Hewlett Packard Enterprise Aruba 2920 Management And Configuration Manual


For ArubaOS-Switch 16.05

Aruba 2920 Management and Configuration Guide for ArubaOS-Switch 16.05
Part Number: 5200-4205a
Published: April 2018
Edition: 2


Summary of Contents for Hewlett Packard Enterprise Aruba 2920

  • Page 3: Table Of Contents

    Contents: Chapter 1 About this guide; Applicable products; Switch prompts used in this guide; Chapter 2 Time Protocols; General steps for running a time protocol on the switch; TimeP time synchronization; SNTP time synchronization; NTP time synchronization; timesync Command; Selecting a time synchronization protocol; Disabling time synchronization...
  • Page 4 Changing the keepalive retries (CLI); Configuring UDLD for tagged ports; Viewing UDLD information (CLI); Viewing summary information on all UDLD-enabled ports (CLI); Viewing detailed UDLD information for specific ports (CLI); Clearing UDLD statistics (CLI)
  • Page 5 Uplink failure detection; Configuration guidelines for UFD; enable/disable; UFD track data configuration; UFD minimum uplink threshold configuration; show uplink-failure-detection; UFD operating notes; Error log; Invalid port error messages; Chapter 4 Power Over Ethernet (PoE/PoE+) Operation; Introduction to PoE; terminology; Planning and implementing a PoE configuration...
  • Page 6 Dynamic/static LACP interoperation; Trunk group operation using the "trunk" option; How the switch lists trunk data; Outbound traffic distribution across trunked links; Trunk load balancing using port layers; Enabling trunk load balancing
  • Page 7 Chapter 6 Port Traffic Controls; Rate-limiting; All traffic rate-limiting; Configuring in/out rate-limiting; Displaying the current rate-limit configuration; Operating notes for rate-limiting; ICMP rate-limiting; Guidelines for configuring ICMP rate-limiting; Configuring ICMP rate-limiting; Using both ICMP rate-limiting and all-traffic rate-limiting on the same interface; Viewing the current ICMP rate-limit configuration...
  • Page 8 Viewing sFlow Configuration and Status (CLI); Configuring UDLD Verify before forwarding; UDLD time delay; Restrictions; UDLD configuration commands; Show commands; RMON generated when user changes UDLD mode; LLDP; General LLDP operation; LLDP-MED
  • Page 9 Packet boundaries in a network topology; LLDP operation configuration options; Enable or disable LLDP on the switch; Enable or disable LLDP-MED; Change the frequency of LLDP packet transmission to neighbor devices; Change the Time-To-Live for LLDP packets sent to neighbors; Transmit and receive mode...
  • Page 10 Display the DHCPv4 server IP pool information; Display DHCPv4 server global configuration information; Event log; Event Log Messages; LLDP Management TLV Transmission disablement; Overview; Commands; [no] lldp config basicTlvEnable management_addr; lldp config; Show commands
  • Page 11 Chapter 9 Captive Portal for ClearPass; Requirements; Best Practices; Limitations; Features; High Availability; Load balancing and redundancy; Captive Portal when disabled; Disabling Captive Portal; Configuring Captive Portal on CPPM; Import the HP RADIUS dictionary; Create enforcement profiles; Create a ClearPass guest self-registration...
  • Page 12 Troubleshooting; Dynamic configuration not displayed when using “show running-config”; Switch does not detect the rogue AP TLVs; The show run command displays non-numerical value for untagged-vlan; Show commands; Validation Rules
  • Page 13 Chapter 12 Device Profile for custom device types; Procedure for creating a device identity and associating a device type; Chapter 13 Dynamically detecting LLDP device profiles; device-profile; device-profile type-device; device-profile device-type enable; Associating a profile with a device; device-profile device-type associate; show device-profile status; show device-profile config...
  • Page 14 Using the menu to view and search MAC addresses; Finding the port connection for a specific device on a VLAN; Viewing and searching port-level MAC addresses; Determining whether a specific device is connected to the selected port
  • Page 15 MSTP data; show spanning-tree; IP IGMP status; show ip igmp; VLAN information; show vlan; Configuring a source switch in a local mirroring session; Selecting all traffic on a port interface for mirroring according to traffic direction; Viewing all mirroring sessions configured on the switch...
  • Page 16 An attempt to copy a client public-key file into the switch has failed and the switch lists one of the following messages; Client ceases to respond ("hangs") during connection phase; TACACS-related problems; Event Log; All users are locked out of access to the switch
  • Page 17 No communication between the switch and the TACACS+ server application; Access is denied even though the username/password pair is correct; Unknown users allowed to login to the switch; System allows fewer login attempts than specified in the switch configuration; TimeP, SNTP, or Gateway problems...
  • Page 18 Switching to a new configuration; Rolling back to a stable configuration using job scheduler; Commands used in switch configuration restore without reboot; Configuration backup; cfg-backup; show config files; Configuration restore without reboot
  • Page 19 cfg-restore; Force configuration restore; cfg-restore non-blocking; cfg-restore recovery-mode; cfg-restore verbose; cfg-restore config_bkp; Configuration restore with force option; System reboot commands; Configuration restore without force option; show cfg-restore status; Viewing the differences between a running configuration and a backup configuration; Show commands to show the SHA of a configuration...
  • Page 20 Overview; [no] aaa authentication captive-portal profile; Validation rules; Policy commands; Overview; policy user; [no] policy user; policy resequence; Commands in the policy-user context; (policy-user)# class; User role configuration; aaa authorization user-role
  • Page 21 Error log; captive-portal-profile; policy; reauth-period; Validation rules; VLAN commands; vlan-id; vlan-name; VLAN range commands; Applying a UDR; aaa port-access local-mac apply user-role; VXLAN show commands; show captive-portal profile; show user-role; show port-access clients; Chapter 27 Port QoS Trust Mode; Overview; Configuration commands...
  • Page 22 TR-069; Zero-touch configuration process; Zero-touch configuration setup and execution; CLI commands; Configuration setup; ACS password configuration; When encrypt-credentials is off; When encrypt-credentials is on; ACS URL configuration; ACS username configuration
  • Page 23 configuration; CPE password configuration; When encrypt-credentials is on; When encrypt-credentials is off; CPE username configuration; Enable/disable CWMP; Show commands; CWMP configuration and status query; Event logging; System logging; Status/control commands; Network Out-of-Band Management (OOBM); Concepts; Example; OOBM and switch applications; OOBM configuration...
  • Page 24: Chapter 1 About This Guide

    This guide provides information on how to configure, manage, and monitor basic switch operation. Applicable products This guide applies to these products: Aruba 2920 Switch Series (J9726A, J9727A, J9728A, J9729A, J9836A) Switch prompts used in this guide Examples in this guide are representative and may not match your particular switch/environment. Examples use...
  • Page 25: Chapter 2 Time Protocols

    In the factory-default configuration, time synchronization is disabled by default. NOTE: Because the Aruba 2920 Switch Series does not contain an RTC (real time clock) chip, Hewlett Packard Enterprise recommends configuring one of the time synchronization protocols supported.
  • Page 26: Ntp Time Synchronization

    Update the system clock using TIMEP or SNTP. Update the system clock using NTP. Selecting a time synchronization protocol Procedure 1. Select the time synchronization protocol: TimeP, SNTP, or NTP. 2. Enable the protocol; the choices are:
  • Page 27: Disabling Time Synchronization

    a. TimeP: DHCP or Manual b. SNTP: Broadcast or Unicast c. NTP: Broadcast or Unicast 3. Configure the remaining parameters for the time protocol you selected. The switch retains the parameter settings for both time protocols even if you change from one protocol to the other.
  • Page 28: Viewing And Configuring Sntp (Menu)

    Move the cursor to the System Name field. 3. Use the Space bar to move the cursor to the Time Sync Method field. 4. Use the Space bar to select SNTP, then move to the SNTP Mode field.
  • Page 29 If you are unsure which version to use, Hewlett Packard Enterprise recommends leaving this value at the default setting of 3 and testing SNTP operation to determine whether any change is necessary.
  • Page 30: Viewing And Configuring Sntp (Cli)

    SNTP Configuration Time Sync Mode: Timep SNTP Mode : Unicast Poll Interval (sec) [720] : 719 Priority SNTP Server Address Protocol Version -------- ------------------------------ ---------------- 2001:db8::215:60ff:fe79:8980 10.255.5.24 fe80::123%vlan10 Syntax: show management
  • Page 31: Configuring (Enabling Or Disabling) The Sntp Mode

    This command can help you to easily examine and compare the IP addressing on the switch. It lists the IP addresses for all time servers configured on the switch, plus the IP addresses and default gateway for all VLANs configured on the switch. Display showing IP addressing for all configured time servers and VLANs switch(config)# show management Status and Counters - Management Address Information...
  • Page 32 Procedure 1. View the current time synchronization. 2. Select SNTP as the time synchronization mode. 3. Enable SNTP for Broadcast mode. 4. View the SNTP configuration again to verify the configuration.
  • Page 33 The commands and output would appear as follows: Figure 4: Enabling SNTP operation in Broadcast Mode switch(config)# show sntp SNTP Configuration Time Sync Mode: Timep SNTP Mode : disabled Poll Interval (sec) [720] :720 switch(config)# timesync sntp switch(config)# sntp broadcast switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp...
  • Page 34 If the SNTP server you specify uses SNTP v4 or later, use the sntp server command to specify the correct version number. For example, suppose you learned that SNTP v4 was in use on the server you specified above
  • Page 35 (IP address 10.28.227.141). You would use the following commands to delete the server IP address and re-enter it with the correct version number for that server. Specifying the SNTP protocol version number switch(config)# no sntp server 10.28.227.141 switch(config)# sntp server 10.28.227.141 4 switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp...
  • Page 36 Disabling time synchronization by disabling the SNTP mode switch(config)# no sntp switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp SNTP Mode : disabled Poll Interval (sec) [720] : 600 IP Address Protocol Version ------------- ----------------- 10.28.227.141
  • Page 37: Sntp Client Authentication

    Note that even though the Time Sync Mode is set to Sntp, time synchronization is disabled because no sntp has disabled the SNTP Mode parameter. SNTP client authentication Enabling SNTP authentication allows network devices such as HPE switches to validate the SNTP messages received from an NTP or SNTP server before updating the network time.
  • Page 38: Configuring A Trusted Key

    When authentication succeeds, the time in the packet is used to update the time on the switch. Configuring a key-id as trusted (CLI) Enter the following command to configure a key-id as trusted. Syntax: sntp authentication key-id <key-id> trusted no sntp authentication key-id <key-id> trusted
  • Page 39: Associating A Key With An Sntp Server (Cli)

    Trusted keys are used during the authentication process. You can configure the switch with up to eight sets of key-id/key-value pairs. One specific set must be selected for authentication; this is done by configuring the set as trusted. The key-id itself must already be configured on the switch. To enable authentication, at least one key-id must be configured as trusted.
  • Page 40: Configuring Unicast And Broadcast Mode For Authentication

    SNTP Authentication : Enabled Time Sync Mode: Sntp SNTP Mode : Unicast Poll Interval (sec) [720] : 720 Priority SNTP Server Address Protocol Version KeyId -------- ------------------------------------ ---------------- ----- 10.10.10.2 fe80::200:24ff:fec8:4ca8
  • Page 41: Saving Configuration Files And The Include-Credentials Command

    Viewing all SNTP authentication keys that have been configured on the switch (CLI) Enter the show sntp authentication command, as shown in Show sntp authentication command output on page 41. Show sntp authentication command output switch(config)# show sntp authentication SNTP Authentication Information SNTP Authentication : Enabled Key-ID Auth Mode...
  • Page 42 50 sntp server priority 1 10.10.10.2.3 sntp server priority 2 fe80::200:24ff:fec8:4ca8 4 NOTE: The SNTP authentication line and the Key-ids are not displayed. You must reconfigure SNTP authentication.
  • Page 43: Timep: Selecting And Configuring

    If include-credentials is configured, the SNTP authentication configuration is saved in the configuration file. When the show config command is entered, all of the information that has been configured for SNTP authentication displays, including the key-values. Figure 5: Saved SNTP Authentication information when include-credentials is configured TimeP: Selecting and configuring The following table shows TimeP parameters and their operations.
  • Page 44: Viewing, Enabling, And Modifying The Timep Protocol (Menu)

    TIMEP TimeP Mode [Disabled] : DHCP Poll Interval (min) [720] : 720 Time Zone [0] : Daylight Time Rule [None] : None • Use the Spacebar to select the Manual mode.
  • Page 45: Viewing The Current Timep Configuration (Cli)

    ◦ Move the cursor to the Server Address field. ◦ Enter the IP address of the TimeP server you want the switch to use for time synchronization. NOTE: This step replaces any previously configured TimeP server IP address. ◦ Move the cursor to the Poll Interval field, then go to step 6. 6.
  • Page 46: Configuring (Enabling Or Disabling) The Timep Mode

    Like DHCP mode, configuring TimeP for manual mode enables TimeP. However, for manual operation, you must also specify the IP address of the TimeP server. (The switch allows only one TimeP server.)
  • Page 47 Syntax: timesync timep Selects TimeP. Syntax: ip timep manual <ip-addr> Activates TimeP in manual mode with a specified TimeP server. Syntax: no ip timep Disables TimeP. Enabling TimeP in DHCP Mode Because the switch provides a TimeP polling interval (default: 720 minutes), you need only these two commands for a minimal TimeP DHCP configuration: Syntax: timesync timep...
  • Page 48 Specifies how long the switch waits between time polling intervals. The default is 720 minutes and the range is 1 to 9999 minutes. (This parameter is separate from the poll interval parameter used for SNTP operation.) Example: To change the poll interval to 60 minutes:
  • Page 49: Sntp Unicast Time Polling With Multiple Sntp Servers

    switch(config)# ip timep interval 60 Disabling time synchronization without changing the TimeP configuration (CLI) Syntax: no timesync Disables time synchronization by changing the Time Sync Mode configuration to Disabled. This halts time synchronization without changing your TimeP configuration. The recommended method for disabling time synchronization is to use the timesync command.
  • Page 50: Displaying All Sntp Server Addresses Configured On The Switch (Cli)

    CLI to replace one of the existing addresses with a new one, you must delete the unwanted address before you configure the new one. Deleting addresses Syntax: no sntp server <ip-addr>
  • Page 51: Operating With Multiple Sntp Server Addresses Configured (Menu)

    Deletes a server address. If there are multiple addresses and you delete one of them, the switch re-orders the address priority. Example: To delete the primary address in the above example and automatically convert the secondary address to primary: switch(config)# no sntp server 10.28.227.141 Operating with multiple SNTP server addresses configured (Menu) When you use the Menu interface to configure an SNTP server IP address, the new address writes over the...
  • Page 52: Ntp

    Enable/disable NTP. max-association Maximum number of Network Time Protocol (NTP) associations. server Configure a NTP server to poll for time synchronization. trap Enable/disable NTP traps. unicast Operate in unicast mode.
  • Page 53: Ntp Enable

    Example switch(config)# no ntp This will delete all NTP configurations on this device. Continue [y/n]? ntp enable This command is used to enable or disable NTP on the switch. Syntax ntp enable Example switch(config)# ntp enable Enable/disable NTP. Description Enable or disable NTP. Use [no] to disable NTP. Restrictions Validation Error/Warning/Prompt...
  • Page 54: Ntp Authentication Key-Id

    Authenticate using SHA1. trusted Set this authentication key as trusted. ntp max-association This command is used to configure the maximum number of servers associated with this NTP client. Syntax ntp max-association <number>
  • Page 55: Ntp Server

    Options max-association <number> Sets the maximum number of NTP associations. Description Configure maximum number of servers associated with the client. Up to eight servers can be configured as the maximum. Restrictions The range for a maximum number of NTP associations is 1–8. Example Switch(config)# ntp max-associations...
  • Page 56 <IP-ADDR> key key-id min-poll <4-17> Enter an integer number. switch(config)# ntp server <IP-ADDR> key key-id prefer max-poll <max-poll-val> min-poll <min-poll-val> iburst Enable initial burst (iburst) mode. burst Enable burst mode.
  • Page 57: Ntp Server Key-Id

    Switch(config)# ntp server IP-ADDR key key-id prefer maxpoll <number> minpoll <number> iburst Restrictions Validation Error/Warning/Prompt Authentication key-id has not been If authentication key-id not configured configured. Key-id is not trusted. If Key-id is not marked as trusted NTP max poll value should be more than When min poll value is more than max poll value min poll value.
  • Page 58: Debug Ntp

    Trap name resulting in send notification when stratum level of NTP changes. ntp-peer-change Trap name resulting in send notification when a (new) syspeer has been selected. ntp-new-association Trap name resulting in send notification when a new association is mobilized.
  • Page 59: Show Ntp Statistics

    ntp-remove-association Trap name resulting in send notification when an association is demobilized. ntp-config-change Trap name resulting in send notification when the NTP configuration has changed. ntp-leapsec-announced Trap name resulting in send notification when a leap second has been announced. ntp-alive-heartbeat Trap name resulting in send notification periodically (as defined by ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive.
  • Page 60: Show Ntp Status

    1 00:00:00 1990 show ntp associations Syntax show ntp associations [detail <IP-ADDR>] Description Show the status of configured NTP associations. Options detail Show the detailed status of NTP associations configured for the system.
  • Page 61: Show Ntp Authentication

    Switch(config)# show ntp associations NTP Associations Entries Address When Poll Reach Delay Offset Dispersion -------------- -- ---- ----- ------ ------- ------- ---------- 121.0.23.1 1024 0.000 0.000 0.000 231.45.21.4 1024 0.000 0.000 0.000 55.21.56.2 1024 0.000 0.000 0.000 23.56.13.1 u 209 1024 54.936 -6.159...
  • Page 62: Validation Rules

    "none", a message displays. If the authentication method is anything other Not legal combination of authentication methods. than two-factor and the two-factor authentication method options are set, a message displays.
  • Page 63 Validation Error/Warning/Prompt If two-factor authentication is set and user SSH client is not supported when the two-factor tries to SSH into another system using ssh authentication is enabled. <ip | hostname> command, a message displays. If timeSync is in SNTP or Timep when NTP Timesync is not configured to NTP.
  • Page 64: Event Log Messages

    W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed as “ssh-server” certificate is not installed. When NTP client enabled. NTP client is enabled. When NTP client disabled. NTP client is disabled.
  • Page 65: Monitoring Resources

    Event Message When NTP found a new broadcast server. A new broadcast server at %s. When system clock was updated with new time. The system clock time was changed by %ld sec %lu nsec. The new time is %s. When NTP stratum was updated. The NTP Stratum was changed from %d to %d.
  • Page 66: Viewing Information On Resource Usage

    Resource usage in the policy enforcement engine is based on how these features are configured on the switch:
  • Page 67: Usage Notes For Show Resources Output

    • Resource usage by dynamic port ACLs is determined as follows: Dynamic port ACLs configured by a RADIUS server for an authenticated client determine the current resource consumption for this feature on a specified slot. When a client session ends, the resources in use for that client become available for other uses.
  • Page 68: When Insufficient Resources Are Available

    Throttling or blocking of newly detected clients with high rate-of-connection requests (as defined by the current VT configuration). The switch continues to generate Event Log notifications (and SNMP trap notification, if configured) for new instances of high-connection-rate behavior detected by the VT feature.
  • Page 69: Chapter 3 Port Status And Configuration

    Chapter 3 Port Status and Configuration Viewing port status and configuring port parameters Connecting transceivers to fixed-configuration devices If the switch either fails to show a link between an installed transceiver and another device or demonstrates errors or other unexpected behavior on the link, check the port configuration on both devices for a speed and/or duplex (mode) mismatch.
  • Page 70 Auto-10: Allows the port to negotiate between half-duplex (HDx) and full-duplex (FDx) while keeping speed at 10 Mbps. Also negotiates flow control (enabled or disabled). Hewlett Packard Enterprise recommends auto-10 for links between 10/100 auto-sensing ports connected with Cat 3 cabling. (Cat 5 cabling is required for 100 Mbps links.)
  • Page 71: Viewing Port Configuration (Menu)

    Status or Description parameter 10-Gigabit CX4 Copper Ports: Auto: The port operates at 10 gigabits FDx and negotiates flow control. Lower speed settings or half-duplex are not allowed. 10-Gigabit SC Fiber-Optic Ports (10-GbE SR, 10-GbE LR, 10-GbE ER): Auto: The port operates at 10 gigabits FDx and negotiates flow control. Lower speed settings or half-duplex are not allowed.
  • Page 72: Configuring Ports (Menu)

    Auto Disable 1000T | Yes Auto Disable 1000T | Yes Auto Disable 1000T | Yes Auto Disable Trk1 Trunk 1000T | Yes Auto Disable Trk2 Trunk Actions-> Cancel Edit Save Help
  • Page 73: Viewing Port Status And Configuration (Cli)

    Cancel changes and return to previous screen. Use arrow keys to change action selection and <Enter> to execute action. 2. Press [E] (for Edit). The cursor moves to the Enabled field for the first port. For further information on configuration options for these features, see the online help provided with this screen.
  • Page 74: Dynamically Updating The Show Interfaces Command (Cli/Menu)

    You can create show commands displaying the information that you want to see in any order you want by using the custom option. Syntax: show interfaces custom [port-list] column-list Select the information that you want to display. Supported columns are shown in the table below.
  • Page 75 Table 4: Supported columns, what they display, and examples: Parameter column Displays Examples port Port identifier type Port type 100/1000T status Port status up or down speed Connection speed and duplex 1000FDX mode Configured mode auto, auto-100, 100FDX MDI mode auto, MDIX flow Flow control...
  • Page 76: Error Messages Associated With The Show Interfaces Command

    | Kbits/sec Pkts/sec Util | Kbits/sec Pkts/sec Util ----- -------- + ---------- --------- ----- + ---------- --------- ----- 1000FDx 1000FDx 1000FDx 1000FDx 1000FDx 1000FDx 100FDx | 624 00.62 | 496 00.49
  • Page 77: Operating Notes For Viewing Port Utilization Statistics

    Operating notes for viewing port utilization statistics • For each port on the switch, the command provides a real-time display of the rate at which data is received (Rx) and transmitted (Tx) in terms of kilobits per second (KBits/s), number of packets per second (Pkts/s), and utilization (Util) expressed as a percentage of the total bandwidth available.
  • Page 78: Enabling Or Disabling Ports And Configuring Port Mode (Cli)

    For example, to enter the context level for port C6 and then configure that port for 100FDx: switch(config)# int e c6 switch(eth-C6)# speed-duplex 100-full
  • Page 79: Enabling Or Disabling Flow Control (Cli)

    If port C8 was disabled, and you wanted to enable it and configure it for 100FDx with flow-control active, you could do so with either of the following command sets: Figure 8: Two methods for changing a port configuration For more on flow control, see Enabling or disabling flow control (CLI) on page 79. Enabling or disabling flow control (CLI) NOTE: You must enable flow control on both ports in a given link.
  • Page 80 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD 10GbE-T | No Down 10GigFD
  • Page 81: Port Shutdown With Broadcast Storm

    Port shutdown with broadcast storm A LAN broadcast storm arises when an excessively high rate of broadcast packets floods the LAN. A LAN broadcast storm disrupts traffic and degrades network performance. To prevent LAN traffic from being disrupted, an enhancement of fault-finder commands adds new options, and the corresponding MIBs, that trigger a port disablement when a broadcast storm is detected on that port.
  • Page 82: Snmp Mib

    ::= { hpicfFaultFinder 5 } hpicfFfBcastStormControlPortConfigTable OBJECT-TYPE • syntax sequence: HpicfFfBcastStormControlPortConfigEntry • max-access: not-accessible • status: current • description: This table provides information about broadcast storm control configuration of all ports. ::= {hpicfFfBcastStormControlPortConfig 1} hpicfFfBcastStormControlPortConfigEntry OBJECT-TYPE
  • Page 83 • syntax HpicfFfBcastStormControlPortConfigEntry • max-access: not-accessible • status: current • description: This object provides information about broadcast storm control configuration of each port. • index: {hpicfffbcaststormcontrolportindex}::= {hpicfFfBcastStormControlPortConfigTable 1} hpicfFfBcastStormControlPortConfigEntry ::= Syntax sequence:hpicfFfBcastStormControlPortIndex InterfaceIndex, hpicfFfBcastStormControlMode Integer, hpicfFfBcastStormControlRisingpercent Integer32, hpicfFfBcastStormControlRisingpps Integer32, hpicfFfBcastStormControlAction Integer, hpicfFfBcastStormControlPortDisableTimer Unsigned32 hpicfFfBcastStormControlPortIndex OBJECT-TYPE •...
  • Page 84 This time period is specified in seconds. The default value is zero which means that the port remains disabled and is not enabled again. • DEFVAL {0} ::= {hpicfFfBcastStormControlPortConfigEntry 6}
  • Page 85: Configuring Auto-Mdix

    Configuring auto-MDIX Copper ports on the switch can automatically detect the type of cable configuration (MDI or MDI-X) on a connected device and adjust to operate appropriately. This means you can use a "straight-through" twisted-pair cable or a "crossover" twisted-pair cable for any of the connections—the port makes the necessary adjustments to accommodate either one for correct operation.
  • Page 86: Configuring Auto-Mdix (Cli)

