
HP Aruba JL253A Management And Configuration Manual

For arubaos-switch 16.08



Aruba 2930F / 2930M Management and
Configuration Guide for ArubaOS-
Switch 16.08
Part Number: 5200-5486a
Published: January 2019
Edition: 2




  Summary of Contents for HP Aruba JL253A

  • Page 1 Aruba 2930F / 2930M Management and Configuration Guide for ArubaOS- Switch 16.08 Part Number: 5200-5486a Published: January 2019 Edition: 2...
  • Page 2 © Copyright 2019 Hewlett Packard Enterprise Notices The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents Chapter 1 About this guide................Applicable products..........................26 Switch prompts used in this guide......................Chapter 2 Time Protocols................General steps for running a time protocol on the switch................27 TimeP time synchronization......................SNTP time synchronization......................27 NTP time synchronization......................Command........................timesync Selecting a time synchronization protocol....................28 Disabling time synchronization........................
  • Page 4 show ntp ntp authentication......................60 Validation rules........................Event log messages......................Precision Time Protocol (PTP).........................63 ptp..............................63 show ptp............................. Monitoring resources..........................Displaying current resource usage....................65 Viewing information on resource usage..................Policy enforcement engine....................Usage notes for show resources output................67 When insufficient resources are available..................67 Chapter 3 Port Status and Configuration.............69...
  • Page 5 Configuring UDLD for tagged ports..................Viewing UDLD information (CLI)....................Viewing summary information on all UDLD-enabled ports (CLI)........Viewing detailed UDLD information for specific ports (CLI)..........99 Clearing UDLD statistics (CLI)................... Uplink Failure Detection...........................99 Configuration Guidelines for UFD....................enable/disable........................101 uplink-failure-detection..................... configuration........................uplink-failure-detection track.................101 show uplink-failure-detection................102...
  • Page 6 Recommendations........................Show commands.........................125 PoE Event Log messages........................127 Chapter 5 Port Trunking................Overview of port trunking........................Port connections and configuration.....................129 Port trunk features and operation......................Fault tolerance ........................... Trunk configuration methods........................130 Dynamic LACP trunk........................130 Using keys to control dynamic LACP trunk configuration..........130 Static trunk..........................
  • Page 7 Configuring ICMP rate-limiting....................Using both ICMP rate-limiting and all-traffic rate-limiting on the same interface......159 Viewing the current ICMP rate-limit configuration............... Operating notes for ICMP rate-limiting..................160 ICMP rate-limiting trap and Event Log messages...............161 Determining the switch port number used in ICMP port reset commands.......
  • Page 8 Listing community names and values (CLI)..............SNMP notifications........................194 Supported Notifications....................General steps for configuring SNMP notifications............194 SNMPv1 and SNMPv2c Traps..................SNMP trap receivers......................Overview.......................... SNMP trap when MAC address table changes..............SNMPv2c informs......................198 Configuring SNMPv3 notifications (CLI)................199 Network security notifications...................202 Enabling Link-Change Traps (CLI)...................
  • Page 9 Basic LLDP per-port advertisement content..............228 Support for port speed and duplex advertisements............230 Port VLAN ID TLV support on LLDP................... Configuring the VLAN ID TLV...................231 Viewing the TLVs advertised.................... SNMP support........................LLDP-MED (media-endpoint-discovery)..................LLDP-MED endpoint support................... LLDP-MED endpoint device classes................LLDP-MED operational support..................
  • Page 10 dhcp-server........................DHCP address pool name......................dhcp-server pool.......................259 Authoritative........................DHCP client boot file........................bootfile-name ........................261 DHCP client default router......................default-router........................DNS IP servers .......................... dns-server........................Configure a domain name......................262 domain-name........................Configure lease NetBIOS WINS servers.......................262 NetBIOS node type........................netbios-node-type......................263 Subnet and mask ........................
  • Page 11 dhcpv6-snooping authorized-server................... dhcpv6-snooping database file....................275 dhcpv6-snooping max-bindings....................276 dhcpv6-relay option 79....................... snmp-server enable traps dhcpv6-snooping................clear dhcpv6-snooping stats.......................278 debug security dhcpv6-snooping....................278 ipv6 source-lockdown ethernet....................ipv6 source-binding........................snmp-server enable traps dyn-ipv6-lockdown................281 debug security dynamic-ipv6-lockdown..................Show commands for DHCPv6-snooping....................282 show dhcpv6-snooping....................... show dhcpv6 snooping bindings....................
  • Page 12 show crypto-ipsec sa......................322 show running-configuration....................ZTP with Aruba Central..........................324 LED Blink feature........................Aruba Central Configuration manually..................Activating ArubaOS-Switch Firmware Integration............activate software-update enable..................activate software-update check..................326 activate software-update activate software-update..................327 Show activate provision....................328 aruba-central........................Troubleshooting...........................331 Show aruba-central......................Error reason for Aruba Central..................
  • Page 13 Copying diagnostic data.........................357 copy command-log........................357 copy event-log..........................357 Transferring switch configurations......................TFTP: Copying a configuration file to a remote host (CLI)............358 TFTP: Copying a configuration file from a remote host (CLI)............359 TFTP: Copying a customized command file to a switch (CLI)............ USB: Copying a configuration file to a USB device..............360 USB: Copying a configuration file from a USB...
  • Page 14 Accessing port and trunk group statistics (CLI)..............386 Displaying trunk load balancing statistics.................386 Clearing trunk load balancing statistics................Resetting the port counters....................Viewing the switch's MAC address tables...................387 Accessing MAC address views and searches (CLI)............388 Accessing MSTP Data (CLI)....................... Viewing internet IGMP status (CLI).....................
  • Page 15 Traffic-direction criteria...........................409 Configure ACL criteria to select inbound....................interface monitor ip access-group....................Configuring a destination switch in a remote mirroring session.............410 Configuring a source switch in a local mirroring session................411 Configuring a source switch in a remote mirroring session..............411 Selecting all traffic on a port interface for mirroring according to traffic direction........412 Selecting all traffic on a VLAN interface for mirroring according to traffic direction.......
  • Page 16 About selecting inbound traffic using advanced classifier-based mirroring.........435 Classifier-based mirroring configuration....................Classifier-based mirroring restrictions..................437 About applying multiple mirroring sessions to an interface............Mirroring configuration examples....................Maximum supported frame size......................443 Enabling jumbo frames to increase the mirroring path MTU............444 Effect of downstream VLAN tagging on untagged, mirrored traffic............
  • Page 17 The switch does not receive a response to RADIUS authentication requests....The switch does not authenticate a client even though the RADIUS server is properly configured and providing a response to the authentication request.........465 During RADIUS-authenticated client sessions, access to a VLAN on the port used for the client sessions is lost....................465 The switch appears to be properly configured as a supplicant, but cannot gain access...
  • Page 18 Event Log......................... Restrictions........................478 Viewing transceiver information......................Viewing information about transceivers (CLI)................480 support..........................480 Viewing transceiver information....................Information displayed with the detail parameter...............481 Viewing transceiver information for copper transceivers with VCT support........... Testing the Cable........................Viewing transceiver information......................Using the Event Log for troubleshooting switch problems..............
  • Page 19 Saving show tech command output to a text file.............. Customizing show tech command output.................536 Viewing more information on switch operation................538 Searching for text using pattern matching with show command........Displaying the information you need to diagnose problems............541 Restoring the factory-default configuration....................
  • Page 20 Troubleshooting and support......................... debug cfg-restore........................575 Chapter 16 Virtual Technician..............Cisco Discovery Protocol (CDP)......................Show cdp traffic...........................577 Clear cdp cdp neighbors detail......................578 Enable/Disable debug tracing for MOCANA code................. Debug security ........................... User diagnostic crash via Front Panel Security (FPS) button..............579 Front panel security password-clear...................
  • Page 21 Event log messages..........................603 Interoperability............................IP SLA UDP Jitter and Jitter for VoIP ....................604 Overview............................. Significance of jitter........................Solution components........................605 Measurements........................606 Chapter 18 Dynamic Segmentation............Definition of Terms..........................Overview..............................Benefits of Dynamic Segmentation......................609 Cases............................. Users/Devices and Policy Enforcement Recommendations..............Colorless Ports............................612 Port-Based Tunneling..........................
  • Page 22 VSF link..............................651 Physical VSF ports..........................651 VSF member ID............................. Interface naming conventions........................ VSF member roles..........................Member priority............................Supported topologies..........................Running-configuration synchronization ....................654 VSF split..............................655 VSF merge.............................655 commands............................. Configuration commands ......................enable......................... disable........................vsf member link ....................... domain........................member........................657 vsf member shutdown...................... vsf member reboot......................
  • Page 23 configuration..........................Manual configuration of a VSF....................689 Manual configuration with multiple ports bundled in a VSF link........Automatic configuration of a VSF fabric..................695 Port speed..............................701 VSF port LED front panel........................701 VSF port LEDs..........................Diagnostic tips for stacking error....................702 LED 1 and LED 2 display solid green color, whereas, LED 3 displays solid orange..702 LED 1 displays slow flash orange, LED 2 displays solid green, whereas, LED 3 displays different...
  • Page 24 Requirements............................728 Limitations..............................728 Feature Interactions..........................Profile Manager and 802.1X....................... Profile Manager and LMA/WMA/MAC-AUTH................729 Profile manager and Private VLANs................... MAC lockout and lockdown ......................729 LMA/WMA/802.1X/Port-Security....................730 Troubleshooting............................. Dynamic configuration not displayed when using “show running-config”........730 The show run command displays non-numerical value for untagged-vlan.......730 Show commands.........................731...
  • Page 25 Overview..............................LACP-MAD Passthrough commands.....................750 interface lacp..........................750 show lacp............................ clear lacp statistics........................Remote Device Deployment (TR-069)............752 Introduction............................Advantages of TR-069........................ Zero-touch configuration process....................753 Zero-touch configuration setup and execution................CLI commands............................756 Configuration setup........................ACS password configuration.......................757 When encrypt-credentials is off..................When encrypt-credentials is on..................
  • Page 26: Chapter 1 About This Guide

    Chapter 1 About this guide This guide provides information on how to configure, manage, and monitor basic switch operation. Applicable products This guide applies to these products: Aruba 2930F Switch Series (JL253A, JL254A, JL255A, JL256A, JL258A, JL259A, JL260A, JL261A, JL262A, JL263A, JL264A, JL557A, JL558A, JL559A) Aruba 2930M Switch Series (JL319A, JL320A, JL321A, JL322A, JL323A, JL324A, R0M67A, R0M68A) Switch prompts used in this guide...
  • Page 27: Chapter 2 Time Protocols

    Chapter 2 Time Protocols NOTE: For successful time protocol setup and specific configuration details, you may need to contact your system administrator regarding your local configuration. General steps for running a time protocol on the switch Using time synchronization ensures a uniform time among interoperating devices. This helps you to manage and troubleshoot switch operation by attaching meaningful time data to event and error messages.
  • Page 28: Ntp Time Synchronization

    security over the Broadcast mode by specifying which time server to use instead of using the first one detected through a broadcast. NTP time synchronization The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients in order to correlate events when receiving system logs and other time-specific events from multiple network devices.
  • Page 29: Disabling Time Synchronization

    The switch retains the parameter settings for both time protocols even if you change from one protocol to the other. Thus, if you select a time protocol, the switch uses the parameters you last configured for the selected protocol. Simply selecting a time synchronization protocol does not enable that protocol on the switch unless you also enable the protocol itself (step 2, above).
  • Page 30 If you configure the switch with TimeP as the time synchronization method, then enable TimeP in DHCP mode with the default poll interval, show timep lists the following: TimeP configuration when TimeP is the selected Time synchronization method switch(config)# show timep Timep Configuration Time Sync Mode: Timep TimeP Mode [Disabled] : DHCP...
  • Page 31: Configuring (Enabling Or Disabling) The Timep Mode

    Configuring (enabling or disabling) the TimeP mode Enabling the TimeP mode means configuring it for either broadcast or unicast mode. Remember that to run TimeP as the switch's time synchronization protocol, you must also select TimeP as the time synchronization method by using the CLI timesync command.
  • Page 32 Selects TimeP as the time synchronization method. Syntax: ip timep dhcp Configures DHCP as the TimeP mode. For example, suppose: • Time Synchronization is configured for SNTP. • You want to: ◦ View the current time synchronization. ◦ Select TimeP as the synchronization mode. ◦...
  • Page 33 Configuring TimeP for manual operation switch(config)# timesync timep switch(config)# ip timep manual switch(config)# show timep Timep Configuration Time Sync Mode: Timep TimeP Mode : Manual Server Address : Poll Interval (min) : 720 Changing from one TimeP server to another (CLI) Procedure 1.
  • Page 34: Sntp: Selecting And Configuring

    Disabling the TimeP mode Syntax: no ip timep Disables TimeP by changing the TimeP mode configuration to Disabled and prevents the switch from using it as the time synchronization protocol, even if it is the selected Time Sync Method option. Example: If the switch is running TimeP in DHCP mode, no ip timep changes the TimeP configuration as shown below and disables time synchronization.
  • Page 35: Viewing And Configuring Sntp (Cli)

    SNTP parameter Operation Server Address Used only when the SNTP Mode is set to Unicast. Specifies the IP address of the SNTP server that the switch accesses for time synchronization updates. You can configure up to three servers; one using the menu or CLI, and two more using the CLI. Server Version Specifies the SNTP software version to use and is assigned on a per-server basis.
  • Page 36: Configuring (Enabling Or Disabling) The Sntp Mode

    Priority SNTP Server Address Protocol Version -------- ------------------------------ ---------------- 2001:db8::215:60ff:fe79:8980 fe80::123%vlan10 Syntax: show management This command can help you to easily examine and compare the IP addressing on the switch. It lists the IP addresses for all time servers configured on the switch, plus the IP addresses and default gateway for all VLANs configured on the switch.
  • Page 37 Syntax: sntp server priority <1-3> Specifies the order in which the configured servers are polled for getting the time. Value is between 1 and 3. Syntax: sntp <30-720> Configures the amount of time between updates of the system clock via SNTP. Default: 720 seconds Enabling SNTP in Broadcast Mode Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands...
  • Page 38 The commands and output would appear as follows: Figure 1: Enabling SNTP operation in Broadcast Mode switch(config)# show sntp SNTP Configuration Time Sync Mode: Timep SNTP Mode : disabled Poll Interval (sec) [720] :720 switch(config)# timesync sntp switch(config)# sntp broadcast switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp...
  • Page 39 version The protocol version of the SNTP server. Allowable values are 1 through 7; default is 3. Syntax: no sntp server priority <1-3> <ip-addr> Deletes the specified SNTP server. NOTE: priority <1-3> value must match what server is configured with. Deleting an SNTP server when only one is configured disables SNTP unicast operation.
  • Page 40 Specifying the SNTP protocol version number switch(config)# no sntp server switch(config)# sntp server 4 switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp SNTP Mode : Broadcast Poll Interval (sec) [720] : 600 IP Address Protocol Version ------------- ----------------- •...
  • Page 41 Disabling time synchronization without changing the SNTP configuration (CLI) The recommended method for disabling time synchronization is to use the timesync command. Syntax: no timesync Halts time synchronization without changing your SNTP configuration. Example: Suppose SNTP is running as the switch's time synchronization protocol, with broadcast as the SNTP mode and the factory-default polling interval.
  • Page 42: Sntp Client Authentication

    Note that even though the Time Sync Mode is set to Sntp, time synchronization is disabled because no sntp has disabled the SNTP Mode parameter. SNTP client authentication Enabling SNTP authentication allows network devices such as switches to validate the SNTP messages received from an NTP or SNTP server before updating the network time.
  • Page 43: Configuring A Trusted Key

    Syntax: sntp authentication key-id <key-id> authentication-mode <md5> key-value <key-string> [trusted] no sntp authentication key-id <key-id> Configures a key-id, authentication-mode (MD5 only), and key-value, which are required for authentication. The no version of the command deletes the authentication key. Default: No default keys are configured on the switch. key-id A numeric key identifier in the range of 1-4,294,967,295 (2^32 - 1) that identifies the unique key value.
  • Page 44: Associating A Key With An Sntp Server (Cli)

    Trusted keys are used during the authentication process. You can configure the switch with up to eight sets of key-id/key-value pairs. One specific set must be selected for authentication; this is done by configuring the set as trusted. The key-id itself must already be configured on the switch. To enable authentication, at least one key-id must be configured as trusted.
  • Page 45: Configuring Unicast And Broadcast Mode For Authentication

    Configuring unicast and broadcast mode for authentication To enable authentication, you must configure either unicast or broadcast mode. When authentication is enabled, changing the mode from unicast to broadcast or vice versa is not allowed; you must disable authentication and then change the mode.
  • Page 46: Saving Configuration Files And The Include-Credentials Command

    Viewing all SNTP authentication keys that have been configured on the switch (CLI) Enter the show sntp authentication command, as shown in Show sntp authentication command output on page 46. Show sntp authentication command output switch(config)# show sntp authentication SNTP Authentication Information SNTP Authentication : Enabled Key-ID Auth Mode...
  • Page 47 sntp broadcast sntp 50 sntp authentication sntp server priority 1 key-id 55 sntp server priority 2 fe80::200:24ff:fec8:4ca8 4 key-id 55 NOTE: SNTP authentication has been enabled and a key-id of 55 has been created. In this Example:, the include-credentials command has not been executed and is not present in the configuration file.
  • Page 48: Sntp Unicast Time Polling With Multiple Sntp Servers

    If include-credentials is configured, the SNTP authentication configuration is saved in the configuration file. When the show config command is entered, all of the information that has been configured for SNTP authentication displays, including the key-values. Figure 2: Saved SNTP Authentication information when include-credentials is configured SNTP unicast time polling with multiple SNTP servers When running SNTP unicast time polling as the time synchronization method, the switch requests a time update from the server you configured with either the Server Address parameter in the menu interface, or the primary...
  • Page 49: Adding And Deleting Sntp Server Addresses

    Default Gateway : VLAN Name MAC Address | IP Address ------------ ------------------- + ------------------- DEFAULT_VLAN 001279-88a100 | Disabled VLAN10 001279-88a100 | Adding and deleting SNTP server addresses Adding addresses As mentioned earlier, you can configure one SNTP server address using either the Menu interface or the CLI. To configure a second and third address, you must use the CLI.
  • Page 50: Commands

    Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1. The security features of NTP can be used to avoid the accidental or malicious setting of incorrect time. One such mechanism is available: an encrypted authentication mechanism.
  • Page 51: Ntp Enable

    Disables NTP and removes the entire NTP configuration. Options authentication Configure NTP authentication. broadcast Operate in broadcast mode. enable Enable/disable NTP. max-association Maximum number of Network Time Protocol (NTP) associations. server Configure an NTP server to poll for time synchronization. trap Enable/disable NTP traps.
  • Page 52: Ntp Authentication Key-Id

    ntp authentication key-id <KEY-ID> [authentication-mode <MODE> key-value <KEY-STRING>] [trusted] Parameters/Options key-id <id> Sets the key-id for the authentication key. Subcommands authentication-mode Sets the NTP authentication mode key-value <KEY-STRING> Sets the key-value for the authentication key. [trusted] Sets the authentication key as trusted. Example Switch(config)# ntp Authentication...
  • Page 53: Ntp Max-Association

    Description The NTP client authenticates the NTP server. Options authentication-mode Set the NTP authentication mode. • md5: Authenticate using MD5. • sha1: Authenticate using SHA1. trusted Set this authentication key as trusted. ntp max-association This command is used to configure the maximum number of servers associated with this NTP client. Syntax ntp max-association <number>...
  • Page 54 Syntax [no] ntp server ntp server <IP-ADDR|IPv6-ADDR> [key <key-id>] [oobm] [max-poll <max-poll-val>][min-poll <min-poll-val>][burst | iburst] [version <1-4>] Parameters/Options [no] Removes the unicast NTP configurations on the device. Subcommands IP-ADDR Sets the IPv4 address of the NTP server. IPV6-ADDR Sets the IPv6 address of the NTP server. key <key-id>...
  • Page 55: Ntp Server Key-Id

    switch(config)# ntp server <IP-ADDR> key key-id Max-poll Configure the maximum time intervals in seconds. switch(config)# ntp server <IP-ADDR> key key-id max-poll <4-17> Enter an integer number. Switch(config)# ntp server <IP-ADDR> key key-id Min-poll Configure the minimum time intervals in seconds. switch(config)# ntp server <IP-ADDR>...
  • Page 56: Ntp Ipv6-Multicast

    key-id Set the authentication key to use for this server. max-poll <max-poll-val> Configure the maximum time intervals in seconds. min-poll <min-poll-val> Configure the minimum time intervals in seconds. ntp ipv6-multicast This command is used to configure NTP multicast on a VLAN interface. Syntax ntp ipv6-multicast Description...
  • Page 57 Syntax ntp trap <trap-name> Description Enables NTP traps. Use [no] to disable NTP traps. Options ntp-mode-change Sends a notification when the NTP entity changes mode, including starting and stopping (if possible). ntp-stratum-change Sends a notification when the stratum level of NTP changes. ntp-peer-change Sends a notification when a (new) syspeer has been selected.
  • Page 58: Show Ntp Statistics

    - 'ntpEntNotifConfigChanged' The notification to be sent when the NTP configuration has changed. - 'ntpEntNotifLeapSecondAnnounced' The notification to be sent when a leap second has been announced. - 'ntpEntNotifHeartbeat' The notification to be sent periodically (as defined by ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive. - 'ntpEntNotifAll' The notification to be sent when all traps have been enabled show ntp statistics This command is used to show NTP statistics.
  • Page 59: Show Ntp Associations

    Precision : 2**7 Root Dispersion : 15.91 sec NTP Uptime : 01d 09h 15m Time Resolution : 1 Drift : 0.000000000 sec/sec System Time : Tue Aug 25 04:59:11 2015 Reference Time : Mon Jan 1 00:00:00 1990 show ntp associations Syntax show ntp associations [detail <IP-ADDR>]...
  • Page 60: Show Ntp Authentication

    Filter Delay = 4.23 4.14 2.41 5.95 2.37 2.33 4.26 4.33 Filter Offset = -8.59 -8.82 -9.91 -8.42 -10.51 -10.77 -10.13 -10.11 show ntp authentication Syntax Description Show the authentication status and other information about the authentication key. show ntp authentication Switch(config)# show ntp authentication NTP Authentication Information Key-ID...
  • Page 61 Validation: If the username and the key installation user for that privilege do not match, a message displays and installation is not allowed. Error/Warning/Prompt: The username in the key being installed does not match the username configured on the switch. This will also happen when the authentication method is set for two-factor.
  • Page 62: Event Log Messages

    Event log messages Cause Event Message RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS W 01/01/15 18:24:03 03397: auth: %s. Examples: W 01/01/15 18:24:03 03397: auth: Public key and username/password should be configured for the successful two-factor authentication. W 01/01/15 18:24:03 03397: auth: Username and password should be configured for the successful two-factor authentication.
  • Page 63: Precision Time Protocol (Ptp)

    Cause and Event Message: When NTP finds a new broadcast server: A new broadcast server at %s. When the system clock is updated with a new time: The system clock time was changed by %ld sec %lu nsec. The new time is %s. When the NTP stratum is updated: The NTP Stratum was changed from %d to %d.
  • Page 64: Show Ptp

    displays: Port A1 does not support IEEE 1588 end-to-end transparent mode. Use the command show ptp to identify the unsupported ports. • IEEE 1588 end-to-end transparent mode cannot be enabled on a stack. If the user attempts this, an error message like the following displays: IEEE 1588 end-to-end transparent mode cannot be enabled when stacking is enabled.
  • Page 65: Displaying Current Resource Usage

    Displaying current resource usage To display current resource usage in the switch, enter the following command: Syntax: show {<qos | access-list | policy> resources} Displays the resource usage of the policy enforcement engine on the switch by software feature. For each type of resource, the amount still available and the amount used by each software feature is shown.
  • Page 66: Viewing Information On Resource Usage

    Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included. Viewing information on resource usage The switch allows you to view information about the current usage and availability of resources in the Policy Enforcement engine, including the following software features: •...
  • Page 67: Usage Notes For Show Resources Output

    ◦ Mirror policies per VLAN through the CLI using monitor service ◦ Jumbo IP-MTU • When the following features are configured per-port, resource usage is applied only to the slot or port group on which the feature is configured: ◦ ACLs or QoS applied per-port or per-user through RADIUS authentication ◦...
  • Page 68 mirroring policies if a policy has not been applied to an interface. However, sufficient resources must be available when you apply a configured policy to an interface. ◦ Acceptance of new RADIUS-based client authentication requests (displayed as a new resource entry for IDM). Failure to authenticate a client that presents valid credentials may indicate that insufficient resources are available for the features configured for the client in the RADIUS server.
  • Page 69: Chapter 3 Port Status And Configuration

    Chapter 3 Port Status and Configuration Viewing port status and configuring port parameters Connecting transceivers to fixed-configuration devices If the switch either fails to show a link between an installed transceiver and another device or demonstrates errors or other unexpected behavior on the link, check the port configuration on both devices for a speed and/or duplex (mode) mismatch.
  • Page 70 Status or parameter: Description. Mode: The port's speed and duplex (data transfer operation) setting. 10/100/1000Base-T Ports: • Auto-MDIX (default): Senses speed and negotiates with the port at the other end of the link for port operation (MDI-X or MDI). To see what the switch negotiates for the auto setting, use the CLI show interfaces brief command.
  • Page 71: Viewing Port Status And Configuration (Cli)

    Status or parameter: Description. 10-Gigabit CX4 Copper Ports: 10-Gigabit SC Fiber-Optic Ports (10-GbE SR, 10-GbE LR, 10-GbE ER): Auto: The port operates at 10 gigabits FDx and negotiates flow control. Lower speed settings or half-duplex are not allowed. NOTE: Conditioning patch cord cables are not supported on 10-GbE. Auto-MDIX The switch supports Auto-MDIX on 10Mb, 100Mb, and 1 Gb T/TX (copper) ports.
  • Page 72: Dynamically Updating The Show Interfaces Command (Cli/Menu)

    brief Lists the current operating status for all ports on the switch. config Lists a subset of configuration data for all ports on the switch; that is, for each port, the display shows whether the port is enabled, the operating mode, and whether it is configured for flow control. <port-list>...
  • Page 73: Customizing The Show Interfaces Command (Cli)

    When using the display option in the CLI, the information stays on the screen and is updated every 3 seconds, as occurs with the display using the menu feature. The update is terminated with Cntl-C. You can use the arrow keys to scroll through the screen when the output does not fit in one screen. Figure 3: show interfaces display command with dynamically updating output Customizing the show interfaces command (CLI) You can create show commands displaying the information that you want to see in any order you want by using...
  • Page 74: Error Messages Associated With The Show Interfaces Command

    Parameter column / Displays / Examples: name: Friendly port name. vlanid: The VLAN id this port belongs to, or "tagged" if it belongs to more than one VLAN (examples: 4, tagged). enabled: port is or is not enabled (examples: yes or no). intrusion: Intrusion alert status. bcast: Broadcast limit. The custom show interfaces command...
  • Page 75: Show Interface Smartrate

    Note on using pattern matching with the show interfaces custom command If you have included a pattern matching command to search for a field in the output of the show int custom command, and the show int custom command produces an error, the error message may not be visible and the output is empty.
  • Page 76: Operating Notes For Viewing Port Utilization Statistics

    Operating notes for viewing port utilization statistics • For each port on the switch, the command provides a real-time display of the rate at which data is received (Rx) and transmitted (Tx) in terms of kilobits per second (KBits/s), number of packets per second (Pkts/s), and utilization (Util) expressed as a percentage of the total bandwidth available.
  • Page 77: Enabling Or Disabling Ports And Configuring Port Mode (Cli)

    • For an installed transceiver that is not an Aruba switch transceiver, no transceiver type, product number, or part information is displayed. In the Serial Number field, non-operational is displayed instead of a serial number. • The following error messages may be displayed for a non-operational transceiver: ◦...
  • Page 78: Enabling Or Disabling Flow Control (Cli)

    If port C8 was disabled, and you wanted to enable it and configure it for 100FDx with flow-control active, you could do so with either of the following command sets: Figure 4: Two methods for changing a port configuration For more on flow control, see Enabling or disabling flow control (CLI) on page 78. Enabling or disabling flow control (CLI) NOTE: You must enable flow control on both ports in a given link.
  • Page 79 Assuming that flow control is currently disabled on the switch, you would use these commands: Figure 5: Configuring flow control for a series of ports switch(config)# int a1-a6 flow-control switch(config)# show interfaces brief Status and Counters - Port Status | Intrusion Flow Bcast Port Type...
  • Page 80: Port Shutdown With Broadcast Storm

    Port shutdown with broadcast storm A LAN broadcast storm arises when an excessively high rate of broadcast packets floods the LAN. A LAN broadcast storm disrupts traffic and degrades network performance. To prevent LAN traffic from being disrupted, an enhancement of the fault-finder commands adds new options, and the corresponding MIBs, that trigger a port disablement when a broadcast storm is detected on that port.
  • Page 81: Snmp Mib

    Syntax: show fault-finder broadcast-storm [[ethernet] port-list] Examples: switch# show fault-finder broadcast-storm [A1] Port Bcast Storm Port Status Rising Action Disable Disable Threshold Timer Timer Left Down warn-and- 65535 — disable switch (config)# show fault-finder broadcast-storm Port Bcast Storm Port Status Rising Action Disable...
  • Page 82 • syntax HpicfFfBcastStormControlPortConfigEntry • max-access: not-accessible • status: current • description: This object provides information about broadcast storm control configuration of each port. • index: {hpicfffbcaststormcontrolportindex}::= {hpicfFfBcastStormControlPortConfigTable 1} hpicfFfBcastStormControlPortConfigEntry ::= Syntax sequence:hpicfFfBcastStormControlPortIndex InterfaceIndex, hpicfFfBcastStormControlMode Integer, hpicfFfBcastStormControlRisingpercent Integer32, hpicfFfBcastStormControlRisingpps Integer32, hpicfFfBcastStormControlAction Integer, hpicfFfBcastStormControlPortDisableTimer Unsigned32 hpicfFfBcastStormControlPortIndex OBJECT-TYPE •...
  • Page 83: Multicast Storm Control

    hpicfFfBcastStormControlRisingpps OBJECT-TYPE • Syntax Integer32 (1..10000000) • max-access: read-write • status: current • description: This object indicates the rising threshold for broadcast storm control. This value is in packets-per-second of received broadcast traffic. hpicfffbcaststormcontrolaction object takes action when broadcast traffic reaches this level.
  • Page 84: Fault-Finder Multicast-Storm

    fault-finder multicast-storm Syntax fault-finder multicast-storm <PORT-LIST> action {warn | warn-and-disable <Seconds>} {percent <Percent> | pps <Rate>} no fault-finder multicast-storm <PORT-LIST> action {warn | warn-and-disable <Seconds>} {percent <Percent> | pps <Rate>} Description Per-port command to configure multicast-storm. The no form of the command disables multicast-storm configuration on the port.
  • Page 85 switch(config)# fault-finder multicast-storm ethernet 1/1 action warn-and-disable 10 percent <1-100> The percentage that is considered a multicast storm. switch(config)# fault-finder multicast-storm ethernet 1/1 action warn-and-disable 10 percent 40 Per port show fault-finder output: switch(config)# show fault-finder multicast-storm 1/1 Mcast | Port Rising Disable Disable Time...
  • Page 86: Fault-Finder Multicast-Storm Action

    fault-finder multicast-storm action Syntax fault-finder multicast-storm [action {warn | warn-and-disable}] [sensitivity {low | medium |high}] no fault-finder multicast-storm [action {warn | warn-and-disable}] [sensitivity {low | medium |high}] Description Global command to configure multicast-storm. The no form of the command disables multicast-storm configuration on the port.
  • Page 87: Show Logging

    bad-driver medium warn bad-transceiver medium warn bad-cable medium warn too-long-cable medium warn over-bandwidth medium warn broadcast-storm medium warn loss-of-link medium warn duplex-mismatch-hdx medium warn duplex-mismatch-fdx medium warn multicast-storm high warn-and-disable link-flap medium warn show running-config Syntax show running-config Description Displays information about the current configuration. Command context Manager Example...
  • Page 88: Restrictions

    Description Checks the FFI multicast-storm logging message. Command context Manager Example switch# show logging Keys: W=Warning I=Information M=Major D=Debug E=Error ---- Event Log listing: Events Since Boot ---- I 01/07/90 20:22:55 00076 ports: port 3 is now on-line M 01/07/90 20:22:52 02677 FFI: port 3-Port enabled by Fault-finder. I 01/07/90 20:22:33 00077 ports: port 3 is now off-line M 01/07/90 20:22:33 02676 FFI: port 3-Re-enable after 20 seconds.
  • Page 89: Manual Override

    Manual override If you require control over the MDI/MDI-X feature, you can set the switch to either of these non-default modes: • Manual MDI • Manual MDI-X The table below shows the cabling requirements for the MDI/MDI-X settings. Table 5: Cable types for auto and manual MDI/MDI-X settings Setting MDI/MDI-X device type PC or other MDI device type...
  • Page 90: Using Friendly (Optional) Port Names

    • Where a port is linked to another device, this command lists the MDI mode the port is currently using. • In the case of ports configured for Auto ( auto-mdix), the MDI mode appears as either MDI or MDIX, depending upon which option the port has negotiated with the device on the other end of the link.
  • Page 91: Configuring And Operating Rules For Friendly Port Names

    Configuring and operating rules for friendly port names • At either the global or context configuration level, you can assign a unique name to a port. You can also assign the same name to multiple ports. • The friendly port names you configure appear in the output of the show name [port-list], show config, and show interface <port-number >...
  • Page 92: Configuring The Same Name For Multiple Ports (Cli)

    Configuring the same name for multiple ports (CLI) Suppose that you want to use ports A5 through A8 as a trunked link to a server used by a drafting group. In this case you might configure ports A5 through A8 with the name "Draft-Server:Trunk." Configuring one friendly port name on multiple ports switch(config)# int a5-a8 name Draft-Server:Trunk switch(config)# write mem...
  • Page 93: Including Friendly Port Names In Per-Port Statistics Listings (Cli)

    Lists the friendly port name with its corresponding port number and port type. The show name command without a port list shows this data for all ports on the switch. Friendly port name data for all ports on the switch switch(config)# show name Port Names Port...
  • Page 94: Searching The Configuration For Ports With Friendly Port Names (Cli)

    Giants Rx Excessive Colln : 0 Total Rx Errors : 0 Deferred Tx Others (Since boot or last clear) : Discard Rx Out Queue Len Unknown Protos Rates (5 minute weighted average) : Total Rx (bps) : 3,028,168 Total Tx (bps) : 1,918,384 Unicast Rx (Pkts/sec) : 5 Unicast Tx (Pkts/sec) : 0...
  • Page 95: Uni-Directional Link Detection (Udld)

    Uni-directional link detection (UDLD) Uni-directional link detection (UDLD) monitors a link between two switches and blocks the ports on both ends of the link if the link fails at any point between the two devices. This feature is particularly useful for detecting failures in fiber links and trunks.
  • Page 96: Configuring Udld

    Configuring UDLD When configuring UDLD, keep the following considerations in mind: • UDLD is configured on a per-port basis and must be enabled at both ends of the link. See the note below for a list of switches that support UDLD. •...
  • Page 97: Changing The Keepalive Interval (Cli)

    Example: To enable UDLD on port a1, enter: switch(config)#interface a1 link-keepalive To enable the feature on a trunk group, enter the appropriate port range. For example: switch(config)#interface a1-a4 link-keepalive NOTE: When at least one port is UDLD-enabled, the switch will forward UDLD packets that arrive on non-UDLD-configured ports out of all other non-UDLD-configured ports in the same VLAN.
  • Page 98: Viewing Udld Information (Cli)

    NOTE: • You must configure the same VLANs that will be used for UDLD on all devices across the network; otherwise, the UDLD link cannot be maintained. • If a VLAN ID is not specified, UDLD control packets are sent out of the port as untagged packets. •...
  • Page 99: Viewing Detailed Udld Information For Specific Ports (Cli)

    Viewing detailed UDLD information for specific ports (CLI) Enter the show link-keepalive statistics command. Example: Figure 8: Example of show link-keepalive statistics command Clearing UDLD statistics (CLI) Enter the following command: switch# clear link-keepalive statistics This command clears the packets sent, packets received, and transitions counters in the show link-keepalive statistics display (see Figure 8: Example of show link-keepalive statistics command on page 99 for an example).
  • Page 100 For UFD functionality to work as expected, the NIC teaming must be in Network Fault Tolerance (NFT) mode. Figure 9: Teamed NICs in conjunction with UFD Figure 10: Teamed NICs with a failed uplink NOTE: The state of the LtD is purely governed by the state of the LtM, and is independent of the physical state of the ports in the LtD.
  • Page 101: Configuration Guidelines For Ufd

    Configuration Guidelines for UFD Below is a list of configuration guidelines to be followed for UFD. These are applicable only to blade switches where there is a clear distinction between downlink and uplink ports. 1. UFD is required only when uplink-path redundancy is not available on the blade switches. 2.
  • Page 102: Show Uplink-Failure-Detection

    Command context config Parameters <track_ID> Specifies the track id. <Port-List> Specifies the port list. <delay_value> Specifies the delay value. Examples Configure port A8 as LtM, port A6 as LtD, and delay value as 100 for track 1: Switch(config)# uplink-failure-detection track 1 links-to-monitor A8 links-to-disable A6 delay 100 switch(config)# show running-config Running configuration:...
  • Page 103: Error Log

    Description Shows the uplink failure detection information. Command context manager Examples switch# show uplink-failure-detection Uplink Failure Detection Information UFD Enabled : Yes Track | Monitored Links to Delay | Links Disable State State Lacp Key Lacp Key (sec) ------+---------- ----------- -------- ------- --------- ---------- ------ | Dyn1 Dyn2...
  • Page 104: Basic Usb Port Commands

    Invalid port(s) specified as links-to-monitor. • When a user specifies an invalid LtD port, a message similar to the following is displayed. Invalid port(s) specified as links-to-disable. • When a user specifies an incorrect delay value, an error message similar to the following is displayed: Delay specified does not match with the configured value of <delay value>.
  • Page 105 switch# show usb-port USB port status: enabled USB port power status: power on (USB device detected in port) Chapter 3 Port Status and Configuration...
  • Page 106: Chapter 4 Power Over Ethernet (Poe/Poe+) Operation

    Chapter 4 Power Over Ethernet (PoE/PoE+) Operation Introduction to PoE PoE technology allows IP telephones, wireless LAN access points, and other appliances to receive power and transfer data over existing Ethernet LAN cabling. For more information about PoE technology, see the PoE/PoE+ planning and implementation guide, which is available on the Networking website at networking.
  • Page 107: Applying Security Features To Poe Configurations

    Applying security features to PoE configurations You can use the port security features built into the switch to control device or user access to the network through PoE ports in the same way as non-PoE ports. Using Port Security, you can configure each switch port with a unique list of MAC addresses for devices that are authorized to access the network through that port.
  • Page 108: Pd Support

    • Disable or re-enable per-port PoE operation on individual ports to help control power usage and avoid oversubscribing PoE resources. • Configure per-port priority for allocating power in case a PoE device becomes oversubscribed and must drop power for some lower-priority ports to support the demand on other, higher-priority ports. •...
  • Page 109: How Is Power Allocation Prioritized

    priority ports to meet the power demand on other, higher-priority ports. This operation occurs regardless of the order in which PDs connect to the switch’s PoE-enabled ports. How is power allocation prioritized? There are two ways that PoE power is prioritized: •...
  • Page 110: Configuring The Poe Port Priority

    NOTE: The default setting for the pre-std-detect PoE parameter has changed. In earlier software the default setting was “on”; the default setting is now “off”. Configuring the PoE port priority Syntax: interface <port-list> power-over-ethernet [critical | high | low] Reconfigures the PoE priority level on <port-list>. For a given level, ports are prioritized by port number in ascending order.
  • Page 111: Manually Configuring Poe Power Levels

    Table 7: Power classes and their values Power class: Value. Depends on cable type and PoE architecture. Maximum power level output of 15.4 watts at the PSE. This is the default class; if there is not enough information about the load for a specific classification, the PSE classifies the load as class 0 (zero).
  • Page 112: Configuring Poe Redundancy

    To view the settings, enter the show power-over-ethernet command, shown in Figure 11: PoE allocation by value and the maximum power delivered on page 112. Figure 11: PoE allocation by value and the maximum power delivered switch(config)# show power-over-ethernet A6 Status and Counters - Port Power Status for port A6 Power Enable : Yes...
  • Page 113: Changing The Threshold For Generating A Power Notice

    Allows you to set the amount of power held in reserve for redundancy. Means that all available power can be allocated to PDs. Default: No PoE redundancy enforced. One of the power supplies is held in reserve for redundancy. If a single power supply fails, no powered devices are shut down. If power supplies with different ratings are used, the highest-rated power supply is held in reserve to ensure full redundancy.
  • Page 114: Poe/Poe+ Allocation Using Lldp Information

    With this setting, if module B is allocated 100 watts of PoE power and is using 68 watts, and then another PD is connected to the module in slot B that uses 8 watts, the 70% threshold of 70 watts is exceeded. The switch sends an SNMP trap and generates this Event Log message: Slot B POE usage has exceeded threshold of 70%.
  • Page 115: Enabling Or Disabling Ports For Allocating Power Using Lldp

    Enabling or disabling ports for allocating power using LLDP Syntax: int <port-list> poe-lldp-detect [enabled | disabled] Enables or disables ports for allocating PoE power based on the link-partner's capabilities via LLDP. Default: Disabled Example: You can enter this command to enable LLDP detection: switch(config) # int A7 poe-lldp-detect enabled or in interface context: switch(eth-A7) # poe-lldp-detect enabled...
  • Page 116: Viewing Poe When Using Lldp Information

    Allows the data link layer to be used for power negotiation between a PD on a PoE port and LLDP. Default: Disabled Example: You can enter this command to enable LLDP detection: switch(config) # int 7 PoE-lldp-detect enabled or in interface context: switch(eth-7) # PoE-lldp-detect enabled NOTE: Detecting PoE information via LLDP affects only power delivery;...
  • Page 117 LLCP Port Configuration Detail Port : 4 AdminStatus [Tx_Rx] : Tx_Rx NotificationsEnabled [False] : False Med Topology Trap Enabled [False] : False TLVS Advertised: * port_descr * system_name * system_descr * system_cap * capabilities * network_policy * location_id * poe * macphy_config * poeplus_config IpAddress Advertised:...
  • Page 118: Operating Note

    System Descr : Switch 3500-24, revision W.14.xx PortDescr : 23 Pvid : 55 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge Remote Management Address Type : ipv4 Address : Poe Plus Information Detail Poe Device Type : Type2 PD Power Source : Only PSE...
  • Page 119: Viewing Poe Status On All Ports

    brief: Displays PoE information for each port. See Viewing PoE status on all ports on page 119. <port-list>: Displays PoE information for the ports in port-list. See Viewing the PoE status on specific ports on page 121. <slot-id-...: Displays PoE information for the selected slots. See Showing the PoE information by slot. Enter the all option to display the PoE information for all slots.
  • Page 120 Alloc Power: The maximum amount of PoE power allocated for that port (expressed in watts). Default: 17 watts for PoE; 33 watts for PoE+. Actual Power: The power actually being used on that port. Configured Type: If configured, shows the user-specified identifier for the port. If not configured, this field is empty.
  • Page 121: Viewing The Poe Status On Specific Ports

    You can also show the PoE information by slot: Showing the PoE information by slot switch(config)# show power-over-ethernet slot A Status and Counters - System Power Status for slot A Maximum Power : 408 W Operational Status : On Power In Use 9 W +/- 6 W Usage Threshold (%) : 80 Viewing the PoE status on specific ports...
  • Page 122: 802.3Bt Support

    Power Class: Shows the power class of the PD detected on the indicated port. Classes include: • 0: 0.44 to 12.95 watts • 1: 0.44 to 3.84 watts • 2: 3.84 to 6.49 watts • 3: 6.49 to 12.95 watts •...
  • Page 123: Definition Of Terms

    IEEE 802.3bt standard devices are backwards compatible with previous PoE standard devices, IEEE 802.3at and IEEE 802.3af, allowing existing PoE devices to deliver or receive power up to their maximum IEEE 802.3 PoE classification. The 2930M switches provide modular stacking, modular 10GbE, 40GbE, or Smart Rate multi-gigabit ports, and hot-swappable power supplies for redundancy, up to 60W PoE per port (up to 1440W PoE total**) for powering APs, cameras, and IoT devices.
  • Page 124: Configuring The Switch

    Table 8: PoE types, classes, standards, power needs for SS PDs Classes Associated PoE types Associated IEEE standard Maximum power at PD port Minimum power at PSE port Class 0 802.3at 13 W / 15.4 W Class 1 1 or 3 802.3at or 802.3bt 3.84 W / 4 W Class 2...
  • Page 125: Recommendations

    • The default switch configuration always power demotes all Class 4-8 SS PDs to Class 3 power and requires successful LLDP dot3Tlv 29 octet power negotiation for Class 5-8 PDs or 12 octet power negotiation for Class 4 PDs before increasing the power delivery to above 16W. •...
  • Page 126 usage usage 0.0 W 0.0 W Searching usage usage 2.0 W 1.9 W Delivering usage usage 9.0 W 8.4 W Delivering usage lldp 7.3 W 6.9 W Delivering # - Dual signature power delivery ^ - Power demoted ports Example of show pow port Example show command output at a port where LLDP is enabled for a Dual Signature PD.
  • Page 127: Poe Event Log Messages

    PD Requested Power Value : 0.0 W PSE TLV Sent Type : MED MED LLDP Detect : Disabled PD TLV Sent Type : n/a LLDP Dual Signature Information PSE Allocated Power Value A : 25.5 W PSE Allocated Power Value B : 25.5 W PD Requested Power Value A : 0.0 W PD Requested Power Value B...
  • Page 128 “Switch 2920”, then select the device from the list and click on Product manuals. Click on the “User guide” link under Manuals. Aruba 2930F / 2930M Management and Configuration Guide for ArubaOS-Switch 16.08...
  • Page 129: Chapter 5 Port Trunking

    Chapter 5 Port Trunking Overview of port trunking Port trunking allows you to assign up to eight physical links to one logical link (trunk) that functions as a single, higher-speed link providing dramatically increased bandwidth. This capability applies to connections between backbone devices as well as to connections in other network areas where traffic bottlenecks exist.
  • Page 130: Port Trunk Features And Operation

    Port trunk features and operation The switches covered in this guide offer these options for port trunking: • LACP: IEEE 802.3ad—Trunk group operation using LACP on page 142 • Trunk: Non-Protocol—Trunk group operation using the "trunk" option on page 149 Up to 60 trunk groups are supported on the switches.
  • Page 131: Static Trunk

    Admin and Operational key are usually the same, but using static LACP can alter the Operational key during runtime, in which case the keys would differ. The lacp key command configures both the Admin and Operational keys when using dynamic LACP trunks. It only configures the Admin key if the trunk is a static LACP trunk.
  • Page 132 Table 11: Trunk configuration protocols Protocol Trunking Options LACP (802.3ad) Provides dynamic and static LACP trunking options. • Dynamic LACP — Use the switch-negotiated dynamic LACP trunk when: ◦ The port on the other end of the trunk link is configured for Active or Passive LACP. ◦...
  • Page 133 Table 12: General operating rules for port trunks Media: For proper trunk operation, all ports on both ends of a trunk group must have the same media type and mode (speed and duplex). (For the switches, it is recommended to leave the port mode setting at Auto or, in networks using Cat 3 cabling, Auto-10.) Port Configuration: The default port configuration is Auto, which enables a port to sense speed...
  • Page 134 Spanning Tree: 802.1D (STP) and 802.1w (RSTP) Spanning Tree operate as a global setting on the switch (with one instance of Spanning Tree per switch). 802.1s (MSTP) Spanning Tree operates on a per-instance basis (with multiple instances allowed per switch). For each Spanning Tree instance, you can adjust Spanning Tree parameters on a per-port basis. A static trunk of any type appears in the Spanning Tree configuration display, and you can configure Spanning Tree parameters for a static trunk in the same way that you would...
  • Page 135: Viewing And Configuring Port Trunk Groups (Cli)

    Recommended port mode setting for LACP switch(config)# show interfaces config Port Settings Port Type | Enabled Mode Flow Ctrl MDI ----- --------- + ------- ------------ --------- ---- 10/100TX | Yes Auto Enable Auto 10/100TX | Yes Auto Enable A port trunk in a Spanning Tree listing Port Type Cost Priority State...
  • Page 136: Viewing Static Lacp And Dynamic Lacp Trunk Data

    specifying ports on page 136, the command does not include a port list, so the switch lists all ports having static trunk membership. A show trunk listing without specifying ports switch# show trunks Load Balancing Port | Name Type | Group Type ---- + ----------------------- --------- + ----- ----- | Print-Server-Trunk 10/100TX...
  • Page 137: Configuring A Static Trunk Or Static Lacp Trunk Group

    LACP Trunk Port LACP Admin Oper Port Enabled Group Status Partner Status ---- ------- ----- ------ ------- ------ ---- ----- Active Dyn1 Success Active Dyn1 Success Active Dyn1 Success Active Dyn1 Success Active Dyn1 Success Active Dyn1 Success Active Dyn1 Success Active Dyn1...
  • Page 138: Enabling A Dynamic Lacp Trunk Group

    switch(config)# no trunk c4-c5 Enabling a dynamic LACP trunk group In the default port configuration, all ports on the switch are set to disabled. To enable the switch to automatically form a trunk group that is dynamic on both ends of the link, the ports on one end of a set of links must be LACP Active.
  • Page 139: Specifying Minimum Active Links For Lacp

    Syntax: no interface <port-list> lacp Removes <port-list> from any dynamic LACP trunk and returns the ports in <port-list> to passive LACP. Example: Port C6 belongs to an operating, dynamic LACP trunk. To remove port C6 from the dynamic trunk and return it to passive LACP, do the following: switch(config)# no interface c6 lacp switch(config)# interface c6 lacp passive...
  • Page 140: Lacp Enable-Timer

    Example: eth-Trk Parameters value Sets the threshold value for the LACP trunk. The value is an integer from zero to eight that represents the minimum number of active links. The default value is zero, which disables the minimum-active-links check.
  • Page 141: Show Lacp Min-Active-Links

    mad-passthrough Enable or disable MAD passthrough on the LACP trunks. min-active-links Configure the threshold for the minimum number of active member links in a LACP trunk group, for it to be operational. active Enable active LACP. passive Enable passive LACP. static Set the mode of a static LACP port to active or passive.
  • Page 142: Limitations

    lacp enable-timer 356 exit Limitations • Dynamic LACP, static trunks, and distributed trunks do not support this feature. • The command is not available for the REST/next Gen UI. • If the LACP trunk is down due to a lack of active links while the timer is enabled, a dynamic update to the enable-timer through configuration will not take effect immediately, because the current timer runs with the previously configured value.
  • Page 143 In most cases, trunks configured for LACP on the switches operate as described in the following table. Chapter 5 Port Trunking...
  • Page 144 Table 13: LACP trunk types LACP port trunk Operation configuration Dynamic LACP This option automatically establishes an 802.3ad-compliant trunk group, with LACP for the port Type parameter and DynX for the port Group name, where X is an automatically assigned value from , depending on how many dynamic and static trunks are currently on the switch.
  • Page 145: Default Port Operation

    LACP port trunk Operation configuration • The port on the other end of the trunk link is configured for a static LACP trunk. • You want to configure non-default Spanning Tree or IGMP parameters on an LACP trunk group. • You want an LACP trunk group to operate in a VLAN other than the default VLAN and GVRP is disabled.
  • Page 146 Table 14: LACP port status data Status Meaning name Port Numb Shows the physical port number for each port configured for LACP operation (C1, C2, C3 …). Unlisted port numbers indicate that the missing ports that are assigned to a static trunk group are not configured for any trunking.
  • Page 147: Lacp Notes And Restrictions

    LACP notes and restrictions 802.1X (Port-based access control) configured on a port To maintain security, LACP is not allowed on ports configured for 802.1X authenticator operation. If you configure port security on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port, and enables 802.1X on that port.
  • Page 148: Vlans And Dynamic Lacp

    VLANs and dynamic LACP A dynamic LACP trunk operates only in the default VLAN (unless you have enabled GVRP on the switch and use Forbid to prevent the ports from joining the default VLAN). If you want to use LACP for a trunk on a non-default VLAN and GVRP is disabled, configure the trunk as a static trunk.
  • Page 149: Spanning Tree And Igmp

    Spanning Tree and IGMP If Spanning Tree, IGMP, or both are enabled in the switch, a dynamic LACP trunk operates only with the default settings for these features and does not appear in the port listings for these features. Half-duplex, different port speeds, or both not allowed in LACP trunks The ports on both sides of an LACP trunk must be configured for the same speed and for full-duplex (FDx).
  • Page 150: Outbound Traffic Distribution Across Trunked Links

    (Table of interface options by trunk type; columns: Interface option | Dynamic LACP trunk | Static LACP trunk group | Static non-protocol group; rows: CLI show trunk, CLI show interfaces, CLI show lacp, CLI show spanning-tree, CLI show igmp, CLI show config.) Outbound traffic distribution across trunked links The two trunk group options (LACP and trunk) use SA/DA pairs for distributing outbound traffic over trunked links. That is, the switch sends traffic from the same source address to the same destination address through the same trunked link, and may also send traffic from the same source address to a different destination address through the same link or a different link, depending on the mapping of path assignments among the links in the trunk.
  • Page 151: Trunk Load Balancing Using Port Layers

    When a new port is added to the trunk, the switch begins sending traffic, either new traffic or existing traffic, through the new link. As links are added or deleted, the switch redistributes traffic across the trunk group. For example, in the figure below showing a three-port trunk, traffic could be assigned as shown in the following table. Figure 17: Example of a port-trunked network. Table 15: Example of link assignments in a trunk group (SA/DA distribution) Source...
  • Page 152 Syntax: trunk-load-balance <L2-based | L3-based | L4-based> This option enables load balancing based on port layer information. The configuration is executed in global configuration context and applies to the entire switch. Default: L3-based load balancing. L2-based: Load balance based on Layer 2 information. L3-based: Load balance based on Layer 3 information if present, or Layer 2 information.
  • Page 153: Chapter 6 Port Traffic Controls

    Chapter 6 Port Traffic Controls Rate-limiting CAUTION: Rate-limiting is intended for use on edge ports in a network. It is not recommended for use on links to other switches, routers, or servers within a network, or for use in the network core. Doing so can interfere with applications the network requires to function properly.
  • Page 154: Displaying The Current Rate-Limit Configuration

    NOTE: The granularity of actual limits may vary across different switch models. For more details on configuring rate-limiting, see All traffic rate-limiting on page 153. Notes: • The rate-limit icmp command specifies a rate limit on inbound ICMP traffic only (see ICMP rate-limiting on page 157).
  • Page 155 (show rate-limit all output: All-Traffic Rate Limit Maximum %; columns Port | Inbound Limit, Mode, Radius Override | Outbound Limit, Mode, Radius Override; the listed ports show inbound Disabled, Disabled, No-override and outbound 200 kbps, No-override, or Disabled...
  • Page 156: Operating Notes For Rate-Limiting

    Operating notes for rate-limiting • Rate-limiting operates on a per-port basis, regardless of traffic priority. Rate-limiting is available on all types of ports (other than trunked ports) and at all port speeds configurable for these switches. • Rate-limiting on a trunk is not allowed for the all, bcast, icmp, and mcast traffic types. Rate-limiting is not supported on ports configured in a trunk group (including mesh ports).
  • Page 157: Icmp Rate-Limiting

    NOTE: Rate-limiting is applied to the available bandwidth on a port and not to any specific applications running through the port. If the total bandwidth requested by all applications is less than the configured maximum rate, then no rate-limit can be applied. This situation occurs with a number of popular throughput-testing applications, as well as most regular network applications.
  • Page 158: Guidelines For Configuring Icmp Rate-Limiting

    NOTE: ICMP rate-limiting does not throttle non-ICMP traffic. In cases where you want to throttle both ICMP traffic and all other inbound traffic on a given interface, you can separately configure both ICMP rate-limiting and all-traffic rate-limiting. The all-traffic rate-limiting command (rate-limit all) and the ICMP rate-limiting command (rate-limit icmp) operate differently: •...
  • Page 159: Using Both Icmp Rate-Limiting And All-Traffic Rate-Limiting On The Same Interface

    (Default: Disabled.) percent <1-100> Values in this range allow ICMP traffic as a percentage of the bandwidth available on the interface. kbps <0-10000000> Specifies the rate at which to forward traffic in kilobits per second. Causes an interface to drop all incoming ICMP traffic and is not recommended. See the caution.
  • Page 160: Viewing The Current Icmp Rate-Limit Configuration

    • Inbound ICMP traffic on port "X" is using 1% of the port's bandwidth, and • Inbound traffic of all types on port "X" demands 61% of the port's bandwidth, all inbound traffic above 55% of the port's bandwidth, including any additional ICMP traffic, is dropped as long as all inbound traffic combined on the port demands 55% or more of the port's bandwidth.
  • Page 161: Icmp Rate-Limiting Trap And Event Log Messages

    • ICMP percentage-based rate-limits are calculated as a percentage of the negotiated link speed: For example, if a 100 Mbps port negotiates a link to another switch at 100 Mbps and is ICMP rate-limit configured at 5%, the inbound ICMP traffic flow through that port is limited to 5 Mbps. Similarly, if the same port negotiates a 10 Mbps link, it allows 0.5 Mbps of inbound traffic.
  • Page 162: Determining The Switch Port Number Used In Icmp Port Reset Commands

    Syntax: interface <port-list> rate-limit icmp trap-clear On a port configured with ICMP rate-limiting, this command resets the ICMP trap function, which allows the switch to generate a new SNMP trap and an Event Log message if ICMP traffic in excess of the configured limit is detected on the port.
  • Page 163: Configuring Inbound Rate-Limiting For Broadcast And Multicast Traffic

    Configuring inbound rate-limiting for broadcast and multicast traffic You can configure rate-limiting (throttling) of inbound broadcast and multicast traffic on the switch, which helps prevent the switch from being disrupted by traffic storms if they occur on the rate-limited port. The rate-limiting is implemented as a percentage of the total available bandwidth on the port.
  • Page 164: Operating Notes

    Inbound multicast rate-limiting of 20% on port 3:
    switch(eth-3)# rate-limit mcast in percent 20
    switch(eth-3)# show rate-limit mcast
    (Output: Multicast-Traffic Rate Limit Maximum %; columns Port | Inbound Limit, Mode, Radius Override; ports show Disabled, Disabled, No-override, then 20...
  • Page 165: Guaranteed Minimum Bandwidth (Gmb)

    ◦ Transceiver type not supported in this software version. ◦ Not an Switch Transceiver. Guaranteed minimum bandwidth (GMB) GMB provides a method for ensuring that each of a given port's outbound traffic priority queues has a specified minimum consideration for sending traffic out on the link to another device. This can prevent a condition where applications generating lower-priority traffic in the network are frequently or continually "starved"...
  • Page 166: Impacts Of Qos Queue Configuration On Gmb Operation

    Since the switch services outbound traffic according to priority (highest to lowest), the highest-priority outbound traffic on a given port automatically receives the first priority in servicing. Thus, in most applications, it is necessary only to specify the minimum bandwidth you want to allocate to the lower priority queues. In this case, the high-priority traffic automatically receives all unassigned bandwidth without starving the lower-priority queues.
  • Page 167: Configuring Gmb For Outbound Traffic

    Configuring GMB for outbound traffic For any port, group of ports, or static trunk, you can configure either the default minimum bandwidth settings for each outbound priority queue or a customized bandwidth allocation. For most applications, Hewlett Packard Enterprise recommends configuring GMB with the same values on all ports on the switch so that the outbound traffic profile is consistent for all outbound traffic.
  • Page 168 Queue 8 (high priority) Queue 7 (high priority) Queue 6 (medium priority) Queue 5 (medium priority) Queue 4 (normal priority) Queue 3 (normal priority) Queue 2 (low priority) Queue 1 (low priority) A setting of 0 (zero percent) on a queue means that no bandwidth minimum is specifically reserved for that queue for each of the ports (including trunked ports) in the <port-list|trk_#>...
  • Page 169: Viewing The Current Gmb Configuration

    (Table columns: Priority of outbound port queue | Minimum bandwidth % | Effect on outbound bandwidth allocation.) Queue 6 has a GMB of 10% and, if oversubscribed, is subordinate to queues 8 and 7 in priority for any unused outbound bandwidth available on the port. Queue 5 has a GMB of 10% and, if oversubscribed, is subordinate to queues 8, 7, and 6 for any unused outbound bandwidth available on the port.
  • Page 170: Gmb Operating Notes

    (show bandwidth output residue: per-port queue entries and a Trk1 entry, each showing strict.) GMB operating notes Impact of QoS queue configuration on GMB commands Changing the number of queues causes the GMB commands (interface bandwidth-min and show bandwidth output) to operate only on the number of queues currently configured.
  • Page 171: Rate-Limit Unknown-Unicast In Kbps

    mcast Set a rate limit for multicast traffic.
    queues Set a rate limit for each traffic queue.
    unknown-unicast Set a rate limit for unicast flood traffic.
    switch(eth-2)# rate-limit unknown-unicast
    Set a rate limit for incoming unicast flood traffic.
    switch(eth-2)# rate-limit unknown-unicast in
    kbps percent
    switch(eth-2)# rate-limit unknown-unicast in percent 10...
  • Page 172: Show Rate-Limit Unknown-Unicast

    switch(eth-1)# rate-limit unknown-unicast
    Set a rate limit for incoming unicast flood traffic.
    switch(eth-1)# rate-limit unknown-unicast
    kbps percent
    switch(eth-1)# rate-limit unknown-unicast in kbps 100
    switch(eth-1)# show rate-limit
    Show total traffic rate limits.
    bcast Show broadcast traffic rate limits.
    icmp Show ICMP traffic rate limits.
    mcast Show multicast traffic rate limits.
  • Page 173: Jumbo Frames

  • Page 174 to 9220 bytes. A port receiving frames exceeding the applicable MTU drops such frames, causing the switch to generate an Event Log message and increment the "Giant Rx" counter (displayed by show interfaces <port-list> ). • The switch allows flow control and jumbo frame capability to co-exist on a port. •...
  • Page 175: Configuring Jumbo Frame Operation

    downstream device must be configured to accept the jumbo traffic. Otherwise, this traffic will be dropped by the downstream device. Configuring jumbo frame operation For detailed information about jumbo frames, see Jumbo frames on page 173. Overview 1. Determine the VLAN membership of the ports or trunks through which you want the switch to accept inbound jumbo traffic.
  • Page 176: Enabling Or Disabling Jumbo Traffic On A Vlan

    If port 1 belongs to VLAN 1, port 2 belongs to VLAN 10, and port 3 belongs to VLAN 15, executing this command with a port-list of 1 - 3 results in a listing of all three VLANs, even though none of the ports belong to all three VLANs.
  • Page 177: Configuring A Maximum Frame Size

    Configuring a maximum frame size You can globally set a maximum frame size for jumbo frames that will support values from 1518 bytes to 9216 bytes for untagged frames. Syntax: jumbo max-frame-size <size> Sets the maximum frame size for jumbo frames. The range is from 1518 bytes to 9216 bytes. (Default: 9216 bytes) NOTE: The jumbo max-frame-size is set on a GLOBAL level.
  • Page 178: Operating Notes For Maximum Frame Size

    switch(config)# show jumbos
    Jumbos Global Values
    Configured : MaxFrameSize : 9216 Ip-MTU : 9198
    In Use : MaxFrameSize : 9216 Ip-MTU : 9198
    For more information about frame size, see Jumbo frames on page 173. Operating notes for maximum frame size •...
  • Page 179: Fault Finder Thresholds

    • Too many undersized/giant packets (bad driver) • Excessive late collisions (cable too long) • High collision or drop rate (over bandwidth) • Excessive broadcast packets (broadcast storm) • Excessive multicast packets (multicast storm) • Duplex mismatch (duplex mismatch HDx - reconfigure to Full Duplex) •...
  • Page 180 • all: All fault types • bad-driver: Too many undersized/giant packets • bad-transceiver: Excessive jabbering • bad-cable: Excessive CRC/alignment errors • too-long-cable: Excessive late collisions • over-bandwidth: High collision or drop rate • broadcast-storm: Excessive broadcasts • duplex-mismatch-HDx: Duplex mismatch. Reconfigure to Full Duplex •...
  • Page 181 Table 18: Fault finder sensitivities for supported conditions. Columns: Condition | Sensitivities (High, Medium) | Units (in packets) | Time period | Fault finder reacts. Bad driver (too many undersized packets or too many giant packets): sensitivity —; units 1/10,000 incoming packets; time period 20 secs; fault finder reacts if (undersized/total) >= (sensitivity/10,000) or if (giant/total) >=...
  • Page 182 (Table 18 continued; columns: Condition | Sensitivities | Units (in packets) | Time period | Fault finder reacts.) Over bandwidth (High collision rate; High drop rate): listed sensitivities 21257, 36449; units 1/10,000 outgoing packets, or one packet; time period 5 mins, 5 mins; fault finder reacts if (excessive collisions/total) >= (sensitivity/10,000), or if the count of dropped packets >= sensitivity during the last...
  • Page 183 1. CRC errors/total must be >= (sensitivity/10,000) to trigger an alert. 2. CRC errors/total = 15/3500 = .00043 3. Sensitivity/10,000 = 6/10,000 = .0006 4. .00043 is not greater than or equal to .0006, so an alert is not triggered.
  • Page 184: Chapter 7 Configuring For Network Management Applications

    Chapter 7 Configuring for Network Management Applications Using SNMP tools to manage the switch SNMP is a management protocol that allows an SNMP client application to retrieve device configuration and status information and to configure the device (get and set). You can manage the switch via SNMP from a network management station.
  • Page 185: Snmpv1 And V2C Access To The Switch

    Click on software updates, then MIBs. SNMPv1 and v2c access to the switch SNMP access requires an IP address and subnet mask configured on the switch. If you are using DHCP/Bootp to configure the switch, ensure that the DHCP/Bootp process provides the IP address. Once an IP address is configured, the main steps for configuring SNMPv1 and v2c access management features are: Procedure...
  • Page 186: Enabling And Disabling Switch For Access From Snmpv3 Agents

    CAUTION: Restricting access to only version 3 messages will make the community named “public” inaccessible, preventing network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from operating on the switch. Enabling and disabling switch for access from SNMPv3 agents This includes the creation of the initial user record.
  • Page 187: Snmpv3 Users

    CAUTION: Restricting access to only version 3 messages makes the community named "public" inaccessible, preventing network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from running on the switch. Example: SNMP version 3 enable command SNMPv3 users NOTE: To create new users, most SNMPv3 management software requires an initial user record to clone.
  • Page 188 Adding users To configure an SNMPv3 user, you must first add the user name to the list of known users with the snmpv3 user command, as shown in the following image. Figure 23: Adding SNMPv3 users and displaying SNMPv3 configuration SNMPv3 user commands Syntax: [no] snmpv3 user <USER_NAME>...
  • Page 189 Displays information about the management stations configured on VLAN 1 to access the switch. Display of the management stations configured on VLAN 1:
    switch# configure terminal
    switch(config)# vlan 1
    switch(vlan-1)# show snmpv3 user
    Status and Counters - SNMPv3 Global Configuration Information
    User Name Auth.
  • Page 190: Group Access Levels

    Group access levels The switch supports eight predefined group access levels, shown in the following table. There are four levels for use by version 3 users and four are used for access by version 2c or version 1 management applications. Table 19: Predefined group access levels Group name Group access type...
  • Page 191: Snmpv3 Communities

    ◦ vacmContextTable ◦ vacmAccessTable ◦ vacmViewTreeFamilyTable • OperatorReadView – no access to the following: ◦ icfSecurityMIB ◦ hpSwitchIpTftpMode ◦ vacmContextTable ◦ vacmAccessTable ◦ vacmViewTreeFamilyTable ◦ usmUserTable ◦ snmpCommunityTable • Discovery View – Access limited to samplingProbe MIB. NOTE: All access groups and views are predefined on the switch. There is no method to modify or add groups or views to those that are predefined on the switch.
  • Page 192: Listing Community Names And Values (Cli)

    The following image shows the assignment of an Operator community on MgrStation1 to the CommunityOperatorReadWrite group. Any other operator has an access level of CommunityOperatorReadOnly. Figure 25: Assigning a community to a group access level SNMP community features Use SNMP communities to restrict access to the switch by SNMP management stations by adding, editing, or deleting SNMP communities.
  • Page 193 To list the data for only one community, such as the "public" community, use the above command with the community name included. For example: switch# show snmp-server public Configuring community names and values (CLI) The snmp-server command enables you to add SNMP communities with either default or specific access attributes, and to delete specific communities.
  • Page 194: Snmp Notifications

    switch(config)# no snmp-server community gold-team SNMP notifications The switches: • Default Traps: A switch automatically sends default traps to trap receivers using the configured community name. You have to configure and supply the community name to use in the trap-receiver config; there is no default.
  • Page 195: Snmpv1 And Snmpv2C Traps

    If you want to use SNMPv3 notifications (including traps), you must also configure an SNMPv3 management station. Follow the required configuration procedure in Configuring SNMPv3 notifications (CLI) on page 199. 2. To reconfigure any of the SNMP notifications that are enabled by default to be sent to a management station (trap receiver), see Enabling Link-Change Traps (CLI) on page 204.
  • Page 196: Overview

    Configuring an SNMP trap receiver (CLI) Syntax: snmp-server host {< ipv4-addr | ipv6-addr >} < community name> Configures a destination network management station to receive SNMPv1/v2c traps and (optionally) Event Log messages sent as traps from the switch, using the specified community name and destination IPv4 or IPv6 address.
  • Page 197: Snmp Trap When Mac Address Table Changes

    Use the rmonlog-set-threshold command to set the threshold limit for RMON event log memory. rmonlog-set-threshold Syntax rmonlog-set-threshold <percentage> no rmonlog-set-threshold <percentage> Description Configures the threshold percentage for RMON event logging. The default value is 80. The no form of this command resets the RMON event logging threshold to the default value. Command context config Parameters...
  • Page 198: Snmpv2C Informs

    The mac-notify trap feature globally enables the generation of SNMP trap notifications on MAC address table changes (learns/moves/removes/ages). The following command enables traps for aged MAC addresses: Syntax: switch(config)# [no] mac-notify traps [port-list] aged Example: For port 1 the command is: Syntax: switch(config)# mac-notify traps 1 aged show command...
  • Page 199: Configuring Snmpv3 Notifications (Cli)

    Enabling SNMPv2c informs (CLI) For information about enabling SNMPv2c informs, see SNMPv2c informs on page 198. Syntax: [no] snmp-server host {< ipv4-addr | ipv6-addr >} <community name> inform [retries < count >] [timeout < interval >] Enables (or disables) the inform option for SNMPv2c on the switch and allows you to configure options for sending SNMP inform requests.
  • Page 200 When SNMPv3 is enabled, the switch supports: • Reception of SNMPv3 notification messages (traps and informs) • Configuration of initial users • (Optional) Restriction of non-SNMPv3 messages to "read only" 2. Configure SNMPv3 users by entering the snmpv3 user command. Each SNMPv3 user configuration is entered in the User Table.
  • Page 201 Name of the SNMPv3 station's parameters file. The params <ASCII-STR> parameters filename configured with params <ASCII-STR> must match the params <ASCII-STR> value entered with the snmpv3 params command in Step 6. The <IP-ADDR> sets the IP address of the destination. Specifies the SNMPv3 notifications (identified by one or taglist <ASCII-STR>...
  • Page 202: Network Security Notifications

    Configures the security model used for SNMPv3 sec_model {<ver1 | ver2c | ver3>} notification messages sent to the management station configured with the snmpv3 targetaddress command in Step 5. If you configure the security model as ver3, you must also configure the message processing value as ver3.
  • Page 203 • Invalid password entered in a login attempt through a direct serial, Telnet, or SSH connection • Manager password changes • Port-security (web, MAC, or 802.1X) authentication failure • SNMP authentication failure • Running configuration changes Enabling or disabling notification/traps for network security failures and other security events (CLI) Syntax: [no] snmp-server enable traps [arp-protect | auth-server-fail | dhcp-server...
  • Page 204: Enabling Link-Change Traps (Cli)

    running-config-change Traps for running config change. snmp-authentication [extended | Select RFC-1157 (standard) or ICF-SNMP (extended) standard] traps. Startup-config-change Traps for changes to the startup configuration. Enable traps for the VSF functionality. To determine the specific cause of a security event, check the Event Log in the console interface to see why a trap was sent.
  • Page 205: Source Ip Address For Snmp Notifications

    Enter all to enable or disable link-change traps on all ports on the switch. Readable interface names in traps The SNMP trap notification messages for linkup and linkdown events on an interface include IfDesc and IfAlias var-bind information. Source IP address for SNMP notifications The switch uses an interface IP address as the source IP address in IP headers when sending SNMP notifications (traps and informs) or responses to SNMP requests.
  • Page 206 The no form of the command resets the switch to the default behavior (compliant with rfc-1517). (Default: Use the interface IP address in generated trap PDUs) ipv4-addr User-defined interface IPv4 address that is used as the source IP address in generated traps.
  • Page 207: Viewing Snmp Notification Configuration (Cli)

    dstIpOfRequest: The destination IP address of the interface on which an SNMP request is received and used as the source IP address in SNMP replies. Viewing SNMP notification configuration (CLI) Syntax: show snmp-server Displays the currently configured notification settings for versions SNMPv1 and SNMPv2c traps, including SNMP communities, trap receivers, link-change traps, and network security notifications.
  • Page 208: Event Scenario Matrix

    • Authentication failure notifications • Enterprise change notifications • Intrusion alarm notifications Event scenario matrix Different event scenarios for which traps are generated (columns: Event | Id | Severity | Action | Message). Slot Insertion (Id 68, Severity Info): I 06/20/16 09:18:43 00068 chassis: AM1: Slot C Inserted. Slot Removal (Id 67, Severity Info): I 06/20/16 09:18:50 00067 chassis: AM1: Slot C Removed...
  • Page 209 Removing a slot module Event Id: 67 Inserting transceiver Event Id: 405
  • Page 210 Removing a transceiver
  • Page 211: Configuring The Mac Address Count Option

    Inserting a stack-module Configuring the MAC address count option The MAC Address Count feature provides a way to notify the switch management system when the number of MAC addresses learned on a switch port exceeds the permitted configurable number. To enable the mac-count-notify option, enter this command in global config context. Syntax: [no] snmp-server enable traps mac-count-notify Sends a trap when the number of MAC addresses learned on the specified ports exceeds the configured...
  • Page 212: Displaying Information About The Mac-Count-Notify Option

    Configuring mac-count notify traps on ports 5–7 switch (config)# mac-count-notify traps 5-7 50 Displaying information about the mac-count-notify option Use the show mac-count-notify traps [<port-list>] command to display information about the configured value for sending a trap, the current count, and if a trap has been sent. Information displayed for the show mac-count-notify traps command switch(config)# show mac-count-notify traps Mac-count-notify Enabled: Yes...
  • Page 213: Advanced Management: Rmon

    MAC address table changes : Disabled MAC Address Count : Enabled (Trap receiver table; columns: Address | Community | Events | Type | Retry | Timeout; four entries, each with community public, events None, type trap.) Excluded MIBs The notify option is enabled.
  • Page 214: Viewing Sflow Configuration And Status (Cli)

    Once an sFlow receiver/destination has been enabled, this command enables flow sampling for that instance. The receiver-instance number is 1, 2, or 3, and the sampling rate is the allowable non-zero skipcount for the specified port or ports. To disable flow-sampling for the specified port-list, repeat the above command with a sampling rate of 0. Syntax: sflow <receiver-instance>...
  • Page 215: Configuring Udld Verify Before Forwarding

    (show sflow destination output) Datagrams Sent: (value not captured); Destination Address: (blank); Receiver Port: 6343; Owner: Administrator, CLI-owned, Instance 2; Timeout (seconds): 99995530; Max Datagram Size: 1400; Datagram Version Support: (value not captured). Note the following details: • Destination Address remains blank unless it has been configured. • Datagrams Sent shows the number of datagrams sent by the switch agent to the management station since the switch agent was last enabled.
  • Page 216: Udld Time Delay

    The default mode of a switch is “forward first then verify”. Enabling UDLD link-up will default to “forward first then verify”. To change the mode to “verify then forward”, you need to configure it using the commands found in section 6.72. NOTE: Link-UP data traffic will resume after probing the link partner completes.
  • Page 217: Show Commands

    Keeps the port in a logically blocked state until the link configured for UDLD has been successfully established in bi-directional communication. Syntax: Switch(config)# link-keepalive mode forward-then-verify Forwards the data then verifies the status of the link. If a unidirectional state is detected, the port is then moved to a blocked state.
  • Page 218: Lldp

    Severity: - Info. LLDP To standardize device discovery on all switches, LLDP is implemented while offering limited read-only support for CDP, as documented in this manual. For the latest information on your switch model, consult the Release Notes (available on the HPE Networking website). If LLDP has not yet been implemented (or if you are running an older version of software), consult a previous version of the Management and Configuration Guide for device discovery details.
  • Page 219: Packet Boundaries In A Network Topology

    Packet boundaries in a network topology • Where multiple LLDP devices are directly connected, an outbound LLDP packet travels only to the next LLDP device. An LLDP-capable device does not forward LLDP packets to any other devices, regardless of whether they are LLDP-enabled.
  • Page 220: Snmp Notification

    • Receive only (rxonly): This setting enables a port to receive and read LLDP packets from LLDP neighbors and to store the packet data in the switch's MIB. However, the port does not transmit outbound LLDP packets. This prevents LLDP neighbors from learning about the switch through that port. •...
  • Page 221: Remote Management Address

    (Table columns: Data type | Configuration options | Default | Description.) Type: Always | Enabled | Shows the network address type. Address: Default or Configured | Uses a default address selection method unless an optional address is configured. See Remote management address on page 221. System Name: Enable/Disable | Enabled | Uses the switch's assigned name.
  • Page 222: Lldp And Lldp-Med Standards Compatibility

    • Using the switch's show lldp info command options to display data collected on adjacent LLDP devices— as well as the local data the switch is transmitting to adjacent LLDP devices (Displaying the global LLDP, port admin, and SNMP notification status (CLI) on page 223). •...
  • Page 223: Spanning-Tree Blocking

    Spanning-tree blocking Spanning tree does not prevent LLDP packet transmission or receipt on STP-blocked links. 802.1X blocking Ports blocked by 802.1X operation do not allow transmission or receipt of LLDP packets. Configuring LLDP operation Displaying the global LLDP, port admin, and SNMP notification status (CLI) In the default configuration, LLDP is enabled and in both transmit and receive mode on all active ports.
  • Page 224: Configuring Global Lldp Packet Controls

    Viewing port configuration details (CLI) Syntax: show lldp config <port-list> Displays the LLDP port-specific configuration for all ports in <port-list>, including which optional TLVs and which non-default IP address are included in the port's outbound advertisements. For information on the notification setting, see Configuring SNMP notification support on page 227. For information on the other configurable settings displayed by this command, see Configuring per-port transmit and receive modes (CLI) on page 228.
  • Page 225 Enables or disables LLDP operation on the switch. The no form of the command, regardless of individual LLDP port configurations, prevents the switch from transmitting outbound LLDP advertisements and causes the switch to drop all LLDP advertisements received from other devices. The switch preserves the current LLDP configuration when LLDP is disabled.
  • Page 226 switch(config)# lldp holdtime-multiplier 2 Delay interval between advertisements generated by value or status changes to the LLDP MIB The switch uses a delay-interval setting to delay transmitting successive advertisements resulting from these LLDP MIB changes. If a switch is subject to frequent changes to its LLDP MIB, lengthening this interval can reduce the frequency of successive advertisements.
  • Page 227: Configuring Snmp Notification Support

    Changing the reinitialization delay interval (CLI) Syntax: setmib lldpReinitDelay.0 -i <1-10> Uses setmib to change the minimum time (reinitialization delay interval) an LLDP port will wait before reinitializing after receiving an LLDP disable command followed closely by a txonly or tx_rx command. The delay interval commences with execution of the lldp admin-status port-list disable command.
  • Page 228: Configuring Per-Port Transmit And Receive Modes (Cli)

    switch(config)# setmib lldpnotificationinterval.0 -i 60 lldpNotificationInterval.0=60 Configuring per-port transmit and receive modes (CLI) Syntax: lldp admin-status <port-list> {<txonly | rxonly | tx_rx | disable>} With LLDP enabled on the switch in the default configuration, each port is configured to transmit and receive LLDP packets.
  • Page 229 If there are no IP addresses configured as management addresses, the IP address selection method returns to the default operation. Default: The port advertises the IP address of the lowest-numbered VLAN (VID) to which it belongs. If there is no IP address configured on the VLANs to which the port belongs, and if the port is not configured to advertise an IP address from any other (static) VLAN on the switch, the port advertises an address of NOTE: This command does not accept either IP addresses acquired through DHCP or Bootp, or IP...
  • Page 230: Support For Port Speed And Duplex Advertisements

    ◦ System capabilities Supported (TLV subelement) ◦ System capabilities Enabled (TLV subelement) • Port speed and duplex (TLV subelement) Optional data types, when enabled, are populated with data internal to the switch; that is, you cannot use LLDP commands to configure their actual content. Support for port speed and duplex advertisements This feature is optional for LLDP operation, but is required for LLDP-MED operation.
  • Page 231: Configuring The Vlan Id Tlv

    Configuring the VLAN ID TLV This TLV advertisement is enabled by default. To enable or disable the TLV, use this command. For more information, see Port VLAN ID TLV support on LLDP on page 230. Syntax: [no] lldp config <port-list>...
  • Page 232: Snmp Support

    The VLAN ID TLV is being advertised. Local device LLDP information switch(config)# show lldp config info local-device a1 LLDP Port Configuration Information Detail Port : A1 PortType : local PortId PortDesc : A1 Port VLAN ID : 1 The information that LLDP used in its advertisement. Remote device LLDP information switch(config)# show lldp info remote-device a1 LLDP Remote Device Information Detail...
  • Page 233: Lldp-Med (Media-Endpoint-Discovery)

    LLDP-MED (media-endpoint-discovery) LLDP-MED (ANSI/TIA-1057/D6) extends the LLDP (IEEE 802.1AB) industry standard to support advanced features on the network edge for Voice Over IP (VoIP) endpoint devices with specialized capabilities and LLDP-MED standards-based functionality. LLDP-MED in the switches uses the standard LLDP commands described earlier in this section, with some extensions, and also introduces new commands unique to LLDP-MED operation.
  • Page 234: Lldp-Med Endpoint Device Classes

    • Autonegotiate speed and duplex configuration with the switch • Use the following network policy elements configured on the client port ◦ Voice VLAN ID ◦ 802.1p (Layer 2) QoS ◦ Diffserv codepoint (DSCP) (Layer 3) QoS • Discover and advertise device location data learned from the switch •...
  • Page 235: Lldp-Med Fast Start Control

    NOTE: LLDP-MED operation also requires the port speed and duplex TLV (dot3TlvEnable), which is enabled in the default configuration. Topology change notifications provide one method for monitoring system activity. However, because SNMP normally employs UDP, which does not guarantee datagram delivery, topology change notification should not be relied upon as the sole method for monitoring critical endpoint device connectivity.
  • Page 236 NOTE: LLDP-MED operation requires the macphy_config TLV subelement (enabled by default) that is optional for IEEE 802.1AB LLDP operation. For more information, see the dot3TlvEnable macphy_config command (Configuring support for port speed and duplex advertisements (CLI) on page 230). Network policy advertisements Network policy advertisements are intended for real-time voice and video applications, and include these TLV subelements: •...
  • Page 237 Syntax: [no] lldp config <port-list> medTlvEnable <medTlv> Enables or disables advertisement of the following TLVs on the specified ports: • Device capability TLV • Configured network policy TLV • Configured location data TLV (see Configuring location data for LLDP-MED devices on page 238.) •...
  • Page 238: Location Data For Lldp-Med Devices

    PoE advertisements These advertisements inform an LLDP-MED endpoint of the power (PoE) configuration on switch ports. Similar advertisements from an LLDP-MED endpoint inform the switch of the endpoint's power needs and provide information that can be used to identify power priority mismatches. PoE TLVs include the following power data: •...
  • Page 239 NOTE: The switch allows one medPortLocation entry per port (without regard to type). Configuring a new medPortLocation entry of any type on a port replaces any previously configured entry on that port. civic-addr <COUNTRY-STR> <WHAT> <CA-TYPE> <CA-VALUE> … [< CA-TYPE > < CA-VALUE >] … [< CA-TYPE > < CA-VALUE >] Enables configuration of a physical address on a switch port and allows up to 75 characters of address information.
  • Page 240 Type/Value Pairs (CA-TYPE and CA-VALUE): A series of data pairs, each composed of a location data "type" specifier and the corresponding location data for that type. That is, the first value in a pair is expected to be the civic address "type" number (CA-TYPE), and the second value in a pair is expected to be the corresponding civic address data (CA-VALUE).
  • Page 241 Configuring coordinate-based locations Latitude, longitude, and altitude data can be configured per switch port using an SNMP management application. For more information, see the documentation provided with the application. A further source of information on this topic is RFC 3825, Dynamic Host Configuration Protocol Option for Coordinate-based Location Configuration Information.
  • Page 242: Viewing Switch Information Available For Outbound Advertisements

    A civic address configuration switch(config)# lldp config 2 medportlocation civic-addr US 2 1 CA 3 Widgitville 6 Main 19 1433 26 Suite_4-N 27 4 28 N4-3 switch(config)# show lldp config 2 LLDP Port Configuration Detail Port : A2 AdminStatus [Tx_Rx] : Tx_Rx NotificationEnabled [False] : False Med Topology Trap Enabled [False] : False Country Name...
  • Page 243: Displaying The Current Port Speed And Duplex Configuration On A Switch Port

    Displaying the global and per-port information available for outbound advertisements switch(config)# show lldp info local-device LLDP Local Device Information Chassis Type : mac-address Chassis Id : 00 23 47 4b 68 DD System Name : Switch1 System Description : J9091A Switch 3500yl, revision XX.15.06... System Capabilities Supported:bridge System Capabilities Enabled:bridge Management Address...
  • Page 244: Viewing Advertisements Currently In The Neighbors Mib

    Viewing the current port speed and duplex configuration on a switch port Syntax: show interfaces brief <port-list> Includes port speed and duplex configuration in the Mode column of the resulting display. Viewing advertisements currently in the neighbors MIB Syntax: show lldp info remote-device [port-list] Without the [port-list] option, provides a global list of the individual devices it has detected by reading LLDP advertisements.
  • Page 245: Displaying Lldp Statistics

    System Capabilities Supported : bridge, telephone System Capabilities Enabled : bridge, telephone Remote Management Address MED Information Detail EndpointClass :Class3 Media Policy Vlan id Media Policy Priority Media Policy Dscp Media Policy Tagged :False Poe Device Type Power Requested Power Source :Unknown Power Priority :High...
  • Page 246 Neighbor Entries Dropped Count: The number of valid LLDP neighbors the switch detected, but could not add. This can occur, for example, when a new neighbor is detected when the switch is already supporting the maximum number of neighbors. See Neighbor maximum on page 247. Neighbor Entries AgeOut Count: The number of LLDP neighbors dropped on all ports because of Time-to-...
  • Page 247: Lldp Operating Notes

    | 97317 97843 | 21 | 446 A per-port LLDP statistics display switch(config)# show lldp stats 1 LLDP Port Statistics Detail PortName : 1 Frames Discarded Frames Invalid Frames Received : 7309 Frames Sent : 7231 TLVs Unrecognized : 0 TLVs Discarded Neighbor Ageouts LLDP Operating Notes...
  • Page 248: Mandatory Tlvs

    refresh-interval is large. See Changing the time-to-live for transmitted advertisements (CLI) on page 225. Mandatory TLVs All mandatory TLVs required for LLDP operation are also mandatory for LLDP-MED operation. LLDP and CDP data management This section describes points to note regarding LLDP and CDP (Cisco Discovery Protocol) data received by the switch from other devices.
  • Page 249: Cdp Operation And Commands

    LLDP data transmission/collection and CDP data collection are both enabled in the switch's default configuration. In this state, an SNMP network management application designed to discover devices running either CDP or LLDP can retrieve neighbor information from the switch regardless of whether LLDP or CDP is used to collect the device-specific information.
  • Page 250: Viewing The Current Cdp Neighbors Table Of The Switch

    Enable CDP [Yes] : Yes (Receive Only) Port CDP ---- -------- enabled enabled enabled Viewing the current CDP neighbors table of the switch Devices are listed by the port on which they were detected. Syntax: show cdp neighbors Lists the neighboring CDP devices the switch detects, with a subset of the information collected from the device's CDP packet.
  • Page 251: Enabling Or Disabling Cdp Operation On Individual Ports

    Enables or disables CDP read-only operation on the switch. (Default: Enabled) Example: To disable CDP read-only on the switch: switch(config)# no cdp run When CDP is disabled: • show cdp neighbors displays an empty CDP Neighbors table • show cdp displays Global CDP information Enable CDP [Yes]: No Enabling or disabling CDP operation on individual ports In the factory-default configuration, the switch has all ports enabled to receive CDP packets.
  • Page 252 • VOIP VLAN Reply (type 0xe): voice VLAN ID (same as advertised by LLDPMED) • Trust Bitmap (type 0x12): 0x00 • Untrusted port COS (type 0x13): 0x00 CDP should be enabled and running on the interfaces to which the phones are connected. Use the cdp enable and cdp run commands.
  • Page 253: Filtering Cdp Information

    enabled tx_rx enabled tx_rx When CDP mode is not pre-standard voice, the admin-status column is not displayed. The show cdp output when cdp run and cdp mode rxonly are enabled switch(config)# show cdp Global CDP Information Enable CDP [Yes] : Yes CDP mode [rxonly] : rxonly Port CDP ---- --------...
  • Page 254: Displaying The Configuration

    Configuring the switch to ignore packet MAC address learns for an untagged VLAN switch(config) ignore-untagged-mac 1-2 Displaying the configuration Enter the show running-config command to display information about the configuration. Configuration showing interfaces to ignore packet MAC address learns switch(config) show running-config Running configuration: ;...
  • Page 255: Overview

    Syntax: logging filter [filter-name] enable Overview A command has been written to suppress the IPv4 / IPv6 management address transmission in outgoing LLDP packets. A local LAN device transmits organization-specific information in the form of type, length, and value (TLV). The organization-associated values are stored in the LLDP organizationally defined local device LLDP MIB extensions.
  • Page 256: Lldp Config

    [no] lldp config all basicTlvEnable management_addr lldp config Syntax lldp config <port-number> Description Configure the lldp for the desired port by number. Parameter basicTlvEnable Enables the basic advertised TLV for each port by number. Options <management_addr> Use the option <management_addr> to specify specific devices to enable TLV advertisement. Usage lldp config <port_num>...
  • Page 257: Chapter 8 Dhcpv4 Server

    Chapter 8 DHCPv4 server Overview The Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automate assignment of IP addresses to hosts. A DHCP server can be configured to provide other network information like IP addresses of TFTP servers, DNS server, boot file name and vendor specific options. Commonly there are two types of address assignments, dynamic and manual.
  • Page 258: Authoritative Pools

    Authoritative pools To process the DHCPINFORM packets received from a client within the given IP pool, a DHCP server has to be configured as authoritative for that IP pool. The server is the sole authority for this IP pool so when a client requests an IP address lease where the server is authoritative, and the server has no record of that IP address, the server will respond with DHCPNAK message which indicates that the client should no longer use that IP address.
  • Page 259: Dhcpv4 Configuration Commands

    Table 25: Authoritative and non-authoritative pools. Column headings: When a DHCP client sending... | Authoritative Pool: For Own IP; For IP belonging to different client; Unknown IP falling outside the range | Non-authoritative pool: For Own IP; For IP belonging to different client; Unknown IP falling outside the range...
  • Page 260 pool DHCPv4 server IP address pool. ASCII-STR Enter an ASCII string. authoritative Configure the DHCP server authoritative for a pool. bootfile-name Specify the boot file name which is used as a boot image. default-router List of IP addresses of the default routers. dns-server List of IP addresses of the DNS servers.
  • Page 261: Authoritative

    Trying to delete non existing pool | The specified address pool does not exist. Only alphanumeric characters, numerals and hyphen are allowed. Violating this would throw the following error message. | Invalid name. Only alphanumeric characters and underscore is allowed in the pool name. Trying to delete existing pool or adding new pool when DHCP server enabled. | DHCP server should be disabled before changing...
  • Page 262: Dns-Server

    dns-server Syntax [no] dns-server <IP-ADDR> [IP-ADDR2 IP-ADDR8] Description Configure the DHCP pool context to the DNS IP servers that are available to a DHCP client. List of IP addresses of the DNS servers. Two IP addresses must be separated by comma. Maximum of eight DNS servers can be configured.
  • Page 263: Netbios Node Type

    Maximum of 8 NetBIOS (WINS) name servers can be configured. NetBIOS node type netbios-node-type Syntax [no] netbios-node-type [ broadcast | hybrid | mixed | peer-to-peer ] Description Configure the DHCP pool mode to the NetBIOS node type for a Microsoft DHCP. The NetBIOS node type for Microsoft DHCP clients can be one of four settings: broadcast, peer-to-peer, mixed, or hybrid.
  • Page 264 Specify hexadecimal string as option code value. Specify one or more IP addresses as option code value. ip-addr-str Specify IP address. ascii-str Enter an ASCII string. hex-str Specify Hexadecimal string. Configure the raw DHCP server options. NOTE: Following DHCP options are not supported: 1,3,6,12,15,44,46,50,52,54,55,57,58,59,61,66,67,82.
  • Page 265: Ip Address Range

    IP address range range Syntax [no] range <IP-ADDR>[<IP-ADDR>] Description Configure the DHCP pool to the range of IP address for the DHCP address pool. Parameters and options range Range of IP addresses for the DHCPv4 server address pool. ip-addr Low IP address. High IP address.
  • Page 266: Tftp-Server

    tftp-server Syntax [no] tftp-server [server-name <server-name> | server-ip < ip-address >] Description Configure the TFTP server domain name for the DHCP address pool. Parameters and options tftp-server Configure a TFTP server for the DHCPv4 server address pool. server-name TFTP server name for the DHCPv4 server address pool. Configure the TFTP server address tftp-server Syntax...
  • Page 267: Save Dhcp Server Automatic Bindings

    timeout <1-10> Ping timeout in the range of 1–10 seconds. Indicates the amount of time the DHCPv4 server must wait before timing out a ping packet. Defaults to one second. Save DHCP server automatic bindings dhcp-server database Syntax [no] dhcp-server database [file ASCII-STR] [delay<15-86400>][timeout <0-86400>] Description Specifies DHCPv4 database agent and the interval between database updates and database transfers.
  • Page 268: Dhcp-Server Conflict-Logging

    dhcp-server conflict-logging Syntax [no] dhcp-server conflict-logging Description Enable conflict logging on a DHCP server. Default is disabled. Parameters and options conflict-logging Enable DHCPv4 server address conflict logging. Enable the DHCP server on a VLAN dhcp-server Syntax dhcp-server Description Enable DHCPv4 server on a VLAN. DHCPv4 client or DHCPv4 relay cannot co-exist with DHCPv4 server on a VLAN.
  • Page 269: Delete An Automatic Address Binding

    Description Reset all DHCP server and BOOTP counters Parameters and options statistics Reset DHCPv4 server and BOOTP counters. Delete an automatic address binding clear dhcp-server statistics Syntax clear dhcp-server statistics Description Delete an automatic address binding from the DHCP server database. Parameters and options binding Reset DHCPv4 server automatic address bindings.
  • Page 270: Event Log

    Event log Event Log Messages Cause Table 26: Event Log Messages (Events | Debug messages): DHCP server is enabled globally. | DHCP server is enabled globally. DHCP server is enabled globally. Warning - One or more incomplete pool configurations are found during the server startup. | DHCP server is enabled globally. Warnings - One or more incomplete pool configurations...
  • Page 271 Events | Debug messages: All IP addresses are removed from the conflict-logging database | All IP addresses are removed from the conflict-logging database. Dynamic binding for IP address %s is freed | Dynamic binding for a specific IP address is freed. All the dynamic IP bindings are freed | All the dynamic IP bindings are freed.
  • Page 272 Events | Debug messages: No IP addresses to offer from pool %s | No IP addresses available on the specified pool. High threshold reached for pool %s. Active bindings: %d, Free bindings: %d | High threshold reached for the specified pool. Count of Active bindings and Free bindings are printed as arguments.
  • Page 273: Chapter 9 Dhcpv6 Server

    Chapter 9 DHCPv6 server DHCPv6 hardware address The incremental deployment of IPv6 to existing IPv4 networks results in dual-stacking network environments. Some devices will act as both DHCPv4 and DHCPv6 clients. For these dual-stack situations, there is a need to associate DHCPv4 and DHCPv6 messages with the same client interface.
  • Page 274: Dhcpv6 Snooping Trust

    Validation rules for DHCPv6 global snooping Validation | Error/Warning/Prompt: Verify whether entered ipv6 address is valid | Invalid Ipv6 address: <ipv6-address>. If an invalid server address is configured | Invalid IP address. Only IPv6 unicast or link-local addresses are supported. If the limit on configuring the authorized servers had reached. | Cannot configure the authorized server as...
  • Page 275: Dhcpv6-Snooping Authorized-Server

    Validation | Error/Warning/Prompt: Verify whether the port exist in the device. | Module not present for port or invalid port: <PORT-LIST>. If the port is a part of a SVLAN and the bridge mode is mixed mode. | Port %s cannot be configured as trusted port as it is...
  • Page 276: Dhcpv6-Snooping Max-Bindings

    that the attempt to transfer the DHCPv6 lease file retries indefinitely. The default timeout value is 300 seconds. database Configure the parameters to copy the DHCPv6 Snooping lease file to a TFTP server. delay Configure the number of seconds to wait before copying the DSNOOPv6 lease file to a TFTP server. file Copy the DHCPv6 Snooping lease file to a TFTP server.
  • Page 277: Dhcpv6-Relay Option 79

    Validation rules Validation | Error/Warning/Prompt: Verify max-bindings value entered is in the range | Invalid input: <value>. If DHCPv6-Snooping is already configured before entering the command and current bindings are greater than the value being set. | Existing bindings %d are more than the max-bindings being configured, and the maximum...
  • Page 278: Clear Dhcpv6-Snooping Stats

    Description Configure the traps for DHCPv6 snooping. Parameters and options out-of-resources This trap is sent when the number of bindings exceed the maximum limit of 8192 bindings. errant-reply This trap is sent when a DHCPv6 reply packet is received on an untrusted port or from an un-authorized server.
  • Page 279 Parameters and options [ethernet] PORT-LIST Specify the ports being configured for Ipv6 source-lockdown. source-lockdown Enable IPv6 source lockdown for a specific port. Validation rules Validation | Error/Warning/Prompt: Verify whether dhcpv6-snooping is enabled globally | DHCPv6 snooping is disabled. Verify whether port configured is in the VLAN | Ports <PORT-LIST>...
  • Page 280: Ipv6 Source-Binding

    ipv6 source-binding Syntax [no] ipv6 source-binding VLAN-ID IPV6-ADDR MAC-ADDR PORT-NUM IPV6-ADDR Description Add a DHCPv6 static binding entry into the binding table. Static binding entries will have infinite lifetime. Parameters and options VLAN-ID The VLAN ID of the static binding entry. Ipv6-ADDRESS The Ipv6 address of the static binding entry.
  • Page 281: Snmp-Server Enable Traps Dyn-Ipv6-Lockdown

    Validation | Error/Warning/Prompt: If DSNOOPV6 is globally disabled when configuring a static binding. | Cannot configure static binding when DHCPv6 Snooping is disabled. While configuring a static binding if the Ipv6 address is already present in the Binding table but... | %s has already been assigned to a VID/MAC. Delete the existing binding first.
  • Page 282: Debug Security Dynamic-Ipv6-Lockdown

    out-of-resources Dynamic IPv6 Lockdown out of resources. violations Dynamic IPv6 lockdown violations. debug security dynamic-ipv6-lockdown Syntax debug security dynamic-ipv6-lockdown Description Enable debug for DIPLDv6 Show commands for DHCPv6-snooping show dhcpv6-snooping Syntax show dhcpv6-snooping Description Show dhcpv6 snooping configuration. Validation rules Validation Error/Warning/Prompt If dhcpv6-snooping not enabled...
  • Page 283: Show Ipv6 Source-Lockdown

    show ipv6 source-lockdown Syntax show ipv6 source-lockdown [bindings | status] Description Shows IPv6 source bindings that are configured using the command IPv6 source-bindings. Parameters and options bindings Show source bindings for Dynamic IPv6 Lockdown ports. status Show source bindings for Dynamic IPv6 Lockdown status. Show source bindings Dynamic IPv6 Lockdown status Dynamic IPv6 Lockdown Bindings Port...
  • Page 284: Show Snmp-Server Traps

    show snmp-server traps Syntax show snmp-server traps <COMMUNITY-STR> Description Shows traps controlled. Shows all information on SNMP communities, trap receivers and SNMP response or trap source-ip policy configured on the switch. Parameters and options traps Show all configured traps. <COMMUNITY-STR> Displays information for the specified community only.
  • Page 285: Show Distributed-Trunking Consistency-Parameters

    dhcp-snooping Display DHCP snooping peer consistency details. IGMP Display IGMP peer consistency details. loop-protect Display Loop protect peer consistency details. Display MLD peer consistency details. pim-dm Display PIM-DM peer consistency details. pim-sm Display PIM-SM peer consistency details. show distributed-trunking consistency-parameters global feature pim-sm PIM-SM Enabled VLANs on Local : 20,30 PIM-SM Enabled VLANs on Peer : 20,30...
  • Page 286: Show Dhcpv6 Relay

    IGMP enabled VLANs on Local : IGMP enabled VLANs on Peer : PIM-DM Enabled VLANs on Local : <List of Vlans> PIM-DM Enabled VLANs on Peer : <List of Vlans> PIM-SM enabled VLANs on Local : <List of Vlans> PIM-SM enabled VLANs on Peer : <List of Vlans> DHCP-snooping Enabled on Local : DHCP-Snooping Enabled on Peer : Yes...
  • Page 287: Dhcpv6 Event Log

    DHCPv6 event log Cause Event Message RMON_DSNOOPV6_UNTRUSTED_PORT_SERVER_RELAY %s: %s message received on the untrusted port %s from RMON_DSNOOPV6_UNTRUSTED_PORT_SERVER_SUSP %s: Ceasing the log messages for the server packets received on an untrusted port for %s. RMON_DSNOOPV6_UNTRUSTED_PORT_CLIENT_DEST %s: Client packet destined to the untrusted port %s is dropped.
  • Page 288 Event Message RMON_DSNOOPV6_MAX_BINDING_CROSSED %s: Droppped IPv6 request from %02X%02X%02X-%02X %02X%02X. The max-binding limit has reached on the port %s. %s RMON_DSNOOPV6_MAX_BINDING_CROSSED_SUSP %s: Ceasing max-binding limit crossed packet information logs for %s. RMON_DSNOOPV6_EVENT_MAXBINDING_REMOVED %s: The DHCPv6-Snooping max-binding configured on port %s is removed. RMON_DSNOOPV6_EVENT_MAXBINDING_REMOVED_SUSP %s: Ceasing the log messages for the removal of...
  • Page 289 Event Message RMON_DSNOOPV6_TABLE_FULL_REM_LEASE %s: The dynamic binding for %s on port %s was replaced with a manual binding. RMON_DSNOOPV6_TABLE_FULL_REM_LEASE_SUSP %s: Ceasing removed lease logs for %s. RMON_DSNOOPV6_BAD_IP_REQ %s: Illegal IPv6 request from %02X%02X%02X-%02X%02X %02X on port %s; %s. RMON_DSNOOPV6_BAD_IP_REQ_SUSP %s: s: Ceasing the log messages for illegal IPv6 requests for %s RMON_DSNOOPV6_BAD_IP_OFFER...
  • Page 290 Event Message RMON_DSNOOPV6_PORT_TRUSTED_TO_VALIDATING The port %s is configured as an untrusted port. RMON_DSNOOPV6_PORT_ADD_TO_TRUNK_ERROR Unable to add port %s to trunk, insufficient HW resources. RMON_DIPLDV6_PORT_ADD_HW_RESOURCE_ERROR Unable to apply dynamic Ipv6 lockdown to port %s, insufficient HW resources. RMON_DIPLDV6_ADD_BINDING_OUT_OF_RESOURCES Unable to add binding for %x, %02x%02x%02x-%02x%02x %02x on port %s.
  • Page 291: Dhcpv6 Event Messages

    DHCPv6 event messages Cause Events | Debug messages: When the BST becomes full, to indicate that lease bindings are being dropped. | Unable to add binding for %x, %02x%02x%02x-%02x%02x%02x on port %s. BST is full. When DHCPv6 packet validation fails (packets are received on which they are not expected to). | Dropping packet as validation failed, reason %s
  • Page 292 Events | Debug messages: When DIPLDv6 violations are detected on a VLAN | Access was denied on VLAN %d, %d packets received since last log. When max-binding limit is reached on a Port | Max-binding limit reached on Port %s.
  • Page 293: Chapter 10 Zero Touch Provisioning With Airwave And Central

    Chapter 10 Zero Touch Provisioning with AirWave and Central Aruba offers on-premise and cloud-based management solutions for switches, access points, and controllers. AirWave is an award-winning on-premise Network Management Solution (NMS) that manages both Aruba and third-party network devices. AirWave is ideal for Campus networks and for organizations which prefer to have complete control over the hardware and software and have their NMS within premises (for example: either in the head office or data center or one of the large campuses).
  • Page 294: Configuring Dhcp-Based Ztp With Airwave

    Configuring DHCP-based ZTP with AirWave ZTP auto-configures your switches as follows: Procedure 1. The switch boots up with the factory default configuration. 2. The switch sends out a DHCP discovery from data port/OOBM. IPv4: • The preferred configuration method uses DHCP option 43 value as a string to parse AirWave configuration. Switch expects a DHCP option 60 with value ArubaInstantAP along with DHCP option 43 to parse AirWave details.
  • Page 295: Dhcp Server Configuration For Dhcp Based Ztp

    [Illustration: DHCP-based ZTP topology. Switches being provisioned in Branch 1 and Branch 2, each with a DHCP server and WAN router, connected over the Internet to the corporate network's router/firewall and the AirWave server.] In the preceding illustration, the workflow is as follows: 1. The switches being provisioned in the branches are booted obtaining the IP address from the DHCP server. 2.
  • Page 296 Select Roles -> DHCP -> Server -> w2k8 -> IPv4. Right-click IPv4 and select Set Predefined Options...
  • Page 297 The Predefined Options and Values screen is displayed. Click Add... Enter the Name (any), Data type (select String), Code (enter 60), and Description (any).
  • Page 298 Click OK. From the Predefined Options and Values screen, under Value, enter the String ArubaInstantAP. The string is case-sensitive and must be ArubaInstantAP. Click OK. Under IPv4, expand Scope. Right-click Scope Options and select Configure Options...
  • Page 299 10. Under the General tab, select 043 Vendor Specific Info. The Data entry data appears. Under ASCII, enter hpeSwitch:hp2920,, admin. The ASCII value has the following format: <Group>:<Topfolder>,<AMP IP>,<shared secret> 11. To add subdirectories, use the following format: <Group>:<Topfolder>:<folder1>,<AMP IP>,<shared secret> 12.
  • Page 300 NOTE: No changes are required to the 060 option. 13. You can verify the AirWave details as follows: switch# show amp-server switch# show run Configure AirWave details in Linux DHCP server for IPv4 To configure the AirWave details in Linux DHCP server for IPv4, enter the following information: option CAPWAP code 138 = array of ip-address;...
  • Page 301 Configure AirWave details in Linux DHCP server for IPv6 To configure the AirWave details in Linux DHCP server for IPv6, enter the following information: default-lease-time 900; preferred-lifetime 600; option dhcp-renewal-time 300; option dhcp-rebinding-time 600; allow leasequery; option 800; dhcpv6-lease-file-name "/root/dhcpd6.leases"; host myclient { # The entry is looked up by this host-identifier option...
  • Page 302 Configure AirWave details in Windows DHCP server for IPv4 NOTE: AirWave provisioning using IPv6 on Windows based DHCP server is not supported. To configure the AirWave details in Windows DHCP server for IPv4, do the following steps: NOTE: • Use these steps to configure ZTP for every switch by selecting a different Vendor Class for each type of switch.
  • Page 303 Right-click IPv4 and select Define Vendor Classes... The DHCP Vendor Classes window is displayed. Click Add...
  • Page 304 To get the vendor-specific value of a switch, go to the switch console and enter: switch# show dhcp client vendor-specific The following is the sample command output: Processing of Vendor Specific Configuration is enabled. Vendor Class Id = J9729A 2920-24G-PoE+ Switch From the New Class window, enter the desired Display name (any) and the Description (any).
  • Page 305 Click OK. Right-click IPv4 and select Set Predefined Options... 10. From the Predefined Options and Values window, select Option class. The Option Class displayed is the one that you configured under DHCP Vendor Class. In this example, the Option Class is switch.
  • Page 306 11. Click Add... 12. From the Option Type window, enter the desired Class (any), the Data type (select string), the Code (enter 146), and the Description (any). 13. Click OK. 14. Under the Predefined Options and Values window, enter the Value String. In this example, enter hpeSwitch:hp2920,, admin.
  • Page 307 16. Click OK. 17. Under IPv4, expand Scope. Right-click Scope Options and select Configure Options... 18. From the Scope Options window: a. Select the Advanced tab. b. Under Vendor class, select the desired switch. In this example, switch. c. Select the 146 switch option. d.
  • Page 308 19. You can verify the AirWave details as follows: switch# show amp-server switch# show run Configure AirWave details in Linux DHCP server for IPv4 To configure the AirWave details in Linux DHCP server for IPv4, enter the following information: option space ArubaInstantAP; option ArubaInstantAP.cfg code 144 = text;...
  • Page 309: Limitations

    CAPWAP,; class "vendor-class" { match substring (option vendor-class-identifier,0,2); #match option vendor-class-identifier; subclass "vendor-class" "HP" { vendor-option-space ArubaInstantAP; #option ArubaInstantAP.cfg "runningConfig_5400R.txt"; #option ArubaInstantAP.img "KB_16_01_0004.swi"; option "aw_group:fold,,secret1234"; subclass "vendor-class" "Ar" { vendor-option-space ArubaInstantAP; #option ArubaInstantAP.cfg "runningConfig_5400R.txt"; #option ArubaInstantAP.img "KB_16_01_0004.swi";...
  • Page 310: Amp-Server

    In any of the above scenarios, you need to manually configure to reach the AirWave server using the amp- server command. This command helps you configure the AirWave IP address, group, folder, and shared secret. You must have the manager role to execute this command. For example: switch(config)# amp-server ip group "group"...
  • Page 311 Example Switch(config)# amp-server Configure AMP server IP address. Switch(config)# amp-server ip IP-ADDR Enter an IP address. IPV6-ADDR Enter an IPv6 address. Switch(config)# amp-server ip group AMP server group name. Switch(config)# amp-server ip group GROUPNAME-STR AMP server group name. Switch(config)# amp-server ip group grp11 folder AMP server folder name.
  • Page 312: Debug Ztp

    module 1 type jl071x flexible-module A type JL081A snmp-server community "public" unrestricted oobm ip address dhcp-bootp exit vlan 1 name "DEFAULT_VLAN" untagged 1-24,A1-A4 ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit amp-server ip 2001:1db8:3cd4:1115:1111:2222:1a2f:1a2b group "grp21" folder "fld21" secret "scrt21"...
  • Page 313: Image Upgrade

    Image Upgrade If you upgrade from any 15.xx version to version 16.xx, the following minimal set of configuration is validated to enable or disable the ZTP process: • If the switch has any other VLAN apart from the default VLAN, ZTP gets disabled. •...
  • Page 314: Ipsec For Airwave Connectivity

    Switch being provisioned Branch 1 Activate AirWave Server Router/ WAN Router Firewall Internet WAN Router Aruba Corporate Controller Branch 2 Switch being provisioned In the preceding illustration, the workflow is as follows: 1. The switches being provisioned in the branches are booted and connect to the Activate on the cloud. 2.
  • Page 315: Ipsec Tunnel Establishment

    • Activate ZTP • DHCP ZTP with option 138 1. To assign controller IP addresses, select DHCP option 138. 2. Define the controller IP addresses for both the primary and secondary controllers. • Manual configuration IPsec Tunnel Establishment • IPsec tunnel for AirWave is auto-configured. The switch decides to create IPsec tunnel only when an Aruba controller IP is present in the device before establishing the connection to AirWave.
  • Page 316: Ipsec Tunnel Failures

    IPsec Tunnel Failures The following behaviors can cause an IPsec tunnel creation failure: • Time The time in the switch has to be valid and correct. Ensure that NTP configuration is set up on switch and on the controller where the tunnel is terminating. •...
  • Page 317 5. The switch tries to establish the IPsec tunnel with the same controller when the following events occur: • Switch IP change • VLAN ID change • Redundancy switch over 6. If aruba-vpn type is amp, after five consecutive AirWave check-in failures, the existing tunnel is destroyed and an IPsec tunnel is established with the other controller.
  • Page 318 Switch reachability to the controllers Figure 33: Controllers through same VLAN Primary Controller Services (Airwave, CPPM, Syslog etc.) Switch Router Services (Airwave, CPPM, Backup Syslog etc.) Controller Figure 34: Controllers through different VLANs Primary Controller Services (Airwave, CPPM, Syslog etc.) Switch Services (Airwave, CPPM,...
  • Page 319: Airwave Ip After Discovery

    NOTE: The failover will take up to three minutes. 4. Events such as a time change or a port flap break the existing IPsec session and trigger a failover. The new IPsec session is established with a backup controller. In this scenario, the switch does not perform a reachability test before selecting a controller to retry.
  • Page 320: Show Commands

    Description Configure the Aruba VPN type, peer IP address. When Aruba VPN type is any, the tunnel is established independent of Airwave configuration. The no form of the command removes the aruba-vpn type statement from the configuration. Parameters type Configure the controller IP. Configure Remote Access VPN session to protect specific switch generated traffic.
  • Page 321: Show Ip Route

    Aruba VPN details Aruba VPN Type : amp Aruba VPN Peer IP : Aruba VPN Backup Peer IP : Aruba VPN Config Status : Configured Aruba VPN tos : Value from IPv4 header Aruba VPN ttl : 64 show aruba-vpn type amp show aruba-vpn type amp Aruba VPN details...
  • Page 322: Show Crypto-Ipsec Sa

    Auto-configured tunnel interface, created before the IPsec SA is set up. The tunnel ID is generated automatically; to avoid a conflict with user-created tunnel interfaces, it is always the maximum number of tunnels supported by the switch plus one. aruba-vpn Display the configuration and status details of the aruba-vpn tunnel. brief Display brief configuration and status for all tunnels.
  • Page 323: Show Running-Configuration

    Show crypto-IPsec statistics. switch# show crypto ipsec sa Crypto IPSec Status Interface Source Address : Destination Address : Source Port Destination Port : 3767553536 Encapsulation Protocol : ESP Encryption : AES Hash : SHA1 PFS Group Mode : tunnel Key Life : 3600 Remaining key Life : 3303...
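Worked example for the `show crypto ipsec sa` output above and the tunnel-failure notes on page 316. This is an added example, not code from the guide or from ArubaOS-Switch: it parses the "Field : value" lines of that output into a dictionary and reports the conditions an operator checks first (no peer address, not ESP, not tunnel mode, key life inconsistent or about to expire). `SAMPLE_SA` is constructed in the layout the guide shows; the interface name, ports, PFS group and the RFC 5737 addresses are placeholders, not values from the page.

```python
"""Parse `show crypto ipsec sa` output and report tunnel health.

Added example, not from the guide or from ArubaOS-Switch. SAMPLE_SA is a
constructed capture in the guide's layout; addresses, ports, interface
name and PFS group are placeholders.
"""
from typing import Dict, List

SAMPLE_SA = """\
Crypto IPSec Status
  Interface              : tunnel (auto)
  Source Address         : 192.0.2.10
  Destination Address    : 198.51.100.1
  Source Port            : 500
  Destination Port       : 500
  Encapsulation Protocol : ESP
  Encryption             : AES
  Hash                   : SHA1
  PFS Group              : 14
  Mode                   : tunnel
  Key Life               : 3600
  Remaining key Life     : 3303
"""


def parse_ipsec_sa(text: str) -> Dict[str, str]:
    """Turn 'Field : value' lines into a dict keyed by lower-cased field name.
    Lines without a colon (the banner) are skipped; empty values stay ''."""
    sa: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        sa[field.strip().lower()] = value.strip()
    return sa


def sa_findings(sa: Dict[str, str], rekey_warn_fraction: float = 0.10) -> List[str]:
    """Return human-readable findings; an empty list means the SA looks healthy."""
    findings: List[str] = []
    if not sa.get("destination address"):
        findings.append("no destination (peer) address: tunnel not established")
    if sa.get("encapsulation protocol", "").upper() != "ESP":
        findings.append("encapsulation is not ESP")
    if sa.get("mode", "").lower() != "tunnel":
        findings.append("SA is not in tunnel mode")
    try:
        life = int(sa["key life"])
        remaining = int(sa["remaining key life"])
    except (KeyError, ValueError):
        findings.append("key life fields missing or non-numeric")
        return findings
    if remaining > life:
        # Remaining life can never exceed the configured life; treat as
        # inconsistent output (the guide lists bad switch time among the
        # causes of tunnel problems, so check NTP first).
        findings.append("remaining key life exceeds configured key life")
    elif remaining < life * rekey_warn_fraction:
        findings.append(f"rekey imminent: {remaining}s of {life}s left")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_SA)
    print(parsed["encryption"], parsed["hash"], sa_findings(parsed) or "healthy")
```

Run it against a saved capture of `show crypto ipsec sa` from a switch that fails to check in with AirWave: an empty destination address means the tunnel never came up, and the guide's failure list (switch time, controller reachability) is the place to look next.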
  • Page 324: Ztp With Aruba Central

    ZTP with Aruba Central Aruba Central does not require any configuration of local DHCP server or other network components but requires a switch with Internet access. Users with access to Aruba Central cloud portal must provision their switches and assign licenses accordingly. Once complete, Aruba Central will automatically program the Activate portal with the required switch details and the group to which the switch must check in.
  • Page 325: Led Blink Feature

    • TR-69 • Menu There is a restriction on executing the following commands over CLI: • boot • recopy • erase • reload • startup-default • upgrade-software • setup • delete • reboot • restore • menu • write memory •...
  • Page 326: Activate Software-Update Enable

    Operating Notes The switch checks with Activate every seven days for the latest image version, downloads the image from the URL provided by Activate, and upgrades the switch with the new image. Restrictions When a switch is managed by either AirWave or Aruba Central, the automatic firmware check is disabled. Activate upgrade from a non-supported build is disabled upon upgrading to version 16.03.
  • Page 327: Activate Software-Update Update

    Activate Server Address : Activate Server Polling : Enabled Installed Software Version : WB.16.04.0000x Server Software Version : Not available - server communication error. Server Software Image URL : Not available - server communication error. switch(config)$ NOTE: This switch is not connected to Activate, hence communication error is shown in “Server Software Version”...
  • Page 328: Show Activate Provision

    Server Software Image URL : Not available - server communication error. switch(config)$ Show activate provision Syntax show activate provision Description Show the configuration and status of the Activate Provision services. Examples switch(config)#show activate provision Configuration and Status - Activate Provision service Activate server address : Activate server polling...
  • Page 329 Activate Connection Status : Success Error Reason : NA Unsuccessful Activate connection when device entry not present in Activate switch(config)# show activate provision Configuration and Status - Activate Provision Service Activate Provision Service : Enabled Activate Server Address : Activation Key : Not Available NTP/HTP Time Sync Status...
  • Page 330: Aruba-Central

    Fields added in 16.07. Status Validation Time sync status • Time sync from NTP • Default - Not updated, time is not updated from NTP and HTTP. • Time sync from HTTP • NA - In this case switch get the •...
  • Page 331: Troubleshooting

    CAUTION: To avoid broadcast storm or loops in your network while configuring ZTP, do not have redundant links after you complete ZTP and Airwave registration. Authorize the new switch and then push the Golden Configuration template from Airwave. Example Enable Aruba Central server support switch(config)# aruba-central enable Disable Aruba Central server support switch(config)# aruba-central disable...
  • Page 332: Error Reason For Aruba Central

    Fields added in 16.07. Status Validation Server DNS Lookup • Success By default status is NA. Other status is based on DNS resolution. • Failure • Proxy Server DNS Lookup • Success If proxy is not configured, status will be NA. Otherwise Status will be set •...
  • Page 333 Preprocessor Directive Mocana Error Error Reason Enum CLOUD_TLS_INVALID_SIG_ERR ERR_SSL_INVALID_ Unable to verify the SIGNATURE signature on a certificate. ERR_SSL_NO_DATA_ No data received CLOUD_TLS_NO_DATA_RECV_ERR TO_RECEIVE from server. Check the server reachability. CLOUD_CERT_ERR ERR_CERT System certificate is invalid. CLOUD_CERT_EXPIRE_ERR ERR_CERT_EXPIRED System certificate expired.
  • Page 334: Debug Ztp

    Preprocessor Directive Mocana Error Error Reason Enum CLOUD_HTTP_ACCEPT_KEY_MISSNG_IN_RESP Internal error: Missing Sec- WebSocket-Accept in HTTP response. Contact Aruba support. CLOUD_HTTP_MISMATCH_ACCEPT_KEY Internal error: Mismatch Sec- WebSocket-Accept in HTTP response. Contact Aruba support. CLOUD_URL_NOT_REACHABLE_VIA_PXY Central server is not reachable through proxy. debug ztp Syntax debug ztp no debug ztp...
  • Page 335: Stacking Support

    Stacking support The ZTP process for stacked switches with Central is similar to the one for a standalone switch, with the exception that only the commander in the stack checks in with Central. For switches supported on Central when stacking is ON, refer to the Aruba Central Switch Configuration Guide. Fault finder switch events Fault finder switch events supported by Aruba Central EVENT_FF_BAD_DRIVER_NIC...
  • Page 336: Http Proxy Support With Ztp Overview

    device (switch / AP / router). switch(config)# interface 2 device-type network-device Switch(config)# show running config ; JL074A Configuration Editor; Created on release #KB.16.04.0000x ; Ver hostname "Aruba-3810M-48G-PoEP-1-slot" module 1 type jl074x module 2 type jl074y flexible-module A type JL078A interface 2 device-type network-device exit...
  • Page 337 • Aruba AirWave • Aruba Activate • Firmware download through MNP • Aruba ClearPass connectivity • Aruba Central connectivity • TR69 support Support for Aruba AirWave AirWave is used to manage the ArubaOS-Switches and its communication to the switch is over HTTPS. When AirWave is deployed with Aruba controller, an IPsec tunnel is created between the switch and the controller.
  • Page 338 2. To get vendor-specific value of a switch, go to switch command prompt and enter show dhcp client vendor-specific command. Vendor class identifier for the switch (VCI) appears as follows: Switch# show dhcp client vendor-specific Vendor Class Id = J9854A 2530-24G-PoE+-2SFP+ Switch Processing of Vendor Specific Configuration is enabled.
  • Page 339 4. Right-click IPv4 and select Set Predefined Options. Select option class as the newly defined vendor class, click ADD and enter the following information for Proxy details: a. Name - Proxy b. Data Type - String c. Code - 148 d.
  • Page 340 Now the new vendor class will have new suboption with code 148. Next is to add these vendor class and suboptions to the scope. To add proxy server details to scope, navigate to Server Manager and select Server Options in the IPv4 window. 5.
  • Page 341 6. Click Apply and OK and the proxy option is added in the Server options. 7. Now restart the DHCP service and download new DHCP attributes in the switch, you can check that the proxy details are correctly downloaded in the switch using the show proxy config command. Chapter 10 Zero Touch Provisioning with AirWave and Central...
  • Page 342: Proxy Server

    proxy server Syntax proxy server <http://<ip-addr/FQDN>:port number> no proxy server Description Configures the URL/IP address to reach the proxy server. Provide the correct proxy port number along with the URL/IP address. Port number must be in the range of 1024 to 65535. HTTPS proxy server is not supported. The no form of this command removes the proxy server.
  • Page 343: Show Proxy Config

    Example switch(config)# proxy exception ip switch(config)# proxy exception host "" show proxy config Syntax show proxy config Description Shows the proxy configuration. Command context config Examples switch(config)# show proxy config Http Proxy Configuration details Server URL : Manually configured exceptions Exception ------- -----------------------------------------
  • Page 344: Chapter 11 File Transfers

    Chapter 11 File Transfers Overview The switches support several methods for transferring files to and from a physically connected device or via the network, including TFTP and Xmodem. This appendix explains how to download new switch software, upload or download switch configuration files and software images, and upload command files for configuring ACLs. Downloading switch software Switch software updates are published periodically on the Switch Networking website.
  • Page 345: Troubleshooting Tftp Download Failures

    • Obtain the IP address of the TFTP server in which the software file has been stored. • If VLANs are configured on the switch, determine the name of the VLAN in which the TFTP server is operating. • Determine the name of the software file stored in the TFTP server for the switch (For example, E0820.swi). NOTE: If your TFTP server is a UNIX workstation, ensure that the case (upper or lower) that you specify for the filename is the same case as the characters in the software filenames on the server.
  • Page 346: Downloading From A Server To Flash Using Tftp (Cli)

    • Examine the messages in the switch's Event Log by executing the show log tftp command from the CLI. • For descriptions of individual Event Log messages, see the latest version of the event log message reference guide for your switch, available on the Switch website. (See "Getting Documentation From the Web".) NOTE: If an error occurs in which normal switch operation cannot be restored, the switch automatically reboots itself, and an appropriate message is displayed after the reboot.
  • Page 347: Enabling Tftp (Cli)

    For more information on these commands, see "Rebooting the Switch" in the basic operation guide for your switch. 3. To confirm that the software downloaded correctly, execute show system and check the Firmware revision line. For information on primary and secondary flash memory and the boot commands, see "Using Primary and Secondary Flash Image Options"...
  • Page 348: Use Usb To Transfer Files To And From The Switch

    • Enter the boot system flash primary command in the CLI. • With the default flash boot image set to primary flash (the default), enter the boot or the reload command, or cycle the power to the switch. (To reset the boot image to primary flash, use boot set-default flash primary.) Syntax: auto-tftp <ip-addr>...
  • Page 349: Enabling Scp And Sftp

    Once you have configured your switch to enable secure file transfers with SCP and SFTP, files can be copied to or from the switch in a secure (encrypted) environment and TFTP is no longer necessary. To use these commands, you must install on the administrator workstation a third-party application software client that supports the SFTP and/or SCP functions.
  • Page 350: Disabling Tftp And Auto-Tftp For Enhanced Security

    Procedure 1. Open an SSH session as you normally would to establish a secure encrypted tunnel between your computer and the switch. For more detailed directions on how to open an SSH session, see "Configuring secure shell (SSH)" in the access security guide for your switch.
  • Page 351: Enabling Ssh V2 (Required For Sftp)

    SFTP must be disabled before enabling tftp. SFTP must be disabled before enabling auto-tftp. Similarly, while SFTP is enabled, TFTP cannot be enabled using an SNMP management application. Attempting to do so generates an "inconsistent value" message. (An SNMP management application cannot be used to enable or disable auto-TFTP.) •...
  • Page 352: Scp/Sftp Operating Notes

    SCP/SFTP operating notes • Any attempts to use SCP or SFTP without using ip ssh filetransfer will cause the SCP or SFTP session to fail. Depending on the client software in use, you will receive an error message on the originating console, for Example: IP file transfer not enabled on the switch •...
  • Page 353: Troubleshooting Ssh, Sftp, And Scp Operations

    +---mgr_keys authorized_keys \---oper_keys authorized_keys \---core port_1-24.cor core-dump for ports 1-24 (stackable switches only) port_25-48.cor core-dump for ports 25-48 (stackable switches only) Once you have configured your switch for secure file transfers with SCP and SFTP, files can be copied to or from the switch in a secure (encrypted) environment and TFTP is no longer necessary.
  • Page 354: Using Xmodem To Download Switch Software From A Pc Or Unix Workstation

    Received disconnect from 2: Wait for previous session to complete lost connection Attempt to start a second session The switch supports only one SFTP session or one SCP session at a time. If a second session is initiated (For example, an SFTP session is running and then an SCP session is attempted), the following error message may appear on the client console: Received disconnect from 2: Other SCP/SFTP...
  • Page 355: Switch-To-Switch Download

    c. In the Protocol field, select Xmodem. d. Click on the [Send] button. The download can take several minutes, depending on the baud rate used in the transfer. 3. When the download finishes, you must reboot the switch to implement the newly downloaded software. To do so, use one of the following commands: Syntax: boot system flash {<primary | secondary>}...
  • Page 356: Using Airwave To Update Switch Software

    To download a software file from primary flash in a switch with an IP address of to the primary flash in the destination switch, you would execute the following command in the destination switch's CLI: Switch-to-switch, from primary in source to either flash in destination switch# copy tftp flash flash Device will be rebooted, do you want to continue [y/n]? y 00107K...
  • Page 357: Xmodem: Copying A Software Image From The Switch To A Serially Connected Pc Or Unix Workstation (Cli)

    To copy the primary flash to a TFTP server having an IP address of switch# copy flash tftp k0800.swi where k0800.swi is the filename given to the flash image being copied. Xmodem: Copying a software image from the switch to a serially connected PC or UNIX workstation (CLI) To use this method, the switch must be connected via the serial port to a PC or UNIX workstation.
  • Page 358: Transferring Switch Configurations

    These commands copy the Event Log content to a remote host, attached USB device, or to a serially connected PC or UNIX workstation. Parameters and options oobm For switches that have a separate OOBM port, the oobm parameter specifies that the transfer is through the OOBM interface.
  • Page 359: Tftp: Copying A Configuration File From A Remote Host (Cli)

    TFTP: Copying a configuration file from a remote host (CLI) Syntax: copy tftp {<startup-config | running-config> <ip-address> <remote-file>} [pc | unix] copy tftp config <filename> <ip-address> <remote-file> [pc | unix] This command can copy a configuration from a remote host to a designated config file in the switch. For more information, see "Multiple Configuration Files"...
  • Page 360: Usb: Copying A Configuration File To A Usb Device

    The show tech custom command switch# show tech custom No SHOW-TECH file found. USB: Copying a configuration file to a USB device Syntax: copy startup-config usb <FILENAME> This command can copy a designated config file in the switch to a USB device. Example: MyConfig is the name given to the configuration file that you copy from the switch to the USB device.
  • Page 361: Xmodem: Copying A Configuration File From A Serially Connected Pc Or Unix Workstation (Cli)

    switch# copy startup-config xmodem pc Press 'Enter' and start XMODEM on your host... 3. After you see the above prompt, press [Enter]. 4. Execute the terminal emulator commands to begin the file transfer. Xmodem: Copying a configuration file from a serially connected PC or UNIX workstation (CLI) To use this method, the switch must be connected via the serial port to a PC or UNIX workstation on which is stored the configuration file you want to copy.
  • Page 362: Transferring Acl Command Files

    (For more on these commands, see "Rebooting the Switch" in the basic operation guide for your switch.) Transferring ACL command files This section describes how to upload and execute a command file to the switch for configuring or replacing an ACL in the switch configuration.
  • Page 363: Xmodem: Uploading An Acl Command File From A Serially Connected Pc Or Unix Workstation (Cli)

    Figure 37: Using the copy command to download and configure an ACL on page 363), and continues to implement the remaining ACL commands in the file. Figure 37: Using the copy command to download and configure an ACL switch(config)# copy tftp command-file v1an10_in.txt pc Running configuration may change, do you want to continue [y/n]? y 1.
  • Page 364: Single Copy Command

    TFTP A destination directory and files can be created for all crash files (core-dump, crash-data, crash-log, fdr-log, and event-log) on an TFTP server (with write permissions). SFTP Files are auto created on the SFTP server as a secured transfer. The destination directories however can be manually created on the server.
  • Page 365 Data file Operation note core-dump Copy core-dump file from flash. crash-data Copy the switch crash-data file. crash-log a|b| Copy the switch crash-log file. c|d|e|f|g|h| master crash-files Copy core-dump, crash-data, crash-log, fdr-log, and event-log files to an SFTP/TFTP server, or xmodem terminal. When using the crash-files option, the destination directory alone must be specified as the destination path.
  • Page 366 Destination SFTP TFTP xmodem Data Files Specify the data file name at the target. Data file command file config default-config flash pub-key-file show-tech startup-config ssh-client-key ssh-client-known-hosts Options Option Operation note Requirement append Add the keys for operator access. n/a directory Directory name to upload.
  • Page 367: Multiple Management Switches

    Option Operation note Requirement operator Replace the keys for operator access (default); follow with the append option to add the keys. unix Multiple management switches Syntax copy crash-files interfaces Copy interfaces crash files. management Copy management crash files. Destination SFTP TFTP Xmodem Slot-ID...
  • Page 368: Standalone Switches

    Standalone switches Syntax copy crash-files Options Option Destination SFTP TFTP xmodem management interfaces Crash file options Syntax copy crash-files crash-file-options host-name-str | ip-addr | ipv6-addr sftp dirname-str Options host-name-str Specify hostname of the SFTP server. ip-addr Specify SFTP server IPv4 address. ipv6-addr Specify SFTP server IPv6 address.
  • Page 369: Usb

    Copies fdr-log files to a user-specified file. Copies all the log files from both management modules and all slots. mm-active Copies the active management module's log. mm-standby Copies the standby management module's log. slot Retrieves the crash log from the module in the identified slots. NOTE: The USB port is available only on the 2930M Switch Series.
  • Page 370: Downloading Switch Software Using Usb

    Example Display USB port status. switch# show usb-port USB port status: enabled USB port power status: power on (USB device detected in port) Downloading switch software using USB Prerequisites Procedure 1. Store a software version for the switch on a USB flash drive. (The latest software file is typically available from the Switch Networking website at 2.
  • Page 371: Copy Usb Command-File

    Procedure 1. Issue the copy usb flash command as shown below: Figure 38: The command to copy switch software from USB 2. When the switch finishes copying the software file from the USB device, it displays this progress message: Validating and Writing System Software to the Filesystem..3.
  • Page 372 If the switch detects an illegal (non-ACL) command in the file, it bypasses the illegal command, displays a notice, and continues to implement the remaining ACL commands in the file. Aruba 2930F / 2930M Management and Configuration Guide for ArubaOS-Switch 16.08...
  • Page 373: Chapter 12 Monitoring And Analyzing Switch Operation

    Chapter 12 Monitoring and Analyzing Switch Operation Overview The switches have several built-in tools for monitoring, analyzing, and troubleshooting switch and network operation: • Status: Includes options for displaying general switch information, management address data, port status, port and trunk group statistics, MAC addresses detected on each port or VLAN, and STP, IGMP, and VLAN data. •...
  • Page 374: Status And Counters Data

    Status and counters data This section describes the status and counters screens available through the switch console interface and/or the WebAgent. NOTE: You can access all console screens from the WebAgent via Telnet to the console. Telnet access to the switch is available in the Device View window under the Configuration tab. show system Syntax show system [chassislocate|information|fans]...
  • Page 375: Chassislocate

    show system chassislocate command Figure 39: Command results for show system chassislocate command Figure 40: System fan status Figure 41: Switch system information chassislocate Syntax Description Identifies the location of a specific switch by activating the blue locator LED on the front panel of the switch. chassislocate [blink|on|off] Parameters and options Chapter 12 Monitoring and Analyzing Switch Operation...
  • Page 376: Chassislocate At Startup

    blink <1–1440> Blinks the chassis locate LED for a specified number of minutes (Default: 30 min.) on <1–1440> Turns the chassis locate LED on for a specified number of minutes (Default: 20 min.) Turns the chassis locate LED off. Chassislocate at startup The chassislocate command has an optional parameter that configures it to run in the future instead of immediately.
  • Page 377: General System Information

    01:05:27 General system information Accessing system information (CLI) Syntax: show system [chassislocate | information | fans | power-supply | temperature] Displays global system information and operational parameters for the switch. chassislocate Shows the chassisLocator LED status. Possible values are On, Off, or Blink. When the status is On or Blink, the number of minutes that the Locator LED will continue to be on or to blink is displayed.
  • Page 378: Collecting Processor Data With The Task Monitor (Cli)

    System Name : Switch System Contact System Location MAC Age Time (sec) : 300 Time Zone Daylight Time Rule : None Software revision : T.13.XX Base MAC Addr : 001635-b57cc0 ROM Version : XX.12.12 Serial Number : LP621KI005 Up Time : 51 secs Memory - Total : 152,455,616...
  • Page 379: Switch Management Address Information Access

    Enables or disables the collection of processor utilization data, and requires a manager login. Settings are not persistent; there are no changes to the configuration. Defaults to disabled. task-monitor cpu command Figure 42: The task-monitor cpu command and show cpu output Switch management address information access show management Syntax...
  • Page 380: Task Usage Reporting

    Additionally, this command displays the part number (J number) and serial number of the chassis. (See Figure 44: The show modules details command for the 8212zl, showing SSM and mini-GBIC information on page 380.) show modules command Figure 43: The show modules command output show modules details command Figure 44: The show modules details command for the 8212zl, showing SSM and mini-GBIC information Task usage reporting...
  • Page 381 [no] process-tracking [slot[SLOT-LIST] [<time>]] [<time>] Enables/disables module process-tracking functionality. process-tracking <tab> slot Enables/disables process-tracking for a module. INTEGER Specifies time to track value between 1 second to 30 seconds. <cr> process-tracking slot <tab> SLOT-ID-RANGE Enter an alphabetic device slot identifier or slot range. process-tracking slot A INTEGER Specifies time to track value between 1 second to 30 seconds.
  • Page 382 <1-300> Time (in seconds) over which to average CPU utilization. <cr> show cpu process <tab> refresh Number of times to refresh process usage display. slot Displays module process usage. <cr> show cpu process refresh <tab> INTEGER Enter an integer number. show cpu process refresh 10 <tab>...
  • Page 383: Switch Management Address Information

    | Recent | | Time Since | Times | Max Process Name | Priority | Time | CPU | Last Ran | Ran | Time ----------------- + --------- + ------ + ---- + ---------- + ------ + ------- System Services-2 | 156 | 253 ms | 2 | 767 ms | 12...
  • Page 384 Lists the MAC addresses of the devices the switch has detected, on the specified [port-list] ports. Lists the port on which the switch detects the specified MAC address.Returns the [mac-addr] following message if the specified MAC address is not detected on any port in the switch: MAC address <mac-addr>...
  • Page 385: Port Status

    • A 4-port module in slot A, a 24-port module in slot C, and no modules in slots B and D • Two non-default VLANs configured Figure 45: Example: of Port MAC address assignments on a switch Port Status The WebAgent and the console interface show the same port status data. Viewing port status (CLI) Syntax: show interfaces brief...
  • Page 386: Port And Trunk Group Statistics And Flow Control Status

    NOTE: To reset the port counters to zero, you must reboot the switch. Port and trunk group statistics and flow control status The features described in this section enable you to determine the traffic patterns for each port since the last reboot or reset of the switch.
  • Page 387: Clearing Trunk Load Balancing Statistics

    Output for the show trunk-statistics command switch(config)# show trunk-statistics trk1 Group : Trk1 Ports : 3,4 Monitoring time : 23 hours 15 minutes Totals Packets Rx : 3,452,664 Bytes Rx : 14,004,243 Packets Tx : 2,121,122 Bytes Tx : 2,077,566 Packets Tx Drop : Rates (5 minute weighted average): Trunk utilization Rx : 30.2 %...
  • Page 388: Accessing Mac Address Views And Searches (Cli)

    Accessing MAC address views and searches (CLI) Syntax: show mac-address [vlan < vlan-id>] [<port-list>] [< mac-addr >] Listing all learned MAC addresses on the switch, with the port number on which each MAC address was learned Switch# show mac-address Listing all learned MAC addresses on one or more ports, with their corresponding port numbers For example, to list the learned MAC address on ports A1 through A4 and port A6: Switch# show mac-address a1-a4,a6...
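Worked example for the `show mac-address` views above. This is an added example, not code from the guide or from ArubaOS-Switch: it parses the Port Address Table rows into (MAC, port, VLAN) tuples and derives two security checks from them. A port that has learned far more addresses than the devices behind it can explain is the usual sign of a MAC flooding attempt or of an unmanaged switch or hub on that port, and the same address learned on more than one port points to a loop or a spoofed address. `SAMPLE_TABLE` is constructed in the layout of the switch's output (addresses in the xxxxxx-xxxxxx form the guide uses); every address, port and VLAN in it is invented.

```python
"""Per-port MAC counts and duplicate-MAC detection from `show mac-address`.

Added example, not from the guide or from ArubaOS-Switch. SAMPLE_TABLE is
a constructed capture in the layout of the Port Address Table; the
addresses, ports and VLANs are invented.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_TABLE = """\
 Status and Counters - Port Address Table

  MAC Address   Port  VLAN
  ------------- ----- ----
  0017a4-010101 1     1
  0017a4-020202 2     1
  0017a4-020203 2     1
  0017a4-020204 2     1
  0017a4-020205 2     1
  0017a4-020206 2     1
  0017a4-030303 3     10
  0017a4-030303 4     20
"""

# One address row: "xxxxxx-xxxxxx <port> <vlan>"; header and rule lines do not match.
MAC_ROW = re.compile(r"^\s*([0-9a-f]{6}-[0-9a-f]{6})\s+(\S+)\s+(\d+)\s*$", re.I)


def parse_mac_table(text: str) -> List[Tuple[str, str, int]]:
    """Return (mac, port, vlan) for every address row in the output."""
    rows: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((m.group(1).lower(), m.group(2), int(m.group(3))))
    return rows


def macs_per_port(rows: List[Tuple[str, str, int]]) -> Dict[str, Set[str]]:
    """Distinct addresses learned on each port."""
    by_port: Dict[str, Set[str]] = defaultdict(set)
    for mac, port, _vlan in rows:
        by_port[port].add(mac)
    return dict(by_port)


def flooded_ports(rows: List[Tuple[str, str, int]], max_macs: int = 3) -> List[str]:
    """Ports that learned more than max_macs distinct addresses. Choose the
    threshold per port role: an access port to one host should learn one or
    two, an uplink legitimately learns many."""
    return sorted(p for p, macs in macs_per_port(rows).items() if len(macs) > max_macs)


def multi_port_macs(rows: List[Tuple[str, str, int]]) -> Dict[str, Set[str]]:
    """Addresses learned on more than one port. In a healthy table each
    address belongs to one port, so a duplicate indicates a loop or a
    spoofed address."""
    ports: Dict[str, Set[str]] = defaultdict(set)
    for mac, port, _vlan in rows:
        ports[mac].add(port)
    return {mac: p for mac, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_TABLE)
    print("flooded ports:", flooded_ports(rows))
    print("addresses on several ports:", multi_port_macs(rows))
```

Feed it the saved output of `show mac-address` (or `show mac-address <port-list>` for the access ports you care about) from a scheduled collection; comparing successive snapshots is what turns the duplicate-address check into a move detector.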
  • Page 389: Viewing Internet Igmp Status (Cli)

    Example: Figure 46: Output from show spanning-tree command Viewing internet IGMP status (CLI) The switch uses the CLI to display the following IGMP status on a per-VLAN basis: Chapter 12 Monitoring and Analyzing Switch Operation...
  • Page 390: Viewing Vlan Information (Cli)

    Viewing VLAN information (CLI) Show command Output show vlan Lists: • Maximum number of VLANs to support • Existing VLANs • Status (static or dynamic) • Primary VLAN show vlan <vlan-id> For the specified VLAN, lists: • Name, VID, and status (static/dynamic) •...
  • Page 391 802.1Q VLAN ID Name Status -------------- ------------ ------ DEFAULT_VLAN Static VLAN-33 Static VLAN-44 Static Port listing for an individual VLAN switch(config)# show vlan 1 Status and Counters - VLAN Information - VLAN 1 VLAN ID : 1 Name : DEFAULT_VLAN Status : Static Voice : Yes Jumbo : No...
  • Page 392: Webagent Status Information

    WebAgent status information The WebAgent Status screen provides an overview of the status of the switch. Scroll down to view more details. For information about this screen, click on ? in the upper right corner of the WebAgent screen. For an example of a status screen, see Figure 47: Example of a WebAgent status screen on page 392.
  • Page 393: Port Status

    no allow-v1–modules Figure 49: Disabling compatibility mode Port status You can view port status using either the CLI or the menu. show interfaces brief Syntax show interfaces brief Description View the port status. Accessing port and trunk group statistics Use the CLI to view port counter summary reports, and to view detailed traffic summary for specific ports. Trunk bandwidth utilization •...
  • Page 394 <TRUNK-GROUP> Specifies the trunk group for which status information will be shown. The status information shown consists of total transmit and receive counters and weighted average rate for the trunk group specified. The weighted average rate is calculated in 5 minute intervals. Usage Both external and internal ports are supported on the same module.
  • Page 395: Show Interfaces Trunk-Utilization

    switch# show interfaces brief b1-b3i Status and Counters - Port Status | Intrusion Flow Bcast Port Type | Alert Enabled Status Mode Mode Ctrl Limit ------ ---------- + --------- ------- ------ ---------- ---- ---- ----- 100/1000T | No Down 1000FDx Auto off 100/1000T | No...
  • Page 396: Statistic Interactions Of Interface Counters

    Example Show bandwidth utilization for trunks. Switch(config)# show interfaces trunk-utilization Status and Counters - Port Utilization Port | --------------------------- | --------------------------- | Kbits/sec Pkts/sec Util | Kbits/sec Pkts/sec Util -------- ---------- ----- + ---------- ---------- --------- ----- Trk1 Trk2 Trk10 Statistic interactions of interface counters Table 27: Statistic interactions Interface counters are cleared using the command clear statistics.
  • Page 397: Reset Port Counters

    Action taken Trigger Interaction with interface counter Trunk port Module crash/ • Interface counters for this port are not cleared. going Down module reload • Average rate counters are cleared. Trunk port Save power - off • Interface counters for this port are not cleared. going Down •...
  • Page 398: Mac Address Tables

    <PORT-LIST> Clears the counters and statistics for specific ports. global Clears all counters and statistics for all interfaces except SNMP. MAC address tables MAC address views and searches You can view and search MAC addresses using the CLI or the menu. show mac-add detail Syntax show mac-address detail...
  • Page 399: Show Mac-Address

    stack-Switch# show mac-address detail Status and Counters - Port Address Table MAC Address Port VLAN Age ( ------------- ------ ---- ---------------- 009c02-d80f28 1/2 0000:00:00:30.18 3464a9-abe500 1/2 0030:07:01:20.23 show mac-address Syntax show mac-address [vlan <VLAN-ID> ] [<PORT-LIST>] [<MAC-ADDR>] [TUNNEL-ID] Description Lists all MAC addresses on the switch and their corresponding port numbers. You can also choose to list specific addresses and ports, or addresses and ports on a VLAN.
  • Page 400: Finding The Port Connection For A Specific Device On A Vlan

    Description Specifies the age and existing details of the specific mac address given. manager Parameters <MAC-ADDRESS> Specifies the mac-address being requested in detail. Examples Show mac-address detail for f0921c-b6e97e. switch# show mac-address f0921c-b6e97e detail Status and Counters - Port Address Table MAC Address Port VLAN Age (
  • Page 401: Mstp Data

    The address is highlighted if found. If the switch does not find the address, it leaves the MAC address listing empty. 3. Press [P] (for Prev page) to return to the previous per-port listing. MSTP data show spanning-tree Syntax show spanning-tree Description Displays the global and regional spanning-tree status for the switch, and displays the per-port spanning-tree operation at the regional level.
  • Page 402: Ip Igmp Status

    show spanning-tree command output Figure 50: show spanning-tree command output IP IGMP status show ip igmp Syntax show ip igmp <VLAN-ID> [config] [group <IP-ADDR>|groups] [statistics] Description Global command that lists IGMP status for all VLANs configured in the switch, including: Aruba 2930F / 2930M Management and Configuration Guide for ArubaOS-Switch 16.08...
  • Page 403 • VLAN ID (VID) and name • Querier address • Active group addresses per VLAN • Number of report and query packets per group • Querier access port per VLAN Parameters and options config Displays the IGMP configuration information, including VLAN ID, VLAN name, status, forwarding, and Querier information.
  • Page 404: Vlan Information

    VLAN information show vlan Syntax show vlan <VLAN-ID> Description Lists the maximum number of VLANs to support, existing VLANS, VLAN status (static or dynamic), and primary VLAN. Parameters and options <VLAN-ID> Lists the following for the specified VLAN: • Name, VID, and status (static/dynamic) •...
  • Page 405: Configuring Local Mirroring

    A1, A2 VLAN-33 A3, A4 VLAN-44 Figure 51: Listing the VLAN ID (vid) and status for specific ports Figure 52: Example of VLAN listing for the entire switch Figure 53: Port listing for an individual VLAN Configuring local mirroring To configure a local mirroring session in which the mirroring source and destination are on the same switch, follow these general steps: Procedure 1.
  • Page 406: Local Mirroring Sessions

    a. Session number (1) and (optional) alphanumeric name b. Exit port (any port on the switch except a monitored interface used to mirror traffic) IMPORTANT: Hewlett Packard Enterprise strongly discourages connecting a mirroring exit port to a network because doing so can result in serious network performance problems. Only connect an exit port to a network analyzer, IDS, or other network edge device that has no connection to other network resources.
  • Page 407: Class [Ipv4|Ipv6]

    class [ipv4|ipv6] Syntax class [ipv4|ipv6] <CLASSNAME> [no] [seq-number] [match|ignore] <IP-PROTOCOL> <SOURCE-ADDRESS> <DESTINATION-ADDRESS>][precedence <PRECEDENCE-VALUE>][tos <TOS-VALUE>][ip-dscp <CODEPOINTS>][vlan <VLAN-ID>] Description Configures the mirroring policy for inbound traffic on the switch. Parameters and options policy mirror Syntax policy mirror <POLICY-NAME> [no] <SEQ-NUMBER> [class [ipv4|ipv6] <CLASSNAME> action mirror <SESSION>] [action mirror <SESSION>] [no] default-class action mirror <SESSION>...
  • Page 408: Remote Mirroring Destination On A Remote Switch

    Remote mirroring destination on a remote switch Syntax mirror endpoint ip <SRC-IP> <SRC-UDP-PORT> <DST-IP> <EXIT-PORT> [truncation] Description Configures a remote mirroring destination on a remote switch. Parameters and options Remote mirroring destination on a local switch mirror remote ip Syntax mirror <SESSION>...
  • Page 409: Service-Policy

    show monitor [endpoint|<SESSION-NUMBER>|name <SESSION-NAME> service-policy Syntax service-policy <mirror-policy-name> in Destination mirror on a remote switch mirror endpoint Syntax mirror endpoint ip <SRC-IP-ADDR> <SRC-UDP-PORT> <DST-IP-ADDR> port <EXIT-PORT> Description Enter this command on a remote switch to configure the exit port to use in a remote mirroring session. to configure the mirroring source on the local switch.
  • Page 410: Configure Acl Criteria To Select Inbound

    Configures traffic direction criteria for specific traffic Configure ACL criteria to select inbound interface monitor ip access-group Syntax [no] [interface <PORT> <TRUNK> <MESH>|vlan <VID-#>] monitor ip access-group <ACL-NAME> in mirror [1-4|<NAME-STR>] [1-4|<NAME-STR . . .>] Configuring a destination switch in a remote mirroring session CAUTION: When configuring a remote mirroring session, always configure the destination switch first.
  • Page 411: Configuring A Source Switch In A Local Mirroring Session

    Configuring a source switch in a local mirroring session Enter the mirror port command on the source switch to configure an exit port on the same switch. To create the mirroring session, use the information gathered in High-level overview of the mirror configuration process on page 430.
  • Page 412: Selecting All Traffic On A Port Interface For Mirroring According To Traffic Direction

    src-ip The IP address of the VLAN or subnet on which the traffic to be mirrored enters or leaves the switch. src-udp-port Associates the remote session with a UDP port number. When multiple sessions have the same source IP address src-ip and destination IP address dst-ip, the UDP port number must be unique in each session.
  • Page 413: Selecting All Traffic On A Vlan Interface For Mirroring According To Traffic Direction

    interface port/trunk/mesh Identifies the source ports, static trunks, and/or mesh on which to mirror traffic. Use a hyphen for a range of consecutive ports or trunks (a5-a8, Trk2-Trk4.) Use a comma to separate non-contiguous interfaces (b11, b14, Trk4, Trk7.) monitor all [in | out | ... For the interface specified by port/trunk/mesh, selects traffic to mirror based on whether the traffic is entering or leaving the switch on the interface:...
  • Page 414: Configuring A Mac Address To Filter Mirrored Traffic On An Interface

    vlan vid-# Identifies the VLAN on which to mirror traffic. monitor all [in | out | both] Uses the direction of traffic on the specified vid-# to select traffic to mirror. If you enter the monitor all command without selection criteria or a session identifier, the command applies by default to session 1.
  • Page 415: Configuring Classifier-Based Mirroring

    monitor mac mac-addr Configures the MAC address as selection criteria for mirroring traffic on any port or learned VLAN on the switch. {src | dest | both} Specifies how the MAC address is used to filter and mirror packets in inbound and/or outbound traffic on the interfaces on which the mirroring session is applied: •...
  • Page 416 After you enter the class command, you enter the class configuration context to specify match criteria. A traffic class contains a series of match and ignore commands, which specify the criteria used to classify packets. To configure a default traffic class, use the default-class command as described below. A default class manages the packets that do not match the match/ignore criteria in any other classes in a policy.
  • Page 417: Applying A Mirroring Policy On A Port Or Vlan Interface

    Context: Policy configuration Syntax [no] default-class action mirror session [action mirror session ...] Configures a default class that allows packets that are not matched nor ignored by any of the class configurations in a mirroring policy to be mirrored to the destination configured for the specified session. Applying a mirroring policy on a port or VLAN interface Enter one of the following service-policy commands from the global configuration context.
  • Page 418: Viewing All Mirroring Session Configured On The Switch

    Viewing all mirroring session configured on the switch Syntax show monitor If a monitored source for a mirror session is configured on the switch, the following information is displayed. Otherwise, the output displays: Mirroring is currently disabled. Mirror port configured on the switch is shown: switch(config) # show monitor Network Monitoring Port Mirror Port: 16...
  • Page 419: Viewing The Mirroring Configuration For A Specific Session

    In the following figure, the show monitor endpoint output shows that the switch is configured as the remote endpoint (destination) for two remote sessions from the same monitored source interface. Figure 54: Displaying the configuration of remote mirroring endpoints on the switch Viewing the mirroring configuration for a specific session Syntax show monitor [1 | name name-str]...
  • Page 420: Viewing A Remote Mirroring Session

    Monitoring Sources For the specified local or remote session, displays the source (port, trunk, or VLAN) interface and the MAC address (if configured) used to select mirrored traffic. Direction For the selected interface, indicates whether mirrored traffic is entering the switch (in), leaving the switch (out), or both.
  • Page 421: Viewing A Mac-Based Mirroring Session

    Viewing a MAC-based mirroring session After you configure a MAC-based mirroring session (Figure 57: Configuring a MAC-based mirroring session on page 421), you can enter the show monitor 3 command to verify the configuration (Figure 58: Displaying a MAC-based mirroring session on page 421.) Figure 57: Configuring a MAC-based mirroring session Figure 58: Displaying a MAC-based mirroring session Viewing a local mirroring session...
  • Page 422: Viewing Information On A Classifier-Based Mirroring Session

    Viewing information on a classifier-based mirroring session In the following example, a classifier-based mirroring policy (mirrorAdminTraffic) mirrors selected inbound IPv4 packets on VLAN 5 to the destination device configured for mirroring session 3. Figure 60: Configuring a classifier-based mirroring policy in a local mirroring session Displaying a classifier-based policy in a local mirroring session switch(config)# show monitor 3 Network Monitoring...
  • Page 423: Viewing Information About A Classifier-Based Mirroring Configuration

    Additional variants of the show class … command provide information on classes that are members of policies that have been applied to ports or VLANs. Figure 61: show class output for a mirroring policy Viewing information about a classifier-based mirroring configuration Syntax show policy policy-name...
  • Page 424: Viewing The Mirroring Configurations In The Running Configuration File

    NOTE: The information displayed is the same as the output of the show qos resources and show access-list resources commands. Figure 63: Displaying the hardware resources used by currently configured mirroring policies Viewing the mirroring configurations in the running configuration file Use the show run command to view the current mirroring configurations on the switch.
  • Page 425: Traffic Mirroring Overview

    Table 28: Compatibility mode enabled/disabled comparisons Modules Compatibility mode enabled Compatibility mode disabled v2 zl modules Can insert zl module and the module will come v2 zl modules are at full capacity. zl modules only up. Any v2 zl modules are limited to the zl are not allowed to power up.
  • Page 426: Mirroring Destinations

    ◦ The monitored interface (A1) and exit port (B7) are on different switches. ◦ Mirrored traffic can be bridged or routed from a source switch to a remote switch. Figure 64: Local and remote sessions showing mirroring terms Mirroring destinations Traffic mirroring supports destination devices that are connected to the local switch or to a remote switch: Traffic can be copied to a destination (host) device connected to the same switch as the mirroring source in a local mirroring session.
  • Page 427: Mirroring Session Limits

    Mirroring sessions can have the same or a different destination. You can configure an exit port on the local (source) switch and/or on a remote switch as the destination in a mirroring session. When configuring a mirroring destination, consider the following options: You can segregate traffic by type, direction, or source.
  • Page 428: Local Destinations

    Local destinations A local mirroring traffic destination is a port on the same switch as the source of the traffic being mirrored. Remote destinations A remote mirroring traffic destination is a switch configured to operate as the exit switch for mirrored traffic sessions originating on other switches.
  • Page 429: Remote Mirroring Endpoint And Intermediate Devices

    You can use the CLI to configure sessions 1 to 4 for local or remote mirroring in any combination, and to override a Menu configuration of session 1. You can also use SNMP to configure sessions 1 to 4 for local or remote mirroring in any combination and to override a Menu configuration of session 1, except that SNMP cannot be used to configure a classifier-based mirroring policy.
  • Page 430: Quick Reference To Remote Mirroring Setup

    a. Direction: inbound, outbound, or both. b. Classifier-based mirroring policy: inbound only for IPv4 or IPv6 traffic. c. MAC source and/or destination address: inbound, outbound, or both. 5. On the source switch: a. Enter the mirror command with the session number (1 to 4) and the IP addresses and UDP port number from 1 on page 429 to configure a mirroring session.
  • Page 431: Configure A Mirroring Destination On A Remote Switch

    CAUTION: Although the switch supports the use of UDP port numbers from 1 to 65535, UDP port numbers below 7933 are reserved for various IP applications. Using these port numbers for mirroring can result in an interruption of other IP functions, and in non-mirrored traffic being received on the destination (endpoint) switch and sent to the device connected to the remote exit port.
  • Page 432: Configure The Monitored Traffic In A Mirror Session

    CAUTION: After you configure a mirroring session with traffic-selection criteria and a destination, the switch immediately starts to mirror traffic to the destination device connected to each exit port. In a remote mirroring session that uses IPv4 encapsulation, if the remote (endpoint) switch is not already configured as the destination for the session, its performance may be adversely affected by the stream of mirrored traffic.
  • Page 433: About Selecting All Inbound/Outbound Traffic To Mirror

    About selecting all inbound/outbound traffic to mirror If you have already configured session 1 with a local or remote destination, you can enter the vlan vid monitor or interface port monitor command without additional parameters for traffic-selection criteria and session number to configure mirroring for all inbound and outbound traffic on the specified VLAN or port interfaces in session 1 with the preconfigured destination.
  • Page 434: Operating Notes

    DEFVAL { 2 } ::= { hpicfBridgeMirrorSessionEntry 2 } Operating notes The following conditions apply for the no-tag-added option: • The specified port can be a physical port, trunk port, or mesh port. • Only a single logical port (physical port or trunk) can be associated with a mirror session when the no-tag- added option is specified.
  • Page 435: About Selecting Inbound Traffic Using Advanced Classifier-Based Mirroring

    • Up to 320 different MAC addresses are supported for traffic selection in all mirroring sessions configured on the switch. • A destination MAC address is not supported as mirroring criteria for routed traffic, because in routed packets, the destination MAC address is changed to the next-hop address when the packet is forwarded. Therefore, the destination MAC address that you want to mirror will not appear in routed packet headers.
  • Page 436: Classifier-Based Mirroring Configuration

    Classifier-based mirroring policies provide greater precision when analyzing and debugging a network traffic problem. Using multiple match criteria, you can finely select and define the classes of traffic that you want to mirror on a traffic analyzer or IDS device. Classifier-based mirroring configuration 1.
  • Page 437: Classifier-Based Mirroring Restrictions

    • In a local mirroring session, the exit port is configured with the mirror <session-number> port command • In a remote mirroring session, the remote exit port is configured with the mirror endpoint ip and mirror <session-number> remote ip commands. Restriction: In a policy, you can configure only one mirroring session per class.
  • Page 438: About Applying Multiple Mirroring Sessions To An Interface

    • A mirroring policy is supported only on inbound IPv4 or IPv6 traffic. • A mirroring policy is not supported on a meshed port interface. (Classifier-based policies are supported only on a port, VLAN, or trunk interface.) • Only one classifier-based mirroring policy is supported on a port or VLAN interface. You can, however, apply a classifier-based policy of a different type, such as QoS.
  • Page 439: Mirroring Configuration Examples

    In the following example, traffic on Port b1 is used as the mirroring source for two different, local mirroring sessions: • All inbound and outbound traffic on Ports b1, b2, and b3 is mirrored in session 4. • Only selected voice traffic on Port b1 is mirrored in session 2. Figure 69: Example of applying multiple sessions to the same interface Mirroring configuration examples Local mirroring using traffic-direction criteria...
  • Page 440 Remote mirroring using a classifier-based policy In the network shown in the figure below, an administrator has connected a traffic analyzer to port A15 (in VLAN 30) on switch C to monitor the TCP traffic to the server at from workstations connected to switches A and B.
  • Page 441 3. On switch A, configure a classifier-based mirroring policy to select inbound TCP traffic destined to the server at, and apply the policy to the interfaces of VLAN 10 (as described in About selecting inbound traffic using advanced classifier-based mirroring on page 435.) Figure 74: Configuring a classifier-based policy on source switch A 4.
  • Page 442 Because the remote session has mirroring sources on different switches, you can use the same session number (1) for both sessions. Figure 75: Configuring a classifier-based policy on source switch B Remote mirroring using traffic-direction criteria In the network shown in the figure below, the administrator connects another traffic analyzer to port B10 (in VLAN 40) on switch C to monitor all traffic entering switch A on port C12.
  • Page 443: Maximum Supported Frame Size

    1. On remote switch C, configure the remote mirroring endpoint using port B10 as the exit port for a traffic analyzer (as described in Configure a mirroring destination on a remote switch on page 431): Figure 77: Configuring a remote mirroring endpoint 2.
  • Page 444: Enabling Jumbo Frames To Increase The Mirroring Path Mtu

    Enabling jumbo frames to increase the mirroring path MTU On 1-Gbps and 10-Gbps ports in the mirroring path, you can reduce the number of dropped frames by enabling jumbo frames on all intermediate switches and routers. (The MTU on the switches covered by this manual is 9220 bytes for frames having an 802.1Q VLAN tag, and 9216 bytes for untagged frames.) Table 30: Maximum frame sizes for mirroring Frame type...
  • Page 445: Operating Notes For Traffic Mirroring

    For example, if the MTU on the path to the destination is 1522 bytes, untagged mirrored frames leaving the source switch cannot exceed 1518 bytes. Likewise, if the MTU on the path to the destination is 9220 bytes, untagged mirrored frames leaving the source switch cannot exceed 9216 bytes. Figure 79: Effect of downstream VLAN tagging on the MTU for mirrored traffic Operating notes for traffic mirroring •...
  • Page 446: Troubleshooting Traffic Mirroring

    To reduce the number of dropped frames, enable jumbo frames in the mirroring path, including all intermediate switches and/or routers. (The MTU on the switch is 9220 bytes, which includes 4 bytes for the 802.1Q VLAN tag.) • Intercepted or injected traffic The mirroring feature does not protect against either mirrored traffic being intercepted or traffic being injected into a mirrored stream by an intermediate host.
  • Page 447: Interface Monitoring Features

    Interface monitoring features You can designate monitoring of inbound and outbound traffic on: Ports and static trunks: Allows monitoring of individual ports, groups of contiguous ports, and static port trunks. The switch monitors network activity by copying all traffic inbound and outbound on the specified interfaces to the designated monitoring port, to which a network analyzer can be attached.
  • Page 448: Configuring The Monitor Port

    • Port receiving monitored traffic. • Monitored Ports Configuring the monitor port Syntax: [no] mirror-port [< port-num >] This command assigns or removes a monitoring port, and must be executed from the global configuration level. Removing the monitor port disables port monitoring and resets the monitoring parameters to their factory-default settings.
  • Page 449: Fans

    Network Monitoring Port Mirror Port: 5 Monitoring sources ------------------ VLAN_20 Disabling monitoring at the interface context and the global config level switch(eth-1-3, 5)# no int 5 monitor switch(eth-1-3, 5)# no monitor switch(config)# no int 5 monitor switch(config)# no int 1-3, 5 monitor •...
  • Page 450: Show System Fans

    Usage • To show system fans, see show system fans • To show chassis power supply and settings, see show system power-supply • To show system fans for VSF members, see show system fans vsf Examples Locating the system chassis by LED blink using the show system chassislocate command. Showing the general switch system information by using the show system command.
  • Page 451 Usage Command can be executed using various command contexts. See examples for use of command context PoEP and VSF. Examples The state of all system fans is shown by using the command show system fans. Switch# show system fans Fan Information | State | Failures | Location -------+-------------+----------+----------...
  • Page 452: Show System Power-Supply

    Member | State | Failures | Location -------+-------------+--------------------- Sys-1 | Fan OK | Chassis Sys-2 | Fan OK | Chassis Sys-3 | Fan OK | Chassis Sys-4 | Fan OK | PS 1 Sys-5 | Fan OK | PS 2 0 / 5 Fans in Failure State 0 / 5 Fans have been in Failure State The state of all VSF switch members system fans is shown by using the command show system fans from...
  • Page 453 Parameters detailed Shows detailed switch power supply sensor information. fahrenheit Shows detailed switch power supply sensor information with temperatures in degrees Fahrenheit. Usage • The show system power-supply detailed command shows detailed information for the local power supplies only. • The show system power-supply detailed command shows detailed information for power supplies in the powered state only.
  • Page 454 Not Present J9830A IN43G4G05H Powered AC Power Consumption : 90 Watts AC MAIN/AUX Voltage : 210/118 Volts Power Supplied : 16 Watts Power Capacity : 2750 Watts Inlet Temp (C/F) : 30.9C/86.0F Internal Temp (C/F) : 65.6C/149.0F Fan 1 Speed : 2000 RPM (37%) Fan 2 Speed : 1950 RPM (36%)
  • Page 455 6 / 8 supply bays delivering power. Total Input Power: 378 Watts Use of the command show system power-supply detailed shows the power supply status all active switches including a nonpowered J9830A PSU. switch# show system power-supply detailed Status and Counters - Power Supply Detailed Information PS# Model Serial State...
  • Page 456: Fan Failures And Snmp Traps

    Table 31: Field key for output of show system power-supply detailed Field Description AC Power Actual power consumed from AC input Consumption Actual voltage measured on AC Input: AC MAIN/AUX Voltage • Two voltages are displayed for PS#4, as the J9830A includes two AC input IEC connectors.
  • Page 457 I 11/30/16 14:03:08 00070 chassis: AM1: Fan OK: Fan: 3 Failures: 1 Shown is a fan-tray fan-fault (fan number 3) failure. The event is issued as a "Warning" (w). W 11/30/16 14:02:38 00070 chassis: AM1: Fan failure: Fan: 3 Failures: 1 Chapter 12 Monitoring and Analyzing Switch Operation...
  • Page 458: Troubleshooting

    Chapter 13 Troubleshooting Overview This chapter addresses performance-related network problems that can be caused by topology, switch configuration, and the effects of other devices or their configurations on switch operation. (For switch-specific information on hardware problems indicated by LED behavior, cabling requirements, and other potential hardware-related problems, see the installation guide you received with the switch.) NOTE: Switch software updates are periodically placed on the Switch Networking website.
  • Page 459: Browser Or Telnet Access Problems

    ◦ Status and Counters screens ◦ Event Log ◦ Diagnostics tools (Link test, Ping test, configuration file browser, and advanced user commands) Browser or Telnet access problems Cannot access the WebAgent • Access may be disabled by the Web Agent Enabled parameter in the switch console. Check the setting on this parameter by selecting: 2.
  • Page 460: Unusual Network Activity

    5. IP Configuration • If you are using DHCP to acquire the IP address for the switch, the IP address "lease time" may have expired so that the IP address has changed. For more information on how to "reserve" an IP address, see the documentation for the DHCP application that you are using.
  • Page 461: The Switch Has Been Configured For Dhcp/Bootp Operation, But Has Not Received A Dhcp Or Bootp Reply

    where both instances of IP-address are the same address, indicating that the IP address has been duplicated somewhere on the network. The switch has been configured for DHCP/Bootp operation, but has not received a DHCP or Bootp reply When the switch is first configured for DHCP/Bootp operation, or if it is rebooted with this configuration, it immediately begins sending request packets on the network.
  • Page 462: The Switch Does Not Allow Management Access From A Device On The Same Vlan

    Indicates that routing is enabled, a requirement for ACL operation. (There is an exception. Refer to the Note, below.) NOTE: If an ACL assigned to a VLAN includes an ACE referencing an IP address on the switch itself as a packet source or destination, the ACE screens traffic to or from this switch address regardless of whether IP routing is enabled.
  • Page 463: The Switch Does Not Allow Any Routed Access From A Specific Host, Group Of Hosts, Or Subnet

    The switch does not allow any routed access from a specific host, group of hosts, or subnet The implicit deny any function that the switch automatically applies as the last entry in any ACL may be blocking all access by devices not specifically permitted by an entry in an ACL affecting those sources. If you are using the ACL to block specific hosts, a group of hosts, or a subnet, but want to allow any access not specifically permitted, insert permit any as the last explicit entry in the ACL.
  • Page 464: Igmp-Related Problems

    Procedure 1. Configure an ACE that specifically permits authorized traffic from the remote network. 2. Configure narrowly defined ACEs to block unwanted IP traffic that would otherwise use the gateway; such ACEs might deny traffic for a particular application, particular hosts, or an entire subnet. 3.
  • Page 465: Unable To Enable Lacp On A Port With The Interface Lacp Command

    Unable to enable LACP on a port with the interface <port-number> lacp command In this case, the switch displays the following message: Operation is not allowed for a trunked port. You cannot enable LACP on a port while it is configured as a static Trunk port. To enable LACP on a static-trunked port: Procedure 1.
  • Page 466: The Switch Appears To Be Properly Configured As A Supplicant, But Cannot Gain Access To The Intended Authenticator Port On The Switch To Which It Is Connected

    The switch appears to be properly configured as a supplicant, but cannot gain access to the intended authenticator port on the switch to which it is connected If aaa authentication port-access is configured for Local, ensure that you have entered the local login (operator-level) username and password of the authenticator switch into the identity and secret parameters of the supplicant configuration.
  • Page 467: Authenticator Initialize

    Retransmit Attempts : 3 Global Encryption Key : My-Global-Key Dynamic Authorization UDP Port : 3799 Auth Acct DM/ Time Server IP Addr Port Port CoA Window Encryption Key --------------- ---- ---- --- ------ --------------- 1812 1813 119-only-key Also, ensure that the switch port used to access the RADIUS server is not blocked by an 802.1X configuration on that port.
  • Page 468: Radius Server Fails To Respond To A Request For Service, Even Though The Server's Ip Address Is Correctly Configured In The Switch

    NOTE: Because of an inconsistency between the Windows XP 802.1X supplicant timeout value and the switch default timeout value, which is 5 seconds, when adding a backup RADIUS server, set the switch radius-server timeout value to 4. Otherwise, the switch may not fail over properly to the backup RADIUS server.
  • Page 469: Fast-Uplink Troubleshooting

    Fast-uplink troubleshooting Some of the problems that can result from incorrect use of fast-uplink MSTP include temporary loops and generation of duplicate packets. Problem sources can include: • Fast-uplink is configured on a switch that is the MSTP root device. •...
  • Page 470: Client Ceases To Respond ("Hangs") During Connection Phase

    The public key file you are trying to download has one of the following problems: • A key in the file is too long. The maximum key length is 1024 characters, including spaces. This could also mean that two or more keys are merged together instead of being separated by a <CR> <LF>. •...
  • Page 471: Access Is Denied Even Though The Username/Password Pair Is Correct

    in the switch. (Use show tacacs-server to list the global key. Use show config or show config running to list any server-specific keys.) • The accessible TACACS+ servers are not configured to provide service to the switch. Access is denied even though the username/password pair is correct Some reasons for denial include the following parameters controlled by your TACACS+ server application: •...
  • Page 472: None Of The Devices Assigned To One Or More Vlans On An 802.1Q-Compliant Switch Are Being Recognized

    None of the devices assigned to one or more VLANs on an 802.1Q-compliant switch are being recognized If multiple VLANs are being used on ports connecting 802.1Q-compliant devices, inconsistent VLAN IDs may have been assigned to one or more VLANs. For a given VLAN, the same VLAN ID must be used on all connected 802.1Q-compliant devices.
  • Page 473: Disabled Overlapping Subnet Configuration

    received on different ports. You can avoid this problem by creating redundant paths using port trunks or spanning tree. Figure 82: Example of duplicate MAC address Disabled overlapping subnet configuration Previous software versions allowed configuration of VLAN IP addresses in overlapping subnets, which can cause incorrect routing of packets and result in IP communication failure.
  • Page 474: Fan Failure

    The information is retained in the config file to allow you to boot up the switch and have it function as it did when it was configured with earlier software that allows overlapping subnets. If you attempt to remove the overlapping subnet from the VLAN, the switch displays an error message similar to: The IP address <ip-address>...
  • Page 475: Fault-Finder Link-Flap

    When the link-flap threshold is met for a port configured for warn (for example, fault-finder link-flap sensitivity medium action warn), the following message is seen in the switch event log:
    02672 FFI: port <number>-Excessive link state transitions
    When the link-flap threshold is met for a port configured for warn-and-disable (for example, fault-finder link-flap sensitivity medium action warn-and-disable), the following messages are seen in the switch event log.
  • Page 476

    action: Configure the action taken when a fault is detected.
    ethernet PORT-LIST: Enable link-flap control on a list of ports.
    warn: Warn about faults found.
    warn-and-disable: Warn and disable faulty component.
    seconds: Configure the number of seconds for which the port remains disabled. A value of 0 means that the port will remain disabled until manually re-enabled.
  • Page 477: Show Fault-Finder Link-Flap

    Configure ports for link-flap detection with medium sensitivity
    Configure port A8 for link-flap detection with a sensitivity of medium (6 flaps over 10 s) and to log and disable the port if the link-flap threshold is exceeded. The user will need to re-enable the port if it is disabled.
    switch(config)# fault-finder link-flap ethernet A8 action warn-and-disable 0 sensitivity medium
    Configure ports for link-flap detection with low sensitivity
    Configure port A22 for link-flap detection with a sensitivity of low (10 flaps over 10 s) and to log if the link-flap...
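To make the sensitivity levels and the two actions concrete, here is an added example (not code from the HPE guide) that models the link-flap check as a sliding window over link state transitions. The medium and low thresholds (6 and 10 transitions in 10 seconds) are the ones quoted above; the port names, sample timings and the event record format are constructed for the demo, and a disable timer of 0 means the port stays down until an operator re-enables it, as the guide describes.

```python
from collections import deque

# Added example, not code from the HPE guide: sliding-window model of the
# fault-finder link-flap check. Thresholds come from the guide's examples;
# port names, timings and the event tuples are constructed for the demo.

WINDOW_SECONDS = 10.0
SENSITIVITY = {"medium": 6, "low": 10}   # transitions within WINDOW_SECONDS


class LinkFlapMonitor:
    """Counts link state transitions on one port over a sliding 10 s window
    and applies the configured action (warn or warn-and-disable)."""

    def __init__(self, port, sensitivity, action, disable_seconds=0):
        if action not in ("warn", "warn-and-disable"):
            raise ValueError("action must be 'warn' or 'warn-and-disable'")
        self.port = port
        self.threshold = SENSITIVITY[sensitivity]
        self.action = action
        self.disable_seconds = disable_seconds   # 0 = down until manually re-enabled
        self.transitions = deque()               # timestamps of recent up/down changes
        self.last_state = None
        self.disabled_until = None               # None = enabled; inf = needs manual re-enable
        self.events = []                         # (timestamp, kind) records, like log lines

    def is_disabled(self, now):
        """True while the port is down because of link-flap; clears an expired timer."""
        if self.disabled_until is None:
            return False
        if now >= self.disabled_until:           # disable timer expired: port comes back
            self.disabled_until = None
            self.transitions.clear()
            self.events.append((now, "re-enabled"))
            return False
        return True

    def observe(self, now, link_up):
        """Feed one link state sample (True = up, False = down) taken at time `now`."""
        if self.is_disabled(now):
            return
        if self.last_state is not None and link_up != self.last_state:
            self.transitions.append(now)
        self.last_state = link_up
        # Slide the window: only transitions within the last WINDOW_SECONDS count.
        while self.transitions and now - self.transitions[0] > WINDOW_SECONDS:
            self.transitions.popleft()
        if len(self.transitions) >= self.threshold:
            self.events.append((now, "warn"))    # "FFI: port <ID>-Excessive link state transitions"
            if self.action == "warn-and-disable":
                self.disabled_until = (float("inf") if self.disable_seconds == 0
                                       else now + self.disable_seconds)
                self.events.append((now, "disabled"))
            self.transitions.clear()             # start a fresh count after acting

    def enable(self, now):
        """Operator re-enable, the manual step needed when the timer is 0."""
        self.disabled_until = None
        self.transitions.clear()
        self.events.append((now, "re-enabled"))


def flapping_sequence(start, count, period):
    """Constructed sample: `count` alternating up/down samples, one every `period` seconds."""
    return [(start + i * period, i % 2 == 0) for i in range(count)]


def run(monitor, samples):
    """Feed samples in time order and return the events the monitor recorded."""
    for now, up in samples:
        monitor.observe(now, up)
    return monitor.events


if __name__ == "__main__":
    # Port A8 as in the guide's example: medium sensitivity, warn-and-disable, timer 0.
    m = LinkFlapMonitor("A8", "medium", "warn-and-disable", disable_seconds=0)
    for ts, kind in run(m, flapping_sequence(0.0, 12, 1.0)):
        print(f"{ts:5.1f}s  port {m.port}: {kind}")
    print("A8 still disabled at t=60s:", m.is_disabled(60.0))
```

A link that changes state once per second trips the medium threshold at the sixth transition; the same link sampled every three seconds never accumulates six transitions inside any 10 second window and produces no event, which is the difference between a genuinely flapping port and an occasionally bouncing one.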
  • Page 478: Event Log

    Event Log
    Message: FFI: port <ID>-Excessive link state transitions. Cause: Link-flap is detected by fault-finder per the sensitivity configured.
    Message: FFI: port <ID>-Excessive link state transitions. FFI: port <ID>-Port disabled by ... Cause: Link-flap is detected and the action is to disable the port with no disable timer.
  • Page 479

    Product # | Description | Support
    J4858A | Gigabit-SX-LC Mini-GBIC |
    J4858B | Gigabit-SX-LC Mini-GBIC |
    J4858C | Gigabit-SX-LC Mini-GBIC | V (some)
    J9054B | 100-FX SFP-LC Transceiver |
    J8177C | Gigabit 1000Base-T Mini-GBIC |
    J9150A | 10GbE SFP+ SR Transceiver |
    J9151A | 10GbE SFP+ LR Transceiver |
    J9152A | 10GbE SFP+ LRM Transceiver |
    J9153A | 10GbE SFP+ ER...
  • Page 480: Viewing Information About Transceivers (Cli)

    NOTE: Not all transceivers support Digital Optical Monitoring. If DOM appears in the Diagnostic Support field of the show interfaces transceiver detail command, or the hpicfTransceiverMIB hpicfXcvrDiagnostics MIB object, DOM is supported for that transceiver. Viewing information about transceivers (CLI) Syntax: show interfaces transceiver [port-list] [detail] Displays information about the transceivers.
  • Page 481: Information Displayed With The Detail Parameter

    1000SX J4858C MY050VM9WB 1990-3657 1000SX J4858B P834DIP2 You can specify all for port-list as shown below. Output when “all” is specified switch(config)# show interfaces transceiver all No Transceiver found on interface 1 No Transceiver found on interface 2 No Transceiver found on interface 24 Transceiver Technical information: Product Serial...
  • Page 482 Parameter Description Diagnostic Shows whether the transceiver supports diagnostics: Support None Supported Supported Supported Serial Number Serial number of the transceiver The information in the next three tables is only displayed when the transceiver supports DOM. Table 33: DOM information Parameter Description Temperature...
  • Page 483 Alarm Description TX power low TX power is low Temp high Temperature is high Temp low Temperature is low Voltage High Voltage is high Voltage Low Voltage is low The alarm information for XENPAK transceivers is shown in this table. Table 35: Alarm and error information (XENPAK transceivers) Alarm Description...
  • Page 484 Alarm Description TX power high TX power is high TX power low TX power is low Temp high Temperature is high Temp low Temperature is low An example of the output of show interfaces transceiver [port-list] detail for a 1000SX transceiver is shown below.
  • Page 485: Viewing Transceiver Information For Copper Transceivers With Vct Support

    Rx power low alarm Rx power low warning Recent errors: Receive optical power fault PMA/PMD receiver local fault PMA/PMD transmitter local fault PCS receive local fault PHY XS transmit local fault Time stamp : Mon Mar 7 16:26:06 2013 Viewing transceiver information for copper transceivers with VCT support This feature provides the ability to view diagnostic monitoring information for copper transceivers with Virtual Cable Test (VCT) support.
  • Page 486 Interface Index : 23 Type : 1000T-sfp Model : J8177C Connector Type : RJ45 Wavelength : n/a Transfer Distance : 100m (copper), Diagnostic Support : VCT Serial Number : US051HF099 Link Status : Up Speed : 1000 Duplex : Full Cable Distance Pair...
  • Page 487: Viewing Transceiver Information

    Parameter Description Link Status Link up or down Speed Speed of transceiver in Mbps Duplex Type of duplexing Cable Status Values are OK, Open, Short, or Impedance Distance to Fault The distance in meters to a cable fault (accuracy is +/- 2 meters); displays 0 (zero) if there is no fault Pair Skew Difference in propagation between the fastest and slowest wire pairs...
  • Page 488: Using The Event Log For Troubleshooting Switch Problems

    Product # Description Support J9150A 10GbE SFP+ SR Transceiver J9151A 10GbE SFP+ LR Transceiver J9152A 10GbE SFP+ LRM Transceiver J9153A 10GbE SFP+ ER Transceiver J9144A 10GbE X2-SC LRM Transceiver J8438A 10Gbe X2-SC ER Transceiver Support indicators: • V - Validated to respond to DOM requests •...
  • Page 489: Event Log Entries

    Event Log entries As shown in Figure 84: Format of an event log entry on page 489, each Event Log entry is composed of six or seven fields, depending on whether numbering is turned on or not: Figure 84: Format of an event log entry Item Description Severity...
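Parsing these entries is the first step in any detection or forwarding pipeline built on the switch's logs. The following is an added example (not code from the HPE guide) that splits Event Log lines into severity, date, time, optional event number, system module and message; selects entries by severity the way the logging severity command described later in this guide does (the chosen level and everything more severe); and pulls the port out of fault-finder link-flap messages. The severity letters and their ordering, the regular expression, and the sample lines are assumptions for the demo; the sample lines only echo message shapes quoted elsewhere in this guide.

```python
import re

# Added example, not code from the HPE guide: parse Event Log lines, filter by
# severity, and extract ports named in fault-finder link-flap messages.
# Severity letters/ordering and the field layout are assumptions; samples are constructed.

SEVERITY_RANK = {"D": 0, "I": 1, "W": 2, "E": 3, "M": 4}   # Debug ... Major

ENTRY_RE = re.compile(
    r"^(?P<severity>[DIWEM]) "
    r"(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<number>\d{5}) )?"          # present only when log numbering is on
    r"(?P<module>[^:\s]+): (?P<message>.*)$"
)

LINK_FLAP_RE = re.compile(r"port (?P<port>\S+?)-Excessive link state transitions")


def parse_entry(line):
    """Return the entry's fields as a dict, or None if the line is not an Event Log entry."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(lines):
    """Parse every recognisable entry, silently skipping anything else."""
    return [e for e in (parse_entry(line) for line in lines) if e]


def at_least(entries, severity):
    """Entries at the given severity or more severe, mirroring 'logging severity <level>'."""
    floor = SEVERITY_RANK[severity]
    return [e for e in entries if SEVERITY_RANK[e["severity"]] >= floor]


def link_flap_ports(entries):
    """Ports reported by fault-finder (module FFI) for excessive link state transitions."""
    ports = []
    for e in entries:
        m = LINK_FLAP_RE.search(e["message"])
        if e["module"] == "FFI" and m:
            ports.append(m.group("port"))
    return ports


# Constructed sample log: numbering on for the first three lines, off for the fourth.
SAMPLE_LOG = [
    "I 10/11/18 02:40:02 00025 ip: VLAN60: ip address configured on vlan 60",
    "W 10/11/18 02:41:10 02672 FFI: port A8-Excessive link state transitions",
    "M 10/11/18 02:41:11 00001 system: constructed major event for the demo",
    "D 10/11/18 02:42:00 ports: constructed debug event for the demo",
    "this line is not an Event Log entry and is ignored",
]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(len(entries), "entries parsed")
    for e in at_least(entries, "W"):
        print(e["severity"], e["module"], e["message"])
    print("link-flap ports:", link_flap_ports(entries))
```

The optional event-number group is what makes the parser tolerant of both the six- and seven-field layouts the text mentions; a collector that assumes numbering is always on will misparse the module name as the event number once log numbering is turned off.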
  • Page 490

    Table 36: Event Log system modules (columns: System module, Description, Documented in: switch hardware/software guide)
    802.1x: 802.1X authentication: Provides access control on a per-client or per-port basis: • Client-level security that allows LAN access to 802.1X clients (up to 32 per port) with valid user credentials •... (Documented in: Access Security Guide)
  • Page 491

    Cisco Discovery Protocol: Supports reading CDP packets received from neighbor devices, enabling a switch to learn about adjacent CDP devices. HPE does not support the transmission of CDP packets to neighbor devices. (Documented in: Management and Configuration Guide)
  • Page 492

    Dynamic Configuration Arbiter (DCA) determines the client-specific parameters that are assigned in an authentication session. (Documented in: Access Security Guide)
    dhcp: Dynamic Host Configuration Protocol (DHCP) server configuration: Switch is automatically configured from a DHCP (Bootp) server, including IP address, subnet mask, default... (Documented in: Management and Configuration Guide)
  • Page 493

    Find, Fix, and Inform: Event or alert log messages indicating a possible topology loop that causes excessive network activity and results in the network running slow. (Documented in: Installation and Getting Started Guide; Management and Configuration Guide)
  • Page 494

    ipaddrmgr: IP Address Manager: Programs IP routing information in switch hardware. (Documented in: Multicast and Routing Guide)
    iplock: IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis by forwarding only the IP packets in VLAN traffic that contain a known source IP address and MAC address binding for the... (Documented in: Access Security Guide)
  • Page 495

    lldp: Link-Layer Discovery Protocol: Supports transmitting LLDP packets to neighbor devices and reading LLDP packets received from neighbor devices, enabling a switch to advertise itself to adjacent devices and to learn about adjacent LLDP devices. (Documented in: Management and Configuration Guide)
  • Page 496

    Multicast Listener Discovery (MLD): IPv6 protocol used by a router to discover the presence of multicast listeners. MLD can also optimize IPv6 multicast traffic flow with the snooping feature. (Documented in: Multicast and Routing Guide)
  • Page 497

    sflow: Flow sampling: sFlow is an industry standard sampling technology, defined by RFC 3176, used to continuously monitor traffic flows on all ports providing network-wide visibility into the use of the network. (Documented in: Management and Configuration Guide)
    snmp: Simple Network Management... (Documented in: Management and Configuration...)
  • Page 498

    stack: Stack management: Uses a single IP address and standard network cabling to manage a group (up to 16) of switches in the same IP subnet (broadcast domain), resulting in a reduced number of IP addresses and simplified management of small workgroups... (Documented in: Advanced Traffic Management Guide)
  • Page 499

    tftp: Trivial File Transfer Protocol: Supports the download of files to the switch from a TFTP network server. (Documented in: Basic Operation Guide)
    timep: Time Protocol: Synchronizes and ensures a uniform time among interoperating devices. (Documented in: Management and Configuration Guide)
  • Page 500: Using The Cli

    vlan: Static 802.1Q VLAN operations, including port- and protocol-based configurations that group users by logical function instead of physical location • A port-based VLAN creates a layer-2 broadcast domain comprising member ports that bridge IPv4 traffic among themselves. (Documented in: Advanced Traffic Management Guide)
  • Page 501: Clearing Event Log Entries

    Displays only major log events. Displays only error event class. Displays only performance log events. Displays only warning log events. Displays only informational log events. Displays only debug log events. command Displays only command logs. filter Displays only log filter configuration and status information. <option- Displays all Event Log entries that contain the specified text.
  • Page 502: Using Log Throttling To Reduce Duplicate Event Log And Snmp Messages

    Using log throttling to reduce duplicate Event Log and SNMP messages A recurring event can generate a series of duplicate Event Log messages and SNMP traps in a relatively short time. As a result, the Event Log and any configured SNMP trap receivers may be flooded with excessive, exactly identical messages.
  • Page 503: Example: Of Event Counter Operation

    If PIM operation causes the same event to occur six more times during the initial log throttle period, there are no further entries in the Event Log. However, if the event occurs again after the log throttle period has expired, the switch repeats the message (with an updated counter) and starts a new log throttle period.
  • Page 504: Reporting Information About Changes To The Running Configuration

    This value always comprises the first instance of the duplicate message in the current log throttle period plus all previous occurrences of the duplicate message occurring since the switch last rebooted. Reporting information about changes to the running configuration Syslog can be used for sending notifications to a remote syslog server about changes made to the running configuration.
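The throttling behaviour described on the last three pages is simple enough to model exactly, and doing so shows why a SIEM must not read the counter as "events in this period". The following is an added example (not code from the HPE guide): within a throttle period the first occurrence of a message is logged with a counter and later duplicates are suppressed; after the period expires the next occurrence is logged again, and the counter is the first instance in the current period plus every earlier occurrence since the last reboot, as stated above. The period length, the message text and the event times are constructed for the demo; the switch's actual period is not configurable from this code.

```python
# Added example, not code from the HPE guide: a model of Event Log throttling.
# Period length, message text and event times are constructed for the demo.


class LogThrottle:
    def __init__(self, period_seconds):
        self.period = period_seconds
        self.total = {}          # message -> occurrences since "reboot"
        self.period_start = {}   # message -> start time of its current throttle period
        self.entries = []        # what reaches the Event Log: (time, message, counter)

    def event(self, now, message):
        """Record one occurrence; return True if it produced an Event Log entry."""
        self.total[message] = self.total.get(message, 0) + 1
        start = self.period_start.get(message)
        if start is None or now - start >= self.period:
            self.period_start[message] = now             # a new throttle period begins
            self.entries.append((now, message, self.total[message]))
            return True
        return False                                     # duplicate inside the period

    def suppressed(self, message):
        """Occurrences of this message that never reached the log."""
        logged = sum(1 for _, m, _ in self.entries if m == message)
        return self.total.get(message, 0) - logged


def replay(period_seconds, events):
    """Feed (time, message) pairs in time order and return the throttle state."""
    throttle = LogThrottle(period_seconds)
    for now, message in events:
        throttle.event(now, message)
    return throttle


# Constructed sample, following the guide's PIM illustration: the same event occurs
# at t=0 and six more times inside one 60 s period, then once more after it expires.
PIM_MSG = "pim: constructed recurring PIM event"
SAMPLE_EVENTS = [
    (0, PIM_MSG), (5, PIM_MSG), (10, PIM_MSG), (12, "ip: unrelated constructed event"),
    (15, PIM_MSG), (20, PIM_MSG), (25, PIM_MSG), (30, PIM_MSG), (70, PIM_MSG),
]

if __name__ == "__main__":
    throttle = replay(60, SAMPLE_EVENTS)
    for now, message, counter in throttle.entries:
        print(f"t={now:3}s  {message}  (counter {counter})")
    print("suppressed PIM duplicates:", throttle.suppressed(PIM_MSG))
```

The second PIM entry carries counter 8 although only one occurrence fell in the new period: the six suppressed duplicates and the original first entry are all folded into it, so the delta between consecutive counters, not the counter itself, is the number of occurrences since the previous entry.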
  • Page 505: Hostname In Syslog Messages

    • Use the debug command to configure messaging reports for the following event types: ◦ ACL "deny" matches ◦ Dynamic ARP protection events ◦ DHCP snooping events ◦ DIPLD events ◦ Events recorded in the switch's Event Log ◦ IP routing events (IPv4 and IPv6) ◦...
  • Page 506 IP-ADDR Adds an IPv4 address to the list of receiving syslog servers. IPV6-ADDR Adds an IPv6 address to the list of receiving syslog servers. origin-id Sends the Syslog messages with the specified origin-id. notify Notifies the specified type sent to the syslog server(s). priority-descr A text string associated with the values of facility, severity, and system-module.
  • Page 507: Viewing The Identification Of The Syslog Message Sender

    NOTE: When the syslog server receives messages from the switch, the IPv6 address of the switch is partly displayed.
    Example:
    Configured host IPv6 address: 2001::1
    Expected syslog message: USER.INFO: Oct 11 02:40:02 2001::1 00025 ip: ST1CMDR: VLAN60: ip address configured on vlan 60
    Actual (truncated) syslog message: USER.INFO: Oct 11 02:40:02 2001:: 00025 ip: ST1CMDR: VLAN60: ip address configured on vlan 60...
  • Page 508 Syntax: show debug The default option is ip-address. The following shows the output of the show debug command when configured without logging origin-id. Output of the show debug command when configured without logging origin-id Debug Logging Origin identifier: Outgoing Interface IP Destination: None Enabled debug types:...
  • Page 509: Snmp Mib

    SNMP MIB SNMP support will be provided through the following MIB objects. HpicfSyslogOriginId = textual-convention Description This textual convention enumerates the origin identifier of syslog message. Syntax: integer ip-address hostname none Status current hpicfSyslogOriginId OBJECT-TYPE Description Specifies the content of a Hostname field in the header of a syslog message. Syntax: HpicfSyslogOriginId Max-access...
  • Page 510: Debug/Syslog Configuration Commands

    Debug/syslog configuration commands Event notification logging — Automatically sends switch-level event messages to the switch's Event Log. Debug and syslog do not affect this operation, but add the capability of directing Event Log messaging to an external device. logging <syslog-ip-addr> command Enables syslog messaging to be sent to the specified IP address.
  • Page 511 debug Command Sends ACL syslog logging to configured debug destinations. When there is a match with a "deny" statement, directs the resulting message to the configured debug destinations. Sends debug logging to configured debug destinations for all ACL, Event Log, IP-OSPF, and IP-RIP options.
  • Page 512

    fib: Displays IP Forwarding Information Base messages and events.
    forwarding: Sends IPv4 forwarding messages to the debug destinations.
    ospf: Sends OSPF event logging to the debug destinations.
    ospfv3: Enables debug messages for OSPFv3.
    packet: Sends IPv4 packet messages to the debug destinations.
    pim [packet [filter {source <...
  • Page 513: Configuring Debug/Syslog Operation

    ipv6
    dhcpv6-client: Sends DHCPv6 client debug messages to the configured debug destination.
    dhcpv6-relay: Sends DHCPv6 relay debug messages to the configured debug destination.
    forwarding: Sends IPv6 forwarding messages to the debug destination(s).
    nd: Sends IPv6 debug messages for IPv6 neighbor discovery to the configured debug destinations.
  • Page 514 a. Enter the logging <syslog-ip-addr> command at the global configuration level to configure the syslog server IP address and enable syslog logging. Optionally, you may also specify the destination subsystem to be used on the syslog server by entering the logging facility command. If no other syslog server IP addresses are configured, entering the logging command enables both debug messaging to a syslog server and the event debug message type.
  • Page 515: Viewing A Debug/Syslog Configuration

    Viewing a debug/syslog configuration Use the show debug command to display the currently configured settings for: • Debug message types and Event Log message filters (severity level and system module) sent to debug destinations • Debug destinations (syslog servers or CLI session) and syslog server facility to be used Syntax: show debug Displays the currently configured debug logging destinations and message types selected for debugging...
  • Page 516 messages sent to the syslog server, specify a set of messages by entering the logging severity and logging system-module commands. Figure 87: Syslog configuration to receive event log messages from specified system module and severity levels As shown at the top of Figure 87: Syslog configuration to receive event log messages from specified system module and severity levels on page 516, if you enter the show debug command when no syslog server IP address is configured, the configuration settings for syslog server facility, Event Log severity level, and system module are not displayed.
  • Page 517: Debug Command

    To configure syslog operation in these ways with the debug/syslog feature disabled on the switch, enter the commands shown in Figure 88: Debug/syslog configuration for multiple debug types and multiple destinations on page 517. Figure 88: Debug/syslog configuration for multiple debug types and multiple destinations Debug command At the manager level, use the debug command to perform two main functions: •...
  • Page 518 When a match occurs on an ACL "deny" ACE (with log configured), the switch sends an ACL message to configured debug destinations. For information on ACLs, see the "Access Control Lists (ACLs)" in the latest version of the following guides: •...
  • Page 519: Debug Destinations

    ip [rip [database | event | trigger]]: rip {<database | event | trigger>} enables the specified RIP message type for the configured destination(s). database: Displays database changes. event: Displays RIP events. trigger: Displays trigger messages.
    ipv6 [dhcpv6-client | nd | packet]: NOTE: See the "IPv6 Diagnostic and Troubleshooting" in the IPv6 configuration guide for your switch for more detailed IPv6 debug options.
  • Page 520: Logging Command

    logging Enables syslog logging to configured syslog servers so that the debug message types specified by the debug <debug-type> command (see Debug messages on page 517) are sent. (Default: Logging disabled) To configure a syslog server IP address, see Configuring a syslog server on page 521. NOTE: Debug messages from the switches covered in this guide have a debug severity level.
  • Page 521: Configuring A Syslog Server

    Configuring a syslog server Syslog is a client-server logging tool that allows a client switch to send event notification messages to a networked device operating with syslog server software. Messages sent to a syslog server can be stored to a file for later debugging analysis.
  • Page 522 Blocking the messages sent to configured syslog servers from the currently configured debug message type Enter the no debug <debug-type> command. (See Debug messages on page 517.) Disabling syslog logging on the switch without deleting configured server addresses Enter the no debug destination logging command. Note that, unlike the case in which no syslog servers are configured, if one or more syslog servers are already configured and syslog messaging is disabled, configuring a new server address does not re-enable syslog messaging.
  • Page 523: Adding A Description For A Syslog Server

    (UDP port 514 is used.)
    Syntax: [no] logging facility <facility-name>
    The logging facility specifies the destination subsystem used in a configured syslog server. (All configured syslog servers must use the same subsystem.) Hewlett Packard Enterprise recommends the default (user) subsystem unless your application specifically requires another subsystem.
  • Page 524: Adding A Priority Description

    Syntax: logging <ip-addr> [control-descr <text_string>] no logging <ip-addr> [control-descr] An optional user-friendly description that can be associated with a server IP address. If no description is entered, this is blank. If <text_string> contains white space, use quotes around the string. IPv4 addresses only. Use the no form of the command to remove the description.
  • Page 525: Configuring The System Module Used To Select The Event Log Messages Sent To A Syslog Server

    Information Information on a normal switch event. Debug Reserved for switch internal diagnostic information. Using the logging severity command, you can select a set of Event Log messages according to their severity level and send them to a syslog server. Messages of the selected and higher severity will be sent. To configure a syslog server, see Configuring a syslog server on page 521.
  • Page 526: Operating Notes For Debug And Syslog

    • The identity of the user causing an event is logged. • When the command log is exhausted by 80% and wraparound occurs, the event is logged and a trap is generated. • Log messages have a maximum of 240 characters (the RMON event maximum string length) and are stored in the command log buffer.
  • Page 527: Diagnostic Tools

    • If the default severity value is in effect, all messages that have severities greater than the default value are passed to syslog. For example, if the default severity is "debug," all messages that have severities greater than debug are passed to syslog. •...
  • Page 528: Testing The Path Between The Switch And Another Device On An Ip Network

    For an example of the text screens, see Figure 89: Ping test and link test screen on the WebAgent on page 528. Figure 89: Ping test and link test screen on the WebAgent Destination IP Address is the network address of the target, or destination, device to which you want to test a connection with the switch.
  • Page 529

    timeout <1-60>: Timeout interval in seconds; the ECHO REPLY must be received before this time interval expires for the ping to be successful. Default: 5
    source {<ip-addr | vid | loopback <0-7>>}: Source IP address, VLAN ID, or loopback address used for the ping. The source IP address must be owned by the router. If a VLAN is specified, the IP address associated with the specified VLAN is used.
  • Page 530: Issuing Single Or Multiple Link Tests

    switch# ping
    The destination address is unreachable.
    Halting a ping test To halt a ping test before it concludes, press [Ctrl] [C]. NOTE: To use the ping (or traceroute) command with host names or fully qualified domain names, see DNS resolver on page 544.
  • Page 531 <1-5>] [source {<ip-address | source-vlan <vid> | loopback <0-7>}] [dstport <1-34000>] [srcport <1-34000>] [ip-option {<record-route | loose-source-route | strict-source-route | include-timestamp | include-timestamp-and-address | include timestamp-from>}] [< timeout 1-120 >] Lists the IP address or hostname of each hop in the route, plus the time in microseconds for the traceroute packet reply to the switch for each hop.
  • Page 532: Halting An Ongoing Traceroute Search

    [srcport <1-34000>]: Source port.
    [ip-option]: Specify an IP option, such as loose or strict source routing, or an include-timestamp option:
    [include-timestamp]: Adds the timestamp option to the IP header. The timestamp displays the amount of travel time to and from a host. Default: 9
    [include-timestamp-and-address]: Records the intermediate router's timestamp and IP address. Default: 4
    [loose-source-route <IP-addr>]: Prompts for the IP address of each source IP on the path. It allows you to specify the...
  • Page 533: If A Network Condition Prevents Traceroute From Reaching The Destination

    Continuing from the previous example (Figure 91: A completed traceroute enquiry on page 532), executing traceroute with an insufficient maxttl for the actual hop count produces an output similar to this: Figure 92: Incomplete traceroute because of low maxttl setting If a network condition prevents traceroute from reaching the destination Common reasons for traceroute failing to reach a destination include: •...
  • Page 534: Viewing The Configuration File (Webagent)

    show config Displays the startup configuration. show running-config Displays the running-config file. For more information and examples of how to use these commands, see “Switch Memory and Configuration” in the basic operation guide. Viewing the configuration file (WebAgent) To display the running configuration using the WebAgent: 1.
  • Page 535: Saving Show Tech Command Output To A Text File

    MAC Age Time (sec) : 300 Time Zone Daylight Time Rule : None Software revision : XX.14.xx Base MAC Addr : 001871-c42f00 ROM Version : XX.12.12 Serial Number : SG641SU00L Up Time : 23 hours Memory - Total : CPU Util (%) : 10 Free : IP Mgmt - Pkts Rx...
  • Page 536: Customizing Show Tech Command Output

    Procedure 1. In Hyperterminal, click on Transfer|Capture Text…. Figure 94: Capture text window of the Hyperterminal application 2. In the File field, enter the path and file name in which you want to store the show tech output. Figure 95: Entering a path and filename for saving show tech output 3.
  • Page 537 Syntax: copy <source> show-tech Specifies the operational and configuration data from one or more source files to be displayed by the show tech command. Enter the command once for each data file that you want to include in the display. Default: Displays data from all source files, where <source>...
  • Page 538: Viewing More Information On Switch Operation

    tftp config {<startup-config | running-config>} <ip-addr> <remote-file> {<pc | unix>}: Downloads the contents of a configuration file from a remote host to show tech command output, where:
    <ip-addr>: Specifies the IP address of the remote host device.
    <remote-file>: Specifies the pathname on the remote host for the configuration file whose contents you want to include in the command output.
  • Page 539: Searching For Text Using Pattern Matching With Show Command

    Displays information on the activity on all switch ports (see "Viewing Port Status and Configuring Port Parameters" in the "Port Status and Configuration" ). show interfaces-display Displays the same information as the show interfaces command and dynamically updates the output every three seconds.
  • Page 540

    no untagged B21-B24
    exit
    vlan 20
    name "VLAN20"
    untagged B21-B24
    no ip address
    exit
    policy qos "michael"
    exit
    sequence 10 deny tcp 2001:db8:255::/48 2001:db8:125::/48
    exit
    no autorun
    password manager
    Displays all lines that do not contain “ipv6”.
    Pattern matching with begin option
    switch(config)# show run | begin ipv6
    ipv6 enable
    no untagged 21-24...
  • Page 541: Displaying The Information You Need To Diagnose Problems

    Displaying the information you need to diagnose problems Use the following commands in a troubleshooting session to more accurately display the information you need to diagnose a problem. Syntax: alias Creates a shortcut alias name for commonly used commands and command options. Syntax: kill Terminates a currently running, remote troubleshooting session.
  • Page 542: Resetting To The Factory-Default Configuration

    NOTE: Hewlett Packard Enterprise recommends that you save your configuration to a TFTP server before resetting the switch to its factory-default configuration. You can also save your configuration via Xmodem to a directly connected PC. Resetting to the factory-default configuration Using the CLI This command operates at any level except the Operator level.
  • Page 543 NOTE: The following procedure requires the use of Xmodem and copies an OS image into primary flash only. This procedure assumes you are using HyperTerminal as your terminal emulator. If you use a different terminal emulator, you may need to adapt this procedure to the operation of your particular emulator.
  • Page 544: Dns Resolver

    5. You then see this prompt: You have invoked the console download utility. Do you wish to continue? (Y/N)>_ 6. At the above prompt: a. Enter y (for Yes) b. Select Transfer|File in HyperTerminal. c. Enter the appropriate filename and path for the OS image. d.
  • Page 545 ◦ The IP address of a DNS server available to the switch ◦ The domain suffix of a domain available to the configured DNS server, then: ◦ A DNS-compatible command that includes the host name of a device in the same domain as the configured domain suffix can reach that device.
  • Page 546: Configuring And Using Dns Resolution With Dns-Compatible Commands

    Configuring and using DNS resolution with DNS-compatible commands The DNS-compatible commands include ping and traceroute. Procedure 1. Determine the following: a. The IP address for a DNS server operating in a domain in your network. b. The priority (1 to 3) of the selected server, relative to other DNS servers in the domain. c.
  • Page 547: Using Dns Names With Ping And Traceroute: Example

    This optional DNS command configures the domain suffix that is automatically appended to the host name entered with a DNS-compatible command. When the domain suffix and the IP address for a DNS server that can access that domain are both configured on the switch, you can execute a DNS-compatible command using only the host name of the desired target.
  • Page 548

    Entity: Switch; Identity: IP address
    Entity: Document server; Identity: IP address
    With the above already configured, the following commands enable a DNS-compatible command with the host name docserver to reach the document server at
    Configuring switch "A" in the example network domain to support DNS resolution
    switch(config)# ip dns server-address
    switch(config)# ip dns domain-name
    Ping and traceroute execution for the network in the example network domain...
  • Page 549: Viewing The Current Dns Configuration

    Viewing the current DNS configuration The show ip command displays the current domain suffix and the IP address of the highest priority DNS server configured on the switch, along with other IP configuration information. If the switch configuration currently includes a non-default (non-null) DNS entry, it will also appear in the show run command output. Figure 101: Example of viewing the current DNS configuration Operating notes •...
  • Page 550: Event Log Messages

    Event Log messages Please see the Event Log Message Reference Guide for information about Event Log messages. Locating a switch (Locator LED) To locate where a particular switch is physically installed, use the chassislocate command to activate the blue Locator LED on the switch's front panel. Syntax: chassislocate [blink | on | off] Locates a switch by using the blue Locate LED on the front panel.
  • Page 551: Chapter 14 Job Scheduler

    Chapter 14 Job Scheduler Job Scheduler The Job Scheduler feature enables the user to schedule commands or jobs on the switch for one time or multiple times. This is similar in concept to the UNIX ‘cron’ utility. The user can schedule any CLI command that the user would otherwise enter interactively.
  • Page 552: Show Job

    Usage job <JOB NAME> at <([DD:]HH:]MM on <WEEKDAY-LIST>)> config-save <COMMAND> count <1-1000> job <JOB NAME> at <[HH:]MM on [MM/]DD> config-save <COMMAND> count <1-1000> job <JOB NAME> at <EVENT> config-save <COMMAND> job <JOB NAME> delay <([DD:]HH:]MM> config-save <COMMAND> count <1-1000> job <JOB NAME> enable | disable [no] job <JOB NAME>...
  • Page 553 Show job <JOB NAME> switch# show job a1 Job Information Job Name : a1 Runs At : 01:24 Config Save : No Repeat Count: -- Job Status : Enabled Run Count Error Count : 0 Command : show time Job Status : Enabled Output from Last Run --------------------...
  • Page 554: Chapter 15 Configuration Backup And Restore Without Reboot

    Chapter 15 Configuration backup and restore without reboot Overview The traditional way of restoring a configuration from a backup configuration file required a switch reboot for the new configuration to take effect. This meant network outages and planned downtime even for minor changes. The switch configuration can now be restored from a backup configuration without a reboot.
  • Page 555: Switching To A New Configuration

    Switching to a new configuration Procedure 1. Back up the configuration using the cfg-backup running-config config <config_name> command. In the following example, the configuration name used is “stable”. cfg-backup running-config config stable 2. Check the backup configuration using the show config files command. switch(config)# show config files Configuration files: id | act pri sec | name...
  • Page 556: Rolling Back To A Stable Configuration Using Job Scheduler

    Adding commands : 2 Seconds Removing commands : 0 Seconds Rolling back to a stable configuration using job scheduler Procedure 1. Configure the job using alias with the required configuration. alias <name> <command-list> job <name> delay [[DD:]HH:]MM <command> To schedule a job execution with cfg-restore operation once after 15 minutes (00:00:15): alias "cfg_rollback"...
  • Page 557: Commands Used In Switch Configuration Restore Without Reboot

    Run Count Error Count Skip Count Command : cfg_rollback switch(config)# show cfg-restore status Status : Success Config File Name : stable Source : Flash Time Taken : 9 Seconds Last Run : Tue Nov 28 20:50:00 2017 Recovery Mode : Enabled Failure Reason Number of Add Commands : 27...
  • Page 558: Cfg-Backup

    cfg-backup Syntax cfg-backup {running-config | startup-config} config <FILE-NAME> Description Backs up the selected configuration to the flash file mentioned. When the firmware is downgraded to lower versions, the details of only three configuration files appear in the show config files command. Command context config Parameters...
  • Page 559 Examples switch# show config files Configuration files: id | act pri sec | name ---+-------------+--------- | config | add | modify | golden_config | poe2 To show the details of saved configuration files: switch(config)# show config files details Show details of saved configuration files. switch(config)#show config files details Backup Configuration files: File Name...
  • Page 560: Configuration Restore Without Reboot

    no ip address exit Configuration restore without reboot The cfg-restore without reboot command restores the configuration without reboot from a backup configuration to the running configuration of the switch. The details about the difference between a running and a backup configuration can be displayed using cfg-restore {flash | tftp | sftp} <FILE-NAME>...
  • Page 561 force Forces a reboot if the restored configuration requires one. Applies the configuration with a reboot if the configuration contains reboot-required commands or system-wide change commands. After a forced reboot, the name of the configuration changes. non-blocking Configuration restoration in non-blocking mode, where the actual process happens in the background. recovery-mode Enables or disables recovery-mode.
  • Page 562: Force Configuration Restore

    system-wide change commands present. non-blocking Config restoration in non-blocking mode. recovery-mode To enable/disable recovery-mode. verbose Provide the details of config restore status and the list of commands to be added or deleted. switch(config)# cfg-restore flash add non-blocking diff Provide the list of changes that will be applied on the running configuration.
  • Page 563: Cfg-Restore Non-Blocking

    In the preceding output, Command : console terminal none shows that cfg-restore failed because a reboot is required. After the switch reboots and comes up, the golden_config becomes the active configuration. NOTE: In case of a switch reboot, the switch comes up with the configuration associated with the primary or secondary.
  • Page 564: Cfg-Restore Recovery-Mode

    switch(config)# show cfg-restore status Status : Success Config File Name : add Source : Flash Time Taken : 2 Seconds Last Run : Sun Oct 22 22:09:02 2017 Recovery Mode : Enabled Failure Reason Number of Add Commands Number of Remove Commands : 10 Time Taken for Each Phase : Calculating diff : 1 Seconds...
  • Page 565 exit switch(config)# show config modify ; JL255A Configuration Editor; Created on release #WC.16.05.0000x ; Ver hostname "Aruba-2930F-24G-PoEP-4SFPP" module 1 type jl255a ip default-gateway ip routing snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN" untagged 1-28 ip address dhcp-bootp exit vlan 100 name "VLAN100"...
  • Page 566: Cfg-Restore Verbose

    ip routing snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN" untagged 1-28 ip address dhcp-bootp exit vlan 100 name "VLAN100" no ip address exit cfg-restore verbose Syntax cfg-restore {flash | tftp | sftp} <FILE-NAME> verbose Description Provides the details of configuration restore status and the list of commands to be added or deleted along with cfg-restore.
  • Page 567: Cfg-Restore Config_Bkp

    exit vlan 4 name "VLAN4" no ip address exit vlan 5 name "VLAN5" no ip address exit Successfully applied configuration 'config' to running configuration. cfg-restore config_bkp Syntax cfg-restore {tftp <ip-address> | sftp <ip-address>} config_bkp Description Downloads and restores a configuration from the TFTP or SFTP server, without rebooting the switch. NOTE: The commands from the restored configuration will be executed on the running configuration.
  • Page 568: Configuration Restore With Force Option

    Time Taken for Each Phase : Calculating diff : 1 Seconds Adding commands : 0 Seconds Removing commands : 0 Seconds switch(config)# show config files Configuration files: id | act pri sec | name ---+-------------+--------- | config Configuration restore with force option Prerequisites Back up the configuration using traditional copy config or cfg-backup commands.
  • Page 569: System Reboot Commands

    For startup-default config file1: switch(config)# show config files Configuration files: id | act pri sec | name --+-------------+--------- | config | file1 | file2 System reboot commands Following commands require a system reboot: • secure-mode standard • secure-mode enhanced • mesh id [0-9] •...
  • Page 570: Configuration Restore Without Force Option

    Configuration restore without force option If the two configuration files backed up are file1 and file2: Prerequisites Back up the configuration using either the traditional copy config or the cfg-backup commands. Procedure 1. Execute the show config files command. By default, the config file provides all the associations. switch(config)# show config files Configuration files: id | act pri sec | name...
  • Page 571 • whether a recovery-mode was enabled • the number of add and delete commands • reboot commands present (if any), and • the split time taken for each phase Examples switch(config)# show cfg-restore latest-diff Shows the difference between running and back-up configuration.
  • Page 572: Viewing The Differences Between A Running Configuration And A Backup Configuration

    NOTE: The number of add and delete commands is calculated excluding the exit commands in the configuration file. Viewing the differences between a running configuration and a backup configuration Prerequisites Use the cfg-restore {flash | tftp | sftp} <FILE-NAME> diff command to view the list of configuration changes that are removed, modified, or added to the running configuration.
  • Page 573 Configuration delete list: vlan 1 no untagged 11-13,15-18 untagged 3-10 exit vlan 100 untagged 11-13 exit vlan 300 name "VLAN300" untagged 15-18 no ip address exit Configuration add list: vlan 1 no untagged 3-10 untagged 11-13,15-18 exit vlan 100 untagged 3-5 exit vlan 200 name "VLAN200"...
  • Page 574: Show Commands To Show The Sha Of A Configuration

    exit switch(config)# Show commands to show the SHA of a configuration The show commands provide SHA details of the running and startup configurations. show hash Syntax show {config | running-config} hash {recalculate} Description Shows SHA ID of startup or running configuration. Command context config Examples...
  • Page 575: Scenarios That Block The Configuration Restoration Process

    To display the hash calculated for the running configuration: switch(config)# show running-config hash The hash must be calculated. This may take several minutes. Continue (y/n)? y Calculating hash... Running configuration hash: 6d88 0880 98af e8a8 b564 15cd 368e 4269 9d61 4bfa This hash is only valid for comparison to a baseline hash if the configuration has not been explicitly changed (such as with a CLI command) or implicitly changed (such as by the...
  • Page 576 0000:01:39:51.58 CFG mCfgRestoreMgr:cfg-restore to config file "backup_conif" started. 0000:01:39:56.45 CFG mCfgRestoreMgr:cfg-restore diff calculated, number of commands to add =0 number of commands to delete = 3. 0000:01:39:56.45 CFG mCfgRestoreMgr:cfg-restore iteration count = 1. 0000:01:39:56.51 CFG mCfgRestoreMgr:Command executed = no vlan 2 tagged 9, Status = Success.
  • Page 577: Chapter 16 Virtual Technician

    Chapter 16 Virtual Technician Virtual Technician is a set of tools aimed at aiding network switch administrators in diagnosing and caring for their networks. VT provides tools for switch diagnosis when faced with unforeseen issues. To improve the Virtual Technician features of our devices, we have added the following tools: •...
  • Page 578: Show Cdp Neighbors Detail

    show cdp neighbors detail Syntax show cdp neighbors detail Description Shows CDP neighbors on specified port only. show cdp neighbor detail CDP neighbors information Port : 1/13 Device ID : Address Type : IP Address : Platform Capability : Switch Device Port : 00 1b 4f 49 e7 76...
  • Page 579: User Diagnostic Crash Via Front Panel Security (Fps) Button

    User diagnostic crash via Front Panel Security (FPS) button Allows the switch’s front panel Clear button to manually initiate a diagnostic reset. In the case of an application hang, this feature allows you to perform reliable diagnostics by debugging via the front panel Clear button. Diagnostic reset is controlled via Front Panel Security (FPS) options.
  • Page 580: [No] Front-Panel-Security Diagnostic-Reset

    Syntax front-panel-security diagnostic-reset <CLEAR-BUTTON | SERIAL-CONSOLE> Description Enables the diagnostic reset so that the switch can capture diagnostic data. • To initiate diagnostic reset via the clear button, press the clear button for at least 30 seconds but not more than 40 seconds.
  • Page 581: [No] Front-Panel-Security Diagnostic-Reset Clear-Button

    Syntax front-panel-security diagnostic-reset clear-button Description This command enables diagnostic-reset via the clear button. The user is then allowed to perform a diagnostic reset by holding the clear button for at least 30 seconds and not more than 40 seconds. Front-panel-security diagnostic-reset clear-button front-panel-security diagnostic-reset clear-button Diagnostic Reset - Enabled clear-button...
  • Page 582: Diagnostic Table

    NOTE: By default, user initiated diagnostic reset is enabled. Diagnostic table: To accomplish this | Do this | Result. Soft Reset (Standalone switch) | Press and release the Reset button | The switch operating system is cleared gracefully (such as data transfer completion, temporary error conditions are cleared), then reboots and runs self tests.
  • Page 583: Validation Rules

    Validation rules Validation | Error: Extra ‘token’ passed after diagnostic-reset. | Invalid input: <token>. FPS Error Log Event | Message: RMON_BOOT_CRASH_RECORD1 | Diagnostic reset sequence detected on serial console; user has initiated diagnostic reset. On detection on local serial: RMON_BOOT_CRASH_RECORD1 | SMM: Diagnostic reset sequence detected on serial console;...
  • Page 584: User Initiated Diagnostic Crash Via The Serial Console

    Event Message Console print STKM: HA Sync in progress; user initiated diagnostic request via the serial console rejected. Retry after sometime. Printed on the device console. When the standby is in the sync state, the commander must not be crashed, so the user is told to retry later. Console print STKM: Member is booting;...
  • Page 585: Serial Console Error Messages

    Description Disables the diagnostic-reset via serial console. No front-panel-security diagnostic-reset serial-console no front-panel-security diagnostic-reset serial-console Diagnostic Reset - Disabled CAUTION: Disabling the diagnostic reset prevents the switch from capturing diagnostic data on those rare events where the switch becomes unresponsive to user input because of unknown reasons. Ensure that you are familiar with the front panel security options before proceeding.
  • Page 586: Chapter 17 Ip Service Level Agreement

    Chapter 17 IP Service Level Agreement Overview IP Service Level Agreement (IP SLA) is a feature that helps administrators collect information about network performance in real time. With increasing pressure on enterprises and ISPs alike to maintain agreed-upon Service Level Agreements, IP SLA serves as a useful tool. Any IP SLA test involves a source node and a destination node.
  • Page 587 • DNS, which measures the time taken for a DNS resolution. This measures the difference between the time taken to send a request to the DNS server and the time the IP SLA source receives a reply. • User Datagram Protocol (UDP) Jitter, which measures RTT, one way jitter and one way delays. •...
  • Page 588: How Ip Sla Works

    NOTE: 5400R requires V3 modules ◦ UDP Jitter ◦ UDP Jitter Voip ◦ UDP Echo ◦ TCP connect ◦ ICMP echo ◦ DHCP • Measurement of RTT and jitter values is in milliseconds. • IPv6 SLA for UDP jitter and VoIP is not supported. •...
  • Page 589: Ip-Sla Clear

    Description Configure the IP Service Level Agreement (SLA) parameters. The value of ID can range from 1-255. Options clear Clear history records, message statistics, and threshold counters of particular SLA entry. dhcp Configure DHCP as the IP SLA test mechanism. disable Disable the IP SLA.
  • Page 590: [No] Ip-Sla History-Size

    Options records Clear history records, message statistics, and threshold counters of particular SLA entry. [no] ip-sla <ID> history-size Syntax [no] ip-sla <ID> history-size Description Configure the number of history records to be stored for the IP SLA. The maximum supported size is 50 and the default value for history-size is 25.
  • Page 591: [No] Ip-Sla Monitor Threshold-Config

    [no] ip-sla <ID> monitor threshold-config Syntax [no] ip-sla <ID> monitor threshold-config [rtt | srcTodstTime | dstToSrcTime] threshold-type [immediate | consecutive <COUNT>] threshold-value <UPPER-LIMIT> <LOWER-LIMIT> action-type [trap | log | trap-log | none] Description Set upper and lower threshold parameters. • threshold-type immediate: Take action immediately when the monitored parameters cross the threshold upper limit (subsequent notifications for upper thresholds are not generated until the parameter values go lower than the configured lower threshold value).
  • Page 592: [No] Ip-Sla Schedule

    Description Configure action to be taken when test gets completed. • trap: Send snmp-trap when configured threshold is hit. • log: Only log the event when configured threshold is hit. • trap-log: Send snmp-trap and log the event when configured threshold is hit. •...
  • Page 593: [No] Ip-Sla Udp-Jitter-Voip

    • Payload-size: Payload size of the test packet. Value can range from 68-8100. Default value is 68. • Num-of-packets: Number of packets sent in one probe. Default is 10. Allowed range: 10-1000. • Packet-interval: Inter packet gap in milliseconds. Time between consecutive packets within a probe. Default is 20ms.
  • Page 594: Show Ip-Sla History

    Source Address : History Bucket Size : 5 TOS: 32 Schedule: Frequency (seconds) : 60 Life : [Forever | 144 seconds] Start Time : Tue Oct 27 22:12:16 2015 Next Scheduled Run Time : Tue Oct 27 22:43:16 2015 Threshold-Monitor is : Enabled Threshold Config: RTT...
  • Page 595: Show Ip-Sla Results

    show ip-sla <ID> message-statistics SLA ID : 1 Status : Running SLA Type : UDP-Echo Destination Address : Source Address : Destination Port : 2000 History Bucket Size : 25 Payload Size : 500 TOS : 0 Messages: Destination Address Unreachable : 0 Probes Skipped Awaiting DNS Resolution : 0 DNS Resolution Failed : 0...
  • Page 596: Show Ip-Sla Aggregated-Results

    Positive SD Number Positive DS Number Positive SD Sum : 52 Positive DS Sum : 38 Positive SD Average : 10 Positive DS Average : 10 Positive SD Square Sum : 754 Positive DS Square Sum : 460 Min Negative SD Min Negative DS Max Negative SD : 13...
  • Page 597: Show Ip-Sla Responder

    Positive SD Number Positive DS Number Positive SD Sum : 52 Positive DS Sum : 38 Positive SD Average : 10 Positive DS Average : 10 Positive SD Square Sum : 754 Positive DS Square Sum : 460 Min Negative SD Min Negative DS Max Negative SD : 13...
  • Page 598: Show Tech Ip-Sla

    show ip-sla responder statistics IP SLA Responder : Active Number of packets received : 31 Number of error packets received : 0 Number of packets sent Recent Sources : [07:23:49.085 UTC Sun Oct 25 2015] UDP [07:22:49.003 UTC Sun Oct 25 2015] TCP [07:20:48.717 UTC Sun Oct 25 2015] TCP [07:18:48.787 UTC Sun Oct 25 2015] TCP [07:17:48.871 UTC Sun Oct 25 2015] TCP...
  • Page 599 Schedule: Frequency (seconds) : 60 Life : Forever Start Time : Mon Jun 13 10:42:52 2016 Next Scheduled Run Time : Mon Jun 13 10:46:52 2016 Threshold-Monitor is : Enabled Threshold Config : RTT Threshold Type : Immediate Upper Threshold : 10 Lower Threshold Action Type...
  • Page 600: Clear Ip-Sla Responder Statistics

    ========== IP SLA show tech END ============== ======== IP SLA Server show tech BEGIN ============ Responder not active IP SLA Responder: Inactive ======== IP SLA Server show tech END ============ === The command has completed successfully. === clear ip-sla responder statistics Syntax clear ip-sla responder statistics <SLA-TYPE>...
  • Page 601: Validation Rules

    Validation rules Validation | Error/Warning/Prompt: Enabling SLA without configuring SLA type. | Cannot enable IP SLA, no valid source/destination configured. IP address given for source or destination is multicast or broadcast. | Invalid IP address. Configure the SLA type with a source IP which is configured in the same switch. | Destination IP cannot be configured as the same as one of the...
  • Page 602 Validation | Error/Warning/Prompt: Configuring IP SLA with invalid values. | Invalid configuration for IP SLA. Change the IP SLA configuration when the SLA is enabled. | Configuration changes not allowed when IP SLA is enabled. When IP address vs port number configured for an SLA is already in use | Error: Socket for configured address, port is already in use, choose different port number...
  • Page 603: Event Log Messages

    Validation | Error/Warning/Prompt: Configure UDP Jitter/VoIP IPSLA Initiator session with a source IP same as tunnel overlay VLAN | Cannot enable IP SLA: The source VLAN cannot be a tunnel overlay VLAN. Configure UDP Jitter/VoIP IPSLA Initiator session with a source IP same as a service tunnel endpoint | Cannot enable IP SLA: The source VLAN cannot be a service tunnel endpoint.
  • Page 604: Interoperability

    Event Message User removes DNS IP-SLA configuration I 08/09/16 02:47:12 05030 ipsla: The IP SLA 1 of SLA Type: DNS, Name server IPv4 Address:, Target Hostname: removed. The packet loss threshold for the SLA has reached I 08/09/16 02:47:12 05023 ipsla: The IP SLA 1 of SLA Type: DNS, Packet loss is observed.
  • Page 605: Significance Of Jitter

    The above diagram shows a typical deployment, where voice and video traffic are exchanged between branch offices of an enterprise over the backbone network. Assessment of the network readiness is always helpful for hosting such services. Parameters like RTT, jitter and one way delay are good indicators of network health that help a network administrator diagnose latency related issues in the network.
  • Page 606: Sla Measurements

    IP SLA measurement engine This is an application running on the initiator. It processes response frames received from the IP SLA responder and computes one-way delay, jitter and RTT based on the timestamps present in the packet. This application aggregates this computed information across multiple probe samples and stores this for consumption by an NMS via SNMP or via the device CLI.
  • Page 607 One way delay One way delay is defined as the time difference between the Initiator transmitting the frame and the Responder receiving the frame. This requires the Initiator and the Responder to be time synchronized with the same clock server. This is explained in the illustration below: Round trip time RTT is measured at the initiator on a per packet basis and is as illustrated below: Chapter 17 IP Service Level Agreement...
  • Page 608: Chapter 18 Dynamic Segmentation

    Chapter 18 Dynamic Segmentation Definition of Terms Term Definition Dynamic Configuration Arbiter ClearPass ClearPass Policy Manager Generic Routing Encapsulation Switch Anchor Controller S-SAC Standby Switch Anchor Controller User Anchor Controller Switch Bootstrap Control plane protocol packets exchange process between a switch and an SAC to register a switch with the configured SAC.
  • Page 609: Benefits Of Dynamic Segmentation

    NOTE: Maximum supported user tunnels per switch or stack: 1024 Maximum supported user tunnels per port: 32 Benefits of Dynamic Segmentation The benefits of dynamic segmentation are: • Colorless ports / client flexibility • Client isolation • Same policy for wired or wireless clients •...
  • Page 610 To restrict user access, firewall and policies can be implemented for users tunneled to an Aruba Mobility Controller by using the built-in firewall capabilities of the controller. Figure 102: Wired Firewall Access (ClearPass Policy Manager, RADIUS/Local MAC Authentication, Mobility Controller Cluster)...
  • Page 611: Users/Devices And Policy Enforcement Recommendations

    Access and firewall policy is then implemented on the controller to isolate guest access from the rest of the campus network. Figure 103: Wired Guest Traffic Segmentation (ClearPass Policy Manager, RADIUS/Local MAC Authentication, Primary Mobility Controller)...
  • Page 612: Colorless Ports

    Type | Enforcement | Description: Contractor | Tunnel | Contractors may need more access than a traditional guest user. Change in User/Device | Tunnel | User or device goes from a healthy to unhealthy state (OnGuard Posture checks, IntroSpect notification, Ingress Event Engine Notification). Colorless Ports Within a campus network with a few thousand switch access ports and numerous intermediate distribution frames (IDFs), network admins must put in effort to assign VLAN IDs to the devices.
  • Page 613: Configuring Port-Based Tunneling

    Configuring Port-Based Tunneling Jumbo frames must be enabled on all devices between the access switch and the controller to support the L2 GRE tunnels. Follow the steps below to configure port-based tunneling: Prerequisites It is recommended to create a specific VLAN for tunneled node operation. The VLAN: •...
  • Page 614: Operating Notes

    Tunnel Statistics Rx Packets : 302 Tx Packets : 0 Rx 5 Minute Weighted Average Rate (Pkts/sec) : 0 Tx 5 Minute Weighted Average Rate (Pkts/sec) : 0 Aggregate Statistics Heartbeat packets sent : 56607 Heartbeat packets received : 56607 Heartbeat packets invalid : 0 Fragmented Packets Dropped (Rx) : 0 Packets to Non-Existent Tunnel : 0...
  • Page 615: Restrictions

    Feature Mirrors (MAC, VLAN, port) PVST/RPVST/STP DLDP UDLD LLDP/CDP GVRP/MVRP LACP Uplink Failure Detection sFlow Loop protect Smartlink Global QoS (VLAN, port, rate limit) MAC lockout/lockdown ACL/Classifiers (ingress/egress) IGMP/MLD Broadcast-limit Energy Efficient Ethernet Flow Control • poe-allocate-by • poe-lldp-detect Rogue MAC detection LLDP auto provisioning Restrictions •...
  • Page 616: Preventing Double Tunneling Of Aruba Access Points

    • No support for fragmentation and reassembly for encapsulated frames that result in an MTU violation. Such frames will be dropped. • Packets from ports configured with Port-Based Tunnels will not be bridged with locally switched ports. Features that are blocked when Port-Based Tunnels are configured and the scope of the block (either globally, on a port basis or on a VLAN basis): Feature Blocked globally/per port/ VLAN with Port-...
  • Page 617: Preventing Double Tunneling Using Device Profile

    performance of APs connected to tunneled node ports, the following configuration parameter under the device profile feature prevents double tunneling. The parameter decides whether or not a tunneled node may be configured on the port to which the device-profile is applied.
  • Page 618 switch(config)# show run ; J9625A Configuration Editor; Created on release #KB.16.05.0000x ; Ver #0f: hostname "switch" snmp-server community "public" unrestricted device-identity name "cpe" lldp oui 33bbcc device-identity name "cpe" lldp sub-type 1 device-identity name "phone" lldp oui 112233 vlan 1 name "DEFAULT_VLAN"...
  • Page 619 show device-profile config Syntax show device-profile config Description Displays device profile configuration. Command context config Usage To verify whether tunneled-node is allowed (when “test” is device-profile name): switch(device-profile)# show device-profile config test To verify the output when tunneled-node is disabled: switch(device-profile)# no allow-tunneled-node switch(device-profile)# show device-profile config test Example...
  • Page 620: User-Based Tunneling

    ingress-bandwidth : 100% egress-bandwidth : 100% speed-duplex : auto poe-max-power : Class/LLDP poe-priority : critical allow-jumbo-frames : Disabled allow-tunneled-node: Disabled Device Profile Configuration Configuration for device-profile : test untagged-vlan tagged-vlan : None ingress-bandwidth : 100% egress-bandwidth : 100% : None speed-duplex : auto poe-max-power...
  • Page 621: How It Works

    [Flowchart: user connects, user is authenticated, initial role is applied, then either the user role is applied and traffic switched locally, or a secondary role redirects traffic to the controller and the controller applies the secondary role before switching traffic to its destination.] How it works The functionality of User-Based Tunneling starts with the tunneled-node server information being discovered on the Aruba switch.
  • Page 622: Licensing Requirements

    an indication to the managed device that it has to enforce additional policies to the user traffic based on policy configuration associated with the secondary role and then from the tunnel. Tunneling to a Controller Cluster To ensure high availability, customers can tunnel traffic to a Controller Cluster instead of just to a standalone controller.
  • Page 623: Dependencies

    Remote-node APs Active MUX Active PUTN Total APs Remaining AP Capacity --------------------- Type Number ---- ------ CAPs 2047 RAPs 2047 show license client-table output on a Controller Cluster: (cluster1)# show license client-table Built-in limit: 0 License Client Table -------------------- Service Type System Limit Server Lic.
  • Page 624: Simplifying User-Based Tunneling With Reserved Vlan

    Controller Firmware Support • Standalone controller - 7000 Series and 7200 Series running ArubaOS or later • Clustered controller - 7000 Series and 7200 Series running ArubaOS or later ClearPass ClearPass version 6.7. AirWave AirWave version 8.2.6. NOTE: Even though AirWave 8.2.6 or above will work, AirWave 8.2.8 has additional enhancements to provide visibility to tunnels.
  • Page 625: Configuration And Show Commands

    • SAC multicast tunnels are no longer used in reserved VLAN mode. • The reserved VLAN configuration on the controller is optional. • The default VLAN cannot be configured as a reserved VLAN. • Migration from Port-Based Tunneling to User-Based Tunneling requires a disable and then, a re-enable of tunneling.
  • Page 626 enable Enter the manager command context. mode role-based Specifies the tunneled node server mode as role based. mode role-based reserved-vlan Specifies the VLAN used as tunneled node server reserved VLAN. Examples switch(config)# tunneled-node-server controller-ip switch(config)# tunneled-node-server backup-controller-ip switch(config)# tunneled-node-server keepalive 40 tunneled-node-server-redirect Syntax tunneled-node-server-redirect [secondary-role <ROLE-NAME>]...
  • Page 627 exit aaa authorization user-role name "testrole" policy "testpolicy" vlan-id 100 tunneled-node-server-redirect secondary-role "authenticated" exit NOTE: When the reserved-vlan option is used, the applied VLAN ID under the user-role "testrole" will not be considered. This is because the traffic will be redirected to the controller using reserved-vlan, and not the one configured on the switch.
  • Page 628 NOTE: Requires (config)#show run context: ; J9850A Configuration Editor; Created on release #KB.16.05.0000x ; Ver hostname "Anay5400R" module A type j9989a module B type j9986a module C type j9989a module D type j9986a module E type j9986a module F type j9986a class ipv4 "testclass"...
  • Page 629: Show Commands

    Mode : Role-based Vlan-Mode : no-vlan/vlan-extend Reserved-VLAN : reserved-VID/0 switch(config)# show vlan <reserved-vid> VLAN ID Name | Status | Voice | Jumbo -------------------------------------------------------------------- <VID> PUTN-ReservedVLAN | Port-based | No | No Show commands show user-role Syntax show user-role <role-name> Description Displays the user role information for the specified user role name.
  • Page 630 Command context manager Parameters <reserved-vid> Specifies the reserved VLAN ID. Examples switch(config)# show vlan <reserved-vid> Status and Counters - VLAN Information - VLAN <reserved-vid> VLAN ID : <reserved-vid> Name : TUNNELED_NODE_SERVER_RESERVED Status : Port-based Voice : No Jumbo : No Private VLAN : none Associated Primary VID : none...
  • Page 631 Example switch(config)# show tunneled-node-server Tunneled Node Server Information State : Enabled Primary Controller : Backup Controller : Keepalive Interval (seconds) : 1 Mode : Role-based Vlan-Mode : vlan-extend-disable Reserved-Vlan : 1111 switch# show tunneled-node-server state Local Master Server (LMS) State LMS Type IP Address State...
  • Page 632 User Count When the controller is a standalone: switch(eth-1/24)# show tunneled-node-server information SAC Information SAC : Standby-SAC : UAC List Information Cluster Name : Cluster Status : Disabled [ 0] :: [ 4] ::
  • Page 633 [0] :: [4] :: [8] :: Bucket Map Information Bucket Name : TUNNELED_NODE_ESSID Bucket Map Active : [0 .. 255] 0] :: (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1) 6] :: (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1) [ 12] :: (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1) [ 18] :: (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1) (0, 1, 1) (1, 0, 1)
  • Page 634 <DOWN> Specifies the clients which are not able to tunnel their traffic. PORT <PORT-ADDR> Specifies the port client status. MAC <MAC-ADDRESS> Specifies the client status based on the MAC address desired by the user. <UP> Displays the client status which are having their tunnels up and running. Example switch(config)# show tunneled-node-users Displays all the clients and their status.
  • Page 635: Commands To Configure Vlan Id In User Role

    Client Status : authenticated Session Time : 18972 seconds Client Name : 2c41387f35b9 Session Timeout : 0 seconds MAC Address : 2c4138-7f35b9 : n/a Downloaded user roles are preceded by * User Role Information Name : Voice_HPE Type Reauthentication Period (seconds) : 0 Untagged VLAN : 171 Tagged VLANs...
  • Page 636: Tunneled Node Profile On A Mobility Controller And Cluster

    ---------- ------------ ---- -------- ---- ----- ------- ------ ------------------- ---------- ------------ --------- None ArubaMM Building1.floor1 master ArubaMM up UPDATE SUCCESSFUL None C2 Building1.floor1 MD Aruba7210 up UNK (00:1a:1e:02:a6:40) N/A N/A None C1 Building1.floor1 MD Aruba7210 up UNK (00:1a:1e:02:a4:c0) N/A N/A Verify that all managed devices are added and the status is Update Successful.
  • Page 637
    • Aruba Controller Version 8.3.0 onward
      ◦ To support Downloadable User Roles on controller, a new VSA (HP-CPPM-Seconday-Role) is introduced in ClearPass 6.7.0, which contains the secondary user role name.
      ◦ To use the Reserved VLAN mode in 16.08, a minimum version of 8.4 is required on the Controller.
  • Page 638: User-Based Tunneling In V6 Networks

    When the primary user role is downloaded onto the switch and the secondary user role is manually configured on the controller (not sent through VSA): NOTE: For more information on user roles, see Access Security Guide for ArubaOS-Switch for your switch.
  • Page 639: Papi-Security

    papi-security Syntax switch(config)# papi-security Description Configure MD5 key for enhanced PAPI security. Parameters enhanced-security The enhanced-security CLI must be enabled in Aruba controller for the connection to be truly secured. <KEY-STR> Configure MD5 key for enhanced PAPI security using a key-string parameter. <KEY-VALUE>...
  • Page 640: Frequently Asked Questions

    ;encrypt-cred +NXT3w7ky2IXNXadlJblS/1ZRi/o73Qq28XXcLkSCZq9PU30Kl+KMLMva8rQri5g hostname "Switch" module 1 type j9576y module 2 type j9576x encrypt-credentials papi-security encrypted-key <"encrypted-key"> snmp-server community "public" unrestricted snmpv3 engineid "00:00:00:0b:00:00:50:65:f3:b4:a6:c0" oobm ip address dhcp-bootp exit vlan 1 name "DEFAULT_VLAN" untagged 1-52 ip address dhcp-bootp exit activate provision disable show run with include key show run Running configuration:...
  • Page 641 A heartbeat failure triggers the switch to:
    • Remove users anchored to the SAC.
    • Fail over to the s-SAC (Example: s-SAC now becomes the new SAC).
    What happens when the keepalive to a UAC fails? The users anchored to the UAC are removed and a message is logged to the same effect in the event log. Why should jumbo frames be enabled at the switch? Jumbo frames have to be enabled at the controller uplink VLAN as well as the client VLAN.
  • Page 642 A rebootstrap is initiated for users applied within that role containing updated role attributes in the bootstrap packet. These users move to registering state. Once an acknowledgment is received from the controller, users then move to registering state. This applies only to VLAN and secondary role changes. What happens on a client “MAC address move”? A rebootstrap is initiated for the client.
  • Page 643: Chapter 19 Cable Diagnostics

    Chapter 19 Cable Diagnostics The Time Domain Reflectometry (TDR) or Cable Diagnostics is a port feature supported on some switches running ArubaOS-Switch software. TDR is used to detect cable faults on 100BASE-TX and 1000BASE-T ports. Virtual cable testing The Virtual Cable Test (VCT) uses the same command as TDR. It is applicable only for GigT transceivers like copper transceiver (J8177C–ProCurve Gigabit 1000Base-T Mini-GBIC).
  • Page 644 ---- ------ ----------- --------------------- 1/10 1-2 Good cable tests switch# test cable-diagnostics 51 This command will cause a loss of link on all tested ports and will take several seconds per port to complete. Use the 'show cable-diagnostics' command to view the results. Continue (y/n)? Y switch# show cable-diagnostics 51 Cable Diagnostic Status - Transceiver Ports...
  • Page 645 switch# test cable-diagnostics 52 This command will cause a loss of link on all tested ports and will take several seconds per port to complete. Use the 'show cable-diagnostics' command to view the results. Continue (y/n)? switch# show cable-diagnostics 52 Cable Diagnostic Status - Transceiver Ports Cable Distance...
  • Page 646: Show Cable-Diagnostics

    Open 0 ns Open 0 ns
    Error message: The transceiver on port 1/A1 does not support cable diagnostics.
    Cause:
    • usage of invalid (fiber-SFP+) port
    • The selected range includes an entry for an invalid port.
    show cable-diagnostics Syntax show cable-diagnostics <PORT-LIST>...
  • Page 647
    • Not supported on v2 zl modules
    • Valid only on 100BASE-TX and 1000BASE-T ports
    Chapter 19 Cable Diagnostics...
  • Page 648: Chapter 20 Virtual Switching Framework (Vsf)

    Chapter 20 Virtual Switching Framework (VSF) List of abbreviated terms Term Definition Virtual Switch Framework (front plane stacking) Front Plane Stacking Back Plane Stacking Management Module Interface Module GVRP GARP VLAN Registration Protocol GARP Generic Attribute Registration Protocol MVRP Multiple VLAN Registration Protocol Overview of VSF Aruba Virtual Switching Framework (VSF) technology virtualizes up to eight physical devices in the same layer into one virtual fabric which provides high availability and scalability.
  • Page 649 VSF allows supported switches connected to each other through normal Ethernet connections (copper or fiber) to behave like a single switch. Figure 104: Two devices using VSF technology appearing as a single node to the upper-layer and lower-layer devices IP network IP network Simplified to VSF fabric...
  • Page 650: Benefits Of Vsf

    connected ports. Each switch can have two VSF links. The switches behave as a single virtual switch. 2930F supports a maximum of four 10G ports. Figure 105: A 4–member VSF stack Switch 1 - Commander Switch 2 - Standby Switch 4 - Member Switch 3 - Member Up to 8 physical Ethernet connections all 1G or 10G...
  • Page 651: Vsf Domain Id

    VSF domain ID VSF uses VSF domain IDs to uniquely identify VSF fabrics and prevent VSF fabrics from interfering with one another. One VSF fabric forms one VSF domain. Figure 106: Two VSF domains Core network VSF fabric 1 Device A Device B (domain 10) VSF Link...
  • Page 652: Interface Naming Conventions

    and becomes a Commander, will retain its member ID, while the other will automatically be assigned a different unassigned member ID from the pool and reboot. NOTE: If the VSF member ID changes when joining a VSF virtual chassis, it will cause a reboot of that member and not the whole VSF virtual chassis.
  • Page 653: Supported Topologies

    NOTE: Changing the priority does not affect the commander immediately. It will take effect from the next stack reboot, during the commander election. Supported topologies
    • A VSF fabric can have up to eight members.
    • A VSF member can have up to two VSF links.
    •...
  • Page 654: Running-Configuration Synchronization

    Table 39: Supported ring topologies Members Ring topology 3–member 4–member 5–member 6–member 7–member 8–member Running-configuration synchronization VSF uses a strict running-configuration synchronization mechanism. In a VSF fabric, the Commander manages and retains the configuration of all the devices. All other devices obtain and use the running configuration from the Commander.
  • Page 655: Vsf Split

    VSF split A VSF split can occur due to a VSF link failure where all ports in the VSF link go down, or when any member in the chain topology is power-cycled or crashes. This failure results in independent VSF fabric fragments, each having its own Commander role.
  • Page 656: Vsf Enable

    vsf enable Syntax vsf enable domain <DOMAIN-ID> Description Enable VSF on the switch. Allows for switches to be stacked using Ethernet ports. Parameters <DOMAIN-ID> The domain ID can be from 1 to 4294967295. NOTE: The command vsf enable causes the switch to reboot once and form the fabric. Upon reboot, the switch comes up in the "VSF enabled"...
  • Page 657: Vsf Domain

    • A VSF link is a logical port dedicated to the internal connection of a VSF virtual device.
    • A VSF link is effective only after it is bound to a physical port.
    • When an Ethernet port is bound to a VSF link, it carries VSF data traffic and VSF protocol packets.
    vsf domain Syntax vsf domain <DOMAIN-ID>...
  • Page 658: Vsf Member Reboot

    vsf member reboot Syntax boot vsf member <MEMBER-ID> Description Reboot the VSF member and have it rejoin the virtual chassis with the current configuration. If the boot option is specified, the switch will come back up with the existing member-ID and rejoin the virtual chassis with the current configuration.
  • Page 659: Vsf Member Priority

    Example switch# config switch(config)# vsf member 2 remove reboot Reboot the specified stack member. switch(config)# vsf member 2 remove reboot vsf member priority Syntax vsf member <MEMBER-ID> priority <PRIORITY> Description Assign a priority to the specified VSF virtual chassis member. The higher the priority, the more likely that the virtual chassis member will become the commander at the next virtual chassis reboot.
  • Page 660: Snmp-Server Enable Traps Vsf

    joins the VSF, it is provided this configuration. A new or missing VSF member can be configured as a provisioned device by using this command. Parameters <MEMBER-ID> The VSF member-ID for the member command/parameter. Member ID value can be in the range of 1 to 8. <TYPE>...
  • Page 661: Vsf Vlan-Mad

    Parameters <SPEED> The allowed values for port speeds are 1g and 10g. Usage [no] vsf port speed <SPEED> The no form of the command cannot be executed if there are ports configured on the link. All the ports in the link have to be unconfigured before setting the speed to default.
  • Page 662: Show Commands