Access and Services Aggregation Configuration

The access-aggregation layer provides default gateway services to the layer 2 access switches and consolidates bandwidth from the lower speed access ports into high-speed uplinks to the core. Service aggregation switches provide connectivity to gateways, policy servers, and WAN or Internet gateways.

Configure the Aggregation Switch Groups

The following procedures describe the configuration of aggregation switches in CLI format. The switch configuration may be created offline in a text editor and copied into MultiEdit or it may be typed directly in MultiEdit. Switches in the group receive the configuration when synchronized to Central.

The following figure shows the access aggregation and services aggregation switches used in the following procedures.

Wired Aggregation

Enable MultiEdit for the Group

The base configuration of the switch was previously described in the Switch Group Configuration section of this guide. The following procedure completes the switch configuration using the HPE Aruba Networking Central MultiEdit tool, a CLI-based configuration editor built into Central.

Step 1 Login to HPE Greenlake and navigate to Central.

Step 2 In the filter dropdown, select an aggregation switch Group name. On the left menu, select Devices.

Step 3 In the upper right of the Switches page, select Config (or AOS-CX).

Step 4 In the upper left of the Switches page, move the slider right to enable MultiEdit.

Step 5 Select all the aggregation switches. In the lower right window, click EDIT CONFIG.

Note: The following steps provide a chunk of configuration that can be pasted into the MultiEdit window. After pasting the configuration chunk, right-click any device-specific values. A Modify Parameters window appears on the right to allow input of individual device values.

Complete NTP Configuration

CX switches may select an NTP server from the default NTP configuration. To ensure the switches use the NTP servers previously configured, the default NTP configuration must be removed.

Delete the following configuration line from the MultiEdit window:

ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst

Configure Global OSPF and Multicast Routing

In the following procedure, OSPF and PIM protocols are enabled globally, and a unique IP loopback address is configured on each aggregation switch.

Step 1 Configure the global OSPF routing instance with area 0, enable passive-interface default to avoid unwanted OSPF adjacencies, and enable graceful-restart. Use a pre-allocated loopback IP address as the router-id.

router ospf 1
    passive-interface default
    router-id 10.0.1.1
    area 0.0.0.0
    graceful-restart restart-interval 30

Note: The switch configuration is formatted automatically on input. Paste CLI at the begining, end, or on a new line anywhere in the configuration.

Step 2 The router-id above is used for AG1-1. Right click on the router-id value. In the Modify Parameters popup window, assign a unique router-id for each switch, then click SAVE CHANGES.

Step 3 Configure the global multicast routing instance.

router pim
    enable
    active-active

Step 4 Create the loopback 0 interface and use a pre-allocated IP address. This should match the one used as the OSPF router-id. Enable OSPF in area 0 and PIM sparse mode on the interface.

interface loopback 0
    ip address 10.0.1.1/32
    ip ospf 1 area 0
    ip pim-sparse enable

Step 5 The IP address entered above is used for AG1-1. Right click on the IP address value. In the popup window, assign a unique loopback IP for each switch, then click SAVE CHANGES.

Configure OSPF Routed Interfaces

In this procedure, point-to-point routed-only ports (ROPs) are configured on aggregation switches connected to the core, and a routed-transit VLAN is configured between each aggregation VSX pair.

This procedure assumes a consistent cabling scheme is implemented when connecting aggregation switches to core switches. For example, port 1/1/53 on all aggregation switches with the same physical port layout connects to CR1-1 and port 1/1/54 connects to CR1-2. Typically, all aggregation switches are the same model to allow standardization of cabling and configuration. Configure uplinks in groups of switches where the same uplink ports are connected to the same core routers.

The following configuration is added to aggregation switches:

• IP address assignments on ROPs using /31 subnets.
• Point-to-point OSPF in area 0 to share IP prefixes between aggregation and core blocks.
• OSPF between each aggregation VSX pair using a routed-transit VLAN.
• PIM sparse mode to support multicast routing in the campus.