    Flow Ctrl MDI ------ --------- + ------- ------------ --------- ---- 10GbE-T | Yes Auto Disable Auto 10GbE-T | Yes Auto Disable 10GbE-T | Yes Auto Disable MDIX 10GbE-T | Yes Auto Disable Auto
  • Page 87: Using Friendly (Optional) Port Names

    10GbE-T | Yes Auto Disable Auto 10GbE-T | Yes Auto Disable Auto 10GbE-T | Yes Auto Disable Auto 10GbE-T | Yes Auto Disable Auto Displaying the current MDI operating mode switch(config)# show interfaces brief Status and Counters - Port Status | Intrusion Flow Bcast Port...
  • Page 88: Configuring A Single Port Name (Cli)

    Name : Draft-Server:Trunk Port : A8 Type : 10GbE-T Name : Draft-Server:Trunk Displaying friendly port names with other port data (CLI) You can display friendly port name data in the following combinations:
  • Page 89: Listing All Ports Or Selected Ports With Their Friendly Port Names (Cli)

    Syntax: show name Displays a listing of port numbers with their corresponding friendly port names and also quickly shows you which ports do not have friendly name assignments. (show name data comes from the running-config file.) Syntax: show interface <port-number> Displays the friendly port name, if any, along with the traffic statistics for that port.
  • Page 90: Including Friendly Port Names In Per-Port Statistics Listings (Cli)

    A1 with a friendly port name. Notice that the command sequence saves the friendly port name for port A1 in the startup-config file. The name entered for port A2 is not saved because it was executed after write memory.
  • Page 91: Uni-Directional Link Detection (Udld)

    Listing of the startup-config file with a friendly port name configured (and saved) switch(config)# int A1 name Print_Server@10.25.101.43 switch(config)# write mem switch(config)# int A2 name Herbert's_PC switch(config)# show config Startup configuration: ; J9091A Configuration Editor; Created on release xx.15.05.xxxx hostname "HPSwitch" interface AQ name "Print_Server@10.25.101.43 exit...
  • Page 92: Configuring Udld

    Determines the maximum number of retries to send UDLD control packets. The num parameter specifies the maximum number of times the port will try the health check. You can specify a value from 3 to 10. Default: 5 Syntax: [no] interface <port-list> link-keepalive vlan <vid>
  • Page 93: Enabling Udld (Cli)

    Assigns a VLAN ID to a UDLD-enabled port for sending tagged UDLD control packets. Under default settings, untagged UDLD packets can still be transmitted and received on tagged only ports; however, a warning message is logged. The no form of the command disables UDLD on the specified ports. Default: UDLD packets are untagged;...
  • Page 94: Viewing Udld Information (Cli)

    Clears UDLD statistics. This command clears the packets sent, packets received, and transitions counters in the show link-keepalive statistics display. Viewing summary information on all UDLD-enabled ports (CLI) Enter the show link-keepalive command.
  • Page 95: Viewing Detailed Udld Information For Specific Ports (Cli)

    Example: Figure 11: Example of show link-keepalive command Viewing detailed UDLD information for specific ports (CLI) Enter the show link-keepalive statistics command. Example: Figure 12: Example of show link-keepalive statistics command Clearing UDLD statistics (CLI) Enter the following command: switch# clear link-keepalive statistics
  • Page 96: Uplink Failure Detection

    For an example of teamed NICs in conjunction with UFD, see Figure 13: Teamed NICs in conjunction with UFD on page 97. For an example of teamed NICs with a failed uplink, see Figure 14: Teamed NICs with a failed uplink on page 97.
  • Page 97 NOTE: For UFD functionality to work as expected, the NIC teaming must be in Network Fault Tolerance (NFT) mode. Figure 13: Teamed NICs in conjunction with UFD Figure 14: Teamed NICs with a failed uplink
  • Page 98: Configuration Guidelines For Ufd

    Used to configure ports given as LtM and ports given as LtD for track-id. This command will also accept trunk interfaces. Options [no] ufd track-id <track-id> From within track-id context: [no] links-to-monitor <port-list> [no] links-to-disable <port-list>
  • Page 99: Ufd Minimum Uplink Threshold Configuration

    uplink-failure-detection-track switch(config)# uplink-failure-detection-track 10 links-to-monitor 18,19,20 links-to-disable 1,2,3 The above command is used to configure ports 18,19,20 as LtM and ports 1,2,3 as LtD for track-id 10. switch(config)# no uplink-failure-detection-track 10 This command will remove any track data associated with track-id 10. switch(config)# no uplink-failure-detection-track 10 links-to-monitor 18 links-to-disable 1 This command will remove port 18 as LtM and port 1 as LtD from track-id 10.
  • Page 100: Ufd Operating Notes

    Invalid port(s) specified as links-to-disable. • When a user specifies an invalid LtD port an error message similar to the following is displayed. Invalid port(s) specified as links-to-disable.
  • Page 101: Chapter 4 Power Over Ethernet (Poe/Poe+) Operation

    Chapter 4 Power Over Ethernet (PoE/PoE+) Operation Introduction to PoE PoE technology allows IP telephones, wireless LAN access points, and other appliances to receive power and transfer data over existing ethernet LAN cabling. For more information about PoE technology, see the PoE/PoE+ planning and implementation guide, which is available on the HPE Networking website at http://www.hpe.com/ networking.
  • Page 102: Assigning Poe Ports To Vlans

    "searching". If the PSE cannot supply the required amount of power, it does not supply any power. For PoE using a Type 1 device, a PSE will not supply any power to a PD unless the PSE has at least 17 watts available. For
  • Page 103: Configuration Options

    example, if a PSE has a maximum available power of 382 watts and is already supplying 378 watts, and is then connected to a PD requiring 10 watts, the PSE will not supply power to the PD. For PoE+ using Type 2 devices, the PSE must have at least 33 watts available. Configuration options In the default configuration, all ports in a switch covered in this guide are configured to support PoE operation.
  • Page 104: Power Priority Operation

    The no form of the command disables PoE operation on <port-list>. Default: All PoE ports are initially enabled for PoE operation at Low priority. If you configure a higher priority, this priority is retained until you change it.
  • Page 105: Enabling Support For Pre-Standard Devices

    Enabling support for pre-standard devices The HPE switches covered in this guide also support some pre-802.3af devices. For a list of the supported devices, see the FAQ for your switch model. Syntax: [no] power-over-ethernet pre-std-detect Detects and powers pre-802.3af standard devices. NOTE: The default setting for the pre-std-detect PoE parameter changed.
  • Page 106: Manually Configuring Poe Power Levels

    # int A6 poe-allocate-by value or in interface context: switch(eth-A6) # poe-allocate-by value 2. Select a value: switch(config) # int A6 poe-value 15 or in interface context: switch(eth-A6) # poe-value 15
  • Page 107: Configuring Poe Redundancy

    To view the settings, enter the show power-over-ethernet command, shown in Figure 15: PoE allocation by value and the maximum power delivered on page 107. Figure 15: PoE allocation by value and the maximum power delivered switch(config)# show power-over-ethernet A6 Status and Counters - Port Power Status for port A6 Power Enable : Yes...
  • Page 108: Changing The Threshold For Generating A Power Notice

    Suppose slots A, B, and C each have a PoE module installed. In this case, executing the following command sets the global notification threshold to 70% of available PoE power: switch(config)# power-over-ethernet threshold 70
  • Page 109: Poe/Poe+ Allocation Using Lldp Information

    With this setting, if module B is allocated 100 watts of PoE power and is using 68 watts, and then another PD is connected to the module in slot B that uses 8 watts, the 70% threshold of 70 watts is exceeded. The switch sends an SNMP trap and generates this Event Log message: Slot B POE usage has exceeded threshold of 70%.
  • Page 110: Enabling Or Disabling Ports For Allocating Power Using Lldp

    If the PD goes into power-saving mode, the power supplied is reduced; if the need for power increases, the amount supplied is increased. PoE and LLDP interact to meet the current power demands. Syntax: int <port-list> poe-lldp-detect [enabled | disabled]
  • Page 111: Viewing Poe When Using Lldp Information

    Allows the data link layer to be used for power negotiation between a PD on a PoE port and LLDP. Default: Disabled Example: You can enter this command to enable LLDP detection: switch(config) # int 7 PoE-lldp-detect enabled or in interface context: switch(eth-7) # PoE-lldp-detect enabled NOTE: Detecting PoE information via LLDP affects only power delivery;...
  • Page 112 A3 LLCP Remote Device Information Detail Local Port : A3 ChassisType : mac-address ChassisId : 00 16 35 ff 2d 40 PortType : local PortId : 23 SysName : HPSwitch
  • Page 113: Operating Note

    System Descr : HP Switch 3500-24, revision W.14.xx PortDescr : 23 Pvid : 55 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge Remote Management Address Type : ipv4 Address : 10.0.102.198 Poe Plus Information Detail Poe Device Type : Type2 PD Power Source : Only PSE...
  • Page 114: Viewing Poe Status On All Ports

    Power Priority Lists the power priority (Low, High, and Critical) configured on ports enabled for PoE. (For more information on this topic, see Configuring PoE operation on page 104.)
  • Page 115 Alloc by Displays how PoE is allocated (usage, class, value). Alloc Power The maximum amount of PoE power allocated for that port (expressed in watts). Default: 17 watts for PoE; 33 watts for PoE+. Actual Power The power actually being used on that port. Configured Type If configured, shows the user-specified identifier for the port.
  • Page 116: Viewing The Poe Status On Specific Ports

    Shows the number of times PDs requesting power on the port have been denied because of insufficient power available. Each occurrence generates an Event Log message. Voltage The total voltage, in volts, being delivered to PDs.
  • Page 117 Power The total power, in watts, being delivered to PDs. LLDP Detect Port is enabled or disabled for allocating PoE power, based on the link-partner's capabilities via LLDP. Configured Type If configured, shows the user-specified identifier for the port. If not configured, the field is empty.
  • Page 118: Using The Hpe 2920 Switch With An External Power Supply

    575W (combined system and PoE power). • HPE X3312 165W PSU (J9739) is a 12V power supply unit providing non-PoE power. It is not accepted in PoE switches.
  • Page 119: Using The Xps For Additional Poe Power

    Figure 17: HPE 640 RPS/EPS with supported power supplies on page 119 shows an example of the three PSUs installed in the XPS zones and the power that they provide. Figure 17: HPE 640 RPS/EPS with supported power supplies In addition to the voltage and power differences between the three PSUs, the non-PoE J9739A PSU has a mechanical key that is different from the PoE PSUs.
  • Page 120 As shown in Maximum PoE power available with 575W PSU in 640 RPS/EPS, though, when a 575W PSU is installed in Zone 1 and all four ports are enabled, there is redundancy protection, but zero watts of external PoE power from the XPS.
  • Page 121: Operating Rules

    The following table illustrates three basic setups for 2920 Switches using a 640 RPS/EPS for extra PoE power. Table 10: Example basic setups for switches using the XPS Power Total power # of Switches/ Switch PSU RPS/EPS PSU Description Available per Zone Model...
  • Page 122: Using Redundant (N+1) Power

    Auto search on “640”, select the device in the list, and click on Display selected. Then click on the links that have “manuals” in them to get to the web page that lists the available manuals.
  • Page 123: Configuring The Hpe 2920 Poe Switches To Use The Xps

    Configuring the HPE 2920 PoE switches to use the XPS To configure the HPE 2920 PoE Switches to use the PoE power from the XPS, you will issue external-power-supply commands to the switches. By default, all the available PoE power is shared equally by all the switches connected to a given XPS zone.
  • Page 124: Restoring The Default External Power Supply Settings

    This will reset the external power supply to factory default configurations. This might shutdown powered PoE ports on the connected switches. Continue (y/n)? y Configuring external power supply, this might take up to a minute...
  • Page 125: Distributing Power To Specified Ports

    Distributing power to specified ports Syntax: external-power-supply [member < member-id >] power-share <xps ports> [force] Configures the XPS to distribute power to the ports specified. The amount of XPS power received by each XPS port depends on the number of ports that have been specified. NOTE: This command is not available in stacking member context.
  • Page 126: Reducing Allocated External Power

    IPS, will retain their power. The lowered number switch ports have a higher PoE priority. Hewlett Packard Enterprise recommends that you should not use the force option at times when PoE power to the PDs must be maintained. Use the external-power-supply allow and external-power-supply <xps ports>...
  • Page 127: Non-Poe Configuration

    Non-PoE configuration If the non-PoE switch and the XPS are in their default configurations, run the show external-power-supply brief command to verify that there is adequate XPS power to provide redundancy power to the switch. If the non-PoE switch has auto-recovery disabled and the XPS is not providing redundancy support to the switch, execute the commands as shown in Enabling an XPS for a non-PoE switch configuration on page 127.
  • Page 128: Poe Configuration For Full Poe Power To One Xps Port

    External Power Supply PSU Module : J9737A Voltage / Wattage : 54V / 1050W Current Zone Zone State : Powered Zone Record Version Cable Port Connection Ext. Mbr System Name Allow Status Enabled Power
  • Page 129: Poe Configuration For Multiple Switches

    ----- ----- ------------ ------- ------- --- ----------- Available 700 W HP-2920-48G-POE+ Unavailable HP-2920-48G-POE+ Unavailable HP-2920-24G-PoEP Unavailable HP-2920-24G-PoEP Output displaying PoE power available switch(config)# show power-over-ethernet Status and Counters - System Power Status System Power Status : Full redundancy PoE Power Status : No redundancy Chassis power-over-ethernet: Total Available Power...
  • Page 130 This would change allocated power for XPS port 1A,1B,1C,1D to 60W. This might result in PoE powered ports connected in system 1A to be shutdown. Continue (y/n) y For more information, see Example of using the force option on page 125.
  • Page 131: Viewing Power Information

    Viewing power information Syntax: show external-power-supply [member < member-id >] {<brief | detail | info>} Displays information about the XPS operational and configuration parameters. If the switch is a member of a stack of switches, the member-id must be specified to obtain information about the zone to which the member is connected.
  • Page 132: Examples For Show External-Power-Supply

    : 54V / 1050W Current Zone Zone State : Powered Zone Record Version Cable Port Connection Ext. Mbr System Name Allow Status Enabled Power ----- ----- ------------ ------- ------- --- -----------
  • Page 133 Available HP-Stack-2920 Available HP-Stack-2920 Available HP-Stack-2920 Available HP-Stack-2920 The output varies depending on the switch from which the command is executed. An asterisk next to the port ID indicates where the command was executed. In Output when command is executed from PoE switch 1C connected to a PoE zone on page 133 the command is executed from a non-Stack PoE switch connected to XPS port 1C in a PoE zone.
  • Page 134 : J9727A MAC Address : 0021f7-78c6c1 Software Version : WB.15.13.0000x Serial Number : SG2ZFLX099 Internal Power Supply Rating : 54V / 575W External Power : 0 W Connection Status : Available
  • Page 135: Examples For Show Power-Over-Ethernet Commands

    Auto Recovery : Yes Cable Record Version Supported Zone Record Version: 3 Examples for show power-over-ethernet commands Output showing both internal and external power supplies connected switch(config)# show power-over-ethernet Status and Counters - System Power Status for member 1 System Power Status : Full redundancy PoE Power Status : No redundancy...
  • Page 136: Example: For Show Running-Config Command

    "public" unrestricted oobm ip address dhcp-bootp exit vlan 1 name "DEFAULT_VLAN" no untagged 5-6 untagged 1-4,7-24,A1-A2,B1-B2 ip address dhcp-bootp exit vlan 2 name "VLAN2" untagged 5-6
  • Page 137: Poe Event Log Messages

    no ip address ipv6 enable ipv6 mld enable exit external-power-supply member 1 auto disable PoE Event Log messages Please see the event log message reference guide for information about Event Log messages. To see these manuals, go to http://www.hpe.com/networking. Auto search the model number for your switch, for example “HPE Switch 2920”, then select the device from the list and click on Product manuals.
  • Page 138: Chapter 5 Port Trunking

    Port security does not operate on a trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch resets the port security parameters for those ports to the factory-default configuration.
  • Page 139: Port Trunk Features And Operation

    For most installations, Hewlett Packard Enterprise Switch recommends that you leave the port Mode settings at Auto (the default). LACP also operates with Auto-10, Auto-100, and Auto-1000 (if negotiation selects FDx), and 10FDx, 100FDx, and 1000FDx settings.
  • Page 140: Using Keys To Control Dynamic Lacp Trunk Configuration

    The switch uses the links you configure with the Port/Trunk Settings screen in the menu interface or the trunk command in the CLI to create a static port trunk. The switch offers two types of static trunks: LACP and Trunk.
  • Page 141 Table 11: Trunk types used in static and dynamic trunk groups Trunking method LACP Trunk Dynamic Static The following table describes the trunking options for LACP and Trunk protocols. Table 12: Trunk configuration protocols Protocol Trunking Options LACP (802.3ad) Provides dynamic and static LACP trunking options. •...
  • Page 142 All of the switch trunk protocols use the SA/DA (source address/destination address) method of distributing traffic across the trunked links. See Outbound traffic distribution across trunked links on page 157.
  • Page 143 Spanning Tree: 802.1D (STP) and 802.1w (RSTP) Spanning Tree operate as a global setting on the switch (with one instance of Spanning Tree per switch). 802.1s (MSTP) Spanning Tree operates on a per-instance basis (with multiple instances allowed per switch). For each Spanning Tree instance, you can adjust Spanning Tree parameters on a per-port basis. A static trunk of any type appears in the Spanning Tree configuration display, and you can configure Spanning Tree parameters for a static trunk in the same way that you would...
  • Page 144: Viewing And Configuring A Static Trunk Group (Menu)

    This procedure uses the Port/Trunk Settings screen to configure a static port trunk group on the switch. Procedure 1. Follow the procedures in the preceding IMPORTANT note. 2. From the Main Menu, select: 2. Switch Configuration… 2. Port/Trunk Settings
  • Page 145 3. Press [E] (for Edit) and then use the arrow keys to access the port trunk parameters. Figure 20: Example of the menu screen for configuring a port trunk group 4. In the Group column, move the cursor to the port you want to configure. 5.
  • Page 146: Viewing And Configuring Port Trunk Groups (Cli)

    146, the command does not include a port list, so the switch lists all ports having static trunk membership. A show trunk listing without specifying ports switch# show trunks Load Balancing Port | Name Type | Group Type
  • Page 147: Viewing Static Lacp And Dynamic Lacp Trunk Data

    ---- + ----------------------- --------- + ----- ----- | Print-Server-Trunk 10/100TX | Trk1 Trunk | Print-Server-Trunk 10/100TX | Trk1 Trunk 10/100TX | Trk2 Trunk 10/100TX | Trk2 Trunk Viewing static LACP and dynamic LACP trunk data Syntax: show lacp Lists data for only the LACP-configured ports. Example: Ports A1 and A2 have been previously configured for a static LACP trunk.
  • Page 148: Configuring A Static Trunk Or Static Lacp Trunk Group

    Syntax: no trunk <port-list> Removes the specified ports from an existing trunk group. Example: To remove ports C4 and C5 from an existing trunk group: switch(config)# no trunk c4-c5
  • Page 149: Enabling A Dynamic Lacp Trunk Group

    Unless spanning tree is running on your network, removing a port from a trunk can result in a loop. To help prevent a broadcast storm when you remove a port from a trunk where spanning tree is not in use, Hewlett Packard Enterprise recommends that you first disable the port or disconnect the link on that port.
  • Page 150: Viewing Existing Port Trunk Groups (Webagent)

    Thus, to display a listing of dynamic LACP trunk ports, you must use the show lacp command. In most cases, trunks configured for LACP on the switches operate as described in the following table.
  • Page 151 Table 14: LACP trunk types LACP port trunk Operation configuration Dynamic LACP This option automatically establishes an 802.3ad-compliant trunk group, with LACP for the port Type parameter and DynX for the port Group name, where X is an automatically assigned value from 1 to 60, depending on how many dynamic and static trunks are currently on the switch.
  • Page 152: Default Port Operation

    The following table lists the elements of per-port LACP operation. To display this data for a switch, execute the following command in the CLI: switch# show lacp
  • Page 153: Lacp Notes And Restrictions

    Table 15: LACP port status data Status Meaning name Port Numb Shows the physical port number for each port configured for LACP operation (C1, C2, C3 …). Unlisted port numbers indicate that the missing ports that are assigned to a static trunk group are not configured for any trunking.
  • Page 154: 802.1X (Port-Based Access Control) Configured On A Port

    VLANs and dynamic LACP A dynamic LACP trunk operates only in the default VLAN (unless you have enabled GVRP on the switch and use Forbid to prevent the ports from joining the default VLAN).
  • Page 155: Blocked Ports With Older Devices

    If you want to use LACP for a trunk on a non-default VLAN and GVRP is disabled, configure the trunk as a static trunk. Blocked ports with older devices Some older devices are limited to four ports in a trunk. When eight LACP-enabled ports are connected to one of these older devices, four ports connect, but the other four ports are blocked.
  • Page 156: Half-Duplex, Different Port Speeds, Or Both Not Allowed In Lacp Trunks

    Appears in the output from the CLI show lacp command. Interface option Dynamic LACP trunk Static LACP trunk group Static non-protocol group Menu interface CLI show trunk CLI show interfaces
  • Page 157: Outbound Traffic Distribution Across Trunked Links

    Interface option Dynamic LACP trunk Static LACP trunk group Static non-protocol group CLI show lacp CLI show spanning- tree CLI show igmp CLI show config Outbound traffic distribution across trunked links The two trunk group options (LACP and trunk) use SA/DA pairs for distributing outbound traffic over trunked links. That is, the switch sends traffic from the same source address to the same destination address through the same trunked link, and may also send traffic from the same source address to a different destination address through the same link or a different link, depending on the mapping of path assignments among the links in the trunk.
  • Page 158: Trunk Load Balancing Using Port Layers

    3. L2-based: If the packet protocol is an IP packet use Layer 2 information. 4. For all options, if the packet is not an IP packet, use Layer 2 information.
  • Page 159: Enabling Trunk Load Balancing

    Enabling trunk load balancing Enter the following command to enable load balancing. Syntax: trunk-load-balance L3-based | [L4-based >] This option enables load balancing based on port layer information. The configuration is executed in global configuration context and applies to the entire switch. Default: L3-based load balancing L2-based: Load balance based on Layer 2 information.
  • Page 160 EDP exit snmp-server community "public" unrestricted
  • Page 161: Chapter 6 Port Traffic Controls

    Chapter 6 Port Traffic Controls Rate-limiting CAUTION: Rate-limiting is intended for use on edge ports in a network. It is not recommended for use on links to other switches, routers, or servers within a network, or for use in the network core. Doing so can interfere with applications the network requires to function properly.
  • Page 162: Displaying The Current Rate-Limit Configuration

    0 (zero) on a port blocks all traffic on that port. However, if this is the desired behavior on the port, Hewlett Packard Enterprise recommends using the <port-list> disable command instead of configuring a rate limit of 0.
  • Page 163 Listing the rate-limit configuration switch# show rate-limit all 1-6 All-Traffic Rate Limit Maximum % | Inbound Radius | Outbound Radius Port | Limit Mode Override | Limit Mode Override ------ + --------- -------- ----------- + --------- -------- -------- | Disabled Disabled No-override | 200 kbps No-override...
  • Page 164: Operating Notes For Rate-Limiting

    : Operation is not allowed for a trunked port. NOTE: Rate-limiting on a trunk is allowed for the queues traffic type on the Aruba 2920 switches. See Configuring egress per-queue rate-limiting (2920 and 5400R switches only).
  • Page 165: Icmp Rate-Limiting

    NOTE: Rate-limiting is applied to the available bandwidth on a port and not to any specific applications running through the port. If the total bandwidth requested by all applications is less than the configured maximum rate, then no rate-limit can be applied. This situation occurs with a number of popular throughput-testing applications, as well as most regular network applications.
  • Page 166: Guidelines For Configuring Icmp Rate-Limiting

    Configures inbound ICMP traffic rate-limiting. You can configure a rate limit from either the global configuration level (as shown above) or from the interface context level. The no form of the command disables ICMP rate-limiting on the specified interfaces.
  • Page 167: Using Both Icmp Rate-Limiting And All-Traffic Rate-Limiting On The Same Interface

    (Default: Disabled.) percent <1-100> Values in this range allow ICMP traffic as a percentage of the bandwidth available on the interface. kbps <0-10000000> Specifies the rate at which to forward traffic in kilobits per second. Causes an interface to drop all incoming ICMP traffic and is not recommended. See the caution.
  • Page 168: Viewing The Current Icmp Rate-Limit Configuration

    Rate-limiting on a trunk is not allowed for the all, bcast, icmp, and mcast traffic types. Neither all-traffic nor ICMP rate-limiting is supported on ports configured in a trunk group.
  • Page 169: Notes On Testing Icmp Rate-Limiting

