Link Search Menu Expand Document
calendar_month 07-Mar-24

Access and Services Aggregation Configuration

The access-aggregation layer provides default gateway services to the layer 2 access switches and consolidates bandwidth from the lower speed access ports into high-speed uplinks to the core. The services-aggregation layer provides a function similar to the gateways, policy servers, and WAN or Internet gateways.

Table of contents

Configure the Aggregation Switch Groups

The following procedures describe the creation of an aggregation switch configuration in CLI format. The switch configuration may be created offline in a text editor and copied into MultiEdit or it may be typed directly in MultiEdit in a UI group of Central. Switches in the group receive the configuration when synchronized to Central.

The following figure shows the access aggregation and services aggregation switches in the ESP Campus.

Wired Aggregation

Enable MultiEdit for the Group

The base configuration of the switch was previously described in the Switch Group Configuration section of this guide. The following procedure completes the switch configuration using the Aruba Central MultiEdit tool, a CLI-based configuration editor built into Central.

Step 1 Navigate to Central and login using administrator credentials.

Step 2 On the Aruba Central Account Home page, launch the Network Operations app.

Step 3 In the filter dropdown, select an aggregation switch Group name. On the left menu, select Devices.

Step 4 In the upper right of the Switches page, select Config.

Step 5 In the upper left of the Switches page, move the slider right to enable MultiEdit.

Step 6 Select the devices for editing. In the lower right window, click EDIT CONFIG.

Note: The following steps provide a chunk of configuration that can be pasted into the MultiEdit window. After pasting the configuration chunk, right-click any device-specific values. A Modify Parameters window appears on the right to allow input of individual device values.

Configure OSPF and Multicast Routing

In the following steps, OSPF routing is configured to peer on point-to-point IP links using interface addresses in a /30 subnet. Then, PIM-Sparse Mode is enabled on the same links to ensure that multicast streams coming from the core can flow to the access VLANs.

The figure below can be used as a reference point for the implemented configuration.

OSPF Topology

Note: The switch configuration is formatted automatically on input. Paste CLI at the begining, end, or on a new line anywhere in the configuration.

Step 1 Configure the global OSPF routing instance with area 0 and enable passive-interface default to avoid unwanted OSPF adjacencies. Use a pre-allocated loopback IP address as the router-id.

router ospf 1 area 0 
  passive-interface default
  router-id 10.0.3.1

When creating a template for chassis switch configuration, enable graceful restart.

  graceful-restart restart-interval 30

Step 2 Configure the global multicast routing instance.

router pim
  enable
  active-active

Step 3 Create the loopback 0 interface and use a pre-allocated IP address. This should match the one used as the OSPF router-id. Enable OSPF in area 0 and PIM sparse mode on the interface.

interface loopback 0
  ip address 10.0.3.1/32
  ip ospf 1 area 0
  ip pim-sparse enable

Step 4 Configure OSPF and PIM-SM on the physical interfaces. Configure a large IP MTU, turn off passive mode, associate the OSPF router instance from above, and enable PIM sparse mode on the interface.

interface 1/1/1 
  description AG1_TO_CORE
  no shutdown
  ip mtu 9198
  ip address 172.18.103.1/30
  no ip ospf passive
  ip ospf network point-to-point
  ip ospf 1 area 0
  ip pim-sparse enable

Step 5 Repeat the previous step for each interface connected between the aggregation and core switches.

Example: Aggregation 1 Switches

AG1 IP AddressSubnetSource DevicePeer Device
172.18.103.1172.18.103.0/30AG1-SW1Core 1
172.18.103.9172.18.103.8/30AG1-SW2Core 1
172.18.103.5172.18.103.4/30AG1-SW1Core 2
172.18.103.13172.18.103.12/30AG1-SW2Core 2

Example: Aggregation 2 Switches

AG2 IP AddressSubnetSource DevicePeer Device
172.18.102.1172.18.102.0/30AG2-SW1Core 1
172.18.102.9172.18.102.8/30AG2-SW2Core 1
172.18.102.5172.18.102.4/30AG2-SW1Core 2
172.18.102.13172.18.102.12/30AG2-SW2Core 2

Example: Service Aggregation Switches

Service AG IP AddressSubnetSource DevicePeer Device
172.18.106.1172.18.106.0/30S2-1Core 1
172.18.106.9172.18.106.8/30S2-2Core 1
172.18.106.13172.18.106.12/30S2-2Core 2
172.18.106.5172.18.106.4/30S2-1Core 2

Step 6 At the bottom right of the MultiEdit window, click Save.

Step 7 When Config Status has returned to the “Sync” state for the modified devices, select List from the upper right.

