It may be that the port GE0/0/3 and/or vlan 4080 on the 9004 gateway are not trusted. You can check with the command 'show users' on the 9004, and if you see many IP addresses from your DC or other sites, the interface trust is probably the case.
Maybe your Aruba partner, Aruba SE or Aruba Support can have a look with you, as this should be quick to solve if someone knows what to look for.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 14, 2023 01:08 PM
From: CJ_1
Subject: What type of tunnel am I looking for
Good Day Everyone,
First, please excuse my ignorance on this topic. This is the first time I've ever worked on SD-WAN infrastructure and so I'm not fully versed.
We have a site that won't be covered with a MAN connection and have to connect it over a common internet carrier back to our datacenter. Due to regulations, all traffic from the site, at least initially, has to be sent back to the DC for processing and internet access. We have BGP that covers MAN connections to all sites, with all sites having a 6300 for the BGP and local routing.
So with this new site, it was initially thought that we would bring up an L3 tunnel to the site, have the Gateway join the BGP network and then have the site peer with the gateway. After review by our Aruba SE, since all traffic must be sent back to the DC, all we needed was an L2 tunnel, and the site would just peer with the network, with the tunnel providing the transport between the two sides. This made sense to me.
The tunnel was created and is working, but the traffic isn't flowing as expected. I feel like it is a policy issue, or maybe an L2 tunnel setting by default blocks some traffic.
- Site: Only sees L2 traffic from the BGP overlay network; ARP (Announcements, Requests and Responses), LLDP. I don't see any L3 traffic
- DC: Appears to see all traffic from the Site (L2 and L3)
So because the DC can't send back to the Site, this causes all stateful connections to fail. I know the Gateway can modify/route/block traffic that goes across the tunnel, which for this site I don't want.
Here is a diagram:
So my questions are:
- Does an L2 tunnel block stateful L3 connections by default?
- Is there a better tunnel type to build for this connection?
Would love to hear thoughts.
-Chris