    NOTE: Rate-limiting on a trunk is allowed for the queues traffic type on the HPE 2920 switches. See Configuring egress per-queue rate-limiting (2920 and 5400R switches only). • ICMP percentage-based rate-limits are calculated as a percentage of the negotiated link speed: For example, if a 100 Mbps port negotiates a link to another switch at 100 Mbps and is ICMP rate-limit configured at 5%, the inbound ICMP traffic flow through that port is limited to 5 Mbps.
  • Page 170: Icmp Rate-Limiting Trap And Event Log Messages

    = 1 ifDescr.2 = 2 ifDescr.3 = 3 ifDescr.4 = 4 ifDescr.5 = 5 ifDescr.6 = 6 ifDescr.7 = 7 ifDescr.8 = 8 ifDescr.9 = 9 ifDescr.10 = 10
  • Page 171: Configuring Inbound Rate-Limiting For Broadcast And Multicast Traffic

    ifDescr.11 = 11 ifDescr.12 = 12 ifDescr.13 = 13 ifDescr.14 = 14 ifDescr.15 = 15 ifDescr.16 = 16 ifDescr.17 = 17 ifDescr.18 = 18 ifDescr.19 = 19 ifDescr.20 = 20 ifDescr.21 = 21 ifDescr.22 = 22 ifDescr.23 = 23 ifDescr.24 = 24 ifDescr.210 = Trk1 ifDescr.211 = Trk2 ifDescr.330 = DEFAULT_VLAN...
  • Page 172: Operating Notes

    | Disabled Disabled No-override | Disabled Disabled No-override Operating Notes The following information is displayed for each installed transceiver: • Port number on which transceiver is installed. • Type of transceiver.
  • Page 173: Configuring Egress Per-Queue Rate-Limiting (2920 And 5400R Switches Only)

    • Product number — Includes revision letter, such as A, B, or C. If no revision letter follows a product number, this means that no revision is available for the transceiver. • Part number — Allows you to determine the manufacturer for a specified transceiver and revision number. •...
  • Page 174: Rate-Limit Queues Out Command

    60 50 70 60 40 80 90 30 exit snmp-server community "public" unrestricted oobm ip address dhcp-bootp exit vlan 1 name "DEFAULT_VLAN" untagged 1-9,13-24,A1-A2,B1-B2,Trk1 ip address dhcp-bootp exit spanning-tree Trk1 priority 4
  • Page 175: Show Rate-Limit Queues

    show rate-limit queues Syntax: show rate-limit queues <port-list> Using the show rate-limit command with the queues option added in software release 15.18 enables you to specify both individual ports and port trunk names to display the output. If nothing is specified, all physical ports and any static, non-DT trunks are displayed with their current settings previously configured with the rate-limit queues command.
  • Page 176: Rate-Limiting Unknown Unicast Traffic

    Set a rate limit for unicast flood traffic. switch(eth-2)# rate-limit unknown-unicast Set a rate limit for incoming unicast flood traffic. switch(eth-2)# rate-limit unknown-unicast in kbps percent switch(eth-2)# rate-limit unknown-unicast in percent 10
  • Page 177: Rate-Limit Unknown-Unicast In Kbps

    switch(eth-2)# show rate-limit bcast Show broadcast traffic rate limits. icmp Show ICMP traffic rate limits. mcast Show multicast traffic rate limits. queues Show limits for outgoing queue traffic. unknown-unicast Show unicast flood traffic rate limits. switch(eth-2)# show rate-limit unknown-unicast [ethernet] PORT-LIST The ports to show information for.
  • Page 178: Show Rate-Limit Unknown-Unicast

    | Inbound Limit Mode ----- + ------------- --------- | 10 kbps | 10 | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled
  • Page 179: Rate-Limiting Unknown Unicast Traffic

    | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled | Disabled Disabled Rate-limiting Unknown Unicast Traffic Unknown unicast traffic consists of unicast packets with unknown destination MAC addresses. The switch floods the unicast packets to all interfaces that are members of the VLAN.
  • Page 180: Rate-Limit Unknown-Unicast In Kbps

    Set a rate limit for incoming unicast flood traffic. switch(eth-1)# rate-limit unknown-unicast kbps percent switch(eth-1)# rate-limit unknown-unicast in kbps 100 switch(eth-1)# show rate-limit Show total traffic rate limits. bcast Show broadcast traffic rate limits.
  • Page 181: Show Rate-Limit Unknown-Unicast

    icmp Show ICMP traffic rate limits. mcast Show multicast traffic rate limits. queues Show limits for outgoing queue traffic. unknown-unicast Show unicast flood traffic rate limits. switch(eth-1)# show rate-limit unknown-unicast Unknown-Unicast Traffic Rate Limit Maximum % Port | Inbound Limit Mode ----- + ------------- --------- | 100 kbps...
  • Page 182: Guaranteed Minimum Bandwidth (Gmb)

    1 (low) 2 (low) 0 (normal) 3 (normal) 4 (medium) 5 (medium) 6 (high) 7 (high) The switch processes outbound traffic from an untagged port at the "0" (normal) priority level.
  • Page 183: Impacts Of Qos Queue Configuration On Gmb Operation

    You can use GMB to reserve a specific percentage of each port's available outbound bandwidth for each of the eight priority queues. This means that regardless of the amount of high-priority outbound traffic on a port (including each port in a static trunk), you can ensure that there will always be bandwidth reserved for lower-priority traffic.
  • Page 184: Configuring Gmb For Outbound Traffic

    You must specify a bandwidth percent value for all except the highest priority queue, which may instead be set to "strict" mode. The sum of the bandwidth percentages below the top queue cannot exceed 100%. (0 is a value for a queue percentage setting.)
  • Page 185 Configuring a total of less than 100% across the eight queues results in unallocated bandwidth that remains harmlessly unused unless a given queue becomes oversubscribed. In this case, the unallocated bandwidth is apportioned to oversubscribed queues in descending order of priority. For example, if you configure a minimum of 10% for queues 1 to 7 and 0% for queue 8, the unallocated bandwidth is available to all eight queues in the following prioritized order: Queue 8 (high priority)
  • Page 186: Viewing The Current Gmb Configuration

    HP Switch(interface 1–5) # bandwidth-min output 2 3 30 10 10 10 15 strict Viewing the current GMB configuration This command displays the per-port GMB configuration in the running-config file. Syntax: show bandwidth output <port-list|trk_#>
  • Page 187: Gmb Operating Notes

    Without <port-list|trk_#> , this command lists the GMB configuration for all ports and static trunks on the switch. With <port-list|trk_#> , this command lists the GMB configuration for the specified ports and static trunks. This command operates the same way in any CLI context. If the command lists Disabled for a port or trunk, there are no bandwidth minimums configured for any queue on the port or trunk.
  • Page 188: Jumbo Traffic-Handling

    VLANs. This can occur in situations where a non-jumbo VLAN includes some ports that do not belong to another, jumbo-enabled VLAN and some ports that do belong
  • Page 189: Configuring Jumbo Frame Operation

    to another, jumbo-enabled VLAN. In this case, ports capable of receiving jumbo frames can forward them to the ports in the VLAN that do not have jumbo capability, as shown in Figure 27: Forwarding jumbo frames through non-jumbo ports on page 189. Figure 27: Forwarding jumbo frames through non-jumbo ports Jumbo frames can also be forwarded out non-jumbo ports when the jumbo frames received inbound on a jumbo-enabled VLAN are routed to another, non-jumbo VLAN for outbound transmission on ports that have no...
  • Page 190 VLANS. (See Figure 29: Listing the VLAN memberships for a range of ports on page 190.) Figure 29: Listing the VLAN memberships for a range of ports Syntax: show vlans <vid>
  • Page 191: Enabling Or Disabling Jumbo Traffic On A Vlan

    Shows port membership and jumbo configuration for the specified vid . (See Figure 30: Example: of listing the port membership and jumbo status for a VLAN on page 191.) Figure 30: Example: of listing the port membership and jumbo status for a VLAN Enabling or disabling jumbo traffic on a VLAN Syntax: vlan <vid>...
  • Page 192: Configuring Ip Mtu

    • The original way to configure jumbo frames remains the same, which is per-VLAN, but you cannot set a maximum frame size per-VLAN.
  • Page 193: Troubleshooting

    • Jumbo support must be enabled for a VLAN from the CLI or through SNMP. • Setting the maximum frame size does not require a reboot. • When you upgrade to a version of software that supports setting the maximum frame size from a version that did not, the max-frame-size value is set automatically to 9216 bytes.
  • Page 194: Chapter 7 Fault-Finder Port-Level Link-Flap

    Re-enable the port after waiting for the specified number of seconds. The default value is 0, which indicates that the port will not be automatically enabled. sensitivity Indicate the sensitivity of the link-flap control threshold within a 10-second interval.
  • Page 195 • Low indicates 10 link-flaps. • Medium indicates 6 link-flaps. • High indicates 3 link-flaps. Parameters action Configure the action taken when a fault is detected. ethernet PORT-LIST Enable link-flap control on a list of ports. warn Warn about faults found. warn-and-disable Warn and disable faulty component.
  • Page 196: Show Fault-Finder Link-Flap

    Left ------ ----- + ------ ----------- ------------------ ---------- ------------ Down warn-and-disable 65535 45303 switch# show fault-finder link-flap Link | Port Disable Disable Time Port Flap | Status Sensitivity Action Timer Left
  • Page 197: Event Log

    ------ ----- + ------ ----------- ------------------- ---------- ------------ Down warn-and-disable 65535 45303 None None Down warn-and-disable Down High warn-and-disable NOTE: This example displays only the list of ports configured via the above per-port config commands and does not include the global configuration ports. Event Log Cause Message...
  • Page 198: Chapter 8 Configuring For Network Management Applications

    1. Type a model number of your switch (for example, 8212) or product number in the Auto Search text box. 2. Select an appropriate product from the drop-down list. 3. Click the Display selected button.
  • Page 199: Snmpv1 And V2C Access To The Switch

    If you want to restrict access to one or more specific nodes, you can use the switch's IP Authorized Manager feature. (See the access security guide for your switch.) CAUTION: If network management security is a concern, Hewlett Packard Enterprise recommends that you change the write access for the "public" community to "Restricted."...
  • Page 200: Enabling And Disabling Switch For Access From Snmpv3 Agents

    Syntax: show snmpv3 restricted-access Enabling SNMPv3 The snmpv3 enable command allows the switch to: • Receive SNMPv3 messages. • Configure initial users. • Restrict non-version 3 messages to "read only" (optional).
  • Page 201: Snmpv3 Users

    The initial user record can be downgraded and provided with fewer features, but not upgraded by adding new features. For this reason, Hewlett Packard Enterprise recommends that when you enable SNMPv3, you also create a second user with SHA authentication and DES privacy.
  • Page 202 Listing Users To display the management stations configured to access the switch with SNMPv3 and view the authentication and privacy protocols that each station uses, enter the show snmpv3 user command.
  • Page 203 Syntax: show snmpv3 user Display of the management stations configured on VLAN 1 on page 203 displays information about the management stations configured on VLAN 1 to access the switch. Display of the management stations configured on VLAN 1 switch# configure terminal switch(config)# vlan 1 switch(vlan-1)# show snmpv3 user Status and Counters - SNMPv3 Global Configuration Information...
  • Page 204: Group Access Levels

    Manager Write View – access to all managed objects except the following: ◦ vacmContextTable ◦ vacmAccessTable ◦ vacmViewTreeFamilyTable • OperatorReadView – no access to the following: ◦ icfSecurityMIB ◦ hpSwitchIpTftpMode ◦ vacmContextTable
  • Page 205: Snmpv3 Communities

    ◦ vacmAccessTable ◦ vacmViewTreeFamilyTable ◦ usmUserTable ◦ snmpCommunityTable • Discovery View – Access limited to samplingProbe MIB. NOTE: All access groups and views are predefined on the switch. There is no method to modify or add groups or views to those that are predefined on the switch. SNMPv3 communities SNMP communities are supported by the switch to allow management applications that use version 2c or version 1 to access the switch.
  • Page 206: Viewing And Configuring Non-Version-3 Snmp Communities (Menu)

    If you need information on the options in each field, press [Enter] to move the cursor to the Actions line, then select the Help option. When you are finished with Help, press [E] (for Edit) to return the cursor to the parameter fields.
  • Page 207: Listing Community Names And Values (Cli)

    3. Enter the name you want in the Community Name field, and use the Space bar to select the appropriate value in each of the other fields. (Use the [Tab] key to move from one field to the next.) 4. Press [Enter] , then [S] (for Save ). Listing community names and values (CLI) This command lists the data for currently configured SNMP community names (along with trap receivers and the setting for authentication traps—see SNMP notifications on page 208).
  • Page 208: Snmp Notifications

    • SNMPv2c informs • SNMP v3 notification process, including traps This section describes how to configure a switch to send network security and link-change notifications to configured trap receivers.
  • Page 209: Supported Notifications

    Supported Notifications By default, the following notifications are enabled on a switch: • Manager password changes • SNMP authentication failure • Link-change traps: when the link on a port changes from up to down (linkDown) or down to up (linkUp) •...
  • Page 210: Snmp Trap Receivers

    IPv4 or IPv6 address. You can specify up to ten trap receivers (network management stations). (The default community name is public.)
  • Page 211: Snmp Trap When Mac Address Table Changes

    An SNMP trap is generated when a laptop/PC is removed from the back of an IP phone and the laptop/PC MAC address ages out of the MAC table for the Aruba 2920 switch. The mac-notify trap feature globally enables the generation of SNMP trap notifications on MAC address table changes (learns/moves/removes/ages).
  • Page 212: Snmpv2C Informs

    [no] snmp-server host {< ipv4-addr | ipv6-addr >} <community name> inform [retries < count >] [timeout < interval >] Enables (or disables) the inform option for SNMPv2c on the switch and allows you to configure options for sending SNMP inform requests.
  • Page 213: Configuring Snmpv3 Notifications (Cli)

    retries Maximum number of times to resend an inform request if no SNMP response is received. (Default: 3) timeout Number of seconds to wait for an acknowledgement before resending the inform request. (Default: 15 seconds) NOTE: The retries and timeout values are not used to send trap requests. To verify the configuration of SNMPv2c informs, enter the show snmp-server command, as shown in Display of SNMPv2c inform configuration on page 213 (note indication of inform Notify Type in bold below): Display of SNMPv2c inform configuration...
  • Page 214 Syntax: [no] snmpv3 targetaddress {< ipv4-addr | ipv6-addr >} <name> Configures the IPv4 or IPv6 address, name, and configuration filename of the SNMPv3 management station to which notification messages are sent.
  • Page 215 params <parms_name>: Name of the SNMPv3 station's parameters file. The parameters filename configured with params params_name must match the params params_name value entered with the snmpv3 params command in Step 6. taglist <tag_name> [tag_name] …: Specifies the SNMPv3 notifications (identified by one or more tag_name values) to be sent to the IP address of the SNMPv3 management station.
  • Page 216: Network Security Notifications

    ARP protection events • Inability to establish a connection with the RADIUS or TACACS+ authentication server • DHCP snooping events • Dynamic IP Lockdown hardware resources consumed • Link change notification
  • Page 217 • Invalid password entered in a login attempt through a direct serial, Telnet, or SSH connection • Manager password changes • Port-security (web, MAC, or 802.1X) authentication failure • SNMP authentication failure • Running configuration changes Enabling or disabling notification/traps for network security failures and other security events (CLI) For more information, see Network security notifications on page 216.
  • Page 218: Enabling Link-Change Traps (Cli)

    By default, a switch is enabled to send a trap when the link state on a port changes from up to down (linkDown) or down to up (linkUp). To reconfigure the switch to send link-change traps to configured trap receivers, enter the snmp-server enable traps link-change command.
  • Page 219: Source Ip Address For Snmp Notifications

    Syntax: [no] snmp-server enable traps link-change <port-list> [all] Enables or disables the switch to send a link-change trap to configured trap receivers when the link state on a port goes from up to down or down to up. Enter all to enable or disable link-change traps on all ports on the switch. Readable interface names in traps The SNMP trap notification messages for linkup and linkdown events on an interface include IfDesc and IfAlias var-bind information.
  • Page 220 Display of source IP address configuration switch(config)# show snmp-server SNMP Communities Community Name MIB View Write Access ---------------- -------- ------------ public Manager Unrestricted Trap Receivers Link-Change Traps Enabled on Ports [All] : All
  • Page 221: Viewing Snmp Notification Configuration (Cli)

    Excluded MIBs Snmp Response Pdu Source-IP Information Selection Policy : dstIpOfRequest Trap Pdu Source-IP Information Selection Policy : Configured IP dstIpOfRequest: The destination IP address of the interface on which an SNMP request is received is used as the source IP address in SNMP replies. Viewing SNMP notification configuration (CLI) Syntax: show snmp-server...
  • Page 222: Displaying Information About The Mac-Count-Notify Option

    ------------ The interface context can be used to configure the value for sending a trap. Configuring mac-count-notify traps from the interface context switch(config)# interface 5 HP Switch (eth-5)# mac-count-notify traps 35
  • Page 223: Advanced Management: Rmon

    The show snmp-server traps command displays whether the MAC Address Count feature is enabled or disabled. Information about SNMP traps, including MAC address count being Enabled/Disabled switch(config)# show snmp-server traps Trap Receivers Link-Change Traps Enabled on Ports [All] : All Traps Category Current Status ____________________________...
  • Page 224: Cli-Configured Sflow With Multiple Instances

    The command enables an sFlow receiver/destination. The receiver-instance number must be a 1, 2, or 3. By default, the udp destination port number is 6343. To disable an sFlow receiver/destination, enter no sflow <receiver-instance> oobm: Use the OOBM port to reach the specified sFlow receiver.
  • Page 225: Viewing Sflow Configuration And Status (Cli)

    sFlow destination is OOBM port switch (config#) sflow 1 destination 192.168.2.3 6000 oobm Output showing OOBM support enabled switch# show sflow 1 destination Destination Instance sflow : Enabled Datagrams Sent Destination Address : 192.168.2.3 Receiver Port : 6343 Owner : Administrator, CLI-Owned, Instance 1 Timeout (seconds) : 2147479533 Max Datagram Size...
  • Page 226 Max Datagram Size shows the currently set value (typically a default value, but this can also be set by the management station). Syntax: show sflow <receiver instance> sampling-polling <port-list/range> Displays status information about sFlow sampling and polling.
  • Page 227: Configuring Udld Verify Before Forwarding

    The show sflow instance sampling-polling [port-list] command displays information about sFlow sampling and polling on the switch, as shown in Figure 38: Example: of viewing sFlow sampling and polling information on page 227. You can specify a list or range of ports for which to view sampling information. Figure 38: Example: of viewing sFlow sampling and polling information NOTE: The sampling and polling instances (noted in parentheses) coupled to a specific receiver instance are assigned dynamically, and so the instance numbers may not always match.
  • Page 228: Restrictions

    Configure the interval for link-keepalive. The link-keepalive interval is the time between sending two UDLD packets. The time interval is entered in deciseconds (1/10 sec). The default keepalive interval is 50 deciseconds. Example: A value of 10 is 1 sec., 11 is 1.1 sec.
  • Page 229: Show Commands

    Syntax: HP Switch(config)# link-keepalive retries <number> Maximum number of sending attempts for UDLD packets before declaring the link as faulty. Default keepalive attempt is 4. Show commands Syntax: switch(config)# show link-keepalive Sample output: Total link-keepalive enabled ports: 8 Keepalive Retries : 4 Keepalive Interval: 5 sec Keepalive Mode : verify-then-forward Physical Keepalive Adjacent UDLD...
  • Page 230: General Lldp Operation

    The commands in the LLDP sections affect both LLDP and LLDP-MED operation. For information on operation and configuration unique to LLDP-MED, see LLDP-MED (media-endpoint-discovery) on page 245.
  • Page 231: Enable Or Disable Lldp On The Switch

    Enable or disable LLDP on the switch In the default configuration, LLDP is globally enabled on the switch. To prevent transmission or receipt of LLDP traffic, you can disable LLDP operation. Enable or disable LLDP-MED In the default configuration for the switches, LLDP-MED is enabled by default. (Requires that LLDP is also enabled.) For more information, see LLDP-MED (media-endpoint-discovery) on page 245.
  • Page 232 Uses the switch's assigned name. System Description Enable/Disable Enabled Includes switch model name and running software version, and ROM version. Port Description Enable/Disable Enabled Uses the physical port identifier.
  • Page 233: Remote Management Address

    Data type Configuration options Default Description System capabilities Enable/Disable Enabled Identifies the switch's supported primary capabilities (bridge, router). System capabilities Enable/Disable Enabled Identifies the primary 3,66 3 enabled switch functions that are enabled, such as routing. The Packet Time-to-Live value is included in LLDP data packets. Subelement of the Chassis ID TLV.
  • Page 234: Lldp Operating Rules

    The commands in this section affect both LLDP and LLDP-MED operation. For information on operation and configuration unique to LLDP-MED, refer to “LLDP-MED (Media-Endpoint-Discovery)”. Syntax: show lldp config
  • Page 235 Displays the LLDP global configuration, LLDP port status, and SNMP notification status. For information on port admin status, see Configuring per-port transmit and receive modes (CLI) on page 240. show lldp config produces the following display when the switch is in the default LLDP configuration: Viewing the general LLDP configuration switch(config)# show lldp config LLDP Global Configuration...
  • Page 236: Configuring Global Lldp Packet Controls

    The switch preserves the current LLDP configuration when LLDP is disabled. After LLDP is disabled, the information in the LLDP neighbors database remains until it times out. (Default: Enabled)
  • Page 237 Disabling LLDP switch(config)# no lldp run Changing the packet transmission interval (CLI) This interval controls how often active ports retransmit advertisements to their neighbors. Syntax: lldp refresh-interval <5-32768> Changes the interval between consecutive transmissions of LLDP advertisements on any given port. (Default: 30 seconds) NOTE: The refresh-interval must be greater than or equal to (4 x delay-interval).
  • Page 238 Extending the reinitialization-delay interval delays the ability of the port to reinitialize and generate LLDP traffic following an LLDP disable/enable cycle. Changing the reinitialization delay interval (CLI) Syntax: setmib lldpReinitDelay.0 -i <1-10>
  • Page 239: Configuring Snmp Notification Support

    Uses setmib to change the minimum time (reinitialization delay interval) an LLDP port will wait before reinitializing after receiving an LLDP disable command followed closely by a txonly or tx_rx command. The delay interval commences with execution of the lldp admin-status port-list disable command. (Default: 2 seconds;...
  • Page 240: Configuring Per-Port Transmit And Receive Modes (Cli)

    The no form of the command deletes the specified IP address. If there are no IP addresses configured as management addresses, the IP address selection method returns to the default operation.
  • Page 241 Default: The port advertises the IP address of the lowest-numbered VLAN (VID) to which it belongs. If there is no IP address configured on the VLANs to which the port belongs, and if the port is not configured to advertise an IP address from any other (static) VLAN on the switch, the port advertises an address of 127.0.0.1. NOTE: This command does not accept either IP addresses acquired through DHCP or Bootp, or IP...
  • Page 242: Support For Port Speed And Duplex Advertisements

    Using SNMP to compare local and remote information can help in locating configuration mismatches. (Default: Enabled) NOTE: For LLDP operation, this TLV is optional. For LLDP-MED operation, this TLV is mandatory.
  • Page 243: Port Vlan Id Tlv Support On Lldp

    Port VLAN ID TLV support on LLDP The port-vlan-id option enables advertisement of the port VLAN ID TLV as part of the regularly advertised TLVs. This allows discovery of a mismatch in the configured native VLAN ID between LLDP peers. The information is visible using show commands and is logged to the Syslog server.
  • Page 244: Snmp Support

    MIB object lldpXdot1ConfigPortVlanTxEnable in the lldpXdot1ConfigPortVlanTable. The port VLAN ID TLV local information can be obtained from the MIB object lldpXdot1LocPortVlanId in the local information table lldpXdot1LocTable.
  • Page 245: Lldp-Med (Media-Endpoint-Discovery)

    The port VLAN ID TLV information about all the connected peer devices can be obtained from the MIB object lldpXdot1RemPortVlanId in the remote information table lldpXdot1RemTable. LLDP-MED (media-endpoint-discovery) LLDP-MED (ANSI/TIA-1057/D6) extends the LLDP (IEEE 802.1AB) industry standard to support advanced features on the network edge for Voice Over IP (VoIP) endpoint devices with specialized capabilities and LLDP-MED standards-based functionality.
  • Page 246: Lldp-Med Endpoint Support

    IP media and offer all Class 1 and Class 2 features, plus location identification and emergency 911 capability, Layer 2 switch support, and device information management. LLDP-MED operational support The switches offer two configurable TLVs supporting MED-specific capabilities:
  • Page 247: Lldp-Med Fast Start Control

