Wired Intelligent Edge


Aruba CX 6405 and Copp Policies

  • 1.  Aruba CX 6405 and Copp Policies

    MVP
    Posted Jul 03, 2024 04:15 PM

    We've just moved our core from an HP 8212zl to an Aruba CX 6405. Almost immediately, we've been having issues with our NAC (FortiNAC) polling our Aruba 8 wireless cluster and 337 APs. According to FortiNAC, it loses contact with both controllers and most APs at random times throughout the day. The controllers and APs are not going down; FortiNAC's polls (SNMP and ping) are sporadically failing.

    After way too much time, this led me to think that these new copp policies may be causing the issue. If we look at the copp policy stats, there are a few lines of note:

    WS-Core01# show copp-policy stat
    Statistics for CoPP policy 'default':
    Totals:
        packets passed   : 5050627            packets dropped  : 39534
    Class: icmp-unicast-ipv4
        packets passed   : 103783             packets dropped  : 161
    Class: ip-exceptions
        packets passed   : 415463             packets dropped  : 32799
    Class: unresolved-ip-unicast
        packets passed   : 773216             packets dropped  : 6574

    We did not have a control plane policy enabled on our 8212zl. It's enabled by default on the CX line and can't be turned off, only modified. Is there a way to whitelist my FortiNAC/controllers/APs or simply the VLAN traffic from being monitored with packets being dropped?



  • 2.  RE: Aruba CX 6405 and Copp Policies

    Posted Jul 04, 2024 02:45 AM

    CoPP should only affect traffic to your switch, not traffic through (from NAC to controllers/APs). If you see that you lose traffic, it may be good to investigate this further with your Aruba partner and/or TAC Support.

    Except if someone reading this has seen the same and knows the answer.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Aruba CX 6405 and Copp Policies

    MVP
    Posted Jul 04, 2024 07:11 AM
    Thank you. It appears that I misunderstood copp policies. The mystery deepens.







  • 4.  RE: Aruba CX 6405 and Copp Policies

    MVP
    Posted Jul 04, 2024 09:18 AM

    Our Aruba SE mentioned that the 8212zl had a default MTU of 1522 instead of 1500 on the new CXs. Do you think that could be causing an issue? Would it be a good idea to increase the default MTU to 1522 on the controller interfaces connected to the new core?




  • 5.  RE: Aruba CX 6405 and Copp Policies

    Posted Jul 04, 2024 09:38 AM

    If MTU is the issue, I would expect to see input/output errors or drops on your interfaces. Have you checked the interface counters already?



    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: Aruba CX 6405 and Copp Policies

    MVP
    Posted Jul 04, 2024 09:45 AM

    Yes, zero drops/errors on the interfaces for both controllers and the VM cluster that FortiNAC lives on. 




  • 7.  RE: Aruba CX 6405 and Copp Policies

    MVP
    Posted Jul 05, 2024 02:26 PM

    I'm also wondering if our controllers and APs are falling out of the mac address table erroneously, or too quickly. Our new core's arp timeout is default at 1800 with the mac address table age time at 300 (default). 

    Would it be worth trying to increase the mac address table age? What if we matched the arp table value?




  • 8.  RE: Aruba CX 6405 and Copp Policies

    Posted Jul 08, 2024 05:13 AM

    That's unlikely to cause any issues, unless there are other problems in your network.

    If a mac is removed from the mac-address table, the traffic is sent to all ports in a VLAN, and as soon as the device responds, it's added to the table again.

    If an arp entry is lost, traffic is kept, new ARP is done to get the mac address for a specific AP, then traffic is forwarded.

    Personally, I would set up a port mirror on a device that shows the problem and on the port of your NAC, and see which packets are lost and when. Once you know which traffic is lost (if any), you will get a better understanding of what is happening and how to solve it. This may be something to do with your Aruba partner and/or Aruba TAC Support.



    ------------------------------
    Herman Robers
    ------------------------------