Aruba 2530 Management And Configuration Manual

Aruba 2530 Management and Configuration Guide for ArubaOS-Switch 16.05
Part Number: 5200-4207a
Published: April 2018
Edition: 2

Summary of Contents for Aruba 2530

  • Page 1 Aruba 2530 Management and Configuration Guide for ArubaOS- Switch 16.05 Part Number: 5200-4207a Published: April 2018 Edition: 2...
  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Notices The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Chapter 1 About this guide; Applicable products (19); Switch prompts used in this guide; Chapter 2 Time Protocols; General steps for running a time protocol on the switch (20); TimeP time synchronization; SNTP time synchronization (20); Selecting a time synchronization protocol (21); Disabling time synchronization
  • Page 4 Planning and implementing a PoE configuration; Power requirements; Assigning PoE ports to VLANs (85); Applying security features to PoE configurations (85); Assigning priority policies to PoE traffic; PoE Event Log messages (85); About PoE operation (85); Configuration options; support...
  • Page 5 Power priority operation; Configuring PoE operation (87); Disabling or re-enabling PoE port operation; Enabling support for pre-standard devices; Configuring the PoE port priority; Controlling PoE allocation; Manually configuring PoE power levels; Changing the threshold for generating a power notice; Cycling power on a port
  • Page 6 Enabling or disabling restrictions from all non-SNMPv3 agents to read-only access; Viewing the operating status of SNMPv3; Viewing status of message reception of non-SNMPv3 messages; Viewing status of write messages of non-SNMPv3 messages (146); Enabling SNMPv3...
  • Page 7 SNMPv3 users; Group access levels; SNMPv3 communities; Viewing and configuring non-version-3 SNMP communities (Menu); Listing community names and values (CLI); SNMP notifications (154); Supported Notifications; General steps for configuring SNMP notifications (155); SNMPv1 and SNMPv2c Traps; SNMP trap receivers; SNMPv2c informs (157); Configuring SNMPv3 notifications (CLI) (158); Network security notifications (161)...
  • Page 8 Portal (212); Configuring Captive Portal on CPPM (212); Import the HP RADIUS dictionary; Create enforcement profiles (213); Create a ClearPass guest self-registration; Configure the login delay; Configuring the switch (215); Configure the URL key (216)...
  • Page 9 LED behavior during connectivity loss; Aruba Central Configuration manually; aruba-central; Troubleshooting (242); show aruba-central (242); debug ztp (242); Stacking support; Chapter 11 Auto configuration upon Aruba AP detection (243); Auto device detection and configuration; Requirements (243); Limitations; Feature Interactions; Profile Manager and 802.1X (244); Profile Manager and LMA/WMA/MAC-AUTH (244); Profile manager and Private VLANs (244)...
  • Page 10 Downloading the OS from another switch (CLI); Using AirWave to update switch software; Using IMC to update switch software (275); Copying software images (275); TFTP: Copying a software image to a remote host (CLI) (275)...
  • Page 11 Xmodem: Copying a software image from the switch to a serially connected PC or UNIX workstation (CLI); Transferring switch configurations; TFTP: Copying a configuration file to a remote host (CLI) (276); TFTP: Copying a configuration file from a remote host (CLI) (277); TFTP: Copying a customized command file to a switch (CLI)
  • Page 12 The authorized MAC address on a port that is configured for both 802.1X and port security either changes or is re-acquired after execution of aaa port-access authenticator <port-list> initialize (315)...
  • Page 13 A trunked port configured for 802.1X is blocked; QoS-related problems; Loss of communication when using VLAN-tagged traffic; Radius-related problems; The switch does not receive a response to RADIUS authentication requests; RADIUS server fails to respond to a request for service, even though the server's IP address is correctly configured in the switch (316); MSTP and fast-uplink...
  • Page 14 Configuring a DNS entry; Using DNS names with ping and traceroute: Example; Viewing the current DNS configuration; Operating notes (388); Event Log messages (388); Chapter 17 MAC Address Management; Overview; Determining MAC addresses...
  • Page 15 Viewing the MAC addresses of connected devices; Viewing the switch's MAC address assignments for VLANs configured on the switch (390); Viewing the port and VLAN MAC addresses (391); Chapter 18 Power-Saving Features; Configuring the savepower LED option; Configuring the savepower port-low-pwr option (393); Chapter 19 Job Scheduler
  • Page 16 [no] policy user; policy resequence; Commands in the policy-user context; (policy-user)# class; User role configuration (442); aaa authorization user-role; Error log (443); captive-portal-profile (444); policy; reauth-period (444); Validation rules; VLAN commands; vlan-id (445); vlan-name (445)...
  • Page 17 VLAN range commands (446); Applying a UDR; aaa port-access local-mac apply user-role; VXLAN show commands; show captive-portal profile; show user-role (448); show port-access clients; Chapter 24 Port QoS Trust Mode; Overview; Configuration commands; trust; dscp-map (452); Show commands; show qos trust; Validation rules (454); Chapter 25 Net-destination and Net-service (455); Net-service Overview (455)...
  • Page 18 CPE username configuration; Enable/disable CWMP; Show commands (472); CWMP configuration and status query (472); Event logging; System logging (473); Status/control commands (474); Configuration backup and restore without reboot (476); Glossary...
  • Page 19: Chapter 1 About This Guide

    This guide provides information on how to configure, manage, and monitor basic switch operation. Applicable products This guide applies to these products: Aruba 2530 Switch Series (J9772A, J9773A, J9774A, J9775A, J9776A, J9777A, J9778A, J9779A, J9780A, J9781A, J9782A, J9783A, J9853A, J9854A, J9855A, J9856A, JL070A) Switch prompts used in this guide Examples in this guide are representative and may not match your particular switch/environment.
  • Page 20: Chapter 2 Time Protocols

    In the factory-default configuration, time synchronization is disabled by default. NOTE: Because the Aruba 2530 Switch Series does not contain an RTC (real time clock) chip, Hewlett Packard Enterprise recommends configuring one of the time synchronization protocols supported.
  • Page 21: Selecting A Time Synchronization Protocol

    The switch requests a time update from the configured SNTP server. (You can configure one server using the menu interface, or up to three servers using the CLI sntp server command.) This option provides increased security over the Broadcast mode by specifying which time server to use instead of using the first one detected through a broadcast.
  • Page 22: Viewing And Configuring Sntp (Menu)

    Specifies the order in which the configured servers are polled for getting the time. Value is between 1 and 3. Viewing and configuring SNTP (Menu) Procedure 1. From the Main Menu, select:...
  • Page 23 a. 2. Switch Configuration… b. 1. System Information Figure 1: System Information screen (default values) 2. Press [E] (for Edit ). Move the cursor to the System Name field. 3. Use the Space bar to move the cursor to the Time Sync Method field. 4.
  • Page 24: Viewing And Configuring Sntp (Cli)

    SNTP configuration when SNTP is the selected time synchronization method
        switch(config)# show sntp
         SNTP Configuration
          Time Sync Mode: Sntp
          SNTP Mode : Unicast
          Poll Interval (sec) [720] : 719...
  • Page 25
          Priority SNTP Server Address            Protocol Version
          -------- ------------------------------ ----------------
                   2001:db8::215:60ff:fe79:8980
                   10.255.5.24
                   fe80::123%vlan10

    In the factory-default configuration (where TimeP is the selected time synchronization method), show sntp still lists the SNTP configuration, even though it is not currently in use. In SNTP configuration when SNTP is not the selected time synchronization method on page 25, even though TimeP is the current time synchronization method, the switch maintains the SNTP configuration.
  • Page 26: Configuring (Enabling Or Disabling) The Sntp Mode

    Selects SNTP as the time synchronization method. Syntax: sntp broadcast Configures broadcast as the SNTP mode. Example: Suppose that time synchronization is in the factory-default configuration (TimeP is the currently selected time synchronization method.) Complete the following:...
  • Page 27 Procedure 1. View the current time synchronization. 2. Select SNTP as the time synchronization mode. 3. Enable SNTP for Broadcast mode. 4. View the SNTP configuration again to verify the configuration. The commands and output would appear as follows: Figure 4: Enabling SNTP operation in Broadcast Mode switch(config)# show sntp SNTP Configuration Time Sync Mode: Timep...
  • Page 28
         SNTP Configuration
          Time Sync Mode: Sntp
          SNTP Mode : Unicast
          Poll Interval (sec) [720] : 720

          Priority SNTP Server Address                            Protocol Version
          -------- ---------------------------------------------- ----------------
                   2001:db8::215:60ff:fe79:8980                   7
                   10.255.5.24                                    3
                   fe80::123%vlan10                               3...
  • Page 29 In this example, the Poll Interval and the Protocol Version appear at their default settings. Both IPv4 and IPv6 addresses are displayed. Note: Protocol Version appears only when there is an IP address configured for an SNTP server. If the SNTP server you specify uses SNTP v4 or later, use the sntp server command to specify the correct version number.
  • Page 30 (the default), no sntp changes the SNTP configuration as shown below and disables time synchronization on the switch. Disabling time synchronization by disabling the SNTP mode
        switch(config)# no sntp
        switch(config)# show sntp
         SNTP Configuration
          Time Sync Mode: Sntp...
  • Page 31: Timep: Selecting And Configuring

          SNTP Mode : disabled
          Poll Interval (sec) [720] : 600

          IP Address    Protocol Version
          ------------- -----------------
          10.28.227.141

    Note that even though the Time Sync Mode is set to Sntp, time synchronization is disabled because no sntp has disabled the SNTP Mode parameter. TimeP: Selecting and configuring The following table shows TimeP parameters and their operations.
  • Page 32 Enter the IP address of the TimeP server you want the switch to use for time synchronization. NOTE: This step replaces any previously configured TimeP server IP address. ◦ Move the cursor to the Poll Interval field, then go to step 6...
  • Page 33: Viewing The Current Timep Configuration (Cli)

    6. In the Poll Interval field, enter the time in minutes that you want for a TimeP Poll Interval. 7. Select [Enter] to return to the Actions line, then select [S] (for Save) to enter the new time protocol configuration in both the startup-config and running-config files. Viewing the current TimeP configuration (CLI) Using different show commands, you can display either the full TimeP configuration or a combined listing of all TimeP, SNTP, and VLAN IP addresses configured on the switch.
  • Page 34: Configuring (Enabling Or Disabling) The Timep Mode

    IP address of the TimeP server. (The switch allows only one TimeP server.) Syntax: timesync timep Selects TimeP. Syntax: ip timep manual <ip-addr> Activates TimeP in manual mode with a specified TimeP server...
  • Page 35 Syntax: no ip timep Disables TimeP. Enabling TimeP in DHCP Mode Because the switch provides a TimeP polling interval (default: 720 minutes), you need only these two commands for a minimal TimeP DHCP configuration: Syntax: timesync timep Selects TimeP as the time synchronization method. Syntax: ip timep dhcp Configures DHCP as the TimeP mode.
  • Page 36 Disables time synchronization by changing the Time Sync Mode configuration to Disabled. This halts time synchronization without changing your TimeP configuration. The recommended method for disabling time synchronization is to use the timesync command...
  • Page 37: Sntp Unicast Time Polling With Multiple Sntp Servers

    Example: Suppose TimeP is running as the switch's time synchronization protocol, with DHCP as the TimeP mode, and the factory-default polling interval. You would halt time synchronization with this command: switch(config)# no timesync If you then viewed the TimeP configuration, you would see the following: TimeP with time synchronization disabled switch(config)# show timep Timep Configuration...
  • Page 38: Displaying All Sntp Server Addresses Configured On The Switch (Cli)

    Deletes a server address. If there are multiple addresses and you delete one of them, the switch re-orders the address priority. Example: To delete the primary address in the above example and automatically convert the secondary address to primary:...
  • Page 39: Operating With Multiple Sntp Server Addresses Configured (Menu)

    switch(config)# no sntp server 10.28.227.141 Operating with multiple SNTP server addresses configured (Menu) When you use the Menu interface to configure an SNTP server IP address, the new address writes over the current primary address, if one is configured. SNTP messages in the Event Log If an SNTP time change of more than three seconds occurs, the switch's Event Log records the change.
  • Page 40: Timesync Ntp

    This command disables NTP and removes all NTP configurations on the device. Syntax [no] ntp [authentication <key-id> | broadcast | enable | max-association <integer> | server <IP-ADDR> | trap <trap-name> | unicast]...
  • Page 41: Ntp Enable

    Description Disables NTP and removes the entire NTP configuration. Options authentication Configure NTP authentication. broadcast Operate in broadcast mode. enable Enable/disable NTP. max-association Maximum number of Network Time Protocol (NTP) associations. server Configure an NTP server to poll for time synchronization. trap Enable/disable NTP traps.
  • Page 42: Ntp Authentication Key-Id

    Switch(config)# ntp authentication key-id 1 authentication-mode|trusted md5 key-value Enter a string to be set as the NTP authentication key. ntp authentication key-id Syntax ntp authentication key-id <key-id> [authentication-mode [md5 | sha1]...
  • Page 43: Ntp Max-Association

    key-value <key-value>] [trusted] Description The NTP client authenticates the NTP server. Options authentication-mode Set the NTP authentication mode. • md5: Authenticate using MD5. • sha1: Authenticate using SHA1. trusted Set this authentication key as trusted. ntp max-association This command is used to configure the maximum number of servers associated with this NTP client. Syntax ntp max-association <number>...
  • Page 44: Ntp Server

    Allow the software clock to be synchronized by an NTP time server. broadcast Operate in broadcast mode. unicast Operate in unicast mode. switch(config)# ntp server IP-ADDR IPv4 address of the NTP server...
  • Page 45: Ntp Server Key-Id

    IPV6-ADDR IPv6 address of the NTP server. switch(config)# ntp server <IP-ADDR> Specify the authentication key. switch(config)# ntp server <IP-ADDR> key key-id Max-poll Configure the maximum time intervals in seconds. switch(config)# ntp server <IP-ADDR> key key-id max-poll <4-17> Enter an integer number. Switch(config)# ntp server <IP-ADDR>...
  • Page 46: Ntp Ipv6-Multicast

    This command is used to display debug messages for NTP. Syntax debug ntp <event | packet> Options event Displays event log messages related to NTP. packet Displays NTP packet messages. Description Enable debug logging. Use [no] to disable debug logging...
  • Page 47: Ntp Trap

    Example Switch(config)# debug ntp event Display event log messages related to NTP. packet Display NTP packet messages. ntp trap This command is used to configure NTP traps. Syntax ntp trap <trap-name> Description Enable NTP traps. Use [no] to disable NTP traps. Options ntp-mode-change Trap name resulting in send notification when the NTP entity changes mode, including...
  • Page 48: Show Ntp Statistics

          NTP In Packets : 100
          NTP Out Packets : 110
          NTP Bad Version Packets
          NTP Protocol Error Packets : 0

    show ntp status Syntax show ntp status Description Show the status of NTP...
  • Page 49: Show Ntp Associations

    Example
        Switch(config)# show ntp status
         NTP Status information
          NTP Status : Disabled
          NTP Mode : Broadcast
          Synchronization Status : Synchronized
          Peer Dispersion : 8.01 sec
          Stratum Number
          Leap Direction
          Reference Assoc Id
          Clock Offset : 0.0000 sec
          Reference : 192.0.2.1
          Root Delay : 0.00 sec
          Precision...
  • Page 50: Show Ntp Authentication

    Description Show the authentication status and other information about the authentication key. show ntp authentication
        Switch(config)# show ntp authentication
         NTP Authentication Information
          Key-ID   Auth Mode  Trusted
          -------- ---------- -------
                   sha1
                   sha1...
  • Page 51: Validation Rules

    Validation rules Validation Error/Warning/Prompt If access-list name is not valid. Please enter a valid access-list name. If the authentication method is being set to If both the public key and username/password are not two-factor authentication, various messages configured: Public key and username/password should display.
  • Page 52 If min poll value is more than max poll value. NTP max poll value should be more than min poll value. If ipv6 is not enabled on vlan interface. IPv6 address not configured on the VLAN...
  • Page 53: Event Log Messages

    Event log messages Cause Event Message RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS W 01/01/15 18:24:03 03397: auth: %s. Examples: W 01/01/15 18:24:03 03397: auth: Public key and username/password should be configured for the successful two-factor authentication. W 01/01/15 18:24:03 03397: auth: Username and password should be configured for the successful two-factor authentication.
  • Page 54 The NTP Server 10.1.1.2 is unreachable. (2 times in 60 seconds) When MD5/SHA1 authentication failed. The MD5 authentication on the NTP packet failed. The SHA1 authentication on the NTP packet failed...
  • Page 55: Chapter 3 Port Status And Configuration