    • medTlvEnable (for per-port enabling or disabling of LLDP-MED operation) • medPortLocation (for configuring per-port location or emergency call data) NOTE: LLDP-MED operation also requires the port speed and duplex TLV (dot3TlvEnable), which is enabled in the default configuration. Topology change notifications provide one method for monitoring system activity. However, because SNMP normally employs UDP, which does not guarantee datagram delivery, topology change notification should not be relied upon as the sole method for monitoring critical endpoint device connectivity.
  • Page 248 Web browser.) The QoS and voice VLAN policy elements can be statically configured with the following CLI commands: vlan <vid> voice vlan <vid> {<tagged | untagged> <port-list>} int <port-list> qos priority <0-7> vlan <vid> qos dscp <codepoint>
  • Page 249 NOTE: A codepoint must have an 802.1p priority before you can configure it for use in prioritizing packets by VLAN-ID. If a codepoint you want to use shows No Override in the Priority column of the DSCP policy table (display with show qos-dscp map), then use qos-dscp map <codepoint>...
  • Page 250: Location Data For Lldp-Med Devices

    You can configure a switch port to advertise location data for the switch itself, the physical wall-jack location of the endpoint (recommended), or the location of a DHCP server supporting the switch, endpoint, or both. You also have the option of configuring these different address types:
  • Page 251 • Civic address: physical address data such as city, street number, and building information • ELIN (Emergency Location Identification Number): an emergency number typically assigned to MLTS (Multiline Telephone System) Operators in North America • Coordinate-based location: latitude, longitude, and altitude information (Requires configuration via an SNMP application.) Configuring location data for LLDP-MED devices Syntax:...
  • Page 252 An ELIN is a valid NANP format telephone number assigned to MLTS operators in North America by the appropriate authority. The ELIN is used to route emergency (E911) calls to a PSAP. (Range: 1-15 numeric characters)
  • Page 253 Configuring coordinate-based locations Latitude, longitude, and altitude data can be configured per switch port using an SNMP management application. For more information, see the documentation provided with the application. A further source of information on this topic is RFC 3825-Dynamic host configuration protocol option for coordinate-based location configuration information.
  • Page 254: Viewing Switch Information Available For Outbound Advertisements

    <port-list> command to change the selection of information that is included in actual outbound advertisements. In the default LLDP configuration, all information displayed by this command is transmitted in outbound advertisements.
  • Page 255: Displaying The Current Port Speed And Duplex Configuration On A Switch Port

    In the default configuration, the switch information currently available for outbound LLDP advertisements appears similar to the display in the following example. Displaying the global and per-port information available for outbound advertisements switch(config)# show lldp info local-device LLDP Local Device Information Chassis Type : mac-address Chassis Id : 00 23 47 4b 68 DD System Name : HP Switch1...
  • Page 256: Viewing Advertisements Currently In The Neighbors Mib

    An LLDP-MED listing of an advertisement received from an LLDP-MED (VoIP telephone) source switch(config)# show lldp info remote-device 1 LLDP Remote Device Information Detail Local Port : A2 ChassisType : network-address ChassisId : 0f ff 7a 5c PortType : mac-address
  • Page 257: Displaying Lldp Statistics

    PortId : 08 00 0f 14 de f2 SysName : HP Switch System Descr : HP Switch, revision xx.15.06.0000x PortDescr : LAN Port System Capabilities Supported : bridge, telephone System Capabilities Enabled : bridge, telephone Remote Management Address MED Information Detail EndpointClass :Class3 Media Policy Vlan id...
  • Page 258 The number of LLDP neighbors dropped on the port because of Time-to-Live expiring. Examples: A global LLDP statistics display switch(config)# show lldp stats LLDP Device Statistics Neighbor Entries List Last Updated : 2 hours
  • Page 259: Lldp Over Oobm

    New Neighbor Entries Count : 20 Neighbor Entries Deleted Count : 20 Neighbor Entries Dropped Count : 0 Neighbor Entries AgeOut Count : 20 LLDP Port Statistics Port | NumFramesRecvd NumFramesSent NumFramesDiscarded ------ + -------------- ------------- ------------------ | 97317 97843 | 21 | 446 A per-port LLDP statistics display...
  • Page 260 [2] : 2 LLDP Reinit Interval [2] : 2 LLDP Notification Interval [5] : 5 LLDP Fast Start Count [5] : 5 LLDP Port Configuration Port | AdminStatus NotificationEnabled Med Topology Trap Enabled
  • Page 261 ------ + ----------- ------------------- ------------------------- | Tx_Rx False False | Tx_Rx False False | Tx_Rx False False | Tx_Rx False False | Tx_Rx False False | Tx_Rx False False | Tx_Rx False False | Tx_Rx False False | Tx_Rx False False OOBM | Tx_Rx...
  • Page 262 This command shows LLDP information about a local device for the specified oobm ports. Syntax show lldp info local-device oobm Example switch(config)# show lldp info local-device oobm LLDP Local Port Information Detail
  • Page 263 Port : OOBM PortType : local PortId : 4000 PortDesc : OOBM Pvid : n/a show lldp info remote-device oobm This command shows LLDP information about a remote device for the specified oobm ports. Syntax show lldp info remote-device oobm Example switch(config)# show lldp info remote-device oobm LLDP Remote Device Information Detail...
  • Page 264: Lldp Operating Notes

    LLDP advertises only one IP address per port, even if multiple IP addresses are configured by lldp config port-list ipAddrEnable on a given port. 802.1Q VLAN Information LLDP packets do not include 802.1Q header information and are always handled as untagged packets.
  • Page 265: Effect Of 802.1X Operation

    Effect of 802.1X Operation If 802.1X port security is enabled on a port, and a connected device is not authorized, LLDP packets are not transmitted or received on that port. Any neighbor data stored in the neighbor MIB for that port prior to the unauthorized device connection remains in the MIB until it ages out.
  • Page 266: Cdp Operation And Commands

    MIB, see the documentation provided with the particular SNMP utility. Viewing the current CDP configuration of the switch CDP is shown as enabled/disabled both globally on the switch and on a per-port basis.
  • Page 267: Viewing The Current Cdp Neighbors Table Of The Switch

    Syntax: show cdp Lists the global and per-port CDP configuration of the switch. The following example shows the default CDP configuration. Default CDP configuration switch(config)# show cdp Global CDP information Enable CDP [Yes] : Yes (Receive Only) Port CDP ---- -------- enabled enabled enabled...
  • Page 268: Enabling And Disabling Cdp Operation

    VLAN ID in a reply packet to the phone using the VLAN Reply TLV (type 0x0e). The phone then begins tagging all packets with the advertised voice VLAN ID.
  • Page 269 NOTE: A voice VLAN must be configured before the voice VLAN can be advertised. For example, to configure VLAN 10 as a voice VLAN tagged for ports 1 through 10, enter these commands: switch(config)# vlan 10 switch(vlan-10)# tagged 1-10 switch(vlan-10)# voice switch(vlan-10)# exit The switch CDP packet includes these TLVs: •...
  • Page 270: Filtering Cdp Information

    MAC address learns from untagged VLAN traffic from IP phones. This means that normal protocol processing occurs for the packets, but the addresses associated with these packets are not learned or reported by the software
  • Page 271: Configuring The Switch To Filter Untagged Traffic

    address management components. This enhancement also filters out the MAC address learns from LLDP and 802.1x EAPOL packets on untagged VLANs. The feature is configured per-port. Configuring the switch to filter untagged traffic Enter this command to configure the switch not to learn CDP, LLDP, or EAPOL traffic for a set of interfaces. Syntax: [no] ignore-untagged-mac <port-list>...
  • Page 272: Filtering Pvid Mismatch Log Messages

    On a DHCP server, an IP pool is configured with various options. These options signify additional information about the network. Options are supported with explicit commands such as boot-file. Option codes that
  • Page 273: Bootp Support

    correspond to explicit commands cannot be configured with a generic option command; the generic option command requires an option code and TLV. NOTE: RFC 2132 defines various network information that a client may request when trying to get the lease. BootP support The DHCP server also functions as BootP server.
  • Page 274: Change In Server Behavior

    DHCP pool context. A maximum of 128 pools are supported. Syntax [no] dhcp-server pool <pool-name> Configure the DHCPv4 server IP address pool with either a static IP or a network IP range.
  • Page 275 pool DHCPv4 server IP address pool. ASCII-STR Enter an ASCII string. authoritative Configure the DHCP server authoritative for a pool. bootfile-name Specify the boot file name which is used as a boot image. default-router List of IP addresses of the default routers. dns-server List of IP addresses of the DNS servers.
  • Page 276: Authoritative

    Configure the DHCP pool context to the DNS IP servers that are available to a DHCP client. List of IP addresses of the DNS servers. Two IP addresses must be separated by comma. A maximum of eight DNS servers can be configured.
  • Page 277: Configure A Domain Name

    Configure a domain name Syntax [no] domain-name <name> Configure the DNS domain name for translation of hostnames to IP addresses. Configure lease time Syntax [no] lease [DD:HH:MM | infinite] DD:HH:MM Enter lease period. Lease Lease period of an IP address. Configure the lease time for an IP address in the DHCP pool.
  • Page 278: Configure Subnet And Mask

    Range of IP addresses for the DHCPv4 server address pool. ip-addr Low IP address. High IP address. Configure the DHCP pool to the range of IP address for the DHCP address pool.
  • Page 279: Configure The Static Binding Information

    Configure the static binding information Syntax [no] static-bind ip<IP-ADDR/MASK-LENGTH> mac <MAC-ADDR> Specify client IP address. static-bind Static binding information for the DHCPv4 server address pool. ip-addr / mask-length Interface IP address or mask. Specify client MAC address. mac-addr Enter a MAC address. Configure static binding information for the DHCPv4 server address pool.
  • Page 280: Change The Number Of Ping Packets

    URL Format: "tftp://<ip-address>/<filename>". database Specifies DHCPv4 database agent and the interval between database updates and database transfers. timeout Seconds to wait for the transfer before failing. ascii-str Database URL. <15-86400> Delay in seconds.
  • Page 281: Configure A Dhcp Server To Send Snmp Notifications

    <0-86400> Timeout in seconds. Specifies DHCPv4 database agent and the interval between database updates and database transfers. Configure a DHCP server to send SNMP notifications Syntax [no] snmp-server enable traps dhcp-server dhcp-server Traps for DHCP-Server. Configure a DHCP server to send SNMP notifications to the SNMP entity. This command enables or disables event traps sent by the switch.
  • Page 282: Reset All Dhcp Server And Bootp Counters

    Show DHCPv4 server conflicts information for the device. Display address conflicts found by a DHCPv4 server when addresses are offered by a client. Display DHCPv4 server database agent Syntax show dhcp-server database
  • Page 283: Display Dhcpv4 Server Statistics

    Database Show DHCPv4 server database information for the device. Display DHCPv4 server database agent information. Display DHCPv4 server statistics Syntax show dhcp-server statistics statistics Show DHCPv4 server statistics information for the device. Display DHCPv4 server statistics. Display the DHCPv4 server IP pool information Syntax show dhcp-server pool <pool-name>...
  • Page 284: Event Log Messages

    Dynamic binding for IP address %s is freed Dynamic binding for a specific IP address is freed. All the dynamic IP bindings are freed All the dynamic IP bindings are freed.
  • Page 285 Events Debug messages Remote binding database is configured at %s Remote binding database is configured for a specific URL. Remote binding database is disabled Remote binding database is disabled. Binding database read from %s at %s Binding database is read from the specified URL at the specified time Failed to read the remote binding database at %s Failed to read the remote binding from the...
  • Page 286: Lldp Management Tlv Transmission Disablement

    The command [no] lldp config <PORT NO> basicTlvEnable management_addr suppresses the IP address to be advertised. Commands [no] lldp config basicTlvEnable management_addr Syntax In the configure context: [no] lldp config <PORT_NUM> basicTlvEnable management_addr Description
  • Page 287: Lldp Config

    The feature suppresses the IPv4 or IPv6 address as well as suppresses the MAC address if the [no] ip address is configured. By default this management address TLV is enabled in switch. No other TLV (except management address TLV) suppression will occur when this command is used. Parameters Management_addr Management TLV...
  • Page 288 * management_addr IpAddress Advertised:
  • Page 289: Chapter 9 Captive Portal For Clearpass

    Chapter 9 Captive Portal for ClearPass The Captive Portal feature allows the support of the ClearPass Policy Manager (CPPM) into the ArubaOS-Switch product line. The switch provides configuration to allow you to enable or disable the Captive Portal feature. By default, Captive Portal is disabled to avoid impacting existing installations as this feature is mutually exclusive with the following web-based authentication mechanisms: Web Authentication, EWA, MAFR, and BYOD Redirect.
  • Page 290: Best Practices

    Replication of client data is only done when MAC or 802.1X authentication has resulted in a successful authentication. Load balancing and redundancy The following options are available to create load balancing and provide redundancy for CPPM:
  • Page 291: Captive Portal When Disabled

    • Virtual IP use for a CPPM server cluster • CPPM servers configured in the switch RADIUS server group • External load balancer Captive Portal when disabled By default, Captive Portal is disabled. If the Captive Portal feature is disabled and the switch receives a redirect URL attribute from the RADIUS server as part of the Access-Accept, it will view the redirect as an error.
  • Page 292: Create Enforcement Profiles

    URL, replacing the IP address with your CPPM address. This will cause the client to be redirected to the Captive Portal on CPPM. You can add other attributes, such as a VLAN to isolate onboarding clients, or a rate limit to help prevent DoS attacks.
  • Page 293: Create A Clearpass Guest Self-Registration

    NOTE: The HPE-Captive-Portal-URL value must be a URL normalized string. The scheme and host must be in lower case, for example http://www.example.com/. Create a ClearPass guest self-registration Procedure 1. From the Customize Guest Registration window, select Server-initiated as the Login Method. 2.
  • Page 294: Configure The Login Delay

    By default, Captive Portal is disabled. Once enabled, you are redirected to the URL supplied via the HPE-Captive-Portal-URL VSA. Captive Portal is enabled on a global/switch wide basis.
  • Page 295: Configure The Url Key

    Configure the URL key You can optionally configure a URL hash key to provide some security for the Captive Portal exchange with CPPM. The key is a shared secret between CPPM and the switch. When configured, the switch generates an HMAC-SHA1 hash of the entire redirect URL, and appends the hash to the URL to be sent to CPPM as part of the HTTP redirect.
  • Page 296: Show Certificate Information

    Cause The failure is due to a mutual exclusion restriction. Action 1. Check which one of the following are enabled: BYOD redirect, MAC authentication failure redirect, or web- based authentication.
  • Page 297: Unable To Enable Feature

    2. Disable the enabled authentication method found in step 1. 3. Run the aaa authentication captive-portal enable command. Unable to enable feature Symptom One of the following messages is displayed: • BYOD redirect cannot be enabled when captive portal is enabled. •...
  • Page 298: Unable To Configure A Url Hash Key

    Use the following show commands to view the various configurations and certificates. Command Description show running-config Shows the running configuration. show config Shows the saved configuration. show ip Shows the switch IP addresses.
  • Page 299: Debug Command

    Command Description show captive-portal Captive portal configuration. show port-access clients [port] Consolidated client view; the detailed option shows [detailed] the Access Policy that is applied. The IP address is only displayed if dhcp-snooping is enabled. For the summary view (without the detailed option), only the untagged VLAN is displayed.
  • Page 300: Chapter 10 Zero Touch Provisioning With Airwave And Central

    ZTP. If an Enterprise network spans multiple campuses and branches using WAN to communicate, use Activate-based ZTP. DHCP-based ZTP with AirWave Configuring DHCP-based ZTP with AirWave ZTP auto-configures your switches as follows: Procedure 1. The switch boots up with the factory default configuration.
  • Page 301 2. The switch sends out a DHCP discovery from the primary VLAN interface. a. The preferred configuration method uses the DHCP option 43 value as a string from which to parse the AirWave configuration. The switch expects DHCP option 60 with the value ArubaInstantAP along with DHCP option 43 in order to parse the AirWave details. b.
  • Page 302: Limitations

    Configure AirWave details in DHCP (preferred method) To configure a DHCP server for AirWave, from a Windows Server 2008, do the following steps: Procedure From the Start menu, select Server Manager.
  • Page 303 Select Roles -> DHCP -> Server -> w2k8 -> IPv4. Right-click IPv4 and select Set Predefined Options...
  • Page 304 The Predefined Options and Values screen is displayed. Click Add... Enter the desired Name (any), Data type (select String), Code (enter 60), and Description (any).
  • Page 305 Click OK. From the Predefined Options and Values screen, under Value, enter the String ArubaInstantAP. The string is case-sensitive and must be ArubaInstantAP. Click OK. Under IPv4, expand Scope. Right-click Scope Options and select Configure Options...
  • Page 306 The ASCII value has the following format: <Group>:<Topfolder>,<AMP IP>,<shared secret> 11. To add sub-folders, use the following format: <Group>:<Topfolder>:<folder1>,<AMP IP>,<shared secret> 12. Under the General tab, select 060 AirWave. Click OK.
  • Page 307: Configure Airwave Details In Dhcp (Alternative Method)

    NOTE: No changes are required to the 060 option. 13. You can verify the AirWave details as follows: switch# show amp-server switch# show run Configure AirWave details in DHCP (alternative method) To configure a DHCP server for ZTP and AirWave, from a Windows Server 2008, do the following steps: NOTE: Use these steps to configure ZTP for every switch by selecting a different Vendor Class for each type of switch.
  • Page 308 Select Roles -> DHCP -> Server -> w2k8 -> IPv4. Right-click IPv4 and select Define Vendor Classes...
  • Page 309 The DHCP Vendor Classes window is displayed. Click Add... To get the vendor-specific value of a switch, go to the switch console and enter: switch# show dhcp client vendor-specific In our example, the command returns the following value: Processing of Vendor Specific Configuration is enabled Vendor Class Id = HP J9729A 2920-24G-PoE+ Switch dslforum.org
  • Page 310 From the New Class window, enter the desired Display name (any) and the Description (any). For the ASCII field, enter the exact value that you got by executing the show command performed in the previous step. In this example, Hewlett Packard Enterprise J9729A 2920-24G-PoE+ Switch dslforum.org. Click OK.
  • Page 311 10. From the Predefined Options and Values window, select Option class. The Option Class displayed is the one that you configured under DHCP Vendor Class. In this example, the Option Class is switch. 11. Click Add... 12. From the Option Type window, enter the desired Class (any), the Data type (select string), the Code (enter 146), and the Description (any).
  • Page 312 14. Under the Predefined Options and Values window, enter the Value String. In this example, we enter hpeSwitch:hp2920,90.1.1.10, admin. The String has the following format: <Group>:<Topfolder>,<AMP IP>,<shared secret> 15. To add sub-folders, use the following format: <Group>:<Topfolder>:<folder1>,<AMP IP>,<shared secret> 16. Click OK.
  • Page 313 17. Under IPv4, expand Scope. Right-click Scope Options and select Configure Options... 18. From the Scope Options window: a. Select the Advanced tab. b. Under Vendor class, select the desired switch. In this example, switch. c. Select the 146 hpswitch option. d.
  • Page 314: Configure Airwave Details Manually

    In any of the above scenarios, you need to manually configure to reach the AirWave server using the amp-server command. This command helps you configure the AirWave IP address, group, folder, and shared secret. You must have the manager role to execute this command. For example:
  • Page 315: Amp-Server

    switch(config)# amp-server ip 192.168.1.1 group "group" folder "folder" secret "branch1024" The show amp-server command shows the configuration details: AirWave Configuration details AMP Server IP : 192.168.1.1 AMP Server Group : GROUP AMP Server Folder : folder AMP Server Secret : branch1024 AMP Server Config Status: Configured amp-server Syntax...
  • Page 316: Debug Ztp

    To upgrade with nonminimal configuration set from any 15.xx version to version 16.01, see Image Upgrade. • Once the DHCP server or Activate offers Airwave/Central details, ZTP is disabled. If the details are offered again, they are ignored.
  • Page 317: Image Upgrade

    Image Upgrade If you upgrade from any 15.xx version to version 16.xx, the following minimal set of configuration is validated to enable or disable the ZTP process: • If the switch has any other VLAN apart from the default VLAN, ZTP gets disabled. •...
  • Page 318: Ipsec For Airwave Connectivity

    Internet), the communication between the switch and AirWave server can be protected. You can configure IPsec tunnel using any of the following methods: • Activate ZTP • DHCP ZTP with option 138 • Manual configuration
  • Page 319: Ipsec Tunnel Establishment

    IPsec Tunnel Establishment • IPsec tunnel for AirWave is auto-configured. The switch decides to create IPsec tunnel only when an Aruba controller IP is present in the device before establishing the connection to AirWave. • If the controller IP is not provided, the switch will try to establish a direct connection to AirWave. •...
  • Page 320: Airwave Controller Ip Configuration Commands

    Configure Remote Access VPN session to protect specific switch generated traffic. It also supports secure ZTP of Airwave Management Platform (AMP) server. Configure Remote Access VPN session to protect specific switch generated traffic. Secure ZTP is not supported.
  • Page 321: Show Commands

    <ip-addr> IP address of the VPN. Usage switch(config)# aruba-vpn type switch(config)# aruba-vpn type amp switch(config)# aruba-vpn type amp peer-ip switch(config)# aruba-vpn type any NOTE: • When you configure aruba-vpn type as any, the switch creates a tunnel and updates the inner-ip.
  • Page 322: Show Ip Route

    Display brief configuration and status for all tunnels. Usage show interfaces tunnel aruba-vpn show interfaces tunnel brief show interfaces [tunnel] [<TUNNEL-LIST> | <TUNNEL-NAME> | brief | type] switch(config)# show interfaces tunnel aruba-vpn Tunnel Configuration :
  • Page 323: Show Crypto-Ipsec Sa

    Tunnel : tunnel-129 Tunnel Name : aruba-vpn-tunnel Tunnel Status : Enabled Source Address : 192.168.20.10 Destination Address : 171.0.0.3 Mode : IPsec IPv4 : Value from IPv4 header : 64 IPv6 : Disabled : 1280 Current Tunnel Status : Tunnel State : Up Destination Address Route : 0.0.0.0/0...
  • Page 324: Show Running-Configuration

    Central will automatically program the Activate portal with the required switch details and the group to which the switch must check in. The following diagram illustrates the working of Central ZTP:
  • Page 325 Switch being provisioned Branch 1 Activate Router/ WAN Router Firewall Internet WAN Router Corporate Aruba Central Servers Branch 2 Switch being provisioned The workflow is as follows: 1. The switches being provisioned in branches boot and connect to the Activate on the cloud. 2.
  • Page 326: Led Blink Feature

    ZTP and Airwave registration. Authorize the new switch and then push the Golden Configuration template from Airwave. Example Enable Aruba Central server support switch(config)# aruba-central enable Disable Aruba Central server support
  • Page 327: Aruba-Central Support-Mode

    switch(config)# aruba-central disable Enter support mode to enable all CLI configuration commands switch(config)# aruba-central support-mode enable This mode will enable all CLI configuration commands, including those normally reserved by the Aruba Central service. Use of this mode may invalidate the configuration provisioned through Aruba Central server. Continue (y/n)? aruba-central support-mode Syntax...
  • Page 328: Activate Software-Update Enable

    NOTE: This switch is not connected to Activate, hence communication error is shown in “Server Software Version” and “Server Software Image URL” field. activate software-update update Syntax switch#(config) activate software-update update
  • Page 329: Show Activate Software-Update

    Description Updates the software for Activate. Options primary Update primary software image using the Aruba Activate server. secondary Update secondary software image using the Aruba Activate server. Example switch# activate software-update update This command will save the current configuration, update the selected software image, and reboot the system to the selected partition.
  • Page 330: Debug Ztp

    The ZTP process for stacked switches with Central is similar to the one for a standalone switch, with the exception that only the commander in the stack checks in with Central. For switches supported on Central when stacking is ON, refer to the Aruba Central Switch Configuration Guide.
  • Page 331: Chapter 11 Auto Configuration Upon Aruba Ap Detection

    Egress rate limiting is not supported on the Aruba 2530 Switch Series. • The egress-bandwidth is only supported for devices running on: ◦ Aruba 2920 Switch Series ◦ Aruba 2930F Switch Series ◦ Aruba 5400R zl2 Switch Series v2 & v3 modules •...
  • Page 332: Profile Manager And 802.1X

    2 To remove device from switch: switch(config)# no device-identity name abc 3. Show device identity configuration: switch(config)# show device-identity lldp Device Identity Configuration Index Device name Subtype
  • Page 333: Device-Profile Name

    ------ ---------------------- ---------- ------- a1b2c3 device-profile name Syntax [no] device-profile name <PROFILE-NAME> [untagged-vlan <VLAN-ID> | tagged-vlan <VLAN-LIST> | cos <COS-VALUE> | ingress-bandwidth <Percentage> | egress-bandwidth <Percentage> | {poe-priority {critical | high | low} | speed-duplex {auto | auto-10 | auto-100 | ...} | poe-max-power <Watts>] Description This command is used to create a user-defined profile.
  • Page 334: Device-Profile Type

    ◦ Aruba 2930F Switch Series • The egress-bandwidth is only supported for Aruba 2920 and Aruba 5400R Switch Series v2 & v3. • The egress-bandwidth option is not supported and not displayed in the CLI for the Aruba 2530 switch.
  • Page 335: Rogue Ap Isolation

    Enables automatic profile association. disable Disables automatic profile association. Options Removes the device type association and disables the feature for the device type. By default, this feature is disabled. Restrictions Only one device type is supported, aruba-ap, and it is used to identify all the Aruba access points. Rogue AP Isolation The Rogue AP Isolation feature detects and blocks any unauthorized APs in the network.
  • Page 336: Feature Interactions

