10-Sep-25
Aggregation Switch Reference Configuration
! Device identity and login banner. "!" is the banner delimiter: the text
! between "banner motd !" and the next line holding only "!" is the banner.
! NOTE(review): the banner names a specific organization as the system owner;
! a deployment should substitute its own approved legal notice. Keep device
! role, model and software version out of banner text.
hostname %HOSTNAME%
banner motd !
**********************************************************
NOTICE TO USERS
This is a private computer system and is the property of
Aruba Networks. It is for authorized use only.
users (authorized or unauthorized) have no explicit or
implicit expectation of privacy while connected to this
system.
Any or all uses of this system and all files on this system
may be intercepted, monitored, recorded, copied, audited,
inspected, and disclosed to an authorized site, Aruba networks,
and law enforcement personnel
(foreign and domestic).
By using this system, the user consents to such interception,
monitoring, recording, copying, auditing, inspection, and
disclosure at the discretion of an authorized site or Aruba Networks
personnel.
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal
penalties. By continuing to use of this system you indicate
your awareness of and consent to these terms and conditions
of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
***********************************************************
!
! Base system settings: transceiver policy, local admin account, time zone,
! ICMP redirect suppression and NTP.
! NOTE(review): the admin password is a literal ciphertext, while every other
! site-specific value in this template is a %PLACEHOLDER%. Every switch that
! accepts this line would share one local admin credential. Set a unique
! password per deployment and treat the published value as compromised.
allow-unsupported-transceiver
user admin group administrators password ciphertext AQBapYgH7fQfCF/KrVb/BQgUokVkgVv3Uy40a9ORbWmjXSAkYgAAAARIutMR8CXywenaYnWmITrkEhZYN1gqxgeaCc629vQ4cRc2RtSBzMZz/ewMjXmxdyCPF9uTiuMqjfeJ7p06obLWUNn0jytGDYpkGhrWLkfzK4vBKOLjfHl35xsIR/dviTUp
clock timezone pst8pdt
! The switch will not send ICMP redirects.
no ip icmp redirect
! NOTE(review): no NTP authentication is configured in this template. Log
! timestamps depend on these sources, so confirm whether the NTP servers
! support authenticated time.
ntp server %NTP1_IP%
ntp server %NTP2_IP%
ntp enable
!
!
!
!
! Administrative AAA: two TACACS+ servers grouped as "ClearPass", with the
! local user database as the second method for console and SSH logins.
! NOTE(review): the shared secret is entered as plaintext, so a rendered copy
! of this template contains the TACACS+ key in the clear. Store and transfer
! rendered files as secrets.
tacacs-server host %TACACS_SERVER1_IP% key Plaintext %TACACS_KEY%
tacacs-server host %TACACS_SERVER2_IP% key Plaintext %TACACS_KEY%
! NOTE(review): with fail-through enabled, a login rejected by the first
! method is retried against the next one, not only when the servers are
! unreachable. With "group ClearPass local" below, the local admin password
! would be accepted even while TACACS+ is up. Confirm this is intended and
! alert on local-account logins.
aaa authentication allow-fail-through
!
aaa group server tacacs ClearPass
server %TACACS_SERVER1_IP%
server %TACACS_SERVER2_IP%
aaa authentication login console group ClearPass local
aaa authentication login ssh group ClearPass local
! NOTE(review): command authorization lists "local" before "ClearPass", the
! reverse of the two authentication lines above. Verify that TACACS+ command
! authorization is actually consulted with this ordering.
aaa authorization commands default group local ClearPass
! NOTE(review): no "aaa accounting" line appears in this template, so command
! accounting to the TACACS+ servers is presumably not enabled -- confirm.
! SSH is enabled on both the default (in-band) VRF and the mgmt VRF. No ACL
! restricting management source addresses is visible in this template.
ssh server vrf default
ssh server vrf mgmt
! VLAN definitions. IGMP snooping is enabled on every VLAN here except the
! routed transit VLAN (3999) and UBT_CLIENT (4000).
