Differences

This shows you the differences between two versions of the page.

--- aruba_networks:switch:6400:6400_configuration_example_script [2025/05/09 09:29] – aperez
+++ aruba_networks:switch:6400:6400_configuration_example_script [2025/10/03 19:47] (current) – aperez
@@ Line 361: / Line 361: @@
 When IGMP snooping is not enabled, the snooping switch floods multicast packets to all hosts in a VLAN. IGMP L2 snooping switch provides the benefit of conserving bandwidth on those segments of the network where no node has expressed interest in receiving packets addressed to the group address. When IGMP snooping is enabled, the L2 snooping switch forwards multicast packets of known multicast groups to only the receivers.
+====== Multicast — UDP Ports and Recommended Addressing ======
+===== 1. General Concept =====
+* Multicast is based on **IP Multicast addresses (224.0.0.0 – 239.255.255.255)** + **UDP**.
+* **TCP is not applicable to multicast**, only UDP is viable.
+* **UDP ports** define the application/service that uses the multicast group.
+===== 2. Common UDP Ports in Multicast =====
+^ Application / Protocol              ^ Typical Multicast Address ^ UDP Port Used ^
+| **RTP/RTSP (Streaming)**            | 239.x.x.x / 232.x.x.x     | 5004–5005 |
+| **SAP/SDP (Session Announce)**      | 224.2.127.254             | 9875 |
+| **mDNS / AirGroup (Apple)**         | 224.0.0.251               | 5353 |
+| **SSDP / UPnP discovery**           | 239.255.255.250           | 1900 |
+| **NTP (multicast sync)**            | 224.0.1.1                 | 123 |
+| **OSPF (routing)**                  | 224.0.0.5 / 224.0.0.6     | (IP protocol, no UDP) |
+| **PIM / IGMP control**              | 224.0.0.x                 | (no UDP/TCP) |
+| **Videoconferencing (dynamic RTP)** | 239.x.x.x                 | 16384–32767 |
+| **IPTV / DVB**                      | 232.x.x.x / 239.x.x.x     | 5000–5500 |
+| **GDOI/GMS (Key management)**       | 224.0.0.x                 | 848 |
+===== 3. Recommended Addressing =====
+* **Administratively Scoped Range**: **239.0.0.0/8**
+  * Equivalent to “private IP” in multicast (similar to RFC1918 for unicast).
+  * Not routed on the Internet, designed for internal/private use.
+* Within this range it is recommended to:
+  * Allocate blocks **per project or application**, e.g.:
+    * 239.16.0.0/16 → Internal video traffic (e.g., 239.16.x.x).
+    * 239.20.0.0/16 → Telemetry and IoT sensors.
+  * Keep sub-ranges clearly separated to avoid overlap.
+* Avoid local control addresses (224.0.0.x) as they are reserved for routing protocols.
+* For IPTV, streaming, or lab testing, **239.16.x.x** or **239.20.x.x** are valid and safe inside a private network.
+===== 4. Restrictions =====
+* Avoid **reserved or widely used ports**:
+  * 123 (NTP), 1900 (SSDP), 5004 (RTP), 5353 (mDNS), 9875 (SAP).
+* Aruba CX (e.g., 6400) with IGMP Snooping **does not filter by UDP port**, only by multicast IP address.
+* Transport ports matter only for the **end application** (client/server).
+===== 5. Safe Port Recommendations =====
+* **Do not use:** 0–1023 (well-known).
+* **Safe for internal/lab services:**
+  * **20000–29999 UDP** → recommended for internal video/audio streams.
+  * **40000–49999 UDP** → good option for lab testing and telemetry.
+===== 6. Best Practices on Aruba =====
+* Validate group membership with:
+  ``show igmp-snooping groups vlan <ID>``
+* Confirm only interested ports receive traffic:
+  ``show ip igmp interface vlan <ID>``
+* Example:
+  * Group: **239.16.0.2**
+  * UDP Port: **20001**
+  * Traffic will be delivered **only** to ports that issued an **IGMP Join**.
+----
+**Summary:**
+✔ Multicast uses **UDP**.
+✔ Commonly occupied ports include 123, 1900, 5004, 5353, 9875.
+✔ To avoid conflicts, use internal ranges **20000–29999** or **40000–49999**.
+✔ For private addressing, use **239.0.0.0/8** (e.g., 239.16.x.x for video, 239.20.x.x for IoT) and separate per application.