    If rogue-ap-isolation blocks a MAC before it is configured to be authorized, packets from such MACs will be dropped until one of the following happens: • Rogue action is changed to LOG. • Rogue-AP isolation feature is disabled.
  • Page 337: L3 Mac

    • The MAC is not detected as rogue anymore. • LLDP is disabled on the port (or globally). Once a MAC has been authorized by one of these features, it will not be blocked by Rogue AP isolation. A RMON will be logged to indicate the failure to block.
  • Page 338: Rogue-Ap-Isolation

    Configures the action to take for the rogue AP packets. This function is disabled by default. Parameters action Configure the action to take for rogue AP packets. By default, the rogue AP packets are blocked.
  • Page 339: Rogue-Ap-Isolation Whitelist

    Options Logs traffic to or from any rogue access points. block Blocks and logs traffic to or from any rogue access points. rogue-ap-isolation whitelist syntax [no] rogue-ap-isolation whitelist <MAC-ADDRESS> Description Configures the rogue AP Whitelist MAC addresses for the switch. Use this command to add to the whitelist the MAC addresses of approved access points or MAC addresses of clients connected to the rogue access points.
  • Page 340: Troubleshooting

    The show run command displays one of the following values for untagged-vlan: • no untagged-vlan • untagged-vlan : None Cause The no device-profile or the no rogue-ap-isolation whitelist command is executed to configure untagged-vlan to 0.
  • Page 341: Show Commands

    Action No action is required. Show commands Use the following show commands to view the various configurations and status. Command Description show device-profile Shows the device profile configuration and status. show device-profile config Shows the device profile configuration details for a single profile or all profiles.
  • Page 342 The maximum number of whitelist MACs allowed is 128. rogue-ap-whitelist <MAC> Cannot add the whitelist entry because the specified MAC address is already configured as a lock-out MAC.
  • Page 343 Validation Error/Warning/Prompt lock-out <MAC> Cannot add the lock-out entry because the specified MAC address is already configured as a whitelist MAC. Cannot add an entry for the MAC address <MAC- lockout-mac <MAC-ADDRESS>ORstatic-mac <MAC-ADDRESS> vlan <vlan-id> interface ADDRESS> because it is already blocked by rogue- <interface>ORvlan <vlan-id>...
  • Page 344: Chapter 12 Device Profile For Custom Device Types

    To remove device from switch: switch(config)# no device-identity name abc 3. Show device identity configuration: switch(config)# show device-identity lldp Device Identity Configuration Index Device name Subtype ------ ---------------------- ---------- ------- a1b2c3
  • Page 345: Chapter 13 Dynamically Detecting Lldp Device Profiles

    Chapter 13 Dynamically detecting LLDP device profiles LLDP device profile detection dynamically uses organization-specific TLV to detect and apply profiles to devices. Organizational Unique Identifiers (OUI) and subtypes are detected based on the configuration of the switch. A maximum of 16 devices can be detected and defined using LLDP. Requirements The device-identity must be configured with a name.
  • Page 346: Device-Profile Device-Type Enable

    Enable the device d1 using the command device-profile device-type <d1> enable. switch(config)# device-profile device-type d1 enable Disable the device d1 using the command device-profile device-type d1 disable. switch (config)# device-profile device-type d1 disable
  • Page 347: Associating A Profile With A Device

    Associating a profile with a device Associate a profile with a device by using the command device-profile device-type <DEVICE-NAME> associate <PROFILE-NAME>. Associated devices can be Aruba Access Points, ArubaOS-Switch Switches, scs-wan-cpe, or association can be by the device profile. The feature is disabled by default. device-profile device-type associate Syntax device-profile device-type <DEVICE-NAME>...
  • Page 348: Show Device-Profile Config

    Configuration for device-profile : default-aos-profile untagged-vlan tagged-vlan : None ingress-bandwidth : 100% egress-bandwidth : 100% speed-duplex : auto poe-max-power : Class/LLDP poe-priority : critical allow-jumbo-frames: Disabled Configuration for device-profile : default-scs-profile untagged-vlan tagged-vlan : None
  • Page 349: Show Device-Identity

    ingress-bandwidth : 100% egress-bandwidth : 100% speed-duplex : auto poe-max-power : Class/LLDP poe-priority : critical allow-jumbo-frames: Disabled allow-jumbo-frames: Disabled Configuration for device-profile : default-device-profile untagged-vlan tagged-vlan : None ingress-bandwidth : 100% egress-bandwidth : 100% speed-duplex : auto poe-max-power : Class/LLDP poe-priority : critical allow-jumbo-frames: Disabled...
  • Page 350 "DEFAULT_VLAN" untagged 1-28 ip address dhcp-bootp exit device-profile name "ram" exit device-profile type “scs-wan-cpe” associate "ram" enable exit device-profile type-device "cpe" associate "ram" enable exit device-profile type-device "phone" associate "default-device-profile" exit
  • Page 351: Chapter 14 Lacp-Mad

    Chapter 14 LACP-MAD LACP-MAD commands Configuration command The following command defines whether LACP is enabled on a port, and whether it is in active or passive mode when enabled. When LACP is enabled and active, the port sends LACP packets and listens to them. When LACP is enabled and passive, the port sends LACP packets only if it is spoken to.
  • Page 352 These devices simply forward LACP-MAD TLVs received on one interface to the other interfaces on the trunk. LACP-MAD passthrough can be enabled for 24 LACP trunks. By default, LACP-MAD passthrough is disabled.
  • Page 353: Chapter 15 Scalability Ip Address Vlan And Routing Maximum Values

    Chapter 15 Scalability IP Address VLAN and Routing Maximum Values The following table lists the switch scalability values for the areas of VLANs, ACLs, hardware, ARP, and routing. Subject Maximum IPv4 ACLs total named (extended or standard) Up to 2048 (minus any IPv4 numeric standard or extended ACL assignments and any RADIUS-assigned ACLs) total numbered standard Up to 99...
  • Page 354 DHCPv6 Helper Addresses 32 unique addresses; multiple instances of same address counts as 1 towards maximum Actual availability depends on combined resource usage on the switch. See Monitoring resources on page 65.
  • Page 355: Chapter 16 Static Ip Visibility

    Chapter 16 Static IP Visibility Only IP addresses assigned by the DHCP server are visible in RADIUS accounting on an ArubaOS-Switch. Visibility of statically assigned IP addresses in RADIUS accounting is available with a command that enables and disables static IP visibility for an authenticated client. IP client-tracker Syntax ip client-tracker [trusted | untrusted]...
  • Page 356 Port : 22 Authentication Type : mac-based Client Status : authenticated Session Time : 64 seconds Client Name : 0000005daa34 Session Timeout : 0 seconds MAC Address : 000000-5daa34 : n/a
  • Page 357 Access Policy Details : COS Map : Not Defined In Limit Kbps : Not Set Untagged VLAN : 20 Out Limit Kbps : Not Set Tagged VLANs : No Tagged VLANs Port Mode : 1000FDx RADIUS ACL List : No Radius ACL List IPV6 Address : 2000::10
  • Page 358: Chapter 17 File Transfers

    The switch is properly connected to your network and has already been configured with a compatible IP address and subnet mask. • The TFTP server is accessible to the switch via IP. Before you use the procedure, do the following:...
  • Page 359: Downloading From A Server To Primary Flash Using Tftp (Menu)

    • Obtain the IP address of the TFTP server in which the software file has been stored. • If VLANs are configured on the switch, determine the name of the VLAN in which the TFTP server is operating. • Determine the name of the software file stored in the TFTP server for the switch (For example, E0820.swi). NOTE: If your TFTP server is a UNIX workstation, ensure that the case (upper or lower) that you specify for the filename is the same case as the characters in the software filenames on the server.
  • Page 360 From the Main Menu, select 2. Switch Configuration... 2. Port/Trunk Settings b. Check the Firmware revision line. For troubleshooting information on download failures, see Troubleshooting TFTP download failures on page 361.
  • Page 361: Troubleshooting Tftp Download Failures

    Troubleshooting TFTP download failures Cause When using the menu interface, if a TFTP download fails, the Download OS (Operating System, or software) screen indicates the failure as seen in the following figure. Figure 44: Example of message for download failure Some of the causes of download failures include: •...
  • Page 362: Downloading From A Server To Flash Using Tftp (Cli)

    NOTE: If you use auto-tftp to download a new image in a redundant management system, the active management module downloads the new image to both the active and standby modules. Rebooting after the auto-tftp process completes reboots the entire system.
  • Page 363: Enabling Tftp (Cli)

    Enabling TFTP (CLI) TFTP is enabled by default on the switch. If TFTP operation has been disabled, you can re-enable it by specifying TFTP client or server functionality with the tftp [client|server] command at the global configuration level. Syntax: [no] tftp [client | server] Disables/re-enables TFTP for client or server functionality so that the switch can: •...
  • Page 364: Using Scp And Sftp

    You can use SFTP just as you would TFTP to transfer files to and from the switch, but with SFTP, your file transfers are encrypted and require authentication, so they are more secure than they would be using TFTP. SFTP works only with SSH version 2 (SSH v2).
  • Page 365: Enabling Scp And Sftp

    NOTE: SFTP over SSH version 1 (SSH v1) is not supported. A request from either the client or the switch (or both) using SSH v1 generates an error message. The actual text of the error message differs, depending on the client software in use. Some examples are: Protocol major versions differ: 2 vs.
  • Page 366 While SFTP is enabled, TFTP and auto-TFTP cannot be enabled from the CLI. Attempting to enable either non-secure TFTP option while SFTP is enabled produces one of the following messages in the CLI:...
  • Page 367: Enabling Ssh V2 (Required For Sftp)

    SFTP must be disabled before enabling tftp. SFTP must be disabled before enabling auto-tftp. Similarly, while SFTP is enabled, TFTP cannot be enabled using an SNMP management application. Attempting to do so generates an "inconsistent value" message. (An SNMP management application cannot be used to enable or disable auto-TFTP.) •...
  • Page 368: Scp/Sftp Operating Notes

    "" crash-data-K "" crash-data-L " " crash-log crash-log-a crash-log-b crash-log-c crash-log-d crash-log-e"" crash-log-f"" crash-log-g crash-log-h" " crash-log-I" " crash-log-J" " crash-log-K" " crash-log-L" " event log +---os primary secondary \---ssh
  • Page 369: Troubleshooting Ssh, Sftp, And Scp Operations

    +---mgr_keys authorized_keys \---oper_keys authorized_keys \---core port_1-24.cor core-dump for ports 1-24 (stackable switches only) port_25-48.cor core-dump for ports 25-48 (stackable switches only) Once you have configured your switch for secure file transfers with SCP and SFTP, files can be copied to or from the switch in a secure (encrypted) environment and TFTP is no longer necessary.
  • Page 370: Using Xmodem To Download Switch Software From A Pc Or Unix Workstation

    5. Press [Enter] and then execute the terminal emulator commands to begin Xmodem binary transfer. For example, using HyperTerminal: a. Click on Transfer, then Send File. b. Enter the file path and name in the Filename field.
  • Page 371: Downloading To Primary Or Secondary Flash Using Xmodem And A Terminal Emulator (Cli)

    c. In the Protocol field, select Xmodem. d. Click on the [Send] button. The download then commences. It can take several minutes, depending on the baud rate set in the switch and in your terminal emulator. 6. After the primary flash memory has been updated with the new software, you must reboot the switch to implement the newly downloaded software.
  • Page 372: Using Usb To Transfer Files To And From The Switch

    Some USB flash drives may not be supported on your switch. Consult the latest Release Notes for information on supported devices. Downloading switch software using USB (CLI) This procedure assumes that:...
  • Page 373 Procedure 1. A software version for the switch has been stored on a USB flash drive. (The latest software file is typically available from the HPE Switch Networking website at http://www.hpe.com 2. The USB device has been plugged into the switch's USB port. Before you use the procedure: •...
  • Page 374: Switch-To-Switch Download

    Where two switches in your network belong to the same series, you can download a software image between them by initiating a copy tftp command from the destination switch. The options for this CLI feature include:...
  • Page 375: Using Airwave To Update Switch Software

    • Copy from primary flash in the source to either primary or secondary in the destination. • Copy from either primary or secondary flash in the source to either primary or secondary flash in the destination. Downloading from primary only (CLI) Syntax: copy tftp flash <ip-addr>...
  • Page 376: Copying Software Images

    To use this method, a USB flash memory device must be connected to the switch's USB port. Syntax: copy flash usb <filename> Uses the USB port to copy the primary flash image from the switch to a USB flash memory device. Example:...
  • Page 377: Transferring Switch Configurations

    To copy the primary image to a USB flash drive: Procedure 1. Insert a USB device into the switch's USB port. 2. Execute the following command: switch# copy flash usb k0800.swi 3. where k0800.swi is the name given to the primary flash image that is copied from the switch to the USB device.
  • Page 378: Tftp: Copying A Customized Command File To A Switch (Cli)

    Xmodem: Copying a configuration file to a serially connected PC or UNIX workstation (CLI) To use this method, the switch must be connected via the serial port to a PC or UNIX workstation. You will need...
  • Page 379: Xmodem: Copying A Configuration File From A Serially Connected Pc Or Unix Workstation (Cli)

    • Determine a filename to use • Know the directory path you will use to store the configuration file. Syntax: copy {<startup-config | running-config>} xmodem {<pc | unix>} copy config <filename> xmodem {<pc | unix>} Uses Xmodem to copy a designated configuration file from the switch to a PC or UNIX workstation. For more information, see "Multiple Configuration Files"...
  • Page 380: Usb: Copying A Configuration File To A Usb Device (Cli)

    To use this method, the switch must be connected via the USB port to a USB flash drive on which is stored the configuration file you want to copy. To execute the command, you will need to know the name of the file to copy. Syntax: copy usb startup-config <filename>
  • Page 381: Transferring Acl Command Files

    Copies a configuration file from a USB device to the startup configuration file on the switch. Example: To copy a configuration file from a USB device to the switch: Procedure 1. Insert a USB device into the switch's USB port. 2.
  • Page 382: Xmodem: Uploading An Acl Command File From A Serially Connected Pc Or Unix Workstation (Cli)

    Uses Xmodem to copy and execute an ACL command from a PC or UNIX workstation. Depending on the ACL commands used, this action does one of the following in the running-config file:...
  • Page 383: Single Copy Command

    • Creates a new ACL. • Replaces an existing ACL. (See "Creating an ACL Offline" in the "Access Control Lists (ACLs)" in the latest access security guide for your switch.) • Adds to an existing ACL. Single copy command When a switch crashes, five files relating to the crash (core-dump, crash-data, crash-log, fdr-log, and event-log) are created and should be copied for review.
  • Page 384 USB or xmodem terminal. flash Copy the switch system image file. SFTP server Copy data from a SFTP server. startup-config Copy in-flash configuration file. ssh-client-known-hosts Copy the known hosts file.
  • Page 385 Data file Operation note ssh-server-pub-key Copy the switch's SSH server public key. running-config Copy running configuration file. TFTP Copy data from a TFTP server. Copy data from a USB flash drive. xmodem Use xmodem on the terminal as the data source. Destination Specify the copy target.
  • Page 386: Multiple Management Switches

    Multiple management switches Syntax copy crash-files slot-id Copy interface management crash files. mm-active Copy active management module crash files. mm-standby Copy standby management module crash files.
  • Page 387: Stacking Switches

    Destination SFTP TFTP Xmodem Slot-ID MM-active MM-standby Stacking switches Syntax copy crash-files member Copy stack member crash files. Options for member Option Destination SFTP TFTP xmodem management interfaces Standalone switches Syntax copy crash-files Options Option Destination SFTP TFTP xmodem management interfaces Crash file options Syntax...
  • Page 388: Usb: Uploading An Acl Command File From A Usb Device (Cli)

    Copies and executes the named text file from a USB flash drive and executes the ACL commands in the file. <filename.txt> A text file containing ACL commands and stored in the USB flash drive The type of workstation used to create the text file. {<unix | pc>}
  • Page 389: Copying Diagnostic Data To A Remote Host, Usb Device, Pc Or Unix Workstation

    Depending on the ACL commands used, this action does one of the following in the running-config file: Procedure 1. Creates a new ACL. 2. Replaces an existing ACL. (See "Creating an ACL Offline" in the "Access Control Lists (ACLs)" chapter in the latest Access Security Guide for your switch.) 3.
  • Page 390: Copying Command Output To A Destination Device (Cli)

    <ip-address> <filepath_filename> copy event-log usb <filename> copy event-log xmodem <filename> These commands copy the Event Log content to a remote host, or to a serially connected PC or UNIX workstation. Example:...
  • Page 391: Copying Command Log Output To A Destination Device (Cli)

    To copy the event log to a PC connected to the switch: Figure 49: Sending event log content to a file on an attached PC Copying Command Log output to a destination device (CLI) Syntax: copy command-log [sftp | smm | tftp | usb | xmodem] Description This command copies the Command Log content to a remote host or to a serially-connected PC or UNIX workstation.
  • Page 392: Flight Data Recorder (Fdr)

    Copies all the log files from both management modules and all slots. mm-active Copies the active management module's log. mm-standby Copies the standby management module's log. slot Retrieves the crash log from the module in the identified slots.
  • Page 393: Chapter 18 Monitoring And Analyzing Switch Operation

    Chapter 18 Monitoring and Analyzing Switch Operation Overview The switches have several built-in tools for monitoring, analyzing, and troubleshooting switch and network operation: • Status: Includes options for displaying general switch information, management address data, port status, port and trunk group statistics, MAC addresses detected on each port or VLAN, and STP, IGMP, and VLAN data. •...
  • Page 394: Clear Statistics

    This command clears all counters and statistics for all interfaces except SNMP. Parameters and options <PORT-LIST> Clears the counters and statistics for specific ports. global Clears all counters and statistics for all interfaces except SNMP.
  • Page 395: Accessing Port And Trunk Statistics (Menu)

    Accessing port and trunk statistics (Menu) Procedure 1. From the Main Menu, select 1. Status and Counters ... , and then select 4. Port Counters. Figure 50: Example of port counters on the menu interface 2. To view details about the traffic on a particular port, use the ↓ key to highlight that port number, and then select Show Details .
  • Page 396: Show Mac-Add Detail

    Vxlan Tunnels. stack-Switch# show mac-address detail Status and Counters - Port Address Table MAC Address Port VLAN Age (d:h:m:s.ms) ------------- ------ ---- ---------------- 009c02-d80f28 1/2 0000:00:00:30.18 3464a9-abe500 1/2 0030:07:01:20.23
  • Page 397: Show Mac-Address Detail

    show mac-address <MAC-ADDRESS> detail Syntax show mac-address <MAC-ADDRESS> detail Description Specifies the age and existing details of the specific mac address given. manager Parameters <MAC-ADDRESS> Specifies the mac-address being requested in detail. Examples Show mac-address detail for f0921c-b6e97e. switch# show mac-address f0921c-b6e97e detail Status and Counters - Port Address Table MAC Address Port...
  • Page 398: Using The Menu To View And Search Mac Addresses

    1. From the Main Menu, select 1. Status and Counters ... , and then select 5. VLAN Address Table. 2. Use the arrow keys to scroll to the VLAN you want, and then press Enter on the keyboard to select it.
  • Page 399: Finding The Port Connection For A Specific Device On A Vlan

    The switch then displays the MAC address table for that VLAN (Figure 52: Example of the address table on page 399.) Figure 52: Example of the address table 3. To page through the listing, use Next page and Prev page . Finding the port connection for a specific device on a VLAN This feature uses a device's MAC address that you enter to identify the port used by that device.
  • Page 400: Determining Whether A Specific Device Is Connected To The Selected Port

    Displays the global and regional spanning-tree status for the switch, and displays the per-port spanning-tree operation at the regional level. Values for the following parameters appear only for ports connected to active devices: Designated Bridge, Hello Time, PtP, and Edge.
  • Page 401: Ip Igmp Status

    show spanning-tree command output Figure 54: show spanning-tree command output IP IGMP status show ip igmp Syntax show ip igmp <VLAN-ID> [config] [group <IP-ADDR>|groups] [statistics] Description Global command that lists IGMP status for all VLANs configured in the switch, including:...
  • Page 402 IGMP Service Statistics Total VLANs with IGMP enabled Current count of multicast groups joined IGMP Joined Groups Statistics VLAN ID VLAN Name Filtered Flood ------- -------------------------------- ------------ ------------ VLAN2
  • Page 403: Vlan Information

    VLAN information show vlan Syntax show vlan <VLAN-ID> Description Lists the maximum number of VLANs to support, existing VLANS, VLAN status (static or dynamic), and primary VLAN. Parameters and options <VLAN-ID> Lists the following for the specified VLAN: • Name, VID, and status (static/dynamic) •...
  • Page 404: Configuring A Source Switch In A Local Mirroring Session

    Enter the mirror port command on the source switch to configure an exit port on the same switch. To create the mirroring session, use the information gathered in High-level overview of the mirror configuration process on page 408.
  • Page 405: Selecting All Traffic On A Port Interface For Mirroring According To Traffic Direction

    Syntax mirror 1 - 4 port exit-port-# [name name-str] no mirror 1- 4 Assigns the exit port to use for the specified mirroring session and must be executed from the global configuration level. 1 - 4 Identifies the mirroring session created by this command. (Multiple sessions on the switch can use the same exit port.) name name-str Optional alphanumeric name string used to identify the session...
  • Page 406: Viewing All Mirroring Sessions Configured On The Switch

    IPv6 traffic for mirroring. If a remote mirroring endpoint is configured on the switch, the following information is displayed. Otherwise, the output displays: There are no Remote Mirroring endpoints currently assigned.
  • Page 407: Viewing The Mirroring Configuration For A Specific Session

    Type Indicates whether the mirroring session is local (port), remote (IPv4), or MAC-based (mac) for local or remote sessions. UDP Source Addr The IP address configured for the source VLAN or subnet on which the monitored source interface exists. In the configuration of a remote session, the same UDP source address must be configured on the source and destination switches.
  • Page 408: Using The Menu To Configure Local Mirroring

    2. Create an IPv4 or IPv6 traffic class using the class command to select the packets that you want to mirror in a session on a preconfigured local or remote destination device. A traffic class consists of match criteria, which consist of match and ignore commands.
  • Page 409 • match commands define the values that header fields must contain for a packet to belong to the class and be managed by policy actions. • ignore commands define the values which, if contained in header fields, exclude a packet from the policy actions configured for the class.
  • Page 410: Classifier-Based Mirroring Restrictions

    For this reason, Hewlett Packard Enterprise strongly recommends that you first configure the exit switch in a remote mirroring session before you apply a mirroring service policy on a port or VLAN interface.
  • Page 411: Mirroring Configuration Examples

    ◦ You can configure only one mirroring session (destination) for each class. ◦ You can configure the same mirroring session for different classes. • If a mirroring session is configured with a classifier-based mirroring policy on a port or VLAN interface, no other traffic-selection criteria (MAC-based or all inbound and/or outbound traffic) can be added to the session.
  • Page 412: Maximum Supported Frame Size

    (The MTU on the switches covered by this manual is 9220 bytes for frames having an 802.1Q VLAN tag, and 9216 bytes for untagged frames.)
  • Page 413: Effect Of Downstream Vlan Tagging On Untagged, Mirrored Traffic

    Table 26: Maximum frame sizes for mirroring Frame type Maximum VLAN tag Frame Frame mirrored to remote configuration frame size mirrored port to local port Data Data IPv4 header Untagged Non-jumbo (default 1518 1518 1464 config.) Jumbo on all VLANs 9216 9216 9162...
  • Page 414: Operating Notes For Traffic Mirroring

    Effect of IGMP on mirroring If both inbound and outbound mirroring is operating when IGMP is enabled on a VLAN, two copies of mirrored IGMP frames may appear at the mirroring destination.
  • Page 415 • Mirrored traffic not encrypted Mirrored traffic undergoes IPv4 encapsulation, but mirrored encapsulated traffic is not encrypted. • IPv4 header added The IPv4 encapsulation of mirrored traffic adds a 54-byte header to each mirrored frame. If a resulting frame exceeds the maximum MTU allowed in the network, it is dropped or truncated (according to the setting of the [truncation] parameter in the mirror command.) To reduce the number of dropped frames, enable jumbo frames in the mirroring path, including all intermediate switches and/or routers.
  • Page 416: Troubleshooting Traffic Mirroring

    This procedure describes configuring the switch for monitoring when monitoring is disabled. (If monitoring has already been enabled, the screens will appear differently than shown in this procedure.) From the console Main Menu, select: 2. Switch Configuration...
  • Page 417: Configuring Port And Static Trunk Monitoring (Cli)

    3. Network Monitoring Port In the Actions menu, press [E] (for Edit). If monitoring is currently disabled (the default) then enable it by pressing the Space bar (or [Y]) to select Yes. Press the down arrow key to display a screen similar to the following and move the cursor to the Monitoring Port parameter.
  • Page 418: Configuring The Monitor Port