! VLANs 50 and 51 are named for authentication-reject and critical-auth
! handling; presumably the access layer places clients into them -- confirm
! against the access switch template.
vlan 11
name AP_MGMT
ip igmp snooping enable
vlan 15
name NET_MGMT
ip igmp snooping enable
vlan 20
name EMPLOYEE_WIRED
ip igmp snooping enable
vlan 25
name EMPLOYEE_WLAN
ip igmp snooping enable
vlan 30
name IOT
ip igmp snooping enable
vlan 40
name GUEST
ip igmp snooping enable
vlan 50
name REJECT_AUTH
ip igmp snooping enable
vlan 51
name CRITICAL_AUTH
ip igmp snooping enable
vlan 3999
name ROUTED_TRANSIT_VLAN
vlan 4000
name UBT_CLIENT
! Enable spanning tree and set this switch's bridge priority so that the
! aggregation pair, not an access switch, is elected root.
! NOTE(review): the priority value is presumably a multiplier of 4096 on this
! platform (4 -> 16384); confirm it is lower than every downstream switch.
spanning-tree
spanning-tree priority 4
! Out-of-band management port with a static address and default gateway.
! The VSX keepalive in this file is sourced from %LOCAL_MGMT_IP% in the
! mgmt VRF, so this port must reach the peer's management address.
interface mgmt
no shutdown
ip static %LOCAL_MGMT_IP%/%MGMT_SUBNET_MASK%
default-gateway %MGMT_GW_IP%
# Define a VSX LAG for each downstream access switch/switch stack
! NOTE(review): the native VLAN on this downstream trunk is 15 (NET_MGMT), so
! untagged frames arriving from the access side land in the management VLAN.
! "lacp fallback" lets a member port pass traffic before an LACP partner is
! detected. Both are presumably here to support access-switch provisioning
! -- confirm, and keep %VLAN_RANGE% limited to the VLANs that access switch
! actually serves.
! root-guard stops a downstream device from taking over as spanning-tree root.
interface lag 1 multi-chassis
description %DOWNSTREAM_SWITCH%
no shutdown
no routing
vlan trunk native 15
vlan trunk allowed %VLAN_RANGE%
lacp mode active
lacp fallback
spanning-tree root-guard
! LAG 256 is the link between the two VSX peers (the vsx section references
! it as the inter-switch-link). It carries all VLANs, with VLAN 1 as native.
interface lag 256
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
! Physical members: 1/1/1 joins the downstream LAG; 1/1/49 and 1/1/50 form the
! inter-switch link. All three use a 9198-byte MTU.
interface 1/1/1
description %DOWNSTREAM_SWITCH_NAME%
no shutdown
mtu 9198
lag 1
interface 1/1/49
description ISL_INTERFACE
no shutdown
mtu 9198
lag 256
interface 1/1/50
description ISL_INTERFACE
no shutdown
mtu 9198
lag 256
! Loopback advertised into OSPF area 0. The same %LOOPBACK0_IP% placeholder is
! used as the OSPF router-id. Note that the placeholder is named LOOPBACK0
! while the interface is loopback 1.
interface loopback 1
ip address %LOOPBACK0_IP%/32
ip ospf 1 area 0.0.0.0
ip pim-sparse enable
! Routed /31 uplinks to the core. These are the interfaces where OSPF
! adjacencies form ("no ip ospf passive" overrides the passive default).
! NOTE(review): both uplinks use the same %PTP_IP% placeholder; each link
! needs its own address when the template is rendered.
! NOTE(review): no OSPF authentication is configured on these adjacencies in
! this template; confirm whether the core expects authenticated neighbors.
! NOTE(review): only "ip mtu 9198" is set here, without the "mtu 9198" used
! on the LAG member ports; verify the effective MTU on these links.
interface 1/1/53
description %AGG_SW_NAME%_TO_CORE1-1
no shutdown
ip mtu 9198
ip address %PTP_IP%/31
no ip ospf passive
ip ospf network point-to-point
ip ospf 1 area 0
ip pim-sparse enable
interface 1/1/54
description %AGG_SW_NAME%_TO_CORE1-2
no shutdown
ip mtu 9198
ip address %PTP_IP%/31
no ip ospf passive
ip ospf network point-to-point
ip ospf 1 area 0
ip pim-sparse enable
! Layer-3 gateways (SVIs) for the client-facing VLANs. Each one has a
! per-switch address, a shared VSX active-gateway IP and MAC, two DHCP relay
! targets, and is placed in OSPF area 0 with IGMP and PIM sparse mode enabled.
! These SVIs stay OSPF-passive under "passive-interface default", so no
! adjacency forms toward clients.