    Chapter 3 Port Status and Configuration Viewing port status and configuring port parameters Connecting transceivers to fixed-configuration devices If the switch either fails to show a link between an installed transceiver and another device or demonstrates errors or other unexpected behavior on the link, check the port configuration on both devices for a speed and/or duplex (mode) mismatch.
  • Page 56 Ethernet cables. Sets the port to connect with a PC using a crossover cable (Manual mode—applies only to copper port switches using twisted-pair copper Ethernet cables)...
  • Page 57 Mode Speed and Duplex Settings MDIX Sets the port to connect with a PC using a straight-through cable (Manual mode—applies only to copper port switches using twisted-pair copper Ethernet cables). Auto-10 Allows the port to negotiate between half-duplex (HDx) and full-duplex (FDx) while keeping speed at 10Mbps.
  • Page 58: Configuring Ports (Menu)

    For further information on configuration options for these features, see the online help provided with this screen. 3. When you have finished making changes to the above parameters, press [Enter], then press [S] (for Save)...
  • Page 59: Viewing Port Status And Configuration (Cli)

    Viewing port status and configuration (CLI) Use the following commands to display port status and configuration data. Syntax: show interfaces [brief | config | < port-list >] brief Lists the current operating status for all ports on the switch. config Lists a subset of configuration data for all ports on the switch;...
  • Page 60: Customizing The Show Interfaces Command (Cli)

    Select the information that you want to display. Supported columns are shown in the table below. Table 6: Supported columns, what they display, and examples: Parameter column Displays Examples port Port identifier type Port type 100/1000T status Port status up or down...
  • Page 61: Error Messages Associated With The Show Interfaces Command

    Parameter column Displays Examples speed Connection speed and duplex 1000FDX mode Configured mode auto, auto-100, 100FDX MDI mode auto, MDIX flow Flow control on or off name Friendly port name vlanid The vlan id this port belongs to, or "tagged" if it 4tagged belongs to more than one vlan enabled...
  • Page 62: Viewing Port Utilization Statistics (Cli)

    | Kbits/sec Pkts/sec Util | Kbits/sec Pkts/sec Util ----- -------- + ---------- --------- ----- + ---------- --------- ----- 1000FDx 1000FDx 1000FDx 1000FDx 1000FDx 1000FDx 100FDx | 624 00.62 | 496 00.49...
  • Page 63: Operating Notes For Viewing Port Utilization Statistics

    Operating notes for viewing port utilization statistics • For each port on the switch, the command provides a real-time display of the rate at which data is received (Rx) and transmitted (Tx) in terms of kilobits per second (KBits/s), number of packets per second (Pkts/s), and utilization (Util) expressed as a percentage of the total bandwidth available.
  • Page 64: Enabling Or Disabling Ports And Configuring Port Mode (Cli)

    For example, to enter the context level for port C6 and then configure that port for 100FDx:
        switch(config)# int e c6
        switch(eth-C6)# speed-duplex 100-full...
  • Page 65: Enabling Or Disabling Flow Control (Cli)

    If port C8 was disabled, and you wanted to enable it and configure it for 100FDx with flow-control active, you could do so with either of the following command sets: Figure 7: Two methods for changing a port configuration For more on flow control, see Enabling or disabling flow control (CLI) on page 65. Enabling or disabling flow control (CLI) NOTE: You must enable flow control on both ports in a given link.
  • Page 66 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD...
  • Page 67: Configuring A Broadcast Limit

    Configuring a broadcast limit Broadcast-Limit on switches covered in this guide is configured on a per-port basis. You must be at the port context level for this command to work, for example:
        switch(config)# int 1
        switch(int 1)# broadcast-limit 1
    Broadcast-limit Syntax: broadcast-limit <0-99>...
  • Page 68: Viewing Broadcast Storm

    [ethernet] <A22> action [warn] <pps 100> Viewing broadcast storm Use the following command to display the broadcast-storm-control configuration. Syntax: show fault-finder broadcast-storm [[ethernet] port-list] Examples: switch# show fault-finder broadcast-storm [A1]...
  • Page 69: Snmp Mib

    Port Bcast Storm Port Status Rising Action Disable Disable Threshold Timer Timer Left Down warn-and- 65535 — disable switch (config)# show fault-finder broadcast-storm Port Bcast Storm Port Status Rising Action Disable Disable Threshold Timer Timer Left Down 200 pps warn-and- disable switch (config)# show fault-finder broadcast-storm A1 Port...
  • Page 70 • status: current • description: This Is The Rising Threshold Level in percent of bandwidth of the port. hpicfFfBcastStormControlAction occurs when broadcast traffic reaches this level. ::= {hpicfFfBcastStormControlPortConfigEntry 3}...
  • Page 71: Configuring Auto-Mdix

    hpicfFfBcastStormControlRisingpps OBJECT-TYPE • Syntax Integer32 (1..10000000) • max-access: read-write • status: current • description: This object indicates the rising threshold for broadcast storm control. This value is in packets-per-second of received broadcast traffic. The hpicfFfBcastStormControlAction object takes action when broadcast traffic reaches this level.
  • Page 72: Manual Override

    The auto-MDIX features apply only to copper port switches using twisted-pair copper Ethernet cables. For information about auto-MDIX, see Configuring auto-MDIX on page 71. Syntax: interface <port-list> mdix-mode {auto-mdix | mdi | mdix}...
  • Page 73 auto-mdix The automatic, default setting. This configures the port for automatic detection of the cable (either straight-through or crossover). The manual mode setting that configures the port for connecting to either a PC or other MDI device with a crossover cable, or to a switch, hub, or other MDI-X device with a straight-through cable.
  • Page 74: Using Friendly (Optional) Port Names

    (In the CLI, use the write memory command.) Configuring friendly port names (CLI) For detailed information about friendly port names, see Using friendly (optional) port names on page 74. Syntax: interface <port-list> name <port-name-string>...
  • Page 75: Configuring A Single Port Name (Cli)

    Assigns a port name to port-list. Syntax: no interface <port-list> name Deletes the port name from <port-list>. Configuring a single port name (CLI) Suppose that you have connected port A3 on the switch to Bill Smith's workstation, and want to assign Bill's name and workstation IP address (10.25.101.73) as a port name for port A3: Configuring a friendly port name switch(config)# int A3 name...
  • Page 76: Listing All Ports Or Selected Ports With Their Friendly Port Names (Cli)

    A3-A5
         Port Names
          Port : A3
            Type : 10GbE-T
            Name : Bill_Smith@10.25.101.73
          Port : A4
            Type : 10GbE-T
            Name :
          Port : A5
            Type : 10GbE-T
            Name : Draft-Server:Trunk...
  • Page 77: Including Friendly Port Names In Per-Port Statistics Listings (Cli)

    Including friendly port names in per-port statistics listings (CLI) Syntax: show interface <port-number> Includes the friendly port name with the port's traffic statistics listing. A friendly port name configured to a port is automatically included when you display the port's statistics output. If you configure port A1 with the name "O'Connor_10.25.101.43,"...
  • Page 78: Uni-Directional Link Detection (Udld)

    UDLD-enabled ports, however, will prevent traffic from being sent across a bad link by blocking the ports in the event that either the individual transmitter or receiver for that connection fails...
  • Page 79: Configuring Udld

    Ports enabled for UDLD exchange health-check packets once every five seconds (the link-keepalive interval). If a port does not receive a health-check packet from the port at the other end of the link within the keepalive interval, the port waits for four more intervals. If the port still does not receive a health-check packet after waiting for five intervals, the port concludes that the link has failed and blocks the UDLD-enabled port.
  • Page 80: Enabling Udld (Cli)

    UDLD packet is received by a non-HPE switch, that switch may reject the packet. To avoid such an occurrence, you can configure ports to send out UDLD control packets that are tagged with a specified VLAN. ...
  • Page 81: Viewing Udld Information (Cli)

    To enable ports to receive and send UDLD control packets tagged with a specific VLAN ID, enter a command such as the following at the interface configuration level: switch(config)#interface link-keepalive vlan 22 NOTE: • You must configure the same VLANs that will be used for UDLD on all devices across the network;...
  • Page 82: Viewing Detailed Udld Information For Specific Ports (Cli)

    Viewing detailed UDLD information for specific ports (CLI) Enter the show link-keepalive statistics command. Example: Figure 11: Example of show link-keepalive statistics command Clearing UDLD statistics (CLI) Enter the following command: switch# clear link-keepalive statistics...
  • Page 83 This command clears the packets sent, packets received, and transitions counters in the show link-keepalive statistics display (see Figure 11: Example of show link-keepalive statistics command on page 82 for an example). ...
  • Page 84: Chapter 4 Power Over Ethernet (Poe/Poe+) Operation

    (external power supply) can also be connected to these switches to provide extra or redundant PoE power. See the HPE PoE/PoE+ planning and implementation guide for detailed information about the PoE/PoE+ power requirements for your switch. ...
  • Page 85: Assigning Poe Ports To Vlans

    Please see the event log message reference guide for information about Event Log messages. To see these manuals, go to http://www.hpe.com/networking. Auto search the model number for your switch, for example: “HPE Switch 2530”, then select the device from the list and click on Product manuals. Click on the “User guide” link under Manuals.
  • Page 86: Configuration Options

    PoE power to support the PD's operation. Unused power becomes available for supporting other PD connections. However, if you configure the poe-allocate-by option to either value or class, all of the power configured is allocated to the port. ...
  • Page 87: Power Priority Operation

    For PoE (not PoE+), while 17 watts must be available for a PoE module on the switch to begin supplying power to a port with a PD connected, 17 watts per port is not continually required if the connected PD requires less power. For example, with 20 watts of PoE power remaining available on a module, you can connect one new PD without losing power to any connected PDs on that module.
  • Page 88: Configuring The Poe Port Priority

    (Default) Specifies the third priority PoE support for <port-list>. The active PoE ports at this level are provisioned only if there is power available after provisioning any active PoE ports at the higher priority levels. The following table shows some examples of PoE priority configuration. ...
  • Page 89: Controlling Poe Allocation

    Table 9: PoE priority operation on a PoE module Port Priority setting Configuration command and resulting operation with PDs connected to ports C3 through C24 Critical C3 - C17 In this example, the following CLI command sets ports C3 to C17 to Critical: switch(config)# interface c3-c17 power-over-ethernet critical...
  • Page 90: Manually Configuring Poe Power Levels

    To configure a port by value: Procedure 1. Set the PoE allocation by entering the poe-allocate-by value command: switch(config) # int A6 poe-allocate-by value 2. or in interface context: switch(eth-A6) # poe-allocate-by value...
  • Page 91 3. Select a value: switch(config) # int A6 poe-value 15 4. or in interface context: switch(eth-A6) # poe-value 15...
  • Page 92: Changing The Threshold For Generating A Power Notice

    By default, PoE support is enabled on the switch’s 10/100Base-TX ports, with the power priority set to Low and the power threshold set to 80 (%). The following commands allow you to adjust these settings. Syntax: power threshold <1-99>...
  • Page 93: Cycling Power On A Port

    The power threshold is a configurable percentage of the total PoE power available on the switch. When PoE consumption exceeds the threshold, the switch automatically generates an SNMP trap and also sends a message to the Event Log. For example, if the power threshold is set to 80% (the default), and an increasing PoE power demand crosses this threshold, the switch sends an SNMP trap and generates this Event Log message: PoE usage has exceeded threshold of 80 %.
  • Page 94: Enabling Poe Detection Via Lldp Tlv Advertisement

    Enabling PoE-lldp-detect allows the data link layer to be used for power negotiation. When a PD requests power on a PoE port, LLDP interacts with PoE to see if there is enough power to fulfill the request. Power is set at...
  • Page 95: Initiating Advertisement Of Poe+ Tlvs

    the level requested. If the PD goes into power-saving mode, the power supplied is reduced; if the need for power increases, the amount supplied is increased. PoE and LLDP interact to meet the current power demands. Syntax: int <port-list> poe-lldp-detect [enabled | disabled] Allows the data link layer to be used for power negotiation between a PD on a PoE port and LLDP.
  • Page 96: Viewing Poe When Using Lldp Information

    Local power information on page 96 shows an example of the local device power information using the show lldp info local-device <port-list> command. Local power information switch(config)# show lldp info local-device A1...
  • Page 97: Operation Note

    LLCP Local Port Information Detail Port : A1 PortType : local PortId PortDesc : A1 Pvid Poe Plus Information Detail Poe Device Type : Type2 PSE Power Source : Primary Power Priority : low PD Requested Power Value : 20 Watts PSE Actual Power Value : 20 Watts Remote power information on page 97 shows the remote device power information using the show lldp...
  • Page 98: Viewing The Global Poe Power Status Of The Switch

    <port-list> Displays PoE information for the ports in port-list. See Viewing the PoE status on specific ports on page 101. The show power-over-ethernet command displays data similar to that shown in Output for the show power-over-ethernet command on page 99. ...
  • Page 99: Viewing Poe Status On All Ports

    Output for the show power-over-ethernet command switch(config)# show power-over-ethernet Status and Counters - System Power Status Pre-standard Detect : On System Power Status : No redundancy PoE Power Status : No redundancy Chassis power-over-ethernet Total Available Power 600 W Total Failover Power 300 W Total Redundancy Power : Total Used Power...
  • Page 100 Searching You can also show the PoE information by slot: Showing the PoE information by slot switch(config)# show power-over-ethernet slot A Status and Counters - System Power Status for slot A...
  • Page 101: Viewing The Poe Status On Specific Ports

    Maximum Power : 408 W Operational Status : On Power In Use 9 W +/- 6 W Usage Threshold (%) : 80 Viewing the PoE status on specific ports Syntax: show power-over-ethernet <port-list> Displays the following PoE status and statistics (since the last reboot) for each port in <port-list>: Power Enable Shows Yes for ports enabled to support PoE (the default) and No for ports on which PoE is disabled.
  • Page 102 Status and Counters - Port Power Status for port A7 Power Enable : Yes LLDP Detect : disabled Priority : low Configured Type : AllocateBy : value Value : 17 W...
  • Page 103 Detection Status : Searching Power Class Over Current Cnt MPS Absent Cnt Power Denied Cnt Short Cnt Voltage : 0 V Current : 0 mA Power : 0 W...
  • Page 104: Chapter 5 Port Trunking

    Port security does not operate on a trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch resets the port security parameters for those ports to the factory-default configuration. ...
  • Page 105: Port Trunk Features And Operation

    CAUTION: To avoid broadcast storms or loops in your network while configuring a trunk, first disable or disconnect all ports you want to add to or remove from the trunk. After you finish configuring the trunk, enable or re-connect the ports. Port trunk features and operation The switches covered in this guide offer these options for port trunking: •...
  • Page 106: Static Trunk

    CLI to create a static port trunk. The switch offers two types of static trunks: LACP and Trunk. Table 11: Trunk types used in static and dynamic trunk groups Trunking method LACP Trunk Dynamic Static The following table describes the trunking options for LACP and Trunk protocols. ...
  • Page 107 Table 12: Trunk configuration protocols Protocol Trunking Options LACP (802.3ad) Provides dynamic and static LACP trunking options. • Dynamic LACP — Use the switch-negotiated dynamic LACP trunk when: ◦ The port on the other end of the trunk link is configured for Active or Passive LACP. ◦...
  • Page 108: Static Trunk

    All of the switch trunk protocols use the SA/DA (source address/destination address) method of distributing traffic across the trunked links. See Outbound traffic distribution across trunked links on page 123. ...
  • Page 109: Static Trunk

    Spanning Tree: 802.1D (STP) and 802.1w (RSTP) Spanning Tree operate as a global setting on the switch (with one instance of Spanning Tree per switch). 802.1s (MSTP) Spanning Tree operates on a per-instance basis (with multiple instances allowed per switch). For each Spanning Tree instance, you can adjust Spanning Tree parameters on a per-port basis. A static trunk of any type appears in the Spanning Tree configuration display, and you can configure Spanning Tree parameters for a static trunk in the same way that you would...
  • Page 110: Viewing And Configuring A Static Trunk Group (Menu)

    This procedure uses the Port/Trunk Settings screen to configure a static port trunk group on the switch. Procedure 1. Follow the procedures in the preceding IMPORTANT note. 2. From the Main Menu, select: 2. Switch Configuration… 2. Port/Trunk Settings...
  • Page 111 3. Press [E] (for Edit) and then use the arrow keys to access the port trunk parameters. Figure 15: Example of the menu screen for configuring a port trunk group 4. In the Group column, move the cursor to the port you want to configure. 5.
  • Page 112: Viewing And Configuring Port Trunk Groups (Cli)

    112, the command does not include a port list, so the switch lists all ports having static trunk membership. A show trunk listing without specifying ports switch# show trunks Load Balancing Port | Name Type | Group Type...
  • Page 113: Viewing Static Lacp And Dynamic Lacp Trunk Data

    ---- + ----------------------- --------- + ----- ----- | Print-Server-Trunk 10/100TX | Trk1 Trunk | Print-Server-Trunk 10/100TX | Trk1 Trunk 10/100TX | Trk2 Trunk 10/100TX | Trk2 Trunk Viewing static LACP and dynamic LACP trunk data Syntax: show lacp Lists data for only the LACP-configured ports. Example: Ports A1 and A2 have been previously configured for a static LACP trunk.
  • Page 114: Configuring A Static Trunk Or Static Lacp Trunk Group

