Access and Services Aggregation Configuration
The access-aggregation layer provides default gateway services to the layer 2 access switches and consolidates bandwidth from the lower speed access ports into high-speed uplinks to the core. The services-aggregation layer provides a function similar to the gateways, policy servers, and WAN or Internet gateways.
Configure the Aggregation Switch Groups
The following procedures describe the creation of an aggregation switch configuration in CLI format. The switch configuration may be created offline in a text editor and copied into MultiEdit or it may be typed directly in MultiEdit in a UI group of Central. Switches in the group receive the configuration when synchronized to Central.
The following figure shows the access aggregation and services aggregation switches in the ESP Campus.
Wired Aggregation
Enable MultiEdit for the Group
The base configuration of the switch was previously described in the Switch Group Configuration section of this guide. The following procedure completes the switch configuration using the Aruba Central MultiEdit tool, a CLI-based configuration editor built into Central.
Step 1 Log in to HPE GreenLake and navigate to Aruba Central.
Step 2 In the filter dropdown, select an aggregation switch Group name. On the left menu, select Devices.
Step 3 In the upper right of the Switches page, select Config.
Step 4 In the upper left of the Switches page, move the slider right to enable MultiEdit.
Step 5 Select the devices for editing. In the lower right window, click EDIT CONFIG.
Note: The following steps provide a chunk of configuration that can be pasted into the MultiEdit window. After pasting the configuration chunk, right-click any device-specific values. A Modify Parameters window appears on the right to allow input of individual device values.
Configure OSPF and Multicast Routing
In the following steps, OSPF routing is configured to peer on point-to-point IP links using interface addresses in a /30 subnet. Then, PIM-Sparse Mode is enabled on the same links to ensure that multicast streams coming from the core can flow to the access VLANs.
The figure below can be used as a reference point for the implemented configuration.
OSPF Topology
Note: The switch configuration is formatted automatically on input. Paste CLI at the beginning, end, or on a new line anywhere in the configuration.
Step 1 Configure the global OSPF routing instance with area 0 and enable passive-interface default to avoid unwanted OSPF adjacencies. Use a pre-allocated loopback IP address as the router-id.
router ospf 1
area 0
passive-interface default
router-id 10.0.3.1
When creating a template for chassis switch configuration, enable graceful restart.
graceful-restart restart-interval 30
Step 2 Configure the global multicast routing instance.
router pim
enable
active-active
Step 3 Create the loopback 0 interface and use a pre-allocated IP address. This should match the one used as the OSPF router-id. Enable OSPF in area 0 and PIM sparse mode on the interface.
interface loopback 0
ip address 10.0.3.1/32
ip ospf 1 area 0
ip pim-sparse enable
Step 4 Configure OSPF and PIM-SM on the physical interfaces. Configure a large IP MTU, turn off passive mode, associate the OSPF router instance from above, and enable PIM sparse mode on the interface.
interface 1/1/1
description AG1_TO_CORE
no shutdown
ip mtu 9198
ip address 172.18.103.1/30
no ip ospf passive
ip ospf network point-to-point
ip ospf 1 area 0
ip pim-sparse enable
Step 5 Repeat the previous step for each interface connected between the aggregation and core switches.
Example: Aggregation 1 Switches
AG1 IP Address | Subnet | Source Device | Peer Device |
---|---|---|---|
172.18.103.1 | 172.18.103.0/30 | AG1-SW1 | Core 1 |
172.18.103.9 | 172.18.103.8/30 | AG1-SW2 | Core 1 |
172.18.103.5 | 172.18.103.4/30 | AG1-SW1 | Core 2 |
172.18.103.13 | 172.18.103.12/30 | AG1-SW2 | Core 2 |
Example: Aggregation 2 Switches
AG2 IP Address | Subnet | Source Device | Peer Device |
---|---|---|---|
172.18.102.1 | 172.18.102.0/30 | AG2-SW1 | Core 1 |
172.18.102.9 | 172.18.102.8/30 | AG2-SW2 | Core 1 |
172.18.102.5 | 172.18.102.4/30 | AG2-SW1 | Core 2 |
172.18.102.13 | 172.18.102.12/30 | AG2-SW2 | Core 2 |
Example: Service Aggregation Switches
Service AG IP Address | Subnet | Source Device | Peer Device |
---|---|---|---|
172.18.106.1 | 172.18.106.0/30 | S2-1 | Core 1 |
172.18.106.9 | 172.18.106.8/30 | S2-2 | Core 1 |
172.18.106.13 | 172.18.106.12/30 | S2-2 | Core 2 |
172.18.106.5 | 172.18.106.4/30 | S2-1 | Core 2 |
Step 6 At the bottom right of the MultiEdit window, click Save.
Step 7 When Config Status has returned to the “Sync” state for the modified devices, select List from the upper right.
Verify OSPF Operation
Central provides a remote console capability that allows for CLI access on any managed switch. Use this to run CLI show commands at validation steps throughout this guide.
Step 8 On the left menu, select Tools.
Step 9 On the Console tab, assign the following settings, then select Create New Session.
Device Type: Switch
Switch: Device name
Username: admin
Password: password
Step 10 In the Remote Console window, type the command show ip ospf neighbors, then press ENTER. The output shown below indicates healthy OSPF sessions to core switches.
Verify Multicast Operation
Step 11 In a Remote Console window, type the command show ip pim neighbor vrf default, then press ENTER. The output shown below indicates multicast routing is running on configured VLANs.
Plan MAC Addresses
A Locally Administered Address (LAA) should be used when assigning a VSX system-mac and active gateway MAC addresses in upcoming procedures. An LAA is a MAC in one of the four formats shown below:
x2-xx-xx-xx-xx-xx
x6-xx-xx-xx-xx-xx
xA-xx-xx-xx-xx-xx
xE-xx-xx-xx-xx-xx
The x positions can contain any valid hex value. For more details on the LAA format, see the IEEE tutorial guide.
Step 1 Determine VSX System MAC addresses.
Each VSX pair uses a VSX system MAC address for control plane protocols such as Spanning-Tree and Link Aggregation Control Protocol (LACP). The same VSX MAC address is configured on both VSX pair members, and it must be unique per pair.
The following values are assigned to VSX pairs in this guide:
VSX Pair | VSX System MAC |
---|---|
RSVCP-CR1-AG1 | 02:01:00:00:01:00 |
RSVCP-CR1-AG2 | 02:01:00:00:02:00 |
RSVCP-CR1-AG3 | 02:01:00:00:03:00 |
RSVCP-CR1-SS2 | 02:01:00:00:04:00 |
Step 2 Determine Active Gateway MAC addresses.
An active gateway IP provides Layer 3 gateway redundancy across members of a VSX pair. The active gateway MAC associates a virtual MAC address with an active gateway IP. Only a small number of unique virtual MAC assignments may be configured per switch. The same active gateway MAC address should be re-used for each active gateway IP assignment.
The following MAC values are assigned in this guide:
VSX Pair | Active Gateway MAC for all subnets/VLANs on VSX Pair |
---|---|
RSVCP-CR1-AG1 | A2:01:00:00:00:01 |
RSVCP-CR1-AG2 | A2:02:00:00:00:01 |
RSVCP-CR1-AG3 | A2:03:00:00:00:01 |
RSVCP-CR1-SS2 | A2:04:00:00:00:01 |
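The following check of the MAC plan is an added example, not part of the original guide. It tests each value against the four LAA formats listed above (which reduce to two bits of the first octet) and flags a VSX system MAC shared by two pairs; the function names are assumptions made for this example.

```python
import re

# Values copied from the two MAC tables in this guide.
SYSTEM_MACS = {
    "RSVCP-CR1-AG1": "02:01:00:00:01:00", "RSVCP-CR1-AG2": "02:01:00:00:02:00",
    "RSVCP-CR1-AG3": "02:01:00:00:03:00", "RSVCP-CR1-SS2": "02:01:00:00:04:00",
}
GATEWAY_MACS = {
    "RSVCP-CR1-AG1": "A2:01:00:00:00:01", "RSVCP-CR1-AG2": "A2:02:00:00:00:01",
    "RSVCP-CR1-AG3": "A2:03:00:00:00:01", "RSVCP-CR1-SS2": "A2:04:00:00:00:01",
}

def parse_mac(text):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    if not re.fullmatch(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}", text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", text))

def is_unicast_laa(text):
    """True when octet 0 has the U/L bit (0x02) set and the I/G bit (0x01) clear.

    That is exactly the x2 / x6 / xA / xE pattern listed above.
    """
    return parse_mac(text)[0] & 0x03 == 0x02

def check_plan(system_macs, gateway_macs):
    """Return findings: non-LAA values and system-macs shared between VSX pairs."""
    findings = []
    for kind, plan in (("system-mac", system_macs), ("active-gateway mac", gateway_macs)):
        for pair, mac in plan.items():
            if not is_unicast_laa(mac):
                findings.append(f"{pair}: {kind} {mac} is not a unicast LAA")
    owner = {}
    for pair, mac in system_macs.items():
        first = owner.setdefault(parse_mac(mac), pair)
        if first != pair:
            findings.append(f"{pair}: system-mac {mac} already used by {first}")
    return findings

if __name__ == "__main__":
    print(check_plan(SYSTEM_MACS, GATEWAY_MACS) or "MAC plan OK")
```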
Configure VSX
VSX is a redundancy protocol used to combine the Layer 2 data plane of two AOS-CX switches into a single logical switch fabric. Management and control plane functions remain independent. VSX is supported on 6400, 8400, and 83xx switch models.
Spanning tree should be enabled with aggregation switches acting as the root bridge. Gateways and access switches are configured with high bridge IDs to prevent them from becoming a root bridge.
Use this procedure to configure VSX on each switch.
Step 1 Configure a LAG interface to be used as the inter-switch link (ISL) for the VSX pair. Allow all VLANs on this LAG for simplified configuration management.
interface lag 256
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
Step 2 Configure the ports of the LAG interface. A minimum of two ports is required and a maximum of eight are supported. The CLI below shows example interface numbers. To simplify the copy-paste procedure, copy only the configuration lines below the interface and paste them under the correct interface in MultiEdit.
interface 1/1/49
description ISL_INTERFACE
no shutdown
lag 256
mtu 9198
interface 1/1/50
description ISL_INTERFACE
no shutdown
lag 256
mtu 9198
Step 3 Enable the VSX instance with the ISL LAG interface, the management IP information and VRF for the keep-alive session, a primary or secondary role, and shared system-mac. Primary and secondary examples are shown for clarity. Paste the configuration into MultiEdit one time only, then edit individual switch values as needed.
Note: The management (mgmt) interface is used as a keep-alive interface for VSX. Ensure that the mgmt IP interface of the secondary switch is reachable from the primary switch and vice versa.
Note: The system MAC must be the same value on each switch in the VSX pair, but otherwise unique within the network.
Example: Primary VSX Switch
vsx
inter-switch-link lag 256
keepalive peer 172.16.108.58 source 172.16.108.56 vrf mgmt
role primary
system-mac 02:01:00:00:01:00
Example: Secondary VSX Switch
vsx
inter-switch-link lag 256
keepalive peer 172.16.108.56 source 172.16.108.58 vrf mgmt
role secondary
system-mac 02:01:00:00:01:00
Step 4 At the bottom right of the MultiEdit window, click Save.
Validate VSX Configuration
Step 5 In a Remote Console window, type the command show vsx status, then press ENTER. The output shown below indicates a healthy VSX deployment.
Configure the Access VLANs
The Layer 3 aggregation switch is the default gateway for access switches and advertises the interface VLAN routes to the rest of the network.
Use this procedure to configure the VLANs for the aggregation switches.
Step 1 If needed, select Devices from the left menu, click Config in the upper right, and, with MultiEdit enabled, begin a new Edit Config session.
Step 2 Define the access VLAN numbers and names.
vlan 2
name ZTP_NATIVE
vlan 3
name EMPLOYEE
...
vlan 14
name CRITICAL_AUTH
vlan 15
name MGMT
Step 3 Configure the VLAN and IP services. Configure a large IP MTU, set DHCP IP helper addresses, associate the OSPF router instance from above, enable PIM-SM, and enable IGMP on the interface.
interface vlan 2
description ZTP_NATIVE
ip mtu 9198
ip address 10.2.2.2/24
ip helper-address 10.2.120.98
ip helper-address 10.2.120.99
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
Note: The ip helper-address command enables the forwarding of DHCP requests from endpoints to DHCP servers on other subnets. Multiple DHCP servers can be defined.
Step 4 Repeat the previous step for each VLAN.
Step 5 At the bottom right of the MultiEdit window, click Save.
Example: Access Aggregation
VLAN Name | VLAN ID | Access Agg 1 | Access Agg 2 | Network/Mask | Reserved Active gateway IP | Reserved Active gateway MAC address | IP helper address |
---|---|---|---|---|---|---|---|
ZTP_NATIVE | 2 | 10.2.2.2 | 10.2.2.3 | 10.2.2.0/24 | 10.2.2.1 | A2:01:00:00:00:01 | 10.2.120.98 10.2.120.99 |
EMPLOYEE | 3 | 10.2.3.2 | 10.2.3.3 | 10.2.3.0/24 | 10.2.3.1 | A2:01:00:00:00:01 | 10.2.120.98 10.2.120.99 |
VISITOR | 12 | 10.2.12.2 | 10.2.12.3 | 10.2.12.0/24 | 10.2.12.1 | A2:01:00:00:00:01 | 10.2.120.98 10.2.120.99 |
REJECT_AUTH | 13 | 10.2.13.2 | 10.2.13.3 | 10.2.13.0/24 | 10.2.13.1 | A2:01:00:00:00:01 | 10.2.120.98 10.2.120.99 |
CRITICAL_AUTH | 14 | 10.2.14.2 | 10.2.14.3 | 10.2.14.0/24 | 10.2.14.1 | A2:01:00:00:00:01 | 10.2.120.98 10.2.120.99 |
MGMT | 15 | 10.2.15.2 | 10.2.15.3 | 10.2.15.0/24 | 10.2.15.1 | A2:01:00:00:00:01 | 10.2.120.98 10.2.120.99 |
Example: Service Aggregation 1
VLAN Name | VLAN ID | Service Agg 1 | Service Agg 2 | Network/Mask | Reserved Active gateway IP | Reserved Active gateway MAC | IP helper address |
---|---|---|---|---|---|---|---|
EMPLOYEE | 103 | 10.6.103.2 | 10.6.103.3 | 10.6.103.0/24 | 10.6.103.1 | A2:04:00:00:00:01 | 10.2.120.98 10.2.120.99 |
VISITOR | 112 | 10.6.112.2 | 10.6.112.3 | 10.6.112.0/24 | 10.6.112.1 | A2:04:00:00:00:01 | 10.2.120.98 10.2.120.99 |
REJECT_AUTH | 113 | 10.6.113.2 | 10.6.113.3 | 10.6.113.0/24 | 10.6.113.1 | A2:04:00:00:00:01 | 10.2.120.98 10.2.120.99 |
CRITICAL_AUTH | 114 | 10.6.114.2 | 10.6.114.3 | 10.6.114.0/24 | 10.6.114.1 | A2:04:00:00:00:01 | 10.2.120.98 10.2.120.99 |
MGMT | 115 | 10.6.115.2 | 10.6.115.3 | 10.6.115.0/24 | 10.6.115.1 | A2:04:00:00:00:01 | 10.2.120.98 10.2.120.99 |
Configure VLAN Active Gateways
An active gateway provides the ability to have a default route through either switch in a VSX pair with each switch using the same local MAC address and IP address.
Step 1 Configure an active gateway on each VLAN using a local MAC address and IP address unique to the VLAN. If the VLAN is configured already according to the steps above, it is only necessary to paste the active-gateway lines.
Example: VLAN 2 on Primary VSX Switch
interface vlan 2
active-gateway ip mac a2:01:00:00:00:01
active-gateway ip 10.2.2.1
description ZTP_Native
ip mtu 9198
ip address 10.2.2.2/24
ip helper-address 10.2.120.98
ip helper-address 10.2.120.99
Example: VLAN 2 on Secondary VSX Switch
interface vlan 2
active-gateway ip mac a2:01:00:00:00:01
active-gateway ip 10.2.2.1
description ZTP_Native
ip mtu 9198
ip address 10.2.2.3/24
ip helper-address 10.2.120.98
ip helper-address 10.2.120.99
Configure Spanning Tree
For the widest possible interoperability, configure Multiple Spanning Tree Protocol (MSTP) as the loop protection protocol.
Step 1 Configure spanning tree globally and set the highest priority to ensure the aggregation switches are the root.
spanning-tree
spanning-tree priority 0
Note: MSTP is the default spanning-tree protocol on an Aruba CX switch and is selected simply by enabling spanning-tree.
Configure the Multi-Chassis LAG Interfaces
Configure an MC-LAG interface for each downstream access switch to enable uplink to both switches in the VSX pair without blocking.
Step 1 Enable spanning tree root guard and LACP fallback to allow for safe ZTP of access switches. Assign a native VLAN of two and trunk the allowed access VLANs previously created. Enable LACP active and LACP fallback to facilitate access switch provisioning. Enable PIM-SM routing.
interface lag 1 multi-chassis
no shutdown
no routing
vlan trunk native 2
vlan trunk allowed 1-3,5-6,13-15
lacp mode active
lacp fallback
spanning-tree root-guard
ip pim-sparse enable
Step 2 Repeat the previous step for each MC-LAG interface required for the connected access switches.
Step 3 Configure the ports of the LAG interface. The CLI below shows example interface numbers. To simplify the copy and paste procedure, copy only the configuration lines below the interface and paste them under the correct interface in MultiEdit.
interface 1/1/1
description DOWNLINK_TO_ACCESS_SW_OR_CTRL
no shutdown
lag 1
mtu 9198
Step 4 Repeat the previous step for each MC-LAG interface.
Step 5 At the bottom right of the MultiEdit window, click Save.
Devices in the group automatically synchronize the new configuration. Synchronization status is updated on the Configuration Status page and process step execution can be observed by clicking Audit Trail on the left menu.
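The following audit is an added example, not part of the original guide or of Aruba Central. It checks a saved configuration for two settings from the procedures above: OSPF stays passive by default and is made active only on /30 point-to-point links (Configure OSPF and Multicast Routing, Steps 1 and 4), and every multi-chassis LAG carries spanning-tree root-guard (Configure the Multi-Chassis LAG Interfaces, Step 1). It assumes the input uses the indented running-configuration layout; the sample text and function names are constructed for this example.

```python
import ipaddress

# Constructed sample in running-config layout (indented sub-commands), using values
# from this guide. "interface vlan 3" and "lag 2" are deliberately misconfigured.
SAMPLE = """\
router ospf 1
    passive-interface default
interface 1/1/1
    ip address 172.18.103.1/30
    no ip ospf passive
    ip ospf network point-to-point
interface vlan 3
    ip address 10.2.3.2/24
    no ip ospf passive
interface lag 1 multi-chassis
    spanning-tree root-guard
interface lag 2 multi-chassis
    lacp fallback
"""

def stanzas(text):
    """Map each unindented header line to the indented lines below it."""
    out, head = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            head = line.strip()
            out[head] = []
        elif head is not None:
            out[head].append(line.strip())
    return out

def audit(text):
    cfg, findings = stanzas(text), []
    ospf = [body for head, body in cfg.items() if head.startswith("router ospf")]
    if not ospf or any("passive-interface default" not in body for body in ospf):
        findings.append("router ospf: passive-interface default missing")
    for head, body in cfg.items():
        if "no ip ospf passive" in body:  # this interface may form adjacencies
            nets = [ipaddress.ip_interface(ln.split()[2]).network
                    for ln in body if ln.startswith("ip address ")]
            p2p = "ip ospf network point-to-point" in body
            if not (p2p and nets and all(n.prefixlen == 30 for n in nets)):
                findings.append(f"{head}: OSPF active off a /30 point-to-point link")
        if head.endswith(" multi-chassis") and "spanning-tree root-guard" not in body:
            findings.append(f"{head}: spanning-tree root-guard missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```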