 {{ :aruba_networks:switch:igmp-snooping-overview_603x386.png?600 | }}
@@ Line 1809: / Line 1879: @@
-{{:aruba_networks:switch:6400:ospf_final.png?600|}}
+----
+{{ :aruba_networks:switch:6400:ospf_final.png?600 |}}
+----
 ================
-SIDE-A 6400-A
+**SIDE-A 6400-A**
 ================
+  Example set vlan L2 to both SW 6400 A and B:
+  vlan 508
+      name ST
+      vsx-sync
+      ip igmp snooping enable
+      ip igmp snooping version 2
+      ip igmp snooping apply access-list mygroup1
   vsx
@@ Line 1846: / Line 1931: @@
       description Vlan 508 ST
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.28.72.2/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 1852: / Line 1937: @@
       ip helper-address 10.28.64.22
       ip ospf 1 area 0.0.0.0
   interface vlan 514
       description Vlan 514 AC
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 172.16.40.2/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 1865: / Line 1950: @@
       description Vlan 530
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.28.216.2/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 1891: / Line 1976: @@
 ================
-SIDE-A 6400-B
+**SIDE-A 6400-B**
 ================
@@ Line 1924: / Line 2009: @@
       description Vlan 508 ST
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.28.72.3/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 1934: / Line 2019: @@
       description Vlan 514 AC
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 172.16.40.3/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 1943: / Line 2028: @@
       description Vlan 530
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.28.216.3/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 1967: / Line 2052: @@
 ================
-SIDE-B 6400-A
+**SIDE-B 6400-A**
 ================
+  Example set vlan L2 to both SW 6400 A and B:
+  vlan 708
+      name ST
+      vsx-sync
+      ip igmp snooping enable
+      ip igmp snooping version 2
+      ip igmp snooping apply access-list mygroup1
   vsx
@@ Line 2000: / Line 2095: @@
       description Vlan 708 ST
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.56.72.2/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 2006: / Line 2101: @@
       ip helper-address 10.56.64.22
       ip ospf 1 area 0.0.0.0
   interface vlan 714
       description Vlan 714 AC
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 172.20.40.2/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 2016: / Line 2111: @@
       ip helper-address 10.56.64.22
       ip ospf 1 area 0.0.0.0
   interface vlan 730
       description VLAN 730 9K
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.56.216.2/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 2044: / Line 2139: @@
       ip ospf network point-to-point
 ================
-SIDE-B 6400-B
+**SIDE-B 6400-B**
 ================
@@ Line 2064: / Line 2158: @@
       vsx-sync
       description TRANSIT VLAN
   router ospf 1
       router-id 172.22.0.4
@@ Line 2076: / Line 2170: @@
       ip address 172.22.0.4/32
       ip ospf 1 area 0.0.0.0
   interface vlan 708
       description Vlan 708 ST
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.56.72.3/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 2090: / Line 2184: @@
       description Vlan 714 AC
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 172.20.40.3/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 2100: / Line 2194: @@
       description VLAN 730 9K
       vsx-sync active-gateways
-      ip mtu 9100
+      ip mtu 1500
       ip address 10.56.216.3/23
       active-gateway ip mac 12:01:00:00:01:00
@@ Line 2347: / Line 2441: @@
 ----
 ----
+====== Aruba 6300M Uplink Port Compatibility ======
+===== Summary =====
+During the deployment of a 10Gbps LAG between an Aruba 6300M and an Aruba 6400, the link failed to come up when using standard 10G SFP+ SR modules (e.g., JL260A) in ports 51 and 52. These ports are SFP28 with MACsec capabilities and may reject modules that do not support MACsec.
+After inserting the same SFP+ module into port 50 (SFP56 type, no MACsec), the link came up successfully at 10Gbps.
+This indicates that:
+  * Ports 51 and 52 require MACsec-capable transceivers.
+  * Ports 49 and 50 (SFP56) are fully backward compatible and work reliably with standard 10G SFP+ modules.
+  * It is recommended to use ports 49 and 50 for standard uplinks or non-MACsec LAGs.
+===== Uplink Port Compatibility Table =====
+^ Port       ^ Physical Type ^ Supported Speeds     ^ MACsec Support ^ Compatible Modules           ^ Recommended Use                           ^
+| 1/1/49     | SFP56         | 10G / 25G / 50G       | No             | SFP+, SFP28, SFP56            | Standard uplinks, LAGs, non-secure 10G    |
+| 1/1/50     | SFP56         | 10G / 25G / 50G       | No             | SFP+, SFP28, SFP56            | Standard uplinks, LAGs, non-secure 10G    |
+| 1/1/51     | SFP28         | 10G / 25G             | Yes            | SFP+ MACsec, SFP28 MACsec     | Secure uplinks only (MACsec modules)     |
+| 1/1/52     | SFP28         | 10G / 25G             | Yes            | SFP+ MACsec, SFP28 MACsec     | Secure uplinks only (MACsec modules)     |
+===== SFP/SFP+ Module Compatibility =====
+^ Module     ^ Speed     ^ MACsec Support ^ Compatible Ports ^ Notes                                      ^
+| JL260A     | 10G       | No             | 49, 50           | Standard SFP+ SR module, not for 51/52     |
+| JL261A     | 10G       | No             | 49, 50           | Standard SFP+ LR module                    |
+| JL685A     | 10G       | Yes            | 51, 52           | MACsec-capable SFP+ SR module              |
+| JL640A     | 25G       | Yes            | 51, 52           | SFP28 SR MACsec module                     |
+| JL563A     | 25G       | No             | 49, 50           | SFP28 SR non-MACsec module                 |
+===== Notes =====
+  * If a module is not MACsec-capable, it may not link on ports 51–52.
+  * Use the command ''show macsec summary'' to check MACsec status.
