Original Message:
Sent: Sep 30, 2024 07:14 AM
From: thomasbnc
Subject: ARUBA AOS CX LDAP CONNECTION PROBLEM WITH TRUNK
Hmm, so working with a moving target is a bit difficult here ... We need to have a stable state and work from there. If you ever change the configuration, troubleshooting will fail.
So, please make sure you have the following config on Aruba:
int 1/1/1
    no routing
    vlan trunk native 1
    vlan trunk allowed 110
    no shutdown
    spanning-tree port-type admin-edge
int 1/1/2
    no routing
    vlan access 110
    no shutdown
    spanning-tree port-type admin-edge
Then, connect the devices, wait a couple of seconds, run a ping from the AD server to the firewall and run the following commands on Aruba:
- show int brief
- show vlan
- show spanning-tree
- show mac-address-table vlan 110
Please share the output of the commands here. Once we have checked them and made sure Layer 2 is okay, we continue with Layer 3 troubleshooting. For reference, please query the MAC addresses of the FortiGate and the AD controller on the respective systems so we can confirm they are visible on the switch.
Regarding your question about the dot1q tag: Aruba adds the tag every time you configure the port as trunk ("vlan trunk .....") as long as it's not the trunk's native VLAN. So, make sure the native VLAN is set to 1 (the command then disappears from the output of "show run int x/x/x").
Regards,
Thomas
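As an added example (not code from the thread), a small Python check that models the tagging rule Thomas describes: it reads a trunk interface stanza in AOS-CX or Cisco IOS syntax, works out which VLANs leave the port with a dot1q tag, and reports whether a FortiGate sub-interface bound with "set vlanid 110" would see its frames. The interface snippets are constructed from the thread's configs; the check also recognises the AOS-CX "vlan trunk native tag" option, which the thread does not mention.

```python
import re

# Constructed interface snippets modelled on the configs posted in the thread.
AOS_CX_AS_POSTED = """interface 1/1/1
    no routing
    vlan trunk native 110
    vlan trunk allowed 110
"""
AOS_CX_FIXED = """interface 1/1/1
    no routing
    vlan trunk native 1
    vlan trunk allowed 110
"""
CISCO_WORKING = """interface GigabitEthernet0/0
 switchport trunk allowed vlan 110
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def trunk_profile(config: str) -> dict:
    """Return {'native': VLAN sent untagged, 'tagged': {VLANs sent with a dot1q tag}}
    for one trunk interface stanza. Understands AOS-CX ('vlan trunk ...') and
    Cisco IOS ('switchport trunk ...'); both default the native VLAN to 1.
    Only comma-separated numeric allowed lists are parsed (no ranges or 'all')."""
    native, allowed, native_tagged = 1, set(), False
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"(?:vlan trunk|switchport trunk) native(?: vlan)? (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"(?:vlan trunk|switchport trunk) allowed(?: vlan)? ([\d,]+)$", line)
        if m:
            allowed = {int(v) for v in m.group(1).split(",")}
        if line == "vlan trunk native tag":      # AOS-CX: tag the native VLAN as well
            native_tagged = True
    # The native VLAN leaves the port untagged even when it is in the allowed list.
    tagged = allowed if native_tagged else allowed - {native}
    return {"native": native, "tagged": tagged}

def firewall_vlan_ok(profile: dict, fw_vlanid: int) -> bool:
    """A FortiGate VLAN sub-interface ('set vlanid N') only accepts frames tagged N."""
    return fw_vlanid in profile["tagged"]

if __name__ == "__main__":
    for name, cfg in [("AOS-CX as posted", AOS_CX_AS_POSTED),
                      ("AOS-CX fixed", AOS_CX_FIXED), ("Cisco", CISCO_WORKING)]:
        print(name, trunk_profile(cfg), "VLAN 110 reaches firewall:",
              firewall_vlan_ok(trunk_profile(cfg), 110))
```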
Original Message:
Sent: Sep 30, 2024 06:34 AM
From: barisben
Subject: ARUBA AOS CX LDAP CONNECTION PROBLEM WITH TRUNK
Sorry for the omission. It was already native VLAN 1 on Aruba; it doesn't work like this. How can I add a dot1q tag on Aruba as on Cisco?
edit "port2"
    set vdom "root"
    set type physical
    set snmp-index 2
edit "AD"
    set vdom "root"
    set ip 10.10.10.1 255.255.255.0
    set allowaccess ping
    set device-identification enable
    set role lan
    set snmp-index 9
    set interface "port2"
    set vlanid 110
Original Message:
Sent: Sep 30, 2024 06:16 AM
From: thomasbnc
Subject: ARUBA AOS CX LDAP CONNECTION PROBLEM WITH TRUNK
Hi, thanks.
I notice one difference:
On Cisco, you have your first port (Gi0/0) configured with VLAN 110 as tagged (the switch adds a dot1q tag to the Ethernet frames), whereas on Aruba you configured it as native (i.e. no tag will be added). This will result in L2 problems between the firewall and the switch, as the firewall will most probably have a VLAN configured on port2.
You may fix it by reverting the native VLAN on Aruba's interface 1/1/1 to 1 (vlan trunk native 1).
If it still doesn't work, please share the port2 and vlan110 config of your FortiGate (show system interface).
Regards.
Thomas
Original Message:
Sent: Sep 30, 2024 04:40 AM
From: barisben
Subject: ARUBA AOS CX LDAP CONNECTION PROBLEM WITH TRUNK
Hey, I have a problem that is somewhat weird. I have a FortiGate, a switch and an AD server. When I want to add the LDAP server to the FortiGate, I can't. The problem is: if I put an Aruba switch between the firewall and the AD server, it doesn't work. But the firewall and the AD server can communicate and can ping each other, so there is no problem with that. At this point, if I put a Cisco switch between them with the same firewall and AD server config, there is no problem. I don't understand why the Aruba switch causes this. This is the topology:
This is the Cisco switch's config:
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ipv6 cef
spanning-tree mode pvst
spanning-tree extend system-id
interface GigabitEthernet0/0
 switchport trunk allowed vlan 110
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
interface GigabitEthernet0/1
 switchport access vlan 110
 switchport mode access
 negotiation auto
interface GigabitEthernet0/2
 negotiation auto
interface GigabitEthernet0/3
 negotiation auto
interface GigabitEthernet1/0
 negotiation auto
interface GigabitEthernet1/1
 negotiation auto
interface GigabitEthernet1/2
 negotiation auto
interface GigabitEthernet1/3
 negotiation auto
ip forward-protocol nd
ip http server
ip http secure-server
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
This is the Aruba switch's config:
led locator on
ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
ntp enable
ssh server vrf mgmt
vlan 1
vlan 110
    name ADSERVER
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    no routing
    vlan trunk native 110
    vlan trunk allowed 110
interface 1/1/2
    no shutdown
    no routing
    vlan access 110
https-server vrf mgmt