    Syntax: no trunk <port-list> Removes the specified ports from an existing trunk group. Example: To remove ports C4 and C5 from an existing trunk group: switch(config)# no trunk c4-c5...
  • Page 115: Enabling A Dynamic Lacp Trunk Group

    Enabling a dynamic LACP trunk group In the default port configuration, all ports on the switch are set to disabled. To enable the switch to automatically form a trunk group that is dynamic on both ends of the link, the ports on one end of a set of links must be LACP Active.
  • Page 116: Viewing Existing Port Trunk Groups (Webagent)

    Thus, to display a listing of dynamic LACP trunk ports, you must use the show lacp command. In most cases, trunks configured for LACP on the switches operate as described in the following table. ...
  • Page 117: Static Trunk

    Table 14: LACP trunk types LACP port trunk Operation configuration Dynamic LACP This option automatically establishes an 802.3ad-compliant trunk group, with LACP for the port Type parameter and DynX for the port Group name, where X is an automatically assigned value from 1 to 144, depending on how many dynamic and static trunks are currently on the switch.
  • Page 118: Default Port Operation

    The following table lists the elements of per-port LACP operation. To display this data for a switch, execute the following command in the CLI: switch# show lacp...
  • Page 119: Lacp Notes And Restrictions

    Table 15: LACP port status data Status Meaning name Port Numb Shows the physical port number for each port configured for LACP operation (C1, C2, C3 …). Unlisted port numbers indicate that the missing ports that are assigned to a static trunk group are not configured for any trunking.
  • Page 120: 802.1X (Port-Based Access Control) Configured On A Port

    VLANs and dynamic LACP A dynamic LACP trunk operates only in the default VLAN (unless you have enabled GVRP on the switch and use Forbid to prevent the ports from joining the default VLAN). ...
  • Page 121: Blocked Ports With Older Devices

    If you want to use LACP for a trunk on a non-default VLAN and GVRP is disabled, configure the trunk as a static trunk. Blocked ports with older devices Some older devices are limited to four ports in a trunk. When eight LACP-enabled ports are connected to one of these older devices, four ports connect, but the other four ports are blocked.
  • Page 122: Half-Duplex, Different Port Speeds, Or Both Not Allowed In Lacp Trunks

    Appears in the output from the CLI show lacp command. Interface option Dynamic LACP trunk Static LACP trunk group Static non-protocol group Menu interface CLI show trunk CLI show interfaces...
  • Page 123: Outbound Traffic Distribution Across Trunked Links

    Interface option Dynamic LACP trunk Static LACP trunk group Static non-protocol group CLI show lacp CLI show spanning- tree CLI show igmp CLI show config Outbound traffic distribution across trunked links The two trunk group options (LACP and trunk) use SA/DA pairs for distributing outbound traffic over trunked links. That is, the switch sends traffic from the same source address to the same destination address through the same trunked link, and may also send traffic from the same source address to a different destination address through the same link or a different link, depending on the mapping of path assignments among the links in the trunk.
  • Page 125: Chapter 6 Port Traffic Controls

    Chapter 6 Port Traffic Controls VLAN-based rate-limiting VLAN-based rate-limiting provides specific bandwidth for a specific VLAN for the inbound traffic on the VLAN. It allows the user to specify the maximum number of kilobits per second (kbps) a VLAN can receive. The specified VLAN drops all traffic that exceeds the configured rate.
  • Page 126: Guidelines For Configuring Icmp Rate-Limiting

    For detailed information about ICMP rate-limiting, see ICMP rate-limiting on page 125. The rate-limit icmp command controls inbound usage of a port by setting a limit on the bandwidth available for inbound ICMP traffic. ...
  • Page 127: Using Both Icmp Rate-Limiting And All-Traffic Rate-Limiting On The Same Interface

    Syntax: [no] int <port-list> rate-limit icmp {< percent < 0-100 > | kbps < 0-10000000 > | [trap-clear>]} Configures inbound ICMP traffic rate-limiting. You can configure a rate limit from either the global configuration level (as shown above) or from the interface context level. The no form of the command disables ICMP rate-limiting on the specified interfaces.
  • Page 128: Viewing The Current Icmp Rate-Limit Configuration

    Operating notes for ICMP rate-limiting ICMP rate-limiting operates on an interface (per-port) basis to allow, on average, the highest expected amount of legitimate, inbound ICMP traffic. ...
  • Page 129: Notes On Testing Icmp Rate-Limiting

    • Interface support: ICMP rate-limiting is available on all types of ports (other than trunk ports or mesh ports), and at all port speeds configurable for the switch. • Rate-limiting is not permitted on mesh ports: Either type of rate-limiting (all-traffic or ICMP) can reduce the efficiency of paths through a mesh domain.
  • Page 130: Icmp Rate-Limiting Trap And Event Log Messages

    To match the port's external slot/number to the internal port number, use the walkmib ifDescr command, as shown in the following example: Matching internal port numbers to external port numbers switch# walkmib ifDescr ifDescr.1 = 1 ifDescr.2 = 2 ifDescr.3 = 3 ifDescr.4 = 4...
  • Page 131: Configuring Inbound Rate-Limiting For Broadcast And Multicast Traffic

    ifDescr.5 = 5 ifDescr.6 = 6 ifDescr.7 = 7 ifDescr.8 = 8 ifDescr.9 = 9 ifDescr.10 = 10 ifDescr.11 = 11 ifDescr.12 = 12 ifDescr.13 = 13 ifDescr.14 = 14 ifDescr.15 = 15 ifDescr.16 = 16 ifDescr.17 = 17 ifDescr.18 = 18 ifDescr.19 = 19 ifDescr.20 = 20 ifDescr.21 = 21...
  • Page 132: Operating Notes

    ----- + ------------- --------- --------------- | Disabled Disabled No-override | Disabled Disabled No-override | Disabled Disabled No-override | Disabled Disabled No-override Operating Notes The following information is displayed for each installed transceiver:...
  • Page 133: Jumbo Frames

    • Port number on which transceiver is installed. • Type of transceiver. • Product number — Includes revision letter, such as A, B, or C. If no revision letter follows a product number, this means that no revision is available for the transceiver. •...
  • Page 134: Jumbo Traffic-Handling

    VLAN includes some ports that do not belong to another, jumbo-enabled VLAN and some ports that do belong to another, jumbo-enabled VLAN. In this case, ports capable of receiving jumbo frames can forward them to...
  • Page 135: Configuring Jumbo Frame Operation

    the ports in the VLAN that do not have jumbo capability, as shown in Figure 22: Forwarding jumbo frames through non-jumbo ports on page 135. Figure 22: Forwarding jumbo frames through non-jumbo ports Jumbo frames can also be forwarded out non-jumbo ports when the jumbo frames received inbound on a jumbo-enabled VLAN are routed to another, non-jumbo VLAN for outbound transmission on ports that have no memberships in other, jumbo-capable VLANs.
  • Page 136 VLANS. (See Figure 24: Listing the VLAN memberships for a range of ports on page 136.) Figure 24: Listing the VLAN memberships for a range of ports Syntax: show vlans <vid>...
  • Page 137: Enabling Or Disabling Jumbo Traffic On A Vlan

    Shows port membership and jumbo configuration for the specified vid. (See Figure 25: Example of listing the port membership and jumbo status for a VLAN on page 137.) Figure 25: Example of listing the port membership and jumbo status for a VLAN Enabling or disabling jumbo traffic on a VLAN Syntax: vlan <vid>...
  • Page 138: Configuring Ip Mtu

    • The original way to configure jumbo frames remains the same, which is per-VLAN, but you cannot set a maximum frame size per-VLAN. ...
  • Page 139: Troubleshooting

    • Jumbo support must be enabled for a VLAN from the CLI or through SNMP. • Setting the maximum frame size does not require a reboot. • When you upgrade to a version of software that supports setting the maximum frame size from a version that did not, the max-frame-size value is set automatically to 9216 bytes.
  • Page 140: Chapter 7 Fault-Finder Port-Level Link-Flap

    Re-enable the port after waiting for the specified number of seconds. The default value is 0, which indicates that the port will not be automatically enabled. sensitivity Indicate the sensitivity of the link-flap control threshold within a 10-second interval. ...
  • Page 141 • Low indicates 10 link-flaps. • Medium indicates 6 link-flaps. • High indicates 3 link-flaps. Parameters action Configure the action taken when a fault is detected. ethernet PORT-LIST Enable link-flap control on a list of ports. warn Warn about faults found. warn-and-disable Warn and disable faulty component.
  • Page 142: Show Fault-Finder Link-Flap

    Left ------ ----- + ------ ----------- ------------------ ---------- ------------ Down warn-and-disable 65535 45303 switch# show fault-finder link-flap Link | Port Disable Disable Time Port Flap | Status Sensitivity Action Timer Left...
  • Page 143: Event Log

    ------ ----- + ------ ----------- ------------------- ---------- ------------ Down warn-and-disable 65535 45303 None None Down warn-and-disable Down High warn-and-disable NOTE: This example displays only the list of ports configured via the above per-port config commands and does not include the global configuration ports. Event Log Cause Message...
  • Page 144: Chapter 8 Configuring For Network Management Applications

    1. Type a model number of your switch (for example, 8212) or product number in the Auto Search text box. 2. Select an appropriate product from the drop down list. 3. Click the Display selected button. ...
  • Page 145: Snmpv1 And V2C Access To The Switch

    4. From the options that appear, select Software downloads. 5. MIBs are available with switch software in the Other category. Click on software updates, then MIBs. SNMPv1 and v2c access to the switch SNMP access requires an IP address and subnet mask configured on the switch. If you are using DHCP/Bootp to configure the switch, ensure that the DHCP/Bootp process provides the IP address.
  • Page 146: Enabling And Disabling Switch For Access From Snmpv3 Agents

    Syntax: show snmpv3 restricted-access Enabling SNMPv3 The snmpv3 enable command allows the switch to: • Receive SNMPv3 messages. • Configure initial users. • Restrict non-version 3 messages to "read only" (optional). ...
  • Page 147: Snmpv3 Users

    CAUTION: Restricting access to only version 3 messages makes the community named "public" inaccessible to network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from running on the switch. Example: SNMP version 3 enable command SNMPv3 users NOTE: To create new users, most SNMPv3 management software requires an initial user record to clone.
  • Page 148 Listing Users To display the management stations configured to access the switch with SNMPv3 and view the authentication and privacy protocols that each station uses, enter the show snmpv3 user command. ...
  • Page 149 Syntax: show snmpv3 user Display of the management stations configured on VLAN 1 on page 149 displays information about the management stations configured on VLAN 1 to access the switch. Display of the management stations configured on VLAN 1 switch# configure terminal switch(config)# vlan 1 switch(vlan-1)# show snmpv3 user Status and Counters - SNMPv3 Global Configuration Information...
  • Page 150: Group Access Levels

    Manager Write View – access to all managed objects except the following: ◦ vacmContextTable ◦ vacmAccessTable ◦ vacmViewTreeFamilyTable • OperatorReadView – no access to the following: ◦ icfSecurityMIB ◦ hpSwitchIpTftpMode ◦ vacmContextTable...
  • Page 151: Snmpv3 Communities

    ◦ vacmAccessTable ◦ vacmViewTreeFamilyTable ◦ usmUserTable ◦ snmpCommunityTable • Discovery View – Access limited to samplingProbe MIB. NOTE: All access groups and views are predefined on the switch. There is no method to modify or add groups or views to those that are predefined on the switch. SNMPv3 communities SNMP communities are supported by the switch to allow management applications that use version 2c or version 1 to access the switch.
  • Page 152: Viewing And Configuring Non-Version-3 Snmp Communities (Menu)

    If you need information on the options in each field, press [Enter] to move the cursor to the Actions line, then select the Help option. When you are finished with Help, press [E] (for Edit) to return the cursor to the parameter fields. ...
  • Page 153: Listing Community Names And Values (Cli)

    3. Enter the name you want in the Community Name field, and use the Space bar to select the appropriate value in each of the other fields. (Use the [Tab] key to move from one field to the next.) 4. Press [Enter] , then [S] (for Save ). Listing community names and values (CLI) This command lists the data for currently configured SNMP community names (along with trap receivers and the setting for authentication traps—see SNMP notifications on page 154).
  • Page 154: Snmp Notifications

    • SNMPv2c informs • SNMP v3 notification process, including traps This section describes how to configure a switch to send network security and link-change notifications to configured trap receivers. ...
  • Page 155: Supported Notifications

    Supported Notifications By default, the following notifications are enabled on a switch: • Manager password changes • SNMP authentication failure • Link-change traps: when the link on a port changes from up to down (linkDown) or down to up (linkUp) •...
  • Page 156: Snmp Trap Receivers

    IPv4 or IPv6 address. You can specify up to ten trap receivers (network management stations). (The default community name is public.) ...
  • Page 157: Snmpv2C Informs

    [{<none | all | not-info | critical | debug>}] (Optional) Configures the security level of the Event Log messages you want to send as traps to a trap receiver (see the following table). • The type of Event Log message that you specify applies only to Event Log messages, not to threshold traps.
  • Page 158: Configuring Snmpv3 Notifications (Cli)

    Procedure 1. Enable SNMPv3 operation on the switch by entering the snmpv3 enable command (See "SNMP Version 3 Commands" on page N-7). When SNMPv3 is enabled, the switch supports:...
  • Page 159 • Reception of SNMPv3 notification messages (traps and informs) • Configuration of initial users • (Optional) Restriction of non-SNMPv3 messages to "read only" 2. Configure SNMPv3 users by entering the snmpv3 user command (see SNMPv3 users on page 147). Each SNMPv3 user configuration is entered in the User Table.
  • Page 160 SNMPv3 user (from the user user_name value configured with the snmpv3 user command in Step 2). If you enter the snmpv3 params user command, you must also configure a security model (sec-model) and message processing algorithm (msg-processing). ...
  • Page 161: Network Security Notifications

    {<sec-model [ver1 | ver2c | ver3>]} Configures the security model used for SNMPv3 notification messages sent to the management station configured with the snmpv3 targetaddress command in Step 5. If you configure the security model as ver3, you must also configure the message processing value as ver3.
  • Page 162 For a failed login with a manager password. password-change-mgr When a manager password is reset. mac-notify Globally enables the generation of SNMP trap notifications upon MAC address table changes. nd-snooping Set the trap for nd snooping...
  • Page 163: Enabling Link-Change Traps (Cli)

    port-security For a failed authentication attempt through a web, MAC, or 802.1X authentication session. running-config-change When changes to the running configuration file are made. snmp-authentication [extended | standard] For a failed authentication attempt via SNMP. (Default: extended.) Startup-config-change Sends a trap when changes to the startup configuration file are made.
  • Page 164: Source Ip Address For Snmp Notifications

    To use the IP address of the destination interface on which an SNMP request was received as the source IP address in the IP header of SNMP traps and replies, enter the following command: switch(config)# snmp-server response-source dst-ip-of-request...
  • Page 165 Syntax: [no] snmp-server trap-source [ipv4-addr | loopback <0-7>] Specifies the source IP address to be used for a trap PDU. To configure the switch to use a specified source IP address in generated trap PDUs, enter the snmp-server trap-source command. The no form of the command resets the switch to the default behavior (compliant with rfc-1517).
  • Page 166: Viewing Snmp Notification Configuration (Cli)

    Figure 32: Display of SNMP notification configuration Advanced management: RMON The switch supports RMON (remote monitoring) on all connected network segments. This allows for troubleshooting and optimizing your network. The following RMON groups are supported:...
  • Page 167: Cli-Configured Sflow With Multiple Instances

    • Ethernet Statistics (except the numbers of packets of different frame sizes) • Alarm • History (of the supported Ethernet statistics) • Event The RMON agent automatically runs in the switch. Use the RMON management station on your network to enable or disable specific RMON traps and events.
  • Page 168: Viewing Sflow Configuration And Status (Cli)

    (this is set by the management station and decrements with time). • Max Datagram Size shows the currently set value (typically a default value, but this can also be set by the management station).
  • Page 169: Configuring Udld Verify Before Forwarding

    Syntax: show sflow <receiver instance> sampling-polling <port-list/range> Displays status information about sFlow sampling and polling. The show sflow instance sampling-polling [port-list] command displays information about sFlow sampling and polling on the switch, as shown in Figure 33: Example: of viewing sFlow sampling and polling information on page 169.
  • Page 170: Restrictions

    Syntax: HP Switch(config)# link-keepalive mode forward-then-verify Forwards the data then verifies the status of the link. If a unidirectional state is detected, the port is then moved to a blocked state.
  • Page 171: Show Commands

    Syntax: HP Switch(config)# link-keepalive interval <deciseconds> Configure the interval for link-keepalive. The link-keepalive interval is the time between sending two UDLD packets. The time interval is entered in deciseconds (1/10 sec). The default keepalive interval is 50 deciseconds. Example: A value of 10 is 1 sec., 11 is 1.1 sec. Syntax: HP Switch(config)# link-keepalive retries <number>...
  • Page 172: General Lldp Operation

