Table of Contents
Aruba CX 6400v2 / 6200 Series Switches
hpe_a00094242en_us_vsx_configuration_best_practices_for_aruba_cx_6400_8320_8325_8360_8400_v1.3.pdf
Laboratory
Configuring a Layer 2 static aggregation group
Configuring a Layer 3 static aggregation group
Note: ISL stands for Inter-Switch Link, and it is a Cisco proprietary protocol. It works by adding a 26-byte header and a 4-byte trailer to the original Ethernet frame, creating a new ISL frame. The header contains the VLAN ID, which identifies the VLAN to which the frame belongs; ISL adds more overhead to the Ethernet frame compared to IEEE 802.1Q due to its proprietary encapsulation, which can impact network performance, especially in high-throughput environments. In contrast, IEEE 802.1Q has a lower overhead, making it more efficient in terms of bandwidth utilization.
VLAN Aggregation Mode-------IEEE 802.1Q and ISL
IEEE 802.1Q
IEEE 802.1Q, commonly known as “Dot One Q”, is an IEEE-certified protocol for attaching VLAN identification information to data frames.
Here, please recall the standard format of Ethernet data frames.
The VLAN identification information attached by IEEE 802.1Q is located between the “Sending Source MAC Address” and the “Type Field” (Type Field) in the data frame. The specific content is 2 bytes of TPID (Tag Protocol Identifier) and 2 bytes of TCI (Tag Control Information), a total of 4 bytes.
Add 4 bytes of content to the data frame, so the CRC value will naturally change. At this time, the CRC on the data frame is the value obtained by recalculating the entire data frame including them after inserting TPID and TCI.
When the data frame leaves the aggregation link, the TPID and TCI will be removed, and a CRC recalculation will be performed at this time.
The position of the TPID field in the Ethernet packet is the same as the position of the protocol type field in the packet without a VLAN tag. The value of TPID is fixed to 0x8100, which indicates the 802.1Q type carried by the network frame, and the switch uses it to determine that the IEEE 802.1Q-based VLAN information is attached to the data frame. The actual VLAN ID is 12 bits in TCI. Since there are 12 bits in total, up to 4096 VLANs can be identified.
The VLAN information attached based on IEEE 802.1Q is like a tag attached when transferring items. Therefore, it is also called “Tagging VLAN” (Tagging VLAN).
ISL (Inter-Switch Link)
ISL is a protocol similar to IEEE 802.1Q supported by Cisco products for attaching VLAN information to the aggregation link.
After using ISL, 26 bytes of “ISL Header” will be appended to the header of each data frame, and 4 words obtained by calculating the entire data frame including the ISL header on the frame tail band Section CRC value. In other words, a total of 30 bytes of information have been added.
In an environment where ISL is used, when a data frame leaves the convergence link, simply remove the ISL header and the new CRC. Since the original data frame and its CRC are completely preserved, there is no need to recalculate the CRC.
ISL is like wrapping the entire original data frame with an ISL header and a new CRC, so it is also called an “Encapsulated VLAN” (Encapsulated VLAN).
It should be noted that neither the “Tagging VLAN” of IEEE802.1Q or the “Encapsulated VLAN” of ISL is a very strict term. In different books and reference materials, the above words may be mixed and used, so you need to pay special attention when studying.
And because ISL is a Cisco unique protocol, it can only be used for interconnection between Cisco network devices.
¿Maximum transmission unit - MTU -)?
Note: For Ethernet networks, the recommended MTU size is usually 9000 bytes. This is because Ethernet networks are designed to handle larger frames, making it easier to achieve higher performance with JUMBO Frames.
Note: What is MTU 9198 (Jumbo frames)?; this is the value of the global jumbos IP MTU (or L3 MTU) supported by the switch. The default value is set to 9198 bytes (a value that is 18 bytes less than the largest possible maximum frame size of 9216 bytes). This object can be used only in switches that support max-frame-size and ip- mtu configuration.
Note: What is the best MTU setting (WAN)?; it is generally recommended that the MTU for a WAN interface connected to a PPPoE DSL network be 1492. In fact, with auto MTU discovery, 1492 is discovered to be the maximum allowed MTU. However, having an MTU of 1452 is most optimal.
¿What is power over ethernet PoE?
VSX/VSF - CLI test configuration
2.aos-cx-simulator-vsx-part-2-lab-guide.pdf
Virtual MAC and System-MAC Guidance
One of the main VSX best practice is to set VSX system-mac and not leave it blank with default HW system-mac being used. By doing so, the VSX system-mac is independent from the physical hardware MAC address and in case of hardware replacement of the VSX primary, the new switch can be configured with the same configuration than the previous primary unit with no impact on the VSX secondary as the cluster ID remains unchanged. With such practice, VSX primary HW replacement is hitless for the VSX secondary. (Otherwise the VSX secondary would have to join a new cluster ID, ID from VSX primary, and would turn-off temporary its VSX LAG ports).