! NOTE(review): every SVI here, including GUEST, IOT and REJECT_AUTH, is in
! the default VRF and has no ACL applied in this template. These subnets can
! therefore route to NET_MGMT and to the switch's own SSH/HTTPS services on
! the default VRF unless policy is enforced elsewhere (user roles, upstream
! firewall). Confirm where that segmentation is applied.
! NOTE(review): %UNIQUE_IP%, %VIRTUAL_GW_IP% and %VIRTUAL_GW_MAC% are reused
! on every SVI; each VLAN needs its own values when the template is rendered.
interface vlan 11
description AP_MGMT
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
interface vlan 15
description NET_MGMT
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
interface vlan 20
description EMPLOYEE_WIRED
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
interface vlan 25
description EMPLOYEE_WLAN
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
interface vlan 30
description IOT
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
interface vlan 40
description GUEST
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
interface vlan 50
description REJECT_AUTH
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
interface vlan 51
description CRITICAL_AUTH
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
! Routed transit SVI. Unlike the client SVIs it has no active-gateway and no
! DHCP relay, and it is non-passive OSPF point-to-point, so an adjacency forms
! on it (presumably to the VSX peer across the inter-switch link -- confirm).
! NOTE(review): no OSPF authentication is configured on this adjacency in
! this template.
! The trailing "exit" is the only explicit context exit in this file.
interface vlan 3999
description ROUTED_TRANSIT_VLAN
ip address %UNIQUE_IP%/%SUBNET_MASK%
ip mtu 9198
ip ospf 1 area 0.0.0.0
no ip ospf passive
ip ospf network point-to-point
ip pim-sparse enable
exit
! Gateway for the UBT_CLIENT VLAN: same pattern as the other client SVIs
! (per-switch address, VSX active-gateway, DHCP relay, OSPF area 0, IGMP and
! PIM sparse mode).
! NOTE(review): like the other SVIs in this template it is in the default VRF
! with no ACL applied; confirm where traffic from this VLAN is filtered.
interface vlan 4000
description UBT_CLIENT
ip mtu 9198
ip address %UNIQUE_IP%/%SUBNET_MASK%
active-gateway ip mac %VIRTUAL_GW_MAC%
active-gateway ip %VIRTUAL_GW_IP%
ip helper-address %HELPER1_IP%
ip helper-address %HELPER2_IP%
ip ospf 1 area 0.0.0.0
ip igmp enable
ip pim-sparse enable
! VSX pairing: shared system MAC, LAG 256 as the inter-switch link, this
! switch's role, and a keepalive to the peer over the mgmt VRF.
vsx
system-mac %VSX_SYSTEM_MAC%
inter-switch-link lag 256
role %VSX_ROLE%
keepalive peer %PEER_MGMT_IP% source %LOCAL_MGMT_IP% vrf mgmt
! NOTE(review): the DNS domain and both resolver addresses are literal values,
! while the rest of this template uses %PLACEHOLDER% tokens. Replace them with
! the deployment's own resolvers.
ip dns domain-name example.local
ip dns server-address 10.2.120.98
ip dns server-address 10.2.120.99
!
!
!
!
!
! OSPF process 1. The router-id comes from the loopback address. Interfaces
! are passive by default, so adjacencies form only where an interface sets
! "no ip ospf passive" (the two core uplinks and the transit VLAN in this
! file). This keeps client-facing SVIs from accepting OSPF neighbors.
! NOTE(review): no OSPF authentication is configured for area 0.0.0.0 or on
! the non-passive interfaces in this template; confirm against the core.
router ospf 1
router-id %LOOPBACK0_IP%
passive-interface default
area 0.0.0.0
graceful-restart restart-interval 30
! PIM is enabled in active-active mode for the VSX pair.
router pim
enable
active-active
! HTTPS management service (web UI / REST API) on both the default (in-band)
! VRF and the mgmt VRF.
! NOTE(review): enabling it on the default VRF makes it reachable through
! every SVI address unless a management ACL restricts it, and none is visible
! in this template. If in-band HTTPS is not required, keep only the mgmt VRF.
! NOTE(review): the AAA login lines in this file name only console and ssh;
! confirm which authentication method list governs HTTPS/REST logins.
https-server vrf default
https-server vrf mgmt