    Elements in the monitor list can include port numbers and static trunk names at the same time. For example, with a port such as port 5 configured as the monitoring (mirror) port, you would use either of the following commands to select these interfaces for monitoring:...
  • Page 419 • Ports 6-9, and 14 • Trunk 2 Selecting ports and static trunks as monitoring sources switch(config)# int 6-9, 14 trk2, monitor To monitor a VLAN: Configuring VLAN monitoring switch(config)# vlan 20 monitor switch(config)# show monitor Network Monitoring Port Mirror Port: 5 Monitoring sources ------------------ VLAN_20...
  • Page 420: Chapter 19 Fans

    To show chassis power supply and settings, see show system power-supply • To show system fans for VSF members, see show system fans vsf Examples Locating the system chassis by LED blink using the show system chassislocate command.
  • Page 421: Show System Fans

    Showing the general switch system information by using the show system command. show system fans Syntax show system fans Description Shows the state, status, and location of system fans. Command context manager and operator Usage Command can be executed using various command contexts. See examples for use of command context PoEP and VSF.
  • Page 422 | Chassis Sys-4 | Fan OK | PS 1 Sys-5 | Fan OK | PS 2 0 / 5 Fans in Failure State 0 / 5 Fans have been in Failure State
  • Page 423: Show System Power-Supply

    The state of all VSF switch members system fans is shown by using the command show system fans from within the VSF context. VSF-Switch# show system fans Fan Information VSF-Member | State | Failures | Location -------+-------------+----------+--------- Sys-1 | Fan OK | Fan Tray Sys-2 | Fan OK...
  • Page 424 Not Present J9830A IN43G4G05H Powered AC Power Consumption : 90 Watts AC MAIN/AUX Voltage : 210/118 Volts Power Supplied : 16 Watts Power Capacity : 2750 Watts Inlet Temp (C/F) : 30.9C/86.0F
  • Page 425 Internal Temp (C/F) : 65.6C/149.0F Fan 1 Speed : 2000 RPM (37%) Fan 2 Speed : 1950 RPM (36%) 4 supply bays delivering power. Currently supplying 68 W / 4150 W total power. Use of the command show system power-supply fahrenheit shows the power supply status in Fahrenheit for all active switches.
  • Page 426 Two voltages are displayed for PS#4, as the J9830A includes two AC input IEC connectors. • Most power-supplies contain a single AC Input IEC connector and are labeled MAIN.
  • Page 427: Fan Failures And Snmp Traps

    Field Description Power Supplied Actual voltage being supplied from the power-supply to the switch for general power and PoE. Power Capacity The maximum power that the power-supply can provide to the switch. Inlet Temp (C/F) The thermal sensor at the inlet of the power-supply - shown in both Celsius and Fahrenheit Internal Temp The thermal sensor internal to the power-supply (will vary depending...
  • Page 428: Troubleshooting

    Use the Port Utilization Graph and Alert Log in the WebAgent included in the switch to help isolate problems. These tools are available through the WebAgent: ◦ Port Utilization Graph ◦ Alert log
  • Page 429: Browser Or Telnet Access Problems

    ◦ Port Status and Port Counters screens ◦ Diagnostic tools (Link test, Ping test, configuration file browser) • For help in isolating problems, use the easy-to-access switch console built into the switch or Telnet to the switch console. For operating information on the Menu and CLI interfaces included in the console, see chapters 3 and 4.
  • Page 430: Unusual Network Activity

    Invalid ARP source: IP address on IP address where both instances of IP address are the same address, indicating that the switch's IP address has been duplicated somewhere on the network.
  • Page 431: Duplicate Ip Addresses In A Dhcp Network

    Duplicate IP addresses in a DHCP network If you use a DHCP server to assign IP addresses in your network, and you find a device with a valid IP address that does not appear to communicate properly with the server or other devices, a duplicate IP address may have been issued by the server.
  • Page 432: The Switch Does Not Allow Management Access From A Device On The Same Vlan

    Correctly and incorrectly specifying a single host Switch(config)# access-list 6 permit host 10.28.100.100 Switch(config)# access-list 6 permit host 10.28.100.100 255.255.255.255 Invalid input: 255.255.255.255 Switch(config)# access-list 6 permit host 10.28.100.100/32 Invalid input: 10.28.100.100/32
  • Page 433: Apparent Failure To Log All "Deny" Matches

    • Correct. • Incorrect. No mask needed to specify a single host. • Incorrect. No mask needed to specify a single host. Apparent failure to log all "deny" matches Where the log statement is included in multiple ACEs configured with a "deny" option, a large volume of "deny" matches generating logging messages in a short period of time can impact switch performance.
  • Page 434: Igmp-Related Problems

    1. Configure gateway security first for routing with specific permit and deny statements. 2. Permit authorized traffic. 3. Deny any unauthorized traffic that you have not already denied in step 1. IGMP-related problems
  • Page 435: Ip Multicast (Igmp) Traffic That Is Directed By Igmp Does Not Reach Igmp Hosts Or A Multicast Router Connected To A Port

    Removing a port from a trunk without first disabling the port can create a traffic loop that can slow down or halt your network. Before removing a port from a trunk, Hewlett Packard Enterprise recommends that you either disable the port or disconnect it from the LAN.
  • Page 436: The Switch Does Not Authenticate A Client Even Though The Radius Server Is Properly Configured And Providing A Response To The Authentication Request

    Port Access Authenticator Status Port-access authenticator activated [No] : No Access Authenticator Authenticator Port Status Control State Backend State ---- ------ -------- -------------- -------------- Open Force Auth Idle Switch(config)# show port-access authenticator active
  • Page 437: Radius Server Fails To Respond To A Request For Service, Even Though The Server's Ip Address Is Correctly Configured In The Switch

    Switch(config)# show port-access authenticator e 9 Port Access Authenticator Status Port-access authenticator activated [No] : Yes Access Authenticator Authenticator Port Status Control State Backend State ---- ------ -------- -------------- -------------- Closed FU Force Unauth Idle Port A9 shows an “Open” status even though Access Control is set to Unauthorized (Force Auth). This is because the port-access authenticator has not yet been activated.
  • Page 438: Loss Of Communication When Using Vlan-Tagged Traffic

    Dynamic Authorization UDP Port : 3799 Auth Acct DM/ Time Server IP Addr Port Port CoA Window Encryption Key --------------- ---- ---- --- ------ --------------- 10.33.18.119 1812 1813 119-only-key • Global RADIUS Encryption Key •
  • Page 439: Mstp And Fast-Uplink Problems

    MSTP and fast-uplink problems CAUTION: If you enable MSTP, Hewlett Packard Enterprise recommends that you leave the remainder of the MSTP parameter settings at their default values until you have had an opportunity to evaluate MSTP performance in your network. Because incorrect MSTP settings can adversely affect network performance, you should avoid making changes without having a strong understanding of how MSTP operates.
  • Page 440: Executing Ip Ssh Does Not Enable Ssh On The Switch

    If the switch is functioning properly, but no username/password pairs result in console or Telnet access to the switch, the problem may be caused by how the TACACS+ server and/or the switch are configured. Use one of the following methods to recover:
  • Page 441: No Communication Between The Switch And The Tacacs+ Server Application

    • Access the TACACS+ server application and adjust or remove the configuration parameters controlling access to the switch. • If the above method does not work, try eliminating configuration changes in the switch that have not been saved to flash (boot-up configuration) by causing the switch to reboot from the boot-up configuration (which includes only the configuration changes made prior to the last write memory command.) If you did not use write memory to save the authentication configuration to flash, pressing the Reset button reboots the switch with the boot-up configuration.
  • Page 442: System Allows Fewer Login Attempts Than Specified In The Switch Configuration

    VLAN_2 use the same link between switch "X" and switch "Y," as shown in Figure 65: Example of correct VLAN port assignments on a link on page 442. Figure 65: Example of correct VLAN port assignments on a link
  • Page 443: Duplicate Mac Addresses Across Vlans

    • If VLAN_1 (VID=1) is configured as "Untagged" on port 3 on switch "X," it must also be configured as "Untagged" on port 7 on switch "Y." Make sure that the VLAN ID (VID) is the same on both switches. •...
  • Page 444: Fan Failure

    Syntax: fault-finder <link-flap> sensitivity {<low | medium | high>} action {<warn | warn-and-disable>} Default settings: Sensitivity = Medium; Action = Warn
  • Page 445 Hewlett Packard Enterprise does not recommend automatic disabling of a port at the core or distribution layers when excessive broadcasts are detected, because doing so can disable large parts of the network that may be uninvolved and creates an opportunity for a denial-of-service attack.
  • Page 446: Fault Finder Thresholds

    Alert Log. Enabling fault finder using the CLI Enter this CLI command to enable fault detection: Syntax: [no] fault-finder [fault][sensitivity <low|medium|high>][action <warn|warn-and-disable>] Enables or disables Fault Finder and sets sensitivity.
  • Page 447 When the warn-and-disable action option is configured, Fault Finder may also shut down a bad port in addition to sending an alert to the Alert Log. Default setting: fault-finder sensitivity medium action warn [fault]: Supported values are: • all: All fault types •...
  • Page 448 Too Long 1/10,000 20 secs If (late Cable — Outgoing collisions/ Excessive late total) >= collisions (a (sensitivity/ late collision 10,000) error occurs after the first 512 bit times)
  • Page 449 Condition Sensitivities Units (in Time period Fault finder triggering packets) reacts: fault finder Over 21257 36449 1/10,000 5 mins5 mins If (excessive bandwidth - OutgoingOne collisions/ High collision Packet total) >= rate -High (sensitivity/ drop rate 10,000)The count of dropped packets >= sensitivity during the last...
  • Page 450: Viewing Transceiver Information

    10GbE SFP+ ER Transceiver J9144A 10GbE X2-SC LRM Transceiver J8438A 10Gbe X2-SC ER Transceiver Support indicators: • V - Validated to respond to DOM requests • N - No support of DOM
  • Page 451: Viewing Information About Transceivers (Cli)

    • D - Documented by the component suppliers as supporting DOM • NA - Not applicable to the transceiver (copper transceiver) NOTE: Not all transceivers support Digital Optical Monitoring. If DOM appears in the Diagnostic Support field of the show interfaces transceiver detail command, or the hpicfTransceiverMIB hpicfXcvrDiagnostics MIB object, DOM is supported for that transceiver.
  • Page 452: Information Displayed With The Detail Parameter

    Wavelength For an optical transceiver: the central wavelength of the laser sent, in nm. If the transceiver supports multiple wavelengths, the values will be separated by a comma.
  • Page 453 Parameter Description Transfer Link-length supported by the transceiver in meters. The corresponding transfer medium is Distance shown in brackets following the transfer distance value, For example, 50um multimode fiber. If the transceiver supports multiple transfer media, the values are separated by a comma. Diagnostic Shows whether the transceiver supports diagnostics: Support...
  • Page 454 TX fault TX fault PMA/PMD transmitter local fault PMA/PMD transmitter local fault PCS Transmit local fault PCS transmit local fault PHY XS transmit local fault PHY SX transmit local fault
  • Page 455 Alarm Description TX bias high TX bias current is high TX bias low TX bias current is low TX power high TX power is high TX power low TX power is low Temp high Temperature is high Temp low Temperature is low An example of the output for the show interfaces transceiver [port-list] detail for a 1000SX transceiver is shown below.
  • Page 456: Viewing Transceiver Information For Copper Transceivers With Vct Support

    Status to Fault Skew Polarity Mode ----- ----- ---------- --------- ----- --------- ------ 6 ns Normal MDIX 0 ns Normal 6 ns Normal MDIX 6 ns Normal Short Impedance Impedance Open
  • Page 457 Copper cable diagnostic test results switch# show interfaces transceiver a23 detail Transceiver in A23 Interface Index : 23 Type : 1000T-sfp Model : J8177C Connector Type : RJ45 Wavelength : n/a Transfer Distance : 100m (copper), Diagnostic Support : VCT Serial Number : US051HF099 Link Status...
  • Page 458: Using The Event Log For Troubleshooting Switch Problems

    The contents of the Event Log are not erased if you: • Reboot the switch by choosing the Reboot Switch option from the menu interface. • Enter the reload command from the CLI.
  • Page 459: Event Log Entries

    Event Log entries As shown in Figure 69: Format of an event log entry on page 459, each Event Log entry is composed of six or seven fields, depending on whether numbering is turned on or not: Figure 69: Format of an event log entry Item Description Severity...
  • Page 460 Access Security Guide auth Authorization: A connected client must receive authorization through web, AMC, RADIUS-based, TACACS+-based, or 802.1X authentication before it can send traffic to the switch.
  • Page 461 System module Description Documented in HPE Switch hardware/software guide Management and Configuration Cisco Discovery Protocol: Supports Guide reading CDP packets received from neighbor devices, enabling a switch to learn about adjacent CDP devices. HPE does not support the transmission of CDP packets to neighbor devices.
  • Page 462 Runtime logs are written to FDR memory while the switch is running, and crashtime logs are collected and stored in the FDR buffer during a switch crash.
  • Page 463 System module Description Documented in HPE Switch hardware/software guide Installation and Getting Started Find, Fix, and Inform: Event or alert Guide log messages indicating a possible topology loop that causes excessive Management and Configuration network activity and results in the Guide network running slow.
  • Page 464 The switch meshing feature provides redundant links, improved bandwidth use, and support for different port types and speeds.
  • Page 465 System module Description Documented in HPE Switch hardware/software guide lldp Link-Layer Discovery Protocol: Management and Configuration Supports transmitting LLDP packets Guide to neighbor devices and reading LLDP packets received from neighbor devices, enabling a switch to advertise itself to adjacent devices and to learn about adjacent LLDP devices.
  • Page 466 Rate-limiting: Enables a port to limit Management and Configuration the amount of bandwidth a user or Guide device may utilize for inbound traffic on the switch.
  • Page 467 System module Description Documented in HPE Switch hardware/software guide sflow Flow sampling: sFlow is an industry Management and Configuration standard sampling technology, Guide defined by RFC 3176, used to continuously monitor traffic flows on all ports providing network-wide visibility into the use of the network. snmp Simple Network Management Management and Configuration...
  • Page 468 IP Guide and is used to set up connections. telnet Session established on the switch Basic Operation Guide from a remote device through the Telnet virtual terminal protocol.
  • Page 469 System module Description Documented in HPE Switch hardware/software guide tftp Trivial File Transfer Protocol: Basic Operation Guide Supports the download of files to the switch from a TFTP network server. timep Time Protocol: Synchronizes and Management and Configuration ensures a uniform time among Guide interoperating devices.
  • Page 470: Using The Menu

    I 10/25/13 17:42:51 00068 chassis: Slot F Inserted I 10/25/13 17:42:51 00690 udpf: DHCP relay agent feature enabled I 10/25/13 17:42:51 00433 ssh: Ssh server enabled I 10/25/13 17:42:51 00400 stack: Stack Protocol disabled
  • Page 471: Using The Cli

    I 10/25/13 17:42:51 00128 tftp: Enable succeeded I 10/25/13 17:42:51 00417 cdp: CDP enabled ---- Log events stored in memory 1-751. Log events on screen 690-704. Actions-> Back Next page Prev page Help Return to previous screen. Use up/down arrow to scroll one line, left/right arrow keys to change action selection, and <Enter>...
  • Page 472: Clearing Event Log Entries

    As a result, the Event Log and any configured SNMP trap receivers may be flooded with excessive, exactly identical messages. To help reduce this problem, the switch uses log throttle periods to regulate (throttle)
  • Page 473: Log Throttle Periods

    duplicate messages for recurring events, and maintains a counter to record how many times it detects duplicates of a particular event since the last system reboot. When the first instance of a particular event or condition generates a message, the switch initiates a log throttle period that applies to all recurrences of that event.
  • Page 474: Example Of Event Counter Operation

    SNMP trap receivers.) Table 34: How the duplicate message counter increments Instances during 1st log Instances during 2nd log Instances during 3rd log Duplicate message throttle period throttle period throttle period counter
  • Page 475: Reporting Information About Changes To The Running Configuration

    This value always comprises the first instance of the duplicate message in the current log throttle period plus all previous occurrences of the duplicate message occurring since the switch last rebooted. Reporting information about changes to the running configuration Syslog can be used for sending notifications to a remote syslog server about changes made to the running configuration.
  • Page 476: Hostname In Syslog Messages

    Use the logging origin-id command to specify the content for the hostname field. Syntax: logging origin-id [ip-address|hostname|none] [no] logging origin-id [ip-address|hostname|none] To reset the hostname field content back to default (IP-address), use the no form of the command.
  • Page 477 filter Creates a filter to restrict which events are logged. IP-ADDR Adds an IPv4 address to the list of receiving syslog servers. IPV6-ADDR Adds an IPv6 address to the list of receiving syslog servers. origin-id Sends the Syslog messages with the specified origin-id. notify Notifies the specified type sent to the syslog server(s).
  • Page 478: Viewing The Identification Of The Syslog Message Sender

    When hostname or none is configured using logging origin-id, the same displays as part of the show running-config command.
  • Page 479 Syntax: show debug Default option is ip-address. The following shows the output of the show debug command when configured without logging origin-id. Output of the show debug command when configured without logging origin-id Debug Logging Origin identifier: Outgoing Interface IP Destination: None Enabled debug types:...
  • Page 480: Snmp Mib

    A debug/syslog destination device can be a syslog server and/or a console session. You can configure debug and logging messages to be sent to: • Up to six syslog servers • A CLI session through a direct RS-232 console connection, or a Telnet or SSH session
  • Page 481: Debug/Syslog Configuration Commands

    Debug/syslog configuration commands Event notification logging — Automatically sends switch-level event messages to the switch's Event Log. Debug and syslog do not affect this operation, but add the capability of directing Event Log messaging to an external device. <syslog-ip-addr> logging command Enables syslog messaging to be sent to the specified IP address.
  • Page 482 Sends standard Event Log messages to configured debug destinations. (The same messages are also sent to the switch's Event Log, regardless of whether you enable this option.)
  • Page 483 fib: Displays IP Forwarding Information Base messages and events. forwarding: Sends IPv4 forwarding messages to the debug destinations. ospf: Sends OSPF event logging to the debug destinations. ospfv3: Enables debug messages for OSPFv3. packet: Sends IPv4 packet messages to the debug destinations. pim [packet [filter {source <...
  • Page 484: Configuring Debug/Syslog Operation

    Display the current Syslog server list when Syslog logging is disabled. Configuring debug/syslog operation Procedure 1. To use a syslog server as the destination device for debug messaging, follow these steps:
  • Page 485 a. Enter the logging <syslog-ip-addr> command at the global configuration level to configure the syslog server IP address and enable syslog logging. Optionally, you may also specify the destination subsystem to be used on the syslog server by entering the logging facility command. If no other syslog server IP addresses are configured, entering the logging command enables both debug messaging to a syslog server and the event debug message type.
  • Page 486: Viewing A Debug/Syslog Configuration

    In the following example, no syslog servers are configured on the switch (default setting). When you configure a syslog server, debug logging is enabled to send Event Log messages to the server. To limit the Event Log
  • Page 487 messages sent to the syslog server, specify a set of messages by entering the logging severity and logging system-module commands. Figure 72: Syslog configuration to receive event log messages from specified system module and severity levels As shown at the top of Figure 72: Syslog configuration to receive event log messages from specified system module and severity levels on page 487, if you enter the show debug command when no syslog server IP address is configured, the configuration settings for syslog server facility, Event Log severity level, and system module are not displayed.
  • Page 488: Debug Command

    By default, no debug destination is enabled and only Event Log messages are enabled to be sent. NOTE: To configure a syslog server, use the logging <syslog-ip-addr> command. For more information, see Configuring a syslog server on page 492. Debug messages Syntax: [no] debug <debug-type>
  • Page 489 When a match occurs on an ACL "deny" ACE (with log configured), the switch sends an ACL message to configured debug destinations. For information on ACLs, see the "Access Control Lists (ACLs)" in the latest version of the following guides: •...
  • Page 490: Debug Destinations

    Use the debug destination command to enable (and disable) syslog messaging on a syslog server or to a CLI session for specified types of debug and Event Log messages. Syntax: [no] debug destination {<logging | session | buffer>}
  • Page 491: Logging Command

    logging Enables syslog logging to configured syslog servers so that the debug message types specified by the debug <debug-type> command (see Debug messages on page 488) are sent. (Default: Logging disabled) To configure a syslog server IP address, see Configuring a syslog server on page 492. NOTE: Debug messages from the switches covered in this guide have a debug severity level.
  • Page 492: Configuring A Syslog Server

    Deleting syslog addresses in the startup configuration Enter a no logging command followed by the write memory command. Verifying the deletion of a syslog server address Display the startup configuration by entering the show config command.
  • Page 493 Blocking the messages sent to configured syslog servers from the currently configured debug message type Enter the no debug <debug-type> command. (See Debug messages on page 488.) Disabling syslog logging on the switch without deleting configured server addresses Enter the no debug destination logging command. Note that, unlike the case in which no syslog servers are configured, if one or more syslog servers are already configured and syslog messaging is disabled, configuring a new server address does not re-enable syslog messaging.
  • Page 494: Adding A Description For A Syslog Server

    [no] logging facility <facility-name> The logging facility specifies the destination subsystem used in a configured syslog server. (All configured syslog servers must use the same subsystem.) Hewlett Packard Enterprise recommends the default (user) subsystem unless your application specifically requires another subsystem. Options include:...
  • Page 495: Adding A Priority Description

    Syntax: logging <ip-addr> [control-descr <text_string>] no logging <ip-addr> [control-descr] An optional user-friendly description that can be associated with a server IP address. If no description is entered, this is blank. If <text_string> contains white space, use quotes around the string. IPv4 addresses only. Use the no form of the command to remove the description.
  • Page 496: Configuring The System Module Used To Select The Event Log Messages Sent To A Syslog Server

    NOTE: This setting has no effect on event notification messages that the switch normally sends to the Event Log. Enabling local command logging Use this command to enable local command logging. This satisfies the NDcPP certification requirement that:
  • Page 497: Operating Notes For Debug And Syslog

    • All administrative actions (commands) are logged locally. • Local command log storage can be enabled and disabled. • The identity of the user causing an event is logged. • When the command log is exhausted by 80% and wraparound occurs, the event is logged and a trap is generated.
  • Page 498: Diagnostic Tools

    To start a ping or link test in the WebAgent: 1. In the navigation pane, click Troubleshooting. 2. Click Ping/Link Test. 3. Click Start. 4. To halt a link or ping test before it concludes, click Stop.
  • Page 499: Testing The Path Between The Switch And Another Device On An Ip Network

    For an example of the text screens, see Figure 74: Ping test and link test screen on the WebAgent on page 499. Figure 74: Ping test and link test screen on the WebAgent Destination IP Address is the network address of the target, or destination, device to which you want to test a connection with the switch.
  • Page 500 10.10.10.10 is alive, iteration 1, time = 15 ms 10.10.10.10 is alive, iteration 1, time = 15 ms 10.10.10.10 is alive, iteration 1, time = 15 ms switch# ping 10.10.10.10 timeout 2 10.10.10.10 is alive, time = 10 ms
  • Page 501: Issuing Single Or Multiple Link Tests

    switch# ping 10.11.12.13 The destination address is unreachable. Halting a ping test To halt a ping test before it concludes, press [Ctrl] [C]. NOTE: To use the ping (or traceroute) command with host names or fully qualified domain names, see DNS resolver on page 516.
  • Page 502 3) The source IPv4 address, VLAN ID, or Loopback address. [source {< ip- addr | vid | loopback <0-7> >}] Destination port. [dstport < 1-34000 >]
  • Page 503: Halting An Ongoing Traceroute Search

    Source port. [srcport < 1-34000 >] Specify an IP option, such as loose or strict source routing, or an include-timestamp [ip-option] option: [include-timestamp]: Adds the timestamp option to the IP header. The timestamp displays the amount of travel time to and from a host. Default: 9 [include-timestamp-and-address]: Records the intermediate router's timestamp and IP address. Default: 4 [loose-source-route <IP-addr>]: Prompts for the IP address of each source IP on the path. It allows you to specify the...
  • Page 504: If A Network Condition Prevents Traceroute From Reaching The Destination

    CLI using the commands described in this section. Viewing the startup or running configuration file Syntax: write terminal Displays the running configuration.
  • Page 505: Viewing The Configuration File (Webagent)

    show config Displays the startup configuration. show running-config Displays the running-config file. For more information and examples of how to use these commands, see “Switch Memory and Configuration” in the basic operation guide. Viewing the configuration file (WebAgent) To display the running configuration using the WebAgent: 1.
  • Page 506: Saving Show Tech Command Output To A Text File

    (In this case, Microsoft Word provides the data in an easier-to-read format.) The following example uses the Microsoft Windows terminal emulator. If you are using a different terminal emulator application, see the documentation provided with the application.
  • Page 507: Customizing Show Tech Command Output