    Thus, two LLDP switches joined by a hub or repeater handle LLDP traffic in the same way that they would if directly connected. • Any intervening 802.1D device or Layer-3 device that is either LLDP-unaware or has disabled LLDP operation drops the packet.
  • Page 173: Lldp Operation Configuration Options

    LLDP operation configuration options In the default configuration, LLDP is enabled and in both transmit and receive mode on all active ports. The LLDP configuration includes global settings, which apply to all active ports on the switch, and per-port settings, which affect only the operation of the specified ports.
  • Page 174 Uses the switch's assigned name. System Description Enable/Disable Enabled Includes switch model name and running software version, and ROM version. Port Description Enable/Disable Enabled Uses the physical port identifier.
  • Page 175: Remote Management Address

    Data type Configuration options Default Description System capabilities Enable/Disable Enabled Identifies the switch's supported primary capabilities (bridge, router). System capabilities Enable/Disable Enabled Identifies the primary switch functions that are enabled, such as routing. The Packet Time-to-Live value is included in LLDP data packets. Subelement of the Chassis ID TLV.
  • Page 176: Lldp Operating Rules

    The commands in this section affect both LLDP and LLDP-MED operation. For information on operation and configuration unique to LLDP-MED, refer to “LLDP-MED (Media-Endpoint-Discovery)”. Syntax: show lldp config
  • Page 177 Displays the LLDP global configuration, LLDP port status, and SNMP notification status. For information on port admin status, see Configuring per-port transmit and receive modes (CLI) on page 182. show lldp config produces the following display when the switch is in the default LLDP configuration: Viewing the general LLDP configuration switch(config)# show lldp config LLDP Global Configuration...
  • Page 178: Configuring Global Lldp Packet Controls

    The switch preserves the current LLDP configuration when LLDP is disabled. After LLDP is disabled, the information in the LLDP neighbors database remains until it times-out. (Default: Enabled)
  • Page 179 Disabling LLDP switch(config)# no lldp run Changing the packet transmission interval (CLI) This interval controls how often active ports retransmit advertisements to their neighbors. Syntax: lldp refresh-interval <5-32768> Changes the interval between consecutive transmissions of LLDP advertisements on any given port. (Default: 30 seconds) NOTE: The refresh-interval must be greater than or equal to (4 x delay-interval).
  • Page 180 Extending the reinitialization-delay interval delays the ability of the port to reinitialize and generate LLDP traffic following an LLDP disable/enable cycle. Changing the reinitialization delay interval (CLI) Syntax: setmib lldpReinitDelay.0 -i <1-10>
  • Page 181: Configuring Snmp Notification Support

    Uses setmib to change the minimum time (reinitialization delay interval) an LLDP port will wait before reinitializing after receiving an LLDP disable command followed closely by a txonly or tx_rx command. The delay interval commences with execution of the lldp admin-status port-list disable command. (Default: 2 seconds;...
  • Page 182: Configuring Per-Port Transmit And Receive Modes (Cli)

    The no form of the command deletes the specified IP address. If there are no IP addresses configured as management addresses, the IP address selection method returns to the default operation.
  • Page 183 Default: The port advertises the IP address of the lowest-numbered VLAN (VID) to which it belongs. If there is no IP address configured on the VLANs to which the port belongs, and if the port is not configured to advertise an IP address from any other (static) VLAN on the switch, the port advertises an address of 127.0.0.1.) NOTE: This command does not accept either IP addresses acquired through DHCP or Bootp, or IP...
  • Page 184: Support For Port Speed And Duplex Advertisements

    Using SNMP to compare local and remote information can help in locating configuration mismatches. (Default: Enabled) NOTE: For LLDP operation, this TLV is optional. For LLDP-MED operation, this TLV is mandatory.
  • Page 185: Port Vlan Id Tlv Support On Lldp

    Port VLAN ID TLV support on LLDP The port-vlan-id option enables advertisement of the port VLAN ID TLV as part of the regularly advertised TLVs. This allows discovery of a mismatch in the configured native VLAN ID between LLDP peers. The information is visible using show commands and is logged to the Syslog server.
  • Page 186: Snmp Support

    MIB object lldpXdot1ConfigPortVlanTxEnable in the lldpXdot1ConfigPortVlanTable. The port VLAN ID TLV local information can be obtained from the MIB object lldpXdot1LocPortVlanId in the local information table lldpXdot1LocTable.
  • Page 187: Lldp-Med (Media-Endpoint-Discovery)

    The port VLAN ID TLV information about all the connected peer devices can be obtained from the MIB object lldpXdot1RemPortVlanId in the remote information table lldpXdot1RemTable. LLDP-MED (media-endpoint-discovery) LLDP-MED (ANSI/TIA-1057/D6) extends the LLDP (IEEE 802.1AB) industry standard to support advanced features on the network edge for Voice Over IP (VoIP) endpoint devices with specialized capabilities and LLDP-MED standards-based functionality....
  • Page 188: Lldp-Med Endpoint Support

    IP media and offer all Class 1 and Class 2 features, plus location identification and emergency 911 capability, Layer 2 switch support, and device information management. LLDP-MED operational support The switches offer two configurable TLVs supporting MED-specific capabilities:
  • Page 189: Lldp-Med Fast Start Control

    • medTlvEnable (for per-port enabling or disabling of LLDP-MED operation) • medPortLocation (for configuring per-port location or emergency call data) NOTE: LLDP-MED operation also requires the port speed and duplex TLV (dot3TlvEnable), which is enabled in the default configuration. Topology change notifications provide one method for monitoring system activity. However, because SNMP normally employs UDP, which does not guarantee datagram delivery, topology change notification should not be relied upon as the sole method for monitoring critical endpoint device connectivity.
  • Page 190 Web browser.) The QoS and voice VLAN policy elements can be statically configured with the following CLI commands: vlan <vid> voice vlan <vid> {<tagged | untagged> <port-list>} int <port-list> qos priority <0-7> vlan <vid> qos dscp <codepoint>
  • Page 191 NOTE: A codepoint must have an 802.1p priority before you can configure it for use in prioritizing packets by VLAN-ID. If a codepoint you want to use shows No Override in the Priority column of the DSCP policy table (display with show qos-dscp map), then use qos-dscp map <codepoint>...
  • Page 192: Location Data For Lldp-Med Devices

    You can configure a switch port to advertise location data for the switch itself, the physical wall-jack location of the endpoint (recommended), or the location of a DHCP server supporting the switch, endpoint, or both. You also have the option of configuring these different address types:
  • Page 193 • Civic address: physical address data such as city, street number, and building information • ELIN (Emergency Location Identification Number): an emergency number typically assigned to MLTS (Multiline Telephone System) Operators in North America • Coordinate-based location: latitude, longitude, and altitude information (Requires configuration via an SNMP application.) Configuring location data for LLDP-MED devices Syntax:...
  • Page 194 An ELIN is a valid NANP format telephone number assigned to MLTS operators in North America by the appropriate authority. The ELIN is used to route emergency (E911) calls to a PSAP. (Range: 1-15 numeric characters)
  • Page 195 Configuring coordinate-based locations Latitude, longitude, and altitude data can be configured per switch port using an SNMP management application. For more information, see the documentation provided with the application. A further source of information on this topic is RFC 3825-Dynamic host configuration protocol option for coordinate-based location configuration information.
  • Page 196: Viewing Switch Information Available For Outbound Advertisements

    <port-list> command to change the selection of information that is included in actual outbound advertisements. In the default LLDP configuration, all information displayed by this command is transmitted in outbound advertisements.
  • Page 197: Displaying The Current Port Speed And Duplex Configuration On A Switch Port

    In the default configuration, the switch information currently available for outbound LLDP advertisements appears similar to the display in the following example. Displaying the global and per-port information available for outbound advertisements switch(config)# show lldp info local-device LLDP Local Device Information Chassis Type : mac-address Chassis Id : 00 23 47 4b 68 DD System Name : HP Switch1...
  • Page 198: Viewing Advertisements Currently In The Neighbors Mib

    An LLDP-MED listing of an advertisement received from an LLDP-MED (VoIP telephone) source switch(config)# show lldp info remote-device 1 LLDP Remote Device Information Detail Local Port : A2 ChassisType : network-address ChassisId : 0f ff 7a 5c PortType : mac-address
  • Page 199: Displaying Lldp Statistics

    PortId : 08 00 0f 14 de f2 SysName : HP Switch System Descr : HP Switch, revision xx.15.06.0000x PortDescr : LAN Port System Capabilities Supported : bridge, telephone System Capabilities Enabled : bridge, telephone Remote Management Address MED Information Detail EndpointClass :Class3 Media Policy Vlan id...
  • Page 200 The number of LLDP neighbors dropped on the port because of Time-to-Live expiring. Examples: A global LLDP statistics display switch(config)# show lldp stats LLDP Device Statistics Neighbor Entries List Last Updated : 2 hours
  • Page 201: Lldp Operating Notes

    New Neighbor Entries Count : 20 Neighbor Entries Deleted Count : 20 Neighbor Entries Dropped Count : 0 Neighbor Entries AgeOut Count : 20 LLDP Port Statistics Port | NumFramesRecvd NumFramesSent NumFramesDiscarded ------ + -------------- ------------- ------------------ | 97317 97843 | 21 | 446 A per-port LLDP statistics display...
  • Page 202: Neighbor Data Can Remain In The Neighbor Database After The Neighbor Is Disconnected

    System Capability TLV. CDP has only a single field for this data. Thus,
  • Page 203: Cdp Operation And Commands

    when CDP System Capability data is mapped to LLDP, the same value appears in both LLDP System Capability fields. ◦ System Name and Port Descr are not communicated by CDP, and thus are not included in the switch's Neighbors database. NOTE: Because HPE switches do not generate CDP packets, they are not represented in the CDP data collected by any neighbor devices running CDP.
  • Page 204: Viewing The Current Cdp Neighbors Table Of The Switch

    | Platform Capability ---- ----------------------------- + ---------------------------- ----------- Accounting (0030c1-7fcc40) | J4812A HP Switch. . . Resear¢1-1 (0060b0-889e43) | J4121A HP Switch. . . Support (0060b0_761a45) | J4121A HP Switch. . .
  • Page 205: Enabling And Disabling Cdp Operation

    Marketing (0030c5_33dc59) | J4313A HP Switch. . . Mgmt NIC(099a05-09df9b | NIC Model X666 Mgmt NIC(099a05-09df11 | NIC Model X666 Enabling and Disabling CDP Operation Enabling CDP operation (the default) on the switch causes the switch to add entries to its CDP Neighbors table for any CDP packets it receives from other neighboring CDP devices.
  • Page 206: Configuring The Switch To Filter Untagged Traffic

    PVID advertised by a neighboring switch and the PVID of the switch port which receives the LLDP advertisement. Logging is an LLDP feature that allows detection of possible vlan leakage
  • Page 207: Generic Header Id In Configuration File

    The IGNORE tag is inserted into the first line of the configuration file directly after the J-number. Configuration file ; J9782A IGNORE Configuration Editor; Created on release #YB.15.14.0000x ; Ver #04:63.ff.37.27:88 hostname "HP-2530-24" snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN"...
  • Page 208: Configuration Commands For The Add-Ignore-Tag Option

    The show logging command is used to locate errors during a configuration validation process. The event log catalogs entries with the ID#00158 and updates for each invalid entry found in the configuration file.
  • Page 209: Exclusions

    Show logging -- Reverse event Log listing: Events Since Boot ---- W 01/07/14 00:29:31 00158 update: line 13. Module command missing for port or invalid port: 36 I 01/07/14 00:29:30 00131 tftp: Transfer completed I 01/07/14 00:29:29 00090 dhcp: Trying to download Config File (using TFTP) received in DHCP from 192.168.1.1 NOTE: Downloading a manually edited configuration file is not encouraged....
  • Page 210: Chapter 9 Captive Portal For Clearpass

    If you are running HPE 5400 Series v2 modules, you must turn off the compatibility mode with the following command: switch(config)# no allow-v1-modules This will ensure that the switch will only power up with the v2 modules.
  • Page 211: Best Practices

    Best Practices • Use the Port Bounce VSA via a CoA message, instead of the Disconnect message, to cause the second RADIUS authentication to occur during the Captive Portal exchange. This is the more reliable method for forcing a re-DHCP for the client. •...
  • Page 212: Captive Portal When Disabled

    For CPPM versions 6.5.*, you must update the HP RADIUS dictionary. To import the dictionary in CPPM, follow these steps: Procedure 1. Go to Administration -> Dictionaries -> RADIUS and click Import. 2. Select the XML HP RADIUS Dictionary from your Hard Drive. 3. Click Import.
  • Page 213: Create Enforcement Profiles

    Create enforcement profiles NOTE: Create the HPE Bounce Host-Port profile and the Guest Login profile only if they do not already exist. For the HPE Bounce Host-Port profile, configure Captive Portal so that the RADIUS CoA message that includes the Port Bounce VSA is sent to force the second RADIUS re-authentication after the user registers their device and makes it known.
  • Page 214: Create A Clearpass Guest Self-Registration

    Create a ClearPass guest self-registration Procedure 1. From the Customize Guest Registration window, select Server-initiated as the Login Method. 2. Optionally, under Security Hash, select the level of checking to apply to the redirect URL.
  • Page 215: Configure The Login Delay

    Configure the login delay Enter the Login Delay value. The value must be greater than the HPE-Port-Bounce-Host attribute. In this example, we set the login delay value to 20 seconds. Configuring the switch Once you have configured Captive Portal, you can configure the switch. To configure the switch, you must first configure the switch as a RADIUS client, then configure the ports that will be used for Captive Portal, as follows: Procedure 1.
  • Page 216: Configure The Url Key

    Display Captive Portal configuration To display the Captive Portal configuration settings, enter the show captive-portal command: switch(config)# show captive-portal Captive Portal Configuration Redirection Enabled : Yes
  • Page 217: Show Certificate Information

    URL Hash Key Configured : No Show certificate information To view the certificate information, enter: switch(config)# show crypto pki local-certificate Name Usage Expiration Parent / Profile -------------------- --------------- -------------- -------------------- Captive Portal 2016/08/14 default Troubleshooting Event Timestamp not working Symptom The client gets a credentials request on the web browser even though the valid credentials were already provided, or the client is not redirected to the Captive Portal.
  • Page 218: Unable To Enable Feature

    The status is not changed to Known. Action After the client submits the credentials, the CPPM service must change the Endpoint Status to Known. Solution 2 Cause The cache value is set.
  • Page 219: Unable To Configure A Url Hash Key

    Action Clear the CPPM Cache Timeout of the Endpoint Repository. Unable to configure a URL hash key Symptom The following message is displayed: Key exceeds the maximum length of 64 characters. Cause The URL hash key is not valid. Action Select a key of 64 or fewer ASCII characters....
  • Page 220: Debug Command

    Enables debug logging for the Radius sub-system. debug destination session Prints debug messages to terminal. debug destination logging Sends debug messages to the syslog server. debug destination buffer Prints debug messages to a buffer in memory.
  • Page 221: Chapter 10 Zero Touch Provisioning With Airwave And Central

    Aruba Central is a popular cloud-based management solution for Branch and Distributed Enterprises which prefer simplicity, programmability, and integration with third-party cloud-based solutions for automation. Central offers cloud portal subscriptions through which one can manage the entire network of Aruba devices, without having to set up, upgrade, scale, or manage an NMS.
  • Page 222 NOTE: The AirWave configuration must be in the following format: <Group>:<Topfolder>:<folder1>,<AMP IP >,<shared secret> 4. After a successful registration, AirWave can monitor, configure, and troubleshoot the switches. Refer to Aruba Networks and AirWave Switch Configuration Guide. 5. Check-in failure retry is done every 60 seconds for 10 retries.
  • Page 223: Limitations

    NOTE: If IPsec tunnel is required for AirWave, the switch requires Aruba Mobility Controller IP address, which is provided through ZTP with DHCP Option 138 (CAPWAP). Limitations • ZTP is not supported through OOBM. • The HTTPS check-in to AirWave does not support HTTPS proxy.
  • Page 224 Select Roles -> DHCP -> Server -> w2k8 -> IPv4. Right-click IPv4 and select Set Predefined Options...
  • Page 225 The Predefined Options and Values screen is displayed. Click Add... Enter the desired Name (any), Data type (select String), Code (enter 60), and Description (any).
  • Page 226 From the Predefined Options and Values screen, under Value, enter the String ArubaInstantAP. The string is case-sensitive and must be ArubaInstantAP. Click OK. Under IPv4, expand Scope. Right-click Scope Options and select Configure Options...
  • Page 227 10. Under the General tab, select 043 Vendor Specific Info. The Data entry data appears. Under ASCII, enter hpeSwitch:hp2920,90.1.1.10, admin. The ASCII value has the following format: <Group>:<Topfolder>,<AMP IP>,<shared secret> 11. To add sub-folders, use the following format:<Group>:<Topfolder>:<folder1>,<AMP IP>,<shared secret> 12.
  • Page 228: Configure Airwave Details In Dhcp (Alternative Method)