+  * Ensure both ends of a LAG use modules of the same type and speed.
+  * When in doubt, test modules on ports 49 or 50 for basic link validation.
+----
+----
+====== VXLAN Configuration between Aruba 6300 and Aruba 6400 ======
+This document outlines the required configuration and logical architecture to enable VXLAN Layer 2 extension between an Aruba 6300 and an Aruba 6400 switch. It includes the architecture summary, logical diagram, VNI-to-VLAN mapping, and complete CLI configuration focused solely on VXLAN.
+===== Architecture Summary =====
+This design extends Layer 2 domains using point-to-point VXLAN tunnels (ingress-replication). Each Aruba switch acts as a VXLAN Tunnel Endpoint (VTEP), using its Loopback interface as the source IP for encapsulation.
+  * VXLAN mode: Static EVPN
+  * Transport: VXLAN over IP using loopback source
+  * Encapsulation: Ingress-replication VXLAN
+  * MTU: Minimum 9100 on transport interfaces
+===== Logical Architecture =====
+  +------------------------+                   VXLAN Tunnel                   +------------------------+
+  | Aruba 6300 (VTEP)      |<----------------------------------------------->| Aruba 6400 (VTEP)      |
+  | Loopback: 172.22.32.3  |                                                 | Loopback: 172.22.32.4  |
+  | VLANs: 1, 700–732      |                                                 | VLANs: 1, 700–732      |
+  | VXLAN Interface: 1     |                                                 | VXLAN Interface: 1     |
+  +------------------------+                                                 +------------------------+
+Each switch encapsulates traffic from local VLANs into VXLAN using its loopback as the tunnel source.
+===== VXLAN Mapping Table: VLAN ↔ VNI ↔ Tunnel =====
+^ VLAN ID ^ VNI    ^ Description      ^ Local VTEP (6300) ^ Remote VTEP (6400) ^
+| 1       | 10001  | Management       | 172.22.32.3        | 172.22.32.4         |
+| 700     | 10700  | ServerVM         | 172.22.32.3        | 172.22.32.4         |
+| 701     | 10701  | ServerStack      | 172.22.32.3        | 172.22.32.4         |
+| 702     | 10702  | ISP1             | 172.22.32.3        | 172.22.32.4         |
+| ...     | ...    | ...              | ...                | ...                 |
+| 732     | 10732  | OldNet           | 172.22.32.3        | 172.22.32.4         |
+===== CLI Configuration – Aruba 6300 =====
+<code>
+interface 1/1/15
+    description PTP Link to ARUBA 6300 IP: 172.18.32.42
+    no shutdown
+    mtu 9100
+    routing
+    ip address 172.18.32.41/30
+    ip ospf 1 area 0.0.0.0
+    ip ospf network point-to-point
+ip route 172.22.32.5/32 172.18.32.42
+interface loopback 1
+    ip address 172.22.32.6/32
+    ip ospf 1 area 0.0.0.0
+interface vxlan 1
+    source ip 172.22.32.6
+    inter-vxlan-bridging-mode static-evpn
+    no shutdown
+    vni 10001
+        vlan 1
+        vtep-peer 172.22.32.5
+    vni 10700
+        vlan 700
+        vtep-peer 172.22.32.5
+    ...
+    vni 10732
+        vlan 732
+        vtep-peer 172.22.32.5
+router ospf 1
+    router-id 172.22.32.6
+    area 0.0.0.0
+</code>
+===== CLI Configuration – Aruba 6300 =====
+<code>
+interface 1/1/15
+    description PTP Link to ARUBA 6300 IP: 172.18.32.41
+    no shutdown
+    mtu 9100
+    routing
+    ip address 172.18.32.42/30
+    ip ospf 1 area 0.0.0.0
+    ip ospf network point-to-point
+ip route 172.22.32.6/32 172.18.32.41
+interface loopback 1
+    ip address 172.22.32.5/32
+    ip ospf 1 area 0.0.0.0
+interface vxlan 1
+    source ip 172.22.32.5
+    inter-vxlan-bridging-mode static-evpn
+    no shutdown
+    vni 10001
+        vlan 1
+        vtep-peer 172.22.32.6
+    vni 10700
+        vlan 700
+        vtep-peer 172.22.32.6
+    ...
+    vni 10732
+        vlan 732
+        vtep-peer 172.22.32.6
+router ospf 1
+    router-id 172.22.32.6
+    area 0.0.0.0
+</code>
+----
+----
+{{ :aruba_networks:switch:6400:vxlan_cli_ap.pdf |}}
+{{pdfjs 46em >:aruba_networks:switch:6400:vxlan_cli_ap.pdf}}
+----
+----
+{{ :cisco:switch:9500:mtu_utm_switch_6400_9500.pdf |}}
+{{pdfjs 46em >:cisco:switch:9500:mtu_utm_switch_6400_9500.pdf }}
+----
+----
+{{ :aruba_networks:switch:6400:mtu_pmtu.pdf |}}
+{{pdfjs 46em >:aruba_networks:switch:6400:mtu_pmtu.pdf }}
+----
+----