Wired Intelligent Edge
Network Unreachable thru trunk.

  • 1.  Network Unreachable thru trunk.

    Posted 20 days ago
    Having a strange issue with one of my Aruba 6100 switches.

    The switch is managed from VLAN 206.
    Switch is connected on 1/1/52 to Top of rack switch (6100 as well). Both sides of trunk are identical.
    3 other switches with the exact same config except for different IPs are connected to the top of rack without issue.
    Top of rack connects to FortiGate 200e which is doing routing.

    I noticed from the problem switch I could only ping other switches on VLAN 206. But trying to ping any other vlan or internet IP results in Network unreachable. It was after hours so I rebooted the switch, and everything worked for a day then back to the same.

    I am going to swap out the switch with a spare. Seems like the easiest way to eliminate my config as the problem.

    Anyone had an experience similar to this or have any ideas on what to check? I am new to Aruba.
    GR-DiL-01# sh run
    Current configuration:
    !
    !Version ArubaOS-CX PL.10.10.0002
    !export-password: default
    hostname GR-DiL-01
    user xxxxx group administrators password ciphertext xxxxx
    user yyyyy group administrators password ciphertext yyyyy
    user zzzzz group administrators password ciphertext zzzzz
    ntp server 10.2.4.2
    ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
    ntp enable
    !
    !
    !
    !
    radius-server host <ip address> port 10036 acct-port 10037 key ciphertext xxxxx
    !
    !
    aaa group server radius NAC
        server <ip address> port 10036
    !
    aaa accounting port-access start-stop group NAC
    !
    aruba-central
        disable
    ssh server vrf default
    ssh key-exchange-algorithms curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1
    vlan 1,202,206,208,210
    vlan 212
        voice
    vlan 214
    spanning-tree
    aaa authentication port-access dot1x authenticator
        radius server-group Portnox
        enable
    aaa authentication port-access mac-auth
        radius server-group Portnox
        enable
    interface 1/1/1
        description PME_WiFi_AP
        no shutdown
        vlan trunk native 206
        vlan trunk allowed 206,208,210
    interface 1/1/2
        description PME_WiFi_AP
        no shutdown
        vlan trunk native 206
        vlan trunk allowed 206,208,210
    interface 1/1/3
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/4
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/5
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/6
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/7
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/8
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/9
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/10
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/11
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/12
        no shutdown
        vlan trunk native 206
        vlan trunk allowed 206,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/13
        no shutdown
        vlan trunk native 206
        vlan trunk allowed 206,212
    interface 1/1/14
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
    interface 1/1/15
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
    interface 1/1/16
        no shutdown
        vlan access 214
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/17
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/18
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/19
        no shutdown
        vlan access 214
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/20
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/21
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/22
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/23
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/24
        no shutdown
        vlan access 214
    interface 1/1/25
        no shutdown
        vlan access 214
    interface 1/1/26
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/27
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
    interface 1/1/28
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/29
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/30
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/31
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/32
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/33
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/34
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/35
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/36
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/37
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/38
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/39
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/40
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/41
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/42
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/43
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/44
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/45
        no shutdown
        vlan trunk native 202
        vlan trunk allowed 202,212
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
    interface 1/1/46
        no shutdown
        vlan access 1
    interface 1/1/47
        no shutdown
        vlan access 1
    interface 1/1/48
        no shutdown
        vlan access 1
    interface 1/1/49
        no shutdown
        vlan access 1
    interface 1/1/50
        no shutdown
        vlan access 1
    interface 1/1/51
        no shutdown
        vlan access 1
    interface 1/1/52
        description To GR-SRV-01 1/1/52
        no shutdown
        vlan trunk native 1
        vlan trunk allowed 202,206,208,210,212,214
    interface vlan 1
        no ip dhcp
    interface vlan 206
        ip address 10.2.6.7/23
    ip route 0.0.0.0/0 10.2.6.1
    !
    !
    !
    !
    !
    https-server vrf default
    GR-DiL-01#


  • 2.  RE: Network Unreachable thru trunk.

    EMPLOYEE
    Posted 20 days ago
    If you are able to ping other switches on the VLAN then the traffic is leaving the switch. That's a good start. If your FortiGate is the router, are you able to see traffic from 10.2.6.7 when you are attempting to ping devices that are not within vlan 206?


  • 3.  RE: Network Unreachable thru trunk.

    Posted 19 days ago
    I cannot see the traffic on the FortiGate all the time. I rebooted it on 11/11/2022 and I could see the NTP and NAC traffic for approximately 1 day, then back to not passing.


  • 4.  RE: Network Unreachable thru trunk.

    MVP GURU
    Posted 19 days ago
    Hi, you reported that "...could only ping other switches on VLAN 206. But trying to ping any other vlan or internet IP results in Network unreachable." which immediately makes me think that there could be an issue with routing between VLAN 206 and all the other internal VLANs you want to reach (and also to all the other external networks routed by your Firewall, according to its Access/NAT policies).

    So...given that:

    vlan 206
        ip address 10.2.6.7/23
    ip route 0.0.0.0/0 10.2.6.1

    are you able to ping your next hop gateway for any networks (10.2.6.1) from your Switch 10.2.6.7?

    Are the uplinks starting from port 1/1/52 on the GR-DiL-01 10.2.6.7 (VLAN 206) Switch toward the other Aruba 6100 up to the Firewall carrying the right VLANs (I expect you carried, with proper tagging, all the required VLANs defined on the GR-DiL-01 Switch)?


  • 5.  RE: Network Unreachable thru trunk.

    Posted 19 days ago
    After a reboot of the switch, I am able to ping the GW for a short time. Another strange thing is the WiFi APs on 1/1/1 & 1/1/2 are both on vlan 206 and work fine.

    Here is the config on the other side of the trunk.
    GR-SRV-01# sh run | begin 50 "interface 1/1/52"
    interface 1/1/52
        description To_GR-DiL-01
        no shutdown
        vlan trunk native 1
        vlan trunk allowed 202,206,208,210,212,214
    interface vlan 1
        ip dhcp
    interface vlan 206
        ip address 10.2.6.2/23
    ip route 0.0.0.0/0 10.2.6.1
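    A small consistency check over the two ends of the 1/1/52 trunk quoted in posts 1 and 5 (an added example, not the thread's own or Aruba's tooling; the config strings are trimmed copies of what was posted, and the parser only understands the comma-separated VLAN lists shown here, not ranges or "all"):

```python
import ipaddress
import re

# Constructed from the 'sh run' excerpts quoted in this thread (posts 1 and 5).
DIL_CFG = """
interface 1/1/52
    description To GR-SRV-01 1/1/52
    vlan trunk native 1
    vlan trunk allowed 202,206,208,210,212,214
interface vlan 206
    ip address 10.2.6.7/23
ip route 0.0.0.0/0 10.2.6.1
"""
SRV_CFG = """
interface 1/1/52
    description To_GR-DiL-01
    vlan trunk native 1
    vlan trunk allowed 202,206,208,210,212,214
interface vlan 206
    ip address 10.2.6.2/23
ip route 0.0.0.0/0 10.2.6.1
"""

def parse(cfg):
    """Minimal ArubaOS-CX config parser: trunk settings per port, SVI addresses, default route."""
    out = {"trunks": {}, "svi": {}, "default": None}
    cur = None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"interface vlan (\d+)$", s):          # must be tested before the generic port match
            cur = ("svi", int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", s):
            cur = ("port", m.group(1))
            out["trunks"].setdefault(cur[1], {"native": None, "allowed": set()})
        elif m := re.match(r"ip route 0\.0\.0\.0/0 (\S+)$", s):
            out["default"] = ipaddress.ip_address(m.group(1))
        elif cur and cur[0] == "port" and (m := re.match(r"vlan trunk native (\d+)$", s)):
            out["trunks"][cur[1]]["native"] = int(m.group(1))
        elif cur and cur[0] == "port" and (m := re.match(r"vlan trunk allowed (\S+)$", s)):
            out["trunks"][cur[1]]["allowed"] = {int(v) for v in m.group(1).split(",")}
        elif cur and cur[0] == "svi" and (m := re.match(r"ip address (\S+)$", s)):
            out["svi"][cur[1]] = ipaddress.ip_interface(m.group(1))
    return out

def check_uplink(local_cfg, remote_cfg, port):
    """Return a list of findings; an empty list means both trunk ends and the L3 config agree."""
    a, b = parse(local_cfg), parse(remote_cfg)
    ta, tb = a["trunks"][port], b["trunks"][port]
    findings = []
    if ta["native"] != tb["native"]:
        findings.append(f"native VLAN mismatch on {port}: {ta['native']} vs {tb['native']}")
    if ta["allowed"] != tb["allowed"]:
        findings.append(f"allowed VLANs differ on {port}: {sorted(ta['allowed'] ^ tb['allowed'])}")
    for vid, iface in a["svi"].items():
        if vid not in ta["allowed"]:
            findings.append(f"management VLAN {vid} is not carried on uplink {port}")
        if a["default"] is not None and a["default"] not in iface.network:
            findings.append(f"default gateway {a['default']} is outside {iface.network}")
    return findings
```

    An empty list means the two trunk ends agree and the gateway sits inside the management subnet, which leaves the L3 side as the place to look.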



  • 6.  RE: Network Unreachable thru trunk.

    Posted 19 days ago
    I should add that the other 3 switches connected to the top of rack on ports 1/1/49-51 are all the same config with different IPs for vlan 206 and minor port changes here and there.

    I have configured a spare 6100. Hoping to get approval to replace it this evening.


  • 7.  RE: Network Unreachable thru trunk.

    MVP GURU
    Posted 19 days ago
    What does show events -r report?

    Is 10.2.6.2 capable of pinging 10.2.6.7 and vice-versa (switched traffic between hosts belonging to the same 206 VLAN)?



  • 8.  RE: Network Unreachable thru trunk.

    Posted 19 days ago
    Between the switches it works. I cannot ssh unless I ssh to 10.2.6.2 and then ssh to 10.2.6.7 from there. I have a printer on port 1/1/13 on vlan 206 and clients on other vlans can access it after disabling NAC on the port. Traffic from the switch is unable to reach RADIUS to authenticate.

    The part that is bugging me is that it works after a reboot for almost a whole day.


  • 9.  RE: Network Unreachable thru trunk.

    EMPLOYEE
    Posted 18 days ago
    Almost like ARP is broken... fixed for a "period of time" after a reboot. Is the subnet mask on the FortiGate set to 255.255.254.0 to match your /23 on the switches?



  • 10.  RE: Network Unreachable thru trunk.

    Posted 18 days ago
    It's working right now because someone crashed into a pole, causing a power outage for longer than the UPS could handle.

    Yes, the FortiGate subnet mask matches.


  • 11.  RE: Network Unreachable thru trunk.

    MVP GURU
    Posted 17 days ago
    To me, it seems an issue that originates at the level of your L3 device (FortiGate 200E) rather than at the switching level of your Aruba 6100 switches (the one acting as the hub to the Firewall and the others acting as access ones).