254
    ip route 192.168.30.0 255.255.255.0 192.168.30.254
    ip route 192.168.40.0 255.255.255.0 192.168.40.254
    4. dhcp-server configured on core switch so on access switch i need to configure like ip helper-address 192.168.x.x under vlan interface or no need? for the client to get ip from dhcp server on core switch when its connected to the port that untagged to specific vlan on access switch
    5. Now we could access web gui on all vlan interface, how do i allow access to 192.168.10.254 only and not other vlan IP like 192.168.20.254?
    6. From question.5 i tried changed management vlan to 10 and it only access 192.168.10.254 not other vlan but got another problem that other switch that connect to trunk port on core couldn't ping or reach or get ip from dhcp-server, was this normal? I set primary-vlan 10 but all vlan could access web gui
    7. Could you explain about native vlan on 6000 as its differnent OS-CX, when i configured trunk should i tagged native vlan 10 and trunk all other 3 vlans?
    8. How do i block access vlan 40 to reach other vlan except internet access only?
    9. On some interface like the port that connect to access point to server or client that has to allow all vlan to connect to, how do i prioritize that device to get ip from a specific vlan like if i tagged that port to vlan 10,20,30,40 and i want this device to get ip from vlan 20 or 30 instead of 10? 
    10. How do i disable vlan1? or remove all ports on vlan1 i tried to no untagged other port like 25-28 that is sfp but it could not

    Thanks for your response


  • 2.  RE: Aruba 2930F and 6000 configuration help

    MVP GURU
    Posted Jun 29, 2022 02:26 AM
    Hi, first of all avoid cross-posting the same content into different discussion zones (your very same thread was created also here).

    Given what you wrote about your network topology, below first answers:

    1 - Trk = Port Trunk = Links Aggregation on ArubaOS-Switch OS based switches (your Aruba 2930F Switch series) while Trunk means an interface carrying multiple VLANs on ArubaOS-CX OS based switches (your Aruba CX 6000 Switch series). Given that you have single link downlinks from your Core Switch to your Aggregation Switches you shouldn't currently worry about Prot Trunks (Links Aggregation) on any of your Switch BUT you should worry about Trunk (Multiple VLAN tagging, if any/necessary) on your Aruba CX 6000 Switch's uplink interface to Aruba 2930F Core.
    1.1 - Given you are dealing with Aruba 2930F Switch as Core, ArubaOS-Switch OS doesn't support L3 Interfaces (as you probably are referring to) and so the configuration you did looks good.
    2 - Only on the Core where IP Routing is happening (the Route of Last Resort or Default Routed to your next hop gateway - the 192.168.9.1 - is OK on the Core (Default Gateway is used by the switch itself and loses value when IP Routing is enabled).
    3 - You should not need any other "route"/"static route" is required on Core if the Core has (as we presume) the IP Routing feature enabled.
    4 - IP Helper Address should be configured on required VLAN Contexts on the Core Switch (other switches are not involved).
    5 - Remove unwanted IP Addresses (on related VLANs) on the relevant Access Switches.
    6 - Management VLAN (protected) and a VLAN used for Management are two different concepts (and have different restrictions/requirements). Are you dealing with Management VLAN OR with VLAN used for Management?
    7 - See 1 <- on Aruba CX 6000 an interface operating in "Trunk mode" carries multiple VLAN: the native VLAN is the "untagged" one and the allowed (you should include the native within the allowed) should contain the tagged ones you want carried (the tagged in the ArubaOS-Switch jargon).
    8 - ACL.
    9 - Please reformulate, it's unclear to me what you're trying to achieve or what is your real issue.
    10 - On ArubaOS-Switch or on ArubaOS-CX? generally the goal should be not to remove a VLAN but remove the ports' membership on that VLAN.


  • 3.  RE: Aruba 2930F and 6000 configuration help

    Posted Jun 29, 2022 06:04 AM
    Based on your answer
    1 - Even with one uplink port should this trunk port be tagged all vlan or untagged some vlan? Or should i tagged all vlan on that port without using trunk?
    2 on access switch no need any static route correct to the router gateway or vlan gateway?
    3. on  access switch if i don't add ip default-gateway 192.168.9.1 i can't ping or reach other vlan ip on any access switch, just curious should i need to add ip default-gateway 192.168.9.1?
    4. Ip helper no need to configure on vlan as below?
    vlan 20
    name "PC_VLAN"
    untagged 6-7,9,11-47
    tagged Trk1
    no ip address
    ip helper-address 192.168.20.254

    5. if i removed vlan ip on 20,30 and 40 then it won't have a gateway? As i configure dhcp server to set gateway as vlan ip (192.168.20.254) This won't cause any problem?