Step 1 Create the routed-transit VLAN.

vlan 3999
    name ROUTED_TRANSIT_VLAN

Step 2 Configure AG1-1 physical interfaces connected to the core and the routed-transit VLAN SVI, which establishes OSPF between VSX members.

interface 1/1/53
    description AG1-1_TO_CORE1-1
    no shutdown
    ip mtu 9198
    ip address 172.18.101.1/31
    no ip ospf passive
    ip ospf network point-to-point
    ip ospf 1 area 0
    ip pim-sparse enable
interface 1/1/54
    description AG1-1_TO_CORE1-2
    no shutdown
    ip mtu 9198
    ip address 172.18.101.3/31
    no ip ospf passive
    ip ospf network point-to-point
    ip ospf 1 area 0
    ip pim-sparse enable
interface vlan 3999
    description ROUTED_TRANSIT_VLAN
    no shutdown
    ip mtu 9198
    ip address 172.18.101.100/31
    no ip ospf passive
    ip ospf network point-to-point
    ip ospf 1 area 0
    ip pim-sparse enable

Step 3 Assign per switch physical interface descriptions. Right click on the top interface description value. In the popup window, assign an interface description corresponding to each switch, then click SAVE CHANGES. Right click on the second interface description value to assign appropriate values, then click SAVE CHANGES.

Example interface descriptions.

Step 4 Assign unique IP addresses for physical and routed-transit VLAN interfaces. Right click on the top interface IP address assignment. In the popup window, assign a unique interface IP address for each corresponding switch, then click SAVE CHANGES. Repeat this step to assign unique IP addresses for the second physical port and the routed-transit VLAN SVI.

Example IP assignments.

Step 5 At the bottom right of the MultiEdit window, click Save.

Note: Devices with modified configuration automatically synchronize. Synchronization status is updated on the Configuration Status page and process step execution can be observed by clicking Audit Trail on the left menu.

Step 6 When Config Status has returned to the “Sync” state for the modified devices, select List from the upper right.

Step 7 If only a subset of aggreation switch uplinks were configured, repeat this procedure for each set of aggregation switches with a consistent front port layout.

Verify OSPF Operation

Central provides a remote console capability that allows for CLI access on any managed switch. Use this to run CLI show commands at validation steps throughout this guide.

Step 1 On the left menu, select Tools.

Step 2 On the Console tab, assign the following settings, then select Create New Session.

• Device Type: Switch

• Switch: Device name

• Username: admin

• Password: password

Step 3 In the Remote Console window, type the command show ip ospf neighbors, then press ENTER. The output shown below indicates healthy OSPF sessions to core switches and between a VSX aggregation pair.

Verify Multicast Operation

Step 1 In a Remote Console window, type the command show ip pim rp-set, then press ENTER. The output shown below indicates the core switch anycast RP is learned on the aggregation switch.

Step 2 In a Remote Console window, type the command show ip pim neighbor, then press ENTER. The output below shows PIM neighbors on core uplink ports and the routed-transit VLAN.

Plan VSX MAC Addresses

A Locally Administered Address (LAA) should be used when assigning a VSX system-mac and active gateway MAC addresses in upcoming procedures. An LAA is a MAC in one of the four formats shown below:

x2-xx-xx-xx-xx-xx 
x6-xx-xx-xx-xx-xx 
xA-xx-xx-xx-xx-xx 
xE-xx-xx-xx-xx-xx

The x positions can contain any valid hex value. For more details on the LAA format, see the IEEE tutorial guide.

Step 1 Determine VSX System MAC addresses.

Each VSX pair uses a VSX system MAC address for control plane protocols such as Spanning-Tree and Link Aggregation Control Protocol (LACP). The same VSX MAC address is configured on both VSX pair members, and it must be unique per pair.

The following values are assigned to VSX pairs in this guide:

Step 2 Determine Active Gateway MAC addresses.

An active gateway IP provides Layer 3 gateway redundancy across members of a VSX pair. The active gateway MAC associates a virtual MAC address with an active gateway IP. Only a small number of unique virtual MAC assignments may be configured per switch. In most cases, the same active gateway MAC address may be re-used for each active gateway IP assignment on switches in a VSX pair.

Use a unique Active Gateway MAC assignment per VSX pair for troubleshooting purposes. The following MAC values are assigned in this guide:

Configure VSX

VSX is a redundancy strategy used to combine the Layer 2 data plane of two AOS-CX switches into a single, logical switch. Management and control plane functions remain independent. VSX is supported on 6400, 8400, 83xx, and 9300 switch models.

Aggregation switches use VSX to create loop-free, redudnant paths to access layer switches.

Use this procedure to configure VSX on redundant aggregation pairs.