Please use locally administered unicast MAC Address when assigning system-mac or active-gateway virtual MAC address. There are 4 ranges reserved for private use for unicast (with second least significant bit of the first octet of the unicast address set to 1). x is any Hexadecimal value.
- x2-xx-xx-xx-xx-xx
- x6-xx-xx-xx-xx-xx
- xA-xx-xx-xx-xx-xx
- xE-xx-xx-xx-xx-xx
In this document, 02:01:00:00:01:00 is used or system-mac and 12:01:00:00:01:00 is used for active-gateway Virtual MAC.
The scope of this VMAC is purely link-local. Consequently, the same Virtual MAC address value can be used on any L3 VLAN interface (SVI).
If some servers or systems have dual-attachment to two different SVIs, and the system administrator would like to see distinct MAC addresses for the next-hops over these separate interfaces, then 16 VMACs are available. For dual-stack IPv4 and IPv6, 16 VMACs can be used for IPv4 and the same VMACs can be used for IPv6. It is however a best practice to use only 8 VMACs for IPv4 and 8 different VMACs for IPV6.
Note: any other allocation rules can be chosen according to administrative rules in place by the network operational team. Multicast orbroadcast MAC addresses must not be used for System-mac.
vsx-sync
Switch 8360-1
8360-1#conf 8360-1#hotname 8360-1 8360-1#int mgmt 8360-1#ip static 10.1.1.12/24 8360-1#no shut 8360-1#end 8360-1#wr mem 8360-1#sh ver //must have the same software version// 8360-1#int lag 256 8360-1#no shut 8360-1#description ISL Link 8360-1#no routing 8360-1#vlan trunk native 1 8360-1#vlan trunk allowed all 8360-1#lacp mode active 8360-1#exit //over QSFP28 DAC X 2 // 8360-1#interface 1/1/25 8360-1#no shut 8360-1#mtu 9198 8360-1#description ISL port 1 8360-1#lag 256 8360-1#interface 1/1/26 8360-1#no shut 8360-1#mtu 9198 8360-1#description ISL port 2 8360-1#lag 256 8360-1#exit 8360-1#wr mem 8360-1#sh interface lag 256 8360-1#sh lacp interfaces //over SFP+ DAC// 8360-1#config t 8360-1#vrf keepAlive 8360-1#exit 8360-1#interface 1/1/24 8360-1#no shut 8360-1#vrf attach keepAlive 8360-1#routing 8360-1#ip address 192.168.99.1/30 8360-1#end 8360-1#wr mem //test// 8360-1#ping 192.168.99.2 vrf keepAlive 8360-1#conf 8360-1#vsx 8360-1#system-mac 02:01:00:00:01:00 8360-1#inter-switch-link lag 256 8360-1#role primary 8360-1#vsx-sync vsx-global 8360-1#end 8360-1#wr mem 8360-1#sh vsx status 8360-1#sh run | begin vsx 8360-1#sh run vsx-sync 8360-1#sh vsx brief 8360-1#conf 8360-1#vsx 8360-1#keepalive peer 192.168.99.2 source 192.168.99.1 vrf keepAlive 8360-1#end 8360-1#wr mem 8360-1#sh vsx brief 8360-1#sh vsx status config-sync 8360-1#conf 8360-1#vsx 8360-1#vsx-sync aaa acl-log-timer bfd-global bgp copp-policy dhcp-relay dhcp-server dns icmp-tcp lldp loop- protect-global mac-lockout mclag-interfaces neighbor ospf qos-global route-map sflow-global snmp ssh stp-global time vsx-global 8360-1#end 8360-1#wr mem //Lag multi-chassis// 8360-1#config 8360-1#interface lag 1 multi-chassis 8360-1#description Access VSX LAG 8360-1#no shut 8360-1#vlan trunk allowed 10,20 8360-1#exit 8360-1#interface 1/1/1 8360-1#no shut 8360-1#mtu 9100 8360-1#description LAG1 Port 8360-1#lag 1 8360-1#end 8360-1#wr mem //VLAN 10 - VIP - 10.1.10.1// //VLAN 20 - VIP - 10.1.20.1// 8360-1#conf 8360-1#interface vlan 10 8360-1#vsx-sync active-gateways 8360-1#ip mtu 9100 8360-1#ip address 10.1.10.2/24 8360-1#active-gateway ip mac 12:01:00:00:01:00 8360-1#active-gateway ip 10.1.10.1 8360-1#no shut 8360-1#exit 8360-1#interface vlan 20 8360-1#vsx-sync active-gateways 8360-1#ip mtu 9100 8360-1#ip address 10.1.20.2/24 8360-1#active-gateway ip mac 12:01:00:00:01:00 8360-1#active-gateway ip 10.1.20.1 8360-1#end 8360-1#wr mem 8360-1# 8360-1#