Verify OSPF Operation

Central provides a remote console capability that allows for CLI access on any managed switch. Use this to run CLI show commands at validation steps throughout this guide.

Step 8 On the left menu, select Tools.

Step 9 On the Console tab, assign the following settings, then select Create New Session.

  • Device Type: Switch

  • Switch: Device name

  • Username: admin

  • Password: password

Step 10 In the Remote Console window, type the command show ip ospf neighbors, then press ENTER. The output shown below indicates healthy OSPF sessions to core switches.

Verify Multicast Operation

Step 11 In a Remote Console window, type the command show ip pim neighbor vrf default, then press ENTER. The output shown below indicates multicast routing is running on configured VLANs.

Configure the Access VLANs

The Layer 3 aggregation switch is the default gateway for access switches and advertises the interface VLAN routes to the rest of the network.

Use this procedure to configure the VLANs for the aggregation switches.

Step 1 If needed, select Devices from the left menu, click Config in the upper right, and, with MultiEdit enabled, begin a new Edit Config session.

Step 1 Define the access VLAN numbers and names.

vlan 2
  name ZTP_NATIVE
vlan 3
  name EMPLOYEE
...
vlan 14
  name CRITICAL_AUTH
vlan 15
  name MGMT

Step 3 Configure the VLAN and IP services. Configure a large IP MTU, set DHCP IP helper addresses, associate the OSPF router instance from above, enable PIM-SM, and enable IGMP on the interface.

interface vlan 2
  description ZTP_NATIVE
  ip mtu 9198
  ip address 10.2.2.2/24
  ip helper-address 10.2.120.98
  ip helper-address 10.2.120.99
  ip ospf 1 area 0.0.0.0
  ip igmp enable
  ip pim-sparse enable

Note: The ip helper-address command enables the forwarding of DHCP requests from endpoints to DHCP servers on other subnets. Multiple DHCP servers can be defined.

Step 4 Repeat the previous step for each VLAN.

Step 5 At the bottom right of the MultiEdit window, click Save.

Example: Access Aggregation

VLAN NameVLAN IDAccess Agg 1Access Agg 2Network/MaskReserved Active gateway IPIP helper address
ZTP_NATIVE210.2.2.210.2.2.310.2.2.0/2410.2.2.110.2.120.98
10.2.120.99
EMPLOYEE310.2.3.210.2.3.310.2.3.0/2410.2.3.110.2.120.98
10.2.120.99
VISITOR1210.2.12.210.2.12.310.2.12.0/2410.2.12.110.2.120.98
10.2.120.99
REJECT_AUTH1310.2.13.210.2.13.310.2.13.0/2410.2.13.110.2.120.98
10.2.120.99
CRITICAL_ AUTH1410.2.14.210.2.14.310.2.14.0/2410.2.14.110.2.120.98
10.2.120.99
MGMT1510.2.15.210.2.15.310.2.15.0/2410.2.15.110.2.120.98
10.2.120.99

Example: Service Aggregation 1

VLAN NameVLAN IDService Agg 1Service Agg 2Network/MaskReserved Active gateway IPIP helper address
EMPLOYEE10310.6.103.210.6.103.310.6.103.0/2410.6.103.110.2.120.98
10.2.120.99
VISITOR11210.6.112.210.6.112.310.6.112.0/2410.6.112.110.2.120.98
10.2.120.99
REJECT_AUTH11310.6.113.210.6.113.310.6.113.0/2410.6.113.110.2.120.98
10.2.120.99
CRITICAL_ AUTH11410.6.114.210.6.114.310.6.114.0/2410.6.114.110.2.120.98
10.2.120.99
MGMT11510.6.115.210.6.115.310.6.115.0/2410.6.115.110.2.120.98
10.2.120.99

Configure VSX

VSX is a redundancy protocol used to combine the Layer 2 data plane of two AOS-CX switches into a single logical switch fabric. Management and control plane functions remain independent. VSX is supported on 6400, 8400, and 83xx switch models.

Spanning tree should be enabled with aggregation switches acting as the root bridge. Gateways and access switches are configured with high bridge IDs to prevent them from becoming a root bridge.

Use this procedure to configure VSX on each switch.

