CDI-AOS-CX 10.4 Switching Portfolio Launch - Lab V4.01
Lab Guide
| © Copyright 2019 Hewlett Packard Enterprise Development LP | Confidential – For Training Purposes Only
AOS-CX Enablement Field Training 2019 Lab Guide
Steps
Task 3: VSX LAG
Objectives
Steps
Task 4: Configuring VSX Keepalive
Objectives
Steps
Task 5: Configuring VSX Active-Gateway
Objectives
Steps
Task 6: VSX Redundancy
Objectives
Steps
Task 7: VSX Split-Brain
Objectives
Steps
Lab 3: Configuring OSPF Routing Protocol with NetEdit
Objects
Task 1: NetEdit Users and Password
Objectives
Steps
Task 2: Import and manage devices
Objectives
Steps
Task 3: Create a configuration plan for AGG and Core switches
Objectives
Steps
Lab 4: Access Control
Objectives
Task1 Preparing Access control Lab.
Steps
Task 2 MAC-authentication
Steps
Objectives
After completing this lab:
• You will know how to access the Aruba remote lab portal.
Lab equipment
• Per table (per student)
– 3x 8325 switches using AOS-CX 10.04
– 2x 6300 switches using AOS-CX 10.04
– 1x Mobility Controller 7005 running AOS version 8.5
– 1x Wired client (VM) Windows 10 Enterprise
– 1x NetEdit version 2.0
Launch a web browser and browse to the Aruba Training Lab at the portal:
https://arubatraininglab.computerdata.com
1. Enter the username and the password (if you don’t have one, ask your instructor for the
credentials) and click the Sign in button.
IP sheet
NetEdit 2.0: 10.251.X.200 (access it from Windows 10)
Username: admin / Password: password
Username: neadmin / Password: password
Don’t forget: In these labs, the value ‘X’ is your student table number, which will be
assigned by your instructor.
Note: Please remember that students’ tables share core switches. Never issue a command on
those switches unless your lab guide or instructor asks you to do so.
Steps
1. Open a console connection to your ACC-1(TX-6300-A) switch.
2. Log in with username admin / admin password (just press enter at the password prompt) or
try (admin/enable).
3. Check whether checkpoint “ZERO” exists, and recover the configuration to checkpoint ZERO.
TX-6300-A 10.251.X.4/24
TX-6300-A(config)#
interface mgmt
no shutdown
ip static <10.251.X.4>/24
default-gateway <10.251.X.254>
exit
!
session-timeout 0
ssh server vrf mgmt
https-server vrf mgmt
https-server rest access-mode read-write
end
!
5. Change the admin password to 'admin'. This is the default password used on switches in the
lab.
TX-6300-A(config)# user admin password
Enter password: admin
Confirm password: admin
6. Disable the session timeout. This is convenient while working on the labs.
QUESTION: What is the default console session timeout value? You can use the system help
(?) to find out.
TX-6300-A(config)# session-timeout ?
<0-43200> Idle timeout range in minutes. Value 0 disables the timeout
(Default: 30)
TX-6300-A(config)# session-timeout 0
7. Save the current running configuration to the startup. If you reboot the system manually or
accidentally, this is the state the system will return to after a reboot.
TX-6300-A(config)# exit
TX-6300-A# write memory
TX-6300-A# copy run checkpoint ZERO
Refer to the IP sheet in Lab 0 when configuring the switches' management IPs.
Objectives
This task shows various system- and hardware-related commands that are useful when
troubleshooting the hardware platform.
Steps
1. Open a console connection to the ACC-1(TX-6300-A)
2. Review the environment information.
3. Review the system information, including the device serial number information.
TX-6300-A# show system
Hostname : TX-6300-A
System Description : FL.10.04.0001AA
System Contact :
System Location :
Vendor : Aruba
Product Name : JL659A 6300M 48SR5 CL6 PoE 4SFP56 Swch
Chassis Serial Nbr : SG9ZKMY037
Base MAC Address : 9020c2-257b00
ArubaOS-CX Version : FL.10.04.0001AA
Time Zone : UTC
Up Time : 21 hours, 10 minutes
CPU Util (%) : 19
<<<-output omitted->>>
<<<-output omitted->>>
<<<-output omitted->>>
7. To review the current load of the system compared to the maximum, check the capacities
status. The value reflects the current use.
TX-6300-A# show capacities-status
<<<-output omitted->>>
Objectives
In this lab, you will establish a chain VSF stack and verify the VSF stack status.
Steps
1. Open a console connection to the ACC-1(TX-6300-A)
2. Configure at least one VSF link interface on the desired stack master. In this case, TX-6300-A
will be the master. Assigning a port to a VSF link invokes a 'port stealing' method, which clears
all protocol settings from the interface and precludes any further configuration beyond setting
the port as enabled or disabled.
4. After the switch boots with its new member ID, connect its VSF link(s) to the stack; it will
automatically reboot. Once the new member has booted, verify that the stack is operating
normally.
Note: The last four ports all support SFP56 transceivers, but different transceivers may be
connected to them. In this output, 2/1/25 to 2/1/28 connect 10G DAC cables.
6. Only the last four SFP56 ports support VSF links. Try to add 1/1/24 as a VSF link. Notice the
warning of “not vsf capable” and choose “n” so that the interface is not assigned to the VSF link.
7. If the VSF stack is left without a master, which is what happens once the master reboots, all
VSF members will reboot. To reduce the number of required reboots, designate a secondary
member on the master.
TX-6300-A(config)# vsf secondary-member 2
This will save the configuration and reboot the specified switch.
Do you want to continue (y/n)? y
Member 2 will reboot and change to standby. Once member 2 comes back from rebooting,
check the VSF status again.
8. You can see how the VSF members are linked to each other by checking the VSF topology. This
command shows an ASCII-art representation of the stack topology and interconnects, which
allows a user to quickly narrow down a failure point.
9. Show detailed information about the specific member, including its memory and CPU utilization.
Objectives
In this lab, we will understand the VSF redundancy mechanism by simulating a VSF link failure.
Steps
Enable split detection on the master. Open the console of the master:
VSF Member 2
Link Peer Peer
Link State Member Link Interfaces
---- ---------- ------- ------ ---------------------------
1 up 1 1 2/1/27
Check the VSF status on the switch (TX-6300-A). It shows that the switch is still the master and
the active fragment.
TX-6300-A# show vsf
MAC Address : 90:20:c2:25:7b:00
Secondary : 2
Topology : Standalone
Log in to the console of the standby. Note that the standby’s hostname is currently the
same as the master's. Log in with admin/admin.
Note: do not connect through the management IP. Why?
standby:
TX-6300-A login: admin
Password: admin
sh vsfLast login: 2019-08-29 22:11:52 from 16.116.146.237
User "admin" has logged in 25 times in the past 30 days
Check the VSF status on the switch (TX-6300-B). It shows that the switch is master but in the
inactive fragment. Remember that the secondary fragment (inactive fragment) will shut down all
interfaces. Check the interface status with show interface brief.
Here you can see that all interfaces are shut down except the VSF link. The disabling reason is
“Disabled by feature”.
Log in to the console of switch-1 (master) and recover the VSF link. Switch-2 will reboot and
become standby again.
On ACC-1
TX-6300-A(config)# vlan X5
TX-6300-A(config-vlan-X5)# exit
TX-6300-A(config)# interface 1/1/1
TX-6300-A(config-if)# no routing
TX-6300-A(config-if)# vlan access X5
Configure an interface VLAN and a default gateway in the default VRF for testing.
TX-6300-A# conf t
TX-6300-A(config)# int vlan X5
TX-6300-A(config-if-vlan)# ip address 10.1.X5.99/24
TX-6300-A(config-if-vlan)# exit
TX-6300-A(config)# ip route 0.0.0.0/0 10.1.X5.1
TX-6300-A(config)#
On ACC-1(TX-6300-A)
TX-6300-A(config)# exit
TX-6300-A# write memory
Configuration changes will take time to process, please be patient.
TX-6300-A# copy running-config checkpoint Lab1-done-[student-name]
Configuration changes will take time to process, please be patient.
Objectives
In this lab, you will configure VSX between switches TX-8325-A and TX-8325-B. You will begin by
setting up IP interfaces and VLANs. Next, you will configure VSX. With VSX, two switches can form a
single logical entity for the peer devices from a layer-2 perspective. This allows the creation of
distributed link aggregation (MC-LAG) while keeping each switch’s management and control plane
independent.
Steps
1. Prepare base config.
2. Configure VSX ISL.
3. Configure VSX LAG
4. Configure VSX Keepalive
5. Configure VSX Active-Gateway
6. VSX redundancy
7. VSX split-brain
Objectives
– Enable aggregation layer switch interfaces.
– Configure VLANs, IP Interfaces, Loopback interface.
Steps
1. Open a console connection to both TX-8325-A and TX-8325-B switches.
Note: By default, all interfaces are configured for 25Gbps/40Gbps transceivers. Since
we will use 1Gbps and 10Gbps interfaces, you will need to convert the first port-group
(ports 1/1/1-1/1/12) to support those speeds.
Note: 8325 48-port switches have four interface-groups; each group may support either
1/10Gbps or 25/40Gbps. Port distribution is as follows:
Group 1: 1/1/1-1/1/12
Group 2: 1/1/13-1/1/24
Group 3: 1/1/25-1/1/36
Group 4: 1/1/37-1/1/48
On AGG-2 (TX-8325-B)
TX-8325-B(config)# interface 1/1/4
TX-8325-B(config-if)# shutdown
TX-8325-B(config)# interface 1/1/7-1/1/8
TX-8325-B(config-if-<1/1/7-1/1/8>)# shutdown
TX-8325-B(config-if-<1/1/7-1/1/8>)# exit
TX-8325-B(config)# interface 1/1/25-1/1/26
TX-8325-B(config-if-<1/1/25-1/1/26>)# shutdown
TX-8325-B(config-if-<1/1/25-1/1/26>)# exit
TX-8325-B(config)# interface 1/1/45
TX-8325-B(config-if)# shutdown
TX-8325-B(config-if)# exit
AGG-1
TX-8325-A(config)# int lag 10
TX-8325-A(config-lag-if)# no routing
TX-8325-A(config-lag-if)# no shutdown
TX-8325-A(config-lag-if)# lacp mode active
TX-8325-A(config-lag-if)# lacp rate fast
AGG-1
TX-8325-A(config)# exit
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint Lab2-task1-[student-name]
Configuration changes will take time to process, please be patient.
TX-8325-A#
AGG-2
TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint Lab2-task1-[student-name]
Configuration changes will take time to process, please be patient.
TX-8325-B#
Objectives
The purpose of this task is to configure AGG-1 and AGG-2 switches with the Inter-Switch Link (ISL).
Steps
1. Open a console connection to both TX-8325-A and TX-8325-B switches.
2. Configure the ISL. You will use LAG 10 for ISL link and verify that the LAG 10 is functional,
and LACP is reporting peers on the interfaces 1/1/46.
State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
3. Next, go to the VSX configuration mode and select LAG 10 as your ISL link. Set VSX
system MAC 00:00:00:AB:CD:XX, and also, set the role for AGG-1 switch as primary.
Table Mac-Address
Table 1 00:00:00:AB:CD:01
Table 2 00:00:00:AB:CD:02
Table 3 00:00:00:AB:CD:03
Table 4 00:00:00:AB:CD:04
Table 5 00:00:00:AB:CD:05
Table 6 00:00:00:AB:CD:06
Table 7 00:00:00:AB:CD:07
Table 8 00:00:00:AB:CD:08
Table 9 00:00:00:AB:CD:09
Table 10 00:00:00:AB:CD:0A
Table 11 00:00:00:AB:CD:0B
Table 12 00:00:00:AB:CD:0C
Table 13 00:00:00:AB:CD:0D
Table 14 00:00:00:AB:CD:0E
TX-8325-A(config)# vsx
TX-8325-A(config-vsx)# system-mac 00:00:00:AB:CD:XX
TX-8325-A(config-vsx)# inter-switch-link lag 10
TX-8325-A(config-vsx)# role primary
4. Repeat the step above on AGG-2, but set the role as secondary.
TX-8325-B(config)# vsx
TX-8325-B(config-vsx)# system-mac 00:00:00:AB:CD:XX
TX-8325-B(config-vsx)# inter-switch-link lag 10
TX-8325-B(config-vsx)# role secondary
6. Check VSX status output – note the platform information, software version, and
system-MAC.
7. Review the configuration inter-switch-link settings from the AGG-1 switch. This provides
role and timer information of the ISL from the local switch and peer VSX switch.
Note: the option vsx-peer allows you to check the information from the other
VSX switch.
8. Review the configuration consistency on both switches. This provides information about
the active code version of both switches and the configured VLAN list of the ISL.
Objectives
Define a VSX LAG (MC-LAG) from the AGG-1 and AGG-2 switches to the VSF stack built in Lab 1.
Steps
1. Create VLAN X0-X5 and define a new interface LAG on AGG-1 and AGG-2
AGG-1 (TX-8325-A)
TX-8325-A# conf t
TX-8325-A(config)# vlan X0-X5
TX-8325-A(config-vlan-<X0-X5>)# exit
TX-8325-A(config)#
TX-8325-A(config)# int lag 12 multi-chassis
TX-8325-A(config-lag-if)# no routing
TX-8325-A(config-lag-if)# no shutdown
TX-8325-A(config-lag-if)# description To-VSF
TX-8325-A(config-lag-if)# vlan trunk allowed X0,X5
TX-8325-A(config-lag-if)# lacp mode active
TX-8325-A(config-lag-if)# lacp rate fast
TX-8325-A(config-lag-if)# int 1/1/1-1/1/2
TX-8325-A(config-if)# lag 12
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# end
2. Repeat these steps on AGG-2. Make sure to use the same LAG ID (12) and assign
interface 1/1/1 and 1/1/2.
AGG-2 (TX-8325-B)
TX-8325-B# conf t
TX-8325-B(config)# vlan X0-X5
TX-8325-B(config-vlan-<X0-X5>)# exit
TX-8325-B(config)#
TX-8325-B(config)# int lag 12 multi-chassis
TX-8325-B(config-lag-if)# no routing
TX-8325-B(config-lag-if)# no shutdown
TX-8325-B(config-lag-if)# description To-VSF
TX-8325-B(config-lag-if)# lacp mode active
TX-8325-B(config-lag-if)# lacp rate fast
TX-8325-B(config-lag-if)# vlan trunk allowed X0,X5
TX-8325-B(config-lag-if)# int 1/1/1-1/1/2
TX-8325-B(config-if)# lag 12
TX-8325-B(config-if)# no shutdown
On ACC-1 (TX-6300-A)
TX-6300-A(config)# int lag 1
TX-6300-A(config-lag-if)# no shutdown
TX-6300-A(config-lag-if)# no routing
TX-6300-A(config-lag-if)# lacp mode active
TX-6300-A(config-lag-if)# lacp rate fast
TX-6300-A(config)#
TX-6300-A(config)# int 1/1/25-1/1/26,2/1/25-2/1/26
TX-6300-A(config-if-<1/1/25-1/1/26,2/1/25-2/1/26>)# no shutdown
TX-6300-A(config-if-<1/1/25-1/1/26,2/1/25-2/1/26>)# lag 1
TX-6300-A(config-if-<1/1/25-1/1/26,2/1/25-2/1/26>)# end
State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
------------------------------------------------------------------------------
1/1/46 lag10 11 1 ASFNCD 90:20:c2:ba:d8:00 65534 10
1/1/1 lag12(mc) 115 1 ASFNCD 90:20:c2:25:7b:00 65534 1
1/1/2 lag12(mc) 51 1 ASFNCD 90:20:c2:25:7b:00 65534 1
ACC-1
State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
5. Check the more detailed output with the multi-chassis option, which will also show
information about the MCLAG member ports of the peer switch.
State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
------------------------------------------------------------------------------
Intf Aggregate Partner Port State System-ID System Aggr
name Port-id Priority Priority Key
------------------------------------------------------------------------------
1/1/1 lag12(mc) 114 1 ASFNCD 90:20:c2:25:7b:00 65534 1
1/1/2 lag12(mc) 50 1 ASFNCD 90:20:c2:25:7b:00 65534 1
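The following Python sketch is an added example, not part of the original lab guide. It decodes the State column of the LACP tables above using the printed legend and flags LAG members that are not bundled the way this lab configures them. The rows marked as constructed and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Legend as printed under "State abbreviations" in the lab output.
FLAGS = {
    "A": "Active", "P": "Passive", "F": "Aggregable", "I": "Individual",
    "S": "Short-timeout", "L": "Long-timeout", "N": "InSync", "O": "OutofSync",
    "C": "Collecting", "D": "Distributing",
    "X": "State m/c expired", "E": "Default neighbor state",
}
# The lab sets 'lacp mode active' and 'lacp rate fast' on every LAG, so a
# member that is up and bundled should carry all six of these flags.
EXPECTED = frozenset("ASFNCD")

# Rows copied from the lab output.
PAGE_ROWS = """\
1/1/46 lag10     11  1 ASFNCD 90:20:c2:ba:d8:00 65534 10
1/1/1  lag12(mc) 115 1 ASFNCD 90:20:c2:25:7b:00 65534 1
1/1/2  lag12(mc) 51  1 ASFNCD 90:20:c2:25:7b:00 65534 1
"""
# Constructed rows (not from the lab): a member that never negotiated with a
# partner, and a lag12 member cabled to a different device.
CONSTRUCTED_ROWS = """\
1/1/5  lag11(mc) 5   1 ALFOE  00:00:00:00:00:00 65534 0
1/1/3  lag12(mc) 7   1 ASFNCD 90:20:c2:00:00:99 65534 1
"""


def parse_rows(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 8 columns and start with an interface such as 1/1/46.
        if len(fields) != 8 or fields[0].count("/") != 2:
            continue
        rows.append({
            "intf": fields[0],
            "lag": fields[1],
            "state": fields[4],
            "system_id": fields[5].lower(),
        })
    return rows


def decode(state):
    """Expand a flag string such as 'ASFNCD' into the legend's names."""
    return [FLAGS.get(flag, "unknown flag " + flag) for flag in state]


def audit(rows):
    """Return (subject, problem) pairs for members that are not bundled cleanly."""
    findings = []
    ids_per_lag = defaultdict(set)
    for row in rows:
        ids_per_lag[row["lag"]].add(row["system_id"])
        missing = sorted(EXPECTED - set(row["state"]))
        if missing:
            names = ", ".join(FLAGS[flag] for flag in missing)
            findings.append((row["intf"], "missing: " + names))
    # Every member of one LAG should report the same System-ID.
    for lag, ids in sorted(ids_per_lag.items()):
        if len(ids) > 1:
            findings.append(
                (lag, "members report different System-IDs: " + ", ".join(sorted(ids)))
            )
    return findings


if __name__ == "__main__":
    for subject, problem in audit(parse_rows(PAGE_ROWS + CONSTRUCTED_ROWS)):
        print(subject, "->", problem)
```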
Objectives
In this task, you will configure the VSX keepalive feature to defend VSX peers against a split-brain
scenario. A split-brain is the situation that occurs when the Inter-Switch Link (ISL) between the two core
switches completely disconnects, while the links to the peer devices are still online.
Because the two core switches cannot synchronize LACP states, MAC and ARP tables, and
configuration anymore, this leads to unpredictable traffic flows.
To handle this scenario, you can configure an additional keepalive between the two core switches.
When the ISL is down, and the two core switches can still reach each other over the peer keepalive,
they know there is an issue with the ISL. The low priority VSX member will disable all its ports.
This will effectively 'remove' that device from the network. (Even when it is technically still 'online,' it will
not be visible to any device as all the ports are disabled).
The result is that only one VSX member will be visible to the network, and that system will ensure that
the system learns all MAC addresses in a consistent way. The peer devices would simply think that one
port of their LAG (LACP) is down – the port that connects to the 'lost' member of the VSX peer.
The peer keep-alive feature is an IP-based exchange between the two core switches. To ensure that
this IP address does not interfere with any other active IP or subnet in the network, you should
configure a separate routing space (VRF), independent of the regular routing table.
Steps
1. Open a console connection to both AGG-1 and AGG-2 switches.
2. On AGG-1, configure a VRF for keepalive, bind interface 1/1/47 and assign IP address
10.1.X8.41/30.
TX-8325-A# conf t
TX-8325-A(config)# vrf keepalive
TX-8325-A(config-vrf)# int 1/1/47
TX-8325-A(config-if)# vrf attach keepalive
TX-8325-A(config-if)# ip address 10.1.X8.41/30
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)#
3. On AGG-2, configure a VRF for keepalive, bind interface 1/1/47 and assign IP address
10.1.X8.42/30.
TX-8325-B# conf t
TX-8325-B(config)# vrf keepalive
TX-8325-B(config-vrf)# int 1/1/47
TX-8325-B(config-if)# vrf attach keepalive
TX-8325-B(config-if)# ip address 10.1.X8.42/30
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)#
TX-8325-A(config)# vsx
TX-8325-A(config-vsx)# keepalive peer 10.1.X8.42 source 10.1.X8.41 vrf keepalive
TX-8325-A(config-vsx)# exit
TX-8325-B(config)# vsx
TX-8325-B(config-vsx)# keepalive peer 10.1.X8.41 source 10.1.X8.42 vrf keepalive
TX-8325-B(config-vsx)# exit
10. Review the show vsx status keepalive and note the packets Tx and Rx.
Keepalive Counters
Keepalive Packets Tx : 220
Keepalive Packets Rx : 152
Keepalive Timeouts : 0
Keepalive Packets Dropped : 0
Objectives
In this task, you will configure the active-gateway function. This feature allows the configuration of the
same IP address with the same MAC address on the two core switches.
The result is a configuration where both core switches can actively participate in the layer 3 routing
process, as opposed to VRRP, where only one core switch can act as the router for a subnet.
You would typically configure this feature in combination with the VSX LAG feature that provides
active-active layer 2 functionality.
The active-gateway feature is not a protocol, since the core switches do not exchange keepalives or
other control traffic. The administrator simply configures the same IP and the same MAC on both core
switches. The core switch that receives the ARP request first will respond to the request and perform
the layer 3 routing.
The actual decision as to which core switch performs the routing will be the result of the layer 2 LAG
(LACP) traffic distribution that the connected peer switches perform over the VSX LAG. It can be
different for different sets of hosts depending on the hashing decision.
Steps
Open a console connection to both AGG-1 and AGG-2 switches.
Configure active-gateway on AGG-1:
a. Enable the L3 counters (not required for the active-gateway feature, but will provide
L3 statistics on the VLAN interface).
b. Use the VIP address and the virtual MAC provided below. Remember, the network
should not already use the range/MAC, and you must configure the same VIP/vMAC on both
switches.
VLAN X0 10.1.X0.0/24
Active-Gateway 10.1.X0.1
vMAC 00:00:00:00:10:FE
VLAN X3 10.1.X3.0/24
Active-Gateway 10.1.X3.1
vMAC 00:00:00:00:13:FE
VLAN X4 10.1.X4.0/24
Active-Gateway 10.1.X4.1
vMAC 00:00:00:00:14:FE
VLAN X5 10.1.X5.0/24
Active-Gateway 10.1.X5.1
vMAC 00:00:00:00:15:FE
AGG-1 (TX-8325-A)
TX-8325-A# show interface vlanX5
Interface vlan15 is up
Admin state is up
Link transitions: 0
Description:
Hardware: Ethernet, MAC Address: 90:20:c2:ba:e7:00
IPv4 address 10.1.15.2/24
active-gateway ip mac 00:00:00:00:15:fe
active-gateway ip 10.1.15.1
Rx
L3:
1 packets, 68 bytes
Tx
L3:
0 packets, 0 bytes
AGG-2 (TX-8325-B)
TX-8325-B# show interface vlanX5
Interface vlan15 is up
Admin state is up
Link transitions: 0
Description:
Hardware: Ethernet, MAC Address: 90:20:c2:bb:05:00
IPv4 address 10.1.15.3/24
active-gateway ip mac 00:00:00:00:15:fe
active-gateway ip 10.1.15.1
Rx
L3:
12 packets, 1636 bytes
Tx
L3:
0 packets, 0 bytes
ACC-1 (TX-6300-A)
AGG-2
TX-8325-B(config)# int vlan X5
TX-8325-B(config-if-vlan)# shutdown
d. Verify that ACC-A can still reach the active-gateway IP, stop the continuous ping, and ensure
there is no packet loss. This confirms that both AGG-1 and AGG-2 handle the active-gateway
IP. There is no heartbeat as in the VRRP protocol, since the active-gateway IP is active (as the
name suggests) on both switches. This is different from VRRP, where only one host actively
hosts the VRRP IP address.
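The following Python sketch is an added example, not part of the original lab guide. It parses the show interface output of both VSX peers and checks the rule stated in this task: the same VIP and vMAC on both switches, each with its own interface address in the VIP's subnet. The AGG2_BAD sample is constructed and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Outputs copied from the lab (table 1, VLAN 15), trimmed to the parsed lines.
AGG1 = """\
Interface vlan15 is up
 Admin state is up
 Hardware: Ethernet, MAC Address: 90:20:c2:ba:e7:00
 IPv4 address 10.1.15.2/24
 active-gateway ip mac 00:00:00:00:15:fe
 active-gateway ip 10.1.15.1
"""
AGG2 = """\
Interface vlan15 is up
 Admin state is up
 Hardware: Ethernet, MAC Address: 90:20:c2:bb:05:00
 IPv4 address 10.1.15.3/24
 active-gateway ip mac 00:00:00:00:15:fe
 active-gateway ip 10.1.15.1
"""
# Constructed (not from the lab): AGG-2 with a mistyped vMAC and a VIP from
# the wrong subnet.
AGG2_BAD = AGG2.replace("00:00:00:00:15:fe", "00:00:00:00:15:ff").replace(
    "active-gateway ip 10.1.15.1", "active-gateway ip 10.1.16.1"
)

PATTERNS = {
    "name": r"^Interface (\S+) is",
    "hw_mac": r"MAC Address: (\S+)",
    "svi": r"IPv4 address (\S+)",
    "vmac": r"active-gateway ip mac (\S+)",
    # Digits after 'ip' keep this from matching the 'ip mac' line.
    "vip": r"active-gateway ip (\d+\.\d+\.\d+\.\d+)",
}


def parse_svi(text):
    """Extract the interface name, addresses and active-gateway settings."""
    parsed = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        parsed[key] = match.group(1).lower() if match else None
    return parsed


def compare(outputs):
    """outputs: {hostname: show-interface text} for the two VSX peers."""
    peers = {host: parse_svi(text) for host, text in outputs.items()}
    problems = []
    for host, peer in peers.items():
        if not (peer["svi"] and peer["vip"] and peer["vmac"]):
            problems.append(host + ": IPv4 address or active-gateway missing")
    if problems:
        return problems
    (_, a), (_, b) = peers.items()
    if a["vip"] != b["vip"]:
        problems.append("VIP differs: %s vs %s" % (a["vip"], b["vip"]))
    if a["vmac"] != b["vmac"]:
        problems.append("vMAC differs: %s vs %s" % (a["vmac"], b["vmac"]))
    if ipaddress.ip_interface(a["svi"]).ip == ipaddress.ip_interface(b["svi"]).ip:
        problems.append("both peers use the same interface address " + a["svi"])
    for host, peer in peers.items():
        network = ipaddress.ip_interface(peer["svi"]).network
        if ipaddress.ip_address(peer["vip"]) not in network:
            problems.append("%s: VIP %s is outside %s" % (host, peer["vip"], network))
        # The vMAC must not be a MAC the network already uses.
        if peer["vmac"] == peer["hw_mac"]:
            problems.append(host + ": vMAC equals the hardware MAC")
    return problems


if __name__ == "__main__":
    print(compare({"AGG-1": AGG1, "AGG-2": AGG2}))
    for problem in compare({"AGG-1": AGG1, "AGG-2": AGG2_BAD}):
        print(problem)
```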
AGG-1
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint lab2-task5-[student-name]
Configuration changes will take time to process, please be patient.
AGG-2
TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint lab2-task5-[student-name]
Configuration changes will take time to process, please be patient.
Objectives
– Add MCLAG11 to the mobility controller
– Simulate a failure on the VSX primary switch.
– Monitor communications and VSX during the outage.
Steps
Open a console connection to both AGG-1 and AGG-2 switches.
Add MCLAG11 to the mobility controller
On AGG-1
TX-8325-A(config)# int lag 11 multi-chassis
TX-8325-A(config-lag-if)# no routing
TX-8325-A(config-lag-if)# no shutdown
TX-8325-A(config-lag-if)# vlan trunk allowed all
TX-8325-A(config-lag-if)# lacp mode active
TX-8325-A(config-lag-if)# lacp rate fast
TX-8325-A(config-lag-if)# int 1/1/5
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# lag 11
On AGG-2
TX-8325-B(config)# int lag 11 multi-chassis
TX-8325-B(config-lag-if)# no shutdown
TX-8325-B(config-lag-if)# no routing
TX-8325-B(config-lag-if)# vlan trunk allowed all
TX-8325-B(config-lag-if)# lacp mode active
TX-8325-B(config-lag-if)# lacp rate fast
TX-8325-B(config-lag-if)# int 1/1/5
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# lag 11
Note: LACP should have been pre-configured on the MC. If not, use the configuration
below to redo it:
vlan X3
interface gigabitethernet 0/0/1
description "GE0/0/1"
trusted
trusted vlan 1-4094
switchport mode trunk
lacp group 1 mode active
lacp timeout short
interface gigabitethernet 0/0/2
description "GE0/0/2"
trusted
trusted vlan 1-4094
switchport mode trunk
lacp group 1 mode active
lacp timeout short
interface port-channel 1
switchport mode trunk
switchport trunk allow vlan all
trusted
write memory
AGG-1
AGG-2
TX-8325-B# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2
AGG-1
TX-8325-A# write memory
TX-8325-A# boot system
During AGG-1 reboot, check the VSX brief on your AGG-2 switch.
TX-8325-B# show vsx brief
ISL State : Out-Of-Sync
Device State : Split-System-Primary
Keepalive State : Keepalive-Failed
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2
Wait for AGG-1 to finish the reboot and check the VSX brief and VSX status.
TX-8325-A# show vsx brief
ISL State : In-Sync
Device State : Sync-Secondary-Linkup-Delay
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2
Note: After a VSX switch reboots, it has no entries for ARP, MAC, and routes. If downstream
VSX LAG ports activate before the switch relearns all this information, traffic drops. To avoid a
traffic drop, VSX LAGs on the rebooted switch stay down until the restoration of LACP, MAC,
ARP databases, and MSTP states, if it uses MSTP. The learning process for the VSX LAGs
has two phases:
Initial sync phase: The LACP states, MAC address table, ARP table, and potentially MSTP
states download from the forwarding switch to the freshly-rebooted switch.
Link-up delay phase: The system installs downloaded entries into the ASIC and establishes
router adjacencies with core nodes and learned upstream routes. You can configure the link-
up delay phase with the linkup-delay-timer <DELAY-TIMER> command. The default value is
180 seconds. Set the link-up delay timer to the maximum value of 600 seconds for a network
with many MAC addresses, a large ARP table, or a large routing table.
Objectives
During this task, you will simulate failures on both the ISL and keepalive links between your
VSX pair. You will also monitor VSX behavior during those failures.
You will begin by disabling the keepalive interface on your AGG-1 switch and then re-
enabling the keepalive interface and disabling the ISL link, simulating a split-brain scenario.
Steps
Open a console connection to both AGG-1 and AGG-2 switches.
Check your VSX brief and VRF Keepalive information and ensure VSX is working properly.
AGG-1
TX-8325-A# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 1
Note: A keepalive failure will not affect your VSX functionality. When this occurs, VSX
is still working, but, in case of failure of ISL (inter-switch link), split-brain may occur,
which would then cause unpredictable traffic flows.
Re-enable your keepalive interface and check your VSX brief information.
You will now simulate an ISL failure by disabling interface 1/1/46 on switch AGG-1.
TX-8325-A(config)# int 1/1/46
TX-8325-A(config-if-1/1/46)# shutdown
TX-8325-A(config-if-1/1/46)# exit
TX-8325-A(config)#
State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
Look at the interface brief information for the reason that interface 1/1/1 is down.
AGG-2
TX-8325-B# show int brief
-------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed
VLAN (Mb/s)
-------------------------------------------------------------------------------------
1/1/1 1 trunk SFP+DAC1 yes down Disabled by VSX --
1/1/2 1 trunk SFP+DAC1 yes down Disabled by VSX --
1/1/3 -- routed -- no down No XCVR installed --
1/1/4 -- routed -- no down No XCVR installed --
1/1/5 -- routed -- no down No XCVR installed --
Wait for the linkup-delay timer and check your VSX brief information and status.
AGG-2
TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint Lab2-done-[student-name]
Configuration changes will take time to process, please be patient.
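The `show vsx brief` captures from the reboot and link-failure tasks can be classified mechanically when monitoring a VSX pair during an outage. The following Python sketch is an added example, not part of the original lab guide; the verdict names are this example's own, and the KEEPALIVE_ONLY capture is constructed to illustrate the keepalive-failure note.

```python
"""Classify `show vsx brief` captures taken during VSX failure tests."""

# Captures copied from this lab guide: AGG-2 before and during the AGG-1
# reboot, and AGG-1 after it comes back up.
AGG2_BEFORE = """\
TX-8325-B# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2
"""
AGG2_DURING = """\
TX-8325-B# show vsx brief
ISL State : Out-Of-Sync
Device State : Split-System-Primary
Keepalive State : Keepalive-Failed
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2
"""
AGG1_AFTER = """\
TX-8325-A# show vsx brief
ISL State : In-Sync
Device State : Sync-Secondary-Linkup-Delay
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2
"""
# Constructed sample (not from the guide): keepalive down while the ISL is up.
KEEPALIVE_ONLY = """\
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Failed
Device Role : primary
"""


def parse_vsx_brief(text):
    """Turn the 'Key : Value' lines of a capture into a dict; prompts are skipped."""
    state = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            state[key.strip()] = value.strip()
    return state


def classify(state):
    """Return (verdict, reason) for one parsed capture."""
    isl = state.get("ISL State")
    keepalive = state.get("Keepalive State")
    device = state.get("Device State", "")
    if isl is None or keepalive is None:
        return ("unknown", "ISL or keepalive state missing from capture")
    isl_up = isl == "In-Sync"
    ka_up = keepalive == "Keepalive-Established"
    if isl_up and ka_up:
        if "Linkup-Delay" in device:
            return ("recovering", "VSX LAGs stay down until the link-up delay ends")
        if device == "Peer-Established":
            return ("healthy", "ISL and keepalive are both established")
        return ("check", f"links are up but device state is {device!r}")
    if isl_up:
        return ("degraded", "keepalive failed: VSX still works, but an ISL "
                            "failure now could lead to split-brain")
    if ka_up:
        return ("isl-down", "ISL failed while the peer answers keepalives: "
                            "expect ports 'Disabled by VSX' on the secondary")
    return ("peer-lost", "ISL and keepalive both failed: peer is down or isolated")


def transitions(captures):
    """Return (index, previous, current) for each verdict change in a series."""
    changes, previous = [], None
    for index, text in enumerate(captures):
        verdict, _ = classify(parse_vsx_brief(text))
        if previous is not None and verdict != previous:
            changes.append((index, previous, verdict))
        previous = verdict
    return changes


if __name__ == "__main__":
    for name, capture in (("AGG-2 before", AGG2_BEFORE),
                          ("AGG-2 during", AGG2_DURING),
                          ("AGG-1 after", AGG1_AFTER),
                          ("keepalive only", KEEPALIVE_ONLY)):
        print(name, classify(parse_vsx_brief(capture)))
```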
Objectives
– Create a new user and password for NetEdit
Steps
Open an RDP connection to Windows10 Client.
Navigate to Control Panel → Network and Internet → Network and Sharing
Center → Change adapter settings
Disable the LabNIC adapter and make sure OOBM is enabled.
Log in using username “admin” and no password. You will be required to change the
password when you log in to NetEdit for the first time. Change the password to
‘password’ and click OK.
Create an additional admin user. On the left menu, select the sixth option from the
top and go to the Users page. Note by default there is only one user account:
admin.
Enter the username ‘neadmin’ and Role “ADMIN”, then click ADD USER.
The new user will use the temporary password for the first login, then a change-password
pop-up will appear.
You can log out from the top right corner: select the
admin icon to get the option to log out, then log in again as the new user (neadmin) with
the temporary password. Then change the password to ‘password’.
Now log out as the ‘neadmin’ user and log back in using the admin account.
To access the HELP menu, select the “?” in the top right corner and then
select Documentation.
Objectives
– Import AGG and Core switches into NetEdit
– Assign attributes to your switches
Steps
Open an RDP connection to Windows10 Client.
Navigate to Control Panel → Network and Internet → Network and Sharing
Center → Change adapter settings
Disable the LabNIC adapter and make sure OOBM is enabled.
i. Scroll down, under the Seed Addresses section, click on the “+” sign.
l. Click DISCOVER.
m. Wait for a few seconds, and you will see AGG, ACC1 and CORE switches are
discovered.
• Name: AGG-SWITCHES
• Type: TEXT
• Default value: AGG
• Click CREATE
Using the left menu, go to the Devices page, click the action menu, select the TX-8325-A
and TX-8325-B devices, then select Edit Attributes.
Select attribute name “AGG-SWITCHES” and value “AGG”, then select “SAVE”.
On the Devices list, select the IP address of the TX-8325-A to go to its details page,
verify the attribute you just applied.
Search for devices by the new attribute. Enter the attribute name AGG-SWITCHES and
the value AGG in the search box. Only the two aggregation devices are then
listed.
Objectives
– Create a configuration plan
– Configure OSPF on the AGG switches using NetEdit.
Steps
Open an RDP connection to Windows10 Client.
Navigate to Control Panel → Network and Internet → Network and Sharing Center →
Change adapter settings
Disable the LabNIC adapter and make sure OOBM is enabled.
Enter “Deploy OSPF on AGG” as the plan name and add a description, then click
CREATE.
Copy the configuration below to the bottom of the script. Change the “X” to your real table
number.
Note: Make sure the sub-commands are indented with spaces. The IP addresses and
LAG numbers for the interfaces (highlighted) are variable.
router ospf 1
    area 0
interface loopback 0
    ip address 10.1.X7.1/32
    ip ospf 1 area 0
interface vlanX5
    ip ospf 1 area 0
interface vlanX3
    ip ospf 1 area 0
interface lag 2
    ip address 10.1.X8.33/30
    lacp mode active
    lacp rate fast
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
    no shutdown
    exit
interface 1/1/48
    no shutdown
    lag 2
    exit
interface lag 3
    ip address 10.1.X8.37/30
    lacp mode active
    lacp rate fast
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
    no shutdown
interface vlan X0
    ip helper-address 10.253.1.254
interface vlan X1
    ip helper-address 10.253.1.21
interface vlan X2
    ip helper-address 10.253.1.21
interface vlan X3
    ip helper-address 10.253.1.21
interface vlan X4
    ip helper-address 10.253.1.21
interface vlan X5
    ip helper-address 10.253.1.21
Adjust parameters.
a. Scroll down to interface loopback 0 and right click under the IP address.
b. Adjust the loopback IP address according to the following information:
TX-8325-A 10.1.X7.2
TX-8325-B 10.1.X8.2
c. Click APPLY.
TX-8325-A 2
TX-8325-B 3
g. Return to PLAN.
h. Click on DEPLOY
c. Copy the configuration below to the bottom of the script. Change the “X” to
your real table number.
Note: You can use Notepad++ to edit your script; the shortcut is located on the
Desktop.
router ospf 1
    area 0
interface loopback 0
    ip address 10.1.X7.1/32
    ip ospf 1 area 0
interface lag 2
    no shutdown
    lacp mode active
    lacp rate fast
    ip address 10.1.X8.34/30
    ip ospf 1 area 0
    ip ospf network point-to-point
interface 1/1/1
    lag 2
    no shutdown
interface lag 3
    lacp mode active
    lacp rate fast
    ip address 10.1.X8.38/30
    ip ospf 1 area 0
    ip ospf network point-to-point
    no shutdown
interface 1/1/2
    lag 3
    no shutdown
interface 1/1/27
    shutdown
Note: The below part is for connecting Backbone to get route to server
farm.
vlan (10+X)05
interface vlan (10+X)05
    ip address 10.1.X8.17/30
    ip ospf 1 area 0
interface 1/1/47
    no routing
    no shutdown
    vlan trunk allow (10+X)05
vlan (10+X)06
interface vlan (10+X)06
    ip address 10.1.X8.21/30
    ip ospf 1 area 0
interface 1/1/48
    no routing
    no shutdown
    vlan trunk allow (10+X)06
no shutdown
vlan trunk allowed 1706
d. Select VALIDATE to confirm there is no error. If there is an error, fix
it, then paste the commands again.
g. Click on COMMIT.
AGG-1
TX-8325-A# show ip ospf neighbors
OSPF Process ID 1 VRF default
==============================
Core
AGG-1
TX-8325-A# show ip route
<Output omitted>
Ping ClearPass (10.253.1.23) server from TX-6300-A. If the ping is successful, you are ready
for the next lab.
Save the configuration on TX-8325-A, TX-8325-B, TX-8325-Core
TX-8325-A
int loopback 0
Ip add 10.1.X7.2/32
TX-8325-B
int loopback 0
Ip add 10.1.X7.3/32
TX-8325-B
TX-8325-B(config)# router ospf 1
TX-8325-B(config-ospf-1)# area 0
TX-8325-Core
TX-8325-CORE(config)# router ospf 1
TX-8325-CORE(config-ospf-1)# area 0
int vlan X5
Ip ospf 1 area 0
int vlan X3
Ip ospf 1 area 0
interface lag 2
ip address 10.1.X8.33/30
lacp mode active
lacp rate fast
ip ospf 1 area 0.0.0.0
ip ospf network point-to-point # Make sure the OSPF network type matches the peer’s.
no shutdown
exit
interface 1/1/48
no shutdown
lag 2
exit
interface vlan X0
ip helper-address 10.253.1.254
interface vlan X1
ip helper-address 10.253.1.254
interface vlan X2
ip helper-address 10.253.1.254
interface vlan X3
ip helper-address 10.253.1.254
interface vlan X4
ip helper-address 10.253.1.254
interface vlan X5
ip helper-address 10.253.1.254
TX-8325-B
int loopback 0
Ip ospf 1 area 0
int vlan X5
Ip ospf 1 area 0
int vlan X3
Ip ospf 1 area 0
interface lag 3
ip address 10.1.X8.37/30
lacp mode active
lacp rate fast
ip ospf 1 area 0.0.0.0
ip ospf network point-to-point # Make sure the OSPF network type matches the peer’s.
no shutdown
exit
interface 1/1/48
no shutdown
lag 3
exit
interface vlan X0
ip helper-address 10.253.1.254
interface vlan X1
ip helper-address 10.253.1.254
interface vlan X2
ip helper-address 10.253.1.254
interface vlan X3
ip helper-address 10.253.1.254
interface vlan X4
ip helper-address 10.253.1.254
interface vlan X5
ip helper-address 10.253.1.254
TX-8325-Core
Note: The below part is for connecting Backbone to get the route to server
farm.
TX-8325-CORE(config)#vlan (10+X)05
TX-8325-CORE(config)#interface vlan (10+X)05
TX-8325-CORE(config-if)#IP address 10.1.X8.17/30
TX-8325-CORE(config-if)#Ip ospf 1 area 0
TX-8325-CORE(config)#interface 1/1/47
TX-8325-CORE(config-if)#no shutdown
TX-8325-CORE(config-if)#no routing
TX-8325-CORE(config-if)#vlan trunk allow (10+X)05
TX-8325-CORE(config)#vlan (10+X)06
TX-8325-CORE(config)#interface vlan (10+X)06
TX-8325-CORE(config-if)#IP address 10.1.X8.21/30
TX-8325-CORE(config-if)#Ip ospf 1 area 0
TX-8325-CORE(config)#interface 1/1/48
TX-8325-CORE(config-if)#no shutdown
TX-8325-CORE(config-if)#no routing
TX-8325-CORE(config-if)#vlan trunk allow (10+X)06
Note: Make sure the adjacent switches have the same MTU setting and
OSPF network type.
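The consistency this note asks for can be checked on the configuration text before it is deployed. This added Python example (not part of the original lab guide) parses the LAG stanzas of the AGG and Core scripts, substitutes the table number for X, and compares subnet, OSPF area and network type on each link. The function names and the single-digit table number are assumptions; MTU is not compared because the scripts do not set it.

```python
"""Pre-check the AGG-to-Core OSPF links from this lab before deployment."""
import ipaddress
import re

# LAG stanzas copied from the lab scripts; "X" is the table-number placeholder.
AGG_A = """\
interface lag 2
    ip address 10.1.X8.33/30
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
"""
AGG_B = """\
interface lag 3
    ip address 10.1.X8.37/30
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
"""
CORE = """\
interface lag 2
    ip address 10.1.X8.34/30
    ip ospf 1 area 0
    ip ospf network point-to-point
interface lag 3
    ip address 10.1.X8.38/30
    ip ospf 1 area 0
    ip ospf network point-to-point
"""


def render(template, table):
    """Substitute the table number for every X that precedes a digit (X8 -> 18)."""
    return re.sub(r"X(?=\d)", str(table), template)


def normalize_area(area):
    """Return an OSPF area ID in dotted form, so '0' and '0.0.0.0' compare equal."""
    if area.isdigit():
        return str(ipaddress.IPv4Address(int(area)))
    return str(ipaddress.IPv4Address(area))


def parse_interfaces(config):
    """Map interface name -> {'ip', 'area', 'network'} for each stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line.startswith("interface "):
            current = interfaces.setdefault(line[len("interface "):].strip(), {})
        elif current is None:
            continue
        elif m := re.match(r"ip address (\S+)", line):
            current["ip"] = ipaddress.ip_interface(m.group(1))
        elif m := re.match(r"ip ospf \d+ area (\S+)", line):
            current["area"] = normalize_area(m.group(1))
        elif m := re.match(r"ip ospf network (\S+)", line):
            current["network"] = m.group(1)
    return interfaces


def check_link(a, b):
    """Return a list of inconsistencies between the two ends of one link."""
    problems = []
    ip_a, ip_b = a.get("ip"), b.get("ip")
    if ip_a is None or ip_b is None:
        problems.append("missing ip address")
    else:
        if ip_a.network != ip_b.network:
            problems.append(f"subnet mismatch: {ip_a.network} vs {ip_b.network}")
        elif ip_a.ip == ip_b.ip:
            problems.append(f"duplicate address {ip_a.ip}")
        for ip in (ip_a, ip_b):
            net = ip.network
            if net.prefixlen < 31 and ip.ip in (net.network_address,
                                                net.broadcast_address):
                problems.append(f"{ip} is not a usable host address")
    if a.get("area") != b.get("area"):
        problems.append(f"area mismatch: {a.get('area')} vs {b.get('area')}")
    if a.get("network") != b.get("network"):
        problems.append(
            f"network type mismatch: {a.get('network')} vs {b.get('network')}")
    return problems


def audit(table):
    """Check both AGG-to-Core links for one table number; return {link: problems}."""
    core = parse_interfaces(render(CORE, table))
    report = {}
    for name, cfg, lag in (("AGG-1", AGG_A, "lag 2"), ("AGG-2", AGG_B, "lag 3")):
        agg = parse_interfaces(render(cfg, table))
        report[f"{name} {lag}"] = check_link(agg.get(lag, {}), core.get(lag, {}))
    return report


if __name__ == "__main__":
    for link, problems in audit(1).items():
        print(link, "OK" if not problems else problems)
```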
Steps
Open an RDP connection to Windows 10 and check the current IP address. Make sure the
“OOBM” NIC property for TCP/IP setting for IP address is STATIC, and the IP ADDRESS is
10.251.X.90/24 and the default gateway should be 10.251.X.254
Log into ClearPass (10.253.1.23) with “readonly/readonly” and check in the ClearPass configuration
that the switch is configured as an authenticating device (NAS and Services).
a. NAS configuration (Preconfigured): navigate to Configuration → Network →
Devices to check the configuration.
Note: In this case, we use “Allow all MAC AUTH methods” for the testing
Task 2 MAC-authentication
Steps
Note: If you have completed Lab 3 OSPF routing, then you don’t need to statically
configure IP address on your Win10 client 6300 NIC.
IP helper-address needs to be configured under interface vlan X5 on the AGG switches.
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Authorization Details
Note: We have two authentication methods configured on the same interface.
Which one will take priority? Answer this question in Step 5.
b. Scroll down and enable Wired AutoConfig service on the windows client.
c. Navigate to Control Panel → Network and Internet → Network and Sharing Center →
Change adapter settings
d. Right click on the LabNIC and click on Properties.
e. Click on Authentication tab.
f. Click on Settings.
g. Uncheck the box Verify the server’s identity by validating the certificate.
h. Click OK.
The following table details the 4 user accounts that have been created on ClearPass.
Note: If you have completed Lab 3 OSPF routing, then you don’t need to
statically configure IP address on your Win10 client 6300 NIC.
IP helper-address needs to be configured under interface vlan X5 on the AGG switches.
Test Dot1x by disabling and enabling the Ethernet interface named “LabNIC” on Win10 client
to trigger dot1x authentication.
Note: Don’t touch or disable the management interface. Otherwise, you will lose the
connection to the windows client.
Check client authentication status on the switch and answer the questions in Step 2.
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
TX-6300-A(config)#class ip dhcp
10 match udp any any eq 67
20 match udp any any eq 68
TX-6300-A(config-class-ip)#exit
Create a Portal Redirection traffic policy with traffic class built in the last step.
Note: If you have completed Lab 3 OSPF routing, then you don’t need to statically
configure IP address on your Win10 client 6300 NIC.
IP helper-address needs to be configured under interface vlan X5 on the AGG switches.
Verify the Captive portal configuration and if the Portal page can pop up.
Enter 10.253.1.254 in the browser to trigger the captive portal page.
You should be redirected to the ClearPass portal page as below. If the web page displays
the WebGUI of the 6300 switch, your web traffic is not being redirected correctly. (Note:
10.253.1.254 is the IP address of the 6300 infrastructure Core switch)
Name : test
Type : local
URL : https://10.253.1.23/guest/portal1.php
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Authorization Details
----------------------
Role : portal-role
Status : Applied
Note: It may take a few minutes to sync the time with the NTP server.
NTP : Enabled
NTP Authentication : Enabled
NTP Server Connections : Using the mgmt VRF
Note: If NTP is not working, you can manually change the time of the TX-6300-A
switch to make sure that it has the same time as ClearPass.
Note: The steps below for generating the HTTPS server certificate are for reference and
have been preconfigured. You don’t need to do these steps in the lab.
b. Make sure the CN field matches the DNS record of the ClearPass server, and the
private key should be aruba123. (Preconfigured)
c. Download the CSR file. Private Key is stored in the system. You can now upload a
certificate alone without using Private Key. (Preconfigured)
Now we will utilize the ClearPass built-in Onboarding CA to generate a new HTTPS
server certificate for the ClearPass HTTPS server.
d. Click on the Menu in the top right corner and click Onboarding.
e. Navigate to Onboard → Certificate Authorities.
f. Click the default CA “Local Certificate Authority”, then click “Certificates”.
(Preconfigured)
g. Then click “Upload a certificate signing request” to upload the CSR file we just
generated. (Preconfigured)
h. Make sure to choose HTTPS as the certificate and check the “Approval” option, then click
“Submit Certificate Signing Request”. (Preconfigured)
l. Once finished, you will need to log in again with the new HTTPS server certificate.
m. Then you can verify that the CN field is right. In this case, the CN should be the FQDN of the
ClearPass server.
Steps:
Download CA cert from ClearPass
a. Log in to the ClearPass server (10.253.1.23) using readonly/readonly credentials.
b. Navigate to Onboard → Certificate Authorities.
c. Click the default CA, Local Certificate Authority.
d. Click Certificates.
f. Click on ClearPass Onboard Local Certificate Authority (first entry, not signing).
g. Click Export certificate.
h. Select Base-64 Encoded (.pem) for Format, make sure the box for Include
certificate trust chain is checked.
i. Click Export Certificate.
Example:
TX-6300-A# configure terminal
TX-6300-A(config)# crypto pki ta-profile cppm
TX-6300-A(config-ta-cppm)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
TX-6300-A(config-ta-cert)# -----BEGIN CERTIFICATE-----
TX-6300-A(config-ta-cert)# MIIEsDCCA5igAwIBAgIBAjANBgkqhkiG9w0BAQ0FADCByDELMAkGA1UEBhMCVVMx
TX-6300-A(config-ta-cert)# EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEXMBUGA1UE
<omitted>
TX-6300-A(config-ta-cert)# FoRNtIrhUBDV5MxOIdOr27gVlecnFvFkjF6ohx5VVHzf6o0Iaw2EtfgdTTM26tBa
TX-6300-A(config-ta-cert)# aQUrxogAhG2HU3o2cgrbNlxb3ck4JDFZMZJ3igSEJX/gGJJd0EnYzljQLVwB4Ma7
TX-6300-A(config-ta-cert)# st806A==
TX-6300-A(config-ta-cert)# -----END CERTIFICATE-----
TX-6300-A(config-ta-cert)# -----BEGIN CERTIFICATE-----
TX-6300-A(config-ta-cert)# MIIEgzCCA2ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADCByDELMAkGA1UEBhMCVVMx
TX-6300-A(config-ta-cert)# EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEXMBUGA1UE
TX-6300-A(config-ta-cert)# fG+uqq4QoTVGeYTkfIxodiAoBtXlQkhHQbI7TzLprpN7xa7DaK3Ygln0pFxoY5jl
TX-6300-A(config-ta-cert)# QCr/ckGh6CAkyOgStPIxt8bBakx/pC0uwJ/JOyujjde4zUXOFhCZ3G84Pwqcq8s0
TX-6300-A(config-ta-cert)# r4D4jvdSM5B/9twQZPAklCxJZpII1juGvmC2sl0h3YPTx6TGiJr2Ox8JKeL0LOcV
TX-6300-A(config-ta-cert)# dHrjw1GV+A==
TX-6300-A(config-ta-cert)# -----END CERTIFICATE-----
TX-6300-A(config-ta-cert)# <<<Here you enter Control + D>>>
The certificate you are importing has the following attributes:
Subject: C = US, ST = California, L = Sunnyvale, O = Aruba Networks, CN = ClearPass Onboard Local
Certificate Authority (Signing), emailAddress = 50e5c793-eebb-4b0d-92b5-53d26facf87c@example.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Aruba Networks, CN = ClearPass Onboard Local
Certificate Authority, emailAddress = 50e5c793-eebb-4b0d-92b5-53d26facf87c@example.com
Serial Number: 0x02
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
TX-6300-A(config-ta-cppm)#
Note. You can also upload the certificate into the switch using TFTP. The Windows 10
client has a TFTP server application in Desktop.
Interface 1/1/1 is up
Admin state is up
Link transitions: 1
Description:
Hardware: Ethernet, MAC Address: 88:3a:30:92:85:e7
MTU 1500
Type 1GbT
Full-duplex
qos trust none
Speed 1000 Mb/s
Auto-negotiation is on
Flow-control: off
Error-control: off
MDI mode: MDIX
VLAN Mode: access
Access VLAN: 1
Rx
58985 input packets 10501319 bytes
0 input error 6 dropped
0 CRC/FCS
Tx
24569 output packets 2890519 bytes
0 input error 0 dropped
0 collision
On Windows 10 client, change the Dot1x authentication profile on the LabNIC interface and
replace the credentials with:
a. Username: tX-user3
b. Password: password
The new authentication will use a new enforcement profile (Send DUR-POE-DSCP-Role),
which includes Aruba-CPPM-role for the Dot1x authentication service.
Note: you may ignore “poe-priority critical” setting because this setting is for PoE.
Verify the role has been pushed to switch and if dscp trust mode has been changed.
Interface 1/1/1 is up
Admin state is up
Link transitions: 17
Description:
Hardware: Ethernet, MAC Address: 88:3a:30:92:f4:a7
MTU 1500
Type 1GbT
Full-duplex
qos trust dscp
Speed 1000 Mb/s
Auto-negotiation is on
Flow-control: off
Error-control: off
MDI mode: MDI
VLAN Mode: access
Access VLAN: 15
Rx
<<Omitted output>>
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Authorization Details
----------------------
Role : Send_DUR_POE_DSCP_Role-3002-1
Status : Applied
Name : Send_DUR_POE_DSCP_Role-3002-1
Type : clearpass
Status: Completed
----------------------------------------------
Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Tunneled Node Server Zone :
Steps:
Note: 10.1.X5.99 is the IP address of VLAN X5 on the TX-6300-A switch, which was configured in a
previous lab.
Note: In this case, we have only one IP configured on ClearPass, so here we use the VLAN X5 IP
of the ACC switch as the UBT source IP. If we need to build a tunnel with a data port of ClearPass
(second port), then the UBT source IP should be accessible by the data port of ClearPass.
4. Check enforcement profile of Dot1x service to push Aruba user role name “tunnel-mc” to
switch. (Preconfigured)
7. You may need to add DHCP helper address setting pointing to 10.253.1.21 on the interface
vlanX3 of AGG-1 and AGG-2.
AGG-1 (TX-8325-A)
interface vlan X3
ip helper-address 10.253.1.21
ip ospf 1 area 0
AGG-2 (TX-8325-B)
interface vlan X3
ip helper-address 10.253.1.21
ip ospf 1 area 0
8. On Win10 Client, make sure it uses DHCP for the Ethernet interface of LabNIC.
Note: The client will get an IP belonging to 10.1.X3.0/24 from DHCP server
10.253.1.21 once the authentication is successful.
9. On Win10 Client, Disable and enable the interface named LabNIC to simulate a new Dot1X
authentication to trigger the switch to build a tunnel with MC.
In this task, please use the following credentials:
a. Username: tX-user4
b. Password: password
Note: “tX-user4/password” will push the tunneled role name to switch in the dynamic
segmentation lab part.
User Tunneled User Mac Tunneled Node Mac Vlan UAC IP Address Key Tunnel Index Flags
---- ----------------- ----------------- ---- -------------- --- ------------ -----
t1-user4 00:50:56:b1:3c:b3 88:3a:30:97:a6:00 1000(13) 10.1.14.100 1 tunnel 10 UAC
Note: You can notice that in the command output, 1000 means the reserved VLAN to
tunnel user traffic, and VLAN 13 (X3) is the user VLAN.
→ Continue
→ Continue
12. Check how many licenses are consumed by the VSF stack on the MC. One or more?
AP Licenses
-----------
Type Number
---- ------
AP Licenses 16
PEF Licenses 16
Controller License True
Overall AP License Limit 16
AP Usage
--------
Type Count
---- -----
Active CAPs 0
Standby CAPs [Counted Against Total] 0
Active RAPs 0
Remote-node APs 0
Active MUX 0
Active PUTN 1
Total APs 1
Remaining AP Capacity
---------------------
Type Number
---- ------
CAPs 15
RAPs 15
13. This step simply notes that you can also use a downloadable role, so that you won’t need to
configure the role and tunnel settings on the switch.
The Aruba-CPPM-role setting is attached for reference. You don’t need to do this optional lab.
TX-6300-A(config)# exit
TX-6300-A# write memory
Configuration changes will take time to process, please be patient.
TX-6300-A# copy running-config checkpoint Lab5-done-[student-name]
Configuration changes will take time to process, please be patient
TX-8325-A(config)# exit
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint Lab5-done-[student-name]
TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint Lab5-done-[student-name]
Configuration changes will take time to process, please be patient.
Physical Diagram
Logical Diagram
Steps
Open a console connection to TX-6300-A, TX-6300-B, TX-8325-A, TX-8325-B, and
TX-8325-Core switches.
Revert the above switches to factory default.
a. On TX-6300-A
Username: admin
Password: <blank> <hit enter>
b. On TX-6300-B
Username: admin
Password: <blank> <hit enter>
Note. If your Access switches are not part of VSF then you will have to erase the
configuration using the following commands:
c. On TX-8325-A
d. On TX-8325-B
e. On TX-8325-Core
Shut down the unused ports, disable spanning-tree and set the admin account on TX-6300-A
6300(config)# hostname TX-6300-A
TX-6300-A(config)# no spanning-tree
TX-6300-A(config)# interface 1/1/1
TX-6300-A(config-if)# shutdown
TX-6300-A(config-if)# exit
TX-6300-A(config)# interface 1/1/21-1/1/22
TX-6300-A(config-if-<1/1/21-1/1/22>)# shutdown
TX-6300-A(config-if-<1/1/21-1/1/22>)# exit
TX-6300-A(config)# interface 1/1/26-1/1/28
TX-6300-A(config-if-<1/1/26-1/1/28>)# shutdown
TX-6300-A(config-if-<1/1/26-1/1/28>)# exit
TX-6300-A(config)# user admin password
Enter password: admin
Confirm password: admin
TX-6300-A(config)# session-timeout 0
Shut down the unused ports, disable spanning-tree and set the admin account on TX-6300-B
6300(config)# hostname TX-6300-B
TX-6300-B(config)# no spanning-tree
TX-6300-B(config)# interface 1/1/1
TX-6300-B(config-if)# shutdown
TX-6300-B(config-if)# exit
TX-6300-B(config)# interface 1/1/21-1/1/22
TX-6300-B(config-if-<1/1/21-1/1/22>)# shutdown
TX-6300-B(config-if-<1/1/21-1/1/22>)# exit
TX-6300-B(config)# interface 1/1/25
TX-6300-B(config-if)# shutdown
TX-6300-B(config-if)# exit
TX-6300-B(config)# interface 1/1/27-1/1/28
TX-6300-B(config-if-<1/1/27-1/1/28>)# shutdown
TX-6300-B(config-if-<1/1/27-1/1/28>)# exit
TX-6300-B(config)# user admin password
Enter password: admin
Confirm password: admin
TX-6300-B(config)# session-timeout 0
Note: If there was no ZERO checkpoint and you erased the configuration, please enter the
following commands:
Note: If there was no ZERO checkpoint and you erased the configuration, please enter the
following commands:
Connect to the TX-8325-Core switch. We will configure it as an L2 switch to connect our leaf
switches to the spines.
Note: If there was no ZERO checkpoint and you erased the configuration, please enter the
following commands:
TX-6300-A will act as a client in this topology. Enter the following configuration:
TX-6300-B will act as a client in this topology. Enter the following configuration:
Check that TX-8325-A and TX-8325-B have OSPF routes to each other through the Spine
switches.
TX-8325-A(config-if)# end
TX-8325-A# ping 10.1.X7.3
PING 10.1.17.3 (10.1.17.3) 100(128) bytes of data.
108 bytes from 10.1.17.3: icmp_seq=1 ttl=63 time=0.125 ms
108 bytes from 10.1.17.3: icmp_seq=2 ttl=63 time=0.210 ms
108 bytes from 10.1.17.3: icmp_seq=3 ttl=63 time=0.179 ms
108 bytes from 10.1.17.3: icmp_seq=4 ttl=63 time=0.239 ms
108 bytes from 10.1.17.3: icmp_seq=5 ttl=63 time=0.125 ms
TX-8325-A
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.
TX-8325-B
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.
TX-6300-A
TX-6300-A# write memory
Configuration changes will take time to process, please be patient.
TX-6300-A# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.
TX-6300-B
TX-6300-B# write memory
Configuration changes will take time to process, please be patient.
TX-6300-B# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.
TX-8325-Core
Objectives
– Configure Switches 8325-A and 8325-B as VTEPs
– Create VXLAN tunnels between 8325-A and 8325-B.
Steps
TX-8325-A
TX-8325-A(config)# interface vxlan 1
TX-8325-A(config-vxlan-if)# no shutdown
TX-8325-B
TX-8325-B(config)# interface vxlan 1
TX-8325-B(config-vxlan-if)# no shutdown
TX-8325-A
TX-8325-A(config-vxlan-if)# source ip 10.1.X7.2
TX-8325-B
TX-8325-B(config-vxlan-if)# source ip 10.1.X7.3
TX-8325-A
TX-8325-A(config-vxlan-if)# vni 1000+X
TX-8325-B
TX-8325-B(config-vxlan-if)# vni 1000+X
TX-8325-A
TX-8325-A(config-vni-1001)# vtep-peer 10.1.X7.3
TX-8325-B
TX-8325-B(config-vni-1001)# vtep-peer 10.1.X7.2
TX-8325-A
TX-8325-A(config-vni-1001)# vlan X0
TX-8325-B
TX-8325-B(config-vni-1001)# vlan X0
Open a console connection to TX-6300-A and start a ping to 10.1.X0.2. The ping should succeed.
Also verify the ARP mapping to the remote client.
TX-8325-A
TX-8325-A(config)# show interface vxlan1
Interface vxlan1 is up
Admin state is up
Description:
Underlay VRF: default
Destination UDP port: 4789
VTEP source IPv4 address: 10.1.17.2
TX-8325-B
TX-8325-B(config)# show interface vxlan1
Interface vxlan1 is up
Admin state is up
Description:
Underlay VRF: default
Destination UDP port: 4789
VTEP source IPv4 address: 10.1.17.3
TX-8325-A
TX-8325-A(config)# show interface vxlan vteps
Source Destination Origin Status VNI VLAN
---------------- ---------------- ------------ --------------------- --------- ----
10.1.17.2 10.1.17.3 static operational 1001 10
TX-8325-B
TX-8325-B(config)# show interface vxlan vteps
Source Destination Origin Status VNI VLAN
---------------- ---------------- ------------ --------------------- --------- ----
10.1.17.3 10.1.17.2 static operational 1001 10
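The tunnel tables above can be cross-checked mechanically. The following is an added example, not part of the lab guide: it parses the `show interface vxlan vteps` output of both switches and reports static tunnels that lack a matching return tunnel, end on a VTEP outside an approved list, or are not operational. The function names, the approved list and the drifted sample are assumptions made for the example.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class Tunnel(NamedTuple):
    source: str
    destination: str
    origin: str
    status: str
    vni: int
    vlan: int


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A data row is: Source Destination Origin Status VNI VLAN, whitespace separated.
ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_vteps(output: str) -> list[Tunnel]:
    """Return the tunnel rows; prompts, column headers and rulers do not match ROW."""
    tunnels = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            src, dst, origin, status, vni, vlan = m.groups()
            tunnels.append(Tunnel(src, dst, origin, status, int(vni), int(vlan)))
    return tunnels


def audit(outputs: dict[str, str], approved_vteps: set[str]) -> list[str]:
    """Compare every switch's tunnel table with its peers and with an allowlist."""
    by_key = {}
    for switch, text in outputs.items():
        for t in parse_vteps(text):
            by_key[(t.source, t.destination, t.vni)] = (switch, t)

    findings = []
    for (src, dst, vni), (switch, t) in sorted(by_key.items()):
        if dst not in approved_vteps:
            findings.append(f"{switch}: VNI {vni} peer {dst} is not an approved VTEP")
        if t.status != "operational":
            findings.append(f"{switch}: VNI {vni} tunnel to {dst} is {t.status}")
        back = by_key.get((dst, src, vni))
        if back is None:
            findings.append(f"{switch}: VNI {vni} has no return tunnel from {dst}")
        elif back[1].vlan != t.vlan and src < dst:
            # VLAN IDs are local to each VTEP, so this is a review item; the lab
            # maps the same VLAN on both sides. Reported once per tunnel pair.
            findings.append(
                f"VNI {vni}: VLAN {t.vlan} on {switch} but VLAN {back[1].vlan} on {back[0]}"
            )
    return findings


# Output as shown in this lab guide (table 1 values).
PAGE_OUTPUTS = {
    "TX-8325-A": """TX-8325-A(config)# show interface vxlan vteps
Source Destination Origin Status VNI VLAN
---------------- ---------------- ------------ --------------------- --------- ----
10.1.17.2 10.1.17.3 static operational 1001 10
""",
    "TX-8325-B": """TX-8325-B(config)# show interface vxlan vteps
Source Destination Origin Status VNI VLAN
---------------- ---------------- ------------ --------------------- --------- ----
10.1.17.3 10.1.17.2 static operational 1001 10
""",
}

# Constructed drift case: TX-8325-B points at 10.1.17.9 instead of TX-8325-A.
DRIFTED_OUTPUTS = {
    **PAGE_OUTPUTS,
    "TX-8325-B": "10.1.17.3 10.1.17.9 static operational 1001 10\n",
}

# Assumed allowlist: the two VTEP source addresses configured in this task.
APPROVED = {"10.1.17.2", "10.1.17.3"}

if __name__ == "__main__":
    for name, outputs in (("page", PAGE_OUTPUTS), ("drifted", DRIFTED_OUTPUTS)):
        print(name, audit(outputs, APPROVED) or "consistent")
```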
TX-8325-A
TX-8325-A(config)# end
TX-8325-B
TX-8325-B(config)# end
Lab 7: EVPN
In this lab, you will configure switches TX-8325-A and TX-8325-B as a VSX pair acting as a leaf switch
in a spine-and-leaf topology. VXLAN tunnels will transport L2 frames across the routed network. As you
learned in the previous lab, creating tunnels manually can be overwhelming for the IT team. In this
lab you will configure EVPN and MP-BGP, allowing the switches to dynamically create VTEP peers and
VXLAN tunnels.
Network Diagram
Steps
Open a console connection to Switches TX-8325-A, TX-8325-B.
Revert switches TX-8325-A and TX-8325-B to checkpoint VLANX-BASE-XX < XX = your
initials
TX-8325-A
TX-8325-A# copy checkpoint VLANX-BASE-XX running-config < XX = your initials
Configuration changes will take time to process, please be patient.
TX-8325-B
TX-8325-B# copy checkpoint VLANX-BASE-XX running-config < XX = your initials
Configuration changes will take time to process, please be patient.
TX-8325-A
TX-8325-A# configure terminal
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# description VSX-ISL
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan trunk allow all
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# exit
TX-8325-A(config)# interface 1/1/47
TX-8325-A(config-if)# description VSX-KA
TX-8325-A(config-if)# ip address 10.1.X8.41/30
TX-8325-A(config-if)# no shutdown
TX-8325-B
TX-8325-B# configure terminal
TX-8325-B(config)# interface 1/1/46
TX-8325-B(config-if)# description VSX-ISL
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan trunk allow all
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# exit
TX-8325-B(config)# interface 1/1/47
TX-8325-B(config-if)# description VSX-KA
TX-8325-B(config-if)# ip address 10.1.X8.42/30
TX-8325-B(config-if)# no shutdown
Configure VSX
TX-8325-A
TX-8325-A(config)# vsx
TX-8325-A(config-vsx)# inter-switch-link 1/1/46
TX-8325-A(config-vsx)# role primary
TX-8325-A(config-vsx)# keepalive peer 10.1.X8.42 source 10.1.X8.41
TX-8325-B
TX-8325-B(config)# vsx
TX-8325-B(config-vsx)# inter-switch-link 1/1/46
TX-8325-B(config-vsx)# role secondary
TX-8325-B(config-vsx)# keepalive peer 10.1.X8.41 source 10.1.X8.42
Configure VLAN <Z> from your pair table. Use the following table for reference.
Table 1 20
Table 2 10
Table 3 40
Table 4 30
Table 5 60
Table 6 50
Table 7 80
Table 8 70
Table 9 100
Table 10 90
Table 11 120
Table 12 110
Table 13 140
Table 14 130
TX-8325-A
TX-8325-A(config)# vlan <Z> ## Please refer to the previous table
TX-8325-B
TX-8325-B(config)# vlan <Z> ## Please refer to the previous table
TX-8325-B(config)# interface 1/1/2
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan access <Z>
TX-8325-A
TX-8325-A(config)# interface loopback 1
TX-8325-A(config-if)# ip address 10.1.X7.10/32
TX-8325-A(config-if)# ip ospf 1 area 0
TX-8325-B
TX-8325-B(config)# interface loopback 1
TX-8325-B(config-if)# ip address 10.1.X7.10/32
TX-8325-B(config-if)# ip ospf 1 area 0
TX-6300-B
Steps
TX-8325-A
TX-8325-A(config)# evpn
TX-8325-A(config-evpn)# vlan X0
TX-8325-A(config-evpn-vlan-X0)# rd auto
TX-8325-A(config-evpn-vlan-X0)# route-target both auto
TX-8325-A(config-evpn-vlan-X0)# exit
TX-8325-A(config-evpn)# vlan <Z>
TX-8325-A(config-evpn-vlan<Z>)# rd auto
TX-8325-A(config-evpn-vlan<Z>)# route-target both auto
TX-8325-A(config-evpn-vlan<Z>)# exit
TX-8325-A(config-evpn)# exit
TX-8325-B
TX-8325-B(config)# evpn
TX-8325-B(config-evpn)# vlan X0
TX-8325-B(config-evpn-vlan-X0)# rd auto
TX-8325-B(config-evpn-vlan-X0)# route-target both auto
TX-8325-B(config-evpn-vlan-X0)# exit
TX-8325-B(config-evpn)# vlan <Z>
TX-8325-B(config-evpn-vlan<Z>)# rd auto
TX-8325-B(config-evpn-vlan<Z>)# route-target both auto
TX-8325-B(config-evpn-vlan<Z>)# exit
TX-8325-B(config-evpn)# exit
Table  VLAN X0  VNI     VLAN <Z>  VNI
-----  -------  ------  --------  ------
1      10       100110  20        100220
2      20       100220  10        100110
3      30       100330  40        100440
4      40       100440  30        100330
5      50       100550  60        100660
6      60       100660  50        100550
7      70       100770  80        100880
8      80       100880  70        100770
TX-8325-A
TX-8325-A(config)# interface vxlan 1
TX-8325-A(config-vxlan-if)# source ip 10.1.X7.10
TX-8325-A(config-vxlan-if)# no shutdown
TX-8325-A(config-vxlan-if)# vni (1000+X)+VID ####Please see table above
TX-8325-A(config-vni-100110)# vlan X0
TX-8325-A(config-vni-100110)# exit
TX-8325-A(config-vxlan-if)# vni (1000+Z)+VID ####Please see table above
TX-8325-A(config-vni-100220)# vlan <Z>
TX-8325-A(config-vni-100220)# exit
TX-8325-A(config-vxlan-if)# exit
TX-8325-B
TX-8325-B(config)# interface vxlan 1
TX-8325-B(config-vxlan-if)# source ip 10.1.X7.10
TX-8325-B(config-vxlan-if)# no shutdown
TX-8325-B(config-vxlan-if)# vni (1000+X)+VID – ####Please see table above
TX-8325-B(config-vni-100110)# vlan X0
TX-8325-B(config-vni-100110)# exit
TX-8325-B(config-vxlan-if)# vni (1000+Z)+VID – ####Please see table above
TX-8325-B(config-vni-100220)# vlan <Z>
TX-8325-B(config-vni-100220)# exit
TX-8325-B(config-vxlan-if)# exit
TX-8325-A
TX-8325-A(config)# router bgp 100
TX-8325-A(config-bgp)# neighbor 10.1.7.1 remote-as 100
TX-8325-A(config-bgp)# neighbor 10.1.7.1 update-source loopback 0
TX-8325-A(config-bgp)# neighbor 10.1.7.2 remote-as 100
TX-8325-A(config-bgp)# neighbor 10.1.7.2 update-source loopback 0
TX-8325-A(config-bgp)# address-family l2vpn evpn
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 activate
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 send-community extended
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 activate
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 send-community extended
TX-8325-A(config-bgp-l2vpn-evpn)# exit
TX-8325-B
TX-8325-B(config)# router bgp 100
TX-8325-B(config-bgp)# neighbor 10.1.7.1 remote-as 100
TX-8325-B(config-bgp)# neighbor 10.1.7.1 update-source loopback 0
TX-8325-B(config-bgp)# neighbor 10.1.7.2 remote-as 100
TX-8325-B(config-bgp)# neighbor 10.1.7.2 update-source loopback 0
TX-8325-B(config-bgp)# address-family l2vpn evpn
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 activate
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 send-community extended
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 activate
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 send-community extended
TX-8325-B(config-bgp-l2vpn-evpn)# exit
VRF : default
BGP Summary
-----------
Local AS : 100 BGP Router Identifier : 10.1.17.10
Peers : 2 Log Neighbor Changes : No
Cfg. Hold Time : 180 Cfg. Keep Alive : 60
Interface vxlan1 is up
Admin state is up
Description:
Underlay VRF: default
Destination UDP port: 4789
VTEP source IPv4 address: 10.1.17.1
Start a ping from your 6300-A to the pair table's 6300-B. Since both are in the same VLAN, the ping
will cross the VXLAN tunnel to the pair VSX leaf and should succeed.
TX-6300-A# ping 10.1.X0.11
PING 10.1.10.11 (10.1.10.11) 100(128) bytes of data.
108 bytes from 10.1.10.11: icmp_seq=1 ttl=63 time=0.125 ms
108 bytes from 10.1.10.11: icmp_seq=2 ttl=63 time=0.210 ms
108 bytes from 10.1.10.11: icmp_seq=3 ttl=63 time=0.179 ms
108 bytes from 10.1.10.11: icmp_seq=4 ttl=63 time=0.239 ms
108 bytes from 10.1.10.11: icmp_seq=5 ttl=63 time=0.125 ms
TX-8325-A
TX-8325-A(config)# end
TX-8325-B
TX-8325-B(config)# end
Steps
Configure Active gateway for VLANs X0 and VLAN <Z> on TX-8325-A and TX-8325-B
TX-8325-A
TX-8325-A(config)# interface vlan X0
TX-8325-A(config-if-vlan)# ip address 10.1.X0.252/24
TX-8325-A(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.X0.254
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# interface vlan <Z>
TX-8325-A(config-if-vlan)# ip address 10.1.<Z>.252/24
TX-8325-A(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.<Z>.254
TX-8325-B
TX-8325-B(config)# interface vlan X0
TX-8325-B(config-if-vlan)# ip address 10.1.X0.253/24
TX-8325-B(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.X0.254
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# interface vlan <Z>
TX-8325-B(config-if-vlan)# ip address 10.1.<Z>.253/24
TX-8325-B(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.<Z>.254
TX-6300-A
TX-6300-A(config)# ip route 0.0.0.0/0 10.1.X0.254
TX-6300-B
TX-6300-B(config)# ip route 0.0.0.0/0 10.1.<Z>.254
Ping from your TX-6300-A to the other table’s TX-6300-A, the ping should be successful.
TX-8325-A
TX-8325-A(config)# end
TX-8325-B
TX-8325-B(config)# end
In this lab, you will configure DCBX and its features such as PFC, APP TLV and ETS.
Objectives
After completing this lab:
• You will have the required knowledge to implement lossless Ethernet queues on AOS-CX
switches.
Objectives
– Setup a simple environment to configure DCB
Steps
1. Open a console connection to TX-8325-A and TX-8325-B switches.
2. Revert all switches to checkpoint ZERO.
Note. If there is no ZERO checkpoint, then enter the following commands to erase the
configuration:
Objectives
– Enable DCBX on required interfaces.
Steps
1. Open a console connection to both TX-8325-A and TX-8325-B switches.
2. Check LLDP status.
TLVs Advertised
===============
Management Address
Port Description
Port VLAN-ID
System Capabilities
System Description
System Name
OUI
TX-8325-A
TX-8325-A# configure terminal
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# exit
TX-8325-B
TX-8325-B# configure terminal
TX-8325-B(config)# interface 1/1/46
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# exit
TX-8325-A
TX-8325-A(config)# lldp dcbx
TX-8325-B
TX-8325-B(config)# lldp dcbx
TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
Steps – PFC
Check DCBX PFC on interfaces.
TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1
Priority Enabled
0 False
1 False
2 False
3 False
4 False
5 False
6 False
7 False
<< Output omitted >>
TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1
Priority Enabled
0 False
1 False
2 False
3 False
4 False
5 False
6 False
7 False
<< Output omitted >>
TX-8325-A
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# flow-control priority 4
The setting will not be applied until configuration is saved to startup-config and the switch is
rebooted.
NOTE: In order to enable or modify PFC on 8325 switch series, you must reboot the
switch, but don’t reboot your switch now, you will do it later.
TX-8325-A(config-if)# exit
TX-8325-B(config-lag-if)# end
TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1
Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False
Remote advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1
Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False
TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1
Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False
Remote advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1
Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False
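The lab expects priority 4 to be PFC-enabled in both the local and the remote advertisement. The following is an added example, not part of the lab guide: it reads the `show dcbx interface` output shown above and reports a missing required priority, a missing remote advertisement, or a local/remote mismatch. The function names, the required set {4} and the mismatch sample are assumptions made for the example.

```python
from __future__ import annotations

import re
from typing import NamedTuple

SIDE = re.compile(r"^\s*(Local|Remote) advertisement:\s*$")
WILLING = re.compile(r"^\s*Willing\s*:\s*(\S+)\s*$")
# Only rows of the form "<0-7> True|False" are read as PFC priority rows.
PFC_ROW = re.compile(r"^\s*([0-7])\s+(True|False)\s*$")


class PfcView(NamedTuple):
    enabled: frozenset[int]   # priorities advertised as PFC-enabled
    willing: bool             # whether this side accepts the peer's settings


def parse_pfc(output: str) -> dict[str, PfcView]:
    """Map 'local' / 'remote' to the PFC view found under that advertisement."""
    enabled: dict[str, set[int]] = {}
    willing: dict[str, bool] = {}
    side, pending = None, False
    for line in output.splitlines():
        m = SIDE.match(line)
        if m:
            side, pending = m.group(1).lower(), False
            continue
        m = WILLING.match(line)
        if m:
            # The page only shows "No"; any other value counts as willing (assumption).
            pending = m.group(1) != "No"
            continue
        m = PFC_ROW.match(line)
        if m and side:
            if side not in enabled:
                enabled[side], willing[side] = set(), pending
            if m.group(2) == "True":
                enabled[side].add(int(m.group(1)))
    return {s: PfcView(frozenset(p), willing[s]) for s, p in enabled.items()}


def pfc_findings(output: str, required: frozenset[int] = frozenset({4})) -> list[str]:
    """Return human-readable findings; an empty list means the link is consistent."""
    views = parse_pfc(output)
    local, remote = views.get("local"), views.get("remote")
    if local is None:
        return ["no local PFC advertisement in the output"]
    findings = []
    missing = sorted(required - local.enabled)
    if missing:
        findings.append(f"local port does not enable PFC on priority {missing}")
    if remote is None:
        findings.append("no remote PFC advertisement in the output")
    elif local.enabled != remote.enabled:
        note = "" if (local.willing or remote.willing) else (
            "; neither side is willing, so DCBX will not reconcile it")
        findings.append(
            f"PFC mismatch: local {sorted(local.enabled)} vs remote {sorted(remote.enabled)}{note}")
    return findings


def _rows(on: int | None) -> str:
    return "".join(f"{p} {'True' if p == on else 'False'}\n" for p in range(8))


_HEADER = ("Willing : No\nMacSec ByPass Capability : No\n"
           "Max traffic classes : 1\nPriority Enabled\n")
_PROMPT = ("TX-8325-A# show dcbx interface 1/1/46\nDCBX admin state: enabled\n"
           "DCBX operational state : active\n")

# Same text as the page's output after 'flow-control priority 4' on both switches.
PAGE_OUTPUT = (_PROMPT + "Local advertisement:\n" + _HEADER + _rows(4)
               + "Remote advertisement:\n" + _HEADER + _rows(4))
# Same text as the page's first output: nothing enabled, remote part omitted.
BEFORE_OUTPUT = _PROMPT + "Local advertisement:\n" + _HEADER + _rows(None)
# Constructed mismatch: the peer advertises priority 3 instead of 4.
MISMATCH_OUTPUT = (_PROMPT + "Local advertisement:\n" + _HEADER + _rows(4)
                   + "Remote advertisement:\n" + _HEADER + _rows(3))

if __name__ == "__main__":
    for name, text in (("page", PAGE_OUTPUT), ("before", BEFORE_OUTPUT),
                       ("mismatch", MISMATCH_OUTPUT)):
        print(name, pfc_findings(text) or "consistent")
```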
TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>
TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>
Local advertisement:
Protocol Port/Type Priority
-----------------------------------------
Configure APP TLV to prioritize iSCSI traffic with the CoS priority of 4.
TX-8325-A
TX-8325-A# config t
TX-8325-A(config)# dcbx application iscsi priority 4
TX-8325-A(config)# dcbx application tcp-sctp 860 priority 4
TX-8325-A(config)# dcbx application tcp-sctp 3260 priority 4
TX-8325-B
TX-8325-B# config t
TX-8325-B(config)# dcbx application iscsi priority 4
TX-8325-B(config)# dcbx application tcp-sctp 860 priority 4
TX-8325-B(config)# dcbx application tcp-sctp 3260 priority 4
TX-8325-A
TX-8325-A(config)# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>
Local advertisement:
Protocol Port/Type Priority
-----------------------------------------
iscsi 4
tcp-sctp 860 4
tcp-sctp 3260 4
TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>
Local advertisement:
Protocol Port/Type Priority
-----------------------------------------
iscsi 4
tcp-sctp 860 4
tcp-sctp 3260 4
Objectives
– Configure DCBX ETS to control how much bandwidth queues receive.
Steps
Check default DCBX ETS configuration.
TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output Omitted >>
Enhanced Transmission Selection (ETS)
--------------------------------------
Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 8
Remote advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 8
Create a schedule-profile that assigns 60% bandwidth to queue 4 (iSCSI) and 40%
bandwidth to queue 0 (all other traffic).
Network Diagram
Steps
Open a console connection to both AGG-1 and AGG-2 switches and revert both switches to the
Lab1-done checkpoint.
TX-8325-A
TX-8325-A# copy checkpoint ZERO running-config
Configuration changes will take time to process, please be patient.
TX-8325-B
TX-8325-B# copy checkpoint ZERO running-config
Configuration changes will take time to process, please be patient.
Verify that you have a clean config, with no LAG, VSX configuration, and routing protocol.
TX-8325-A
TX-8325-A# show run
Current configuration:
!Version ArubaOS-CX GL.10.04.0010
hostname TX-8325-A
cli-session
timeout 0
ssh server vrf mgmt
vlan 1
interface mgmt
no shutdown
ip static 10.251.X.2/24
default 10.251.X.254
TX-8325-B
TX-8325-B# show run
Current configuration:
!Version ArubaOS-CX GL.10.04.0010
hostname TX-8325-B
cli-session
timeout 0
ssh server vrf mgmt
vlan 1
interface mgmt
no shutdown
ip static 10.251.X.3/24
default 10.251.X.254
TX-8325-A
TX-8325-A# configure terminal
TX-8325-A(config)# vlan X0-X5
TX-8325-A(config-vlan-<10-15>)# exit
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# shutdown
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan trunk allowed X0-X5
TX-8325-A(config-if)# exit
TX-8325-A(config)# interface 1/1/48
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan trunk allowed X0-X5
TX-8325-A(config-if)# exit
TX-8325-A(config)# interface 1/1/1
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan access 15
TX-8325-A(config-if)# no shutdown
IMPORTANT: To avoid loops in your topology, the AGG-1 interface 1/1/46 should
stay in a shutdown state until ERPS is completely configured.
TX-8325-B
TX-8325-B# configure terminal
TX-8325-B(config)# vlan X0-X5
TX-8325-B(config-vlan-<10-15>)# exit
TX-8325-B(config)# interface 1/1/46,1/1/48
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan trunk allowed X0-X5
Create IP interfaces.
TX-8325-A
TX-8325-A(config)# interface vlan X4
TX-8325-A(config-if-vlan)# ip address 10.1.X4.2/24
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# interface vlan X5
TX-8325-A(config-if-vlan)# ip address 10.1.X5.2/24
TX-8325-A(config-if-vlan)# exit
TX-8325-B
TX-8325-B(config)# interface vlan X4
TX-8325-B(config-if-vlan)# ip address 10.1.X4.3/24
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# interface vlan X5
TX-8325-B(config-if-vlan)# ip address 10.1.X5.3/24
TX-8325-B(config-if-vlan)# exit
TX-8325-A
TX-8325-A(config)# int vlan X4
TX-8325-A(config-if-vlan)# vrrp X4 address-family ipv4
TX-8325-A(config-if-vrrp)# address 10.1.X4.1 primary
TX-8325-A(config-if-vrrp)# priority 150
TX-8325-A(config-if-vrrp)# no shutdown
TX-8325-A(config-if-vrrp)# exit
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# router vrrp enable
TX-8325-A(config)# int vlan X5
TX-8325-A(config-if-vlan)# vrrp X5 address-family ipv4
TX-8325-A(config-if-vrrp)# address 10.1.X5.1 primary
TX-8325-A(config-if-vrrp)# no shutdown
TX-8325-A(config-if-vrrp)# exit
TX-8325-A(config-if-vlan)# exit
TX-8325-B
TX-8325-B(config)# int vlan X4
TX-8325-B(config-if-vlan)# vrrp X4 address-family ipv4
TX-8325-B(config-if-vrrp)# address 10.1.X4.1 primary
TX-8325-B(config-if-vrrp)# no shutdown
TX-8325-B(config-if-vrrp)# exit
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# router vrrp enable
TX-8325-B(config)# int vlan X5
TX-8325-B(config-if-vlan)# vrrp X5 address-family ipv4
TX-8325-B(config-if-vrrp)# address 10.1.X5.1 primary
TX-8325-B(config-if-vrrp)# priority 150
TX-8325-B(config-if-vrrp)# no shutdown
TX-8325-B(config-if-vrrp)# exit
TX-8325-B(config-if-vlan)# exit
TX-8325-Core
TX-8325-Core(config-if)# no routing
TX-8325-Core(config-if)# no shutdown
TX-8325-Core(config-if)# vlan trunk allow X0-X5
TX-8325-Core(config-if)# exit
TX-8325-Core(config)# interface 1/1/2
TX-8325-Core(config-if)# no routing
TX-8325-Core(config-if)# no shutdown
TX-8325-Core(config-if)# vlan trunk allow X0-X5
TX-8325-A
VRRP is enabled
Interface Grp A-F Pri Time Owner Pre State Master addr/Group addr
vlanX4 X4 IPv4 150 274 N Y MASTER 10.1.X4.2 10.1.X4.1
vlanX5 X5 IPv4 100 85 N Y BACKUP 10.1.X5.3 10.1.X5.1
TX-8325-B
VRRP is enabled
Interface Grp A-F Pri Time Owner Pre State Master addr/Group addr
vlanX4 X4 IPv4 100 73 N Y BACKUP 10.1.X4.2 10.1.X4.1
vlanX5 X5 IPv4 150 47 N Y MASTER 10.1.X5.3 10.1.X5.1
TX-8325-A
Note: Based on the previous labs, it is probable that you will have another default route to
10.1.X0.1. Please remove it and make sure you are only using 10.1.X5.1.
Steps
Open a console connection to both AGG-1 and AGG-2 switches, create an ERPS ring,
and configure the ERPS ring member ports.
TX-8325-A
TX-8325-A(config)# erps ring 1
TX-8325-A(config-erps-ring-1)# description ERPS-Ring
TX-8325-A(config-erps-ring-1)# port0 interface 1/1/46
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-A(config-erps-ring-1)# port1 interface 1/1/48
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-B
TX-8325-B(config)# erps ring 1
TX-8325-B(config-erps-ring-1)# description ERPS-Ring
TX-8325-B(config-erps-ring-1)# port0 interface 1/1/46
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-B(config-erps-ring-1)# port1 interface 1/1/48
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-Core
TX-8325-CORE(config)# erps ring 1
TX-8325-CORE(config-erps-ring-1)# description ERPS-Ring
TX-8325-CORE(config-erps-ring-1)# port0 interface 1/1/1
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-CORE(config-erps-ring-1)# port1 interface 1/1/2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
Create and enable two instances on TX-8325-A and TX-8325-B, providing loop avoidance
and load balancing.
Instance    Protected VLAN  Control VLAN
----------  --------------  ------------
Instance-1  X4              X2
Instance-2  X5              X3
TX-8325-A
TX-8325-A(config-erps-ring-1)# instance 1
TX-8325-A(config-erps-ring-1-inst-1)# description ERPS-Instance1
TX-8325-A(config-erps-ring-1-inst-1)# control-vlan X2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-A(config-erps-ring-1-inst-1)# protected-vlans X4
TX-8325-A(config-erps-ring-1-inst-1)# role rpl-owner
TX-8325-A(config-erps-ring-1-inst-1)# rpl port1
TX-8325-A(config-erps-ring-1-inst-1)# enable
TX-8325-A(config-erps-ring-1-inst-1)# exit
TX-8325-A(config-erps-ring-1)# instance 2
TX-8325-A(config-erps-ring-1-inst-2)# description ERPS-Instance2
TX-8325-A(config-erps-ring-1-inst-2)# control-vlan X3
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-A(config-erps-ring-1-inst-2)# protected-vlans X5
TX-8325-A(config-erps-ring-1-inst-2)# role rpl-neighbor
TX-8325-A(config-erps-ring-1-inst-2)# enable
TX-8325-B
TX-8325-B(config-erps-ring-1)# instance 1
TX-8325-B(config-erps-ring-1-inst-1)# description ERPS-Instance1
TX-8325-B(config-erps-ring-1-inst-1)# control-vlan X2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-B(config-erps-ring-1-inst-1)# protected-vlans X4
TX-8325-B(config-erps-ring-1-inst-1)# role rpl-neighbor
TX-8325-B(config-erps-ring-1-inst-1)# enable
TX-8325-B(config-erps-ring-1-inst-1)# exit
TX-8325-B(config-erps-ring-1)# instance 2
TX-8325-B(config-erps-ring-1-inst-2)# description ERPS-Instance2
TX-8325-B(config-erps-ring-1-inst-2)# control-vlan X3
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-B(config-erps-ring-1-inst-2)# protected-vlans X5
TX-8325-B(config-erps-ring-1-inst-2)# role rpl-owner
TX-8325-B(config-erps-ring-1-inst-2)# rpl port0
TX-8325-B(config-erps-ring-1-inst-2)# enable
TX-8325-Core
TX-8325-CORE(config-erps-ring-1)# instance 1
TX-8325-CORE(config-erps-ring-1-inst-1)# description ERPS-Instance1
TX-8325-CORE(config-erps-ring-1-inst-1)# control-vlan X2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-CORE(config-erps-ring-1-inst-1)# protected-vlans X4
TX-8325-CORE(config-erps-ring-1-inst-1)# role rpl-neighbor
TX-8325-CORE(config-erps-ring-1-inst-1)# enable
TX-8325-CORE(config-erps-ring-1-inst-1)# exit
TX-8325-CORE(config-erps-ring-1)# instance 2
TX-8325-CORE(config-erps-ring-1-inst-2)# description ERPS-Instance2
TX-8325-CORE(config-erps-ring-1-inst-2)# control-vlan X3
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-CORE(config-erps-ring-1-inst-2)# protected-vlans X5
TX-8325-CORE(config-erps-ring-1-inst-2)# role rpl-neighbor
TX-8325-CORE(config-erps-ring-1-inst-2)# enable
TX-8325-CORE(config-erps-ring-1-inst-2)# exit
Now that you have configured the ERPS ring and instances, enable port 1/1/46 on TX-8325-A.
TX-8325-A
TX-8325-A# show erps summary
ERPS Summary
============
Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48* Pending M,RO
1 2 1/1/46 1/1/48 Pending M
IMPORTANT: You have to wait for the WTR timer to expire (5 minutes by default) before
the status changes to Idle. The events below show the ERPS ring status changing.
TX-8325-B# page 20
TX-8325-B# show events -r
<output omitted>
2019-10-03T11:51:14.284020+00:00 TX-8325-B hpe-mgmdd[2129]: Event|2622|LOG_INFO|AMM|1/1|Flood mode is temporarily activated on ERPS ports 1/1/46 and 1/1/48 as ring state for ring id 1 changed to idle.
2019-10-03T11:51:14.283007+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Idle
2019-10-03T11:51:14.263203+00:00 TX-8325-B hpe-mgmdd[2129]: Event|2622|LOG_INFO|AMM|1/1|Flood mode is temporarily activated on ERPS ports 1/1/46 and 1/1/48 as ring state for ring id 1 changed to idle.
2019-10-03T11:51:14.261929+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Idle
2019-10-03T11:49:41.841701+00:00 TX-8325-B hpe-restd[6925]: Event|4605|LOG_INFO|AMM|-|Session ended for user admin, session 85OCAmwUdDakYxmbLN-_Ww==
2019-10-03T11:49:41.840942+00:00 TX-8325-B hpe-restd[6925]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user admin, for resource SessionMgmt, with action POST
2019-10-03T11:49:34.010063+00:00 TX-8325-B hpe-restd[6925]: Event|4604|LOG_INFO|AMM|-|Session started for user admin, session 85OCAmwUdDakYxmbLN-_Ww==
2019-10-03T11:49:34.009700+00:00 TX-8325-B hpe-restd[6925]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user admin in session 85OCAmwUdDakYxmbLN-_Ww==
2019-10-03T11:48:48.136889+00:00 TX-8325-B hpe-restd[6925]: Event|4605|LOG_INFO|AMM|-|Session ended for user admin, session 1PulQPNZCZzHCYOrin3YGw==
2019-10-03T11:48:48.136061+00:00 TX-8325-B hpe-restd[6925]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user admin, for resource SessionMgmt, with action POST
2019-10-03T11:48:39.907303+00:00 TX-8325-B hpe-restd[6925]: Event|4604|LOG_INFO|AMM|-|Session started for user admin, session 1PulQPNZCZzHCYOrin3YGw==
2019-10-03T11:48:39.906808+00:00 TX-8325-B hpe-restd[6925]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user admin in session 1PulQPNZCZzHCYOrin3YGw==
2019-10-03T11:46:16.250390+00:00 TX-8325-B lldpd[2109]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor 90:20:c2:ba:e7:00 added on 1/1/46
2019-10-03T11:46:14.247448+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Pending
2019-10-03T11:46:14.231740+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Pending
2019-10-03T11:46:13.204965+00:00 TX-8325-B intfd[2026]: Event|403|LOG_INFO|||Link status for interface 1/1/46 is up
<output omitted>
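The WTR wait can be measured from these events. The following is an added example, not part of the lab guide: it parses event lines as printed by show events, reports how long each ring instance stayed in Pending before reaching Idle, and lists successful REST API logins (event 4602). The function names are this example's own, and the sample input is taken from the TX-8325-B output with the session ID replaced by a placeholder.

```python
import re
from datetime import datetime

# Sample input: events from the TX-8325-B output above, one per line, newest
# first as printed there; the session ID is replaced by a placeholder.
SAMPLE = """\
2019-10-03T11:51:14.283007+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Idle
2019-10-03T11:51:14.261929+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Idle
2019-10-03T11:49:34.009700+00:00 TX-8325-B hpe-restd[6925]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user admin in session SESSION-ID-PLACEHOLDER
2019-10-03T11:46:14.247448+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Pending
2019-10-03T11:46:14.231740+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Pending
"""

# timestamp host daemon[pid]: Event|id|severity|<two fields not used here>|message
EVENT = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>[\w-]+)\[\d+\]: "
                   r"Event\|(?P<id>\d+)\|(?P<sev>\w+)\|[^|]*\|[^|]*\|(?P<msg>.*)$")
ERPS_STATE = re.compile(r"ring (\d+), instance (\d+) changed to (\w+)")
REST_AUTH = re.compile(r"Authentication succeeded for user (\S+) in session")

def parse_events(text):
    """Parse event lines into dicts, returned oldest first."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])

def pending_to_idle_seconds(events):
    """Map (ring, instance) to the seconds spent in Pending before Idle."""
    pending_since, waits = {}, {}
    for ev in events:
        m = ERPS_STATE.search(ev["msg"]) if ev["id"] == "8503" else None
        if not m:
            continue
        key, state = (int(m[1]), int(m[2])), m[3]
        if state == "Pending":
            pending_since[key] = ev["ts"]
        elif state == "Idle" and key in pending_since:
            waits[key] = (ev["ts"] - pending_since.pop(key)).total_seconds()
    return waits

def rest_logins(events):
    """List (time, user) for each successful REST API authentication (event 4602)."""
    return [(ev["ts"], REST_AUTH.search(ev["msg"])[1]) for ev in events
            if ev["id"] == "4602" and REST_AUTH.search(ev["msg"])]

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(pending_to_idle_seconds(evs), rest_logins(evs))
```

On the sample, both instances report about 300 seconds in Pending, which matches the 5-minute default WTR timer.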
IMPORTANT: In the lab, you can change the WTR timer on all switches to 1 min to
reduce the waiting time.
TX-8325-A
TX-8325-A(config)# erps ring 1
TX-8325-A(config-erps-ring-1)# wtr-interval 1
TX-8325-B
TX-8325-B(config)# erps ring 1
TX-8325-B(config-erps-ring-1)# wtr-interval 1
TX-8325-Core
TX-8325-CORE(config)# erps ring 1
TX-8325-CORE(config-erps-ring-1)# wtr-interval 1
TX-8325-B
TX-8325-B# show erps summary
ERPS Summary
============
Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48 Idle M
1 2 1/1/46* 1/1/48 Idle M,RO
TX-8325-Core
TX-8325-CORE# show erps summary
ERPS Summary
============
Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/1 1/1/2 Idle M
1 2 1/1/1 1/1/2 Idle M
Now take a closer look using "show erps status ring 1".
TX-8325-A
TX-8325-A# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-ring
Instance ID : 1
Instance description : ERPS-RING-INTANCE1
Port0 : 1/1/46 (Up)
Port1 : 1/1/48 (Block)
Node Role (RPL) : Owner (port1)
Control VLAN : 12
Protected VLAN : 14
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Idle
Oper Down Reason : None
TX-8325-B
TX-8325-B# show erps status ring 1
IMPORTANT: RPL link blocking occurs only at the RPL owner, on its RPL interface.
Note: A ring instance can be in the "down" state for the following reasons:
• Disabled: The administrator has disabled the ring instance.
• Inconsistent Port Config: The administrator has configured the same port as port0 and port1 or the RPL port without a role.
• Incomplete Port Config: The administrator has configured only one or no ring port.
• Protected VLANs Not Configured: The protected VLAN list is empty.
• Control VLAN Not Configured: The administrator has not configured the control VLAN.
Steps
Start a continuous ping to the MC’s IP address (10.1.X4.100) from the TX-6300-A switch.
Open a console connection to both the TX-8325-A and TX-8325-B switches.
On the TX-8325-A switch, disable ERPS port0 (1/1/46).
The ping should still be successful.
TX-8325-A
TX-8325-A# show erps summary
ERPS Summary
============
Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48* Protection M,RO
1 2 1/1/46 1/1/48 Protection M
TX-8325-B
TX-8325-B# show erps summary
ERPS Summary
============
Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48 Protection M
1 2 1/1/46* 1/1/48 Protection M,RO
TX-8325-Core
TX-8325-CORE# show erps summary
ERPS Summary
============
Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/1 1/1/2 Protection M
1 2 1/1/1 1/1/2 Protection M
Note: The Protection state means that protection switching has been triggered by a
local or remote link failure.
TX-8325-A
TX-8325-A# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-ring
Instance ID : 1
Instance description : ERPS-RING-INTANCE1
Port0 : 1/1/46 (Block)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Owner (port1)
Control VLAN : 12
Protected VLAN : 14
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Protection
Oper Down Reason : None
TX-8325-B
TX-8325-Core
TX-8325-CORE# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-Ring
Instance ID : 1
AGG-1
TX-8325-A(config)# exit
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint APPX-ERPS-[student-name]
Configuration changes will take time to process, please be patient.
AGG-2