    To configure a DHCP server for ZTP and AirWave, from a Windows Server 2008, do the following steps: NOTE: Use these steps to configure ZTP for every switch by selecting a different Vendor Class for each type of switch. Procedure From the Start menu, select Server Manager.
  • Page 229 Select Roles -> DHCP -> Server -> w2k8 -> IPv4. Right-click IPv4 and select Define Vendor Classes...
  • Page 230 To get the vendor-specific value of a switch, go to the switch console and enter: switch# show dhcp client vendor-specific In our example, the command returns the following value: Processing of Vendor Specific Configuration is enabled Vendor Class Id = HP J9729A 2920-24G-PoE+ Switch dslforum.org
  • Page 231 From the New Class window, enter the desired Display name (any) and the Description (any). For the ASCII field, enter the exact value that you got by executing the show command performed in the previous step. In this example, Hewlett Packard Enterprise J9729A 2920-24G-PoE+ Switch dslforum.org. Click OK.
  • Page 232 DHCP Vendor Class. In this example, the Option Class is switch. 11. Click Add... 12. From the Option Type window, enter the desired Class (any), the Data type (select string), the Code (enter 146), and the Description (any).
  • Page 233 13. Click OK. 14. Under the Predefined Options and Values window, enter the Value String. In this example, we enter hpeSwitch:hp2920,90.1.1.10, admin. The String has the following format: <Group>:<Topfolder>,<AMP IP>,<shared secret> 15. To add sub-folders, use the following format:<Group>:<Topfolder>:<folder1>,<AMP IP>,<shared secret>...
  • Page 234 18. From the Scope Options window: a. Select the Advanced tab. b. Under Vendor class, select the desired switch. In this example, switch. c. Select the 146 hpswitch option. d. Click OK.
  • Page 235: Configure Airwave Details Manually

    19. You can verify the AirWave details as follows: switch# show amp-server switch# show run Configure AirWave details manually This section focuses on configuring the switch manually to reach out to AirWave. Manual configuration may be required, if ZTP is disabled due to the following scenarios or if AirWave credentials are not provided during the DHCP offer: •...
  • Page 236: Amp-Server

    To view the AirWave configuration details, use the show amp-server command, for example: AirWave Configuration details AMP Server IP : 192.168.1.1 AMP Server Group : HP_GROUP AMP Server Folder : folder AMP Server Secret : branch1024 AMP Server Config Status: Configured
  • Page 237: Debug Ztp

    show running-configuration switch# show running-config hostname "switch-name" module 1 type j9726a snmp-server community "public" unrestricted oobm ip address dhcp-bootp exit vlan 1 name "DEFAULT_VLAN" untagged 1-24 ip address dhcp-bootp exit amp-server ip 192.168.1.1 group "group" folder "folder" secret "branch1024" debug ztp Syntax debug ztp no debug ztp...
  • Page 238: Image Upgrade

    Absence of corporate network reaching every branch Configuring Activate-based ZTP with AirWave For Activate-based ZTP, the switch connects to Aruba Activate service through the Internet and autoconfiguration takes place based on the settings provided in Activate. For more information on how to set up an Activate account, folder and their rules, refer to the Aruba Activate User Guide.
  • Page 239: Ztp With Aruba Central

    AirWave. This configuration can be set as part of the initial configuration push from Activate. ZTP with Aruba Central Aruba Central does not require any configuration of local DHCP server or other network components but requires a switch with Internet access.
  • Page 240 3. The switches check-in with Central and the server pushes the configuration to the switches based on the group, switch model, and branch location. For more information on Central configuration, refer to the Aruba Central Configuration Guide. After the switch successfully checks-in with Central, the following management interfaces on the switch are disabled: •...
  • Page 241: Led Behavior During Connectivity Loss

    Central server, the configuration is updated from that server and most local configuration commands are disabled. Support mode enables those commands for use in troubleshooting problems. Support mode is disabled by default. When the system is not connected to Aruba Central server, the full command set is enabled for local configuration.
  • Page 242: Troubleshooting

    Enter support mode to enable all CLI configuration commands switch(config)# aruba-central support-mode enable This mode will enable all CLI configuration commands, including those normally reserved by the Aruba Central service. Use of this mode may invalidate the configuration provisioned through Aruba Central server.
  • Page 243: Chapter 11 Auto Configuration Upon Aruba Ap Detection

    You can create port configuration profiles, associate them to a device type, and enable or disable a device type. The only device type supported is aruba-ap and it is used to identify all the Aruba APs. When a configured device type is connected on a port, the system automatically applies the corresponding port profile.
  • Page 244: Profile Manager And 802.1X

    Profile Manager interoperates with RADIUS when it is working in the client mode. When a port is blocked due to 802.1X authentication failure, the LLDP packets cannot come in on that port. Therefore, the Aruba AP cannot be detected and the device profile cannot be applied. When the port gets authenticated, the LLDP packets come in, the AP is detected, and the device profile is applied....
  • Page 245: Device-Profile Name

    The Class of Service (CoS) priority for traffic from the device. untagged-vlan The port is an untagged member of specified VLAN. tagged-vlan The port is a tagged member of the specified VLANs. ingress-bandwidth The ingress maximum bandwidth for the device port. egress-bandwidth
  • Page 246: Device-Profile Type

    Parameters type An approved device type in order to configure and attach a profile to it. The only device type supported is aruba-ap and it is used to identify all the Aruba APs.
  • Page 247: Rogue Ap Isolation

    The MAC is also logged in the system log. When an Aruba AP detects a rogue AP on the network, it sends out the MAC address of the AP as well as the MAC of the clients connected to the AP to the switch using the ArubaOS-Switch proprietary LLDP TLV protocol.
  • Page 248: Feature Interactions

    If rogue-ap-isolation blocks a MAC before it is configured to be authorized, packets from such MACs will be dropped until one of the following happens: • Rogue action is changed to LOG. • Rogue-AP isolation feature is disabled.
  • Page 249: L3 Mac

    Rogue AP Action : Block Rogue MAC Address Neighbour MAC Address ----------------- --------------------- 3. Change the action type from block to log: switch# rogue-ap-isolation action log switch# show rogue-ap-isolation Rogue AP Isolation
  • Page 250: Rogue-Ap-Isolation

    Configures the action to take for the rogue AP packets. This function is disabled by default. Parameters action Configure the action to take for rogue AP packets. By default, the rogue AP packets are blocked.
  • Page 251: Rogue-Ap-Isolation Whitelist

    2. The data that is in the rogue AP TLV sent from the AP that informed the rogue MAC has changed. 3. To permanently ignore a MAC from being detected as rogue, add it to the whitelist.
  • Page 252: Troubleshooting

    The show run command displays one of the following values for untagged-vlan: • no untagged-vlan • untagged-vlan : None Cause The no device-profile or the no rogue-ap-isolation whitelist command is executed to configure untagged-vlan to 0.
  • Page 253: Show Commands

    Device profile <> does not exist. device-profile profile-name deletion. Cannot delete profile <> when associated with a device type. device-profile profile-name deletion. Default profile cannot be deleted.
  • Page 254 The maximum number of whitelist MACs allowed is 128. rogue-ap-whitelist <MAC> Cannot add the whitelist entry because the specified MAC address is already configured as a lock-out MAC.
  • Page 255 MAC address is already configured as a whitelist MAC. lockout-mac <MAC-ADDRESS> OR static-mac <MAC-ADDRESS> vlan <vlan-id> interface <interface> OR vlan <vlan-id> ip-recv-mac-address <MAC-ADDRESS> Cannot add an entry for the MAC address <MAC-ADDRESS> because it is already blocked by rogue-ap-isolation.
  • Page 256: Chapter 12 Lacp-Mad

    ID of a VSF virtual device. The active ID is identical to the member ID of the master and is thus unique to the VSF virtual device. When LACP MAD detection is enabled, the members exchange their active IDs by sending extended LACPDUs.
  • Page 257 • When the VSF virtual device operates normally, the active IDs in the extended LACPDUs sent by all members are the same, indicating that there is no multi-active collision. • When there is a breakup in the VSF stack, the active IDs in the extended LACPDUs sent by the members in different VSF virtual devices are different, indicating that there are multi-active collisions.
  • Page 258: Chapter 13 Scalability Ip Address Vlan And Routing Maximum Values

    Dynamic Routing Total routes supported IPv4 only: 10,000 (including ARP) IPv4 and IPv6: 10 K (IPv4) and 3 K (IPv6) IPv6 only: 5 K IPv4 Routing Protocol RIP interfaces
  • Page 259 Subject Maximum IPv6 Routing Protocol DHCPv6 Helper Addresses 32 unique addresses; multiple instances of same address counts as 1 towards maximum
  • Page 260: Chapter 14 File Transfers

    The switch is properly connected to your network and has already been configured with a compatible IP address and subnet mask. • The TFTP server is accessible to the switch via IP. Before you use the procedure, do the following:
  • Page 261: Downloading From A Server To Primary Flash Using Tftp (Menu)

    • Obtain the IP address of the TFTP server in which the software file has been stored. • If VLANs are configured on the switch, determine the name of the VLAN in which the TFTP server is operating. • Determine the name of the software file stored in the TFTP server for the switch (for example, E0820.swi). NOTE: If your TFTP server is a UNIX workstation, ensure that the case (upper or lower) that you specify for the filename is the same case as the characters in the software filenames on the server.
  • Page 262 From the Main Menu, select 2. Switch Configuration... 2. Port/Trunk Settings b. Check the Firmware revision line. For troubleshooting information on download failures, see Troubleshooting TFTP download failures on page 263.
  • Page 263: Troubleshooting Tftp Download Failures

    Troubleshooting TFTP download failures Cause When using the menu interface, if a TFTP download fails, the Download OS (Operating System, or software) screen indicates the failure as seen in the following figure. Figure 39: Example of message for download failure Some of the causes of download failures include: •...
  • Page 264: Downloading From A Server To Flash Using Tftp (Cli)

    NOTE: If you use auto-tftp to download a new image in a redundant management system, the active management module downloads the new image to both the active and standby modules. Rebooting after the auto-tftp process completes reboots the entire system.
  • Page 265: Using Scp And Sftp

    Using SCP and SFTP For some situations you may want to use a secure method to issue commands or copy files to the switch. By opening a secure, encrypted SSH session and enabling ip ssh file transfer, you can then use a third-party software application to take advantage of SCP and SFTP.
  • Page 266: Enabling Scp And Sftp

    Viewing the configuration shows that SFTP is enabled and TFTP is disabled. If you enable SFTP and then later disable it, TFTP and auto-TFTP remain disabled unless they are explicitly re-enabled.
  • Page 267 Operating rules are: • The TFTP feature is enabled by default, and can be enabled or disabled through the CLI, the Menu interface (see Figure 40: Using the Menu interface to disable TFTP on page 267), or an SNMP application. Auto-TFTP is disabled by default and must be configured through the CLI.
  • Page 268: Enabling Ssh V2 (Required For Sftp)

    Because the third-party software utilities you may use for SCP/SFTP vary, you should refer to the documentation provided with the utility you select before performing this process.
  • Page 269: Scp/Sftp Operating Notes

    SCP/SFTP operating notes • Any attempts to use SCP or SFTP without using ip ssh filetransfer will cause the SCP or SFTP session to fail. Depending on the client software in use, you will receive an error message on the originating console, for example: IP file transfer not enabled on the switch •...
  • Page 270: Troubleshooting Ssh, Sftp, And Scp Operations

    This next example shows the error message that may appear on the client console if a new SCP (or SFTP) session is started from a client before the previous client session has been closed (the switch requires approximately ten seconds to time out the previous session):
  • Page 271: Using Xmodem To Download Switch Software From A Pc Or Unix Workstation

    Received disconnect from 10.0.12.31: 2: Wait for previous session to complete lost connection Attempt to start a second session The switch supports only one SFTP session or one SCP session at a time. If a second session is initiated (for example, an SFTP session is running and then an SCP session is attempted), the following error message may appear on the client console: Received disconnect from 10.0.12.31: 2: Other SCP/SFTP...
  • Page 272: Downloading To Primary Or Secondary Flash Using Xmodem And A Terminal Emulator (Cli)

    Type the file path and name in the Filename field. c. In the Protocol field, select Xmodem. d. Click on the [Send] button. The download can take several minutes, depending on the baud rate used in the transfer.
  • Page 273: Switch-To-Switch Download

    3. When the download finishes, you must reboot the switch to implement the newly downloaded software. To do so, use one of the following commands: Syntax: boot system flash {<primary | secondary>} Reboots from the selected flash Syntax: reload Reboots from the flash image currently in use For more information on these commands, see “Rebooting the Switches”...
  • Page 274: Downloading The Os From Another Switch (Cli)

    To download a software file from primary flash in a switch with an IP address of 10.29.227.103 to the primary flash in the destination switch, you would execute the following command in the destination switch's CLI:
  • Page 275: Using Airwave To Update Switch Software

    Switch-to-switch, from primary in source to either flash in destination switch# copy tftp flash 10.29.227.13 flash Device will be rebooted, do you want to continue [y/n]? y 00107K Running Total of Bytes Downloaded Downloading from either flash in the source switch to either flash in the destination switch (CLI) Syntax: copy tftp flash <ip-addr>...
  • Page 276: Xmodem: Copying A Software Image From The Switch To A Serially Connected Pc Or Unix Workstation (Cli)

    This command can copy a designated config file in the switch to a TFTP server. For more information, see "Multiple Configuration Files" in the basic operation guide for your switch. Example:
  • Page 277: Tftp: Copying A Configuration File From A Remote Host (Cli)

    To upload the current startup configuration to a file named sw8200 in the configs directory on drive "d" in a TFTP server having an IP address of 10.28.227.105: switch# copy startup-config tftp 10.28.227.105 d:\configs\sw8200 TFTP: Copying a configuration file from a remote host (CLI) Syntax: copy tftp {<startup-config | running-config>...
  • Page 278: Xmodem: Copying A Configuration File To A Serially Connected Pc Or Unix Workstation (Cli)

    {<pc | unix>} copy xmodem config <filename> < {pc | unix>} Copies a configuration file from a serially connected PC or UNIX workstation to a designated configuration file on the switch.
  • Page 279: Copying Diagnostic Data To A Remote Host, Pc Or Unix Workstation

    For more information, see "Multiple Configuration Files" in the basic operation guide for your switch. Example: To copy a configuration file from a PC serially connected to the switch: Procedure 1. Execute the following command: switch# copy xmodem startup-config pc Device will be rebooted, do you want to continue [y/n]? y Press 'Enter' and start XMODEM on your host...
  • Page 280: Copying Command Output To A Destination Device (Cli)

    Figure 42: Sending event log content to a file on an attached PC Copying crash data content to a destination device (CLI) This command uses TFTP, USB or Xmodem to copy the Crash Data content to a destination device.
  • Page 281 Syntax: copy crash-data tftp <ip-address> <filename> copy crash-data xmodem These commands copy the crash data content to a remote host, attached USB device, or to a serially connected PC or UNIX workstation. slot-id a - h—Retrieves the crash log or crash data from the processor on the module in the specified slot Retrieves crash log or crash data from the switch's chassis processor.
  • Page 282: Chapter 15 Monitoring And Analyzing Switch Operation

    View port activity for specific ports. Reset port counters When troubleshooting network issues, you can clear all counters and statistics without rebooting the switch using the clear statistics global command or using the menu.
  • Page 283: Clear Statistics

    SNMP displays the counter and statistics totals accumulated since the last reboot, and it is not affected by the clear statistics global command or the clear statistics <PORT-LIST> command. Clearing statistics initiates an SNMP trap. IMPORTANT: Once cleared, statistics cannot be reintroduced. clear statistics Syntax clear statistics [<PORT-LIST>|global]...
  • Page 284: Accessing Port And Trunk Statistics (Menu)

    This screen also includes the Reset action for the current session. MAC address tables MAC address views and searches You can view and search MAC addresses using the CLI or the menu. show mac-address Syntax
  • Page 285: Using The Menu To View And Search Mac Addresses

    show mac-address [vlan <VLAN-ID>] [<PORT-LIST>] [<MAC-ADDR>] Description Lists all MAC addresses on the switch and their corresponding port numbers. You can also choose to list specific addresses and ports, or addresses and ports on a VLAN. The switches operate with a multiple forwarding database architecture.
  • Page 286: Finding The Port Connection For A Specific Device On A Vlan

    1. Proceeding from Figure 45: Example of the address table on page 286, press [S] (for Search), to display the following prompt: Enter MAC address: _ 2. Enter the MAC address you want to locate and press [Enter].
  • Page 287: Viewing And Searching Port-Level Mac Addresses