Step 1 Select Devices from the left menu, and click Config (or AOS-CX) in the upper right. With MultiEdit enabled, select a set of aggregation switches that have the same physical front port layout and click Edit Config. If all aggregation switches are the same model, select all service and aggregation switches.

Note: Switches with different physical port layouts typically use different port numbers for the VSX inter-switch link.

Step 2 Configure a LAG interface to be used as the inter-switch link (ISL) for the VSX pair. Allow all VLANs on this LAG for simplified configuration management.

interface lag 256
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all 
    lacp mode active

Step 2 Assign physical ports to the ISL LAG interface. A minimum of two ports is required and a maximum of eight are supported. The CLI below shows example interface numbers.

interface 1/1/49
    description ISL_INTERFACE
    no shutdown
    lag 256
    mtu 9198
interface 1/1/50
    description ISL_INTERFACE
    no shutdown
    lag 256
    mtu 9198

Step 3 Enable the VSX instance with the ISL LAG interface, the management IP information and VRF for the keep-alive session, a primary or secondary role, and shared system-mac.

vsx
    inter-switch-link lag 256
    keepalive peer 172.16.108.22 source 172.16.108.21 vrf mgmt
    role primary
    system-mac 02:01:00:00:01:00

Note: The management (mgmt) interface is used as a keep-alive interface for VSX. Ensure that the mgmt IP interface of the primary switch is reachable from the secondary switch and vice versa.

The system MAC must be the same value on each switch in a VSX pair, but otherwise unique within a Layer 2 network segment. It is best practice to assign a unique system MAC to each VSX pair throughout the campus network.

Step 4 The keepalive IP address assignments, roles, and system-mac above are used for AG1-1. Right click on the keepalive peer IP address value. In the popup window, configure the IP address assigned to the mgmt interface of the peer member in each VSX pair, then click SAVE CHANGES.

Step 5 Right click on the keepalive source IP address value. In the popup window, configure the IP address assigned to the local mgmt interface for each switch, then click SAVE CHANGES.

Step 6 Right click on the role value. In the popup window, configure secondary on the secondary VSX members of each VSX pair, then click SAVE CHANGES.

Step 7 Right click on the system-mac value. Set the MAC address value based on the planned MAC address assignments defined in the Plan MAC Addresses procedure, then click SAVE CHANGES.

Step 8 At the bottom right of the MultiEdit window, click Save.

Step 9 If necessary, repeat this procedure for each set of aggregation switches with a consistent front port layout.

Validate VSX Configuration

In a Remote Console window, type the command show vsx status, then press enter. The output shown below indicates a healthy VSX deployment.

Configure Access VLANs

Access aggregation switches provide Layer 2 and Layer 3 services to downstream access switches, access points, and host devices.

VLANs on aggregation switches provide IP services to the access layer using switch virtual interfaces (SVIs). SVIs provide IP default gateways and multicast group management. Aggregation switches distribute local IP subnets with the broader campus using OSPF. PIM-SM and IGMP enable multicast streaming.

Use the following procedures to configure management and user VLANs for the aggregation switches.

Step 1 Select Devices from the left menu, and click AOS-CX in the upper right. With MultiEdit enabled, select all access aggregation switches and click Edit Config.

Note: The set of VLAN SVIs configured on service aggregation switches is distinct from access aggregation switches, so they are typically configured in a separate workflow.

Step 2 Define the access VLAN numbers and names, and enable IGMP snooping.

vlan 11
    name AP_MGMT
    ip igmp snooping enable
vlan 15
    name NET_MGMT
    ip igmp snooping enable
vlan 20
    name EMPLOYEE_WIRED
    ip igmp snooping enable
vlan 25
    name EMPLOYEE_WLAN
    ip igmp snooping enable
vlan 30
    name IOT
    ip igmp snooping enable
vlan 40
    name GUEST
    ip igmp snooping enable
vlan 50
    name REJECT_AUTH
    ip igmp snooping enable
vlan 51
    name CRITICAL_AUTH
    ip igmp snooping enable

Configure Access Aggregation Network Management SVIs

It is best practice to have a distinct infrastructure management subnet for switches and wireless access points. The following procedure configures a general network management VLAN SVI on access aggregation switches. The same procedure is repeated to configure an AP management VLAN SVI.

Step 1 Configure the following elements on the switch network management VLAN SVI.