    Procedure 1. In Hyperterminal, click on Transfer|Capture Text…. Figure 79: Capture text window of the Hyperterminal application 2. In the File field, enter the path and file name in which you want to store the show tech output. Figure 80: Entering a path and filename for saving show tech output 3.
  • Page 508 Includes the contents of the running configuration file in show tech command output startup-config Includes the contents of the startup configuration file in show tech command output.
  • Page 509: Viewing More Information On Switch Operation

    tftp config {<startup-config | running-config} <ip-addr> <remote-file> {<pc | unix>} Downloads the contents of a configuration file from a remote host to show tech command output, where: <ip-addr>: Specifies the IP address of the remote host device. <remote-file>: Specifies the pathname on the remote host for the configuration file whose contents you want to include in the command output.
  • Page 510: Searching For Text Using Pattern Matching With Show Command

    Following are examples of what portions of the running config file display depending on the option chosen. Pattern matching with include option switch(config)# show run | include ipv6 ipv6 enable ipv6 enable
  • Page 511 ipv6 access-list "EH-01" switch(config)# Displays only lines that contain “ipv6”. Pattern matching with exclude option switch(config)# show run | exclude ipv6 Running configuration: ; J9299A Configuration Editor; Created on release #WB.15.XX hostname "HP Switch" snmp-server community "notpublic" Unrestricted vlan 1 name "DEFAULT_VLAN"...
  • Page 512: Displaying The Information You Need To Diagnose Problems

    Repeatedly executes one or more commands so that you can see the results of multiple commands displayed over a period of time. To halt the command execution, press any key on the keyboard. Syntax: setup
  • Page 513: Restoring The Factory-Default Configuration

    • • Clear/Reset button combination NOTE: Hewlett Packard Enterprise recommends that you save your configuration to a TFTP server before resetting the switch to its factory-default configuration. You can also save your configuration via Xmodem to a directly connected PC.
  • Page 514: Restoring A Flash Image

    For Example: a. Change the switch baud rate to 115,200 Bps. => sp 115200 b. Change the terminal emulator baud rate to match the switch speed:
  • Page 515 In HyperTerminal, select Call|Disconnect. Select File|Properties. III. Click on Configure. Change the baud rate to 115200. Click on [OK], then in the next window, click on [OK] again. Select Call|Connect. VII. Press [Enter] one or more times to display the => prompt. 4.
  • Page 516: Dns Resolver

    DNS server in this same domain. This time, the operator wants to use the switch to trace the route to a host named "remote-01" in a different domain named common.group.net. Assuming this second domain is...
  • Page 517: Configuring And Using Dns Resolution With Dns-Compatible Commands

    accessible to the DNS server already configured on the switch, a traceroute command using the target's fully qualified DNS name should succeed. Figure 83: Example: using the fully qualified domain name for an accessible target in another domain Configuring and using DNS resolution with DNS-compatible commands (The DNS-compatible commands include ping and traceroute.) Procedure 1.
  • Page 518: Using Dns Names With Ping And Traceroute: Example

    Configuring switch "A" with the domain name and the IP address of a DNS server for the domain enables the switch to use host names assigned to IP addresses in the domain to perform ping and traceroute actions on the devices in the domain. To summarize:
  • Page 519 Entity: Identity; DNS server IP address: 10.28.229.10; Domain name (and domain suffix for hosts in the domain): pubs.outdoors.com; Host name assigned to 10.28.229.219 by the DNS server: docservr; Fully qualified domain name for the IP address used by the document server (10.28.229.219): docservr.pubs.outdoors.com; Switch IP address: 10.28.192.1; Document server IP address...
  • Page 520: Viewing The Current Dns Configuration

    The DNS servers and domain configured on the switch must be accessible to the switch, but it is not necessary for any intermediate devices between the switch and the DNS server to be configured to support DNS operation.
  • Page 521: Event Log Messages

    • When multiple DNS servers are configured on the switch, they can reside in the same domain or different domains. • A DNS configuration must include the IP address for a DNS server that is able to resolve host names for the desired domain.
  • Page 522: Chapter 21 Job Scheduler

    Specify the number of times the job should run. delay Specify the delay before running the job. enable Enable a job that is disabled or expired. disable Disable a job. By default, a job is enabled.
  • Page 523: Show Job

    Usage job <JOB NAME> at <([DD:]HH:]MM on <WEEKDAY-LIST>)> config-save <COMMAND> count <1-1000> job <JOB NAME> at <[HH:]MM on [MM/]DD> config-save <COMMAND> count <1-1000> job <JOB NAME> at <EVENT> config-save <COMMAND> job <JOB NAME> delay <([DD:]HH:]MM> config-save <COMMAND> count <1-1000> job <JOB NAME> enable | disable [no] job <JOB NAME>...
  • Page 524 Job Information Job Name : foo Runs At : 17:00 SxTWTxS Config Save : Yes Repeat Count: -- Run Count Error Count : 0 Command : savepower led Job Status : Enabled
  • Page 525: Chapter 22 Configuration Backup And Restore Without Reboot

    Chapter 22 Configuration backup and restore without reboot Overview The traditional way of restoring a configuration from a backup configuration file required a switch reboot for the new configurations to be effective. There were network outages and a planned downtime for even minor changes. The switch configuration can now be restored from a backup configuration without reboot.
  • Page 526: Switching To A New Configuration

    Time Taken : 3 Seconds Last Run : Tue Nov 28 18:24:09 2017 Recovery Mode : Enabled Failure Reason Number of Add Commands : 14 Number of Remove Commands : 0
  • Page 527: Rolling Back To A Stable Configuration Using Job Scheduler

    Time Taken for Each Phase : Calculating diff : 1 Seconds Adding commands : 2 Seconds Removing commands : 0 Seconds Rolling back to a stable configuration using job scheduler Procedure 1. Configure the job using alias with the required configuration. alias <name>...
  • Page 528: Commands Used In Switch Configuration Restore Without Reboot

    The configuration backup creates a backup of the running or startup configuration of ArubaOS-Switch on-demand to the flash storage on the switch. The maximum number of backup files supported has increased from three to five.
  • Page 529: Cfg-Backup

    NOTE: When you downgrade configuration backup files from five to three, and if the current number of files is either a four or five, an error message Configuration file <name> stored in config index 5 is not supported in lower image versions is displayed. cfg-backup Syntax cfg-backup {running-config | startup-config} config <FILE-NAME>...
  • Page 530 1 type jl255a snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN" no untagged 3-10 untagged 1-2,11-28 ip address dhcp-bootp exit vlan 100 name "VLAN100" untagged 3-5 no ip address exit
  • Page 531: Configuration Restore Without Reboot

    vlan 200 name "VLAN200" untagged 6-10 no ip address exit Configuration restore without reboot The cfg-restore without reboot command restores the configuration without reboot from a backup configuration to the running configuration of the switch. The details about the difference between a running and a backup configuration can be displayed using cfg-restore {flash | tftp | sftp} <FILE-NAME>...
  • Page 532 10.100.0.12 config_file diff Provide the list of changes that will be applied on the running configuration. force Apply the configuration with reboot if the configuration has reboot required commands or...
  • Page 533: Force Configuration Restore

    system-wide change commands present. non-blocking Config restoration in non-blocking mode. recovery-mode To enable/disable recovery-mode. verbose Provide the details of config restore status and the list of commands to be added or deleted. switch(config)# cfg-restore flash add non-blocking diff Provide the list of changes that will be applied on the running configuration.
  • Page 534: Cfg-Restore Non-Blocking

    Performs restore in non-blocking mode. Command context config Example switch(config)# cfg-restore flash add non-blocking Current running-configuration will be replaced with 'add'. Continue (y/n)? y Configuration restore is in progress, configuration changes are temporarily disabled. switch(config)#
  • Page 535: Cfg-Restore Recovery-Mode

    switch(config)# show cfg-restore status Status : Success Config File Name : add Source : Flash Time Taken : 2 Seconds Last Run : Sun Oct 22 22:09:02 2017 Recovery Mode : Enabled Failure Reason Number of Add Commands Number of Remove Commands : 10 Time Taken for Each Phase : Calculating diff : 1 Seconds...
  • Page 536 Partially applied configuration 'modify' to running configuration. Aruba-2930F-24G-PoEP-4SFPP(config)# show running-config Running configuration: ; JL255A Configuration Editor; Created on release #WC.16.05.0000x ; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba hostname "Aruba-2930F-24G-PoEP-4SFPP" module 1 type jl255a
  • Page 537: Cfg-Restore Verbose

    ip routing snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN" untagged 1-28 ip address dhcp-bootp exit vlan 100 name "VLAN100" no ip address exit cfg-restore verbose Syntax cfg-restore {flash | tftp | sftp} <FILE-NAME> verbose Description Provides the details of configuration restore status and the list of commands to be added or deleted along with cfg-restore.
  • Page 538: Cfg-Restore Config_Bkp

    : TFTP Time Taken : 4 Seconds Last Run : Wed Nov 8 21:11:10 2017 Recovery Mode : Enabled Failure Reason Number of Add Commands Number of Remove Commands : 7
  • Page 539: Configuration Restore With Force Option

    Time Taken for Each Phase : Calculating diff : 1 Seconds Adding commands : 0 Seconds Removing commands : 0 Seconds switch(config)# show config files Configuration files: id | act pri sec | name ---+-------------+--------- | config Configuration restore with force option Prerequisites Back up the configuration using traditional copy config or cfg-backup commands.
  • Page 540: System Reboot Commands

    [0-9 | a-z | A-Z] • module [0-9 | a-z | A-Z] type <type> • igmp lookup-mode ip • flexible-module [a-z | A-Z] type <type> • stacking member [0-9] flexible-module [a-z | A-Z] type <type>
  • Page 541: Configuration Restore Without Force Option

    Configuration restore without force option If the two configuration files backed up are file1 and file2: Prerequisites Backup the configuration using either the traditional copy config or the cfg-backup commands. Procedure 1. Execute the show config files command. By default, the config file provides all the associations. switch(config)# show config files Configuration files: id | act pri sec | name...
  • Page 542 Failed to remove commands: Line: 12 vlan 10 Line: 15 no ipv6 nd snooping mac-check Failed to add commands: Line: 10 icmp 10.100.0.12 source-inter vlan 1 Line: 20 udp-echo 10.100.0.12 source vlan 1
  • Page 543: Viewing The Differences Between A Running Configuration And A Backup Configuration

    NOTE: The number of add and delete commands is calculated excluding the exit commands in the configuration file. Viewing the differences between a running configuration and a backup configuration Prerequisites Use the cfg-restore {flash | tftp | sftp} <FILE-NAME> diff command to view the list of configuration changes that are removed, modified, or added to the running configuration.
  • Page 544 Show configuration restoration status. switch(config)# show cfg-restore latest-diff Configuration delete list: ip default-gateway 172.20.0.1 vlan 100 name "VLAN100" no ip address exit Configuration add list: vlan 10 name "VLAN10" no ip address
  • Page 545: Show Commands To Show The Sha Of A Configuration

    exit switch(config)# Show commands to show the SHA of a configuration The show commands provide SHA details of the running and startup configurations. show hash Syntax show {config | running-config} hash {recalculate} Description Shows SHA ID of startup or running configuration. Command context config Examples...
  • Page 546: Scenarios That Block The Configuration Restoration Process

    Only read operation is allowed. Attempts to use write operation results in the Configuration restore is in progress, configuration changes are temporarily disabled error. The following show commands are blocked during a configuration restoration process:
  • Page 547: Troubleshooting And Support

    • show-tech • show config • show running-config • show startup-config Troubleshooting and support Switch configuration restore without reboot feature provides CLI support to: • display the number of commands with line number that failed to restore. • display the delta between running configuration and the configuration to be restored. More information Viewing the differences between a running configuration and a backup configuration on page 543 show cfg-restore status on page 541...
  • Page 548: Chapter 23 Virtual Technician

    --------------- --------- Clear cdp counters Syntax clear cdp counters Description Allows a user to clear CDP statistics. Clear cdp counters Port No|Transmitted Frames|Received Frames|Discarded Frames|Error Frames ------- ----------------- -------------- --------------- ---------
  • Page 549: Enable/Disable Debug Tracing For Mocana Code

    Enable/Disable debug tracing for MOCANA code Debug security Syntax debug security ssl Description Enables the debug tracing for MOCANA code. Use the [no] parameter to disable debug tracing. Display all SSL messages. User diagnostic crash via Front Panel Security (FPS) button Allows the switch’s front panel Clear button to manually initiate a diagnostic reset.
  • Page 550: Front-Panel-Security Diagnostic-Reset

    Disables the diagnostic reset feature so that the user is prevented from capturing diagnostic data and performing a diagnostic reset on the switch. Both the sub-options reset-via-serial-console and reset-via-clear-button will be disabled. This is necessary if the switch becomes unresponsive (hangs) for unknown reasons.
  • Page 551: Front-Panel-Security Diagnostic-Reset Clear-Button

    No front-panel-security diagnostic-reset no front-panel-security diagnostic-reset Clear Password - Enabled Reset-on-clear - Disabled Factory Reset - Enabled Password Recovery - Enabled Diagnostic Reset - Disabled CAUTION: Disabling the diagnostic reset prevents the switch from capturing diagnostic data on those rare events where the switch becomes unresponsive to user input because of unknown reasons.
  • Page 552: Show Front-Panel-Security

    Press and release the Reset button Same as a standalone switch, except: switch) • If the Commander, the Standby switch will become Commander. • If the Standby, a new Standby will be elected.
  • Page 553: Validation Rules

    To accomplish this Do this Result Hard Reset (Stacked Press and hold the Reset button for Same as a standalone switch, except: switch) more than 5 seconds (until all LEDs turn on), then release. • If the Commander, the Standby switch will become Commander.
  • Page 554: Fps Error Log

    SMM: User has initiated diagnostic reset via the serial console. Sw_panic() message when triggered via RMON_BOOT_CRASH_RECORD1 STKM: User has initiated diagnostic reset via the serial console. Sw_panic() message when triggered via non-commander
  • Page 555: User Initiated Diagnostic Crash Via The Serial Console

    Event Message Console print STKM: HA Sync in progress; user initiated diagnostic request via the serial console rejected. Retry after sometime. Printed on the device console. When standby is in sync state, we don’t want to crash the commander. So we report to the user to retry later Console print STKM: Member is booting;...
  • Page 556: Serial Console Error Messages

    STKM: HA Sync in progress; user initiated diagnostic request via the serial console rejected. Retry after sometime. Console print STKM: Member is booting; user initiated diagnostic request via the serial console rejected. Retry after sometime.
  • Page 557: Chapter 24 Ip Service Level Agreement

    Chapter 24 IP Service Level Agreement Overview IP Service Level Agreement (IP SLA) is a feature that helps administrators collect information about network performance in real time. With increasing pressure on maintaining agreed-upon Service Level Agreements on Enterprises and ISPs alike, IP SLA serves as a useful tool. Any IP SLA test involves a source node and a destination node.
  • Page 558 The maximum number of Jitter responder sessions (UDP Jitter + Jitter For VoIP) supported is 10. The maximum number of Jitter initiator sessions (UDP Jitter + Jitter For VoIP) supported is 5.
  • Page 559: How Ip Sla Works

    • IMC (Intelligent Management Center) supports below IP SLA: ◦ DHCP • Measurement of RTT and jitter values is in milliseconds. • IPv6 SLA for UDP jitter and VoIP is not supported. • UDP jitter and UDP jitter for VoIP tests are not supported over Tunnel, Trunk, and OOBM interfaces. •...
  • Page 560: Ip-Sla Clear

    <ID> clear Description Clear history records, message statistics, and threshold counters of a particular SLA entry. Options records Clear history records, message statistics, and threshold counters of particular SLA entry.
  • Page 561: [No] Ip-Sla History-Size

    [no] ip-sla <ID> history-size Syntax [no] ip-sla <ID> history-size Description Configure the number of history records to be stored for the IP SLA. The maximum supported size is 50 and the default value for history-size is 25. [no] ip-sla <ID> icmp-echo Syntax [no] ip-sla <ID>...
  • Page 562: [No] Ip-Sla Monitor Packet-Loss

    Take no action. [no] ip-sla <ID> monitor test-completion Syntax [no] ip-sla <ID> monitor test-completion action-type [trap | log | trap-log | none] Description Configure action to be taken when test gets completed.
  • Page 563: [No] Ip-Sla Schedule

    • trap: Send snmp-trap when configured threshold is hit. • log: Only log the event when configured threshold is hit. • trap-log: Send snmp-trap and log the event when configured threshold is hit. • none: Take no action. [no] ip-sla <ID> schedule Syntax [no] ip-sla <ID>...
  • Page 564: [No] Ip-Sla Udp-Jitter-Voip

    <ID> SLA ID: 1 Status: [Enabled | Admin-disabled | Scheduled | Expired | Running] SLA Type: [ICMP-echo | tcp-connect | UDP-echo | DHCP | DNS | udp-jitter | voip]
  • Page 565: Show Ip-Sla History

    Destination Hostname: www.hp.com Destination Address : 20.0.0.2 Source Address : 20.0.0.1 History Bucket Size : 5 TOS: 32 Schedule: Frequency (seconds) : 60 Life : [Forever | 144 seconds] Start Time : Tue Oct 27 22:12:16 2015 Next Scheduled Run Time : Tue Oct 27 22:43:16 2015 Threshold-Monitor is : Enabled...
  • Page 566: Show Ip-Sla Results

    : 2008-05-29 13:56:17.6 Extended Results: Packet Loss in Test : 0% UDP-Jitter Results: RTT Number : 10 Min Positive SD Min Positive DS Max Positive SD : 21 Max Positive DS : 28
  • Page 567: Show Ip-Sla Aggregated-Results

    Positive SD Number Positive DS Number Positive SD Sum : 52 Positive DS Sum : 38 Positive SD Average : 10 Positive DS Average : 10 Positive SD Square Sum : 754 Positive DS Square Sum : 460 Min Negative SD Min Negative DS Max Negative SD : 13...
  • Page 568: Show Ip-Sla Responder

    Show the IP SLA responder statistics details. Options udp-jitter Show the IP SLA responder statistics for UDP Jitter SLA type. udp-jitter-voip Show the IP SLA responder statistics for UDP Jitter VoIP SLA type.
  • Page 569: Show Tech Ip-Sla

    show ip-sla responder statistics IP SLA Responder : Active Number of packets received : 31 Number of error packets received : 0 Number of packets sent Recent Sources : 10.12.80.100 [07:23:49.085 UTC Sun Oct 25 2015] UDP 10.12.80.100 [07:22:49.003 UTC Sun Oct 25 2015] TCP 10.12.80.100 [07:20:48.717 UTC Sun Oct 25 2015] TCP 10.12.80.100 [07:18:48.787 UTC Sun Oct 25 2015] TCP 10.12.80.100 [07:17:48.871 UTC Sun Oct 25 2015] TCP...
  • Page 570 Mon Jun 13 10:42:05 2016 Passed Mon Jun 13 10:42:52 2016 Passed Mon Jun 13 10:43:52 2016 Passed Mon Jun 13 10:44:52 2016 Passed Mon Jun 13 10:45:52 2016 Passed ICMP ID hash walk:
  • Page 571: Clear Ip-Sla Responder Statistics

    ========== IP SLA show tech END ============== ======== IP SLA Server show tech BEGIN ============ Responder not active IP SLA Responder: Inactive ======== IP SLA Server show tech END ============ === The command has completed successfully. === clear ip-sla responder statistics Syntax clear ip-sla responder statistics <SLA-TYPE>...
  • Page 572: Validation Rules

    SLA type with a value of ‘number of IP SLA type. packets per probe’ and ‘packet interval’ which is not satisfying the condition frequency > number of packets per probe * packet interval.
  • Page 573 Validation Error/Warning/Prompt Configuring IP SLA with invalid values. Invalid configuration for IP SLA. Change the IP SLA configuration when the SLA Configuration changes not allowed when IP SLA is enabled. is enabled. When IP address vs port number configured for Error: Socket for configured address, port is already in use, an SLA is already in use choose different port number...
  • Page 574: Event Log Messages

    100, Action Type: Trap and Log. Actual Threshold: User adds DNS IP-SLA configuration I 08/09/16 02:47:12 05029 ipsla: The IP SLA 1 of SLA Type: DNS, Name server IPv4 Address: 10.0.0.1, Target Hostname: a.hp.com added
  • Page 575: Interoperability

    Event Message User removes DNS IP-SLA configuration I 08/09/16 02:47:12 05030 ipsla: The IP SLA 1 of SLA Type: DNS, Name server IPv4 Address: 10.0.0.1, Target Hostname: a.hp.com removed. The packet loss threshold for the SLA has reached I 08/09/16 02:47:12 05023 ipsla: The IP SLA 1 of SLA Type: DNS, Packet loss is observed.
  • Page 576: Significance Of Jitter

    The initiator timestamps the frame at a pre-defined location before sending the frame out to the configured destinations and re-timestamps the frame at a different location once it receives the same back from the responder.
  • Page 577: Sla Measurements

    IP SLA measurement engine This is an application running on the initiator. It processes response frames received from the IP SLA responder and computes one-way delay, jitter and RTT based on the timestamps present in the packet. This application aggregates this computed information across multiple probe samples and stores this for consumption by an NMS via SNMP or via the device CLI.
  • Page 578 This requires the Initiator and the Responder to be time synchronized with the same clock server. This is explained in the illustration below: Round trip time RTT is measured at the initiator on a per packet basis and is as illustrated below:
  • Page 579: Chapter 25 Easing Wired/Wireless Deployment Feature Integration

    Chapter 25 Easing Wired/Wireless Deployment feature integration Overview Auto device detection The command device-profile enables the user to define profiles and configure the associations of profiles to each device type. By creating a device profile, parameters will be defined for a connection interface by device type.
  • Page 580: Validation Rules

    Configure this port as an untagged member of specified VLAN. tagged-vlan <VLAN-LIST> Configure this port as a tagged member of the specified VLANs. cos <COS-VALUE> Configure the Class of Service (CoS) priority for traffic from the device.
  • Page 581: Associating A Device With A Profile

    ingress-bandwidth <PERCENTAGE> Configure ingress maximum bandwidth for the device port. egress-bandwidth <PERCENTAGE> Configure egress maximum bandwidth for the device port. poe-max-power <WATTS> Configure the maximum PoE power for the device port (in watts). poe-priority Configure the PoE priority for the device port. Usage [no] device-profile name <PROFILE-NAME>...
  • Page 582: Configuring The Rogue-Ap-Isolation Command

    Configures rogue AP Whitelist MAC addresses for the switch. This option is used to add MAC addresses of approved access points to the whitelist. <MAC-ADDR> Specify the MAC address of the device to be moved from the Rogue AP list to the whitelist.
  • Page 583: Vxlan Show Commands

    Usage rogue-ap-isolation [enable | disable] rogue-ap-isolation action [log | block] [no] rogue-ap-isolation whitelist <MAC-ADDRESS> VXLAN show commands VXLAN show commands include commands to display the status of a VXLAN feature, tunnels, and tunnel statistics. show device-profile Syntax Within the configure context: show device-profile Description Show device profile configuration and status.
  • Page 584: Show Command Device-Profile Status

    Device Type Applied Device Profile ---- ----------- ---------------------- aruba-ap profile1 aruba-ap profile1 Show rogue-ap-isolation Syntax show rogue-ap-isolation Description Show rogue access point information. Options whitelist Show rogue access point whitelist information.
  • Page 585 Usage show rogue-ap-isolation whitelist show rogue-ap-isolation Switch# show rogue-ap-isolation Rogue AP Isolation Rogue AP Status : Enable Rogue AP Action : Block Rogue AP MAC Neighbor Device ----------------- ----------------- 11:22:33:44:55:66 00:12:34:56:67:89 aa:bb:cc:dd:ee:ff 00:98:45:56:67:89 show rogue-ap-isolation whitelist Switch# show rogue-ap-isolation whitelist Rogue AP Whitelist Configuration Rogue AP MAC -----------------...
  • Page 586: Chapter 26 Local User Roles

    If configured, untagged VLAN specified in the user role (VSA Derived Role, UDR, or Initial Role). ◦ Statically configured untagged and/or tagged VLANs of the port the user is on. Operational notes
  • Page 587 • When user roles are enabled, all users that are connecting on ports where authentication is configured will have a user role applied. User role application happens even if the user fails to authenticate. If the user cannot be authenticated, the “Initial Role” will be applied to that user. •...
  • Page 588: Captive-Portal Commands

    Two captive portal profiles are supported: • Predefined and read-only Predefined and read-only profile name is use-radius-vsa. • Customized [no] aaa authentication captive-portal profile Syntax [no] aaa authentication captive-portal profile <PROFILE-STR> [url <URL-STR>] Description
  • Page 589: Validation Rules

    Create a captive-portal profile. Profiles are used in user roles to direct the user to a designated captive portal server. When the profile includes a web address, that web address is always used to contact the server. When no web address is specified, it is obtained from the RADIUS VSA. NOTE: A profile does not have to be pre-existing in the switch for it to be configured to a user role.
  • Page 590: Policy Commands

    Create and enter newly created user policy context. Usage Switch (config)# policy user employee [no] policy user Syntax [no] policy user <POLICYNAME> Description Delete and remove specified user policy from switch configuration. Operating notes
  • Page 591: Policy Resequence

    • The user policy will include implicit “deny all” rules for both IPv4 and IPv6 traffic. • ipv4 or ipv6 classes must specify source address as any. Specifying host addresses or subnets will result in the following error message: Switch (policy-user)# class ipv4 class25 action priority 0 User policies cannot use classes that have a source IP address specified.
  • Page 592: User Role Configuration