    3. The address and port number are highlighted if found (Figure 46: Example of menu indicating located MAC address on page 287.) If the switch does not find the MAC address on the currently selected VLAN, it leaves the MAC address listing empty. Figure 46: Example of menu indicating located MAC address 4.
  • Page 288: Show Spanning-Tree

    Values for the following parameters appear only for ports connected to active devices: Designated Bridge, Hello Time, PtP, and Edge. show spanning-tree command output Figure 47: show spanning-tree command output IP IGMP status
  • Page 289: Show Ip Igmp

    show ip igmp Syntax show ip igmp <VLAN-ID> [config] [group <IP-ADDR>|groups] [statistics] Description Global command that lists IGMP status for all VLANs configured in the switch, including: • VLAN ID (VID) and name • Querier address • Active group addresses per VLAN •...
  • Page 290: Vlan Information

    "Unknown VLAN" setting (Learn, Block, Disable) • Port status (up/down) List data on specific VLANs The next three figures show how you can list data for the following VLANs: Ports VLAN A1-A12 DEFAULT_VLAN Table Continued Aruba 2530 Management and Configuration Guide for ArubaOS-Switch 16.05...
  • Page 291: Configuring A Source Switch In A Local Mirroring Session

    A1, A2 VLAN-33 A3, A4 VLAN-44 Figure 48: Listing the VLAN ID (vid) and status for specific ports Figure 49: Example of VLAN listing for the entire switch Figure 50: Port listing for an individual VLAN Configuring a source switch in a local mirroring session Enter the mirror port command on the source switch to configure an exit port on the same switch.
  • Page 292: Selecting All Traffic On A Port Interface For Mirroring According To Traffic Direction

    • both: Mirrors traffic entering and exiting. If you enter the monitor all command without selection criteria or a session identifier, the command applies by default to session 1.
  • Page 293: Viewing All Mirroring Sessions Configured On The Switch

    mirror [1 - 4 | name-str] Assigns the traffic specified by the interface and direction to a session by number or—if configured—by name. The session must have been previously configured. Depending on how many sessions are already configured on the switch, you can use the same command to assign the specified source to up to four sessions, for example, interface a1 monitor all in mirror 1 2 •...
  • Page 294: Viewing The Mirroring Configuration For A Specific Session

    Indicates whether the source is using a classifier-based mirroring policy to select inbound IPv4 or IPv6 traffic for mirroring. Mirroring Destination For a local mirroring session, displays the port configured as the exit port on the source switch.
  • Page 295: Using The Menu To Configure Local Mirroring

    Monitoring Sources For the specified local session, displays the source (port, trunk, or VLAN) interface and the MAC address (if configured) used to select mirrored traffic. Direction For the selected interface, indicates whether mirrored traffic is entering the switch (in), leaving the switch (out), or both.
  • Page 296 Restriction: In a policy, you can configure only one mirroring session per class. However, you can configure the same session for different classes. Mirroring is not executed on packets that match ignore criteria in a class.
  • Page 297: Classifier-Based Mirroring Restrictions

    The execution of mirroring actions is performed in the order in which the classes are numerically listed in the policy. The complete no form of the class action mirror command or the no <seq-number> command removes a class and mirroring action from the policy configuration. To manage packets that do not match the match or ignore criteria in any class in the policy, and therefore have no mirroring actions performed on them, you can enter an optional default class.
  • Page 298: Mirroring Configuration Examples

    "1" as the session number. (Any unused session number from 1 to 4 is valid.) Because the switch provides both the source and destination for the traffic to monitor, local mirroring can be used. In this case, the command sequence is: Aruba 2530 Management and Configuration Guide for ArubaOS-Switch 16.05...
  • Page 299: Maximum Supported Frame Size

    • Configure the local mirroring session, including the exit port. • Configure the monitored source interfaces for the session. Figure 54: Local mirroring topology Figure 55: Configuring a local mirroring session for all inbound and outbound port traffic Maximum supported frame size The IPv4 encapsulation of mirrored traffic adds a 54-byte header to each mirrored frame.
  • Page 300: Effect Of Downstream Vlan Tagging On Untagged, Mirrored Traffic

    802.1Q VLAN tags, the MTU for untagged mirrored frames leaving the source switch is reduced below the values shown in Maximum frame sizes for mirroring.
  • Page 301: Operating Notes For Traffic Mirroring

    For example, if the MTU on the path to the destination is 1522 bytes, untagged mirrored frames leaving the source switch cannot exceed 1518 bytes. Likewise, if the MTU on the path to the destination is 9220 bytes, untagged mirrored frames leaving the source switch cannot exceed 9216 bytes. Figure 56: Effect of downstream VLAN tagging on the MTU for mirrored traffic Operating notes for traffic mirroring •...
  • Page 302 Note that if a link's connectivity is repeatedly interrupted ("link toggling"), little or no mirrored traffic may be allowed for sessions using that link. To verify the status of any mirroring session configured on the source switch, use the show monitor command.
  • Page 303: Troubleshooting Traffic Mirroring

    Troubleshooting traffic mirroring Cause If mirrored traffic does not reach the configured remote destination (endpoint) switch or remote exit port, check the following configurations: • If the destination for mirrored traffic is on a different VLAN than the source, routing must be correctly configured along the path from the source to the destination.
  • Page 304: Configuring Port And Static Trunk Monitoring (Cli)