• Maximum IP MTU
• Unique IP address
• Active gateway IP and MAC addresses
• DHCP IP helper addresses
• OSPF router instance from above
• PIM-SM
• IGMP

interface vlan 15
    description NET_MGMT
    ip mtu 9198
    ip address 10.1.15.2/24
    active-gateway ip mac 02:01:00:00:00:01
    active-gateway ip 10.1.15.1
    ip helper-address 10.10.120.198
    ip helper-address 10.10.120.199
    ip ospf 1 area 0.0.0.0
    ip igmp enable
    ip pim-sparse enable

Note: The ip helper-address command enables the forwarding of DHCP requests from endpoints to DHCP servers on other subnets. Multiple DHCP servers can be defined.

Step 2 The ip address assignment, active-gateway ip, and active-gateway ip mac values above are used for AG1-1. Right click on the ip address value. In the popup window, configure a unique IP address for VLAN 15 on each aggregation switch, then click SAVE CHANGES.

Step 3 Right click on the active-gateway ip value. In the popup window, configure the redundant IP gateway address for each aggregation VSX pair, then click SAVE CHANGES.

Step 4 Right click on the active-gateway ip mac value. In the popup window, configure the active gateway MAC address planned for each aggregation VSX pair, then click SAVE CHANGES.

Step 5 Repeat this procedure for the VLAN 11 AP management SVI. The same Active Gateway MAC address should be configured for both VLAN 15 and VLAN 11, based on VSX pair planning. The table below summarizes the configuration values.

Configure Access Aggregation Host SVIs

The following procedure configures one VLAN SVI supporting hosts on all access aggregation switches.

Step 1 Configure the following elements on a host VLAN SVI.

• Unique IP address
• Active gateway IP and MAC addresses
• DHCP IP helper addresses
• OSPF router instance from above
• PIM-SM
• IGMP

Note: The default 1500 byte IP MTU does not need to be modified on host facing VLANs. GRE tunnels or future VXLAN tunnels that require additional overhead are not implemented on host facing VLANs.

interface vlan 20
    description EMPLOYEE_WIRED
    ip address 10.1.20.2/24
    active-gateway ip mac 02:01:00:00:00:01
    active-gateway ip 10.1.20.1
    ip helper-address 10.10.120.198
    ip helper-address 10.10.120.199
    ip ospf 1 area 0.0.0.0
    ip igmp enable
    ip pim-sparse enable

Step 2 The ip address assignment and active-gateway ip mac value are used for AG1-1. Right click on the ip address value. In the popup window, configure a unique IP address for VLAN 20 on each aggregation switch, then click SAVE CHANGES.

Step 3 Right click on the active-gateway ip value. In the popup window, configure the redundant IP gateway address for each aggregation VSX pair, then click SAVE CHANGES.

Step 3 Right click on the active-gateway ip mac value. In the popup window, configure a the active gateway MAC address planned for each aggregation VSX pair, then click SAVE CHANGES.

Step 4 Repeat this procedure for each host VLAN. The same Active Gateway MAC address should be configured on all VLANs within a VSX pair. The following table summarizes VLAN values used on the AG1 VSX pair as an example.

Step 5 At the bottom right of the MultiEdit window, click Save.

Configure Services Aggregation VLAN SVIs

The services aggregation switches contain a similar set of VLANs as the aggregation switches, but they do not contain access point management VLANs. Additionally, they include a VLAN for providing NTP, DNS, authentication, and other services to the campus.

If necessary, select Devices from the left menu, and click Config (or AOS-CX) in the upper right. With MultiEdit enabled, select all service aggregation switches and click Edit Config. Configure the service aggreggation SVIs using the Configure Access Aggregation Host SVIs procedure by substituting appropriate values. The table below summarizes an example set of service aggregation SVI values.

Configure Spanning Tree

VSX LAGs provide a loop free topology between network infrastructure switches. Spanning-tree is enabled to provide a backup loop prevention mechanism from user connected devices and switch misconfiguration.

Aggregation switches are configured with a low priority value and Root Guard is enabled on access switch connections to ensure they become the spanning-tree root.

For the widest possible interoperability, configure Multiple Spanning Tree Protocol (MSTP) as the loop protection protocol.

Step 1 If needed, select Devices from the left menu, and click AOS-CX in the upper right. With MultiEdit enabled, select all aggregation switches and click Edit Config.