    • The user role feature is enabled with RADIUS authentication, but no user role VSA is returned. • User role does not exist.
  • Page 593: Error Log

    • Not enough TCAM resource available. • Access-Reject from RADIUS. • User role VSA is sent along with invalid attributes. • RADIUS not reachable. • VLAN configured on the user role does not exist. • Captive Portal profile does not exist. •...
  • Page 594: Captive-Portal-Profile

    Set the reauthentication period for the user role. Use [0] to disable reauthentication. For RADIUS-based authentication methods, it will override the RADIUS session timeout. It also overrides any port-based reauth-period configuration with the exception that LMA does not support a reauth-period.
  • Page 595: Validation Rules

    Options <VALUE> Valid values are 0 – 999,999,999; a required configuration in user roles and it defaults to 0. (user-role)# reauth-period 100 Set the reauthentication value for the current user role: (user-role)# reauth-period 100 (user-role)# reauth-period 0 0 is used to disable reauthentication, and it is the default value. (user-role)# reauth-period 0 Validation rules Validation...
  • Page 596: Vlan Range Commands

    VLAN-ID-LIST. After command execution, CLI returns to the global configuration context. Examples config# vlan 2-15 tagged A1-A20 config# vlan 5,10,13-20,25 tagged A1-A5,L2,L5-L10 config# vlan 2-20 tagged all config# no vlan 2-15 tagged A1-A5 config# no vlan 5,10,13-20 tagged A1-A5,L6
  • Page 597: Applying A Udr

    Applying a UDR UDR can be used to assign user roles locally (that is, without RADIUS). LMA has been extended to allow applying a user role to a MAC address, MAC group, MAC mask, or MAC OUI. aaa port-access local-mac apply user-role Syntax [no] aaa port-access local-mac apply user-role <Role-Name>...
  • Page 598: Show User-Role

    Employee local Guest predefined denyall show user-role <ROLE-NAME> Switch# show user-role captivePortalwithVSA User Role Information Name : captivePortalwithVSA Type : local Reauthentication Period (seconds) : 0 Untagged VLAN : 610 ...
  • Page 599: Show Port-Access Clients

    Captive Portal Profile : use-radius-vsa Policy : cppolicy show user-role detailed The example shows how to configure user roles to use Clearpass as a Captive Portal. The Captive Portal URL is specified in a RADIUS VSA. Switch# show user-role captivePortalwithVSA detailed User Role Information Name : captivePortalwithVSA...
  • Page 600 Statements for policy "policyIxia1" policy user "policyIxia1" 10 class ipv4 "classIxia1" action rate-limit kbps 11000 exit Statements for class IPv4 "classIxia1" class ipv4 "classIxia1" 10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit ...
  • Page 601: Chapter 27 Port Qos Trust Mode

    Chapter 27 Port QoS Trust Mode Overview The Port QoS Trust feature restricts which packet QoS information may be used to determine inbound queue servicing and any priority information to be permitted into the local hop. Port QoS Trust Mode configuration allows preservation or removal of the inbound QoS priorities carried in Layer 2 (the VLAN cos or Priority CodePoint (PCP) value, known as the 802.1p priority tag) and/or in Layer 3 (the IP-ToS byte, in IP-Precedence or IP-Diffserv mode).
  • Page 602: Qos Dscp-Map

    Description Shows port-based QoS trust configuration Options device Show list of trusted devices per-port. <port> Show trusted devices on a single port. Usage show qos trust [device | [ethernet <PORT-LIST> ] ...
  • Page 603 show qos trust switch# show qos trust Port-based qos Trust Configuration Port Trust Mode | Device Trust State ---- --- ---- Default Default Device** | Trusted IP-Prec Dot1p None DSCP Device** Dot1p ** For a list of trusted devices per-port, use the command show qos trust device. To show trusted devices on a single port, use the command show qos trust device <PORT>.
  • Page 604: Validation Rules

    QoS trust mode. QoS trust device when any port QoS The port QoS priority feature must be disabled priority is enabled. before configuring this port QoS trust mode. ...
  • Page 605: Chapter 28 Tunneled Node

    Chapter 28 Tunneled node Overview The tunneled node feature encapsulates incoming packets from end-hosts in Generic Routing Encapsulation (GRE) and forwards them to a Mobility Controller for additional processing. The Mobility Controller strips the GRE header and processes the packet for authentication and stateful firewall, which enables centralized security policy, authentication, and access control.
  • Page 606: Protocol Application Programming Interface (Papi)

    Trying to delete the nonexisting profile. Record not found. Trying to delete the existing profile which is Cannot delete the tunneled node profile as applied on ports. one or more ports are using it. ...
  • Page 607: Tunneled-Node-Server

    tunneled-node-server From within the interface context: Syntax [no] tunneled-node-server Description Apply the tunneled node server on the port. Options tunneled-node-server Apply the tunneled node server on the port. Usage [no] tunneled-node-server Validation rules Validation Error/Warning/Prompt If meshing is configured, tunneled node Cannot apply tunneled node profile on a port profile is not allow applied on a port.
  • Page 608 It is mutually exclusive. this port. Tunneled node profile cannot be applied on Cannot apply tunneled node profile on the the trunks. Trunks. ...
  • Page 609: Tunneled-Node-Server

    Validation Error/Warning/Prompt If DHCP Client is enabled on a VLAN, Cannot apply tunneled node profile on the tunneled node profile applied on the ports port because the port is part of the DHCP part of a VLAN is not allowed. It is mutually client enabled VLAN.
  • Page 610: Interface Tunneled-Node-Server

    Configure the keepalive timeout for the tunneled node in seconds. Keepalive timeout seconds [1-40]. Default: 8 seconds. Options keepalive Configure the keepalive timeout for the tunneled node in seconds. backup-controller-ip From within the tunneled-node-profile context: Syntax [no] backup-controller-ip <IP-ADDR> ...
  • Page 611: Fallback-Local-Switching

    Description Configure the backup controller IP address for the tunneled node. Options backup-controller-ip Configure the backup controller IP address for the tunneled node. Usage [no] backup-controller-ip <IP-ADDR> fallback-local-switching From within the interface context: Syntax fallback-local-switching Description To switch traffic locally upon losing connectivity to the controller, you must configure the fallback option before connectivity fails.
  • Page 612: Validation Rules

    Options state Display the tunneled node port state. statistics Display the tunneled node statistics. show tunneled-node-server state Tunneled node Port State Active Controller IP Address Port State ------ ------------------------- Port down ...
  • Page 613: Clear Statistics Tunneled-Node-Server

    show tunneled-node-server statistics Tunneled node Statistics Port : 2 Control Plane Statistics Bootstrap packets sent Bootstrap packets received Bootstrap packets invalid Tunnel Statistics Rx Packets Tx Packets Rx 5 Minute Weighted Average Rate (Pkts/sec) Tx 5 Minute Weighted Average Rate (Pkts/sec) Aggregate Statistics Heartbeat packets sent Heartbeat packets received...
  • Page 614: Restrictions

    The packets from nontunneled node ports (in the same VLAN as tunnel-node port) will not be bridged to the tunneled-node ports and conversely. Features not allowed on a tunneled node port/VLAN with tunneled node ports/globally: ...
  • Page 615: Papi Security

    Feature Blocked globally/per port/ VLAN with tunneled-node-ports IP multicast routing Global Openflow Global Q-in-Q Global Distributed Trunking Global Mesh Global VXLAN Global IP address: manual and dhcp VLAN 802.1x, mac auth, webauth, LMA, port port security DIPLD (IPv4/IPv6) port DSNOOP (IPv4/IPv6) VLAN ARP protect...
  • Page 616: Papi Configurable Secret Key

    Minimum key-value length allowed is 10 characters and maximum allowed is 64 characters. Usage Switch(config)# papi-security key-value <KEY-VALUE> Switch(config)# [no] papi-security <KEY-VALUE> papi-security key-value HP-2920-24G(config)# papi-security key-value TestKey12345678 HP-2920-24G(config)# no papi-security key-value ...
  • Page 617 HP-2920-24G(config)# papi-security key-value Test Minimum key-value length allowed is 10 characters and maximum allowed is 64 characters. show run with encrypted key Switch(config)# sh run Running configuration: ;J9576A Configuration Editor ;Created on release #KA.16.02.0000x ;Ver #0e:01.f0.92.34.5f.3c.6b.fb.ff.fd.ff.ff.3f.ef:78 ;encrypt-cred +NXT3w7ky2IXNXadlJblS/1ZRi/o73Qq28XXcLkSCZq9PU30Kl+KMLMva8rQri5g hostname "HP-3810-48G-4SFPP" module 1 type j9576y module 2 type j9576x encrypt-credentials...
  • Page 618: Preventing Double Tunneling Of Aruba Access Points

    Configure the maximum PoE power for the device port. poe-priority Configure the PoE priority for the device port. speed-duplex Configure the speed and duplex for the device port. tagged-vlan Configure this port as a tagged member of the specified ...
  • Page 619 VLANs. untagged-vlan Configure this port as an untagged member of specified VLAN. Execute show run command to display the tunneled mode configuration in an enabled or disabled state: switch(config)# show run ; J9625A Configuration Editor; Created on release #KB.16.05.0000x ; Ver #0f:02.43.18.82.34.61.1c.28.f3.84.9c.63.ff.37.2f:da hostname "switch"...
  • Page 620 Configuration for device-profile : test untagged-vlan tagged-vlan : None ingress-bandwidth : 100% egress-bandwidth : 100% : None speed-duplex : auto poe-max-power : Class/LLDP poe-priority : critical allow-jumbo-frames : Disabled allow-tunneled-node: Enabled When tunneled-node is disabled: ...
  • Page 621 switch(config)# show device-profile config Device Profile Configuration Configuration for device-profile : default-ap-profile untagged-vlan tagged-vlan : None ingress-bandwidth : 100% egress-bandwidth : 100% speed-duplex : auto poe-max-power : Class/LLDP poe-priority : critical allow-jumbo-frames : Disabled allow-tunneled-node: Disabled Device Profile Configuration Configuration for device-profile : test untagged-vlan tagged-vlan : None...
  • Page 622: Chapter 29 Time Domain Reflectometry

    Use the ‘show cable-diagnostics’ command to view the results. Continue (y/n)? Y switch# show cable-diagnostics 1/1-1/10 Cable Diagnostic Status - Copper Ports Cable Cable Length or ...
  • Page 623 Port Pair Status Distance to Fault ---- ------ ----------- --------------------- 1/10 1-2 Good cable tests switch# test cable-diagnostics 51 This command will cause a loss of link on all tested ports and will take several seconds per port to complete. Use the 'show cable-diagnostics' command to view the results.
  • Page 624 Cable Diagnostic Status - Transceiver Ports Cable Distance Pair Pair Port Pair Status to Fault Skew Polarity Mode ---- ------ ----------- ---------- ------ ---------- ------ Open 0 ns Open 0 ns ...
  • Page 625: Show Cable-Diagnostics

    Open 0 ns Open 0 ns Error message Error Message Cause The transceiver on port 1/A1 • usage of invalid(fiber-SFP+) port does not support cable diagnostics. • The selected range includes an entry for an invalid port. show cable-diagnostics Syntax show cable-diagnostics <PORT-LIST>...
  • Page 626 – J9995A — Aruba 8-port 1/2.5/5/10GBASE-T PoE+ MACsec v3 zl2 Module ◦ 3810M (JL076A — Aruba 3810M 40G 8 HPE Smart Rate PoE+ 1-slot Switch) • Not supported on v2 zl modules • Valid only on 100BASE-TX and 1000BASE-T ports ...
  • Page 627: Chapter 30 Link Layer Discovery Protocol Bypass Authentication

    Chapter 30 Link Layer Discovery Protocol bypass authentication Overview The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by Aruba network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet.
  • Page 628: Validation Rules

    If lldp-bypass is enabled on the port: is configured on the port: Cannot apply mesh or manual trunks on the port A1 when lldp-bypass is enabled on that port. ...
  • Page 629: Show Commands

    Validation Error/Warning/Prompt When MAC-lockdown is enabled on the If lldp-bypass is enabled on the port: port: Cannot apply MAC lock-enable on the port A1 when lldp-bypass is enabled on that port. Security Warning when enabling lldp-bypass on the port. Enabling lldp-bypass on the port may give access to any Aruba-AP that sends a special LLDP TLV without...
  • Page 630: Show Port-Access Lldp-Bypass Config

    Syntax show port-access lldp-bypass config Description Displays the lldp-bypass configuration applied on all switch ports. show port-access lldp-bypass config switch#show port-access lldp-bypass config Port Access lldp-bypass Configuration Port Enabled ------ ---------- ...
  • Page 631: Error Log

    Stackable switch: show port-access lldp-bypass config switch(config)#show port-access lldp-bypass config Port Access lldp-bypass Configuration Port Enabled ------ ---------- 1/52 2/26 3/26 Error Log Event Message CLIERR_CANNOT_ENABLE_LLDP_BYPASS_MAC_LOCKDOWN_ENABLED lldp-bypass is not allowed on the port where MAC-lockdown is enabled. lldp-bypass cannot be enabled on a port with MAC lock-enabled....
  • Page 632: Debug Log

    0000:00:13:57.64 PSEC mPORTSECMCtrl: Received PROFMGR_DEVICE_CONNECTED event for 40e3d6-c6d492 on port A1. enabled port: When already connected Aruba-AP is 0000:00:13:07.96 PSEC mPORTSECMCtrl: Received PROFMGR_DEVICE_DISCONNECTED event for 40e3d6-c6d492 on port A1. disconnected/removed on lldp-bypass enabled port. ...
  • Page 633: Chapter 31 Net-Destination And Net-Service

    Chapter 31 Net-destination and Net-service Net-service Overview Net-service names are used as aliases in defining ACL rules for defined lists. An alias of net-service will configure a list of hosts, networks, or subnets. An extended ACL can have source IP, destination IP, and port number along with protocol in its ACE. An alias-based ACE for an extended ACL therefore allows the use of an alias of net-service protocol and destination port....
  • Page 634: Net-Destination Overview

    The use of net-service will also restrict the operators that can be specified for port number to equals and range. Example - extended HP-Switch-5406Rzl2(config)# ip access-list extended aext1 HP-Switch-5406Rzl2(config-ext-nacl)# ...
  • Page 635: Net-Destination Host |Position | Network

    permit tcp host 10.100.12.1 gt 23 16.90.0.0 /16 range 200 400 HP-Switch-5406Rzl2(config-ext-nacl)# exit Limitations • Limited to IPv4 addresses per syntax. • Any changes made to an existing net-destination that is used by an ACL will be applied on the ACL only when the rule is reapplied to it or when the switch is rebooted.
  • Page 636: Show Net-Destination

    Syntax show net-destination <NAME-STR> Description Show a host-specific net-destination. ...
  • Page 637: Chapter 32 Websites

    Chapter 32 Websites Networking Websites Hewlett Packard Enterprise Networking Information Library www.hpe.com/networking/resourcefinder Hewlett Packard Enterprise Networking Software www.hpe.com/networking/software Hewlett Packard Enterprise Networking website www.hpe.com/info/networking Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty...
  • Page 638: Chapter 33 Support And Other Resources

    • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: http://www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: http://www.hpe.com/support/hpesc Information to collect • Technical support registration number (if applicable) •...
  • Page 639: Customer Self Repair

    Customer self repair Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR.
  • Page 640: Regulatory Information

    Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document.
  • Page 641: Remote Device Deployment (Tr-069)

    Appendix A Remote Device Deployment (TR-069) Remote Device Deployment (TR-069) Introduction TR-069 is a technical specification created by the Broadband Forum. The TR-069 protocol specifies client and server requirements to manage devices across the Internet by using a client server architecture to provide communication between the CPE (Customer Premises Equipment) and the ACS (Auto Configuration Server).
  • Page 642: Advantages Of

    The zero-configuration mechanism is defined in the TR-069 specification. • TR-069 is suitable for large-scale device management. TR-069 supports a distributed architecture. The ACS can be distributed to multiple servers, and each ACS can manage part of the devices. ...
  • Page 643: Zero-Touch Configuration Process

    Zero-touch configuration process Auto configuration or “zero-touch” deployment is a recurring customer requirement, especially for remote-office deployments. New devices introduced inside a private network require management tools be co-located to configure them or update firmware, or require manual intervention to do configuration. TR-069 allows managing devices that reside in a private network via HTTP(S), enabling a new set of deployment and management models today, not possible using SNMP.
  • Page 644 In this example, the following steps configure CPEs for a Campus Network environment. 1. Pre-configuration for all CPEs in BIMS. 2. CPEs get BIMS parameters from DHCP server. 3. CPEs initiate a connection to BIMS, then BIMS deploys the pre-configuration to CPEs. ...
  • Page 645 Zero-touch configuration for Branch networks In this example, the following steps configure CPEs for a Branch network environment. 1. Create the basic configuration for your spoke device manually, using the username/password from ISP and BIMS URL. 2. The IPSec VPN configuration is generated by IVM and deployed by BIMS. 3.
  • Page 646: Zero-Touch Configuration Setup And Execution

    Zero-touch configuration setup and execution 1. DHCP configuration 2. BIMS configuration 3. Execution CLI commands Configuration setup Within the configure mode: Syntax: cwmp ...
  • Page 647: Acs Password Configuration

    Configure Auto Configuration Server (ACS) access. Configure Customer Premises Equipment (CPE) access. disable Disable the CPE WAN Management Protocol. NOTE: CWMP is automatically enabled. To conserve resources, reconfigure this setting using the cwmp disable command. enable Enable the CPE WAN Management Protocol. Syntax: [no] cwmp Configure Auto Configuration Server (ACS) access.
  • Page 648: When Encrypt-Credentials Is On

    USERNAME-STR A username for ACS authentication (maximum length: 256 characters). CPE configuration Syntax: cwmp cpe password Configure the password used for authentication when the ACS connects to the switch. ...
  • Page 649: Cpe Password Configuration

    username Configure the username used for authentication when the ACS connects to the switch. CPE password configuration When encrypt-credentials is on Syntax: cwmp cpe password encrypted-key An encrypted password generated with the 'encrypt-credentials' command. plaintext Configure the password used for authentication when the ACS connects to the switch. Syntax: cwmp cpe password encrypted-key ASCII-STR...
  • Page 650: Enable/Disable Cwmp

    : Disconnected Data Transfer Status : None Last ACS Connection Time : Wed Apr 9 16:56:00 2014 Time to Next Connection : 00:00:36 When CWMP is disabled Syntax: show cwmp status ...
  • Page 651: Event Logging

    CWMP status CWMP Status CWMP Status : Disabled CWMP configuration show cwmp configuration CWMP Configuration CWMP Status : Disabled Event logging The TR-069 client offers some tools to diagnose problems: • System logging • Status/control commands System logging The CPE implements the following system log notification codes and sample messages: •...
  • Page 652: Status/Control Commands

    W 11/19/13 08:06:13 04200 http: Upload of SourceFile to http://10.0.11.240:9876/path canceled because of inexistent file. Status/control commands The following commands help assess the general state of TR-069 and control the source of the ACS configuration record: ...
  • Page 653 Table 35: Status/control commands Command Result show cwmp status CWMP is Enabled ACS URL : https://16.93.62.32:9443 ACS URL is set by : Config ACS Username : bims Connection status : Disconnected Data transfer status : None Time of last successful connection : Thu Feb 20 01:16:59 2014 Interval upon to next connection : Null show cwmp...
  • Page 654: Network Out-Of-Band Management (Oobm)

    The following table summarizes the switch management ports. ...
  • Page 655: Example

    Table 36: Switch management ports In band Out of band Networked Directly connected Networked Management interface Command line (CLI), Command line (CLI), Command line (CLI), menu, Web menu menu Communication plane Data plane Management plane Management plane Connection port Any data port Dedicated serial or USB Dedicated networked console port...
  • Page 656: Oobm And Switch Applications

    OOBM configuration commands can be issued from the global configuration context (config) or from a specific OOBM configuration context (oobm). Entering the OOBM configuration context from the general configuration context Syntax: oobm ...
  • Page 657: Enabling And Disabling Oobm

    Enters the OOBM context from the general configuration context. Example: switch(config)# oobm HP Switch (oobm)# Enabling and disabling OOBM From the OOBM context: Syntax: enable disable From the general configuration context: Syntax: oobm enable oobm disable Enables or disables networked OOBM on the switch. OOBM is not compatible with a management VLAN.
  • Page 658: Setting The Oobm Port Speed

    Configuring an IPv4 address for the OOBM interface is similar to VLAN IP address configuration, but it is accomplished within the OOBM context. From the OOBM context: Syntax: [no] ip address [dhcp-bootp|ip-address/mask-length] From the general configuration context: ...
  • Page 659: Configuring An Oobm Ipv4 Default Gateway

    Syntax: [no] oobm ip address [dhcp-bootp|ip-address/mask-length] Configures an IPv4 address for the switch's OOBM interface. You can configure an IPv4 address even when global OOBM is disabled; that address will become effective when OOBM is enabled. Example: HP Switch (oobm)# ip address 10.1.1.17/24 Configuring an OOBM IPv4 default gateway Configuring an IPv4 default gateway for the OOBM interface is similar to VLAN default gateway configuration, but it is accomplished within the OOBM context.
  • Page 660: Oobm Member Ipv6 Default-Gateway

    Syntax ipv6 nd ra router-preference {low | medium | high} no ipv6 nd ra router-preference ...
  • Page 661: Oobm Show Commands

    Description Sets the router-preference configuration for communicating default router preferences from routers to hosts. Improves the ability of hosts to pick the appropriate router for an off-link destination by providing options at the operator level which set the router preference value as low, medium, or high. Depending on the router preference value set, the host receives the value as part of the IPv6 neighbor discovery router advertisement and chooses the best router for communication.
  • Page 662: Showing Oobm Ip Configuration

    Description Shows the IPv6 service status for OOBM interfaces. Command context operator Example Shows the IPv6 service status for OOBM interfaces. switch# show oobm ipv6 Internet (IPv6) Service for OOBM Interface ...
  • Page 663: Show Oobm Ipv6 (For Stacked Switches)

    IPv6 Status : Enabled IPv6 Default Gateway : 1000::2 Address Intf Member IP Config IP Address/Prefix Length Status Status ------ ---------- ------------------------------------------- --------- ------ Global manual 1000::1/64 Global autoconfig fe80::42a8:f0ff:fe9e:901/64 show oobm ipv6 (for stacked switches) Syntax show oobm ipv6 Description Shows the OOBM IPv6 interface for a stacked switch.
  • Page 664: Application Server Commands

    Default value is both for all servers. management and configuration Telnet: guide telnet-server [listen {<oobm | data | both>}] access security guide SSH: ip ssh [listen {<oobm | data | both>}] ...
  • Page 665: Application Client Commands

    management and configuration SNMP: guide snmp-server [listen {<oobm | data | both>}] management and configuration TFTP: guide tftp server [listen {<oobm | data | both>}] management and configuration HTTP: guide web-management [listen {<oobm | data | both>}] In all cases, show running-config displays the server configurations. Use the no form of the command to prevent the server from running on either interface.
  • Page 666 Assume that you are configuring the switch in the left-hand rack to communicate on both the data and management networks. You might do the following: • Configure an IP address on the data network. • Verify that out-of-band management is enabled. (It is enabled by default.) ...
  • Page 667 • Configure an IP address on the management network. • Verify that the switch can communicate on both networks. The CLI commands that follow would accomplish those tasks. (The first time through the process you might easily make the omission shown near the end of the example.) switch 41# config switch 41(config)# vlan 1 switch 41(vlan-1)# ip address 10.1.129.7/20...
  • Page 668: Configuration Backup And Restore Without Reboot

    Multicast Filtering LLDP-MED Power over Ethernet (PoE and PoE+) Loop Protection Protocol Filters MAC Address Management RADIUS Authentication and Accounting Management VLAN RADIUS-Based Configuration Passwords and Password Clear Protection/include-credentials ...
  • Page 669 Encrypted-password QoS: Strict-Priority Queuing Port Monitoring QoS: Turn on/off VLAN Precedence Port Status QoS: Egress Queue Rate-limiting Rate-Limiting Syslog System Parameters (hostname, Banner) System Information Front-panel-security Telnet Access DLDP Traffic/Security Filters OOBM VLAN Mirroring (1 static VLAN)/Port mirroring Switch interconnect Voice VLAN Airwave Controller IP configuration Web Authentication RADIUS Support...
  • Page 670: Glossary

    Enhanced Web Authentication Internet Protocol High Availability HMAC-SHA1 Hash-based Message Authentication Code used with the SHA-1 cryptographic hash function. HTTP Hypertext Transfer Protocol HTTPS Secure Hypertext Transfer Protocol Identifier Internet Protocol ...
  • Page 671 Acronym Definition The third, or routing, layer of the open systems interconnection (OSI) model. The network layer routes data to different LANs and Wide Area Networks (WANs) based on network addresses. Local Area Network Media Access Control MAFR MAC Authentication Failure Redirect Management Interface Specification Network Management System PVOS...