    This command assigns or removes a monitoring port, and must be executed from the global configuration level. Removing the monitor port disables port monitoring and resets the monitoring parameters to their factory-default settings.
  • Page 305 For example, to assign port 6 as the monitoring port: switch(config)# mirror-port 6 To turn off monitoring: switch(config)# no mirror-port Selecting or removing monitoring source interfaces After you configure a monitor port you can use either the global configuration level or the interface context level to select ports or static trunks as monitoring sources.
  • Page 306 Use the Port Utilization Graph and Alert Log in the WebAgent included in the switch to help isolate problems. These tools are available through the WebAgent: ◦ Port Utilization Graph ◦ Alert log
  • Page 307 ◦ Port Status and Port Counters screens ◦ Diagnostic tools (Link test, Ping test, configuration file browser) • For help in isolating problems, use the easy-to-access switch console built into the switch or Telnet to the switch console. For operating information on the Menu and CLI interfaces included in the console, see chapters 3 and 4.
  • Page 308 Invalid ARP source: IP address on IP address where both instances of IP address are the same address, indicating that the switch's IP address has been duplicated somewhere on the network.
  • Page 309 Duplicate IP addresses in a DHCP network If you use a DHCP server to assign IP addresses in your network, and you find a device with a valid IP address that does not appear to communicate properly with the server or other devices, a duplicate IP address may have been issued by the server.
  • Page 310 Correctly and incorrectly specifying a single host Switch(config)# access-list 6 permit host 10.28.100.100 Switch(config)# access-list 6 permit host 10.28.100.100 255.255.255.255 Invalid input: 255.255.255.255 Switch(config)# access-list 6 permit host 10.28.100.100/32 Invalid input: 10.28.100.100/32
  • Page 311 • Correct. • Incorrect. No mask needed to specify a single host. • Incorrect. No mask needed to specify a single host. Apparent failure to log all "deny" matches Where the log statement is included in multiple ACEs configured with a "deny" option, a large volume of "deny" matches generating logging messages in a short period of time can impact switch performance.
  • Page 312 1. Configure gateway security first for routing with specific permit and deny statements. 2. Permit authorized traffic. 3. Deny any unauthorized traffic that you have not already denied in step 1. IGMP-related problems
  • Page 313 IP multicast (IGMP) traffic that is directed by IGMP does not reach IGMP hosts or a multicast router connected to a port IGMP must be enabled on the switch and the affected port must be configured for "Auto" or "Forward" operation. IP multicast traffic floods out all ports;...
  • Page 314 Port Access Authenticator Status Port-access authenticator activated [No] : No Access Authenticator Authenticator Port Status Control State Backend State ---- ------ -------- -------------- -------------- Open Force Auth Idle Switch(config)# show port-access authenticator active
  • Page 315 Switch(config)# show port-access authenticator e 9 Port Access Authenticator Status Port-access authenticator activated [No] : Yes Access Authenticator Authenticator Port Status Control State Backend State ---- ------ -------- -------------- -------------- Closed FU Force Unauth Idle Port A9 shows an “Open” status even though Access Control is set to Unauthorized (Force Auth). This is because the port-access authenticator has not yet been activated.
  • Page 316 Dynamic Authorization UDP Port : 3799 Auth Acct DM/ Time Server IP Addr Port Port CoA Window Encryption Key --------------- ---- ---- --- ------ --------------- 10.33.18.119 1812 1813 119-only-key • Global RADIUS Encryption Key •
  • Page 317 Unique RADIUS Encryption Key for the RADIUS server at 10.33.18.119 MSTP and fast-uplink problems CAUTION: If you enable MSTP, Hewlett Packard Enterprise recommends that you leave the remainder of the MSTP parameter settings at their default values until you have had an opportunity to evaluate MSTP performance in your network.
  • Page 318 If the switch is functioning properly, but no username/password pairs result in console or Telnet access to the switch, the problem may be caused by how the TACACS+ server and/or the switch are configured. Use one of the following methods to recover:
  • Page 319 • Access the TACACS+ server application and adjust or remove the configuration parameters controlling access to the switch. • If the above method does not work, try eliminating configuration changes in the switch that have not been saved to flash (boot-up configuration) by causing the switch to reboot from the boot-up configuration (which includes only the configuration changes made prior to the last write memory command.) If you did not use write memory to save the authentication configuration to flash, pressing the Reset button reboots the switch with the boot-up configuration.
  • Page 320 VLAN_2 use the same link between switch "X" and switch "Y," as shown in Figure 58: Example of correct VLAN port assignments on a link on page 320. Figure 58: Example of correct VLAN port assignments on a link
  • Page 321 • If VLAN_1 (VID=1) is configured as "Untagged" on port 3 on switch "X," it must also be configured as "Untagged" on port 7 on switch "Y." Make sure that the VLAN ID (VID) is the same on both switches. •...
  • Page 322 V - Validated to respond to DOM requests • N - No support of DOM • D - Documented by the component suppliers as supporting DOM • NA - Not applicable to the transceiver (copper transceiver)
  • Page 323 NOTE: Not all transceivers support Digital Optical Monitoring. If DOM appears in the Diagnostic Support field of the show interfaces transceiver detail command, or the hpicfTransceiverMIB hpicfXcvrDiagnostics MIB object, DOM is supported for that transceiver. Viewing information about transceivers (CLI) Syntax: show interfaces transceiver [port-list] [detail] Displays information about the transceivers.
  • Page 324 Distance Link-length supported by the transceiver in meters. The corresponding transfer medium is shown in brackets following the transfer distance value, for example, 50um multimode fiber. If the transceiver supports multiple transfer media, the values are separated by a comma.
  • Page 325 Parameter Description Diagnostic Shows whether the transceiver supports diagnostics: Support None Supported Supported Supported Serial Number Serial number of the transceiver The information in the next three tables is only displayed when the transceiver supports DOM. Table 24: DOM information Parameter Description Temperature...
  • Page 326 PCS transmit local fault PHY XS transmit local fault PHY SX transmit local fault TX bias high TX bias current is high TX bias low TX bias current is low
  • Page 327 Alarm Description TX power high TX power is high TX power low TX power is low Temp high Temperature is high Temp low Temperature is low An example of the output for the show interfaces transceiver [port-list] detail for a 1000SX transceiver is shown below.
  • Page 328 6 ns Normal MDIX 6 ns Normal Short Impedance Impedance Open Copper cable diagnostic test results switch# show interfaces transceiver a23 detail Transceiver in A23 Interface Index : 23 Type : 1000T-sfp
  • Page 329 Model : J8177C Connector Type : RJ45 Wavelength : n/a Transfer Distance : 100m (copper), Diagnostic Support : VCT Serial Number : US051HF099 Link Status : Up Speed : 1000 Duplex : Full Cable Distance Pair Pair Port Pair Status to Fault Skew Polarity...
  • Page 330 As shown in Figure 60: Format of an event log entry on page 330, each Event Log entry is composed of six or seven fields, depending on whether numbering is turned on or not: Figure 60: Format of an event log entry
  • Page 331 Item Description Severity One of the following codes (from highest to lowest severity): M—(major) indicates that a fatal switch error has occurred. E—(error) indicates that an error condition occurred on the switch. W—(warning) indicates that a switch service has behaved unexpectedly. I—(information) provides information on normal switch operation.
  • Page 332 TFTP server address. dhcp v6c DHCP for IPv6 prefix assignment IPv6 Configuration Guide dhcpr DHCP relay: Forwards client-originated DHCP packets to a DHCP network server. Advanced Traffic Management Guide
  • Page 333 System module Description Documented in HPE Switch hardware/software guide download Download operation for copying a software version or files to the switch. Management and Configuration Guide Direct Access Memory (DMA): Transmits and receives packets between the CPU and the switch. — fault Fault Detection facility, including Management and Configuration...
  • Page 334 Supports transmitting LLDP packets Guide to neighbor devices and reading LLDP packets received from neighbor devices, enabling a switch to advertise itself to adjacent devices and to learn about adjacent LLDP devices. Table Continued Aruba 2530 Management and Configuration Guide for ArubaOS-Switch 16.05...
  • Page 335 System module Description Documented in HPE Switch hardware/software guide macauth Web and MAC authentication: Port- Access Security Guide based security employed on the network edge to protect private networks and the switch itself from unauthorized access using one of the following interfaces: •...
  • Page 336 Secure File Transfer Protocol (SFTP) feature. SFTP provides a secure alternative to TFTP for transferring sensitive information, such as switch configuration files, to and from the switch in an SSH session.
  • Page 337 System module Description Documented in HPE Switch hardware/software guide Secure Socket Layer Version 3 Access Security Guide (SSLv3), including Transport Layer Security (TLSv1) support: Provides remote web access to a switch via encrypted paths between the switch and management station clients capable of SSL/TLS operation.
  • Page 338 PC or UNIX workstation. Using the Menu To display the Event Log from the Main Menu, select Event Log. The following example shows a sample event log display.
  • Page 339 An event log display Switch 5406zl 25-Oct-2013 18:02:52 ==========================-CONSOLE - MANAGER MODE - ============================= M 10/25/13 16:30:02 sys: 'Operator cold reboot from CONSOLE session.' I 10/25/13 17:42:51 00061 system: ------------------------------------------ I 10/25/13 17:42:51 00063 system: System went down : 10/25/13 16:30:02 I 10/25/13 17:42:51 00064 system: Operator cold reboot from CONSOLE session.
  • Page 340 Only new entries generated after you enter the command will be displayed. To redisplay all hidden entries, including Event Log entries recorded prior to the last reboot, enter the show logging -a command.
  • Page 341 Turning event numbering on Syntax: [no] log-numbers Turns event numbering on and off Using log throttling to reduce duplicate Event Log and SNMP messages A recurring event can generate a series of duplicate Event Log messages and SNMP traps in a relatively short time.
  • Page 342 SNMP trap receivers.) Table 28: How the duplicate message counter increments Instances during 1st log throttle period | Instances during 2nd log throttle period | Instances during 3rd log throttle period | Duplicate message counter
  • Page 343 This value always comprises the first instance of the duplicate message in the current log throttle period plus all previous occurrences of the duplicate message occurring since the switch last rebooted. Reporting information about changes to the running configuration Syslog can be used for sending notifications to a remote syslog server about changes made to the running configuration.
  • Page 344 Adds an IPv4 address to the list of receiving syslog servers. IPV6-ADDR Adds an IPv6 address to the list of receiving syslog servers. origin-id Sends the Syslog messages with the specified origin-id.
  • Page 345 notify Notifies the specified type sent to the syslog server(s). priority-descr A text string associated with the values of facility, severity, and system-module. severity Event messages of the specified severity or higher sent to the syslog server. system-module Event messages of the specified system module (subsystem) sent to the syslog server. hostname Sets the hostname of the device as the origin-id.
  • Page 346 When hostname or none is configured using logging origin-id, the same displays as part of the show running-config command.
  • Page 347 Syntax: show debug Default option is ip-address. The following shows the output of the show debug command when configured without logging origin-id. Output of the show debug command when configured without logging origin-id Debug Logging Origin identifier: Outgoing Interface IP Destination: None Enabled debug types:...
  • Page 348 A debug/syslog destination device can be a syslog server and/or a console session. You can configure debug and logging messages to be sent to: • Up to six syslog servers • A CLI session through a direct RS-232 console connection, or a Telnet or SSH session
  • Page 349 Debug/syslog configuration commands Event notification logging — Automatically sends switch-level event messages to the switch's Event Log. Debug and syslog do not affect this operation, but add the capability of directing Event Log messaging to an external device. <syslog-ip-addr> logging command Enables syslog messaging to be sent to the specified IP address.
  • Page 350 Sends SSH debug messages at the specified level to the debug destination. The levels are fatal, error, info, verbose, debug, debug2, and debug3. Using the Debug/Syslog feature, you can perform the following operations:
  • Page 351 • Configure the switch to send Event Log messages to one or more Syslog servers. In addition, you can configure the messages to be sent to the User log facility (default) or to another log facility on configured Syslog servers. •...
  • Page 352 (If no syslog server address is configured with the logging <syslog-ip-addr> command, no show debug command output is displayed.) Output of the show debug command switch(config)# show debug Debug Logging Destination: Logging -- 10.28.38.164 Facility=kern Severity=warning System module=all-pass Enabled debug types: event Example:
  • Page 353 In the following example, no syslog servers are configured on the switch (default setting). When you configure a syslog server, debug logging is enabled to send Event Log messages to the server. To limit the Event Log messages sent to the syslog server, specify a set of messages by entering the logging severity and logging system-module commands.
  • Page 354 By default, no debug destination is enabled and only Event Log messages are enabled to be sent. NOTE: To configure a syslog server, use the logging <syslog-ip-addr> command. For more information, see Configuring a syslog server on page 358. Debug messages Syntax: [no] debug <debug-type>
  • Page 355 Configures the switch to send all debug message types to configured debug destinations. (Default: Disabled—No debug messages are sent.) Sends CDP information to configured debug destinations. destination logging—Disables or re-enables syslog logging on one or more syslog servers configured with the logging <syslog-ip-addr>...
  • Page 356 Use the debug destination command to enable (and disable) syslog messaging on a syslog server or to a CLI session for specified types of debug and Event Log messages. Syntax: [no] debug destination {<logging | session | buffer>}
  • Page 357 logging Enables syslog logging to configured syslog servers so that the debug message types specified by the debug <debug-type> command (see Debug messages on page 354) are sent. (Default: Logging disabled) To configure a syslog server IP address, see Configuring a syslog server on page 358. NOTE: Debug messages from the switches covered in this guide have a debug severity level.
  • Page 358 Deleting syslog addresses in the startup configuration Enter a no logging command followed by the write memory command. Verifying the deletion of a syslog server address Display the startup configuration by entering the show config command.
  • Page 359 Blocking the messages sent to configured syslog servers from the currently configured debug message type Enter the no debug <debug-type> command. (See Debug messages on page 354.) Disabling syslog logging on the switch without deleting configured server addresses Enter the no debug destination logging command. Note that, unlike the case in which no syslog servers are configured, if one or more syslog servers are already configured and syslog messaging is disabled, configuring a new server address does not re-enable syslog messaging.
  • Page 360 Only one filter can be enabled at a time. • The maximum number of configured filters is 10. • A filter is identified by a unique name of up to 16 printable ASCII characters.
  • Page 361 • Filters can be dynamically replaced; the newly enabled filter automatically disables the previous filter. • A filter always contains a default sub-filter that functions as the filtering rules terminator. • To apply filtering to an event logging process, the filter must be explicitly enabled from the CLI. •...
  • Page 362 2. The second sub-filter has a sequence number of 20 and a severity type of major. The sub-filter specifies that a match for an event log message with a severity of “major” will be logged.
  • Page 363 3. The default sub-filter, which is created automatically at the time of filter creation, is always the last entry in the filter module. It matches “anything” and cannot be changed. You can change the actions to either permit or deny. This example specifies that any message that did not meet the prior matching criteria will not be logged. 4.
  • Page 364 Enabled : Yes Messages Dropped : 0 Seq Type Value Action Matches --- -------- ----------------------------------- ------ ------- RegExp (A[1-9]|A10|B[1-4]).*Blocked by STP Permit 2 RegExp .*Blocked by STP Deny (any) Permit 0
  • Page 365 Output of running-config file HP Switch# show running-config Running configuration: ; J9470A Configuration Editor; Created on release #XX.15.13.0000x ; Ver #04:0f.ff.3f.ef:24 hostname "HP Switch" module 1 type j94dda logging filter "noUpPorts" 10 "(A10|A22|B5) is now on-line" deny logging filter "noUpPorts" default permit logging filter "SevWarnFatal"...
  • Page 366 [no] logging severity {< major | error | warning | info | debug >} Configures the switch to send all Event Log messages with a severity level equal to or higher than the specified value to all configured Syslog servers.
  • Page 367 Default: debug (Reports messages of all severity levels.) Use the no form of the command to remove the configured severity level and reconfigure the default value, which sends Event Log messages of all severity levels to syslog servers. NOTE: The severity setting does not affect event notification messages that the switch normally sends to the Event Log.
  • Page 368 The ping test and the link test are point-to-point tests between your switch and another IEEE 802.3-compliant device on your network. These tests can tell you whether the switch is communicating properly with another device.
  • Page 369 NOTE: To respond to a ping test or a link test, the device you are trying to reach must be IEEE 802.3-compliant. Ping test A test of the path between the switch and another device on the same or another IP network that can respond to IP packets (ICMP Echo Requests).
  • Page 370 10.10.10.10 is alive, iteration 1, time = 15 ms 10.10.10.10 is alive, iteration 1, time = 15 ms 10.10.10.10 is alive, iteration 1, time = 15 ms switch# ping 10.10.10.10 timeout 2 10.10.10.10 is alive, time = 10 ms
  • Page 371 switch# ping 10.11.12.13 The destination address is unreachable. Halting a ping test To halt a ping test before it concludes, press [Ctrl] [C]. NOTE: To use the ping (or traceroute) command with host names or fully qualified domain names, see DNS resolver on page 383.
  • Page 372 If a VLAN is specified, the IP address associated with the specified VLAN is addr] | [vlan- used. id>]] NOTE: For information about traceroute6, see the IPv6 configuration guide for your switch. Halting an ongoing traceroute search Press the [Ctrl] [C] keys.
  • Page 373 A low maxttl causes traceroute to halt before reaching the destination address Executing traceroute with its default values for a destination IP address that is four hops away produces a result similar to this: Figure 67: A completed traceroute enquiry Continuing from the previous example (Figure 67: A completed traceroute enquiry on page 373), executing traceroute with an insufficient maxttl for the actual hop count produces an output similar to this: Figure 68: Incomplete traceroute because of low maxttl setting...
  • Page 374 Viewing a summary of switch operational data Syntax: show tech By default, the show tech command displays a single output of switch operating and running-configuration data from several internal switch sources, including:
  • Page 375 • Image stamp (software version data) • Running configuration • Event Log listing • Boot history • Port settings • Status and counters — port status • IP routes • Status and counters — VLAN information • GVRP support • Load balancing (trunk and LACP) The show tech command on page 375 shows sample output from the show tech command.
  • Page 376 6. To access the file, open it in Microsoft Word, Notepad, or a similar text editor. Viewing more information on switch operation Use the following commands to display additional information on switch operation for troubleshooting purposes. Syntax: show boot-history
  • Page 377 Displays the crash information saved for each management module on the switch. show history Displays the current command history. This command output is used for reference or when you want to repeat a command (See Displaying the information you need to diagnose problems on page 379). show system-information Displays globally configured parameters and information on switch operation.
  • Page 378 | begin ipv6 ipv6 enable no untagged 21-24 exit vlan 20 name "VLAN20" untagged 21-24 ipv6 enable no ip address exit policy qos "michael" exit ipv6 access-list "EH-01"
  • Page 379 sequence 10 deny tcp 2001:db8:255::/48 2001:db8:125::/48 exit no autorun password manager Displays the running config beginning at the first line that contains “ipv6”. The following is an example of the show arp command output, and then the output displayed when the include option has the IP address of 15.255.128.1 as the regular expression.
  • Page 380 For more information, see the section on "Saving Security Credentials in a Config File" in the access security guide for your switch.
  • Page 381 Using Clear/Reset Procedure 1. Using pointed objects, simultaneously press both the Reset and Clear buttons on the front of the switch. 2. Continue to press the Clear button while releasing the Reset button. 3. When the Self Test LED begins to flash, release the Clear button. The switch then completes its self test and begins operating with the configuration restored to the factory default settings.
  • Page 382 Select Transfer|File in HyperTerminal. c. Enter the appropriate filename and path for the OS image. d. Select the Xmodem protocol (and not the 1k Xmodem protocol). e. Click on [Send].
  • Page 383 If you are using HyperTerminal, you will see a screen similar to the following to indicate that the download is in progress: Figure 72: Example of Xmodem download in progress When the download completes, the switch reboots from primary flash using the OS image you downloaded in the preceding steps, plus the most recent startup-config file.
  • Page 384 The domain name for an accessible domain in which there are hosts you want to reach with a DNS-compatible command. (This is the domain suffix in the fully qualified domain name for a given host
  • Page 385 operating in the selected domain. See Basic operation on page 383.) Note that if a domain suffix is not configured, fully qualified domain names can be used to resolve DNS-compatible commands. d. The host names assigned to target IP addresses in the DNS server for the specified domain. 2.
  • Page 386 With the above already configured, the following commands enable a DNS-compatible command with the host name docserver to reach the document server at 10.28.229.219. Configuring switch "A" in Example network domain to support DNS resolution switch(config)# ip dns server-address 10.28.229.10 switch(config)# ip dns domain-name pbs.outdoors.com
  • Page 387 Ping and traceroute execution for the network in Example network domain switch(config)# ping docservr 10.28.229.219 is alive, time = 1 ms switch# traceroute docservr traceroute to 10.28.229.219 1 hop min, 30 hops max, 5 sec. timeout, 3 probes 1 10.28.192.2 1 ms 0 ms 0 ms...
  • Page 388 The DNS server address must be manually input. It is not automatically determined via DHCP. Event Log messages Please see the Event Log Message Reference Guide for information about Event Log messages.
  • Page 389 Chapter 17 MAC Address Management Overview The switch assigns MAC addresses in these areas: • For management functions, one Base MAC address is assigned to the default VLAN (VID = 1). (All VLANs on the switches covered in this guide use the same MAC address.) •...
  • Page 390 On the switches covered in this guide, the VID (VLAN identification number) for the default VLAN is always "1," and cannot be changed. From the Main Menu, select 1. Status and Counters 2. Switch Management Address Information
  • Page 391 If the switch has only the default VLAN, the following screen appears. If the switch has multiple static VLANs, each is listed with its address data. Figure 78: Example of the Management Address Information screen Viewing the port and VLAN MAC addresses The MAC address assigned to each switch port is used internally by such features as Flow Control and the spanning-tree protocol.
  • Page 392 A 4-port module in slot A, a 24-port module in slot C, and no modules in slots B and D • Two non-default VLANs configured Figure 79: Example of Port MAC address assignments on a switch