Step 1 Configure a LAG interface to be used as the inter-switch link (ISL) for the VSX pair. Allow all VLANs on this LAG for simplified configuration management.

interface lag 128
  no shutdown
  no routing
  vlan trunk native 1
  vlan trunk allowed all 
  lacp mode active

Step 2 Configure the ports of the LAG interface. A minimum of two ports is required and a maximum of eight are supported. The CLI below shows example interface numbers. To simplify the copy-paste procedure, copy only the configuration lines below the interface and paste them under the correct interface in MultiEdit.

interface 1/1/49
  description ISL_INTERFACE
  no shutdown
  lag 128
  mtu 9198
interface 1/1/50
  description ISL_INTERFACE
  no shutdown
  lag 128
  mtu 9198

Step 3 Configure a VRF for the layer 3 keep-alive interface between the VSX switch pair.

vrf VSX_KEEPALIVE

Step 4 Attach the keep-alive interface to the keep-alive VRF. Copy only the lines below interface.

interface 1/1/1 
  vrf attach VSX_KEEPALIVE 
  ip address 10.99.99.1/30

Step 5 Enable the VSX instance with the ISL LAG interface, the IP information and VRF for the keep-alive session, a primary or secondary role, and shared system-mac. Primary and secondary examples are shown for clarity. Paste the configuration into MultiEdit one time only, then edit individual switch values as needed.

Note: The system MAC must be the same value on each switch in the VSX pair, but otherwise unique within the network.

Step 6 At the bottom right of the MultiEdit window, click Save.

Example: Primary VSX Switch

vsx
  inter-switch-link lag 128
  keepalive peer 10.99.99.2 source 10.99.99.1 vrf VSX_KEEPALIVE
  role primary
  system-mac 02:01:00:00:01:00

Example: Secondary VSX Switch

vsx
  inter-switch-link lag 128
  keepalive peer 10.99.99.1 source 10.99.99.2 vrf VSX_KEEPALIVE
  role secondary
  system-mac 02:01:00:00:01:00

Validate VSX Configuration

Step 7 In a Remote Console window, type the command show vsx status, then press enter. The output shown below indicates a healthy VSX deployment.

Configure VLAN Active Gateways

An active gateway provides the ability to have a default route through either switch in a VSX pair with each switch using the same local MAC address and IP address.

Step 1 Configure an active gateway on each VLAN using a local MAC address and IP address unique to the VLAN. If the VLAN is configured already according to the steps above, it is only necessary to paste the active-gateway lines.

Example: VLAN 2 on Primary VSX Switch

interface vlan 2
  active-gateway ip mac 12:01:00:00:01:00
  active-gateway ip 10.2.2.1
  description ZTP_Native
  ip mtu 9198
  ip address 10.2.2.2/24
  ip helper-address 10.2.120.98
  ip helper-address 10.2.120.99

Example: VLAN 2 on Secondary VSX Switch

interface vlan 2
  active-gateway ip mac 12:01:00:00:01:00
  active-gateway ip 10.2.2.1
  description ZTP_Native
  ip mtu 9198
  ip address 10.2.2.3/24
  ip helper-address 10.2.120.98
  ip helper-address 10.2.120.99

Configure Spanning Tree

For the widest possible interoperability, configure Multiple Spanning Tree Protocol (MSTP) as the loop protection protocol.

Step 1 Configure spanning tree globally and set the highest priority to ensure the aggregation switches are the root.

spanning-tree
spanning-tree priority 0

Note: MSTP is the default spanning-tree protocol on an Aruba CX switch and is selected simply by enabling spanning-tree.

Configure the Multi-Chassis LAG Interfaces

Configure an MC-LAG interface for each downstream access switch to enable uplink to both switches in the VSX pair without blocking.

Step 1 Enable spanning tree root guard and LACP fallback to allow for safe ZTP of access switches. Assign a native VLAN of two and trunk the allowed access VLANs previously created. Enable LACP active and LACP fallback to facilitate access switch provisioning. Enable PIM-SM routing.

interface lag 1 multi-chassis
  no shutdown
  no routing
  vlan trunk native 2
  vlan trunk allowed 1-3,5-6,13-15
  lacp mode active
  lacp fallback
  spanning-tree root-guard
  ip pim-sparse enable

Step 2 Repeat the previous step for each MC-LAG interface required for the connected access switches.

Step 3 Configure the ports of the LAG interface. The CLI below shows example interface numbers. To simplify the copy and paste procedure, copy only the configuration lines below the interface and paste them under the correct interface in MultiEdit.

interface 1/1/1
  description DOWNLINK_TO_ACCESS_SW_OR_CTRL
  no shutdown
  lag 1 
  mtu 9198

Step 4 Repeat the previous step for each MC-LAG interface.

Step 5 At the bottom right of the MultiEdit window, click Save.

Devices in the group automatically synchronize the new configuration. Synchronization status is updated on the Configuration Status page and process step execution can be observed by clicking Audit Trail on the left menu.


Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.