    6. I use vlan 10 as management but i dont want web gui to be accessible from vlan ip which is not vlan 10
    8. Can you provide a config for ACL in this case that i dont want 192.168.40.0/24 to access any ip from 192.168.10.0/24,192.168.20.0/24 and 192.168.30.0/24
    9. On some port i tagged vlan 10,20,30 but i always get ip from vlan10 if a device connected to this port, how could i make it to accept or get ip from dhcp vlan 20 (192.168.20.x)


  • 4.  RE: Aruba 2930F and 6000 configuration help
    Best Answer

    MVP GURU
    Posted Jun 29, 2022 02:10 PM
    "Even with one uplink port should this trunk port be tagged all vlan or untagged some vlan? Or should i tagged all vlan on that port without using trunk?"

    You can't "untagged some vlan".

    An interface can be an untagged member of only one VLAN Id (this is called the PVID Port VLAN ID on ArubaOS-Switch OS based switches or, more commonly, Native VLAN id as reported on ArubaOS-CX OS based switches), an interface can be an untagged member of one VLAN and, concurrently, be a tagged member of one ore more others VLAN Id(s)...an interface can't be "orphaned" of a VLAN Id membership (I means that it can be orphaned of its native VLAN but it must be then a tagged member of at least one other VLAN Id). ArubaOS-CX admits (supports) a tagged VLAN as the "native" VLAN (but, generally, Native VLAN Id membership refers to Untagged VLAN Id membership). Back to your question: interfaces at both ends should (I would say must but it is too strong) match each others their respective VLAN memberships...so what you have on the downlink port of a switch you should have on the uplink port of the other otherwise you fall into a VLAN Id mismatch that can lead to traffic disruption at worst (Native VLAN mismatch is the best case...since traffic will continue to flow and be accepted but the mismatch persists internally at the Switch level, on both ends).

    Edit: forgot to point out that a port with just its Native VLAN Id set (or PVID if you prefer) is generally identified as a port operating in "Access Mode" because the connected peer is supposed to be VLAN-unaware (so the untagged kicks in on the Switch side). Conversely a port with Native VLAN Id set (or PVID if you prefer) and carrying additional VLAN Ids tagged (or only carrying VLAN Ids tagged being orphaned of its Native VLAN Id) is generally identified as a port operating in "Trunk mode" (and it is supposed that the peer port which it is connected to is matching the VLAN Id(s) memberships). Here the term "Trunk mode" doesn't refer to "Links Aggregation".

    "on access switch no need any static route correct to the router gateway or vlan gateway?"

    No, static routes should be used on Core Switch, Firewall or on edge devices (e.g. Servers). If routing of internal VLANs is correctly configured why do you need static routing to route internal VLANs on access switches? it's the role of the Core to route its VLANs (if IP Routing is enabled and VLAN Id(s) have a Layer 3 interface <- an IP address associated with the VLAN Id).

    "on  access switch if i don't add ip default-gateway 192.168.9.1 i can't ping or reach other vlan ip on any access switch, just curious should i need to add ip default-gateway 192.168.9.1?"

    That's normal because your Access Switches are operating in Layer 2 mode (IP Routing disabled) and so they are like edge hosts...don't edge hosts use a Default Gateway to eventually communicate with other networks? it's the same for your Access Switches.

    "Ip helper no need to configure on vlan as below?"

    IP Helper Address should be configured at VLAN context level on the Routing Switch (your Core).

    "if i removed vlan ip on 20,30 and 40 then it won't have a gateway? As i configure dhcp server to set gateway as vlan ip (192.168.20.254) This won't cause any problem?"

    Remove from where? it's clear that you shouldn't remove them from the Core...but you can easily remove IP Address assigned to those VLANs on Access Switches.

    "I use vlan 10 as management but i dont want web gui to be accessible from vlan ip which is not vlan 10"

    Look for implementing ACL or authorized managers feature.