  • Page 393 Chapter 18 Power-Saving Features Configuring the savepower LED option The savepower led command provides the ability to turn off port LEDs even when a link exists. If power-saving is enabled, it can be temporarily overridden by the LED Mode button on the front panel. If the LED Mode button is pressed, the LEDs will behave normally (turn on) for a period of 10 minutes, and then turn off again.
  • Page 394 Output for the show savepower port-low-pwr command switch(config)# show savepower port-low-pwr Port Save Power Status: Enabled
  • Page 395 Chapter 19 Job Scheduler Job Scheduler The Job Scheduler feature enables the user to schedule commands or jobs on the switch for one time or multiple times. This is similar in concept to the UNIX ‘cron’ utility. The user can schedule any CLI command that the user would otherwise enter interactively.
  • Page 396 Every 00:00:25 days 1 vlan 4 NOTE: Caution The scheduler does not run until the system time is set. Show job <Name> Syntax show job JOB NAME Description Show the job by name.
  • Page 397 Show job <JOB NAME> switch# show job a1 Job Information Job Name : a1 Runs At : 01:24 Config Save : No Repeat Count: -- Job Status : Enabled Run Count Error Count : 0 Command : show time Job Status : Enabled Output from Last Run --------------------...
  • Page 398 If a user loses connectivity after applying the new configuration, a job scheduler executes the job after a specific time frame. This restores the current configuration to the switch, without rebooting it. More information Switching to a new configuration on page 399
  • Page 399 Rolling back to a stable configuration using job scheduler on page 400 Switching to a new configuration Procedure 1. Back up the configuration using cfg-backup running-config config <config_name> command. In the following example, the configuration name used is “stable”. cfg-backup running-config config stable 2.
  • Page 400 • switch(config)# show cfg-restore status switch(config)# show job cfg_stable Job Information Job Name : cfg_stable Runs At : Every 00:00:15 days:hours:minutes Config Save : No Repeat Count
  • Page 401 Job Status : Enabled Running Status : Active Run Count Error Count Skip Count Command : cfg_rollback switch(config)# show cfg-restore status Status : Success Config File Name : stable Source : Flash Time Taken : 9 Seconds Last Run : Tue Nov 28 20:50:00 2017 Recovery Mode : Enabled Failure Reason...
  • Page 402 Backup the named configuration file. switch(config)# cfg-backup {running-config | startup-config} config ASCII-STR Enter an ASCII string. show config files Syntax show config files Description Shows a list of configuration files available in the flash.
  • Page 403 To view the contents of a configuration file in the flash: switch# show config add ; JL255A Configuration Editor; Created on release #WC.16.05.0000x ; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba hostname "Aruba-2930F-24G-PoEP-4SFPP" module 1 type jl255a snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN"...
  • Page 404 IP address of the TFTP server. <FILE-NAME> Name of the backup configuration file to restore into the running configuration. diff Provides the list of changes that will be applied on the running configuration.
  • Page 405 force Forces a reboot if configuration in restored configuration requires a reboot. Applies the configuration with reboot if the configuration has reboot required commands or system-wide change commands. After a forced reboot, the name of the configuration changes. non-blocking Configuration restoration in non-blocking mode, where actual process happens in the background. recovery-mode Enables or disables recovery-mode.
  • Page 406 Do you want to continue (y/n)? Current running-configuration will be replaced with 'golden_config'. Continue (y/n)? Configuration restore is in progress, configuration changes are temporarily disabled. Successfully applied configuration 'golden_config' to running configuration. Rebooting switch...
  • Page 407 In the preceding output, Command : console terminal none shows that cfg-restore failed because a reboot is required. After the switch reboots and comes up, the golden_config becomes the active configuration. NOTE: In case of a switch reboot, the switch comes up with the configuration associated with the primary or secondary.
  • Page 408 ; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba hostname "Aruba-2930F-24G-PoEP-4SFPP" module 1 type jl255a ip routing snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN" untagged 1-28 ip address dhcp-bootp exit vlan 10 name "VLAN10" no ip address
  • Page 409 Current running-configuration will be replaced with 'modify'. Continue (y/n)? y Configuration restore is in progress, configuration changes are temporarily disabled. Partially applied configuration 'modify' to running configuration. Aruba-2930F-24G-PoEP-4SFPP(config)# show running-config Running configuration: ; JL255A Configuration Editor; Created on release #WC.16.05.0000x ; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba hostname "Aruba-2930F-24G-PoEP-4SFPP"...
  • Page 410 : 2 Seconds Adding commands : 0 Seconds Removing commands : 0 Seconds Configuration delete list: vlan 2 name "VLAN2" no ip address exit vlan 3 name "VLAN3" no ip address
  • Page 411 exit vlan 4 name "VLAN4" no ip address exit vlan 5 name "VLAN5" no ip address exit Successfully applied configuration 'config' to running configuration. cfg-restore config_bkp Syntax cfg-restore {tftp <ip-address> | sftp <ip-address>} config_bkp Description Downloads and restores a configuration from the TFTP or SFTP server, without rebooting the switch. NOTE: The commands from the restored configuration will be executed on the running configuration.
  • Page 412 | file1 | file2 NOTE: During a configuration restore with reboot, the association changes. To make the configuration the default configuration for subsequent system reboots, use the startup-default [<primary|secondary>] config FILENAME command.
  • Page 413 For startup-default config file1: switch(config)# show config files Configuration files: id | act pri sec | name --+-------------+--------- | config | file1 | file2 System reboot commands Following commands require a system reboot: • secure-mode standard • secure-mode enhanced • mesh id [0-9] •...
  • Page 414 • whether a flash file was used from SFTP or TFTP server • the total time taken to restore • the time when last restore was initiated
  • Page 415 • whether a recovery-mode was enabled • the number of add and delete commands • reboot commands present (if any), and • the split time taken for each phase Examples switch(config)# show cfg-restore latest-diff Shows the difference between running and back-up configuration.
  • Page 416 ; JL255A Configuration Editor; Created on release #WC.16.05.0000x ; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba hostname "Aruba-2930F-24G-PoEP-4SFPP" module 1 type jl255a 3. Execute the cfg-restore flash golden_config diff command to view the differences that will be applied. switch# cfg-restore flash golden_config diff
  • Page 417 Configuration delete list: vlan 1 no untagged 11-13,15-18 untagged 3-10 exit vlan 100 untagged 11-13 exit vlan 300 name "VLAN300" untagged 15-18 no ip address exit Configuration add list: vlan 1 no untagged 3-10 untagged 11-13,15-18 exit vlan 100 untagged 3-5 exit vlan 200 name "VLAN200"...
  • Page 418 4f66 8b77 6b66 e5fb 0c12 f7fb 8ea6 b548 af2e 2e03 This hash is only valid for comparison to a baseline hash if the configuration has not been explicitly changed (such as
  • Page 419 with a CLI command) or implicitly changed (such as by the removal of a hardware module). To display the hash calculated for the running configuration: switch(config)# show running-config hash The hash must be calculated. This may take several minutes. Continue (y/n)? y Calculating hash...
  • Page 420 0000:01:39:56.65 CFG mCfgRestoreMgr:Command deleted = vlan 4 tagged 9. 0000:01:39:56.65 CFG mCfgRestoreMgr:cfg-restore iteration count = 2. 0000:01:39:59.38 CFG mCfgRestoreMgr:Successfully applied configuration 'backup_conif' to running configuration. ** Total debug messages = 22
  • Page 421 Chapter 21 Virtual Technician HPE’s Virtual Technician is a set of tools aimed at aiding network switch administrators in diagnosing and caring for their networks. VT provides tools for switch diagnoses when faced with unforeseen issues. To improve the Virtual Technician features of our devices, HPE has added the following tools: •...
  • Page 422 When password-recovery is enabled (and the front panel buttons disabled), a lost password can be recovered by contacting HPE customer support. • When password-recovery is disabled, there is no way to access a device after losing a password with the front panel buttons disabled.
  • Page 423 • If diagnostic-reset is disabled, the user cannot perform a diagnostic switch reset on those rare events where the switch becomes unresponsive to user input because of unknown reason(s). • If diagnostic-reset is enabled, the user can perform a diagnostic hard reset which will capture valuable diagnostic data and reset the switch.
  • Page 424 [No] front-panel-security diagnostic-reset clear-button From the configure context: Syntax [no] front-panel-security diagnostic-reset clear-button Description Disables the diagnostic-reset via clear button.
  • Page 425 CAUTION: Disabling the diagnostic reset prevents the switch from capturing diagnostic data on those rare events where the switch becomes unresponsive to user input because of unknown reasons. Ensure that you are familiar with the front panel security options before proceeding. Show front-panel-security Syntax show front-panel-security...
  • Page 426 FPS options. The serial sequence to initiate the User Initiated Diagnostic Reset via Serial console is Ctrl+S, Ctrl+T, Ctrl+Q, Ctrl+T, Ctrl+S. Front-panel-security diagnostic-reset serial-console In the configure context:
  • Page 427 Syntax front-panel-security diagnostic-reset serial-console Enables the diagnostic-reset via serial console. Allows the user to perform diagnostic reset by keying-in diagnostic reset sequence. Front-panel-security diagnostic-reset serial-console front-panel-security diagnostic-reset serial-console Diagnostic Reset - Enabled clear-button - Disabled serial-console - Enabled [No] front-panel-security diagnostic-reset serial-console In the configure context: Syntax [no] front-panel-security diagnostic-reset serial-console...
  • Page 428 STKM: HA Sync in progress; user initiated diagnostic request via the serial console rejected. Retry after sometime. Console print STKM: Member is booting; user initiated diagnostic request via the serial console rejected. Retry after sometime.
  • Page 429 To associate each device type with a device profile, a context level is created which authorizes the user to enable or disable the profile by device-type. Only the device type aruba-ap is supported. Rogue AP isolation The command rogue-ap-isolation configures each device and blocks, logs, or allows a rogue AP when detected.
  • Page 430 Configure this port as an untagged member of specified VLAN. tagged-vlan <VLAN-LIST> Configure this port as a tagged member of the specified VLANs. cos <COS-VALUE> Configure the Class of Service (CoS) priority for traffic from the device.
  • Page 431 [no] device-profile type <DEVICE> Associating a device with a profile To associate an Aruba access point (AP) device-type to a user-defined profile, use the context HPE Switch(device-aruba-ap)#. All Aruba access points use the identifier aruba-ap. The [no] form of the command removes the device type association and disables the feature for the device type.
  • Page 432 [no] device-profile type <DEVICE> [associate <PROFILE-NAME> |enable | disable] Restrictions Only one device type is supported, aruba-ap, and it is used to identify all the Aruba access points. Configuring the rogue-ap-isolation command Used to configure the rogue-ap-isolation command. A block/log option may be configured for when a rogue AP is identified by the switch.
  • Page 433 Usage rogue-ap-isolation [enable | disable] rogue-ap-isolation action [log | block] [no] rogue-ap-isolation whitelist <MAC-ADDRESS> VXLAN show commands VXLAN show commands include commands to display the status of a VXLAN feature, tunnels, and tunnel statistics. show device-profile Syntax Within the configure context: show device-profile Description Show device profile configuration and status.
  • Page 434 Device Type Applied Device Profile ---- ----------- ---------------------- aruba-ap profile1 aruba-ap profile1 Show rogue-ap-isolation Syntax show rogue-ap-isolation Description Show rogue access point information. Options whitelist Show rogue access point whitelist information.
  • Page 435 Usage show rogue-ap-isolation whitelist show rogue-ap-isolation Switch# show rogue-ap-isolation Rogue AP Isolation Rogue AP Status : Enable Rogue AP Action : Block Rogue AP MAC Neighbor Device ----------------- ----------------- 11:22:33:44:55:66 00:12:34:56:67:89 aa:bb:cc:dd:ee:ff 00:98:45:56:67:89 show rogue-ap-isolation whitelist Switch# show rogue-ap-isolation whitelist Rogue AP Whitelist Configuration Rogue AP MAC -----------------...
  • Page 436 The time that the session is valid for. The default is 0 unless the user role is overridden. The default means that the reauthentication is disabled. NOTE: Reauthentication period is required to override the default of 0. • Untagged VLAN (either VLAN ID or VLAN-name) VLAN precedence order behavior:
  • Page 437 ◦ If configured, untagged VLAN specified in the user role (VSA Derived Role, UDR, or Initial Role). ◦ Statically configured untagged and/or tagged VLANs of the port the user is on. Operational notes • When user roles are enabled, all users that are connecting on ports where authentication is configured will have a user role applied.
  • Page 438 Two captive portal profiles are supported: • Predefined and read-only Predefined and read-only profile name is use-radius-vsa. • Customized [no] aaa authentication captive-portal profile Syntax [no] aaa authentication captive-portal profile <PROFILE-STR> [url <URL-STR>]
  • Page 439 Description Create a captive-portal profile. Profiles are used in user roles to direct the user to a designated captive portal server. When the profile includes a web address, that web address is always used to contact the server. When no web address is specified, it is obtained from the RADIUS VSA.
  • Page 440 Create and enter newly created user policy context. Usage Switch (config)# policy user employee [no] policy user Syntax [no] policy user <POLICYNAME> Description Delete and remove specified user policy from switch configuration. Operating notes
  • Page 441 • The user policy will include implicit “deny all” rules for both IPv4 and IPv6 traffic. • ipv4 or ipv6 classes must specify source address as any. Specifying host addresses or subnets will result in the following error message: Switch (policy-user)# class ipv4 class25 action priority 0 User policies cannot use classes that have a source IP address specified.
  • Page 442 • The user role feature is enabled with RADIUS authentication, but no user role VSA is returned. • User role does not exist.
  • Page 443 • Not enough TCAM resource available. • Access-Reject from RADIUS. • User role VSA is sent along with invalid attributes. • RADIUS not reachable. • VLAN configured on the user role does not exist. • Captive Portal profile does not exist. •...
  • Page 444 Set the reauthentication period for the user role. Use [0] to disable reauthentication. For RADIUS-based authentication methods, it will override the RADIUS session timeout. It also overrides any port-based reauth-period configuration with the exception that LMA does not support a reauth-period.
  • Page 445 Options <VALUE> Valid values are 0 – 999,999,999; a required configuration in user roles and it defaults to 0. (user-role)# reauth-period 100 Set the reauthentication value for the current user role: (user-role)# reauth-period 100 (user-role)# reauth-period 0 0 is used to disable reauthentication, and it is the default value. (user-role)# reauth-period 0 Validation rules Validation...
  • Page 446 VLAN-ID-LIST. After command execution, CLI returns to the global configuration context. Examples config# vlan 2-15 tagged A1-A20 config# vlan 5,10,13-20,25 tagged A1-A5,L2,L5-L10 config# vlan 2-20 tagged all config# no vlan 2-15 tagged A1-A5 config# no vlan 5,10,13-20 tagged A1-A5,L6
  • Page 447 Applying a UDR UDR can be used to assign user roles locally (that is, without RADIUS). LMA has been extended to allow applying a user role to a MAC address, MAC group, MAC mask, or MAC OUI. aaa port-access local-mac apply user-role Syntax [no] aaa port-access local-mac apply user-role <Role-Name>...
  • Page 448 Employee local Guest predefined denyall show user-role <ROLE-NAME> Switch# show user-role captivePortalwithVSA User Role Information Name : captivePortalwithVSA Type : local Reauthentication Period (seconds) : 0 Untagged VLAN : 610
  • Page 449 Captive Portal Profile : use-radius-vsa Policy : cppolicy show user-role detailed The example shows how to configure user roles to use Clearpass as a Captive Portal. The Captive Portal URL is specified in a RADIUS VSA. Switch# show user-role captivePortalwithVSA detailed User Role Information Name : captivePortalwithVSA...
  • Page 450 Statements for policy "policyIxia1" policy user "policyIxia1" 10 class ipv4 "classIxia1" action rate-limit kbps 11000 exit Statements for class IPv4 "classIxia1" class ipv4 "classIxia1" 10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit
  • Page 451 Chapter 24 Port QoS Trust Mode Overview The Port QoS Trust feature restricts which packet QoS information may be used to determine inbound queue servicing and any priority information to be permitted into the local hop. Port QoS Trust Mode configuration allows preservation or removal of the inbound QoS priorities carried in Layer 2 (the VLAN cos or Priority CodePoint (PCP) value, known as the 802.1p priority tag) and/or in Layer 3 (the IP-ToS byte, in IP-Precedence or IP-Diffserv mode).
  • Page 452 Description Shows port-based QoS trust configuration Options device Show list of trusted devices per-port. <port> Show trusted devices on a single port. Usage show qos trust [device | [ethernet <PORT-LIST> ]
  • Page 453 Port-Based QoS Trust Configuration Port Trusted Devices ------- --------------- aruba-ap aruba-ap aruba-ap show qos trust device <PORT> switch# show qos trust device <PORT> Port A4 QoS Trust Configuration Current state: Trusted Trusted Devices: aruba-ap
  • Page 454 QoS trust mode. QoS trust device when any port QoS The port QoS priority feature must be disabled priority is enabled. before configuring this port QoS trust mode.
  • Page 455 Chapter 25 Net-destination and Net-service Net-service Overview Net-service names are used as alias in defining ACL rules for defined lists. An alias of net-service will configure a list of hosts, networks, or subnets. Extended ACL can have both source IP, destination IP and port number along with protocol in its ACE. An alias- based ACE for an extended ACL therefore allows the use of an alias of net-service protocol and destination port.
  • Page 456 The use of net-service will also restrict the operators that can be specified for port number to equals and range. Example - extended HP-Switch-5406Rzl2(config)# ip access-list extended aext1 HP-Switch-5406Rzl2(config-ext-nacl)#
  • Page 457 permit tcp host 10.100.12.1 gt 23 16.90.0.0 /16 range 200 400 HP-Switch-5406Rzl2(config-ext-nacl)# exit Limitations • Limited to IPv4 addresses per syntax. • Any changes made to an existing net-destination that is used by an ACL, will be applied on the ACL only when the rule is reapplied to it or when switch is rebooted.
  • Page 458 Syntax show net-destination <NAME-STR> Description Show a host-specific net-destination.
  • Page 459 Chapter 26 Websites Networking Websites Hewlett Packard Enterprise Networking Information Library www.hpe.com/networking/resourcefinder Hewlett Packard Enterprise Networking Software www.hpe.com/networking/software Hewlett Packard Enterprise Networking website www.hpe.com/info/networking Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty General websites Hewlett Packard Enterprise Information Library...
  • Page 460 To view and update your entitlements, and to link your contracts and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page:
  • Page 461 www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HPE Passport set up with relevant entitlements. Customer self repair Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience.
  • Page 462 For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 463 Appendix A Remote Device Deployment (TR-069) Remote Device Deployment (TR-069) Introduction TR-069 is a technical specification created by the Broadband Forum. The TR-069 protocol specifies client and server requirements to manage devices across the Internet by using a client server architecture to provide communication between the CPE (Customer Premises Equipment) and the ACS (Auto Configuration Server).
  • Page 464 The zero-configuration mechanism is defined in the TR-069 specification. • TR-069 is suitable for large-scale device management. TR-069 supports a distributed architecture. The ACS can be distributed across multiple servers, and each ACS can manage part of the devices.
  • Page 465 Zero-touch configuration process Auto configuration or “zero-touch” deployment is a recurring customer requirement, especially for remote-office deployments. New devices introduced inside a private network require management tools to be co-located to configure them or update firmware, or require manual intervention to do configuration. TR-069 allows managing devices that reside in a private network via HTTP(S), enabling a new set of deployment and management models that are not possible using SNMP.
  • Page 466 In this example, the following steps configure CPEs for a Campus Network environment. 1. Pre-configuration for all CPEs in BIMS. 2. CPEs get BIMS parameters from DHCP server. 3. CPEs initiate a connection to BIMS, then BIMS deploys the pre-configuration to CPEs.
  • Page 467 Zero-touch configuration for Branch networks In this example, the following steps configure CPEs for a Branch network environment. 1. Create the basic configuration for your spoke device manually, using the username/password from ISP and BIMS URL. 2. The IPSec VPN configuration is generated by IVM and deployed by BIMS. 3.
  • Page 468 Zero-touch configuration setup and execution 1. DHCP configuration 2. BIMS configuration 3. Execution CLI commands Configuration setup Within the configure mode: Syntax: cwmp
  • Page 469 Configure Auto Configuration Server (ACS) access. Configure Customer Premises Equipment (CPE) access. disable Disable the CPE WAN Management Protocol. NOTE: CWMP is automatically enabled. To conserve resources, reconfigure this setting using the cwmp disable command. enable Enable the CPE WAN Management Protocol. Syntax: [no] cwmp Configure Auto Configuration Server (ACS) access.
  • Page 470 USERNAME-STR A username for ACS authentication (maximum length: 256 characters). CPE configuration Syntax: cwmp cpe password Configure the password used for authentication when the ACS connects to the switch.
  • Page 471 username Configure the username used for authentication when the ACS connects to the switch. CPE password configuration When encrypt-credentials is on Syntax: cwmp cpe password encrypted-key An encrypted password generated with the 'encrypt-credentials' command. plaintext Configure the password used for authentication when the ACS connects to the switch. Syntax: cwmp cpe password encrypted-key ASCII-STR...
  • Page 472 : Disconnected Data Transfer Status : None Last ACS Connection Time : Wed Apr 9 16:56:00 2014 Time to Next Connection : 00:00:36 When CWMP is disabled Syntax: show cwmp status
  • Page 473 CWMP status CWMP Status CWMP Status : Disabled CWMP configuration show cwmp configuration CWMP Configuration CWMP Status : Disabled Event logging The TR-069 client offers some tools to diagnose problems: • System logging • Status/control commands System logging The CPE implements the following system log notification codes and sample messages: •...
  • Page 474 W 11/19/13 08:06:13 04200 http: Upload of SourceFile to http://10.0.11.240:9876/path canceled because of inexistent file. Status/control commands The following commands help assess the general state of TR-069 and control the source of the ACS configuration record:
  • Page 475 Table 29: Status/control commands Command Result show cwmp status CWMP is Enabled ACS URL : https://16.93.62.32:9443 ACS URL is set by : Config ACS Username : bims Connection status : Disconnected Data transfer status : None Time of last successful connection : Thu Feb 20 01:16:59 2014 Interval upon to next connection : Null show cwmp...
  • Page 476 Multicast Filtering LLDP-MED Power over Ethernet (PoE and PoE+) Loop Protection Protocol Filters MAC Address Management RADIUS Authentication and Accounting Management VLAN RADIUS-Based Configuration Passwords and Password Clear Protection/include-credentials
  • Page 477 Zero-touch provisioning - DHCP, Activate Egress ACLs CPPM support Device profile - switch auto configuration HTTP redirection/Captive portal Device profile: Auto configuration with Aruba AP Device profile: LLDP Authentication Bypass with AP detection Tunneled Node enhancement: fallback to switching RADIUS Port Speed VSA...
  • Page 478 Enhanced Web Authentication Internet Protocol High Availability HMAC-SHA1 Hash-based Message Authentication Code used with the SHA-1 cryptographic hash function. HTTP Hypertext Transfer Protocol HTTPS Secure Hypertext Transfer Protocol Identifier Internet Protocol
  • Page 479 Acronym Definition The third, or routing, layer of the open systems interconnection (OSI) model. The network layer routes data to different LANs and Wide Area Networks (WANs) based on network addresses. Local Area Network Media Access Control MAFR MAC Authentication Failure Redirect Management Interface Specification Network Management System PVOS...
