Contributor II

Re: Startup Wizard

 

ak74,

 

If you leave the mgmt-VLAN as 1 (default), things should work.

 

However, if you have a specific requirement to have the mgmt-VLAN as something else (in your case VLAN-6), then:

After quick-setup is done,

I believe you will be seeing something like the below

 

(ArubaS3500-24T) #show running-config  | begin 0/0/0
Building Configuration...
interface gigabitethernet "0/0/0"
   switching-profile "Upstream-profile"
!
interface vlan "6"
   ip address 172.16.252.50 255.255.252.0
!

(ArubaS3500-24T) # show interface-profile switching-profile Upstream-profile

switching profile "Upstream-profile"
------------------------------------
Parameter                                             Value
---------                                             -----
Switchport mode                                       trunk   <<<<<<<<<<<<<
Access mode VLAN                                      1            <<<<<<<<<<<<<
Trunk mode native VLAN                                1
Enable broadcast traffic rate limiting                Enabled
Enable multicast traffic rate limiting                Disabled
Enable unknown unicast traffic rate limiting          Enabled
Max allowed rate limit traffic on port in percentage  50
Trunk mode allowed VLANs                              1-4094

 

(ArubaS3500-24T) #show interface gigabitethernet 0/0/0 switchport extensive

GE0/0/0
Link is Up
Flags: Trunk, Trusted
Native VLAN is 1

VLAN membership:

VLAN tag  Tagness   STP-State
--------  --------  ---------
1         Untagged  FWD       <<<<<<<<<<<<<
1         Tagged    FWD
6         Tagged    FWD

As you can see from above, port 0/0/0 has native VLAN as 1; as a result, it allows untagged packets only for VLAN-1.

And it is a trunk port for all other VLANs.

But, since your mgmt-IP is sitting on VLAN-6, packets (ARP-request) would go out as tagged (with 6).

Client / PC would anyway discard the "tag"ness of the packet & would reply to the ARP-request, which would be untagged.

But the target IP is sitting on RVI-6.

Looks like this is causing the problem. Also, I believe there was already an internal bug reported on a similar issue.

Not sure on that though... need to check with the engineering team... will get back on this.

 

Thanks,

-Vinay
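The tagging behaviour described in the post above can be read straight off the `show interface ... switchport extensive` table. The following is an added example, not part of the original post: it parses that table and reports how a directly attached host has to frame its traffic to reach the routed VLAN interface of a given management VLAN. The function names are hypothetical and the sample text is constructed from the output quoted in the post.

```python
import re

# Constructed sample: the switchport output quoted in the post, markers removed.
SWITCHPORT = """\
GE0/0/0
Link is Up
Flags: Trunk, Trusted
Native VLAN is 1

VLAN membership:

VLAN tag  Tagness   STP-State
--------  --------  ---------
1         Untagged  FWD
1         Tagged    FWD
6         Tagged    FWD
"""

# One membership row: VLAN ID, tagness, spanning-tree state.
ROW = re.compile(r"^\s*(\d+)\s+(Tagged|Untagged)\s+(\S+)", re.M)

def membership(text):
    """Return {vlan_id: set of tagness values} for rows in forwarding state."""
    table = {}
    for vlan, tagness, stp in ROW.findall(text):
        if stp == "FWD":
            table.setdefault(int(vlan), set()).add(tagness.lower())
    return table

def how_host_must_send(text, mgmt_vlan):
    """How a host on this port must frame traffic to reach the RVI of mgmt_vlan."""
    modes = membership(text).get(mgmt_vlan, set())
    if "untagged" in modes:
        return "untagged"      # an ordinary PC NIC works
    if "tagged" in modes:
        return "tagged"        # host must send 802.1Q frames carrying this VLAN ID
    return "unreachable"       # VLAN is not carried on this port at all

if __name__ == "__main__":
    for vlan in (1, 6):
        print(f"VLAN {vlan}: host must send {how_host_must_send(SWITCHPORT, vlan)}")
```
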

 

 

 

Occasional Contributor II

Re: Startup Wizard

Just to update everyone, I tried Seth's suggestion of leaving the vlan assignment/upstream ports as blank/default. Same result - the switch doesn't respond to an all-F's broadcast ARP for its IP address (see config below)

 

To answer cjenson, I have tried assigning an IP address to the out-of-band management interface - same result, can't ping, etc

 

To Vinay, I totally see what you're saying. An assigned vlan on an upstream port is going to be tagged whereas the native vlan is going to ride untagged (and as your config indicates the native vlan actually rides both tagged and untagged). But... I did try just leaving the vlan as 1 (see my first post) - and got the same result. Still I think I'll give it another try and leave it as 1 and see if it works. After that I'm going to get a driver for my laptop's nic that will tag my traffic and see how that goes - or just connect it to another switch's tagged port.

 

 

  • Basic Info
Name: ArubaS3500-48P-US
Country Code: US
Tunneled Server IP Address: 172.16.0.254
Date: 2014 Apr 10
Time: 8 28 11(hr min sec)
TimeZone: GMT -04:00 EST
 
  • Management
VLAN: 1
No Upstream ports are selected.
IP address assignment: Static
IP Address : 172.16.252.50
Net Mask : 255.255.252.0
Default Gateway : 172.16.252.1
Out of band management interface:
IP Address : 172.16.252.49
Net Mask : 255.255.252.0

Re: Startup Wizard

I see a value for Tunneled server IP.  Can you please leave that blank?

 

One more thing - the mgmt interface and VLAN 1 cannot be in the same network.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II

Re: Startup Wizard

Ok, I factory defaulted the switch, invoked Quick Setup and applied the following per Seth's suggestion (before his most recent post advising the mgmt int not be in the same subnet) with no value for tunneled IP:

Management
VLAN: 1
No Upstream ports are selected.
IP address assignment: Static
IP Address : 172.16.252.50
Net Mask : 255.255.252.0
Default Gateway : 172.16.252.1
Out of band management interface:
IP Address : 172.16.252.49
Net Mask : 255.255.252.0

No luck - so I tried again, after another factory default+invoked-quick-setup I put 0/0/0 in vlan 1 (contrary to Seth's suggestion) hoping that without a tunneled IP and vlan 1 being untagged, I'd get a ping echo.

Management
VLAN: 1
Upstream Ports : GE-0/0/0
IP address assignment: Static
IP Address : 172.16.252.50
Net Mask : 255.255.252.0
Default Gateway : 172.16.252.1
Out of band management interface:
IP Address : 172.16.252.49
Net Mask : 255.255.252.0

Still no luck - but I notice on the wire the switch was sending out occasional ARP for the tunneled IP...


194    49.874703000    ArubaNet_12:f2:c0    Broadcast    ARP    60    Gratuitous ARP for 172.16.0.254 (Request)

Which was strange since I assumed a factory default would remove any running or start config, so..

I erased the config from the LED screen, rebooted and I think I'm good now since the switch is sending out DHCP discover broadcasts. So I invoke quick setup and apply:

VLAN: 1
Upstream Ports : GE-0/0/0
IP address assignment: Static
IP Address : 172.16.252.50
Net Mask : 255.255.252.0
Default Gateway : 172.16.252.1

While trying to ping 172.16.252.50 I see (even after I erased the config):

1474    468.715089000    ArubaNet_12:f2:c0    Broadcast    ARP    60    Gratuitous ARP for 172.16.0.254 (Request)

I think somehow the tunneled IP is persisting even when factory defaulted or erase config... so, I factory default again and invoke quick setup so that I can SSH into 172.16.0.254 to have a look (see sh run below)

But maybe I'm barking up the wrong tree - my Aruba controller happens to have the same IP as the IP address the mobility switch uses for Quick setup. Perhaps the gratuitous ARP is just to make sure it's not on a subnet where that would present a problem?

I'm going to factory default the switch again and run quick setup from the CLI - see next post... sorry for the long post, just thinking out loud

Here's sh run:

login as: admin
admin@172.16.0.254's password:


(ArubaS3500-48P-US) >en
Password:******
Quick-setup helps in setting the basic configuration of the system

Autoconfiguration of system will be stopped, if Quick-setup is launched by user

Quick-setup already running on web-ui

Quick-setup dialog can be launched by executing "quick-setup" command in enable mode

(ArubaS3500-48P-US) #show run
Building Configuration...

#
# Configuration file for ArubaOS
version 7.1
enable secret "******"
clock timezone PST -8
location "Building1.floor1"
controller config 1
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
!
netservice svc-https tcp 443
netservice svc-dhcp udp 67 68
netservice svc-telnet tcp 23
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-tftp udp 69
netservice svc-dns udp 53
netservice svc-h323-udp udp 1718 1719
netservice svc-h323-tcp tcp 1720
netservice svc-vocera udp 5002
netservice svc-http tcp 80
netservice svc-sip-udp udp 5060
netservice svc-natt udp 4500
netservice svc-ftp tcp 21
netservice svc-smtp tcp 25
netservice svc-sips tcp 5061
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ssh tcp 22
netexthdr default
!
ip access-list stateless dhcp-acl-stateless
  any any svc-dhcp  permit
!
ip access-list stateless validuser
  network 169.254.0.0 255.255.0.0 any any  deny
  any any any  permit
!
ip access-list stateless https-acl-stateless
  any any svc-https  permit
!
ip access-list stateless dns-acl-stateless
  any any svc-dns  permit
!
ip access-list stateless logon-control-stateless
  any any svc-icmp  permit
  any any svc-dns  permit
  any any svc-dhcp  permit
  any any svc-natt  permit
!
ip access-list stateless icmp-acl-stateless
  any any svc-icmp  permit
!
ip access-list stateless allowall-stateless
  any any any  permit
!
ip access-list stateless http-acl-stateless
  any any svc-http  permit
!
user-role ap-role
!
user-role denyall
!
user-role guest-logon
!
user-role guest
 access-list stateless http-acl-stateless
 access-list stateless https-acl-stateless
 access-list stateless dhcp-acl-stateless
 access-list stateless icmp-acl-stateless
 access-list stateless dns-acl-stateless
!
user-role stateful-dot1x
!
user-role authenticated
 access-list stateless allowall-stateless
!
user-role logon
 access-list stateless logon-control-stateless
!
!


snmp-server view ALL oid-tree iso included
snmp-server group ALLPRIV v1 read ALL notify ALL
snmp-server group ALLPRIV v2c read ALL notify ALL
snmp-server group ALLPRIV v3 noauth read ALL notify ALL
snmp-server group AUTHPRIV v3 priv read ALL notify ALL
snmp-server group AUTHNOPRIV v3 auth read ALL notify ALL

ssh mgmt-auth username/password
mgmt-user admin root f10719e301564b835db7899eeca00a1e3706e42e13761424e2



packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa server-group "default"
 auth-server Internal
 set role condition role value-of
!
aaa profile "default"
!
aaa authentication mgmt
!
aaa authentication wired
!
web-server
!
aaa password-policy mgmt
!
traceoptions
!
service dhcp
!
qos-profile "default"
!
policer-profile "default"
!
ip-profile
!
lcd-menu
!
interface-profile ospf-profile "default"
   area 0.0.0.0
!
interface-profile pim-profile "default"
!
interface-profile igmp-profile "default"
!
stack-profile
!
ipv6-profile
!
interface-profile switching-profile "default"
!
interface-profile poe-profile "default"
!
interface-profile poe-profile "poe-factory-initial"
   enable
!
interface-profile enet-link-profile "default"
!
interface-profile lldp-profile "default"
!
interface-profile lldp-profile "lldp-factory-initial"
   lldp transmit
   lldp receive
   med enable
!
interface-profile mstp-profile "default"
!
interface-profile pvst-port-profile "default"
!
vlan-profile mld-snooping-profile "default"
!
vlan-profile igmp-snooping-profile "default"
!
vlan-profile igmp-snooping-profile "igmp-snooping-factory-initial"
!
spanning-tree
   mode mstp
!
mstp
!
lacp
!
vlan "1"
   igmp-snooping-profile "igmp-snooping-factory-initial"
!
interface vlan "1"
   ip address 172.16.0.254 netmask 255.255.255.0
!
interface mgmt
!
interface-group gigabitethernet "default"
   apply-to ALL
   lldp-profile "lldp-factory-initial"
   poe-profile "poe-factory-initial"
!

snmp-server enable trap
end

(ArubaS3500-48P-US) #



Occasional Contributor II

Re: Startup Wizard

So another factory default, reboot, and invoke quick setup...

I SSH into the switch and then via the GUI apply:

VLAN: 1
No Upstream ports are selected.
IP address assignment: Static
IP Address : 172.16.252.50
Net Mask : 255.255.252.0
Default Gateway : 172.16.252.1

After successfully pushing the config, sh run is below. Note that vlan 1 is still 172.16.0.254 - my SSH session is still up even though I've pushed a new IP to VLAN 1 via the GUI.

So I configure via the CLI
 
(ArubaS3500-48P-US) #
(ArubaS3500-48P-US) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaS3500-48P-US) (config) #interface vlan 1
(ArubaS3500-48P-US) (vlan "1") #ip address 172.16.252.50 ?
<mask>                  A.B.C.D format
netmask                 Network mask

(ArubaS3500-48P-US) (vlan "1") #ip address 172.16.252.50 255.255.252.0

And now I can ping!

C:\Users\ak74>ping 172.16.252.50

Pinging 172.16.252.50 with 32 bytes of data:
Reply from 172.16.252.50: bytes=32 time=17ms TTL=64
Reply from 172.16.252.50: bytes=32 time=1ms TTL=64
Reply from 172.16.252.50: bytes=32 time=1ms TTL=64
Reply from 172.16.252.50: bytes=32 time=1ms TTL=64

Ping statistics for 172.16.252.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 17ms, Average = 5ms



So... I'm guessing the switch was just ARPing 172.16.0.254 in case there was a node with that address - presumably quick-setup would choose another IP in case of a response.

Also, I don't think the quick-setup GUI is working the way it should - the VLAN IP address doesn't appear to apply to the running config even after:

"Configuration is successfully pushed to your mobility access switch.

Please point your browser to https://172.16.252.50 to access the WebUI."

Maybe a bug? At any rate, I think I'm all set to demo this switch so I'm good to go. I really appreciate all the suggestions and advice - I think it just wasn't working as expected.



(ArubaS3500-48P-US) #show run
Building Configuration...

#
# Configuration file for ArubaOS
version 7.1
enable secret "******"
clock timezone PST -8
location "Building1.floor1"
controller config 1
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
!
netservice svc-https tcp 443
netservice svc-dhcp udp 67 68
netservice svc-telnet tcp 23
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-tftp udp 69
netservice svc-dns udp 53
netservice svc-h323-udp udp 1718 1719
netservice svc-h323-tcp tcp 1720
netservice svc-vocera udp 5002
netservice svc-http tcp 80
netservice svc-sip-udp udp 5060
netservice svc-natt udp 4500
netservice svc-ftp tcp 21
netservice svc-smtp tcp 25
netservice svc-sips tcp 5061
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ssh tcp 22
netexthdr default
!
ip access-list stateless dhcp-acl-stateless
  any any svc-dhcp  permit
!
ip access-list stateless validuser
  network 169.254.0.0 255.255.0.0 any any  deny
  any any any  permit
!
ip access-list stateless https-acl-stateless
  any any svc-https  permit
!
ip access-list stateless dns-acl-stateless
  any any svc-dns  permit
!
ip access-list stateless logon-control-stateless
  any any svc-icmp  permit
  any any svc-dns  permit
  any any svc-dhcp  permit
  any any svc-natt  permit
!
ip access-list stateless icmp-acl-stateless
  any any svc-icmp  permit
!
ip access-list stateless allowall-stateless
  any any any  permit
!
ip access-list stateless http-acl-stateless
  any any svc-http  permit
!
user-role ap-role
!
user-role denyall
!
user-role guest-logon
!
user-role guest
 access-list stateless http-acl-stateless
 access-list stateless https-acl-stateless
 access-list stateless dhcp-acl-stateless
 access-list stateless icmp-acl-stateless
 access-list stateless dns-acl-stateless
!
user-role stateful-dot1x
!
user-role authenticated
 access-list stateless allowall-stateless
!
user-role logon
 access-list stateless logon-control-stateless
!
!


snmp-server view ALL oid-tree iso included
snmp-server group ALLPRIV v1 read ALL notify ALL
snmp-server group ALLPRIV v2c read ALL notify ALL
snmp-server group ALLPRIV v3 noauth read ALL notify ALL
snmp-server group AUTHPRIV v3 priv read ALL notify ALL
snmp-server group AUTHNOPRIV v3 auth read ALL notify ALL

ssh mgmt-auth username/password
mgmt-user admin root f10719e301564b835db7899eeca00a1e3706e42e13761424e2



packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa server-group "default"
 auth-server Internal
 set role condition role value-of
!
aaa profile "default"
!
aaa authentication mgmt
!
aaa authentication wired
!
web-server
!
aaa password-policy mgmt
!
traceoptions
!
qos-profile "default"
!
policer-profile "default"
!
ip-profile
!
lcd-menu
!
interface-profile ospf-profile "default"
   area 0.0.0.0
!
interface-profile pim-profile "default"
!
interface-profile igmp-profile "default"
!
stack-profile
!
ipv6-profile
!
interface-profile switching-profile "default"
!
interface-profile poe-profile "default"
!
interface-profile poe-profile "poe-factory-initial"
   enable
!
interface-profile enet-link-profile "default"
!
interface-profile lldp-profile "default"
!
interface-profile lldp-profile "lldp-factory-initial"
   lldp transmit
   lldp receive
   med enable
!
interface-profile mstp-profile "default"
!
interface-profile pvst-port-profile "default"
!
vlan-profile mld-snooping-profile "default"
!
vlan-profile igmp-snooping-profile "default"
!
vlan-profile igmp-snooping-profile "igmp-snooping-factory-initial"
!
spanning-tree
   mode mstp
!
mstp
!
lacp
!
vlan "1"
   igmp-snooping-profile "igmp-snooping-factory-initial"
!
interface vlan "1"
   ip address 172.16.0.254 netmask 255.255.255.0
!
interface mgmt
!
interface-group gigabitethernet "default"
   apply-to ALL
   lldp-profile "lldp-factory-initial"
   poe-profile "poe-factory-initial"
!

snmp-server enable trap
end
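The mismatch found in this thread (quick-setup reports success while `interface vlan "1"` keeps its old address) can be caught by comparing the running config against the intended values. The following is an added example, not part of the original posts: it parses both `ip address` forms seen in the thread and also flags the out-of-band management address sharing a network with the VLAN interface, as raised earlier in the thread. The function names are hypothetical and the sample config is trimmed from the posted output.

```python
import ipaddress
import re

# Constructed sample, trimmed from the "show run" output posted above.
RUNNING = '''interface vlan "1"
   ip address 172.16.0.254 netmask 255.255.255.0
!
interface mgmt
!
'''

# An "interface vlan" or "interface mgmt" stanza and its indented body lines.
BLOCK = re.compile(r'^interface (vlan "\d+"|mgmt)[ \t]*\n((?:[ \t]+.*\n)*)', re.M)
# Both forms appear in the thread: "ip address A M" and "ip address A netmask M".
ADDR = re.compile(r'ip address (\S+) (?:netmask )?(\S+)')

def l3_interfaces(config):
    """Map interface name -> IPv4Interface, or None if no address is set."""
    found = {}
    for name, body in BLOCK.findall(config):
        m = ADDR.search(body)
        found[name.replace('"', '')] = (
            ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None)
    return found

def audit(config, vlan, intended, oob=None):
    """Return findings; 'intended' and 'oob' are 'address/mask' strings from quick-setup."""
    findings = []
    want = ipaddress.ip_interface(intended)
    have = l3_interfaces(config).get(f"vlan {vlan}")
    if have != want:
        findings.append(
            f"vlan {vlan}: running-config has {have}, quick-setup intended {want}")
    if oob and ipaddress.ip_interface(oob).network.overlaps(want.network):
        findings.append(
            f"mgmt {oob} is in the same network as vlan {vlan} ({want.network})")
    return findings

if __name__ == "__main__":
    for line in audit(RUNNING, 1, "172.16.252.50/255.255.252.0",
                      oob="172.16.252.49/255.255.252.0"):
        print(line)
```
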
