CDI-AOS-CX 10.4 Switching Portfolio Launch - Lab V4.01


Aruba OS-CX Switch Enablement Field Training

Lab Guide

Lab 0: Remote Lab Access Overview
  Objectives
  Lab equipment
  Task 1: Remote Training Lab Access
    Initial Access and Control
Lab 1: VSF Setup
  Lab1.1 Initialization Lab environment
  Task 1 Initial Lab Setup
    Steps
    Objectives
    Steps
Lab 1.2: VSF setup
  Objectives
  Steps
Lab 1.3: VSF Split detection
  Objectives
  Steps
Lab 2: Configuring VSX
  Objects
  Steps
  Task 1: Prepare the Base Configuration
    Objectives
    Steps
  Task 2: Configuring VSX ISL
    Objectives

| © Copyright 2019 Hewlett Packard Enterprise Development LP | Confidential – For Training Purposes Only
AOS-CX Enablement Field Training 2019 Lab Guide

    Steps
  Task 3: VSX LAG
    Objectives
    Steps
  Task 4: Configuring VSX Keepalive
    Objectives
    Steps
  Task 5: Configuring VSX Active-Gateway
    Objectives
    Steps
  Task 6: VSX Redundancy
    Objectives
    Steps
  Task 7: VSX Split-Brain
    Objectives
    Steps
Lab 3: Configuring OSPF Routing Protocol with NetEdit
  Objects
  Task 1: NetEdit Users and Password
    Objectives
    Steps
  Task 2: Import and manage devices
    Objectives
    Steps
  Task 3: Create a configuration plan for AGG and Core switches
    Objectives
    Steps
Lab 4: Access Control
  Objectives
  Task1 Preparing Access control Lab.
    Steps
  Task 2 MAC-authentication
    Steps


  Task 3 Dot1X authentication
    Steps
  Task 4 Captive Portal authentication
    Steps
Lab 5: Dynamic Segmentation
  Objectives
  Task 1: lab preparing
  Task 2 Downloadable user role (DUR)
  Task 3 Local user role (LUR) and Dynamic-segmentation lab (Tunneling)
Lab 6: Configuring Static L2 VXLAN
  Physical Diagram
  Logical Diagram
  Task 1: Prepare the Base Config for the Lab
    Objectives
    Steps
  Task 2: VXLAN Configuration
    Objectives
    Steps
Lab 7: EVPN
  Network Diagram
  Task 1: Setup Environment
    Objectives
    Steps
  Task 2: Configure L2 EVPN
    Objectives
    Steps
  Task 3: Configure centralized routing for EVPN
    Objectives
    Steps
APPENDIX LAB -A: Configure DCBX (Optional lab)
  Objectives
  Task 1: Prepare the Base Config for the Lab
    Objectives


    Steps
  Task 2: Enabling DCBX
    Objectives
    Steps
  Task 3: Priority Flow Control (PFC) and APP TLV
    Objectives
    Steps – PFC
    Steps – APP TLV
  Task 4: Enhanced Traffic Selection (ETS)
    Objectives
    Steps
APPENDIX LAB -B: ERPS (Optional lab)
  Objects
  Network Diagram
  Task 1: Prepare Lab Environment
    Objectives
    Steps
  Task 2: Configure ERPS
    Objectives
    Steps
  Task 3: ERPS operations
    Objectives
    Steps


Lab 0: Remote Lab Access Overview


The Aruba remote lab portal provides you with Aruba AOS-CX switches, NetEdit, virtual laptops,
and a ClearPass server, as well as the servers you need for your training. You should know the
procedures for accessing every device and client available in the remote lab portal.

Objectives
After completing this lab:
• You will know how to access the Aruba remote lab portal.

Lab equipment
• Per table (per student)
– 3x 8325 switches using AOS-CX 10.04
– 2x 6300 switches using AOS-CX 10.04
– 1x Mobility Controller 7005 running AOS version 8.5
– 1x Wired client (VM) Windows 10 Enterprise
– 1x NetEdit version 2.0

• Per class shared equipment


– 1x 6300 + 2x 8325 switches (Backbone area)
– DHCP/DNS/AD Server
– NTP Server
– ClearPass Server version 6.8


Task 1: Remote Training Lab Access


During this training, you will use Aruba’s remote lab dashboard. The remote lab dashboard center
provides you with the AOS-CX switches, virtual laptops, and Mobility controller that you will need for
your training. This task will test your access to the remote lab.

Initial Access and Control

Launch a web browser and browse to the Aruba Training Lab at the portal:
https://arubatraininglab.computerdata.com

1. Enter the username and the password (if you don’t have one, ask your instructor for the
credentials) and click the Sign in button.


Remote Lab Topology


IP sheet

Table (X): ( )  Assigned by the instructor. Write down your Table number here.

Device (Hostname)                OOBM IP                         Write Down Your OOBM IP  Username / Password     Note
-------------------------------------------------------------------------------------------------------------------------------------------------
CORE (TX-8325-Core)              10.251.X.1/24 DG:10.251.X.254                            admin / admin           Access it by Aruba Training Lab
AGG-1 (TX-8325-A)                10.251.X.2/24 DG:10.251.X.254                            admin / admin           Access it by Aruba Training Lab
AGG-2 (TX-8325-B)                10.251.X.3/24 DG:10.251.X.254                            admin / admin           Access it by Aruba Training Lab
ACC-1 (TX-6300-A)                10.251.X.4/24 DG:10.251.X.254                            admin / admin           Access it by Aruba Training Lab
ACC-2 (TX-6300-B)                10.251.X.5/24 DG:10.251.X.254                            admin / admin           Access it by Aruba Training Lab
Mobility controller 7005 (MC-X)  10.1.X4.100/24 DG:10.1.X4.1                              admin / password        Access it by Aruba Training Lab
                                 (controller IP Not OOBM)
NetEdit 2.0                      10.251.X.200                                             admin / password        Access it from Windows 10
                                                                                          neadmin / password
DHCP/DNS                         10.253.1.21                                              N/A                     Preconfigured
NTP server                       10.253.1.15                                              AUTH KEY 1: aruba123    Preconfigured
ClearPass 6.8                    cppm.arubatraining.com                                   readonly / readonly     Access it from win10
                                 10.253.1.100
Windows 10 wired Client          10.251.X.90                                              N/A                     Access it by Aruba Training Lab

Don’t forget: In these labs, the value ‘X’ is your student table number, which will be
assigned by the instructor.

You have completed Lab 0!


Lab 1: VSF Setup

Lab1.1 Initialization Lab environment

Task 1 Initial Lab Setup


Lab 1 provides instructions on how to set up your remote lab environment with an initial setup that
you can use in other labs moving forward. This will make it easy for you to revert to the initial setup
at any time. You will also learn various systems and hardware related commands that you will find
useful during troubleshooting the hardware platform.

Note: Please remember that students’ tables share core switches. Never issue a command on
those switches unless your lab guide or instructor asks you to do so.

Task 1: Configure Access and Aggregation Switches

Steps
1. Open a console connection to your ACC-1(TX-6300-A) switch.
2. Log in with username admin / admin password (just press enter at the password prompt) or
try (admin/enable).
3. Check whether a checkpoint named “ZERO” exists and, if it does, restore the running
configuration from checkpoint ZERO.

T01-6300-A# show checkpoint list


CPC20191004171718
CPC20191006002511
startup-config-backup
CPC20191006223123
startup-config
ZERO
CPC20191008035856
CPC20191008043910
CPC20191008161537

T01-6300-A# copy checkpoint ZERO running-config


Configuration changes will take time to process, please be patient.
T01-6300-A#

Note: If there is no ZERO checkpoint, then do the next steps from 4 to 7.

4. Configure the Out-Of-Band Management interface IP address on switch ACC-1.

Switch Management IP ( OOBM )

TX-6300-A 10.251.X.4/24


TX-6300-A(config)#
interface mgmt
    no shutdown
    ip static <10.251.X.4>/24
    default-gateway <10.251.X.254>
    exit
!
session-timeout 0
ssh server vrf mgmt
https-server vrf mgmt
https-server rest access-mode read-write
end
!

5. Change the admin password to 'admin'. This is the default password used on switches in the
lab.
TX-6300-A(config)# user admin password
Enter password: admin
Confirm password: admin

6. Disable the session timeout. This is convenient while working on the labs.
QUESTION: What is the default console session timeout value? You can use the system help
(?) to find out.

TX-6300-A(config)# session-timeout ?
<0-43200> Idle timeout range in minutes. Value 0 disables the timeout
(Default: 30)

TX-6300-A(config)# session-timeout 0

ANSWER: The console session default idle timeout is 30 minutes.

7. Save the current running configuration to the startup. If you reboot the system manually or
accidentally, this is the state the system will return to after a reboot.

TX-6300-A(config)# exit
TX-6300-A# write memory
TX-6300-A# copy run checkpoint ZERO

8. Repeat the steps above for:
a. ACC-2(TX-6300-B)
b. AGG-1(TX-8325-A)
c. AGG-2(TX-8325-B)
d. CORE(TX-8325-Core)

Please refer to the IP sheet in Lab 0 to configure their management IPs.
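
An added example, not part of the lab guide: a Python check that reads the management baseline
from steps 4 to 6 and lists the settings chosen for lab convenience, so they can be reviewed
before the same baseline is reused elsewhere. The sample config is constructed with X=1, and the
function name and finding names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the baseline from steps 4-6 with table number X=1.
LAB_BASELINE = """\
interface mgmt
    no shutdown
    ip static 10.251.1.4/24
    default-gateway 10.251.1.254
session-timeout 0
ssh server vrf mgmt
https-server vrf mgmt
https-server rest access-mode read-write
"""


def audit_mgmt_baseline(config, mgmt_vrf="mgmt"):
    """Return finding names (hypothetical labels) for the management-plane settings.

    Assumes 'ip static' and 'default-gateway' only appear under 'interface mgmt',
    as they do in the lab config.
    """
    findings = []
    iface = gateway = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"session-timeout (\d+)", line):
            # 0 disables the idle timeout; the switch default shown in the lab is 30 minutes.
            if int(m.group(1)) == 0:
                findings.append("idle-timeout-disabled")
        elif m := re.fullmatch(r"https-server rest access-mode (\S+)", line):
            # read-write lets REST clients change configuration, not only read it.
            if m.group(1) == "read-write":
                findings.append("rest-read-write")
        elif m := re.fullmatch(r"(ssh server|https-server) vrf (\S+)", line):
            # Management services bound to a VRF other than the out-of-band one.
            if m.group(2) != mgmt_vrf:
                findings.append(f"{m.group(1).split()[0]}-on-vrf-{m.group(2)}")
        elif m := re.fullmatch(r"ip static (\S+)", line):
            iface = ipaddress.ip_interface(m.group(1))
        elif m := re.fullmatch(r"default-gateway (\S+)", line):
            gateway = ipaddress.ip_address(m.group(1))
    # A gateway outside the OOBM subnet usually means the wrong table number was typed.
    if iface and gateway and gateway not in iface.network:
        findings.append("gateway-outside-mgmt-subnet")
    return findings


if __name__ == "__main__":
    for name in audit_mgmt_baseline(LAB_BASELINE):
        print(name)
```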


Task 2 System and Hardware Status

Objectives
This task shows various system- and hardware-related commands that are useful when
troubleshooting the hardware platform.

Steps
1. Open a console connection to the ACC-1(TX-6300-A)
2. Review the environment information.

TX-6300-A# show environment


show environment fan
Fan tray information
------------------------------------------------------------------------------
Mbr/Tray Description Status Serial Number Fans
------------------------------------------------------------------------------
1/1 N/A Aruba 6300M Fan Tray ready N/A 2
1/2 N/A Aruba 6300M Fan Tray ready N/A 2
Fan information
---------------------------------------------------------------------------
Mbr/Tray/Fan Product Serial Number Speed Direction Status RPM
---------------------------------------------------------------------------
1/1/1 N/A N/A slow front-to-back ok 4057
1/1/2 N/A N/A slow front-to-back ok 3963
1/2/1 N/A N/A slow front-to-back ok 4020
1/2/2 N/A N/A slow front-to-back ok 4008

show environment led


Mbr/Name State Status
-------------------------------
1/locator off ok

show environment power-supply


Product Serial PSU Wattage
Mbr/PSU Number Number Status Maximum
--------------------------------------------------------------
1/1 JL086A CN74GZ901Z OK 680
1/2 N/A N/A Absent 0

show environment temperature


Temperature information
------------------------------------------------------------------------------
Current
Mbr/Slot-Sensor Module Type temperature Status
------------------------------------------------------------------------------
1/1-PHY-01-04 line-card-module 40.00 C normal
1/1-PHY-05-08 line-card-module 39.00 C normal
1/1-PHY-09-12 line-card-module 42.00 C normal
1/1-PHY-13-16 line-card-module 43.00 C normal
1/1-PHY-17-20 line-card-module 43.00 C normal
1/1-PHY-21-24 line-card-module 43.00 C normal
1/1-PHY-25-28 line-card-module 44.00 C normal
1/1-PHY-29-32 line-card-module 43.00 C normal
1/1-PHY-33-36 line-card-module 44.00 C normal
<<<-output omitted->>>


3. Review the system information, including the device serial number information.
TX-6300-A# show system

Hostname : TX-6300-A
System Description : FL.10.04.0001AA
System Contact :
System Location :
Vendor : Aruba
Product Name : JL659A 6300M 48SR5 CL6 PoE 4SFP56 Swch
Chassis Serial Nbr : SG9ZKMY037
Base MAC Address : 9020c2-257b00
ArubaOS-CX Version : FL.10.04.0001AA
Time Zone : UTC
Up Time : 21 hours, 10 minutes
CPU Util (%) : 19

4. Review the top CPU processes.


TX-6300-A# top cpu

<<<-output omitted->>>

5. Review the top memory processes.


TX-6300-A# top memory

<<<-output omitted->>>


6. Review the capacities of the platform.


TX-6300-A# show capacities

<<<-output omitted->>>

7. To review the current load of the system compared to the maximum, check the capacities
status. The value reflects the current use.
TX-6300-A# show capacities-status

<<<-output omitted->>>


Lab 1.2: VSF setup

Objectives
In this lab, you will establish a chain VSF stack and verify the VSF stack status.

Steps
1. Open a console connection to the ACC-1(TX-6300-A)
2. Configure at least one VSF link interface on the desired stack master. In this case, TX-6300-A
will be the master. Assigning a port to a VSF link invokes a 'port stealing' method, which clears
all protocol settings from the interface and precludes any further configuration beyond setting
the port as enabled or disabled.

TX-6300-A(config)# interface 1/1/21-1/1/22
T1-6300-A(config-if<1/1/21-1/1/22>)# shutdown
TX-6300-A(config)# interface 1/1/28
T1-6300-A(config-if)# shutdown
T1-6300-A(config-if)# exit
TX-6300-A(config)# vsf member 1
TX-6300-A(vsf-member-1)# link 1 1/1/27

3. Open a console connection to the ACC-2(TX-6300-B)


On each new member, configure one or more VSF links, then renumber the member, which will
cause it to reboot.

TX-6300-B(config)# interface 1/1/21-1/1/22


T1-6300-B(config-if<1/1/21-1/1/22>)# shutdown
TX-6300-B(config)# interface 1/1/28
T1-6300-B(config-if)# shutdown
T1-6300-B(config-if)# exit
TX-6300-B(config)# vsf member 1
TX-6300-B(vsf-member-1)# link 1 1/1/27
TX-6300-B(vsf-member-1)# exit
TX-6300-B(config)# vsf renumber-to 2
This will save the VSF configuration and reboot the switch.

Do you want to continue (y/n) y

4. After the switch boots with its new member ID, connect its VSF link(s) to the stack; it will
automatically reboot. Once the new member has booted, verify that the stack is operating
normally.

TX-6300-A(config)# show vsf


MAC Address : f8:60:f0:03:5a:80
Secondary :
Topology : Chain
Status : No Split
Split Detection Method : none
Mbr Mac Address type Status
ID
--- ------------------- -------------- ---------------
1 f8:60:f0:03:5a:80 JL668A Master
2 90:20:c2:24:50:80 JL659A Member

5. Verify interface names have been changed by the VSF stack.


TX-6300-A(config)# show interface brief
-------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed
-------------------------------------------------------------------------------------
1/1/1 -- routed 5G-SmartRate yes up 1000
1/1/2 -- routed 5G-SmartRate yes up 1000
1/1/3 -- routed 5G-SmartRate no down Administratively down --
…..
….
2/1/1 -- routed 1GbT no down Administratively down --
2/1/2 -- routed 1GbT no down Administratively down --
2/1/3 -- routed 1GbT no down Administratively down --
…..
2/1/24 -- routed 1GbT no down Administratively down --
2/1/25 1 access SFP+DAC1 yes up 10000
2/1/26 1 access SFP+DAC1 yes up 10000
2/1/27 -- routed SFP+DAC1 yes up 10000
2/1/28 1 access SFP+DAC1 yes down Waiting for link --

Note: The last four ports all support SFP56 transceivers, but they may have different
transceivers connected. In this output, 2/1/25 to 2/1/28 are connected with 10G DAC cables.

6. Only the last four SFP56 ports support the VSF link. Try to add 1/1/24 as a VSF link. Notice the
warning of “not vsf capable” and choose “n” to not assign the interface to the VSF link.

TX-6300-A(config)# vsf member 1


TX-6300-A(vsf-member-1)# link 1 1/1/24
TX-6300-A(vsf-member-2)# link 1 1/1/24
Specified interface is not vsf capable.
Do you want to continue (y/n)? n

7. If the VSF stack is left with no master once the master reboots, all VSF members will reboot. To
reduce the number of required reboots, designate a secondary member on the master.
TX-6300-A(config)# vsf secondary-member 2
This will save the configuration and reboot the specified switch.
Do you want to continue (y/n)? y

Member 2 will reboot and change to standby. Once member 2 comes back from rebooting,
check the VSF status again.

TX-6300-A(config)# show vsf


MAC Address : f8:60:f0:03:5a:80
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : none
Mbr Mac Address type Status
ID
--- ------------------- -------------- ---------------
1 f8:60:f0:03:5a:80 JL668A Master
2 90:20:c2:24:50:80 JL659A Standby

8. We can understand how VSF members link each other by checking VSF topology. This
command shows an ASCII-art representation of the stack topology and interconnects, which
allows a user to quickly narrow down a failure point.

TX-6300-A# show vsf topology

9. Show detailed information about the specific member, including its memory and CPU utilization.

TX-6300-A# show vsf member 2


MAC Address : 90:20:c2:26:ec:c0
Type : JL661A
Model. : 6300M 48-port 1GbE Class4 PoEand 4-portSFP56 Switch
Status : Standby
ROM Version : FL.01.X1.0015-internal
Serial Number : SG9ZKN001L
Uptime : 11 minutes
CPU Utilization : 4%
Memory Utilization : 13%
VSF Link 1 : Down
VSF Link 2 : Up, connected to peer member 1, link 2


Lab 1.3: VSF Split detection

Objectives
In this lab, we will understand the VSF redundancy mechanism by simulating a VSF link failure.

Steps
Enable split detection on the master. Open the console of the master:

TX-6300-A(config)# vsf split-detect mgmt


TX-6300-A(config)# end
TX-6300-A# show vsf
MAC Address : 90:20:c2:25:7b:00
Secondary : 2
Topology : Chain
Status : No Split
Split Detection Method : mgmt
Mbr Mac Address type Status
ID
--- ------------------- -------------- ---------------
1 90:20:c2:25:7b:00 JL659A Master
2 90:20:c2:26:ec:c0 JL661A Standby

Check which VSF link is active.

TX-6300-A# show vsf link


VSF Member 1
Link Peer Peer
Link State Member Link Interfaces
---- ---------- ------- ------ ---------------------------
1 up 2 1 1/1/27

VSF Member 2
Link Peer Peer
Link State Member Link Interfaces
---- ---------- ------- ------ ---------------------------
1 up 1 1 2/1/27

Shut down the active VSF link to simulate the master going down.

TX-6300-A# conf t
TX-6300-A(config)# int 1/1/27
TX-6300-A(config-if-vsf)# shutdown
This may cause the stack to split.
Do you want to continue (y/n)? y

Check the VSF status on the switch (TX-6300-A). It shows that it is still the master and the
active fragment.
TX-6300-A# show vsf
MAC Address : 90:20:c2:25:7b:00
Secondary : 2
Topology : Standalone
Status : Active Fragment
Split Detection Method : mgmt

Mbr Mac Address type Status
ID
--- ------------------- -------------- ---------------
1 90:20:c2:25:7b:00 JL659A Master
2 JL661A In Other Fragment

Log in to the console of the standby. Note that the standby’s hostname is currently the
same as the master’s. Log in with admin/admin.
Note: do not connect through the management IP. Why?

standby:
TX-6300-A login: admin
Password: admin
sh vsfLast login: 2019-08-29 22:11:52 from 16.116.146.237
User "admin" has logged in 25 times in the past 30 days

Check the VSF status on the switch (TX-6300-B). It shows that it is a master, but in the inactive fragment.

TX-6300-A# show vsf


MAC Address : 90:20:c2:25:7b:00
Secondary : 2
Topology : Standalone
Status : Inactive Fragment
Split Detection Method : mgmt

Mbr Mac Address type Status


ID
--- ------------------- -------------- ---------------
1 JL659A In Other Fragment
2 90:20:c2:26:ec:c0 JL661A Master

Remember that the secondary fragment (Inactive fragment) will shut down all interfaces.
Check the interface status with show interface brief.

TX-6300-A# show interface brief


-------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed
VLAN (Mb/s)
-------------------------------------------------------------------------------------
2/1/1 1 access 1GbT yes down Disabled by VSF --
2/1/2 1 access 1GbT yes down Disabled by VSF --

2/1/24 1 access 1GbT yes down Disabled by VSF --
2/1/25 1 access SFP+DAC1 yes down Disabled by VSF --
2/1/26 1 access SFP+DAC1 yes down Disabled by VSF --
2/1/27 -- routed SFP+DAC1 yes down Waiting for link --
2/1/28 1 access SFP+DAC1 yes down Disabled by VSF --


Here you can see that all interfaces are shut down except the VSF link. The disabling reason is
“Disabled by feature” (shown as “Disabled by VSF” in the Reason column above).

Log in to the console of switch-1 (master) and recover the VSF link. Switch-2 will reboot and
become standby again.

TX-6300-A(config)# int 1/1/27


TX-6300-A(config-if)# no shutdown

Configure access VLAN X5 for Windows client.

On ACC-1
TX-6300-A(config)# vlan X5
TX-6300-A(config-vlan-1)# exit
TX-6300-A(config)# interface 1/1/1
TX-6300-A(config-if)# no routing
TX-6300-A(config-if)# vlan access X5

Configure Interface VLAN and default gateway in VRF default for testing
TX-6300-A# conf t
TX-6300-A(config)# int vlan X5
TX-6300-A(config-if-vlan)# ip address 10.1.X5.99/24
TX-6300-A(config-if-vlan)# exit
TX-6300-A(config)# ip route 0.0.0.0/0 10.1.X5.1
TX-6300-A(config)#

Save the configuration and save it to checkpoints as lab1-done-<student-name>.

On ACC-1(TX-6300-A)
TX-6300-A(config)# exit
TX-6300-A# write memory
Configuration changes will take time to process, please be patient.
TX-6300-A# copy running-config checkpoint Lab1-done-[student-name]
Configuration changes will take time to process, please be patient.

You have completed Lab 1!


Lab 2: Configuring VSX

Objectives
In this lab, you will configure VSX between switches TX-8325-A and TX-8325-B. You will begin by
setting up IP interfaces and VLANs. Next, you will configure VSX. With VSX, two switches can form a single
logical entity for the peer devices from a layer-2 perspective. This allows the creation of distributed link
aggregation (MC-LAG) while keeping each switch’s management and control plane independent.

Steps
1. Prepare base config.
2. Configure VSX ISL.
3. Configure VSX LAG
4. Configure VSX Keepalive
5. Configure VSX Active-Gateway
6. VSX redundancy
7. VSX split Brain

Task 1: Prepare the Base Configuration

Objectives
– Enable aggregation layer switch interfaces.
– Configure VLANs, IP Interfaces, Loopback interface.

Steps
1. Open a console connection to both TX-8325-A and TX-8325-B switches.

2. Verify your switch interfaces.

TX-8325-A(config)# show int brief


----------------------------------------------
Port Native Mode Type Enabled Status Reason Speed
VLAN (Mb/s)
----------------------------------------------------------------------------------
1/1/1 -- routed SFP+DAC1 yes up 10000
1/1/2 -- routed SFP+DAC1 yes up 10000
1/1/3 -- routed -- no down No XCVR installed --
1/1/4 -- routed -- no down No XCVR installed --
1/1/5 -- routed SFP-BT yes up 1000
<<<Output Omitted>>>
1/1/45 -- routed SFP28DAC3 yes up 25000
1/1/46 -- routed SFP28DAC3 yes up 25000
1/1/47 -- routed SFP28DAC3 yes up 25000
1/1/48 -- routed SFP28DAC3 yes up 25000

Note: The default configuration for all interfaces is for 25Gbps/40Gbps transceivers. Since
we will use 1Gbps and 10Gbps interfaces, you will need to convert the first port-group
(ports 1/1/1-1/1/12) to support those speeds.


3. Enable 10Gbps and 1Gbps support on your switch.

TX-8325-A(config)# system interface-group 1 speed 10g


Changing the group speed will disable all member interfaces that
do not match the new speed.
Continue (y/n)? y

Note: 48-port 8325 switches have four interface-groups; each group may support either
1/10Gbps or 25/40Gbps. Port distribution is as follows:
Group 1: 1/1/1-1/1/12
Group 2: 1/1/13-1/1/24
Group 3: 1/1/25-1/1/36
Group 4: 1/1/37-1/1/48

4. Shut down the interfaces that are not used in this training.


On AGG-1 (TX-8325-A)
TX-8325-A(config)# interface 1/1/7-1/1/8
TX-8325-A(config-if-<1/1/7-1/1/8>)# shutdown
TX-8325-A(config-if-<1/1/7-1/1/8>)# exit
TX-8325-A(config)# interface 1/1/25-1/1/26
TX-8325-A(config-if-<1/1/25-1/1/26>)# shutdown
TX-8325-A(config-if-<1/1/25-1/1/26>)# exit
TX-8325-A(config)# interface 1/1/45
TX-8325-A(config-if)# shutdown
TX-8325-A(config-if)# exit

On AGG-2 (TX-8325-B)
TX-8325-B(config)# interface 1/1/4
TX-8325-B(config-if)# shutdown
TX-8325-B(config-if)# exit
TX-8325-B(config)# interface 1/1/7-1/1/8
TX-8325-B(config-if-<1/1/7-1/1/8>)# shutdown
TX-8325-B(config-if-<1/1/7-1/1/8>)# exit
TX-8325-B(config)# interface 1/1/25-1/1/26
TX-8325-B(config-if-<1/1/25-1/1/26>)# shutdown
TX-8325-B(config-if-<1/1/25-1/1/26>)# exit
TX-8325-B(config)# interface 1/1/45
TX-8325-B(config-if)# shutdown
TX-8325-B(config-if)# exit

5. Configure LAG 10 for the ISL link.

AGG-1
TX-8325-A(config)# int lag 10
TX-8325-A(config-lag-if)# no routing
TX-8325-A(config-lag-if)# no shutdown
TX-8325-A(config-lag-if)# lacp mode active
TX-8325-A(config-lag-if)# lacp rate fast


TX-8325-A(config-lag-if)# vlan trunk allowed all


TX-8325-A(config-lag-if)# exit
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# lag 10
AGG-2
TX-8325-B(config)# interface lag 10
TX-8325-B(config-lag-if)# no shutdown
TX-8325-B(config-lag-if)# no routing
TX-8325-B(config-lag-if)# lacp mode active
TX-8325-B(config-lag-if)# lacp rate fast
TX-8325-B(config-lag-if)# vlan trunk allowed all
TX-8325-B(config-lag-if)# exit
TX-8325-B(config)# interface 1/1/46
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# lag 10

6. Save your configuration.

AGG-1
TX-8325-A(config)# exit
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint Lab2-task1-[student-name]
Configuration changes will take time to process, please be patient.
TX-8325-A#

AGG-2
TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint Lab2-task1-[student-name]
Configuration changes will take time to process, please be patient.
TX-8325-B#


Task 2: Configuring VSX ISL

Objectives
The purpose of this task is to configure AGG-1 and AGG-2 switches with the Inter-Switch Link (ISL).

Steps
1. Open a console connection to both TX-8325-A and TX-8325-B switches.
2. Configure the ISL. You will use LAG 10 for the ISL link. Verify that LAG 10 is functional
and that LACP is reporting peers on interface 1/1/46.

TX-8325-A# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
------------------------------------------------------------------------------
1/1/46 lag10 47 1 ASFNCD 90:20:c2:ba:e7:00 65534 10 up

Partner details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
------------------------------------------------------------------------------
1/1/46 lag10 47 1 ASFNCD 90:20:c2:bb:05:00 65534 10

3. Next, go to the VSX configuration mode and select LAG 10 as your ISL link. Set the VSX
system MAC to 00:00:00:AB:CD:XX (see the table below), and set the role of the AGG-1 switch to primary.

Table       Mac-Address
Table 1     00:00:00:AB:CD:01
Table 2     00:00:00:AB:CD:02
Table 3     00:00:00:AB:CD:03
Table 4     00:00:00:AB:CD:04
Table 5     00:00:00:AB:CD:05
Table 6     00:00:00:AB:CD:06
Table 7     00:00:00:AB:CD:07
Table 8     00:00:00:AB:CD:08
Table 9     00:00:00:AB:CD:09
Table 10    00:00:00:AB:CD:0A
Table 11    00:00:00:AB:CD:0B
Table 12    00:00:00:AB:CD:0C
Table 13    00:00:00:AB:CD:0D
Table 14    00:00:00:AB:CD:0E

TX-8325-A(config)# vsx
TX-8325-A(config-vsx)# system-mac 00:00:00:AB:CD:XX
TX-8325-A(config-vsx)# inter-switch-link lag 10
TX-8325-A(config-vsx)# role primary

4. Repeat the step above on AGG-2, but set the role as secondary.

TX-8325-B(config)# vsx
TX-8325-B(config-vsx)# system-mac 00:00:00:AB:CD:XX
TX-8325-B(config-vsx)# inter-switch-link lag 10
TX-8325-B(config-vsx)# role secondary

5. Check VSX brief output to verify roles and ISL state.

TX-8325-A(config-vsx)# show vsx brief


ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Init
Device Role : primary
Number of Multi-chassis LAG interfaces : 0

TX-8325-B(config-vsx)# show vsx brief


ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Init
Device Role : secondary
Number of Multi-chassis LAG interfaces : 0

6. Check VSX status output – note the platform information, software version, and
system-MAC.

TX-8325-A# show vsx status


VSX Operational State
---------------------
ISL channel : In-Sync
ISL mgmt channel : operational
Config Sync Status : in-sync
NAE : peer_reachable
HTTPS Server : peer_reachable
Attribute Local Peer
------------ -------- --------
ISL link lag10 lag10
ISL version 2 2
System MAC 00:00:00:ab:cd:01 00:00:00:ab:cd:01


Platform 8325 8325


Software Version GL.10.04.0001X GL.10.04.0001X
Device Role primary secondary

7. Review the configuration inter-switch-link settings from the AGG-1 switch. This provides
role and timer information of the ISL from the local switch and peer VSX switch.

Note: the option vsx-peer allows you to check the information from the other
VSX switch.

TX-8325-A# show vsx configuration inter-switch-link


Inter-Switch Link : lag10
Hello Interval : 1 Second
Dead Interval : 20 Seconds
Hold Time : 0 Seconds
Peer detect interval : 300 Seconds
System MAC : 00:00:00:ab:cd:01
Device Role : primary
Multichassis LAGs :

TX-8325-A# show vsx configuration inter-switch-link vsx-peer


Inter-Switch Link : lag10
Hello Interval : 1 Second
Dead Interval : 20 Seconds
Hold Time : 0 Seconds
Peer detect interval : 300 Seconds
System MAC : 00:00:00:ab:cd:01
Device Role : secondary
Multichassis LAGs :

8. Review the configuration consistency on both switches. This provides information about
the active code version of both switches and the configured VLAN list of the ISL.

TX-8325-A# show vsx config-consistency


Configurations Local Peer
------------------ ------ ------
Software Version GL.10.04.0001X GL.10.04.0001X
System MAC 00:00:00:ab:cd:01 00:00:00:ab:cd:01
System Profile Leaf Leaf
ISL hello interval 1 1
ISL dead interval 20 20
ISL hold interval 0 0
Keepalive hello interval 1 1
Keepalive dead interval 3 3
Keepalive UDP port 7678 7678

VSX VLAN List


-------------
Local ISL VLANs : 1
Peer ISL VLANs : 1

VSX Active Forwarding


---------------------
Interface VLANs : None
Peer Interface VLANs : None


STP Configurations Local Peer


------------------ ------ ------
STP Enabled No No
STP Mode mstp mstp
MST hello time(in seconds) 2 2
MST maximum age(in seconds) 20 20
MST maximum hops 20 20
MST Config Name 00:00:00:ab:cd:01 00:00:00:ab:cd:01
MST Config Revision - 0
MST Config Digest - -
MST number of instances 0 0

RPVST VLAN List:


----------------
Local:
Peer :


Task 3: VSX LAG

Objectives
Define a VSX LAG (MC-LAG) from the AGG-1 and AGG-2 switches to the VSF stack built in Lab 1.

Steps
1. Create VLAN X0-X5 and define a new interface LAG on AGG-1 and AGG-2

AGG-1 (TX-8325-A)
TX-8325-A# conf t
TX-8325-A(config)# vlan X0-X5
TX-8325-A(config-vlan-<X0-X5>)# exit
TX-8325-A(config)#
TX-8325-A(config)# int lag 12 multi-chassis
TX-8325-A(config-lag-if)# no routing
TX-8325-A(config-lag-if)# no shutdown
TX-8325-A(config-lag-if)# description To-VSF
TX-8325-A(config-lag-if)# vlan trunk allowed X0,X5
TX-8325-A(config-lag-if)# lacp mode active
TX-8325-A(config-lag-if)# lacp rate fast
TX-8325-A(config-lag-if)# int 1/1/1-1/1/2
TX-8325-A(config-if)# lag 12
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# end

2. Repeat these steps on AGG-2. Make sure to use the same LAG ID (12) and assign
interfaces 1/1/1 and 1/1/2.

AGG-2 (TX-8325-B)
TX-8325-B# conf t
TX-8325-B(config)# vlan X0-X5
TX-8325-B(config-vlan-<X0-X5>)# exit
TX-8325-B(config)#
TX-8325-B(config)# int lag 12 multi-chassis
TX-8325-B(config-lag-if)# no routing
TX-8325-B(config-lag-if)# no shutdown
TX-8325-B(config-lag-if)# description To-VSF
TX-8325-B(config-lag-if)# lacp mode active
TX-8325-B(config-lag-if)# lacp rate fast
TX-8325-B(config-lag-if)# vlan trunk allowed X0,X5
TX-8325-B(config-lag-if)# int 1/1/1-1/1/2
TX-8325-B(config-if)# lag 12
TX-8325-B(config-if)# no shutdown

3. Configure LACP on the access switch.

On ACC-1 (TX-6300-A)
TX-6300-A(config)# int lag 1
TX-6300-A(config-lag-if)# no shutdown
TX-6300-A(config-lag-if)# no routing
TX-6300-A(config-lag-if)# lacp mode active
TX-6300-A(config-lag-if)# lacp rate fast


TX-6300-A(config-lag-if)# vlan trunk allowed all


TX-6300-A(config-lag-if)# exit

TX-6300-A(config)#
TX-6300-A(config)# int 1/1/25-1/1/26,2/1/25-2/1/26
TX-6300-A(config-if-<1/1/25-1/1/26,2/1/25-2/1/26>)# no shutdown
TX-6300-A(config-if-<1/1/25-1/1/26,2/1/25-2/1/26>)# lag 1
TX-6300-A(config-if-<1/1/25-1/1/26,2/1/25-2/1/26>)# end

4. Check the LACP interface status.

TX-8325-A# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
------------------------------------------------------------------------------
1/1/46 lag10 47 1 ASFNCD 90:20:c2:ba:d8:00 65534 10 up
1/1/1 lag12(mc) 1 1 ASFNCD 00:00:00:ab:cd:01 65534 12 up
1/1/2 lag12(mc) 2 1 ASFNCD 00:00:00:ab:cd:01 65534 12 up

Partner details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
------------------------------------------------------------------------------
1/1/46 lag10 47 1 ASFNCD 90:20:c2:ba:e7:00 65534 10
1/1/1 lag12(mc) 114 1 ASFNCD 90:20:c2:25:7b:00 65534 1
1/1/2 lag12(mc) 50 1 ASFNCD 90:20:c2:25:7b:00 65534 1

TX-8325-A# show lacp interfaces vsx-peer

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
------------------------------------------------------------------------------
1/1/46 lag10 11 1 ASFNCD 90:20:c2:ba:e7:00 65534 10 up
1/1/1 lag12(mc) 1001 1 ASFNCD 00:00:00:ab:cd:01 65534 12 up
1/1/2 lag12(mc) 1002 1 ASFNCD 00:00:00:ab:cd:01 65534 12 up

Partner details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
------------------------------------------------------------------------------
1/1/46 lag10 11 1 ASFNCD 90:20:c2:ba:d8:00 65534 10
1/1/1 lag12(mc) 115 1 ASFNCD 90:20:c2:25:7b:00 65534 1
1/1/2 lag12(mc) 51 1 ASFNCD 90:20:c2:25:7b:00 65534 1

ACC-1

TX-6300-A# show lacp interfaces

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
------------------------------------------------------------------------------
1/1/49 lag1 50 1 ASFNCD 90:20:c2:25:7b:00 65534 1 up
1/1/50 lag1 51 1 ASFNCD 90:20:c2:25:7b:00 65534 1 up
2/1/49 lag1 114 1 ASFNCD 90:20:c2:25:7b:00 65534 1 up
2/1/50 lag1 115 1 ASFNCD 90:20:c2:25:7b:00 65534 1 up

Partner details of all interfaces:


------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
------------------------------------------------------------------------------
1/1/49 lag1 2 1 ASFNCD 00:00:00:ab:cd:01 65534 12
1/1/50 lag1 1002 1 ASFNCD 00:00:00:ab:cd:01 65534 12
2/1/49 lag1 1 1 ASFNCD 00:00:00:ab:cd:01 65534 12
2/1/50 lag1 1001 1 ASFNCD 00:00:00:ab:cd:01 65534 12

5. Check the more detailed output with the multi-chassis option, which will also show
information about the MCLAG member ports of the peer switch.

TX-8325-A# show lacp interfaces multi-chassis

State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state

Actor details of all interfaces:


------------------------------------------------------------------------------
Intf Aggregate Port Port State System-ID System Aggr
name id Priority Priority Key
------------------------------------------------------------------------------
1/1/1 lag12(mc) 1 1 ASFNCD 00:00:00:ab:cd:01 65534 12
1/1/2 lag12(mc) 2 1 ASFNCD 00:00:00:ab:cd:01 65534 12

Partner details of all interfaces:


------------------------------------------------------------------------------
Intf Aggregate Partner Port State System-ID System Aggr
name Port-id Priority Priority Key
------------------------------------------------------------------------------
1/1/1 lag12(mc) 114 1 ASFNCD 90:20:c2:25:7b:00 65534 1
1/1/2 lag12(mc) 50 1 ASFNCD 90:20:c2:25:7b:00 65534 1

Remote Actor details of all interfaces:


------------------------------------------------------------------------------
Intf Aggregate Port Port State System-ID System Aggr
name id Priority Priority Key
------------------------------------------------------------------------------
1/1/2 lag12(mc) 1002 1 ASFNCD 00:00:00:ab:cd:01 65534 12
1/1/1 lag12(mc) 1001 1 ASFNCD 00:00:00:ab:cd:01 65534 12

Remote Partner details of all interfaces:


------------------------------------------------------------------------------
Intf Aggregate Partner Port State System-ID System Aggr
name Port-id Priority Priority Key
------------------------------------------------------------------------------
1/1/2 lag12(mc) 51 1 ASFNCD 90:20:c2:25:7b:00 65534 1
1/1/1 lag12(mc) 115 1 ASFNCD 90:20:c2:25:7b:00 65534 1
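
The State column in the outputs above can be checked mechanically. The following added example (not part of the lab guide) decodes the flag letters using the printed legend and verifies that every member of a LAG is InSync, Collecting and Distributing and that all members report the same partner System-ID. The function names are assumptions; the sample rows are copied from the AGG-1 output in this task, plus one constructed faulty row.

```python
import re
from collections import defaultdict

# Legend printed at the top of "show lacp interfaces".
FLAGS = {
    "A": "Active", "P": "Passive", "F": "Aggregable", "I": "Individual",
    "S": "Short-timeout", "L": "Long-timeout", "N": "InSync", "O": "OutofSync",
    "C": "Collecting", "D": "Distributing",
    "X": "State m/c expired", "E": "Default neighbor state",
}
ROW = re.compile(r"^\d+/\d+/\d+\s")  # data rows start with member/slot/port

# Rows copied from the AGG-1 output shown in this task.
PARTNER_1_1_2 = "1/1/2   lag12(mc)  50    1     ASFNCD  90:20:c2:25:7b:00  65534  1"
SAMPLE = """\
Actor details of all interfaces:
Intf    Aggr       Port  Port  State   System-ID          System  Aggr  Forwarding
        Name       Id    Pri                              Pri     Key   State
1/1/46  lag10      47    1     ASFNCD  90:20:c2:ba:d8:00  65534   10    up
1/1/1   lag12(mc)  1     1     ASFNCD  00:00:00:ab:cd:01  65534   12    up
1/1/2   lag12(mc)  2     1     ASFNCD  00:00:00:ab:cd:01  65534   12    up

Partner details of all interfaces:
1/1/46  lag10      47    1     ASFNCD  90:20:c2:ba:e7:00  65534   10
1/1/1   lag12(mc)  114   1     ASFNCD  90:20:c2:25:7b:00  65534   1
""" + PARTNER_1_1_2 + "\n"

# Constructed fault: member 1/1/2 is out of sync and sees a different partner.
FAULTY = SAMPLE.replace(
    PARTNER_1_1_2,
    "1/1/2   lag12(mc)  50    1     ASFOE   02:00:00:00:00:99  65534  1")


def parse_lacp(text):
    """Return {section: [rows]} for each '<section> details of all interfaces:' table."""
    tables, section = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(.*) details of all interfaces:$", line)
        if m:
            section = m.group(1)  # Actor, Partner, Remote Actor, Remote Partner
        elif section and ROW.match(line):
            f = line.split()
            if len(f) < 8:        # incomplete row, e.g. a port with no LACP data
                continue
            tables[section].append({
                "intf": f[0], "lag": f[1], "port_id": int(f[2]),
                "state": f[4], "system_id": f[5].lower(), "key": int(f[7]),
            })
    return dict(tables)


def decode_state(state):
    """Expand a flag string such as ASFNCD into the legend's names."""
    return [FLAGS.get(ch, "unknown flag %r" % ch) for ch in state]


def check_lag(tables, lag):
    """Findings for one LAG from the local Actor and Partner tables."""
    findings, partner_ids, seen = [], set(), False
    for section in ("Actor", "Partner"):
        for row in tables.get(section, []):
            if row["lag"] != lag:
                continue
            seen = True
            missing = [FLAGS[c] for c in "NCD" if c not in row["state"]]
            if missing:
                findings.append("%s %s: not %s (state %s)" % (
                    section, row["intf"], ", ".join(missing), row["state"]))
            if section == "Partner":
                partner_ids.add(row["system_id"])
    if not seen:
        findings.append("%s: no member interfaces found" % lag)
    if len(partner_ids) > 1:
        findings.append("%s: members see different partners: %s" % (
            lag, ", ".join(sorted(partner_ids))))
    return findings


if __name__ == "__main__":
    for name, capture in (("lab output", SAMPLE), ("constructed fault", FAULTY)):
        print(name, check_lag(parse_lacp(capture), "lag12(mc)") or "OK")
```
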


Task 4: Configuring VSX Keepalive

Objectives
In this task, you will configure the VSX keepalive feature to defend VSX peers against a split-brain
scenario. A split-brain is the situation that occurs when the Inter-Switch Link (ISL) between the two core
switches completely disconnects, while the links to the peer devices are still online.
Because the two core switches cannot synchronize LACP states, MAC and ARP tables, and
configuration anymore, this leads to unpredictable traffic flows.
To handle this scenario, you can configure an additional keepalive between the two core switches.
When the ISL is down, and the two core switches can still reach each other over the peer keepalive,
they know there is an issue with the ISL. The low priority VSX member will disable all its ports.
This will effectively 'remove' that device from the network. (Even when it is technically still 'online,' it will
not be visible to any device as all its ports are disabled).
The result is that only one VSX member will be visible for the network, and that system will ensure that
the system learns all MAC addresses in a consistent way. The peer devices would simply think that one
port of their LAG (LACP) is down – the port that connects to the 'lost' member of the VSX peer.
The peer keep-alive feature is an IP-based exchange between the two core switches. To ensure that
this IP address does not interfere with any other active IP or subnet in the network, you should
configure a separate routing space (VRF), independent of the regular routing table.

Steps
1. Open a console connection to both AGG-1 and AGG-2 switches.
2. On AGG-1, configure a VRF for keepalive, bind interface 1/1/47 and assign IP address
10.1.X8.41/30.

TX-8325-A# conf t
TX-8325-A(config)# vrf keepalive
TX-8325-A(config-vrf)# int 1/1/47
TX-8325-A(config-if)# vrf attach keepalive
TX-8325-A(config-if)# ip address 10.1.X8.41/30
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)#

3. On AGG-2, configure a VRF for keepalive, bind interface 1/1/47 and assign IP address
10.1.X8.42/30.

TX-8325-B# conf t
TX-8325-B(config)# vrf keepalive
TX-8325-B(config-vrf)# int 1/1/47
TX-8325-B(config-if)# vrf attach keepalive
TX-8325-B(config-if)# ip address 10.1.X8.42/30
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)#

4. Test connectivity between AGG-1 and AGG-2 on vrf keepalive.

TX-8325-B# ping <10.1.X8.41> vrf keepalive


PING 10.1.18.41 (10.1.18.41) 100(128) bytes of data.
108 bytes from 10.1.18.41: icmp_seq=1 ttl=64 time=13.7 ms
108 bytes from 10.1.18.41: icmp_seq=2 ttl=64 time=0.181 ms
108 bytes from 10.1.18.41: icmp_seq=3 ttl=64 time=0.277 ms
108 bytes from 10.1.18.41: icmp_seq=4 ttl=64 time=0.171 ms


108 bytes from 10.1.18.41: icmp_seq=5 ttl=64 time=0.249 ms

--- 10.1.18.41 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 4087ms
rtt min/avg/max/mdev = 0.171/2.922/13.736/5.407 ms
TX-8325-B#

5. Configure VSX keepalive on AGG-1.

TX-8325-A(config)# vsx
TX-8325-A(config-vsx)# keepalive peer 10.1.X8.42 source 10.1.X8.41 vrf keepalive
TX-8325-A(config-vsx)# exit

6. Configure VSX keepalive on AGG-2.

TX-8325-B(config)# vsx
TX-8325-B(config-vsx)# keepalive peer 10.1.X8.41 source 10.1.X8.42 vrf keepalive
TX-8325-B(config-vsx)# exit

7. Review the VSX keepalive configuration.

TX-8325-A(config)# show vsx configuration keepalive


Keepalive Interface : 1/1/47
Keepalive VRF : keepalive
Source IP Address : 10.1.18.41
Peer IP Address : 10.1.18.42
UDP Port : 7678
Hello Interval : 1 Second
Dead Interval : 3 Seconds

TX-8325-A(config)# show vsx configuration keepalive vsx-peer


Keepalive Interface : 1/1/47
Keepalive VRF : keepalive
Source IP Address : 10.1.18.42
Peer IP Address : 10.1.18.41
UDP Port : 7678
Hello Interval : 1 Second
Dead Interval : 3 Seconds

8. Check VSX split recovery configuration.

TX-8325-A(config)# show vsx configuration split-recovery


Split Recovery Mode : Enabled

9. Review VSX brief, note keepalive state.

TX-8325-A(config)# show vsx brief


ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 1


10. Review the show vsx status keepalive and note the packets Tx and Rx.

TX-8325-A(config)# show vsx status keepalive


Keepalive State : Keepalive-Established
Last Established : Thu Oct 3 13:28:52 2019
Last Failed : Thu Oct 3 13:27:47 2019
Peer System Id : 00:00:00:ab:cd:01
Peer Device Role : secondary

Keepalive Counters
Keepalive Packets Tx : 220
Keepalive Packets Rx : 152
Keepalive Timeouts : 0
Keepalive Packets Dropped : 0
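
The states reviewed in steps 9 and 10 can be turned into an automated check. The following added example (not part of the lab guide) parses the `Key : value` lines of show vsx brief and show vsx status keepalive and reports when the keepalive that this task relies on for split-brain handling is not established or is losing packets. The function names are assumptions; the captures are copied from this guide's outputs, with one constructed degraded variant.

```python
import re

# Capture from Task 2, before the keepalive was configured.
BRIEF_TASK2 = """\
ISL State                              : In-Sync
Device State                           : Peer-Established
Keepalive State                        : Keepalive-Init
Device Role                            : primary
Number of Multi-chassis LAG interfaces : 0
"""
# Same capture once the keepalive is up, as in step 9 of this task.
BRIEF_TASK4 = BRIEF_TASK2.replace("Keepalive-Init", "Keepalive-Established")

KEEPALIVE_STATUS = """\
Keepalive State           : Keepalive-Established
Last Established          : Thu Oct 3 13:28:52 2019
Last Failed               : Thu Oct 3 13:27:47 2019
Peer System Id            : 00:00:00:ab:cd:01
Peer Device Role          : secondary

Keepalive Counters
Keepalive Packets Tx      : 220
Keepalive Packets Rx      : 152
Keepalive Timeouts        : 0
Keepalive Packets Dropped : 0
"""
# Constructed variant: timeouts have been counted on the keepalive link.
KEEPALIVE_DEGRADED = re.sub(r"(Keepalive Timeouts\s+:\s+)0", r"\g<1>7",
                            KEEPALIVE_STATUS)

# Healthy values as shown in this lab's outputs.
EXPECTED = {
    "ISL State": "In-Sync",
    "Device State": "Peer-Established",
    "Keepalive State": "Keepalive-Established",
}


def parse_kv(text):
    """Parse 'Key : value' lines. Only the first ' : ' separates key and value,
    so timestamps and MAC addresses (which contain colons) stay intact."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s+:\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def vsx_findings(brief_text, keepalive_text=""):
    """Return a list of findings; an empty list means nothing was flagged."""
    brief, ka = parse_kv(brief_text), parse_kv(keepalive_text)
    findings = []
    for field, want in EXPECTED.items():
        got = brief.get(field, "<missing>")
        if got != want:
            findings.append("%s is %s, expected %s" % (field, got, want))
    for counter in ("Keepalive Timeouts", "Keepalive Packets Dropped"):
        value = ka.get(counter, "0")
        if not value.isdigit() or int(value) > 0:
            findings.append("%s = %s" % (counter, value))
    # Only meaningful when a keepalive status capture was supplied.
    if ka and ka.get("Keepalive Packets Rx", "0") == "0":
        findings.append("no keepalive packets received from the peer")
    return findings


if __name__ == "__main__":
    print(vsx_findings(BRIEF_TASK2))
    print(vsx_findings(BRIEF_TASK4, KEEPALIVE_STATUS))
    print(vsx_findings(BRIEF_TASK4, KEEPALIVE_DEGRADED))
```
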


Task 5: Configuring VSX Active-Gateway

Objectives
In this task, you will configure the active-gateway function. This feature allows the configuration of the
same IP address with the same MAC address on the two core switches.
The result is a configuration where both core switches can actively participate in the layer 3 routing
process, as opposed to VRRP, where only one core switch can act as the router for a subnet.
You would typically configure this feature in combination with the VSX LAG feature that provides
active-active layer 2 functionality.
The active-gateway feature is not a protocol since the core switches do not exchange keepalive or
other control. The administrator simply configures the same IP and the same MAC on both core
switches. The core switch that receives the ARP request first will respond to the request and perform
the layer 3 routing.
The actual decision as to which core switch performs the routing will be the result of the layer 2 LAG
(LACP) traffic distribution that the connected peer switches perform over the VSX LAG. It can be
different for different sets of hosts depending on the hashing decision.

Steps
Open a console connection to both AGG-1 and AGG-2 switches.
Configure active-gateway on AGG-1:
a. Enable the L3 counters (not required for the active-gateway feature, but will provide
L3 statistics on the VLAN interface).
b. Use the VIP address and the virtual MAC provided below. Remember, the network
should not use the range/MAC, and you must configure the same VIP/vMAC on both
switches.

VLAN       Subnet          Active-Gateway   vMAC
VLAN X0    10.1.X0.0/24    10.1.X0.1        00:00:00:00:10:FE
VLAN X3    10.1.X3.0/24    10.1.X3.1        00:00:00:00:13:FE
VLAN X4    10.1.X4.0/24    10.1.X4.1        00:00:00:00:14:FE
VLAN X5    10.1.X5.0/24    10.1.X5.1        00:00:00:00:15:FE


TX-8325-A(config)# int vlan X0


TX-8325-A(config-if-vlan)# ip add 10.1.X0.2/24
TX-8325-A(config-if-vlan)# l3-counters
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.X0.1 mac 00:00:00:00:10:FE
TX-8325-A(config-if-vlan)# no shutdown

TX-8325-A(config)# int vlan X3


TX-8325-A(config-if-vlan)# ip add 10.1.X3.2/24
TX-8325-A(config-if-vlan)# l3-counters
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.X3.1 mac 00:00:00:00:13:FE
TX-8325-A(config-if-vlan)# no shutdown

TX-8325-A(config)# int vlan X4


TX-8325-A(config-if-vlan)# ip add 10.1.X4.2/24
TX-8325-A(config-if-vlan)# l3-counters
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.X4.1 mac 00:00:00:00:14:FE
TX-8325-A(config-if-vlan)# no shutdown

TX-8325-A(config-if-vlan)# int vlan X5


TX-8325-A(config-if-vlan)# ip add 10.1.X5.2/24
TX-8325-A(config-if-vlan)# l3-counters
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.X5.1 mac 00:00:00:00:15:FE
TX-8325-A(config-if-vlan)# no shutdown

Configure active-gateway on AGG-2.

TX-8325-B(config)# int vlan X0


TX-8325-B(config-if-vlan)# ip add 10.1.X0.3/24
TX-8325-B(config-if-vlan)# l3-counters
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.X0.1 mac 00:00:00:00:10:FE
TX-8325-B(config-if-vlan)# no shutdown

TX-8325-B(config)# int vlan X3


TX-8325-B(config-if-vlan)# ip add 10.1.X3.3/24
TX-8325-B(config-if-vlan)# l3-counters
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.X3.1 mac 00:00:00:00:13:FE
TX-8325-B(config-if-vlan)# no shutdown

TX-8325-B(config)# int vlan X4


TX-8325-B(config-if-vlan)# ip add 10.1.X4.3/24
TX-8325-B(config-if-vlan)# l3-counters
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.X4.1 mac 00:00:00:00:14:FE
TX-8325-B(config-if-vlan)# no shutdown

TX-8325-B(config-if-vlan)# int vlan X5


TX-8325-B(config-if-vlan)# ip add 10.1.X5.3/24
TX-8325-B(config-if-vlan)# l3-counters
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.X5.1 mac 00:00:00:00:15:FE
TX-8325-B(config-if-vlan)# no shutdown

Review active-gateway on the VLAN interface.

AGG-1 (TX-8325-A)
TX-8325-A# show interface vlanX5

Interface vlan15 is up
Admin state is up
Link transitions: 0


Description:
Hardware: Ethernet, MAC Address: 90:20:c2:ba:e7:00
IPv4 address 10.1.15.2/24
active-gateway ip mac 00:00:00:00:15:fe
active-gateway ip 10.1.15.1
Rx
L3:
1 packets, 68 bytes
Tx
L3:
0 packets, 0 bytes

AGG-2 (TX-8325-B)
TX-8325-B# show interface vlanX5

Interface vlan15 is up
Admin state is up
Link transitions: 0
Description:
Hardware: Ethernet, MAC Address: 90:20:c2:bb:05:00
IPv4 address 10.1.15.3/24
active-gateway ip mac 00:00:00:00:15:fe
active-gateway ip 10.1.15.1
Rx
L3:
12 packets, 1636 bytes
Tx
L3:
0 packets, 0 bytes
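
Because active-gateway has no protocol between the switches, nothing on the wire tells you that the two sides were configured differently. The following added example (not part of the lab guide) compares the active-gateway settings of both switches per VLAN: same VIP, same vMAC, VIP inside the VLAN interface's subnet, and distinct interface addresses. The function names are assumptions and the configurations are constructed from this task's commands with X = 1.

```python
import ipaddress
import re

# Constructed from this task's commands with X = 1. VLAN 10 uses the one-line
# command form; VLAN 15 uses the two-line form printed by "show interface".
AGG1 = """\
interface vlan 10
    ip address 10.1.10.2/24
    active-gateway ip 10.1.10.1 mac 00:00:00:00:10:FE
interface vlan 15
    ip address 10.1.15.2/24
    active-gateway ip mac 00:00:00:00:15:fe
    active-gateway ip 10.1.15.1
"""
AGG2_GOOD = AGG1.replace(".2/24", ".3/24")
# Constructed fault: transposed octet in the VIP and the vMAC of another VLAN.
AGG2_BAD = (AGG2_GOOD.replace("ip 10.1.15.1", "ip 10.1.51.1")
            .replace("00:00:00:00:15:fe", "00:00:00:00:14:fe"))

GATEWAY = re.compile(
    r"^active-gateway ip(?: (\d[\d.]*))?(?: mac ([0-9A-Fa-f:]{17}))?$")


def parse_gateways(config):
    """Return {vlan_id: {"addr": IPv4Interface, "vip": IPv4Address, "vmac": str}}."""
    vlans, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^int(?:erface)?\s+(.*)$", line)
        if m:
            # Only VLAN interfaces are tracked; any other interface ends the block.
            v = re.match(r"^vlan\s*(\d+)$", m.group(1))
            cur = vlans.setdefault(int(v.group(1)), {}) if v else None
            continue
        if cur is None:
            continue
        m = re.match(r"^ip add(?:ress)? (\S+)$", line)
        if m:
            cur["addr"] = ipaddress.ip_interface(m.group(1))
            continue
        m = GATEWAY.match(line)
        if m:
            if m.group(1):
                cur["vip"] = ipaddress.ip_address(m.group(1))
            if m.group(2):
                cur["vmac"] = m.group(2).lower()  # MAC case is not significant
    return vlans


def check_pair(cfg_a, cfg_b):
    """Compare two switch configurations; return a list of findings."""
    a, b = parse_gateways(cfg_a), parse_gateways(cfg_b)
    findings = []
    for vlan in sorted(set(a) | set(b)):
        ga, gb = a.get(vlan, {}), b.get(vlan, {})
        if "vip" not in ga and "vip" not in gb:
            continue  # no active gateway on this VLAN
        for key in ("vip", "vmac"):
            if ga.get(key) != gb.get(key):
                findings.append("vlan %d: %s differs (%s vs %s)" % (
                    vlan, key, ga.get(key), gb.get(key)))
        for name, g in (("A", ga), ("B", gb)):
            addr, vip = g.get("addr"), g.get("vip")
            if addr is not None and vip is not None and vip not in addr.network:
                findings.append("vlan %d: VIP %s on switch %s is outside %s" % (
                    vlan, vip, name, addr.network))
        if "addr" in ga and "addr" in gb and ga["addr"].ip == gb["addr"].ip:
            findings.append("vlan %d: both switches use interface address %s" % (
                vlan, ga["addr"].ip))
    return findings


if __name__ == "__main__":
    print(check_pair(AGG1, AGG2_GOOD) or "consistent")
    for finding in check_pair(AGG1, AGG2_BAD):
        print(finding)
```
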

Verify the operation

Before starting, run a continuous ping to the gateway from the ACC-1 switch.

ACC-1 (TX-6300-A)

TX-6300-A# ping 10.1.X5.1 repetitions 2000

a. Disable interface vlan X5 on switch AGG-1

TX-8325-A(config)# int vlan <X5>


TX-8325-A(config-if-vlan)# shutdown
Warning: Active gateway is configured on this interface vlan15.
Shutting down the interface may result in traffic loss.

TX-8325-A# sh ip int brief


Interface IP Address Interface Status
link/admin
vlanX0 10.1.X0.2/24 up/up

vlanX3 10.1.X3.2/24 up/up

vlanX4 10.1.X4.2/24 up/up

vlanX5 10.1.X5.2/24 down/down


b. Verify that ACC-1 (6300-A) can still reach active-gateway IP.


c. Enable VLAN interface X5 on AGG-1.
AGG-1

TX-8325-A(config-if-vlan)# int vlan <X5>


TX-8325-A(config-if-vlan)# no shutdown

AGG-2
TX-8325-B(config)# int vlan X5
TX-8325-B(config-if-vlan)# shutdown

d. Verify that ACC-A can still reach the active-gateway IP, stop the continuous ping, and ensure
there is no packet loss. This confirms that both AGG-1 and AGG-2 handle the active-gateway
IP. There is no heartbeat as in the VRRP protocol, since the active-gateway IP is active (as the
name suggests) on both switches. This is different from VRRP, where only one host actively
hosts the VRRP IP address.

e. Enable VLAN interface X5 on AGG-2.

TX-8325-B(config)# int vlan X5
TX-8325-B(config-if-vlan)# no shutdown

Save your configuration

AGG-1
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint lab2-task5-[student-name]
Configuration changes will take time to process, please be patient.

AGG-2
TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint lab2-task5-[student-name]
Configuration changes will take time to process, please be patient.


Task 6: VSX Redundancy

Objectives
– Add MCLAG11 to the mobility controller
– Simulate a failure on the VSX primary switch.
– Monitor communications and VSX during the outage.

Steps
Open a console connection to both AGG-1 and AGG-2 switches.
Add MCLAG11 to the mobility controller
On AGG-1
TX-8325-A(config)# int lag 11 multi-chassis
TX-8325-A(config-lag-if)# no routing
TX-8325-A(config-lag-if)# no shutdown
TX-8325-A(config-lag-if)# vlan trunk allowed all
TX-8325-A(config-lag-if)# lacp mode active
TX-8325-A(config-lag-if)# lacp rate fast
TX-8325-A(config-lag-if)# int 1/1/5
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# lag 11

On AGG-2
TX-8325-B(config)# int lag 11 multi-chassis
TX-8325-B(config-lag-if)# no shutdown
TX-8325-B(config-lag-if)# no routing
TX-8325-B(config-lag-if)# vlan trunk allowed all
TX-8325-B(config-lag-if)# lacp mo active
TX-8325-B(config-lag-if)# lacp rate fast
TX-8325-B(config-lag-if)# int 1/1/5
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# lag 11

Note: LACP should already be configured on the MC. If it is not, use the configuration
below to set it up again:

vlan X3
interface gigabitethernet 0/0/1
    description "GE0/0/1"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    lacp group 1 mode active
    lacp timeout short
interface gigabitethernet 0/0/2
    description "GE0/0/2"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    lacp group 1 mode active
    lacp timeout short

interface port-channel 1
    switchport mode trunk
    switchport trunk allow vlan all
    trusted
write memory

Check VSX brief and VSX status.

AGG-1

TX-8325-A# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2

TX-8325-A# show vsx status
VSX Operational State
---------------------
ISL channel : In-Sync
ISL mgmt channel : operational
Config Sync Status : in-sync
NAE : peer_reachable
HTTPS Server : peer_reachable

Attribute           Local               Peer
------------        --------            --------
ISL link            lag10               lag10
ISL version         2                   2
System MAC          00:00:00:ab:cd:01   00:00:00:ab:cd:01
Platform            8325                8325
Software Version    GL.10.04.0001P      GL.10.04.0001P
Device Role         primary             secondary

AGG-2
TX-8325-B# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2

TX-8325-B# show vsx status
VSX Operational State
---------------------
ISL channel : In-Sync
ISL mgmt channel : operational
Config Sync Status : in-sync
NAE : peer_reachable
HTTPS Server : peer_reachable

Attribute           Local               Peer
------------        --------            --------
ISL link            lag10               lag10
ISL version         2                   2
System MAC          00:00:00:ab:cd:01   00:00:00:ab:cd:01
Platform            8325                8325
Software Version    GL.10.04.0001P      GL.10.04.0001P
Device Role         secondary           primary

Start a continuous ping to 10.1.X4.100(MC) from ACC-1(TX-6300-A).

TX-6300-A# ping 10.1.X4.100 repetitions 2000

Reboot your primary VSX switch AGG-1.

AGG-1
TX-8325-A# write memory
TX-8325-A# boot system
Checking for updates needed to programmable devices...
Done checking for updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y
The system is going down for reboot.
reboot: Restarting system

During AGG-1 reboot, check the VSX brief on your AGG-2 switch.
TX-8325-B# show vsx brief
ISL State : Out-Of-Sync
Device State : Split-System-Primary
Keepalive State : Keepalive-Failed
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2

Wait for AGG-1 to finish the reboot and check the VSX brief and VSX status.
TX-8325-A# show vsx brief
ISL State : In-Sync
Device State : Sync-Secondary-Linkup-Delay
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2

Note: After a VSX switch reboots, it has no entries for ARP, MAC, and routes. If downstream
VSX LAG ports activate before the switch relearns all this information, traffic drops. To avoid a
traffic drop, VSX LAGs on the rebooted switch stay down until the restoration of LACP, MAC,
ARP databases, and MSTP states, if it uses MSTP. The learning process for the VSX LAGs
has two phases:
• Initial sync phase: The LACP states, MAC address table, ARP table, and potentially MSTP
states download from the forwarding switch to the freshly-rebooted switch.
• Link-up delay phase: The system installs downloaded entries into the ASIC and establishes
router adjacencies with core nodes and learned upstream routes. You can configure the
link-up delay phase with the linkup-delay-timer <DELAY-TIMER> command. The default value is
180 seconds. Set the link-up delay timer to the maximum value of 600 seconds for a network
with many MAC addresses, a large ARP table, or a large routing table.

Task 7: VSX Split-Brain

Objectives
During this task, you will simulate failures on both the ISL and keepalive links between your
VSX pair. You will also monitor VSX behavior during those failures.
You will begin by disabling the keepalive interface on your AGG-1 switch and then re-
enabling the keepalive interface and disabling the ISL link, simulating a split-brain scenario.

Steps
Open a console connection to both AGG-1 and AGG-2 switches.
Check your VSX brief and VRF Keepalive information and ensure VSX is working properly.

AGG-1
TX-8325-A# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 1

TX-8325-A# show vrf keepalive
VRF Configuration:
------------------
VRF Name : keepalive
Interfaces Status
-----------------------------
1/1/47 up

Disable the keepalive interface on the AGG-1 switch.

TX-8325-A(config)# int 1/1/47
TX-8325-A(config-if)# shutdown
TX-8325-A(config-if)# end

Test connectivity to 10.1.X4.100 from TX-6300-A; it should succeed.

Check VSX status.
TX-8325-A# show vsx status
VSX Operational State
---------------------
ISL channel : In-Sync
ISL mgmt channel : operational
Config Sync Status : in-sync
NAE : peer_reachable
HTTPS Server : peer_reachable

Attribute           Local               Peer
------------        --------            --------
ISL link            lag10               lag10
ISL version         2                   2
System MAC          00:00:00:ab:cd:01   00:00:00:ab:cd:01
Platform            8325                8325
Software Version    GL.10.04.0001P      GL.10.04.0001P
Device Role         primary             secondary

Check the VSX brief.


TX-8325-A# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Failed
Device Role : primary
Number of Multi-chassis LAG interfaces : 2
TX-8325-A#

Note: A keepalive failure will not affect your VSX functionality. When this occurs, VSX
is still working, but, in case of failure of ISL (inter-switch link), split-brain may occur,
which would then cause unpredictable traffic flows.

Re-enable your keepalive interface and check your VSX brief information.

TX-8325-A(config)# int 1/1/47
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# show vsx brief
ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2
TX-8325-A(config-if)#

You will now simulate an ISL failure by disabling interface 1/1/46 on switch AGG-1.
TX-8325-A(config)# int 1/1/46
TX-8325-A(config-if-1/1/46)# shutdown
TX-8325-A(config-if-1/1/46)# exit
TX-8325-A(config)#

Check your VSX brief.

TX-8325-A(config)# show vsx brief


ISL State : Out-Of-Sync
Device State : Split-System-Primary
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2

Check your MC-LAG.

TX-8325-A(config)# show lacp interfaces

State abbreviations :
A - Active        P - Passive      F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync     O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired              E - Default neighbor state

Actor details of all interfaces:
------------------------------------------------------------------------------
Intf    Aggr       Port  Port  State   System-ID          System Aggr Forwarding
        Name       Id    Pri                              Pri    Key  State
------------------------------------------------------------------------------
1/1/46  lag10                                                         down
1/1/3   lag11(mc)  5     1     ASFNCD  00:00:00:ab:cd:01  65534  11   up
1/1/1   lag12(mc)  1     1     ASFNCD  00:00:00:ab:cd:01  65534  12   up
1/1/2   lag12(mc)  2     1     ASFNCD  00:00:00:ab:cd:01  65534  12   up

Partner details of all interfaces:
------------------------------------------------------------------------------
Intf    Aggr       Port  Port  State   System-ID          System Aggr
        Name       Id    Pri                              Pri    Key
------------------------------------------------------------------------------
1/1/46  lag10
1/1/3   lag11(mc)  3     255   ALFNCD  00:1a:1e:02:bc:90  1      2
1/1/1   lag12(mc)  114   1     ASFNCD  90:20:c2:25:7b:00  65534  1
1/1/2   lag12(mc)  50    1     ASFNCD  90:20:c2:25:7b:00  65534  1

Look at the interface brief information to find the reason that interface 1/1/1 is down.
AGG-2
TX-8325-B# show int brief
-------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed
VLAN (Mb/s)
-------------------------------------------------------------------------------------
1/1/1 1 trunk SFP+DAC1 yes down Disabled by VSX --
1/1/2 1 trunk SFP+DAC1 yes down Disabled by VSX --
1/1/3 -- routed -- no down No XCVR installed --
1/1/4 -- routed -- no down No XCVR installed --
1/1/5 -- routed -- no down No XCVR installed --

Keepalive response in ISL failure scenarios


• ISL link is down, but the switches are still up and running. In this case, VSX switches
use their keepalive connection to determine that they are both running. Once they determine
that, the user-configured primary VSX switch keeps its multi-chassis (VSX) LAG links up, and
the secondary VSX switch forces its VSX LAG links to go down with the appropriate reason.
Once the ISL link is up, the MAC and ARP tables of the primary switch synchronize to the
secondary switch. Then, the configured delay timer starts. Once the delay timer expires, the
secondary VSX switch brings up its VSX LAG links.
• ISL link and one of the VSX switches are down. The running switch sees that the ISL and
keepalive connections are both down. Independent of the user-configured role (primary or
secondary), the switch that is up continues to keep its VSX LAG links up. Subsequently,
when the peer switch returns, the ISL link comes up first. Then, the returned VSX peer switch
synchronizes its MAC and ARP tables from the peer switch that stayed up. After the
synchronization completes, the delay timer starts. Once the delay timer expires, the VSX peer
switch brings up its VSX LAG links.
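The keepalive and ISL rules described above can be applied directly to `show vsx brief` output when monitoring a VSX pair. The following Python sketch is an added example, not part of the lab guide or of AOS-CX; the function names and the severity labels are assumptions, and the sample outputs are the ones shown in this lab except the one marked as constructed.

```python
from collections import namedtuple

# severity: ok / info / warning / critical; vsx_lags: expected state of this
# switch's VSX LAG links according to the rules in the lab text.
Assessment = namedtuple("Assessment", "severity vsx_lags reason")

_FIELDS = {"ISL State": "isl", "Device State": "device",
           "Keepalive State": "keepalive", "Device Role": "role"}

def parse_vsx_brief(text):
    """Extract the 'Name : value' fields of `show vsx brief` into a dict."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep and name.strip() in _FIELDS:
            state[_FIELDS[name.strip()]] = value.strip()
    missing = sorted(set(_FIELDS.values()) - set(state))
    if missing:
        raise ValueError("fields missing from output: " + ", ".join(missing))
    return state

def assess(state):
    """Map ISL/keepalive/role to the behaviour the lab describes."""
    isl_up = state["isl"] == "In-Sync"
    keepalive_up = state["keepalive"] == "Keepalive-Established"
    if isl_up and "Linkup-Delay" in state["device"]:
        return Assessment("info", "pending",
                          "resync after reboot: VSX LAGs on the rejoining switch "
                          "stay down until the link-up delay timer expires")
    if isl_up and keepalive_up:
        return Assessment("ok", "up", "ISL and keepalive are both established")
    if isl_up:
        return Assessment("warning", "up",
                          "keepalive failed: VSX still works, but an ISL failure "
                          "now could cause split-brain")
    if keepalive_up:
        # Both switches are running; only the ISL is down.
        lags = "up" if state["role"] == "primary" else "down"
        return Assessment("critical", lags,
                          "ISL down, peer alive: primary keeps its VSX LAGs up, "
                          "secondary forces them down")
    return Assessment("critical", "up",
                      "ISL and keepalive both down: peer treated as down, this "
                      "switch keeps its VSX LAGs up regardless of role")

SAMPLES = {
    "healthy": """ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2""",
    "keepalive_failed": """ISL State : In-Sync
Device State : Peer-Established
Keepalive State : Keepalive-Failed
Device Role : primary
Number of Multi-chassis LAG interfaces : 2""",
    "isl_down_primary": """ISL State : Out-Of-Sync
Device State : Split-System-Primary
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2""",
    # Constructed: the same ISL failure as seen from the secondary switch.
    "isl_down_secondary": """ISL State : Out-Of-Sync
Device State : Split-System-Primary
Keepalive State : Keepalive-Established
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2""",
    "peer_rebooting": """ISL State : Out-Of-Sync
Device State : Split-System-Primary
Keepalive State : Keepalive-Failed
Device Role : secondary
Number of Multi-chassis LAG interfaces : 2""",
    "linkup_delay": """ISL State : In-Sync
Device State : Sync-Secondary-Linkup-Delay
Keepalive State : Keepalive-Established
Device Role : primary
Number of Multi-chassis LAG interfaces : 2""",
}

def assess_all(samples=SAMPLES):
    """Assess every sample; returns {name: Assessment}."""
    return {name: assess(parse_vsx_brief(text)) for name, text in samples.items()}

if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{name:20} {result.severity:9} lags={result.vsx_lags:8} {result.reason}")
```

The "warning" case is the one worth alerting on early: forwarding is unaffected, so a failed keepalive is easy to miss until the ISL also fails.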

Re-enable interface 1/1/46 on switch AGG-1 (TX-8325-A).

TX-8325-A(config)# int 1/1/46
TX-8325-A(config-if-1/1/46)# no shutdown

Wait for the linkup-delay timer and check your VSX brief information and status.

TX-8325-A(config)# show vsx brief


TX-8325-A(config)# show vsx status

Save your configuration.


AGG-1
TX-8325-A(config)# exit
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint Lab2-done-[student-name]
Configuration changes will take time to process, please be patient.

AGG-2
TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint Lab2-done-[student-name]
Configuration changes will take time to process, please be patient.

You have completed Lab 2!


Lab 3: Configuring OSPF Routing Protocol with NetEdit


Objectives
In this lab, you will use Aruba NetEdit to manage your switch configurations and configure
LACP, OSPF, loopback interfaces, etc., while using NetEdit to ensure that your configuration
passes the conformance validation tests.

Task 1: NetEdit Users and Password

Objectives
– Create a new user and password for NetEdit

Steps
Open an RDP connection to Windows10 Client.
Navigate to Control Panel → Network and Internet → Network and Sharing
Center → Change adapter settings
Disable the LabNIC adapter and make sure OOBM is enabled.

Open a browser (Google Chrome or Firefox) and go to https://10.251.X.200 (accept the
unknown certificate and continue to open the page). The NetEdit login page should
appear:

Login using username “admin” and no password. You will be required to change the
password when you log in to NetEdit for the first time. Change the password to
‘password’ and click OK.


Create an additional admin user. On the left menu, select the sixth option from the
top and go to the Users page. Note by default there is only one user account:
admin.

Next, go to the Action menu (top-right) and select Add

Enter the username ‘neadmin’ and Role “ADMIN”, then click ADD USER.


IMPORTANT: Once the user is added successfully, a pop-up window shows
a temporary password for the new user. You need to copy this password.

The new user uses the temporary password for the first login; a change-password
pop-up then appears.

To try this, log out from the top right corner: select the
admin icon to get the logout option, then log in again as the new user (neadmin) with
the temporary password. Then change the password to ‘password’.
Now log out as the ‘neadmin’ user and log back in using the admin account.

To access the HELP menu, select the “?” in the top right corner and then
select Documentation.


Task 2: Import and manage devices

Objectives
– Import AGG and Core switches into NetEdit
– Assign attributes to your switches

Steps
Open an RDP connection to Windows10 Client.
Navigate to Control Panel → Network and Internet → Network and Sharing
Center → Change adapter settings
Disable the LabNIC adapter and make sure OOBM is enabled.

Open a browser (Google Chrome or Firefox), go to https://10.251.X.200, and log in to
NetEdit using “neadmin/password”.
On the left menu, select Devices, the third option from the top.

Go to Action (top right corner) and select “Discover Devices”.


a. Enter 10.251.X.0/24 in the field of Subnet:


b. Click 2 times on Add Credentials (next to Subnet field).


c. On Credentials Name enter admin.

d. Expand REST-required for ArubaOS-CX devices.


e. Enter admin for Username and Password.


f. Now expand SSH-required for Change Validation.


g. Enter admin for Username and Password.
h. Click CREATE.


i. Scroll down, under the Seed Addresses section, click on the “+” sign.

j. Assign “10.251.X.3” as a seed IP address, then click on ADD.

k. Check Seed Addresses box.

l. Click DISCOVER.


m. Wait a few seconds; the AGG, ACC1 and CORE switches are then shown as
discovered.

n. Create an attribute to be added to your new switches. On the left menu,
select Settings; on the Settings page, select Attributes and add a new
attribute with the ‘+’ sign.

• Name: AGG-SWITCHES
• Type: TEXT
• Default value: AGG
• Click CREATE

Using the left menu, go to the Devices page, click the Action menu, select the
TX-8325-A and TX-8325-B devices, then select Edit Attributes.

Select attribute name “AGG-SWITCHES” and value “AGG”, then select “SAVE”.

On the Devices list, select the IP address of the TX-8325-A to go to its details page,
verify the attribute you just applied.


Search for devices by the new attribute. Enter the attribute name AGG-SWITCHES and
value AGG in the search box. Only the two aggregation devices are then
listed.

Task 3: Create a configuration plan for AGG and Core switches

Objectives
– Create a configuration plan
– Configure OSPF on the AGG switches using NetEdit.

Steps
Open an RDP connection to Windows10 Client.
Navigate to Control Panel → Network and Internet → Network and Sharing Center →
Change adapter settings
Disable the LabNIC adapter and make sure OOBM is enabled.

Open a browser (Google Chrome or Firefox), go to https://10.251.X.200, and log in to
NetEdit using “admin/password”.
Go to the Devices page by using the left menu.
Create a configuration plan by checking the boxes of your AGG switches (TX-8325-A, TX-8325-B)
and then selecting Action → Edit Config.

Enter “Deploy OSPF on AGG” as the plan name and add a description, then click
CREATE.

Copy the configuration below to the bottom of the script. Change the “X” to your real table
number.
Note: Make sure the sub-commands are indented with spaces. The IP addresses and LAG
numbers for the interfaces (highlighted) vary per device.

router ospf 1
    area 0
interface loopback 0
    ip address 10.1.X7.1/32
    ip ospf 1 area 0
interface vlanX5
    ip ospf 1 area 0
interface vlanX3
    ip ospf 1 area 0
interface lag 2
    ip address 10.1.X8.33/30
    lacp mode active
    lacp rate fast
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
    no shutdown
    exit
interface 1/1/48
    no shutdown
    lag 2
    exit
interface lag 3
    ip address 10.1.X8.37/30
    lacp mode active
    lacp rate fast
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point
    no shutdown
interface vlan X0
    ip helper-address 10.253.1.254
interface vlan X1
    ip helper-address 10.253.1.21
interface vlan X2
    ip helper-address 10.253.1.21
interface vlan X3
    ip helper-address 10.253.1.21
interface vlan X4
    ip helper-address 10.253.1.21
interface vlan X5
    ip helper-address 10.253.1.21

Adjust parameters.
a. Scroll down to interface loopback 0 and right click under the IP address.
b. Adjust the loopback IP address according to the following information:

Device       Loopback 0 IP address
TX-8325-A    10.1.X7.2
TX-8325-B    10.1.X8.2

c. Click APPLY.

d. Scroll down to interface 1/1/48.

e. Change the LAG information using the following table:

Device       LAG-ID on interface 1/1/48
TX-8325-A    2
TX-8325-B    3

f. Click on VALIDATE to make sure there are no errors.

g. Return to PLAN.

h. Click on DEPLOY

i. Confirm the operation.

j. You have a choice to ROLLBACK to the previous configuration. Now click on
COMMIT to save the configuration.

k. Confirm the operation.

l. Now you can see that the deployment is successful.

Deploy OSPF on Core switch.


a. Choose “TX-8325-CORE” and choose “Edit Config” from the ACTION menu.

b. Create a Plan named “Deploy OSPF on CORE”, then select CREATE.


c. Copy the configuration below to the bottom of the script. Change the “X” to
your real table number.
Note: You can use Notepad++ to edit your script; the shortcut is located on the
Desktop.

router ospf 1
    area 0
interface loopback 0
    ip address 10.1.X7.1/32
    ip ospf 1 area 0
interface lag 2
    no shutdown
    lacp mode active
    lacp rate fast
    ip address 10.1.X8.34/30
    ip ospf 1 area 0
    ip ospf network point-to-point
interface 1/1/1
    lag 2
    no shutdown
interface lag 3
    lacp mode active
    lacp rate fast
    ip address 10.1.X8.38/30
    ip ospf 1 area 0
    ip ospf network point-to-point
    no shutdown
interface 1/1/2
    lag 3
    no shutdown
interface 1/1/27
    shutdown

Note: The part below connects to the Backbone to get a route to the server
farm.

vlan (10+X)05
interface vlan (10+X)05
    ip address 10.1.X8.17/30
    ip ospf 1 area 0
interface 1/1/47
    no routing
    no shutdown
    vlan trunk allowed (10+X)05
vlan (10+X)06
interface vlan (10+X)06
    ip address 10.1.X8.21/30
    ip ospf 1 area 0
interface 1/1/48
    no routing
    no shutdown
    vlan trunk allowed (10+X)06

For example, Table 7 uses the configuration below.

router ospf 1
    area 0
interface loopback 0
    ip address 10.1.77.1/32
    ip ospf 1 area 0
    exit
interface lag 2
    no shutdown
    lacp mode active
    lacp rate fast
    ip address 10.1.78.34/30
    ip ospf 1 area 0
    ip ospf network point-to-point
    exit
interface 1/1/1
    lag 2
    no shutdown
interface lag 3
    no shutdown
    lacp mode active
    lacp rate fast
    ip address 10.1.78.38/30
    ip ospf 1 area 0
    ip ospf network point-to-point
interface 1/1/2
    lag 3
    no shutdown
interface 1/1/27
    shutdown
vlan 1705
interface vlan 1705
    ip address 10.1.78.17/30
    ip ospf 1 area 0
interface 1/1/47
    no routing
    no shutdown
    vlan trunk allowed 1705
vlan 1706
interface vlan 1706
    ip address 10.1.78.21/30
    ip ospf 1 area 0
interface 1/1/48
    no routing
    no shutdown
    vlan trunk allowed 1706

d. Select VALIDATE to confirm there are no errors. If there is an error, fix
it and then paste the commands again.

e. Click RETURN TO PLAN and DEPLOY it.

f. Confirm the operation by clicking DEPLOY.


g. Click on COMMIT.

h. Commit the operation.
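The “X” and “(10+X)” substitution in the CORE plan is easy to get wrong by hand, so it helps to render and check it before pasting. The following Python sketch is an added example, not part of the lab guide or NetEdit: it renders the address-bearing lines of the CORE template for a table number, rejects table numbers that produce an invalid octet or VLAN ID, and confirms that each CORE LAG address shares a /30 with the AGG uplink address from the AGG plan. The function names are assumptions.

```python
import ipaddress
import re

# Address-bearing subset of the CORE template shown in this lab.
CORE_TEMPLATE = """\
interface loopback 0
    ip address 10.1.X7.1/32
interface lag 2
    ip address 10.1.X8.34/30
interface lag 3
    ip address 10.1.X8.38/30
vlan (10+X)05
interface vlan (10+X)05
    ip address 10.1.X8.17/30
vlan (10+X)06
interface vlan (10+X)06
    ip address 10.1.X8.21/30
"""

# Far-end addresses of the same links, taken from the AGG plan in this lab.
AGG_UPLINKS = {"lag 2": "10.1.X8.33/30", "lag 3": "10.1.X8.37/30"}

def render(template, x):
    """Substitute table number x: '(10+X)05' -> 1705 and 'X7' -> 77 for x=7."""
    if not isinstance(x, int) or x < 1:
        raise ValueError("table number must be a positive integer")
    text = re.sub(r"\(10\+X\)(\d{2})", lambda m: f"{10 + x}{m.group(1)}", template)
    return re.sub(r"X(\d)", lambda m: f"{x}{m.group(1)}", text)

def interfaces(config):
    """Return {interface name: IPv4Interface}; raise on bad octets or VLAN IDs."""
    found, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        vlan = re.fullmatch(r"(?:interface )?vlan ?(\d+)", line)
        if vlan and not 1 <= int(vlan.group(1)) <= 4094:
            raise ValueError(f"VLAN ID out of range: {line}")
        if line.startswith("interface "):
            current = line[len("interface "):]
        elif line.startswith("ip address "):
            if current is None:
                raise ValueError(f"address outside an interface context: {line}")
            # ip_interface raises ValueError for octets above 255.
            found[current] = ipaddress.ip_interface(line.split()[2])
    return found

def same_p2p(a, b):
    """True if a and b are the two usable hosts of one /30."""
    a, b = ipaddress.ip_interface(a), ipaddress.ip_interface(b)
    net = a.network
    return (a.network == b.network and net.prefixlen == 30
            and {a.ip, b.ip} == set(net.hosts()))

def check_table(x):
    """Render and validate the CORE plan for table x; returns its interfaces."""
    core = interfaces(render(CORE_TEMPLATE, x))
    for lag, agg_addr in AGG_UPLINKS.items():
        agg = render(agg_addr, x)
        if not same_p2p(agg, str(core[lag])):
            raise ValueError(f"{lag}: {agg} and {core[lag]} are not /30 peers")
    return core

if __name__ == "__main__":
    print(render(CORE_TEMPLATE, 7))
    for name, addr in check_table(7).items():
        print(f"{name:12} {addr}")
```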


Verify the OSPF neighbors and routing table.

AGG-1
TX-8325-A# show ip ospf neighbors
OSPF Process ID 1 VRF default
==============================

Total Number of Neighbors: 3

Neighbor ID      Priority  State             Nbr Address       Interface
-------------------------------------------------------------------------
10.1.17.1        n/a       FULL              10.1.18.34        lag2
10.1.17.3        1         FULL/BDR          10.1.14.3         vlan14
10.1.17.3        1         FULL/BDR          10.1.15.3         vlan15

Core

T1-8320-CORE(config)# show ip ospf neighbors
OSPF Process ID 1 VRF default
==============================

Total Number of Neighbors: 4

Neighbor ID      Priority  State             Nbr Address       Interface
-------------------------------------------------------------------------
10.1.17.2        n/a       FULL              10.1.18.33        lag2
10.1.17.3        n/a       FULL              10.1.18.37        lag3
10.1.7.1         1         FULL/DR           10.1.18.18        vlan1105 <vlan(10+x)05>
10.1.7.2         1         FULL/DR           10.1.18.22        vlan1106 <vlan(10+x)06>

AGG-1
TX-8325-A# show ip route

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.1.10.0/24, vrf default
    via vlan10, [0/0], connected
10.1.10.2/32, vrf default
    via vlan10, [0/0], local
    via 10.1.88.6, [110/200], ospf
10.1.98.4/30, vrf default
    via 10.1.88.6, [110/200], ospf
10.1.98.0/30, vrf default
    via 10.1.88.2, [110/200], ospf
10.1.108.0/30, vrf default
    via 10.1.88.2, [110/200], ospf
10.1.108.12/30, vrf default
    via 10.1.88.6, [110/200], ospf
10.253.1.0/24, vrf default
    via 10.1.88.2, [110/201], ospf
    via 10.1.88.6, [110/201], ospf

<Output omitted>

Ping the ClearPass server (10.253.1.23) from TX-6300-A. If the ping is successful, you are ready
for the next lab.
Save the configuration on TX-8325-A, TX-8325-B, and TX-8325-Core:

copy running-config checkpoint Lab3-done-[student-name]

The CLI commands are attached here for reference.

Configure the loopback interface for AGG-1/AGG-2/CORE

TX-8325-Core
int loopback 0
    ip add 10.1.X7.1/32

TX-8325-A
int loopback 0
    ip add 10.1.X7.2/32

TX-8325-B
int loopback 0
    ip add 10.1.X7.3/32

Enable Router OSPF process globally


TX-8325-A
TX-8325-A(config)# router ospf 1
TX-8325-A(config-ospf-1)# area 0

TX-8325-B
TX-8325-B(config)# router ospf 1
TX-8325-B(config-ospf-1)# area 0

TX-8325-Core
TX-8325-CORE(config)# router ospf 1
TX-8325-CORE(config-ospf-1)# area 0

Enable IP OSPF process on interfaces


TX-8325-A
int loopback 0
    ip ospf 1 area 0

int vlan X5
    ip ospf 1 area 0

int vlan X3
    ip ospf 1 area 0
interface lag 2
    ip address 10.1.X8.33/30
    lacp mode active
    lacp rate fast
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point # Make sure the OSPF network type matches the peer’s.
    no shutdown
    exit
interface 1/1/48
    no shutdown
    lag 2
    exit

interface vlan X0
    ip helper-address 10.253.1.254
interface vlan X1
    ip helper-address 10.253.1.254
interface vlan X2
    ip helper-address 10.253.1.254
interface vlan X3
    ip helper-address 10.253.1.254
interface vlan X4
    ip helper-address 10.253.1.254
interface vlan X5
    ip helper-address 10.253.1.254

TX-8325-B
int loopback 0
    ip ospf 1 area 0

int vlan X5
    ip ospf 1 area 0

int vlan X3
    ip ospf 1 area 0
interface lag 3
    ip address 10.1.X8.37/30
    lacp mode active
    lacp rate fast
    ip ospf 1 area 0.0.0.0
    ip ospf network point-to-point # Make sure the OSPF network type matches the peer’s.
    no shutdown
    exit
interface 1/1/48
    no shutdown
    lag 3
    exit

interface vlan X0
    ip helper-address 10.253.1.254
interface vlan X1
    ip helper-address 10.253.1.254
interface vlan X2
    ip helper-address 10.253.1.254
interface vlan X3
    ip helper-address 10.253.1.254
interface vlan X4
    ip helper-address 10.253.1.254
interface vlan X5
    ip helper-address 10.253.1.254

TX-8325-Core

TX-8325-CORE(config)# int loopback 0
TX-8325-CORE(config-loopback-if)# ip ospf 1 area 0
TX-8325-CORE(config-loopback-if)# int lag 2
TX-8325-CORE(config-lag-if)# lacp mode active
TX-8325-CORE(config-lag-if)# lacp rate fast
TX-8325-CORE(config-lag-if)# ip add 10.1.X8.34/30
TX-8325-CORE(config-lag-if)# ip ospf 1 area 0
TX-8325-CORE(config-lag-if)# ip ospf network point-to-point
TX-8325-CORE(config-lag-if)# int 1/1/1
TX-8325-CORE(config-if)# lag 2
TX-8325-CORE(config-if)# no shutdown

TX-8325-CORE(config-if)# int lag 3
TX-8325-CORE(config-lag-if)# lacp mode ac
TX-8325-CORE(config-lag-if)# lacp rate fast
TX-8325-CORE(config-lag-if)# ip add 10.1.X8.38/30
TX-8325-CORE(config-lag-if)# ip ospf 1 area 0
TX-8325-CORE(config-lag-if)# ip ospf network point-to-point
TX-8325-CORE(config-lag-if)# no shut
TX-8325-CORE(config-lag-if)# int 1/1/2
TX-8325-CORE(config-if)# lag 3
TX-8325-CORE(config-if)# no shutdown
TX-8325-CORE(config-if)# exit
TX-8325-CORE(config)# int 1/1/27
TX-8325-CORE(config-if)# no shutdown

Note: The part below connects to the Backbone to get the route to the server
farm.

TX-8325-CORE(config)# vlan (10+X)05
TX-8325-CORE(config)# interface vlan (10+X)05
TX-8325-CORE(config-if)# ip address 10.1.X8.17/30
TX-8325-CORE(config-if)# ip ospf 1 area 0
TX-8325-CORE(config)# interface 1/1/47
TX-8325-CORE(config-if)# no shutdown
TX-8325-CORE(config-if)# no routing
TX-8325-CORE(config-if)# vlan trunk allowed (10+X)05
TX-8325-CORE(config)# vlan (10+X)06
TX-8325-CORE(config)# interface vlan (10+X)06
TX-8325-CORE(config-if)# ip address 10.1.X8.21/30
TX-8325-CORE(config-if)# ip ospf 1 area 0
TX-8325-CORE(config)# interface 1/1/48
TX-8325-CORE(config-if)# no shutdown
TX-8325-CORE(config-if)# no routing
TX-8325-CORE(config-if)# vlan trunk allowed (10+X)06

Note: Make sure the adjacent switches have the same MTU setting and
OSPF network type.

You have completed Lab 3!

Lab 4: Access Control


Objectives
In this lab, you will configure MAC, Dot1X, and captive portal authentication on switches.

Task 1: Preparing the Access Control Lab

Steps

Configure DNS Server on the switch


TX-6300-A(config)# ip dns server-address 10.253.1.21 vrf mgmt

Configure Radius server on the switch

TX-6300-A(config)# radius-server host cppm.arubatraining.com key plaintext aruba123 vrf mgmt

Configure Radius server group on the switch


TX-6300-A(config)# aaa group server radius clearpass
TX-6300-A(config-sg)# server cppm.arubatraining.com vrf mgmt
TX-6300-A(config-sg)# exit

Test connectivity to the ClearPass server and DNS resolution.

TX-6300-A# ping cppm.arubatraining.com vrf mgmt


PING cppm.arubatraining.com (10.253.1.23) 100(128) bytes of data.
108 bytes from 10.253.1.23: icmp_seq=1 ttl=60 time=0.379 ms
108 bytes from 10.253.1.23: icmp_seq=2 ttl=60 time=0.572 ms
108 bytes from 10.253.1.23: icmp_seq=3 ttl=60 time=0.590 ms

Open an RDP connection to Windows 10 and check the current IP address. Make sure the
TCP/IP setting of the “OOBM” NIC uses a STATIC IP address, that the IP ADDRESS is
10.251.X.90/24, and that the default gateway is 10.251.X.254.

Note: DO NOT SHUT DOWN the interface named “Do NOT Touch”, which is a
management interface!!!

Log in to ClearPass (10.253.1.23) with “readonly/readonly” and check in the ClearPass configuration
that the switch is configured as an authenticating device (NAS and Services).
a. NAS configuration (preconfigured): navigate to Configuration → Network →
Devices to check the configuration.

b. Service for Dot1x Auth (Preconfigured)

c. Service for MAC-AUTHEN (Preconfigured)

Note: In this case, we use “Allow all MAC AUTH methods” for the testing


d. Service for CP-AUTH Guest Access – Web Login (preconfigured)

Task 2 MAC-authentication
Steps

Configure MAC authentication globally and

TX-6300-A(config)# aaa authentication port-access mac-auth radius server-group clearpass


TX-6300-A(config)# aaa authentication port-access mac-auth enable

Enable Authorization globally (Optional for CoA)

TX-6300-A(config)# radius dyn-authorization enable

Enable MAC authentication on Port 1/1/1 of the ACC switch.



TX-6300-A(config)# int 1/1/1


TX-6300-A(config-if)# aaa authentication port-access mac-auth
TX-6300-A(config-if-macauth)# enable

Test MAC authentication.


a. Move to the Windows 10 client and navigate to Control Panel → Network and Internet →
Network and Sharing Center → Change adapter settings.
b. Enable Lab NIC.
c. Shut down and re-enable port 1/1/1 (shutdown, then no shutdown) to trigger MAC authentication.

TX-6300-A(config)# interface 1/1/1


TX-6300-A(config-if)# shutdown
TX-6300-A(config-if)# no shutdown

Note: If you have completed Lab 3 OSPF routing, then you don’t need to statically
configure an IP address on your Win10 client 6300 NIC.
An IP helper-address needs to be configured under interface vlan X5 on the AGG switches.

TX-6300-A# show aaa authentication port-access interface all client-status


Port Access Client Status Details

Client 00:0c:29:a3:99:15, 000c29a39915


============================
Session Details
---------------
Port : 1/1/1
Session Time : 37s

Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated

Authorization Details

Check the access track on ClearPass.


Task 3 Dot1X authentication


Steps

Configure Dot1X authentication globally.


TX-6300-A(config)# aaa authentication port-access dot1x authenticator radius server-group clearpass
TX-6300-A(config)# aaa authentication port-access dot1x authenticator enable

Configure Dot1X authentication for Port 1/1/1


TX-6300-A(config)# int 1/1/1
TX-6300-A(config-if)# aaa authentication port-access dot1x authenticator
TX-6300-A(config-if-dot1x-auth)# enable

Note: We now have two authentication methods configured on the same interface.
Which one will take priority? Answer this question in Step 5.

T10-6300-A# show run int 1/1/1


interface 1/1/1
    no shutdown
    no routing
    vlan access X5
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    exit

Configure Dot1X on Windows Client


a. Click Start and type services.msc


b. Scroll down and enable Wired AutoConfig service on the windows client.

c. Navigate to Control Panel → Network and Internet → Network and Sharing Center →
Change adapter settings.
d. Right click on the LabNIC and click on Properties.
e. Click on Authentication tab.
f. Click on Settings.

g. Uncheck the box Verify the server’s identity by validating the certificate.


h. Click OK.

i. Click Additional Settings.


j. Select User Authentication for Specify authentication mode.
k. Click on Save credentials.


l. Use the following credentials:


i. Username: tX-user1
ii. Password: password
m. Click OK.
n. Click OK.
o. Click OK.

The following table details the 4 user accounts that have been created on ClearPass.

Username   Password   Description
--------   --------   -----------
tX-user1   password   Standard dot1x authentication that does not push any VSA to the switch.
tX-user2   password   ClearPass will push the captive portal role name to the switch.
tX-user3   password   Will be used in the Downloadable user role lab.
tX-user4   password   ClearPass will push tunneled role name to switch in the Dynamic Segmentation lab (Lab 5).

Note: If you have completed Lab 3 OSPF routing, then you don’t need to
statically configure an IP address on your Win10 client 6300 NIC.
An IP helper-address needs to be configured under interface vlan X5 on the AGG switches.

Test Dot1x by disabling and enabling the Ethernet interface named “LabNIC” on Win10 client
to trigger dot1x authentication.

Note: Don’t touch or disable the management interface. Otherwise, you will lose the
connection to the windows client.

Check client authentication status on the switch and answer the questions in Step 2.

P10-6300-A# show aaa authentication port-access interface all client-status

Port Access Client Status Details

Client 00:50:56:90:a1:bd, t1-user1


============================
Session Details
---------------
Port : 1/1/1
Session Time : 163s

Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted


Task 4 Captive Portal authentication


Steps

Configure the captive portal traffic class.

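TX-6300-A(config)# class ip clearpass-web
TX-6300-A(config-class-ip)# 10 match tcp any 10.253.1.23/32 eq 80
TX-6300-A(config-class-ip)# 20 match tcp any 10.253.1.23/32 eq 443
TX-6300-A(config-class-ip)# exit

TX-6300-A(config)# class ip dhcp
TX-6300-A(config-class-ip)# 10 match udp any any eq 67
TX-6300-A(config-class-ip)# 20 match udp any any eq 68
TX-6300-A(config-class-ip)# exit

TX-6300-A(config)# class ip dns
TX-6300-A(config-class-ip)# 10 match udp any any eq 53
TX-6300-A(config-class-ip)# exit

TX-6300-A(config)# class ip web-traffic
TX-6300-A(config-class-ip)# 10 match tcp any any eq 80
TX-6300-A(config-class-ip)# 20 match tcp any any eq 443
TX-6300-A(config-class-ip)# exit

TX-6300-A(config)# class ip icmp
TX-6300-A(config-class-ip)# 10 match icmp any any
TX-6300-A(config-class-ip)# exit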

Create a portal redirection traffic policy with the traffic classes built in the previous step.

TX-6300-A(config)# port-access policy CLEARPASS-REDIRECT


10 class ip dns
10 comment DNS-PERMIT
20 class ip dhcp
20 comment DHCP-PERMIT
30 class ip clearpass-web action cir kbps 1024 cbs 2048 exceed drop
30 comment Allow to access Clearpass web portal page
40 class ip icmp
40 comment Allow icmp for testing
50 class ip web-traffic action redirect captive-portal
50 comment Redirect Http/Https traffic to Clearpass


switch(config)# show port-access policy

Access Policy Details:
======================
Policy Name : CLEARPASS-REDIRECT
Policy Type : local
SEQUENCE    CLASS               TYPE          ACTION
----------- ------------------- ------------- -------------------------------
10          dns                 ipv4          permit
20          dhcp                ipv4          permit
30          clearpass-web       ipv4          cir kbps 1024 cbs 2048 exceed drop
40          icmp                ipv4          permit
50          web-traffic         ipv4          redirect captive-portal
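
The effect of CLEARPASS-REDIRECT on a client that has not yet logged in can be traced with a small model of the classes and policy entries above. This is an added example, not Aruba code: it assumes entries are evaluated in sequence order with the first matching class deciding the action, that unmatched traffic is dropped, and it uses a constructed client address (10.1.15.50).

```python
import ipaddress

# Classes transcribed from the "class ip" commands in Task 4.
# Entry format: (protocol, source, destination, destination port or None).
CLASSES = {
    "clearpass-web": [("tcp", "any", "10.253.1.23/32", 80),
                      ("tcp", "any", "10.253.1.23/32", 443)],
    "dhcp":          [("udp", "any", "any", 67), ("udp", "any", "any", 68)],
    "dns":           [("udp", "any", "any", 53)],
    "web-traffic":   [("tcp", "any", "any", 80), ("tcp", "any", "any", 443)],
    "icmp":          [("icmp", "any", "any", None)],
}

# Policy CLEARPASS-REDIRECT as listed by "show port-access policy".
POLICY = [
    (10, "dns", "permit"),
    (20, "dhcp", "permit"),
    (30, "clearpass-web", "cir kbps 1024 cbs 2048 exceed drop"),
    (40, "icmp", "permit"),
    (50, "web-traffic", "redirect captive-portal"),
]


def _addr_ok(spec, addr):
    """True if addr falls inside spec ('any' or a CIDR prefix)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def class_matches(name, pkt):
    """True if any entry of the named class matches the packet."""
    for proto, src, dst, dport in CLASSES[name]:
        if (proto == pkt["proto"]
                and _addr_ok(src, pkt["src"])
                and _addr_ok(dst, pkt["dst"])
                and (dport is None or dport == pkt.get("dport"))):
            return True
    return False


def evaluate(policy, pkt, default="drop"):
    """Return (sequence, action) of the first policy entry whose class matches.

    ASSUMPTION: first match in sequence order wins, and traffic that matches
    no class gets `default` (modelled as drop here).
    """
    for seq, name, action in sorted(policy):
        if class_matches(name, pkt):
            return seq, action
    return None, default


def swap(policy, seq_a, seq_b):
    """Copy of the policy with the sequence numbers of two entries exchanged."""
    remap = {seq_a: seq_b, seq_b: seq_a}
    return [(remap.get(seq, seq), name, action) for seq, name, action in policy]


def pkt(proto, dst, dport=None, src="10.1.15.50"):  # src: constructed client IP
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


# Probe packets; destination addresses are the ones used in this lab.
PROBES = {
    "portal HTTPS":       pkt("tcp", "10.253.1.23", 443),
    "lab test URL":       pkt("tcp", "10.253.1.254", 80),
    "DNS over UDP":       pkt("udp", "10.253.1.21", 53),
    "DNS over TCP":       pkt("tcp", "10.253.1.21", 53),
    "SSH to core switch": pkt("tcp", "10.253.1.254", 22),
    "ping":               pkt("icmp", "10.253.1.254"),
}


def report(policy):
    """Map each probe label to the (sequence, action) that handles it."""
    return {label: evaluate(policy, p) for label, p in PROBES.items()}


if __name__ == "__main__":
    for label, (seq, action) in report(POLICY).items():
        print(f"{label:20} -> entry {seq}: {action}")
    # Ordering matters: if web-traffic were evaluated before clearpass-web,
    # the portal page itself would be redirected.
    print("30/50 swapped, portal HTTPS ->",
          evaluate(swap(POLICY, 30, 50), PROBES["portal HTTPS"]))
```

The swap at the end shows why entry 30 has to precede entry 50: both classes match TCP 443 to 10.253.1.23, so the order alone decides whether the portal is reachable or redirected to itself.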

Configure Captive-Portal profile

TX-6300-A(config)# aaa authentication port-access captive-portal-profile test


TX-6300-A(config-captive-portal)# url https://10.253.1.23/guest/portal1.php
TX-6300-A(config-captive-portal)# exit

Note: Portal.php page has been pre-configured in ClearPass.

Associate the policy and the captive portal profile with a port-access role on the switch.

TX-6300-A(config)# port-access role portal-role ###case sensitive


TX-6300-A(config-pa-role)# associate policy CLEARPASS-REDIRECT
T1-6300-A(config-pa-role)# associate captive-portal-profile test

Disable the OOBM interface of WIN10 client.


Change the Dot1x authentication profile on the LabNIC interface and replace the credentials
with:
a. Username: tX-user2
b. Password: password


Note: If you have completed Lab 3 OSPF routing, then you don’t need to statically
configure an IP address on your Win10 client 6300 NIC.
An IP helper-address needs to be configured under interface vlan X5 on the AGG switches.

Verify the captive portal configuration and check whether the portal page pops up.
Enter 10.253.1.254 in the browser to trigger the captive portal page.

You should be redirected to the ClearPass portal page as shown below. If the web page displays
the WebGUI of the 6300 switch, your web traffic is not being redirected correctly. (Note:
10.253.1.254 is the IP address of the 6300 infrastructure Core switch.)

Note: There is no need to login into the captive portal.


T1-6300-A# show port-access captive-portal-profile

Captive Portal Profile Configuration

Name : test
Type : local
URL : https://10.253.1.23/guest/portal1.php

TX-6300-A# show aaa authentication port-access interface all client-status

Port Access Client Status Details

Client 00:50:56:90:c9:5f, tX-user2


============================
Session Details
---------------
Port : 1/1/1
Session Time : 14947s

Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted

Authorization Details
----------------------
Role : portal-role
Status : Applied

Enable the OOBM interface of Windows10 client.


Disable the LabNIC interface of Windows 10 client.

You have completed Lab 4!
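
The client-status output checked in Tasks 2 to 4 can also be verified by script, for example to list ports where a session was admitted on its MAC address alone or where no role was applied. The parser below is an added example, not part of the lab or of AOS-CX; the sample text is assembled from the three outputs shown in this lab, and the finding names are this example's own.

```python
import re

# Assembled from the three client-status outputs shown in Tasks 2-4 of this lab
# (excerpts exactly as far as the lab guide shows them).
SAMPLE = """\
Port Access Client Status Details

Client 00:0c:29:a3:99:15, 000c29a39915
============================
Session Details
---------------
Port : 1/1/1
Session Time : 37s
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth - Authenticated
Authorization Details
Client 00:50:56:90:a1:bd, t1-user1
============================
Session Details
---------------
Port : 1/1/1
Session Time : 163s
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Client 00:50:56:90:c9:5f, tX-user2
============================
Session Details
---------------
Port : 1/1/1
Session Time : 14947s
Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Authorization Details
----------------------
Role : portal-role
Status : Applied
"""

CLIENT_RE = re.compile(r"^Client\s+([0-9A-Fa-f:]{17}),\s*(\S+)\s*$")
SECTION_RE = re.compile(r"^(Session|Authentication|Authorization) Details\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_client_status(text):
    """Return one dict per client. Fields are stored per section because
    'Status' appears under both Authentication and Authorization."""
    clients, current, section = [], None, None
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            current = {"mac": m.group(1).lower(), "user": m.group(2),
                       "session": {}, "authentication": {}, "authorization": {}}
            clients.append(current)
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = FIELD_RE.match(line)
        if m and current is not None and section is not None:
            current[section][m.group(1)] = m.group(2)
    return clients


def precedence(value):
    """'dot1x - Authenticated, mac-auth - Not attempted' -> {method: state}."""
    result = {}
    for part in filter(None, (p.strip() for p in value.split(","))):
        method, _, state = part.partition(" - ")
        result[method.strip()] = state.strip()
    return result


def audit(clients):
    """Return (port, mac, finding) tuples for sessions worth a second look."""
    findings = []
    for c in clients:
        methods = precedence(c["authentication"].get("Auth Precedence", ""))
        port = c["session"].get("Port", "?")
        # Admitted on the MAC address alone; 802.1X was never attempted.
        if (methods.get("mac-auth") == "Authenticated"
                and methods.get("dot1x") != "Authenticated"):
            findings.append((port, c["mac"], "mac-auth-only"))
        # Authenticated, but the output shows no applied role.
        if c["authorization"].get("Status") != "Applied":
            findings.append((port, c["mac"], "no-role-applied"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_client_status(SAMPLE)):
        print(finding)
```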


Lab 5: Dynamic Segmentation


Objectives
In this lab, you will configure a local user role, a downloadable user role, and tunneling.

Task 1: Lab preparation


Steps:
Configure the NTP server on the ACC-1 switch.
TX-6300-A(config)# ntp server 10.253.1.15 iburst
TX-6300-A(config)# ntp vrf mgmt
TX-6300-A(config)# ntp enable
TX-6300-A(config)# ntp authentication
TX-6300-A(config)# ntp authentication-key 1 sha1 aruba123 trusted
TX-6300-A(config)# clock timezone us/eastern

Note: It may take a few minutes to sync the time with the NTP server.

TX-6300-A(config)# show ntp status


NTP Status Information

NTP : Enabled
NTP Authentication : Enabled
NTP Server Connections : Using the mgmt VRF

System time : Fri Nov 15 12:51:38 EST 2019


NTP uptime : 10 hours, 57 minutes, 44 seconds

NTP Synchronization Information

NTP Server : 10.253.1.15 at stratum 2


Poll interval : 128 seconds
Time accuracy : Within -0.000185 seconds
Reference time : Fri Nov 15 2019 12:36:41.558 as per US/Eastern

TX-6300-A(config)# show clock

Note: If NTP is not working, you can manually change the time of the TX-6300-A
switch to make sure that it has the same time as ClearPass.

Configure radius dyn-authorization

TX-6300-A(config)# radius dyn-authorization enable


Note: The steps below for generating the HTTPS server certificate are for reference only and
have been preconfigured. You don’t need to perform them in the lab.

Configure a new ClearPass HTTPS server certificate on ClearPass. (Preconfigured)

a. Navigate to Administration → Certificates → Certificate Store → Create Certificate Signing
Request.

b. Make sure the CN field matches the DNS record of the ClearPass server, and the
private key should be aruba123. (Preconfigured)

Note: The CN is cppm.arubatraining.com, matching the DNS record of ClearPass.


c. Download the CSR file. The private key is stored in the system. You can now upload a
certificate alone without using the private key. (Preconfigured)

Now we will use the ClearPass built-in Onboarding CA to generate a new HTTPS
server certificate for the ClearPass HTTPS server.
d. Click on the menu in the upper-right corner and click Onboarding.
e. Navigate to Onboard → Certificate Authorities.
f. Click the default CA, “Local Certificate Authority”, then click “Certificates”.
(Preconfigured)

g. Then click “Upload a certificate signing request” to upload the CSR file we just
generated. (Preconfigured)


h. Make sure to choose HTTPS as the certificate and check the “Approval” option, then click
“Submit Certificate Signing Request”. (Preconfigured)

i. Then export the Certificate. (Preconfigured)

j. Make sure the certificate includes a Certificate trust chain. (Preconfigured)


k. Go back to the Policy Manager GUI and navigate to Administration → Certificates →
Certificate Store → Import Certificate (server certificate). (Preconfigured)

Note: Make sure the Usage is “HTTPS Server Certificate”.

l. Once finished, you will need to log in again with the new HTTPS server certificate.
m. Then you can verify that the CN field is correct. In this case, the CN should be the FQDN of the
ClearPass server.


Task 2 Downloadable user role (DUR)

Steps:
Download CA cert from ClearPass
a. Login into ClearPass server (10.253.1.23) using readonly/readonly credentials.
b. Navigate to Onboard → Certificate Authorities.
c. Click the default CA, Local Certificate Authority.
d. Click Certificates.

e. Select Certificate Authority for the Certificate Type dropdown menu.

f. Click on ClearPass Onboard Local Certificate Authority (first entry, not signing).
g. Click Export certificate.


h. Select Base-64 Encoded (.pem) for Format, make sure the box for Include
certificate trust chain is checked.
i. Click Export Certificate.

j. Save the file locally in the PC.


k. Open the file using Notepad++ (a shortcut is on the Desktop).
l. SSH to the 6300-A switch (10.251.X.4) from the Windows 10 client (a PuTTY shortcut is
located on the Desktop).
Note: Make sure the OOBM interface on the Windows 10 client is enabled and the LabNIC
interface is disabled.
m. Log in using the admin/admin credentials.

Configure ta-cert profile.

TX-6300-A# configure terminal


TX-6300-A(config)# crypto pki ta-profile cppm
TX-6300-A(config-ta-cppm)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:

Note: It is important to press Control+D after pasting the certificate.


Example:
TX-6300-A# configure terminal
TX-6300-A(config)# crypto pki ta-profile cppm
TX-6300-A(config-ta-cppm)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
TX-6300-A(config-ta-cert)# -----BEGIN CERTIFICATE-----
TX-6300-A(config-ta-cert)# MIIEsDCCA5igAwIBAgIBAjANBgkqhkiG9w0BAQ0FADCByDELMAkGA1UEBhMCVVMx
TX-6300-A(config-ta-cert)# EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEXMBUGA1UE
<omitted>
TX-6300-A(config-ta-cert)# FoRNtIrhUBDV5MxOIdOr27gVlecnFvFkjF6ohx5VVHzf6o0Iaw2EtfgdTTM26tBa
TX-6300-A(config-ta-cert)# aQUrxogAhG2HU3o2cgrbNlxb3ck4JDFZMZJ3igSEJX/gGJJd0EnYzljQLVwB4Ma7
TX-6300-A(config-ta-cert)# st806A==
TX-6300-A(config-ta-cert)# -----END CERTIFICATE-----
TX-6300-A(config-ta-cert)# -----BEGIN CERTIFICATE-----
TX-6300-A(config-ta-cert)# MIIEgzCCA2ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADCByDELMAkGA1UEBhMCVVMx
TX-6300-A(config-ta-cert)# EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEXMBUGA1UE
TX-6300-A(config-ta-cert)# fG+uqq4QoTVGeYTkfIxodiAoBtXlQkhHQbI7TzLprpN7xa7DaK3Ygln0pFxoY5jl
TX-6300-A(config-ta-cert)# QCr/ckGh6CAkyOgStPIxt8bBakx/pC0uwJ/JOyujjde4zUXOFhCZ3G84Pwqcq8s0
TX-6300-A(config-ta-cert)# r4D4jvdSM5B/9twQZPAklCxJZpII1juGvmC2sl0h3YPTx6TGiJr2Ox8JKeL0LOcV
TX-6300-A(config-ta-cert)# dHrjw1GV+A==
TX-6300-A(config-ta-cert)# -----END CERTIFICATE-----
TX-6300-A(config-ta-cert)# <<<Here you enter Control + D>>>
The certificate you are importing has the following attributes:
Subject: C = US, ST = California, L = Sunnyvale, O = Aruba Networks, CN = ClearPass Onboard Local
Certificate Authority (Signing), emailAddress = 50e5c793-eebb-4b0d-92b5-53d26facf87c@example.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Aruba Networks, CN = ClearPass Onboard Local
Certificate Authority, emailAddress = 50e5c793-eebb-4b0d-92b5-53d26facf87c@example.com
Serial Number: 0x02
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
TX-6300-A(config-ta-cppm)#

Note: You can also upload the certificate to the switch using TFTP. The Windows 10
client has a TFTP server application on the Desktop.

Check downloadable user account (duradmin/aruba123) on ClearPass (Preconfigured).


Notice that it uses a read-only administrator privilege level.

Add ClearPass downloadable username (duradmin) and password (aruba123) on switch.


P10-6300-A(config)# radius-server host cppm.arubatraining.com clearpass-username duradmin clearpass-password plaintext aruba123 vrf mgmt


Check current interface dscp trust mode.

T01-6300-A# show interface 1/1/1

Interface 1/1/1 is up
Admin state is up
Link transitions: 1
Description:
Hardware: Ethernet, MAC Address: 88:3a:30:92:85:e7
MTU 1500
Type 1GbT
Full-duplex
qos trust none
Speed 1000 Mb/s
Auto-negotiation is on
Flow-control: off
Error-control: off
MDI mode: MDIX
VLAN Mode: access
Access VLAN: 1
Rx
58985 input packets 10501319 bytes
0 input error 6 dropped
0 CRC/FCS
Tx
24569 output packets 2890519 bytes
0 input error 0 dropped
0 collision

On Windows 10 client, change the Dot1x authentication profile on the LabNIC interface and
replace the credentials with:
a. Username: tX-user3
b. Password: password
The new authentication will use a new enforcement profile (Send DUR-POE-DSCP-Role),
which includes Aruba-CPPM-role for the Dot1x authentication service.

Note: You may ignore the “poe-priority critical” setting because this setting is for PoE.

Verify the role has been pushed to switch and if dscp trust mode has been changed.


P10-6300-A# show interface 1/1/1

Interface 1/1/1 is up
Admin state is up
Link transitions: 17
Description:
Hardware: Ethernet, MAC Address: 88:3a:30:92:f4:a7
MTU 1500
Type 1GbT
Full-duplex
qos trust dscp
Speed 1000 Mb/s
Auto-negotiation is on
Flow-control: off
Error-control: off
MDI mode: MDI
VLAN Mode: access
Access VLAN: 15
Rx
<<Omitted output>>

Also check the below outputs.

P10-6300-A# show aaa authentication port-access interface all client-status

Port Access Client Status Details

Client 00:50:56:90:a1:bd, t1-user3


============================
Session Details
---------------
Port : 1/1/1
Session Time : 163s

Authentication Details
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted

Authorization Details
----------------------
Role : Send_DUR_POE_DSCP_Role-3002-1
Status : Applied

P10-6300-A# show port-access role # this will display role type


Role Information:

Name : Send_DUR_POE_DSCP_Role-3002-1
Type : clearpass
Status: Completed
----------------------------------------------
Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Tunneled Node Server Zone :
Tunneled Node Server Secondary Role :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
MTU :
QOS Trust Mode : dscp
PoE Priority : critical
Captive Portal Profile :
Policy :


Task 3 Local user role (LUR) and Dynamic-segmentation lab (Tunneling)

Steps:

1. Configure ubt-client-vlan and ubt source IP on ACC-1 (TX-6300-A)

TX-6300-A(config)# vlan 1000


TX-6300-A(config-vlan-1000)# exit
TX-6300-A(config)# ubt-client-vlan 1000
TX-6300-A(config)# ip source-interface ubt <10.1.X5.99>

Note: 10.1.X5.99 is the IP address of VLAN X5 on the TX-6300-A switch, which was configured in
a previous lab.

Note: In this case, only one IP address is configured on ClearPass, so here we use the VLAN X5 IP
address of the ACC switch as the ubt source IP. If we need to build a tunnel with a data port of
ClearPass (second port), then the ubt source IP should be accessible by the data port of ClearPass.

2. Configure Tunnel zone On ACC-1 (TX-6300-A)

TX-6300-A(config)# ubt zone test vrf default


TX-6300-A(config-ubt-test)# primary-controller ip <10.1.X4.100>
TX-6300-A(config-ubt-test)# enable
TX-6300-A(config-ubt-test)# exit

3. Configure Local user role named “tunnel-mc” on ACC-1 switch (6300-A)


TX-6300-A(config)#
TX-6300-A(config)# port-access role tunnel-mc
TX-6300-A(config-pa-role)# gateway-zone zone test gateway-role authenticated
TX-6300-A(config-pa-role)# exit

4. Check enforcement profile of Dot1x service to push Aruba user role name “tunnel-mc” to
switch. (Preconfigured)


5. Login to the Mobility Controller TX-MC (7005) using:


a. Username: admin
b. Password: password
6. On MC, associate VLAN with a gateway-role pushed by the switch.
(MC) [mynode] (config)# user-role authenticated
(MC) [mynode] (config-submode)# vlan X3
(MC) ^[mynode] (config-submode)# write memory

7. You may need to add a DHCP helper address pointing to 10.253.1.21 on interface
vlan X3 of AGG-1 and AGG-2.

AGG-1 (TX-8325-A)
interface vlan X3
    ip helper-address 10.253.1.21
    ip ospf 1 area 0

AGG-2 (TX-8325-B)
interface vlan X3
    ip helper-address 10.253.1.21
    ip ospf 1 area 0

8. On Win10 Client, make sure it uses DHCP for the Ethernet interface of LabNIC.
Note: The client will get an IP belonging to 10.1.X3.0/24 from DHCP server
10.253.1.21 once the authentication is successful.

9. On Win10 Client, Disable and enable the interface named LabNIC to simulate a new Dot1X
authentication to trigger the switch to build a tunnel with MC.
In this task, please use the following credentials:
a. Username: tX-user4
b. Password: password

Note: “tX-user4/password” will push the tunneled role name to switch in the dynamic
segmentation lab part.


10. Check tunnel state on TX-MC (7005).

(TX-MC) [mynode] #show tunneled-node-mgr tunneled-users

Tunneled User Table Entries
---------------------------
Flags: U - User Anchor Controller(UAC),
       S - Standby User Anchor Controller(S-UAC),
       T - Tagged VLAN,
       A - Authenticated on Tunneled Node,
       C - Convert BC & MC into Unicast,

User      Tunneled User Mac  Tunneled Node Mac  Vlan      UAC IP Address  Key  Tunnel Index  Flags
----      -----------------  -----------------  ----      --------------  ---  ------------  -----
t1-user4  00:50:56:b1:3c:b3  88:3a:30:97:a6:00  1000(13)  10.1.14.100     1    tunnel 10     UAC

Note: You can notice that in the command output, 1000 means the reserved VLAN to
tunnel user traffic, and VLAN 13 (X3) is the user VLAN.

11. Some troubleshooting commands on MC.

(MC-X) [mynode] #show station-table

(MC-X) [mynode] #show user


(MC-X) [mynode] #show datapath session table

(MC) [mynode] #show tunneled-node-mgr trace-buf count 10

Nov 16 17:48:53 gsm Publish tun user 10.1.15.99 00:50:56:b1:3c:b3.
Nov 16 17:48:53 <-- User bootstrap ack 10.1.15.99 00:50:56:b1:3c:b3 assignedvlan=13 L2=0 S-UAC=N/A idx=-1 status=1:Success.
Nov 16 17:55:23 --> User Unbootstrap Req 10.1.15.99 00:50:56:b1:3c:b3 reason=5, key=1.
Nov 16 17:55:23 sos User tunnel removed 10.1.15.99 00:50:56:b1:3c:b3 tunnel 10.
Nov 16 17:55:23 gsm Delete tun user 10.1.15.99 00:50:56:b1:3c:b3.
Nov 16 17:55:23 <-- User Unbootstrap Ack 10.1.15.99 00:50:56:b1:3c:b3 key=1 status=1:Success.
Nov 16 17:55:23 --> User bootstrap req 10.1.15.99 00:50:56:b1:3c:b3 rsvd-vid=1 vlan=1000 key=1 role=authenticated flags=6 mtu=1500 server=0.0.0.0.
Nov 16 17:55:23 sos User tunnel created 10.1.15.99 00:50:56:b1:3c:b3 dormant=0 tunnel 10.
Nov 16 17:55:23 gsm Publish tun user 10.1.15.99 00:50:56:b1:3c:b3.
Nov 16 17:55:23 <-- User bootstrap ack 10.1.15.99 00:50:56:b1:3c:b3 assignedvlan=13 L2=0 S-UAC=N/A idx=-1 status=1:Success.
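
When troubleshooting, the trace-buf lines above can be paired up by script to see which client currently has a tunnel, with which role and VLAN, and which requests never received an acknowledgement. This is an added example, not a controller tool; the first ten log lines are the ones shown above (with terminal line wrapping kept to exercise the re-joining), and the last line is constructed.

```python
import re

# Lines 1-10: the trace-buf output shown above, wrapped as a terminal would.
# Last line: CONSTRUCTED request (MAC 00:50:56:aa:bb:cc) that never gets an ack.
TRACE = """\
Nov 16 17:48:53 gsm Publish tun user 10.1.15.99 00:50:56:b1:3c:b3.
Nov 16 17:48:53 <-- User bootstrap ack 10.1.15.99 00:50:56:b1:3c:b3 assignedvlan=13 L2=0 S-
UAC=N/A idx=-1 status=1:Success.
Nov 16 17:55:23 --> User Unbootstrap Req 10.1.15.99 00:50:56:b1:3c:b3 reason=5, key=1.
Nov 16 17:55:23 sos User tunnel removed 10.1.15.99 00:50:56:b1:3c:b3 tunnel 10.
Nov 16 17:55:23 gsm Delete tun user 10.1.15.99 00:50:56:b1:3c:b3.
Nov 16 17:55:23 <-- User Unbootstrap Ack 10.1.15.99 00:50:56:b1:3c:b3 key=1 status=1:Success.
Nov 16 17:55:23 --> User bootstrap req 10.1.15.99 00:50:56:b1:3c:b3 rsvd-vid=1 vlan=1000
key=1 role=authenticated flags=6 mtu=1500 server=0.0.0.0.
Nov 16 17:55:23 sos User tunnel created 10.1.15.99 00:50:56:b1:3c:b3 dormant=0 tunnel 10.
Nov 16 17:55:23 gsm Publish tun user 10.1.15.99 00:50:56:b1:3c:b3.
Nov 16 17:55:23 <-- User bootstrap ack 10.1.15.99 00:50:56:b1:3c:b3 assignedvlan=13 L2=0 S-
UAC=N/A idx=-1 status=1:Success.
Nov 16 17:58:02 --> User bootstrap req 10.1.15.99 00:50:56:aa:bb:cc rsvd-vid=1 vlan=1000 key=1 role=authenticated flags=6 mtu=1500 server=0.0.0.0.
"""

TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
# src is '-->', '<--' or a short tag (gsm, sos); node is the switch's UBT source IP.
LINE_RE = re.compile(
    rf"^(?P<ts>{TS}) (?P<src>-->|<--|\w+) (?P<event>.+?) "
    r"(?P<node>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]{17})(?P<rest>.*?)\.?$")
KV_RE = re.compile(r"([\w-]+)=([^\s,]+)")


def unwrap(text):
    """Re-join wrapped lines: a line without a leading timestamp continues the
    previous one (no space is inserted after a trailing hyphen, as in 'S-UAC')."""
    out = []
    for line in text.splitlines():
        if re.match(TS, line) or not out:
            out.append(line.strip())
        else:
            out[-1] += ("" if out[-1].endswith("-") else " ") + line.strip()
    return out


def parse(text):
    """Return one dict per log line: ts, src, event, node, mac, fields."""
    events = []
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["event"] = ev["event"].lower()
            ev["fields"] = dict(KV_RE.findall(ev.pop("rest")))
            events.append(ev)
    return events


def reconstruct(events):
    """Pair req/ack per (tunneled node, client MAC); return (state, problems)."""
    pending, state, problems = {}, {}, []
    for ev in events:
        words = ev["event"].split()
        if len(words) != 3 or words[0] != "user" or words[2] not in ("req", "ack"):
            continue                  # publish/delete/tunnel lines are not needed here
        who, kind = (ev["node"], ev["mac"]), words[1]
        if words[2] == "req":
            pending[(who, kind)] = ev
            continue
        req = pending.pop((who, kind), None)   # None: req already left the buffer
        status = ev["fields"].get("status")
        if status != "1:Success":
            problems.append((ev["ts"], ev["mac"], f"{kind} ack: {status}"))
        elif kind == "bootstrap":
            state[who] = {"tunneled": True,
                          "assigned_vlan": int(ev["fields"]["assignedvlan"]),
                          "role": req["fields"].get("role") if req else None}
        else:
            state[who] = {"tunneled": False}
    for (who, kind), req in pending.items():
        problems.append((req["ts"], who[1], f"{kind} req without ack"))
    return state, problems


if __name__ == "__main__":
    state, problems = reconstruct(parse(TRACE))
    print(state)
    print(problems)
```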

12. Check how many licenses are consumed by the VSF stack on the MC. One or more?

(T1-MC) [mynode] #show license-usage ap

AP Licenses
-----------
Type Number
---- ------
AP Licenses 16
PEF Licenses 16
Controller License True
Overall AP License Limit 16

AP Usage
--------
Type Count
---- -----
Active CAPs 0
Standby CAPs [Counted Against Total] 0
Active RAPs 0
Remote-node APs 0
Active MUX 0
Active PUTN 1
Total APs 1

Remaining AP Capacity
---------------------
Type Number
---- ------
CAPs 15
RAPs 15

13. This step only points out that you can also use a downloadable role, so that you don’t need to
configure the role and tunnel settings on the switch.
The Aruba-CPPM-role setting is attached for reference. You don’t need to do this optional lab.

Note: Configuration for Downloadable role in ClearPass


config terminal
vlan 1000
ubt-client-vlan 1000
ubt zone test-1 vrf default
primary-controller ip <10.1.X4.100>
enable
exit
port-access role tunnel-mc-1
gateway-zone zone test-1 gateway-role authenticated
exit

14. Save the configurations to checkpoint Lab5-done.

TX-6300-A(config)# exit
TX-6300-A# write memory
Configuration changes will take time to process, please be patient.
TX-6300-A# copy running-config checkpoint Lab5-done-[student-name]
Configuration changes will take time to process, please be patient

TX-8325-A(config)# exit
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint Lab5-done-[student-name]
Configuration changes will take time to process, please be patient.

TX-8325-B(config)# exit
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint Lab5-done-[student-name]
Configuration changes will take time to process, please be patient.

You have completed Lab 5!


Lab 6: Configuring Static L2 VXLAN


In this lab, you will configure Switches 8325-A and 8325-B to act as VXLAN VTEPs, providing L2
connectivity for the 6300s.
You will start configuring a routing environment that will transport VXLAN Packets, and you will then
configure a VXLAN interface and configure your switches to act as VTEPs to your Virtual Network
Identifier (VNI).

Physical Diagram


Logical Diagram


Task 1: Prepare the Base Config for the Lab


Objectives
– Setup a routing environment to Transport VXLAN traffic

Steps
Open a console connection to the TX-6300-A, TX-6300-B, TX-8325-A, TX-8325-B, and
TX-8325-Core switches.
Revert the above switches to factory default.
a. On TX-6300-A

TX-6300-A(config)# no vsf member 1


The master switch will be unconfigured and the secondary
switch will become the master
Do you want to continue (y/n)? y

After the switch reboots login using the following credentials:

Username: admin
Password: <blank> <hit enter>

b. On TX-6300-B

TX-6300-A(config)# no vsf member 2


Unconfiguring the primary switch of the stack without a standby
will make the stack unusable
Do you want to continue (y/n)? y

After the switch reboots login using the following credentials:

Username: admin
Password: <blank> <hit enter>

Note. If your Access switches are not part of VSF then you will have to erase the
configuration using the following commands:

TX-6300-A# erase startup-config


TX-6300-A# boot system
Do you want to save the current configuration (y/n)? n ### don’t save the configuration
This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y

c. On TX-8325-A

TX-8325-A# copy checkpoint ZERO running-config

d. On TX-8325-B


TX-8325-B# copy checkpoint ZERO running-config

e. On TX-8325-Core

TX-8325-Core# copy checkpoint ZERO running-config

Note. If there is no ZERO checkpoint, then enter the following commands:

TX-8325# erase startup-config


TX-8325# boot system
Do you want to save the current configuration (y/n)? n ### don’t save the configuration
This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y

Shutdown the unused ports, disable spanning-tree and set the admin account on TX-6300-A
6300(config)# hostname TX-6300-A
TX-6300-A(config)# no spanning-tree
TX-6300-A(config)# interface 1/1/1
TX-6300-A(config-if)# shutdown
TX-6300-A(config-if)# exit
TX-6300-A(config)# interface 1/1/21-1/1/22
TX-6300-A(config-if-<1/1/21-1/1/22>)# shutdown
TX-6300-A(config-if-<1/1/21-1/1/22>)# exit
TX-6300-A(config)# interface 1/1/26-1/1/28
TX-6300-A(config-if-<1/1/26-1/1/28>)# shutdown
TX-6300-A(config-if-<1/1/26-1/1/28>)# exit
TX-6300-A(config)# user admin password
Enter password: admin
Confirm password: admin
TX-6300-A(config)# session-timeout 0

Shutdown the unused ports, disable spanning-tree and set the admin account on TX-6300-B
6300(config)# hostname TX-6300-B
TX-6300-B(config)# no spanning-tree
TX-6300-B(config)# interface 1/1/1
TX-6300-B(config-if)# shutdown
TX-6300-B(config-if)# exit
TX-6300-B(config)# interface 1/1/21-1/1/22
TX-6300-B(config-if-<1/1/21-1/1/22>)# shutdown
TX-6300-B(config-if-<1/1/21-1/1/22>)# exit
TX-6300-B(config)# interface 1/1/25
TX-6300-B(config-if)# shutdown
TX-6300-B(config-if)# exit
TX-6300-B(config)# interface 1/1/27-1/1/28
TX-6300-B(config-if-<1/1/27-1/1/28>)# shutdown
TX-6300-B(config-if-<1/1/27-1/1/28>)# exit
TX-6300-B(config)# user admin password
Enter password: admin
Confirm password: admin
TX-6300-B(config)# session-timeout 0


Configure TX-8325-A Uplinks and shutdown unused ports.

Note: If there was no ZERO checkpoint and you erased the configuration, please enter the
following commands:

8325 login: admin


Password: <Hit enter>

8325# configure terminal


8325(config)# hostname TX-8325-A # X = Table number
TX-8325-A(config)# user admin password
Enter password: admin
Confirm password: admin
TX-8325-A(config)# session-timeout 0
TX-8325-A(config)# system interface-group 1 speed 10g
Continue (y/n)? y

TX-8325-A(config)# interface 1/1/1-1/1/56


TX-8325-A(config-if-<1/1/1-1/1/56>)# shutdown
TX-8325-A(config-if-<1/1/1-1/1/56>)# exit
TX-8325-A(config)# interface 1/1/1,1/1/48
TX-8325-A(config-if-<1/1/1,1/1/48>)# no shutdown
TX-8325-A(config-if-<1/1/1,1/1/48>)# exit
TX-8325-A(config)# system interface-group 1 speed 10g

TX-8325-A(config)# vlan (10+X)01,(10+X)02


TX-8325-A(config-vlan-<1101,1102>)# exit
TX-8325-A(config)# interface vlan (10+X)01
TX-8325-A(config-if-vlan)# ip address 10.1.X8.1/30
TX-8325-A(config-if-vlan)# no shutdown
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# interface vlan (10+X)02
TX-8325-A(config-if-vlan)# ip address 10.1.X8.5/30
TX-8325-A(config-if-vlan)# no shutdown
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# interface 1/1/48
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan trunk allowed (10+X)01, (10+X)02
TX-8325-A(config-if)# no shutdown

Configure TX-8325-B uplinks and shut down unused ports.

Note: If there was no ZERO checkpoint and you erased the configuration, enter the
following commands:

8325 login: admin
Password: <Hit enter>
8325# configure terminal
8325(config)# hostname TX-8325-B # X = Table number
TX-8325-B(config)# user admin password
Enter password: admin
Confirm password: admin
TX-8325-B(config)# session-timeout 0
TX-8325-B(config)# system interface-group 1 speed 10g
Continue (y/n)? y

TX-8325-B(config)# interface 1/1/1-1/1/56
TX-8325-B(config-if-<1/1/1-1/1/56>)# shutdown
TX-8325-B(config-if-<1/1/1-1/1/56>)# exit
TX-8325-B(config)# interface 1/1/2,1/1/48
TX-8325-B(config-if-<1/1/2,1/1/48>)# no shutdown
TX-8325-B(config-if-<1/1/2,1/1/48>)# exit
TX-8325-B(config)# system interface-group 1 speed 10g

TX-8325-B(config)# vlan (10+X)03,(10+X)04
TX-8325-B(config-vlan-<1103,1104>)# exit
TX-8325-B(config)# interface vlan (10+X)03
TX-8325-B(config-if-vlan)# ip address 10.1.X8.9/30
TX-8325-B(config-if-vlan)# no shutdown
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# interface vlan (10+X)04
TX-8325-B(config-if-vlan)# ip address 10.1.X8.13/30
TX-8325-B(config-if-vlan)# no shutdown
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# interface 1/1/48
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan trunk allowed (10+X)03, (10+X)04
TX-8325-B(config-if)# no shutdown

Configure routing on TX-8325-A

TX-8325-A(config)# interface loopback 0
TX-8325-A(config-if)# ip address 10.1.X7.2/32
TX-8325-A(config-if)# exit
TX-8325-A(config)# router ospf 1
TX-8325-A(config-ospf-1)# router-id 10.1.X7.2
TX-8325-A(config-ospf-1)# area 0
TX-8325-A(config-ospf-1)# enable
TX-8325-A(config-ospf-1)# exit
TX-8325-A(config)# interface loop 0
TX-8325-A(config-loopback-if)# ip ospf 1 area 0
TX-8325-A(config-loopback-if)# exit
TX-8325-A(config)# interface vlan (10+X)01
TX-8325-A(config-if-vlan)# ip ospf 1 area 0
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# interface vlan (10+X)02
TX-8325-A(config-if-vlan)# ip ospf 1 area 0

Configure routing on TX-8325-B

TX-8325-B(config)# interface loopback 0
TX-8325-B(config-if)# ip address 10.1.X7.3/32
TX-8325-B(config-if)# exit
TX-8325-B(config)# router ospf 1
TX-8325-B(config-ospf-1)# router-id 10.1.X7.3
TX-8325-B(config-ospf-1)# area 0
TX-8325-B(config-ospf-1)# enable
TX-8325-B(config-ospf-1)# exit
TX-8325-B(config)# interface loop 0
TX-8325-B(config-loopback-if)# ip ospf 1 area 0
TX-8325-B(config-loopback-if)# exit
TX-8325-B(config)# interface vlan (10+X)03
TX-8325-B(config-if-vlan)# ip ospf 1 area 0
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# interface vlan (10+X)04
TX-8325-B(config-if-vlan)# ip ospf 1 area 0

Create a VLAN for ‘hosts’ on TX-8325-A

TX-8325-A(config)# vlan X0 # X = Table number
TX-8325-A(config-vlan-10)# exit
TX-8325-A(config)# interface 1/1/1
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan access X0
TX-8325-A(config-if)# no shutdown

Create a VLAN for ‘hosts’ on TX-8325-B

TX-8325-B(config)# vlan X0 # X = Table number
TX-8325-B(config-vlan-10)# exit
TX-8325-B(config)# interface 1/1/2
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan access X0
TX-8325-B(config-if)# no shutdown

Connect to the TX-8325-Core switch and configure it as an L2 switch that connects the leaf
switches to the spines.

Note: If there was no ZERO checkpoint and you erased the configuration, enter the
following commands:

8325 login: admin
Password: <Hit enter>
8325# configure terminal
8325(config)# hostname TX-8325-Core # X = Table number
TX-8325-Core(config)# user admin password
Enter password: admin
Confirm password: admin
TX-8325-Core(config)# session-timeout 0

TX-8325-Core(config)# interface 1/1/1-1/1/56
TX-8325-Core(config-if-<1/1/1-1/1/56>)# shutdown
TX-8325-Core(config-if-<1/1/1-1/1/56>)# exit
TX-8325-Core(config)# vlan (10+X)01,(10+X)02,(10+X)03,(10+X)04
TX-8325-Core(config-vlan-<1101,1102,1103,1104>)# exit
TX-8325-Core(config)# interface 1/1/47
TX-8325-Core(config-if)# no routing
TX-8325-Core(config-if)# vlan trunk allowed (10+X)01,(10+X)03
TX-8325-Core(config-if)# no shutdown
TX-8325-Core(config-if)# exit
TX-8325-Core(config)# interface 1/1/48
TX-8325-Core(config-if)# no routing
TX-8325-Core(config-if)# vlan trunk allowed (10+X)02,(10+X)04
TX-8325-Core(config-if)# no shutdown
TX-8325-Core(config-if)# exit
TX-8325-Core(config)# interface 1/1/1
TX-8325-Core(config-if)# no routing
TX-8325-Core(config-if)# vlan trunk allowed (10+X)01,(10+X)02
TX-8325-Core(config-if)# no shutdown
TX-8325-Core(config-if)# exit
TX-8325-Core(config)# interface 1/1/2
TX-8325-Core(config-if)# no routing
TX-8325-Core(config-if)# vlan trunk allowed (10+X)03,(10+X)04
TX-8325-Core(config-if)# no shutdown

TX-6300-A will act as a client in this topology. Enter the following configuration:

TX-6300-A# configure terminal
TX-6300-A(config)# interface vlan 1
TX-6300-A(config-if)# no ip dhcp
TX-6300-A(config-if)# ip address 10.1.X0.1/24
TX-6300-A(config-if)# exit
TX-6300-A(config)# interface 1/1/25
TX-6300-A(config-if)# no routing
TX-6300-A(config-if)# no shutdown
TX-6300-A(config-if)# exit
TX-6300-A(config)# interface 1/1/27
TX-6300-A(config-if)# shutdown

TX-6300-B will act as a client in this topology. Enter the following configuration:

TX-6300-B# configure terminal
TX-6300-B(config)# interface vlan 1
TX-6300-B(config-if)# no ip dhcp
TX-6300-B(config-if)# ip address 10.1.X0.2/24
TX-6300-B(config-if)# exit
TX-6300-B(config)# interface 1/1/26
TX-6300-B(config-if)# no routing
TX-6300-B(config-if)# no shutdown
TX-6300-B(config-if)# exit
TX-6300-B(config)# interface 1/1/27
TX-6300-B(config-if)# shutdown

Check that TX-8325-A and TX-8325-B have OSPF routes to each other through the Spine
switches.

TX-8325-A# show ip route ospf

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

10.1.7.2/32, vrf default
    via 10.1.18.6, [110/100], ospf
10.1.7.254/32, vrf default
    via 10.1.18.2, [110/200], ospf
    via 10.1.18.6, [110/200], ospf
10.1.7.1/32, vrf default
    via 10.1.18.2, [110/100], ospf
10.1.17.3/32, vrf default
    via 10.1.18.2, [110/200], ospf
    via 10.1.18.6, [110/200], ospf
<<<Omitted output>>>

TX-8325-B# show ip ospf neighbors
OSPF Process ID 1 VRF default
==============================

Total Number of Neighbors: 2

Neighbor ID      Priority  State       Nbr Address      Interface
-------------------------------------------------------------------------
10.1.7.1         1         FULL/BDR    10.1.18.10       vlan1103
10.1.7.2         1         FULL/BDR    10.1.18.14       vlan1104

Test communication from TX-8325-A to TX-8325-B

TX-8325-A(config-if)# end
TX-8325-A# ping 10.1.X7.3
PING 10.1.17.3 (10.1.17.3) 100(128) bytes of data.
108 bytes from 10.1.17.3: icmp_seq=1 ttl=63 time=0.125 ms
108 bytes from 10.1.17.3: icmp_seq=2 ttl=63 time=0.210 ms
108 bytes from 10.1.17.3: icmp_seq=3 ttl=63 time=0.179 ms
108 bytes from 10.1.17.3: icmp_seq=4 ttl=63 time=0.239 ms
108 bytes from 10.1.17.3: icmp_seq=5 ttl=63 time=0.125 ms

Create a configuration checkpoint

TX-8325-A
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.

TX-8325-B
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.

TX-6300-A
TX-6300-A# write memory
Configuration changes will take time to process, please be patient.
TX-6300-A# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.

TX-6300-B
TX-6300-B# write memory
Configuration changes will take time to process, please be patient.
TX-6300-B# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.

TX-8325-Core
TX-8325-Core# write memory
Configuration changes will take time to process, please be patient.
TX-8325-Core# copy running-config checkpoint VLANX-BASE-XX < XX = your initials
Configuration changes will take time to process, please be patient.

Task 2: VXLAN Configuration

Objectives
– Configure Switches 8325-A and 8325-B as VTEPs
– Create VXLAN tunnels between 8325-A and 8325-B.

Steps

Create and enable VXLAN interface on both leaf switches.

TX-8325-A
TX-8325-A(config)# interface vxlan 1
TX-8325-A(config-vxlan-if)# no shutdown

TX-8325-B
TX-8325-B(config)# interface vxlan 1
TX-8325-B(config-vxlan-if)# no shutdown

Configure source IP for VXLAN tunnels

TX-8325-A
TX-8325-A(config-vxlan-if)# source ip 10.1.X7.2

TX-8325-B
TX-8325-B(config-vxlan-if)# source ip 10.1.X7.3

Create a VXLAN VNI

TX-8325-A
TX-8325-A(config-vxlan-if)# vni 1000+X

TX-8325-B
TX-8325-B(config-vxlan-if)# vni 1000+X

Configure a VTEP peer for your VNI

TX-8325-A
TX-8325-A(config-vni-1001)# vtep-peer 10.1.X7.3

TX-8325-B
TX-8325-B(config-vni-1001)# vtep-peer 10.1.X7.2

Map vlan X0 to your VNI on both leaf switches

TX-8325-A
TX-8325-A(config-vni-1001)# vlan X0

TX-8325-B
TX-8325-B(config-vni-1001)# vlan X0

Open a console connection to TX-6300-A and start a ping to 10.1.X0.2. The ping should succeed.
Also verify the ARP mapping to the remote client.

TX-6300-A# ping 10.1.10.2
PING 10.1.10.2 (10.1.10.2) 100(128) bytes of data.
108 bytes from 10.1.10.2: icmp_seq=1 ttl=64 time=0.188 ms
108 bytes from 10.1.10.2: icmp_seq=2 ttl=64 time=0.184 ms
108 bytes from 10.1.10.2: icmp_seq=3 ttl=64 time=0.182 ms
108 bytes from 10.1.10.2: icmp_seq=4 ttl=64 time=0.183 ms
108 bytes from 10.1.10.2: icmp_seq=5 ttl=64 time=0.184 ms

TX-6300-A# show arp

IPv4 Address     MAC                  Port     Physical Port    State
---------------------------------------------------------------------------
10.1.10.2        88:3a:30:97:0a:00    vlan1    1/1/25           reachable

Total Number Of ARP Entries Listed- 1.
-------------------------------------------------------------------------------

Verify interface VXLAN

TX-8325-A
TX-8325-A(config)# show interface vxlan1
Interface vxlan1 is up
Admin state is up
Description:
Underlay VRF: default
Destination UDP port: 4789
VTEP source IPv4 address: 10.1.17.2

VNI        VLAN   VTEP Peers        Origin
---------- ------ ----------------- --------
1001       10     10.1.17.3         static

TX-8325-B
TX-8325-B(config)# show interface vxlan1
Interface vxlan1 is up
Admin state is up
Description:
Underlay VRF: default
Destination UDP port: 4789
VTEP source IPv4 address: 10.1.17.3

VNI        VLAN   VTEP Peers        Origin
---------- ------ ----------------- --------
1001       10     10.1.17.2         static

Verify VXLAN VTEPs

TX-8325-A
TX-8325-A(config)# show interface vxlan vteps
Source Destination Origin Status VNI VLAN
---------------- ---------------- ------------ --------------------- --------- ----
10.1.17.2 10.1.17.3 static operational 1001 10

TX-8325-B
TX-8325-B(config)# show interface vxlan vteps
Source Destination Origin Status VNI VLAN
---------------- ---------------- ------------ --------------------- --------- ----
10.1.17.3 10.1.17.2 static operational 1001 10

Verify MAC addresses learned

TX-8325-A# show mac-address-table
MAC age-time            : 300 seconds
Number of MAC addresses : 5

MAC Address          VLAN     Type       Port
--------------------------------------------------------------
88:3a:30:97:a6:10    10       dynamic    1/1/1
88:3a:30:97:0a:00    10       dynamic    vxlan1(10.1.17.3)
88:3a:30:97:a6:00    10       dynamic    1/1/1
90:20:c2:bc:a8:00    1101     dynamic    1/1/48
90:20:c2:bb:8b:00    1102     dynamic    1/1/48

Save your configuration.

TX-8325-A
TX-8325-A(config)# end
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint VXLAN-XX < XX = your initials
Configuration changes will take time to process, please be patient.

TX-8325-B
TX-8325-B(config)# end
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint VXLAN-XX < XX = your initials
Configuration changes will take time to process, please be patient.

You have completed the lab!

Lab 7: EVPN
In this lab, you will configure switches TX-8325-A and TX-8325-B as a VSX pair acting as a leaf switch
in a spine-and-leaf topology. VXLAN tunnels will transport L2 frames across the routed network. As
learned in the previous lab, creating tunnels manually can be overwhelming for the IT team. In this
lab you will configure EVPN and MP-BGP, allowing the switches to dynamically create VTEP peers and
VXLAN tunnels.

Network Diagram

Task 1: Setup Environment


Objectives
– Revert switches 8325-A and 8325-B to the previous checkpoint

Steps
Open a console connection to Switches TX-8325-A, TX-8325-B.
Revert switches TX-8325-A and TX-8325-B to checkpoint VLANX-BASE-XX < XX = your
initials

TX-8325-A
TX-8325-A# copy checkpoint VLANX-BASE-XX running-config < XX = your initials
Configuration changes will take time to process, please be patient.

TX-8325-B
TX-8325-B# copy checkpoint VLANX-BASE-XX running-config < XX = your initials
Configuration changes will take time to process, please be patient.

Configure interfaces for VSX and keepalive

TX-8325-A
TX-8325-A# configure terminal
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# description VSX-ISL
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan trunk allow all
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# exit
TX-8325-A(config)# interface 1/1/47
TX-8325-A(config-if)# description VSX-KA
TX-8325-A(config-if)# ip address 10.1.X8.41/30
TX-8325-A(config-if)# no shutdown

TX-8325-B
TX-8325-B# configure terminal
TX-8325-B(config)# interface 1/1/46
TX-8325-B(config-if)# description VSX-ISL
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan trunk allow all
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# exit
TX-8325-B(config)# interface 1/1/47
TX-8325-B(config-if)# description VSX-KA
TX-8325-B(config-if)# ip address 10.1.X8.42/30
TX-8325-B(config-if)# no shutdown

Configure VSX

TX-8325-A
TX-8325-A(config)# vsx
TX-8325-A(config-vsx)# inter-switch-link 1/1/46
TX-8325-A(config-vsx)# role primary
TX-8325-A(config-vsx)# keepalive peer 10.1.X8.42 source 10.1.X8.41

TX-8325-B
TX-8325-B(config)# vsx
TX-8325-B(config-vsx)# inter-switch-link 1/1/46
TX-8325-B(config-vsx)# role secondary
TX-8325-B(config-vsx)# keepalive peer 10.1.X8.41 source 10.1.X8.42

Configure VLAN <Z> from your pair table. Use the following table for reference.

Table number    VLAN <Z>
Table 1         20
Table 2         10
Table 3         40
Table 4         30
Table 5         60
Table 6         50
Table 7         80
Table 8         70
Table 9         100
Table 10        90
Table 11        120
Table 12        110
Table 13        140
Table 14        130

TX-8325-A
TX-8325-A(config)# vlan <Z> ## Please refer to the previous table

TX-8325-B
TX-8325-B(config)# vlan <Z> ## Please refer to the previous table
TX-8325-B(config)# interface 1/1/2
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan access <Z>

Create a new loopback interface

TX-8325-A
TX-8325-A(config)# interface loopback 1
TX-8325-A(config-if)# ip address 10.1.X7.10/32
TX-8325-A(config-if)# ip ospf 1 area 0

TX-8325-B
TX-8325-B(config)# interface loopback 1
TX-8325-B(config-if)# ip address 10.1.X7.10/32
TX-8325-B(config-if)# ip ospf 1 area 0

Configure 6300-B to simulate a client in VLAN <Z>

TX-6300-B
TX-6300-B(config)# interface vlan 1
TX-6300-B(config-if)# ip address 10.1.<Z>.11/24

Task 2: Configure L2 EVPN


Objectives
– Configure BGP
– Create a VXLAN Interface without VTEPs
– Configure EVPN on 8325-A and 8325-B to dynamically create VTEPs

Steps

Configure EVPN on leaf switches (TX-8325-A and TX-8325-B)

TX-8325-A
TX-8325-A(config)# evpn
TX-8325-A(config-evpn)# vlan X0
TX-8325-A(config-evpn-vlan-X0)# rd auto
TX-8325-A(config-evpn-vlan-X0)# route-target both auto
TX-8325-A(config-evpn-vlan-X0)# exit
TX-8325-A(config-evpn)# vlan <Z>
TX-8325-A(config-evpn-vlan-<Z>)# rd auto
TX-8325-A(config-evpn-vlan-<Z>)# route-target both auto
TX-8325-A(config-evpn-vlan-<Z>)# exit
TX-8325-A(config-evpn)# exit

TX-8325-B
TX-8325-B(config)# evpn
TX-8325-B(config-evpn)# vlan X0
TX-8325-B(config-evpn-vlan-X0)# rd auto
TX-8325-B(config-evpn-vlan-X0)# route-target both auto
TX-8325-B(config-evpn-vlan-X0)# exit
TX-8325-B(config-evpn)# vlan <Z>
TX-8325-B(config-evpn-vlan-<Z>)# rd auto
TX-8325-B(config-evpn-vlan-<Z>)# route-target both auto
TX-8325-B(config-evpn-vlan-<Z>)# exit
TX-8325-B(config-evpn)# exit

Configure VXLAN on leaf switches (TX-8325-A and TX-8325-B)


Table-X    VLAN X0    VNI-(1000+X)+VID    VLAN <Z>    VNI-(1000+Z)+VID
1          10         100110              20          100220
2          20         100220              10          100110
3          30         100330              40          100440
4          40         100440              30          100330
5          50         100550              60          100660
6          60         100660              50          100550
7          70         100770              80          100880
8          80         100880              70          100770
9          90         100990              100         1010100
10         100        1010100             90          100990
11         110        1011110             120         1012120
12         120        1012120             110         1011110

TX-8325-A
TX-8325-A(config)# interface vxlan 1
TX-8325-A(config-vxlan-if)# source ip 10.1.X7.10
TX-8325-A(config-vxlan-if)# no shutdown
TX-8325-A(config-vxlan-if)# vni (1000+X)+VID ####Please see table above
TX-8325-A(config-vni-100110)# vlan X0
TX-8325-A(config-vni-100110)# exit
TX-8325-A(config-vxlan-if)# vni (1000+Z)+VID ####Please see table above
TX-8325-A(config-vni-100220)# vlan <Z>
TX-8325-A(config-vni-100220)# exit
TX-8325-A(config-vxlan-if)# exit

TX-8325-B
TX-8325-B(config)# interface vxlan 1
TX-8325-B(config-vxlan-if)# source ip 10.1.X7.10
TX-8325-B(config-vxlan-if)# no shutdown
TX-8325-B(config-vxlan-if)# vni (1000+X)+VID ####Please see table above
TX-8325-B(config-vni-100110)# vlan X0
TX-8325-B(config-vni-100110)# exit
TX-8325-B(config-vxlan-if)# vni (1000+Z)+VID ####Please see table above
TX-8325-B(config-vni-100220)# vlan <Z>
TX-8325-B(config-vni-100220)# exit
TX-8325-B(config-vxlan-if)# exit
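
The VNI table above follows one rule, shown here as an added example (not part of the lab guide): the VNI is the digits of 1000 plus the table number followed by the digits of that table's host VLAN, and both tables of a pair must map each VLAN to the same VNI. Reading the header's "(1000+Z)" as 1000 plus the pair table's number is an assumption taken from the table's values; the function names are hypothetical.

```python
VNI_MAX = 2**24 - 1   # the VXLAN header carries a 24-bit VNI
VLAN_MAX = 4094       # highest usable 802.1Q VLAN ID


def pair_table(table):
    """Tables are paired 1<->2, 3<->4, ... as in the VLAN <Z> table."""
    if table < 1:
        raise ValueError("table numbers start at 1")
    return table + 1 if table % 2 else table - 1


def vlan_for(table):
    """Host VLAN 'X0' of a table: the table number followed by a 0."""
    vlan = table * 10
    if vlan > VLAN_MAX:
        raise ValueError(f"VLAN {vlan} is outside 1-{VLAN_MAX}")
    return vlan


def vni_for(table):
    """VNI '(1000+X)+VID': digits of 1000+X followed by the VLAN digits."""
    vni = int(f"{1000 + table}{vlan_for(table)}")
    if vni > VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return vni


def plan(table):
    """(VLAN, VNI) for the table's own VLAN X0, then for its pair's VLAN <Z>."""
    other = pair_table(table)
    return [(vlan_for(table), vni_for(table)),
            (vlan_for(other), vni_for(other))]


def render_vxlan(table):
    """The lab's 'interface vxlan 1' command sequence for one table."""
    octet = int(f"{table}7")          # third octet 'X7' of 10.1.X7.10
    if octet > 255:
        raise ValueError(f"10.1.{octet}.10 is not a valid IPv4 address")
    lines = ["interface vxlan 1", f"source ip 10.1.{octet}.10", "no shutdown"]
    for vlan, vni in plan(table):
        lines += [f"vni {vni}", f"vlan {vlan}", "exit"]
    lines.append("exit")
    return lines


def pair_is_consistent(table):
    """True when a table and its pair map every shared VLAN to the same VNI."""
    return dict(plan(table)) == dict(plan(pair_table(table)))


if __name__ == "__main__":
    for command in render_vxlan(1):
        print(command)
```

A mismatch in the VLAN-to-VNI mapping between the two VSX pairs leaves each side with tunnels that never carry the other side's hosts, so `pair_is_consistent` is worth running before the commands are entered.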

Configure MP-BGP on leaf switches (TX-8325-A and TX-8325-B)

TX-8325-A
TX-8325-A(config)# router bgp 100
TX-8325-A(config-bgp)# neighbor 10.1.7.1 remote-as 100
TX-8325-A(config-bgp)# neighbor 10.1.7.1 update-source loopback 0
TX-8325-A(config-bgp)# neighbor 10.1.7.2 remote-as 100
TX-8325-A(config-bgp)# neighbor 10.1.7.2 update-source loopback 0
TX-8325-A(config-bgp)# address-family l2vpn evpn
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 activate
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 send-community extended
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 activate
TX-8325-A(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 send-community extended
TX-8325-A(config-bgp-l2vpn-evpn)# exit

TX-8325-B
TX-8325-B(config)# router bgp 100
TX-8325-B(config-bgp)# neighbor 10.1.7.1 remote-as 100
TX-8325-B(config-bgp)# neighbor 10.1.7.1 update-source loopback 0
TX-8325-B(config-bgp)# neighbor 10.1.7.2 remote-as 100
TX-8325-B(config-bgp)# neighbor 10.1.7.2 update-source loopback 0
TX-8325-B(config-bgp)# address-family l2vpn evpn
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 activate
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.1 send-community extended
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 activate
TX-8325-B(config-bgp-l2vpn-evpn)# neighbor 10.1.7.2 send-community extended
TX-8325-B(config-bgp-l2vpn-evpn)# exit

Verify your BGP Neighbors

TX-8325-A# show bgp l2vpn evpn summary

VRF : default
BGP Summary
-----------
Local AS : 100 BGP Router Identifier : 10.1.17.10
Peers : 2 Log Neighbor Changes : No
Cfg. Hold Time : 180 Cfg. Keep Alive : 60

Neighbor     Remote-AS  MsgRcvd  MsgSent  Up/Down Time  State        AdminStatus
10.1.7.1     100        7        7        00h:01m:36s   Established  Up
10.1.7.2     100        7        7        00h:01m:11s   Established  Up

Verify your VXLAN Interface

TX-8325-A# show interface vxlan

Interface vxlan1 is up
Admin state is up
Description:
Underlay VRF: default
Destination UDP port: 4789
VTEP source IPv4 address: 10.1.17.1

VNI        VLAN   VTEP Peers        Origin
---------- ------ ----------------- --------
100110     10     10.1.27.10        evpn
100220     20     10.1.27.10        evpn

Start a ping from your 6300-A to the pair table's 6300-B. Since both are in the same VLAN, the ping
will cross the VXLAN tunnel to the pair VSX leaf. The ping should succeed.
TX-6300-A# ping 10.1.X0.11
PING 10.1.10.11 (10.1.10.11) 100(128) bytes of data.
108 bytes from 10.1.10.11: icmp_seq=1 ttl=63 time=0.125 ms
108 bytes from 10.1.10.11: icmp_seq=2 ttl=63 time=0.210 ms
108 bytes from 10.1.10.11: icmp_seq=3 ttl=63 time=0.179 ms
108 bytes from 10.1.10.11: icmp_seq=4 ttl=63 time=0.239 ms
108 bytes from 10.1.10.11: icmp_seq=5 ttl=63 time=0.125 ms

Verify the switches' mac-address-table

a. Did you find the MAC address of the remote TZ-6300 switch on the TX-8325 switch?
_______________________________________________________________
TX-8325-A# show mac-address-table
MAC age-time            : 300 seconds
Number of MAC addresses : 13

MAC Address          VLAN     Type       Port
--------------------------------------------------------------
90:20:c2:bc:ec:00    1        dynamic    1/1/46
88:3a:30:97:f7:4f    10       evpn       vxlan1(10.1.27.10)
88:3a:30:97:f7:40    10       evpn       vxlan1(10.1.27.10)
90:20:c2:bc:ec:00    10       dynamic    1/1/46
88:3a:30:97:a6:00    10       dynamic    1/1/1
88:3a:30:97:a6:10    10       dynamic    1/1/1
88:3a:30:97:b4:10    20       evpn       vxlan1(10.1.27.10)
88:3a:30:97:b4:00    20       evpn       vxlan1(10.1.27.10)
88:3a:30:97:0a:0f    20       dynamic    1/1/46
88:3a:30:97:0a:00    20       dynamic    1/1/46
90:20:c2:bc:ec:00    20       dynamic    1/1/46
90:20:c2:bc:a8:00    1101     dynamic    1/1/48
90:20:c2:bb:8b:00    1102     dynamic    1/1/48
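
The check behind question (a), as an added example that is not part of the lab guide: it parses the `show mac-address-table` output above, lists the MAC addresses learned through each VXLAN tunnel, and reports any MAC that the same VLAN has learned both on a local port and through a tunnel, which points to a duplicate address or a loop. The sample rows are copied from the output above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rows copied from the lab's sample `show mac-address-table` output (table 1).
SAMPLE_OUTPUT = """\
MAC age-time            : 300 seconds
Number of MAC addresses : 13

MAC Address          VLAN     Type       Port
--------------------------------------------------------------
90:20:c2:bc:ec:00    1        dynamic    1/1/46
88:3a:30:97:f7:4f    10       evpn       vxlan1(10.1.27.10)
88:3a:30:97:f7:40    10       evpn       vxlan1(10.1.27.10)
90:20:c2:bc:ec:00    10       dynamic    1/1/46
88:3a:30:97:a6:00    10       dynamic    1/1/1
88:3a:30:97:a6:10    10       dynamic    1/1/1
88:3a:30:97:b4:10    20       evpn       vxlan1(10.1.27.10)
88:3a:30:97:b4:00    20       evpn       vxlan1(10.1.27.10)
88:3a:30:97:0a:0f    20       dynamic    1/1/46
88:3a:30:97:0a:00    20       dynamic    1/1/46
90:20:c2:bc:ec:00    20       dynamic    1/1/46
90:20:c2:bc:a8:00    1101     dynamic    1/1/48
90:20:c2:bb:8b:00    1102     dynamic    1/1/48
"""

ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vlan>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)$",
    re.IGNORECASE,
)
# A tunnel port is printed as vxlan<N>(<remote VTEP IPv4 address>).
TUNNEL = re.compile(r"^vxlan\d+\((?P<vtep>\d{1,3}(?:\.\d{1,3}){3})\)$")


def parse_mac_table(text):
    """Return one dict per table row; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue
        tunnel = TUNNEL.match(row["port"])
        entries.append({
            "mac": row["mac"].lower(),
            "vlan": int(row["vlan"]),
            "type": row["type"].lower(),
            "port": row["port"],
            "vtep": tunnel["vtep"] if tunnel else None,
        })
    return entries


def remote_macs(entries):
    """Map (remote VTEP, VLAN) to the sorted MACs learned through that tunnel."""
    found = defaultdict(set)
    for entry in entries:
        if entry["vtep"]:
            found[(entry["vtep"], entry["vlan"])].add(entry["mac"])
    return {key: sorted(macs) for key, macs in found.items()}


def local_remote_conflicts(entries):
    """List (vlan, mac, local ports, VTEPs) seen on both sides in one VLAN."""
    seen = defaultdict(lambda: {"local": set(), "remote": set()})
    for entry in entries:
        key = (entry["vlan"], entry["mac"])
        if entry["vtep"]:
            seen[key]["remote"].add(entry["vtep"])
        else:
            seen[key]["local"].add(entry["port"])
    return sorted(
        (vlan, mac, sorted(sides["local"]), sorted(sides["remote"]))
        for (vlan, mac), sides in seen.items()
        if sides["local"] and sides["remote"]
    )


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    for (vtep, vlan), macs in sorted(remote_macs(table).items()):
        print(f"VLAN {vlan} via {vtep}: {', '.join(macs)}")
    print("conflicts:", local_remote_conflicts(table))
```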

Check BGP announcements for that MAC-Address

Save your configuration.

TX-8325-A
TX-8325-A(config)# end
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint EVPN1-XX < XX = your initials
Configuration changes will take time to process, please be patient.

TX-8325-B
TX-8325-B(config)# end
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint EVPN1-XX < XX = your initials
Configuration changes will take time to process, please be patient.

Task 3: Configure centralized routing for EVPN


Objectives
– Configure Active-Gateway on ODD VSX pair of 8325s

Steps

ODD TABLES ONLY

Configure Active gateway for VLANs X0 and VLAN <Z> on TX-8325-A and TX-8325-B

TX-8325-A
TX-8325-A(config)# interface vlan X0
TX-8325-A(config-if-vlan)# ip address 10.1.X0.252/24
TX-8325-A(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.X0.254
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# interface vlan <Z>
TX-8325-A(config-if-vlan)# ip address 10.1.<Z>.252/24
TX-8325-A(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-A(config-if-vlan)# active-gateway ip 10.1.<Z>.254

TX-8325-B
TX-8325-B(config)# interface vlan X0
TX-8325-B(config-if-vlan)# ip address 10.1.X0.253/24
TX-8325-B(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.X0.254
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# interface vlan <Z>
TX-8325-B(config-if-vlan)# ip address 10.1.<Z>.253/24
TX-8325-B(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:aa
TX-8325-B(config-if-vlan)# active-gateway ip 10.1.<Z>.254

ODD and EVEN TABLES

Configure default route for TX-6300-A and TX-6300-B

TX-6300-A
TX-6300-A(config)# ip route 0.0.0.0/0 10.1.X0.254

TX-6300-B
TX-6300-B(config)# ip route 0.0.0.0/0 10.1.<Z>.254

Ping from your TX-6300-A to the other table’s TX-6300-A. The ping should be successful.

TX-6300-A# ping 10.1.<Z>.1

Save your configuration.

TX-8325-A
TX-8325-A(config)# end
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint EVPN-L3-XX < XX = your initials
Configuration changes will take time to process, please be patient.

TX-8325-B
TX-8325-B(config)# end
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint EVPN-L3-XX < XX = your initials
Configuration changes will take time to process, please be patient.

You have completed the EVPN Lab!

APPENDIX LAB -A: Configure DCBX (Optional lab)

In this lab, you will configure DCBX and its features such as PFC, APP TLV and ETS.

Objectives
After completing this lab:
• You will have the required knowledge to implement lossless Ethernet queues on AOS-CX
switches.

Task 1: Prepare the Base Config for the Lab

Objectives
– Setup a simple environment to configure DCB

Steps
1. Open a console connection to TX-8325-A and TX-8325-B switches.
2. Revert all switches to checkpoint ZERO.

TX-8325-A# copy checkpoint ZERO running-config

Note. If there is no ZERO checkpoint, then enter the following commands to erase the
configuration:

TX-8325# erase startup-config
TX-8325# boot system
Do you want to save the current configuration (y/n)? n ### don’t save the configuration
This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? y

After a few minutes, log in using the following credentials:

8325 login: admin
Password: <Hit enter>

Enter the following commands:

8325# configure terminal
8325(config)# hostname TX-8325-Y # X = Table number, Y = A or B
TX-8325-Y(config)# user admin password
Enter password: admin
Confirm password: admin
TX-8325-Y(config)# session-timeout 0
TX-8325-Y(config)# system interface-group 1 speed 10g
Continue (y/n)? y

Task 2: Enabling DCBX

Objectives
– Enable DCBX on required interfaces.

Steps
1. Open a console connection to both TX-8325-A and TX-8325-B switches.
2. Check LLDP status.

TX-8325-A# show lldp configuration

LLDP Global Configuration
=========================

LLDP Enabled                 : Yes
LLDP Transmit Interval       : 30
LLDP Hold Time Multiplier    : 4
LLDP Transmit Delay Interval : 2
LLDP Reinit Time Interval    : 2

TLVs Advertised
===============

Management Address
Port Description
Port VLAN-ID
System Capabilities
System Description
System Name
OUI

LLDP Port Configuration
=======================

PORT           TX-ENABLED          RX-ENABLED
-----------------------------------------------
1/1/1          Yes                 Yes
1/1/2          Yes                 Yes
1/1/3          Yes                 Yes
1/1/4          Yes                 Yes
<< Output omitted >>

3. Enable interface 1/1/46 on both TX-8325-A and TX-8325-B.

TX-8325-A
TX-8325-A# configure terminal
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# exit

TX-8325-B
TX-8325-B# configure terminal
TX-8325-B(config)# interface 1/1/46
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# exit

4. Enable DCBX globally.

TX-8325-A
TX-8325-A(config)# lldp dcbx

TX-8325-B
TX-8325-B(config)# lldp dcbx

5. Verify DCBX on interfaces.

TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active

<< Output omitted >>

TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active

<< Output omitted >>

Task 3: Priority Flow Control (PFC) and APP TLV


Objectives
– Configure DCBX PFC on interfaces.
– Configure DCBX APP TLV to set priority 4 for iSCSI traffic.

Steps – PFC
Check DCBX PFC on interfaces.

TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active

Priority Flow Control (PFC)
---------------------------
Operational state : inactive

Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1

Priority Enabled
0 False
1 False
2 False
3 False
4 False
5 False
6 False
7 False
<< Output omitted >>

TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active

Priority Flow Control (PFC)
---------------------------
Operational state : inactive

Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1

Priority Enabled
0 False
1 False
2 False
3 False
4 False
5 False
6 False
7 False
<< Output omitted >>

6. Configure TX-8325-A interface 1/1/46 to use priority 4 for PFC.

TX-8325-A
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# flow-control priority 4
The setting will not be applied until configuration is saved to startup-config and the switch is rebooted.

NOTE: On the 8325 switch series, enabling or modifying PFC requires a reboot of the
switch. Do not reboot your switch now; you will do it later.

7. Configure interface 1/1/46 to trust QoS CoS marks.

TX-8325-A(config-if)# qos trust cos

8. Save your config and reboot switch TX-8325-A.

TX-8325-A(config-if)# exit

TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# boot system
Checking for updates needed to programmable devices...
Done checking for updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? Y

9. Configure TX-8325-B interface 1/1/46 to use priority 4 for PFC.

TX-8325-B
TX-8325-B# configure terminal
TX-8325-B(config)# interface 1/1/46
TX-8325-B(config-if)# flow-control priority 4
The setting will not be applied until configuration is saved to startup-config, and the switch is rebooted.

10. Configure interface 1/1/46 to trust QoS CoS marks.

TX-8325-B(config-if)# qos trust cos

11. Save your config and reboot switch TX-8325-B.

TX-8325-B(config-if)# end

TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# boot system
Checking for updates needed to programmable devices...
Done checking for updates.

This will reboot the entire switch and render it unavailable
until the process is complete.
Continue (y/n)? Y

12. Verify your configuration

TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active

Priority Flow Control (PFC)
---------------------------
Operational state : active

Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1

Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False

Remote advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1

Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False

TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active

Priority Flow Control (PFC)
---------------------------
Operational state : active

Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1

Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False

Remote advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 1

Priority Enabled
0 False
1 False
2 False
3 False
4 True
5 False
6 False
7 False

Steps – APP TLV
Verify default DCBX APP TLV.

TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>

Application Priority Map
-------------------------
Local advertisement:
Protocol Port/Type Priority
-----------------------------------------

TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>

Application Priority Map
-------------------------

Local advertisement:
Protocol Port/Type Priority
-----------------------------------------

NOTE: By default, no DCBX APP TLVs are configured.

Configure APP TLV to prioritize iSCSI traffic with the CoS priority of 4.

TX-8325-A
TX-8325-A# config t
TX-8325-A(config)# dcbx application iscsi priority 4
TX-8325-A(config)# dcbx application tcp-sctp 860 priority 4
TX-8325-A(config)# dcbx application tcp-sctp 3260 priority 4

TX-8325-B
TX-8325-B# config t
TX-8325-B(config)# dcbx application iscsi priority 4
TX-8325-B(config)# dcbx application tcp-sctp 860 priority 4
TX-8325-B(config)# dcbx application tcp-sctp 3260 priority 4

Verify your configuration.

TX-8325-A
TX-8325-A(config)# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>
Local advertisement:
Protocol Port/Type Priority
-----------------------------------------
iscsi 4
tcp-sctp 860 4
tcp-sctp 3260 4

TX-8325-B
TX-8325-B# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output omitted >>
Local advertisement:
Protocol Port/Type Priority
-----------------------------------------
iscsi 4
tcp-sctp 860 4
tcp-sctp 3260 4
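
A check for the verification steps of this task, as an added example that is not part of the original lab guide: it parses `show dcbx interface` text and reports a PFC state that is not active, PFC priorities that differ between the local and remote advertisement, and application priorities that have no PFC enabled. The `sample_output` helper builds constructed input in the layout shown above; treating a local/remote mismatch as a fault is an assumption based on both sides advertising Willing : No.

```python
import re


def sample_output(local_pfc, remote_pfc, pfc_state="active"):
    """Build constructed `show dcbx interface` text in the layout shown in this lab."""
    def table(enabled):
        return "\n".join(f"{p} {p in enabled}" for p in range(8))
    return f"""DCBX admin state: enabled
DCBX operational state : active

Priority Flow Control (PFC)
---------------------------
Operational state : {pfc_state}

Local advertisement:
Willing : No
Priority Enabled
{table(local_pfc)}

Remote advertisement:
Willing : No
Priority Enabled
{table(remote_pfc)}

Application Priority Map
-------------------------
Local advertisement:
Protocol Port/Type Priority
-----------------------------------------
iscsi 4
tcp-sctp 860 4
tcp-sctp 3260 4
"""


def parse_dcbx(text):
    """Extract PFC state, per-side PFC priorities and local APP TLV entries."""
    out = {"pfc_state": None, "pfc": {"local": {}, "remote": {}},
           "willing": {}, "apps": []}
    section = side = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Priority Flow Control"):
            section, side = "pfc", None
        elif line.startswith("Application Priority Map"):
            section, side = "app", None
        elif line.startswith("Enhanced Transmission Selection"):
            section, side = "ets", None
        elif line in ("Local advertisement:", "Remote advertisement:"):
            side = line.split()[0].lower()
        elif section == "pfc" and line.startswith("Operational state"):
            out["pfc_state"] = line.split(":", 1)[1].strip()
        elif section == "pfc" and side and line.startswith("Willing"):
            out["willing"][side] = line.split(":", 1)[1].strip() == "Yes"
        elif section == "pfc" and side:
            row = re.fullmatch(r"(\d)\s+(True|False)", line)
            if row:
                out["pfc"][side][int(row[1])] = row[2] == "True"
        elif section == "app" and side == "local":
            tok = line.split()
            # Data rows end in a numeric priority; header and rule lines do not.
            if len(tok) in (2, 3) and tok[-1].isdigit():
                port = tok[1] if len(tok) == 3 else None
                out["apps"].append((tok[0], port, int(tok[-1])))
    return out


def audit(parsed):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    local = {p for p, on in parsed["pfc"]["local"].items() if on}
    remote = {p for p, on in parsed["pfc"]["remote"].items() if on}
    if parsed["pfc_state"] != "active":
        findings.append(f"PFC operational state is {parsed['pfc_state']}")
    if local != remote:
        findings.append(
            f"PFC priority mismatch: local {sorted(local)}, remote {sorted(remote)}")
    for proto, port, prio in parsed["apps"]:
        if prio not in local:
            name = f"{proto} {port}" if port else proto
            findings.append(
                f"{name} is mapped to priority {prio}, which has no PFC enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dcbx(sample_output({4}, {3}))):
        print(finding)
```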

Task 4: Enhanced Transmission Selection (ETS)

Objectives
– Configure DCBX ETS to control how much bandwidth queues receive.

Steps
Check default DCBX ETS configuration.
TX-8325-A
TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output Omitted >>
Enhanced Transmission Selection (ETS)
--------------------------------------

Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 8

Priority  Traffic Class
0 1
1 0
2 2
3 3
4 4
5 5
6 6
7 7

Traffic Class  Bandwidth Percentage  Algorithm
0 12 ETS
1 12 ETS
2 12 ETS
3 12 ETS
4 12 ETS
5 12 ETS
6 12 ETS
7 16 ETS

Remote advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 8

Priority  Traffic Class
0 1
1 0
2 2
3 3
4 4
5 5
6 6
7 7

Traffic Class  Bandwidth Percentage  Algorithm
0 12 ETS
1 12 ETS
2 12 ETS
3 12 ETS
4 12 ETS
5 12 ETS
6 12 ETS
7 16 ETS
<< Output Omitted >>

Create a schedule-profile that assigns 60% bandwidth to queue 4 (iSCSI) and 40%
bandwidth to queue 0 (all other traffic).

TX-8325-A(config-lag-if)# qos schedule-profile myprofile
TX-8325-A(config-schedule)# strict queue 7
TX-8325-A(config-schedule)# dwrr queue 6 weight 1
TX-8325-A(config-schedule)# dwrr queue 5 weight 1
TX-8325-A(config-schedule)# dwrr queue 4 weight 60
TX-8325-A(config-schedule)# dwrr queue 3 weight 1
TX-8325-A(config-schedule)# dwrr queue 2 weight 1
TX-8325-A(config-schedule)# dwrr queue 1 weight 1
TX-8325-A(config-schedule)# dwrr queue 0 weight 40

Check your schedule-profile.

TX-8325-A(config-schedule)# show qos schedule-profile myprofile
queue_num algorithm weight max-bandwidth_kbps burst_KB
--------- --------- ------ ------------------ --------
0         dwrr      40
1         dwrr      1
2         dwrr      1
3         dwrr      1
4         dwrr      60
5         dwrr      1
6         dwrr      1
7         strict

Assign your schedule profile to the interface.

TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# apply qos schedule-profile myprofile

Verify your configuration.

TX-8325-A# show dcbx interface 1/1/46
DCBX admin state: enabled
DCBX operational state : active
<< Output Omitted >>

Enhanced Transmission Selection (ETS)
--------------------------------------
Local advertisement:
Willing : No
MacSec ByPass Capability : No
Max traffic classes : 8

Priority  Traffic Class
0 1
1 0
2 2
3 3
4 4
5 5
6 6
7 7

Traffic Class  Bandwidth Percentage  Algorithm
0 37 ETS
1 0 ETS
2 0 ETS
3 0 ETS
4 63 ETS
5 0 ETS
6 0 ETS
7 0 Strict

No need to save your configuration.

You have completed this lab!

APPENDIX LAB -B: ERPS (Optional lab)


Objectives
In this lab, you will create an ERPS ring between switches AGG-1 and AGG-2 and the core switch.
Then, you will test and monitor operations during normal and failure situations.
To provide load balancing, you will share your VLANs between two instances. Each instance will
have its own RPL owner and RPL port, sending data in opposite directions around the ring.

Network Diagram

Task 1: Prepare Lab Environment


Objectives
– Erase configurations from previous labs and set up the base configuration for the next tasks.

Steps
Open a console connection to both AGG-1 and AGG-2 switches and revert both switches to the
Lab1-done checkpoint.

TX-8325-A
TX-8325-A# copy checkpoint ZERO running-config
Configuration changes will take time to process, please be patient.

TX-8325-B
TX-8325-B# copy checkpoint ZERO running-config
Configuration changes will take time to process, please be patient.

Verify that you have a clean config, with no LAG, VSX configuration, or routing protocol.

TX-8325-A
TX-8325-A# show run
Current configuration:
!Version ArubaOS-CX GL.10.04.0010
hostname TX-8325-A
cli-session
    timeout 0
ssh server vrf mgmt
vlan 1
interface mgmt
    no shutdown
    ip static 10.251.X.2/24
    default 10.251.X.254

TX-8325-B
TX-8325-B# show run
Current configuration:
!Version ArubaOS-CX GL.10.04.0010
hostname TX-8325-B
cli-session
    timeout 0
ssh server vrf mgmt
vlan 1
interface mgmt
    no shutdown
    ip static 10.251.X.3/24
    default 10.251.X.254

On TX-8325-A and TX-8325-B, configure interface speed.

TX-8325-A# configure terminal
TX-8325-A(config)# system interface-group 1 speed 10g

Create VLANs on TX-8325-A and TX-8325-B

TX-8325-A
TX-8325-A# configure terminal
TX-8325-A(config)# vlan X0-X5
TX-8325-A(config-vlan-<10-15>)# exit
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# shutdown
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan trunk allowed X0-X5
TX-8325-A(config-if)# exit
TX-8325-A(config)# interface 1/1/48
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan trunk allowed X0-X5
TX-8325-A(config-if)# exit
TX-8325-A(config)# interface 1/1/1
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# vlan access 15
TX-8325-A(config-if)# no shutdown

IMPORTANT: To avoid loops in your topology, the AGG-1 interface 1/1/46 should
stay in a shutdown state until ERPS is completely configured.

TX-8325-B
TX-8325-B# configure terminal
TX-8325-B(config)# vlan X0-X5
TX-8325-B(config-vlan-<10-15>)# exit
TX-8325-B(config)# interface 1/1/46,1/1/48
TX-8325-B(config-if)# no shutdown
TX-8325-B(config-if)# no routing
TX-8325-B(config-if)# vlan trunk allowed X0-X5

Create IP interfaces.

TX-8325-A
TX-8325-A(config)# interface vlan X4
TX-8325-A(config-if-vlan)# ip address 10.1.X4.2/24
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# interface vlan X5
TX-8325-A(config-if-vlan)# ip address 10.1.X5.2/24
TX-8325-A(config-if-vlan)# exit

TX-8325-B
TX-8325-B(config)# interface vlan X4
TX-8325-B(config-if-vlan)# ip address 10.1.X4.3/24
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# interface vlan X5
TX-8325-B(config-if-vlan)# ip address 10.1.X5.3/24
TX-8325-B(config-if-vlan)# exit

Create routing redundancy.

TX-8325-A
TX-8325-A(config)# int vlan X4
TX-8325-A(config-if-vlan)# vrrp X4 address-family ipv4
TX-8325-A(config-if-vrrp)# address 10.1.X4.1 primary
TX-8325-A(config-if-vrrp)# priority 150
TX-8325-A(config-if-vrrp)# no shutdown
TX-8325-A(config-if-vrrp)# exit
TX-8325-A(config-if-vlan)# exit
TX-8325-A(config)# router vrrp enable
TX-8325-A(config)# int vlan X5
TX-8325-A(config-if-vlan)# vrrp X5 address-family ipv4
TX-8325-A(config-if-vrrp)# address 10.1.X5.1 primary
TX-8325-A(config-if-vrrp)# no shutdown
TX-8325-A(config-if-vrrp)# exit
TX-8325-A(config-if-vlan)# exit

TX-8325-B
TX-8325-B(config)# int vlan X4
TX-8325-B(config-if-vlan)# vrrp X4 address-family ipv4
TX-8325-B(config-if-vrrp)# address 10.1.X4.1 primary
TX-8325-B(config-if-vrrp)# no shutdown
TX-8325-B(config-if-vrrp)# exit
TX-8325-B(config-if-vlan)# exit
TX-8325-B(config)# router vrrp enable
TX-8325-B(config)# int vlan X5
TX-8325-B(config-if-vlan)# vrrp X5 address-family ipv4
TX-8325-B(config-if-vrrp)# address 10.1.X5.1 primary
TX-8325-B(config-if-vrrp)# priority 150
TX-8325-B(config-if-vrrp)# no shutdown
TX-8325-B(config-if-vrrp)# exit
TX-8325-B(config-if-vlan)# exit

Configure the TX-8325-Core switch.

TX-8325-Core
T1-8325-Core(config)# vlan X0-X5
T1-8325-Core(config-vlan-<10-15>)# exit
T1-8325-Core(config)# interface 1/1/1
T1-8325-Core(config-if)# no routing
T1-8325-Core(config-if)# no shutdown
T1-8325-Core(config-if)# vlan trunk allow X0-X5
T1-8325-Core(config-if)# exit
T1-8325-Core(config)# interface 1/1/2
T1-8325-Core(config-if)# no routing
T1-8325-Core(config-if)# no shutdown
T1-8325-Core(config-if)# vlan trunk allow X0-X5

Verify the VRRP brief.

TX-8325-A

TX-8325-A# show vrrp brief

VRRP is enabled

Interface  Grp  A-F   Pri  Time  Owner  Pre  State   Master addr/Group addr
vlanX4     X4   IPv4  150  274   N      Y    MASTER  10.1.X4.2 10.1.X4.1
vlanX5     X5   IPv4  100  85    N      Y    BACKUP  10.1.X5.3 10.1.X5.1

TX-8325-B

TX-8325-B# show vrrp brief

VRRP is enabled

Interface  Grp  A-F   Pri  Time  Owner  Pre  State   Master addr/Group addr
vlanX4     X4   IPv4  100  73    N      Y    BACKUP  10.1.X4.2 10.1.X4.1
vlanX5     X5   IPv4  150  47    N      Y    MASTER  10.1.X5.3 10.1.X5.1

TX-8325-A

TX-8325-A# configure terminal
TX-8325-A(config)# interface lag 12
TX-8325-A(config-if)# no routing
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# vlan trunk allow all
TX-8325-A(config-if)# exit
TX-8325-A(config)# interface 1/1/5
TX-8325-A(config-if)# no shutdown
TX-8325-A(config-if)# lag 12

Configure TX-6300-A with an IP address in VLAN X5 and a default route via 10.1.X5.1.

TX-6300-A(config)# int vlan 1
TX-6300-A(config-if-vlan)# ip add 10.1.X5.99/24
TX-6300-A(config-if-vlan)# exit
TX-6300-A(config)# ip route 0.0.0.0/0 10.1.X5.1

Note: Based on the previous labs, you will probably have another default route to
10.1.X0.1. Remove it and make sure you are only using 10.1.X5.1.

Ping 10.1.X5.1 from the ACC switch (TX-6300-A). The ping should be successful.

TX-6300-A# ping 10.1.15.1
PING 10.1.15.1 (10.1.15.1) 100(128) bytes of data.
108 bytes from 10.1.15.1: icmp_seq=1 ttl=64 time=20.0 ms
108 bytes from 10.1.15.1: icmp_seq=2 ttl=64 time=0.224 ms
108 bytes from 10.1.15.1: icmp_seq=3 ttl=64 time=0.176 ms

Task 2: Configure ERPS


Objectives
– Create an ERPS ring and two instances.

Steps

Open a console connection to both AGG-1 and AGG-2 switches, create an ERPS ring,
and configure the ERPS ring member ports.

TX-8325-A
TX-8325-A(config)# erps ring 1
TX-8325-A(config-erps-ring-1)# description ERPS-Ring
TX-8325-A(config-erps-ring-1)# port0 interface 1/1/46
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-A(config-erps-ring-1)# port1 interface 1/1/48
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.

TX-8325-B
TX-8325-B(config)# erps ring 1
TX-8325-B(config-erps-ring-1)# description ERPS-Ring
TX-8325-B(config-erps-ring-1)# port0 interface 1/1/46
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-B(config-erps-ring-1)# port1 interface 1/1/48
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.

TX-8325-Core
TX-8325-CORE(config)# erps ring 1
TX-8325-CORE(config-erps-ring-1)# description ERPS-Ring
TX-8325-CORE(config-erps-ring-1)# port0 interface 1/1/1
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-CORE(config-erps-ring-1)# port1 interface 1/1/2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.

Create and enable two instances on TX-8325-A and TX-8325-B to provide loop avoidance
and load balancing.

Instance     Protected VLAN   Control VLAN
Instance-1   X4               X2
Instance-2   X5               X3

TX-8325-A
TX-8325-A(config-erps-ring-1)# instance 1
TX-8325-A(config-erps-ring-1-inst-1)# description ERPS-Instance1
TX-8325-A(config-erps-ring-1-inst-1)# control-vlan X2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-A(config-erps-ring-1-inst-1)# protected-vlans X4
TX-8325-A(config-erps-ring-1-inst-1)# role rpl-owner
TX-8325-A(config-erps-ring-1-inst-1)# rpl port1
TX-8325-A(config-erps-ring-1-inst-1)# enable
TX-8325-A(config-erps-ring-1-inst-1)# exit
TX-8325-A(config-erps-ring-1)# instance 2
TX-8325-A(config-erps-ring-1-inst-2)# description ERPS-Instance2
TX-8325-A(config-erps-ring-1-inst-2)# control-vlan X3
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-A(config-erps-ring-1-inst-2)# protected-vlans X5
TX-8325-A(config-erps-ring-1-inst-2)# role rpl-neighbor
TX-8325-A(config-erps-ring-1-inst-2)# enable

TX-8325-B
TX-8325-B(config-erps-ring-1)# instance 1
TX-8325-B(config-erps-ring-1-inst-1)# description ERPS-Instance1
TX-8325-B(config-erps-ring-1-inst-1)# control-vlan X2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-B(config-erps-ring-1-inst-1)# protected-vlans X4
TX-8325-B(config-erps-ring-1-inst-1)# role rpl-neighbor
TX-8325-B(config-erps-ring-1-inst-1)# enable
TX-8325-B(config-erps-ring-1-inst-1)# exit
TX-8325-B(config-erps-ring-1)# instance 2
TX-8325-B(config-erps-ring-1-inst-2)# description ERPS-Instance2
TX-8325-B(config-erps-ring-1-inst-2)# control-vlan X3
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-B(config-erps-ring-1-inst-2)# protected-vlans X5
TX-8325-B(config-erps-ring-1-inst-2)# role rpl-owner
TX-8325-B(config-erps-ring-1-inst-2)# rpl port0
TX-8325-B(config-erps-ring-1-inst-2)# enable

TX-8325-Core
TX-8325-CORE(config-erps-ring-1)# instance 1
TX-8325-CORE(config-erps-ring-1-inst-1)# description ERPS-Instance1
TX-8325-CORE(config-erps-ring-1-inst-1)# control-vlan X2
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-CORE(config-erps-ring-1-inst-1)# protected-vlans X4
TX-8325-CORE(config-erps-ring-1-inst-1)# role rpl-neighbor
TX-8325-CORE(config-erps-ring-1-inst-1)# enable
TX-8325-CORE(config-erps-ring-1-inst-1)# exit
TX-8325-CORE(config-erps-ring-1)# instance 2
TX-8325-CORE(config-erps-ring-1-inst-2)# description ERPS-Instance2
TX-8325-CORE(config-erps-ring-1-inst-2)# control-vlan X3
Info: Port0/Port1 should be a tagged member of control and protected VLAN's.
TX-8325-CORE(config-erps-ring-1-inst-2)# protected-vlans X5
TX-8325-CORE(config-erps-ring-1-inst-2)# role rpl-neighbor
TX-8325-CORE(config-erps-ring-1-inst-2)# enable
TX-8325-CORE(config-erps-ring-1-inst-2)# exit

Now that you have configured the ERPS ring and instances, enable TX-8325-A port 1/1/46.

TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# no shutdown

Verify your ERPS operation.

TX-8325-A
TX-8325-A# show erps summary
ERPS Summary
============

Flags: RO - RPL-Owner, RN - RPL-Neighbor, M - Major Ring,
       S - Sub Ring, T - TCN Enabled, * - RPL port

Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48* Pending M,RO
1 2 1/1/46 1/1/48 Pending M

IMPORTANT: You have to wait for the WTR timer to expire (5 minutes by default) before
the status changes to Idle. Check the events below, which show the ERPS ring status changing.

TX-8325-B# page 20
TX-8325-B# show events -r

<output omit>
2019-10-03T11:51:14.284020+00:00 TX-8325-B hpe-mgmdd[2129]: Event|2622|LOG_INFO|AMM|1/1|Flood mode is temporarily activated on ERPS ports 1/1/46 and 1/1/48 as ring state for ring id 1 changed to idle.
2019-10-03T11:51:14.283007+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Idle
2019-10-03T11:51:14.263203+00:00 TX-8325-B hpe-mgmdd[2129]: Event|2622|LOG_INFO|AMM|1/1|Flood mode is temporarily activated on ERPS ports 1/1/46 and 1/1/48 as ring state for ring id 1 changed to idle.
2019-10-03T11:51:14.261929+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Idle
2019-10-03T11:49:41.841701+00:00 TX-8325-B hpe-restd[6925]: Event|4605|LOG_INFO|AMM|-|Session ended for user admin, session 85OCAmwUdDakYxmbLN-_Ww==
2019-10-03T11:49:41.840942+00:00 TX-8325-B hpe-restd[6925]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user admin, for resource SessionMgmt, with action POST
2019-10-03T11:49:34.010063+00:00 TX-8325-B hpe-restd[6925]: Event|4604|LOG_INFO|AMM|-|Session started for user admin, session 85OCAmwUdDakYxmbLN-_Ww==
2019-10-03T11:49:34.009700+00:00 TX-8325-B hpe-restd[6925]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user admin in session 85OCAmwUdDakYxmbLN-_Ww==
2019-10-03T11:48:48.136889+00:00 TX-8325-B hpe-restd[6925]: Event|4605|LOG_INFO|AMM|-|Session ended for user admin, session 1PulQPNZCZzHCYOrin3YGw==
2019-10-03T11:48:48.136061+00:00 TX-8325-B hpe-restd[6925]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user admin, for resource SessionMgmt, with action POST
2019-10-03T11:48:39.907303+00:00 TX-8325-B hpe-restd[6925]: Event|4604|LOG_INFO|AMM|-|Session started for user admin, session 1PulQPNZCZzHCYOrin3YGw==
2019-10-03T11:48:39.906808+00:00 TX-8325-B hpe-restd[6925]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user admin in session 1PulQPNZCZzHCYOrin3YGw==
2019-10-03T11:46:16.250390+00:00 TX-8325-B lldpd[2109]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor 90:20:c2:ba:e7:00 added on 1/1/46
2019-10-03T11:46:14.247448+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Pending
2019-10-03T11:46:14.231740+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Pending
2019-10-03T11:46:13.204965+00:00 TX-8325-B intfd[2026]: Event|403|LOG_INFO|||Link status for interface 1/1/46 is up
<output omit>
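
The event output above can be checked mechanically. The following added example (not part of the original lab guide) extracts the ERPS state changes from `show events -r` text, measures how long each ring instance stayed in Pending before reaching Idle, and compares that with the WTR interval. The sample lines are taken from the output above, rejoined onto one line each; the function names and the 5-second tolerance are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Six events from the `show events -r` output above (TX-8325-B), each rejoined
# onto one line; newest first, as the switch prints them.
SAMPLE_EVENTS = """\
2019-10-03T11:51:14.283007+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Idle
2019-10-03T11:51:14.261929+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Idle
2019-10-03T11:46:16.250390+00:00 TX-8325-B lldpd[2109]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor 90:20:c2:ba:e7:00 added on 1/1/46
2019-10-03T11:46:14.247448+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 2 changed to Pending
2019-10-03T11:46:14.231740+00:00 TX-8325-B erps[2169]: Event|8503|LOG_INFO|AMM|1/1|Operational state of the ring 1, instance 1 changed to Pending
2019-10-03T11:46:13.204965+00:00 TX-8325-B intfd[2026]: Event|403|LOG_INFO|||Link status for interface 1/1/46 is up
"""

# timestamp host daemon[pid]: Event|id|severity|field|field|message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>[\w-]+)\[\d+\]: "
    r"Event\|(?P<id>\d+)\|(?P<sev>\w+)\|[^|]*\|[^|]*\|(?P<msg>.*)$"
)
ERPS_RE = re.compile(
    r"Operational state of the ring (\d+), instance (\d+) changed to (\w+)"
)


def erps_transitions(text):
    """Return [(time, host, ring, instance, state)] for ERPS events, oldest first."""
    found = []
    for line in text.splitlines():
        event = LINE_RE.match(line.strip())
        if not event or event["daemon"] != "erps":
            continue
        change = ERPS_RE.search(event["msg"])
        if change:
            ring, instance, state = change.groups()
            found.append((datetime.fromisoformat(event["ts"]), event["host"],
                          int(ring), int(instance), state))
    return sorted(found)


def pending_durations(transitions):
    """Map (host, ring, instance) to the time spent in Pending before Idle."""
    pending_since, durations = {}, {}
    for when, host, ring, instance, state in transitions:
        key = (host, ring, instance)
        if state == "Pending":
            pending_since[key] = when
        elif key in pending_since:
            started = pending_since.pop(key)
            # Only Pending -> Idle counts; Pending -> Protection is a new failure.
            if state == "Idle":
                durations[key] = when - started
    return durations


def wtr_deviations(durations, wtr_minutes, tolerance=timedelta(seconds=5)):
    """Return the instances whose Pending period differs from the WTR interval."""
    expected = timedelta(minutes=wtr_minutes)
    return {k: d for k, d in durations.items() if abs(d - expected) > tolerance}


if __name__ == "__main__":
    for key, spent in pending_durations(erps_transitions(SAMPLE_EVENTS)).items():
        print(key, spent)
```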

IMPORTANT: In the lab, you can change the WTR timer on all switches to 1 minute to
reduce the waiting time.

TX-8325-A
TX-8325-A(config)# erps ring 1
TX-8325-A(config-erps-ring-1)# wtr-interval 1

TX-8325-B
TX-8325-B(config)# erps ring 1
TX-8325-B(config-erps-ring-1)# wtr-interval 1

TX-8325-Core
TX-8325-CORE(config)# erps ring 1
TX-8325-CORE(config-erps-ring-1)# wtr-interval 1

TX-8325-B
TX-8325-B# show erps summary
ERPS Summary
============

Flags: RO - RPL-Owner, RN - RPL-Neighbor, M - Major Ring,
       S - Sub Ring, T - TCN Enabled, * - RPL port

Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48 Idle M
1 2 1/1/46* 1/1/48 Idle M,RO

TX-8325-Core
TX-8325-CORE# show erps summary
ERPS Summary
============

Flags: RO - RPL-Owner, RN - RPL-Neighbor, M - Major Ring,
       S - Sub Ring, T - TCN Enabled, * - RPL port

Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/1 1/1/2 Idle M
1 2 1/1/1 1/1/2 Idle M

Note: Ring instance status may be in one of the following states:
• Idle: No protection switching. - GOOD
• Initializing: The ring instance is not operational.
• Protection: A local or remote link failure has triggered protection switching.
• Pending: Pending clearance of a previous protection switch.
• Down: Ring instance is not active.

Now take a closer look using “show erps status ring 1”.

TX-8325-A
TX-8325-A# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-ring
Instance ID : 1
Instance description : ERPS-RING-INTANCE1
Port0 : 1/1/46 (Up)
Port1 : 1/1/48 (Block)
Node Role (RPL) : Owner (port1)
Control VLAN : 12
Protected VLAN : 14
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Idle
Oper Down Reason : None

Status for ERPS Ring 1 Instance 2:
====================================
Ring ID : 1
Ring description : ERPS-ring
Instance ID : 2
Port0 : 1/1/46 (Up)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Neighbor (None)
Control VLAN : 13
Protected VLAN : 15
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Idle
Oper Down Reason : None

TX-8325-B
TX-8325-B# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-Ring
Instance ID : 1
Port0 : 1/1/46 (Up)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Neighbor (None)
Control VLAN : 12
Protected VLAN : 14
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Idle
Oper Down Reason : None

Status for ERPS Ring 1 Instance 2:
====================================
Ring ID : 1
Ring description : ERPS-Ring
Instance ID : 2
Port0 : 1/1/46 (Block)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Owner (port0)
Control VLAN : 13
Protected VLAN : 15
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Idle
Oper Down Reason : None

IMPORTANT: Note that RPL link blocking occurs only at the RPL owner, on the
RPL interface.
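
The rule in the note above, as an added check that is not part of the original lab guide: it parses `show erps status ring 1` text collected from each switch and reports any Idle instance where the RPL owner's RPL port is not blocked, where any other port is blocked, or where the ring does not have exactly one RPL owner. The sample text is constructed from the Idle output above, trimmed to the fields used; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed samples: `show erps status ring 1` from this lab in the Idle
# state, trimmed to the fields the check reads.
IDLE_A = """\
Status for ERPS Ring 1 Instance 1:
====================================
Port0 : 1/1/46 (Up)
Port1 : 1/1/48 (Block)
Node Role (RPL) : Owner (port1)
Status : Idle

Status for ERPS Ring 1 Instance 2:
====================================
Port0 : 1/1/46 (Up)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Neighbor (None)
Status : Idle
"""
IDLE_B = """\
Status for ERPS Ring 1 Instance 1:
====================================
Port0 : 1/1/46 (Up)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Neighbor (None)
Status : Idle

Status for ERPS Ring 1 Instance 2:
====================================
Port0 : 1/1/46 (Block)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Owner (port0)
Status : Idle
"""

HEADER_RE = re.compile(r"^Status for ERPS Ring (\d+) Instance (\d+):")
FIELD_RE = re.compile(r"^(.+?)\s+:\s+(.*)$")
PAREN_RE = re.compile(r"^(\S+) \((\w+)\)$")   # "1/1/48 (Block)", "Owner (port1)"


def parse_status(text):
    """Return {(ring, instance): {field: value}} from the status output."""
    instances, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            current = instances.setdefault((int(header[1]), int(header[2])), {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field[1]] = field[2]
    return instances


def _paren(value, default):
    """Split 'name (detail)' into (name, detail); fall back to default."""
    m = PAREN_RE.match(value or "")
    return m.groups() if m else default


def check_idle_ring(nodes):
    """nodes: {hostname: status text}. Return a list of finding strings."""
    findings, owners = [], defaultdict(list)
    for host, text in nodes.items():
        for key, f in parse_status(text).items():
            if f.get("Status") != "Idle":
                findings.append(f"{host} {key}: status is {f.get('Status')}, not Idle")
                continue
            role, rpl = _paren(f.get("Node Role (RPL)"), ("Unknown", "None"))
            owners[key] += [host] if role == "Owner" else []
            for port in ("port0", "port1"):
                _, state = _paren(f.get(port.capitalize()), ("?", "Unknown"))
                must_block = role == "Owner" and port == rpl
                if must_block and state != "Block":
                    findings.append(f"{host} {key}: RPL {port} is {state}, loop risk")
                elif not must_block and state == "Block":
                    findings.append(f"{host} {key}: non-RPL {port} is blocked in Idle")
    for key, hosts in owners.items():
        if len(hosts) != 1:
            findings.append(f"{key}: expected exactly one RPL owner, found {len(hosts)}")
    return findings


if __name__ == "__main__":
    print(check_idle_ring({"TX-8325-A": IDLE_A, "TX-8325-B": IDLE_B}) or "ring OK")
```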

Note: A ring instance has the following reasons for "down" state:
• Disabled: The administrator has disabled the ring instance.
• Inconsistent Port Config: The administrator has configured the same port as
port0 and port1 or the RPL port without a role.
• Incomplete Port Config: The admin has configured only one or no ring port.
• Protected VLANs Not Configured: Protected VLAN list is empty.
• Control VLAN Not Configured: The admin has not configured the control
VLAN.
• Insufficient HW Resource: Ring instance provisioning failed due to insufficient
HW resources.
• Control VLAN Overlap: The admin has configured the same control VLAN on
two or more ring instances.
• Protected VLAN Overlap: The administrator has configured the same
protected VLANs on two or more ring instances.

Ping 10.1.X5.1 from TX-6300-A switch. Ping should be successful.

Task 3: ERPS operations


Objectives
– Simulate a failure in an ERPS ring link and monitor communications and ports during a
failure.

Steps
Start a continuous ping to the MC’s IP address (10.1.X4.100) from the TX-6300-A switch.
Open a console connection to both TX-8325-A and TX-8325-B switches.
On the TX-8325-A switch, disable ERPS port0 (1/1/46).
The ping should still be successful.

TX-8325-A# configure terminal
TX-8325-A(config)# interface 1/1/46
TX-8325-A(config-if)# shutdown

Verify ERPS summary

TX-8325-A
TX-8325-A# show erps summary
ERPS Summary
============

Flags: RO - RPL-Owner, RN - RPL-Neighbor, M - Major Ring,
       S - Sub Ring, T - TCN Enabled, * - RPL port

Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48* Protection M,RO
1 2 1/1/46 1/1/48 Protection M

TX-8325-B
TX-8325-B# show erps summary
ERPS Summary
============

Flags: RO - RPL-Owner, RN - RPL-Neighbor, M - Major Ring,
       S - Sub Ring, T - TCN Enabled, * - RPL port

Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/46 1/1/48 Protection M
1 2 1/1/46* 1/1/48 Protection M,RO

TX-8325-Core
TX-8325-CORE# show erps summary
ERPS Summary
============

Flags: RO - RPL-Owner, RN - RPL-Neighbor, M - Major Ring,
       S - Sub Ring, T - TCN Enabled, * - RPL port

Per-Instance Summary
====================
Ring Instance Port0 Port1 Status Flags
---- -------- ----- ----- ------ -----
1 1 1/1/1 1/1/2 Protection M
1 2 1/1/1 1/1/2 Protection M

Note: The Protection state means that protection switching has been triggered by a
local or remote link failure.

Verify ERPS port states

TX-8325-A
TX-8325-A# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-ring
Instance ID : 1
Instance description : ERPS-RING-INTANCE1
Port0 : 1/1/46 (Block)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Owner (port1)
Control VLAN : 12
Protected VLAN : 14
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Protection
Oper Down Reason : None

Status for ERPS Ring 1 Instance 2:
====================================
Ring ID : 1
Ring description : ERPS-ring
Instance ID : 2
Port0 : 1/1/46 (Block)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Neighbor (None)
Control VLAN : 13
Protected VLAN : 15
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Protection
Oper Down Reason : None

TX-8325-B

TX-8325-B# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-Ring
Instance ID : 1
Port0 : 1/1/46 (Block)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Neighbor (None)
Control VLAN : 12
Protected VLAN : 14
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Protection
Oper Down Reason : None

Status for ERPS Ring 1 Instance 2:
====================================
Ring ID : 1
Ring description : ERPS-Ring
Instance ID : 2
Port0 : 1/1/46 (Block)
Port1 : 1/1/48 (Up)
Node Role (RPL) : Owner (port0)
Control VLAN : 13
Protected VLAN : 15
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Protection
Oper Down Reason : None

TX-8325-Core
TX-8325-CORE# show erps status ring 1
Status for ERPS Ring 1 Instance 1:
====================================
Ring ID : 1
Ring description : ERPS-Ring
Instance ID : 1
Port0 : 1/1/1 (Up)
Port1 : 1/1/2 (Up)
Node Role (RPL) : Neighbor (None)
Control VLAN : 12
Protected VLAN : 14
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Protection
Oper Down Reason : None

Status for ERPS Ring 1 Instance 2:
====================================
Ring ID : 1
Ring description : ERPS-Ring
Instance ID : 2
Port0 : 1/1/1 (Up)
Port1 : 1/1/2 (Up)
Node Role (RPL) : Neighbor (None)
Control VLAN : 13
Protected VLAN : 15
Subring (TCN) : No (No)
Revertive Operation : Revertive
MEG Level : 7
Transmission Interval : 5 sec
Guard Interval : 0 sec 500 ms
Hold-Off Interval : 0 sec 0 ms
WTR Interval : 1 min
Status : Protection
Oper Down Reason : None

Compare your findings with the previous task. What has changed?


_____________________________________________________

TX-8325-Core port0 and port1 are now in UP state. Why?


_____________________________________________________

Save your configuration.

AGG-1
TX-8325-A(config)# exit
TX-8325-A# write memory
Configuration changes will take time to process, please be patient.
TX-8325-A# copy running-config checkpoint APPX-ERPS-[student-name]
Configuration changes will take time to process, please be patient.

AGG-2
TX-8325-B# write memory
Configuration changes will take time to process, please be patient.
TX-8325-B# copy running-config checkpoint APPX-ERPS-[student-name]
Configuration changes will take time to process, please be patient.

You finished this lab!