Step 2 Configure spanning tree globally and set the lowest priority value to ensure the aggregation switches are the root.

spanning-tree
spanning-tree priority 4

Note: MSTP is the default spanning-tree protocol on an HPE Aruba Networking CX switch and is selected simply by enabling spanning-tree.

Step 3 At the bottom right of the MultiEdit window, click Save.

Configure VSX LAG Interfaces

Configure a VSX multi-chassis interface for each downstream switch or switch stack. This enables both members of an aggregation VSX pair to provide a loop-free, redundant path to the aggregation layer.

Service aggregation switches use VSX LAGs to both downstream switches and HPE Aruba Networking gateways.

Step 1 If needed, select Devices from the left menu, and click AOS-CX in the upper right. With MultiEdit enabled, select one set of aggregation switches and click Edit Config.

Note: Typically, connections from VSX aggregation pairs to downstream switches and gateways are configured on a per VSX pair basis. When a consistent physical topology permits, select more than one VSX aggregation pair to edit.

Step 2 Configure a VSX multi-chassis LAG and enable LACP fallback to allow for safe zero-touch provisioning of downstream devices. Assign the network management VLAN as native, and specify the set of host and management VLANs allowed to the downstream device. Enable LACP active to intiate LAG formation, and spanning-tree root guard to ensure downstream switches do not become the root.

interface lag 1 multi-chassis
    no shutdown
    no routing
    vlan trunk native 15
    vlan trunk allowed 11,15,20,25,30,40,50-51
    lacp mode active
    lacp fallback
    spanning-tree root-guard

Step 3 Repeat the previous step for each VSX LAG required to connect downstream switches and gateways.

Step 4 Assign physical ports to VSX LAG interfaces. The CLI below shows example interface numbers. To simplify the copy and paste procedure, copy only the configuration lines below the interface and paste them under the correct interface context in MultiEdit.

interface 1/1/1
    description DOWNLINK_TO_ACCESS_SW_OR_GW
    no shutdown
    lag 1 
    mtu 9198

Step 5 Repeat the previous step for each MC-LAG interface.

Step 6 At the bottom right of the MultiEdit window, click Save.

Configure Services Aggregation Internet Connection

The services aggregation VSX pair establishes a redundant connection to the Internet. In the example below, a service aggregation VSX pair is configured with OSPF to a redundant, active/passive firewall pair.

It is best practice to tag the VLAN used to connect to the firewalls on a VSX LAG. This supports adding per VRF connections to the firewalls in the future without changing the Layer 2 configuration from access mode to trunk mode.

Step 1 Define the VLAN and SVI used to connect to the upstream firewall for Internet connectivity.

vlan 1086
    name RSVCP-FW

interface vlan 1086
    description RSVCP-FW
    ip address 100.100.8.17/29
    vsx active-forwarding
    ip mtu 9000
    ip ospf 1 area 0.0.0.0
    no ip ospf passive
    ip ospf cost 10
    exit

no ip icmp redirect

Note: The VLAN SVI uses a /29 subnet to allow three addresses on a broadcast OSPF segment between the service aggregation VSX pair members and the active upstream firewall.

VSX active-forwarding shares MAC addresses between a VSX pair to optimize traffic forwarding received from the firewall without using the ISL. ICMP redirect must be disabled to allow VSX active-forwarding.

The IP MTU between the service aggregation VSX members and the firewall must match. The typical maximum IP MTU for most firewalls is 9000 bytes.

Step 2 Right click on the ip address value. In the popup window, configure a unique IP address for VLAN 1086 on each aggregation switch, then click SAVE CHANGES.

Step 3 Configure the VSX LAGs connecting to the upstream firewall. One LAG is defined for each physical firewall.

interface lag 251 multi-chassis
    description RSVCP-FW1-1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1086
    lacp mode active
    exit

interface lag 252 multi-chassis
    description RSVCP-FW1-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1086
    lacp mode active
    exit

Note: Both firewalls are connected at Layer 2, but only the primary firewall will become an OSPF neighbor with both service aggregation VSX members in an active/passive configuration.

Step 4 Assign physical ports to the the Internet VSX LAG interface.

interface 1/1/45
    no shutdown
    mtu 9198
    lag 251
    exit

interface 1/1/46
    no shutdown
    mtu 9198
    lag 252
    exit

Step 5 At the bottom right of the MultiEdit window, click Save.