Switch 8360-2
8360-2#conf 8360-2#hotname 8360-2 8360-2#int mgmt 8360-2#ip static 10.1.1.11/24 8360-2#no shut 8360-2#end 8360-2#wr mem 8360-2#int lag 256 8360-2#no shut 8360-2#description ISL Link 8360-2#no routing 8360-2#vlan trunk native 1 8360-2#vlan trunk allowed all 8360-2#lacp mode active 8360-2#exit //over QSFP28 DAC X 2 // 8360-2#interface 1/1/25 8360-2#no shut 8360-2#mtu 9198 8360-2#description ISL port 1 8360-2#lag 256 8360-2#interface 1/1/26 8360-2#no shut 8360-2#mtu 9198 8360-2#description ISL port 2 8360-2#lag 256 8360-2#exit 8360-2#wr mem 8360-2#sh interface lag 256 8360-2#sh lacp interfaces //over SFP+ DAC// 8360-2#config t 8360-2#vrf keepAlive 8360-2#exit 8360-2#interface 1/1/24 8360-2#no shut 8360-2#vrf attach keepAlive 8360-2#routing 8360-2#ip address 192.168.99.2/30 8360-2#end 8360-2#wr mem //test// 8360-2#ping 192.168.99.1 vrf keepAlive 8360-2#config 8360-2#vsx 8360-2#inter-switch-link lag 256 8360-2#role secondary 8360-2#end 8360-2#wr mem 8360-2#sh vsx status 8360-2#sh run | begin vsx 8360-2#sh vsx brief 8360-2#conf 8360-2#vsx 8360-2#keepalive peer 192.168.99.1 source 192.168.99.2 vrf keepAlive 8360-2#end 8360-2#wr mem 8360-2#sh vsx brief 8360-2#sh vsx status keepAlive 8360-2#sh run | beg vsx 8360-2#vlan 10,20 8360-2#vsx-sync 8360-2#exit 8360-2#wr mem 8360-2#sh vlan 8360-2#conf 8360-2#interface lag 1 multi-chassis 8360-2#no shut 8360-2#exit 8360-2#interface 1/1/1 8360-2#no shut 8360-2#mtu 9100 8360-2#description LAG1 Port 8360-2#lag 1 8360-2#end 8360-2#wr mem 8360-2#sh run int lag 1 //VLAN 10 - VIP - 10.1.10.1// //VLAN 20 - VIP - 10.1.20.1// 8360-2#conf 8360-2#interface vlan 10 8360-2#ip mtu 9100 8360-2#ip address 10.1.10.3/24 8360-2#no shut 8360-2#exit 8360-2#interface vlan 20 8360-2#ip mtu 9100 8360-2#ip address 10.1.20.3/24 8360-2#no shut 8360-2#exit 8360-2#end 8360-2#wr mem 8360-2#sh run int vlan 10 8360-2#sh vsx status 8360-2#sh vsx brief
VSF
Switch 6200-1
6200-1#conf 6200-1#hotname 6200-1 6200-1#int mgmt 6200-1#ip static 10.1.1.21/24 6200-1#no shut 6200-1#end 6200-1#wr mem 6200-1#conf 6200-1#vsf member 1 6200-1#link 1 1/1/27 6200-1#link 2 1/1/28 6200-1#exit 6200-1#vsf secondary-member 2 this will save the configuration and reboot the specified switch. Do you want to continue (y/n)? y 6200-1#end 6200-1#wr mem 6200-1#conf 6200-1#vlan 10,20 6200-1#no shut 6200-1#exit 6200-1#interface lag 1 6200-1#no shut 6200-1#vlan trunk allowed 10,20 6200-1#lacp 6200-1#lacp mode active 6200-1#exit 6200-1#interface 1/1/25,2/1/25 6200-1#no shut 6200-1#mtu 9100 6200-1#lag 1 6200-1#exit 6200-1#int 1/1/1 6200-1#no shut 6200-1#vlan access 10 6200-1#end 6200-1#wr mem //SFP+ DAC (ARUBAOS)// 6200-1#sh lacp interfaces multi-chassis 6200-1#
Switch 6200-2
6200-2#conf 6200-2#hotname 6200-2 6200-2#int mgmt 6200-2#ip static 10.1.1.22/24 6200-2#no shut 6200-2#end 6200-2#wr mem 6200-2#conf 6200-2#vsf member 1 6200-2#link 1 1/1/27 6200-2#link 2 1/1/28 6200-2#end 6200-2#conf 6200-2#vsf renumber-to 2 this will save the VSF configuration and reboot the switch. Do you want to continue (y/n)? y 6200-2#end 6200-2#wr mem
Verification setting
6200-1#sh vsf 6200-1#sh vsf link 6200-1#sh vsf topology 6200-1# 6200-1#
aos-cx_simulator_lab_-_ipv4_dhcp_lab_guide.pdf
United States of America rangos de direcciones IP
QinQ vs VLAN vs VXLAN: A Comprehensive Introduction of Switch Functions
Redundancy with opnsense UTM
