Help with VLAN routing

  • 1.  Help with VLAN routing

    Posted Sep 16, 2020 07:30 PM

    I'm trying to set up two new Aruba 6405's in a VSX sync pair at the aggregate layer. We've successfully gotten them to sync and can configure VLANs, IPs, and routes on both. However, once we connect to an access port and try to actually use them we go nowhere. I can't even ping the gateway (which I've tried setting to the VLAN interface IP or the active gateway IP) and can't route at all. Can anyone take a look at my config and see what I'm missing?

     

    What I've been trying to get to work first is connecting my laptop to a 1G SFP+ module on port 1/4/2 on VLAN 110 and trying to ping 10.1.110.1 or 10.1.110.3 which should be the SVI for VLAN 110

     

    Current configuration:
    !
    !Version ArubaOS-CX FL.10.05.0011
    !export-password: default
    hostname arubatop
    domain-name default
    allow-unsupported-transceiver

    module 1/3 product-number r0x43a
    module 1/4 product-number r0x43a
    clock timezone us/mountain
    vrf KeepAlive
    vrf test
    ntp server 10.1.0.123 version 4 prefer
    ntp enable
    !
    !
    !
    !
    ssh server vrf default
    ssh server vrf mgmt
    access-list ip deny_guest
    1 deny any 172.16.0.0/255.255.0.0 10.0.0.0/255.0.0.0
    vlan 1
    vsx-sync
    vlan 10
    name Administration
    voice
    vsx-sync
    vlan 11
    name NFS
    vsx-sync
    vlan 20
    name COURT
    vsx-sync
    vlan 30
    name FD81
    vsx-sync
    vlan 40
    name LIBRARY
    vsx-sync
    vlan 50
    name LEGACY
    vsx-sync
    vlan 55
    name ODP
    vsx-sync
    vlan 60
    name POLICE
    vsx-sync
    vlan 70
    name POWER
    vsx-sync
    vlan 80
    name LIT_SPORTS
    vsx-sync
    vlan 90
    name WATER
    vsx-sync
    vlan 99
    name SECURITY
    vsx-sync
    vlan 100
    name FD82
    vsx-sync
    vlan 103
    name FD83
    vsx-sync
    vlan 110
    name IT
    vsx-sync
    vlan 125
    name FACILITIES
    vsx-sync
    vlan 130
    name PARKS
    vsx-sync
    vlan 135
    name CEMETERY
    vsx-sync
    vlan 140
    name FLEET
    vsx-sync
    vlan 160
    name RICHFIELD
    vsx-sync
    vlan 190
    name LIBRARY VDI
    vsx-sync
    vlan 200
    name PA-Trust
    vsx-sync
    vlan 420
    name DMZ
    vsx-sync
    vlan 666
    name NETWORK MGMT
    vsx-sync
    vlan 1000
    name SERVERS
    vsx-sync
    vlan 1100
    name RUCKUS WIFI
    vsx-sync
    vlan 2010
    name ADMIN PHONES
    vsx-sync
    vlan 2020
    name COURT PHONES
    vsx-sync
    vlan 2030
    name FD81 PHONES
    vsx-sync
    vlan 2040
    name LIBRARY PHONES
    vsx-sync
    vlan 2050
    name LEGACY PHONES
    vsx-sync
    vlan 2055
    name ODP PHONES
    vsx-sync
    vlan 2060
    name POLICE PHONES
    vsx-sync
    vlan 2070
    name POWER PHONES
    vsx-sync
    vlan 2080
    name LIT_SPORTS PHONES
    vsx-sync
    vlan 2090
    name WATER PHONES
    vsx-sync
    vlan 2100
    name FD82 PHONES
    vsx-sync
    vlan 2103
    name FD83 PHONES
    vsx-sync
    vlan 2110
    name IT PHONES
    vsx-sync
    vlan 2125
    name FACILITIES PHONES
    vsx-sync
    vlan 2130
    name PARKS PHONES
    vsx-sync
    vlan 2135
    name CEMETERY PHONES
    vsx-sync
    vlan 2140
    name FLEET PHONES
    vsx-sync
    vlan 3000
    name LEHI CORP WIFI
    vsx-sync
    vlan 3010
    name VMOTION
    vsx-sync
    vlan 3020
    name iSCSI
    vsx-sync
    vlan 3060
    name POWER_CAT NETWORK
    vsx-sync
    vlan 3070
    name POWER SCADA
    vsx-sync
    vlan 3080
    name POWER SCADA 3rd PARTY
    vsx-sync
    vlan 3090
    name POWER DMZ
    vsx-sync
    vlan 3900
    name COURT 3rd PARTY
    vsx-sync
    vlan 4000
    name LEHI EMPLOYEE WIFI
    vsx-sync
    vlan 4003
    name LEHI GUEST WIFI
    vsx-sync
    spanning-tree
    interface mgmt
    no shutdown
    ip dhcp
    qos queue-profile ef_priority
    map queue 0 local-priority 0,1
    map queue 1 local-priority 2,3
    map queue 2 local-priority 4,6
    map queue 3 local-priority 5,7
    qos schedule-profile voip
    dwrr queue 0 weight 1
    dwrr queue 1 weight 1
    dwrr queue 2 weight 1
    strict queue 3
    apply qos queue-profile ef_priority schedule-profile voip
    qos trust dscp
    qos dscp-map 40 local-priority 6 color green name CS5
    qos dscp-map 41 local-priority 6 color green
    qos dscp-map 42 local-priority 6 color green
    qos dscp-map 43 local-priority 6 color green
    qos dscp-map 44 local-priority 6 color green
    qos dscp-map 45 local-priority 6 color green
    qos dscp-map 47 local-priority 6 color green
    interface lag 256
    no shutdown
    description ISL link
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    interface 1/3/1
    no shutdown
    qos trust dscp
    no routing
    vlan access 10
    interface 1/3/2
    no shutdown
    no routing
    vlan access 1
    interface 1/3/3
    no shutdown
    no routing
    vlan access 1
    interface 1/3/4
    no shutdown
    no routing
    vlan access 1
    interface 1/3/5
    no shutdown
    no routing
    vlan access 1
    interface 1/3/6
    no shutdown
    no routing
    vlan access 1
    interface 1/3/7
    no shutdown
    no routing
    vlan access 1
    interface 1/3/8
    no shutdown
    no routing
    vlan access 1
    interface 1/3/9
    no shutdown
    no routing
    vlan access 1
    interface 1/3/10
    no shutdown
    no routing
    vlan access 1
    interface 1/3/11
    no shutdown
    no routing
    vlan access 1
    interface 1/3/12
    no shutdown
    no routing
    vlan access 1
    interface 1/3/13
    no shutdown
    no routing
    vlan access 1
    interface 1/3/14
    no shutdown
    no routing
    vlan access 1
    interface 1/3/15
    no shutdown
    no routing
    vlan access 1
    interface 1/3/16
    no shutdown
    no routing
    vlan access 1
    interface 1/3/17
    no shutdown
    no routing
    vlan access 1
    interface 1/3/18
    no shutdown
    no routing
    vlan access 1
    interface 1/3/19
    no shutdown
    no routing
    vlan access 1
    interface 1/3/20
    no shutdown
    no routing
    vlan access 1
    interface 1/3/21
    no shutdown
    no routing
    vlan access 1
    interface 1/3/22
    no shutdown
    no routing
    vlan access 1
    interface 1/3/23
    no shutdown
    description ISL physical link
    lag 256
    interface 1/3/24
    no shutdown
    routing
    vrf attach KeepAlive
    description VSX KeepAlive
    ip address 192.168.0.1/30
    interface 1/3/25
    no shutdown
    no routing
    vlan access 1
    interface 1/3/26
    no shutdown
    no routing
    vlan access 1
    interface 1/3/27
    no shutdown
    no routing
    vlan access 1
    interface 1/3/28
    no shutdown
    no routing
    vlan access 1
    interface 1/4/1
    no shutdown
    no routing
    vlan trunk native 1000
    vlan trunk allowed all
    interface 1/4/2
    no shutdown
    no routing
    vlan access 110
    interface 1/4/3
    no shutdown
    no routing
    vlan access 200
    interface 1/4/4
    no shutdown
    no routing
    vlan access 110
    interface 1/4/5
    no shutdown
    no routing
    vlan access 1
    interface 1/4/6
    no shutdown
    no routing
    vlan access 1
    interface 1/4/7
    no shutdown
    no routing
    vlan access 1
    interface 1/4/8
    no shutdown
    no routing
    vlan access 1
    interface 1/4/9
    no shutdown
    no routing
    vlan access 1
    interface 1/4/10
    no shutdown
    no routing
    vlan access 1
    interface 1/4/11
    no shutdown
    no routing
    vlan access 1
    interface 1/4/12
    no shutdown
    no routing
    vlan access 1
    interface 1/4/13
    no shutdown
    no routing
    vlan access 1
    interface 1/4/14
    no shutdown
    no routing
    vlan access 1
    interface 1/4/15
    no shutdown
    no routing
    vlan access 1
    interface 1/4/16
    no shutdown
    no routing
    vlan access 1
    interface 1/4/17
    no shutdown
    no routing
    vlan access 1
    interface 1/4/18
    no shutdown
    no routing
    vlan access 1
    interface 1/4/19
    no shutdown
    no routing
    vlan access 1
    interface 1/4/20
    no shutdown
    no routing
    vlan access 1
    interface 1/4/21
    no shutdown
    no routing
    vlan access 1
    interface 1/4/22
    no shutdown
    no routing
    vlan access 1
    interface 1/4/23
    no shutdown
    description ISL physical link
    lag 256
    interface 1/4/24
    no shutdown
    no routing
    vlan access 1
    interface 1/4/25
    no shutdown
    no routing
    vlan access 1
    interface 1/4/26
    no shutdown
    no routing
    vlan access 1
    interface 1/4/27
    no shutdown
    no routing
    vlan access 1
    interface 1/4/28
    no shutdown
    no routing
    vlan access 1
    interface vlan 1
    interface vlan 10
    ip address 10.1.10.1/24
    interface vlan 20
    ip address 10.1.20.1/24
    interface vlan 30
    ip address 10.1.30.1/24
    interface vlan 40
    ip address 10.1.40.1/24
    interface vlan 50
    ip address 10.1.50.1/24
    interface vlan 55
    ip address 10.1.55.1/24
    interface vlan 60
    ip address 10.1.60.1/24
    interface vlan 70
    ip address 10.1.70.1/24
    interface vlan 80
    ip address 10.1.80.1/24
    interface vlan 90
    ip address 10.1.90.1/24
    interface vlan 99
    ip address 10.1.99.1/24
    interface vlan 100
    ip address 10.1.100.1/24
    interface vlan 103
    ip address 10.1.103.1/24
    interface vlan 110
    vsx-sync active-gateways
    ip address 10.1.110.1/24
    active-gateway ip mac 00:00:00:00:01:10
    active-gateway ip 10.1.110.3
    ip ospf 2 area 0.0.0.0
    interface vlan 125
    ip address 10.1.125.1/24
    interface vlan 130
    ip address 10.1.130.1/24
    interface vlan 135
    ip address 10.1.135.1/24
    interface vlan 140
    ip address 10.1.140.1/24
    interface vlan 160
    ip address 10.1.160.1/24
    interface vlan 190
    ip address 10.1.190.1/24
    interface vlan 200
    ip address 10.1.200.1/24
    interface vlan 666
    ip address 10.1.0.1/24
    interface vlan 1000
    ip address 10.1.1.1/24
    interface vlan 1100
    ip address 10.0.0.1/24
    interface vlan 2010
    ip address 10.2.10.1/24
    interface vlan 2020
    ip address 10.2.20.1/24
    interface vlan 2030
    ip address 10.2.30.1/24
    interface vlan 2040
    ip address 10.2.40.1/24
    interface vlan 2050
    ip address 10.2.50.1/24
    interface vlan 2055
    ip address 10.2.55.1/24
    interface vlan 2060
    ip address 10.2.60.1/24
    interface vlan 2070
    ip address 10.2.70.1/24
    interface vlan 2080
    ip address 10.2.80.1/24
    interface vlan 2090
    ip address 10.2.90.1/24
    interface vlan 2100
    ip address 10.2.100.1/24
    interface vlan 2103
    ip address 10.2.103.1/24
    interface vlan 2110
    ip address 10.2.110.1/24
    interface vlan 2125
    ip address 10.2.125.1/24
    interface vlan 2130
    ip address 10.2.130.1/24
    interface vlan 2135
    ip address 10.2.135.1/24
    interface vlan 2140
    ip address 10.2.140.1/24
    interface vlan 3000
    ip address 10.1.248.1/24
    vsx
    system-mac 02:01:00:00:01:00
    inter-switch-link lag 256
    role primary
    vsx-sync aaa acl-log-timer arp-security bfd-global bgp copp-policy dhcp-relay dhcp-server dhcp-snooping dns icmp-tcp lldp loop-protect-global mac-lockout mclag-interfaces neighbor ospf qos-global route-map sflow-global snmp ssh stp-global time vsx-global
    ip route 0.0.0.0/0 10.1.200.3
    !
    !
    !
    !
    !
    router ospf 2
    router-id 10.1.1.1
    redistribute connected
    area 0.0.0.0
    https-server vrf default
    https-server vrf mgmt



  • 2.  RE: Help with VLAN routing

    Posted Sep 17, 2020 12:58 AM

    On the access switch, hope you have configured Trunk on the port.



  • 3.  RE: Help with VLAN routing

    EMPLOYEE
    Posted Sep 17, 2020 03:23 AM

    To check basic L1, please provide:

    show int 1/4/2

    and

    show int 1/4/2 transc detail



  • 4.  RE: Help with VLAN routing

    MVP GURU
    Posted Sep 17, 2020 06:42 AM

    @alexb-crt wrote:

    I'm trying to set up two new Aruba 6405's in a VSX sync pair at the aggregate layer. We've successfully gotten them to sync and can configure VLANs, IPs, and routes on both. However, once we connect to an access port and try to actually use them we go nowhere. I can't even ping the gateway (which I've tried setting to the VLAN interface IP or the active gateway IP) and can't route at all. Can anyone take a look at my config and see what I'm missing?

     

    What I've been trying to get to work first is connecting my laptop to a 1G SFP+ module on port 1/4/2 on VLAN 110 and trying to ping 10.1.110.1 or 10.1.110.3 which should be the SVI for VLAN 110


    Hi! If so, can you show us the VLAN membership configured on the interface 1/4/2? ...You could use the show vlan port 1/4/2 and the show interface 1/4/2 brief CLI commands for that.

     

    I suppose not only that your laptop is well connected (Layer 1) to your VSX Primary on the interface 1/4/2 but also that that interface 1/4/2 is properly configured in terms of VLAN 110 membership (native untagged) IF your laptop's NIC port is configured to work with untagged traffic (basically that's valid IF we consider a host NIC port as "VLAN unaware" and the corresponding switch port needs to be properly configured about that to position incoming untagged traffic on the right VLAN internally; that aspect is especially true if we speak about client hosts, generally VLAN unaware, and not server hosts, generally VLAN aware).



  • 5.  RE: Help with VLAN routing

    Posted Sep 17, 2020 10:25 AM

    I'm going to try these "show" commands and let you know what I find. Do I need to set the native VLAN on access ports? I was operating under the assumption that if I assign a Layer 2 access switchport to a VLAN that there was nothing else needed, but I can try setting the native or even setting it as a trunk with native 110 as a test.



  • 6.  RE: Help with VLAN routing

    MVP GURU
    Posted Sep 18, 2020 09:46 AM

    Hi! Probably I missed the part where you


    @alexb-crt wrote: I was operating under the assumption that if I assign a Layer 2 access switchport to a VLAN that there was nothing else needed

     

    did that.

     

    I only saw this:

     

    interface 1/4/2
    no shutdown
    no routing

     

    So I'm under the assumption that interface 1/4/2 is not an untagged member of VLAN 110.

     

    Were you under the assumption, or did you really assign the interface 1/4/2 as an untagged member of VLAN 110 (here untagged means to set the VLAN 110 as the PVID of that port)?

     

    If I were you I would not go down the Trunk route because it is unnecessary if you're planning to connect a simple host (laptop) to a port you declare as "access"...Trunks are generally used between switches or between a switch and a server when carrying multiple VLANs is a requirement...here you are just working with one VLAN, the VLAN id 110...and you are doing it just for a test through a laptop.



  • 7.  RE: Help with VLAN routing

    Posted Sep 21, 2020 01:04 PM

    I was setting interface 1/4/2 as an access port on VLAN 110. Does this not set the PVID as well? My intention was to only use trunk ports between switches as you were mentioning.



  • 8.  RE: Help with VLAN routing

    MVP GURU
    Posted Sep 21, 2020 01:10 PM

    @alexb-crt wrote: I was setting interface 1/4/2 as an access port on VLAN 110.

    Show us.


    @alexb-crt wrote: Does this not set the PVID as well?

    It depends on what you exactly did (or on what you are exactly doing). Again, please show us.

     


    @alexb-crt wrote: My intention was to only use trunk ports between switches as you were mentioning.

    Yes, but you were the one that initially wrote that you were testing a laptop on an access port.

     

    Interfaces in Trunk Mode are used to carry more VLANs as Tagged...are you trying to do that with your laptop? If so, you don't really want to set the related port in Access Mode. Isn't it?



  • 9.  RE: Help with VLAN routing

    Posted Sep 21, 2020 04:13 PM

    If you look at my initial show running-config I uploaded, the settings for that port are

     

    interface 1/4/2
    no shutdown
    no routing
    vlan access 110

     

    Then I've got interface vlan 110 set as 

     

    interface vlan 110
    vsx-sync active-gateways
    ip address 10.1.110.1/24
    active-gateway ip mac 00:00:00:00:01:10
    active-gateway ip 10.1.110.3
    ip ospf 2 area 0.0.0.0

     

    If I connect my laptop to that interface via an Ethernet cable, then statically set an IP (example 10.1.110.23, subnet mask 255.255.255.0), I'm unable to ping either the interface IP or the active-gateway IP. I'm also not able to ping the laptop from the switch when issuing commands over the console. However, it can ping itself so I know that 10.1.110.1 is valid for ICMP. So that's where I'm not sure why, since my understanding was that an access switchport didn't need any further configurations.
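
Added example, not part of the original thread or of any Aruba tooling: a Python check that reads the port and SVI stanzas quoted in post 9, resolves which VLAN untagged frames on the port land in, and tests whether the laptop's static address is on-link with that VLAN's SVI. The function names and the trimmed sample text are constructed here, and the parser assumes the child lines are indented the way the switch prints `show running-config` (the paste in this thread lost that indentation).

```python
import ipaddress

# Constructed sample, trimmed from the stanzas quoted in the thread; indentation as the switch prints it.
SAMPLE_CONFIG = """\
interface 1/4/1
    vlan trunk native 1000
interface 1/4/2
    no routing
    vlan access 110
interface vlan 110
    ip address 10.1.110.1/24
    active-gateway ip mac 00:00:00:00:01:10
    active-gateway ip 10.1.110.3
vsx
    role primary
"""

def parse_interfaces(config):
    """Map each 'interface X' header to the indented lines beneath it."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # top-level line: starts a new section
            current = line[len("interface "):] if line.startswith("interface ") else None
        elif current and line:
            stanzas.setdefault(current, []).append(line)
    return stanzas

def untagged_vlan(lines):
    """VLAN that untagged ingress frames are placed in (the PVID), or None."""
    if "routing" in lines:  # routed (L3) port: no VLAN membership
        return None
    for line in lines:
        words = line.split()
        if words[:2] == ["vlan", "access"]:
            return int(words[2])
        if words[:3] == ["vlan", "trunk", "native"]:
            # 'native <id> tag' accepts only tagged frames for the native VLAN
            return None if words[4:5] == ["tag"] else int(words[3])
    return None

def check_host(config, port, host_ip):
    """Is host_ip, plugged into port, in the subnet of the untagged VLAN's SVI?"""
    stanzas = parse_interfaces(config)
    vlan = untagged_vlan(stanzas.get(port, []))
    result = {"port": port, "untagged_vlan": vlan, "svi": None,
              "active_gateway": None, "on_link": False}
    for line in stanzas.get(f"vlan {vlan}", []):
        words = line.split()
        if words[:2] == ["ip", "address"]:
            svi = ipaddress.ip_interface(words[2])
            result["svi"] = str(svi)
            result["on_link"] = ipaddress.ip_address(host_ip) in svi.network
        elif words[:2] == ["active-gateway", "ip"] and len(words) == 3:
            result["active_gateway"] = words[2]
    return result
```

A clean result only says the quoted stanzas agree with each other and with the laptop's address; it says nothing about link state, the transceiver, or the VSX peer.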



  • 10.  RE: Help with VLAN routing

    MVP GURU
    Posted Sep 22, 2020 01:17 AM

    Is the firewall already disabled at the laptop's OS level?



  • 11.  RE: Help with VLAN routing

    Posted Sep 22, 2020 11:38 AM

    Yes, I did disable the Windows firewall as part of the test. Another coworker is working with ArubaTAC so maybe they can look into the hardware diagnostics with us.