Advanced Switching Troubleshooting and Solutions v25.11 (ASTSv2)

 Welcome to this week's class

Be sure you have downloaded the course learner guide as per the instructions you received in an email from HPE last week.  Check your email history, spam folder, etc. for the keyword "OnSecure" if you cannot find the email.  You only have 10 days to print this learner guide (PDF or paper), and one year of access to the online document.

    Lab Notes

      • if you received a lab access voucher with your course:

    Directions to reserve the lab:

     

    Please visit https://hpelabsonline.com to reserve the lab.

     

    Enter your voucher # and hit submit.

    Follow the prompts to add your Basic Info and select your time zone.

    Select the date and time you would like your lab access to begin.

    Click “complete reservation with voucher.”

     

    You will receive an email confirmation from donotreply@computerdata.com

    Tips on how to google our site for documentation

      • googling for AOS-Switch-related topics
        • site:hpe.com -inurl:pdf -inurl:cx inurl:16\.11 "dhcp-snooping"
      • googling for AOS-CX-related topics
        • site:arubanetworks.com -inurl:pdf inurl:cx inurl:10\.13 "dhcp-snooping"
      • search option notes:
        • site:x only search that domain
        • -inurl:x don't report links with this text in the URL
        • inurl:x only report links with this text in the URL
          • (ideal for finding specific version documentation)

    Helpful Links

      • about Aruba training and this course

      • where to find more information
      • where to find online documentation

      • AOS-CX specific links

      Day 1 - Lecture Modules & Labs

          M00: Course Introduction

            • Lab 0 - Testing Lab Connectivity
              • 0.1: Training Lab Access
              • 0.2: Testing Connectivity

          M01: Plan the Wired Networks Solution

            • Lab 1 - Initial Setup
              • 1.1: Factory Reset the Switches
                • task 1.4, if you don't have 10.05.0021 code on your switch secondary partition, run the following command
                  • from your 6300 switches console:
                    • copy tftp://10.252.1.21;blocksize=20000/ArubaOS-CX_6400-6300_10_05_0021.swi secondary vrf mgmt
                  • from your 6300 serviceOS:
                    • ip addr 10.251.9.x 255.255.255.0 10.251.9.1
                    • tftp://10.252.1.21;blocksize=20000/ArubaOS-CX_6400-6300_10_05_0021.swi secondary vrf mgmt
                    • update primary ArubaOS-CX_6400-6300_10_05_0021.swi
                    • boot
                  • on your 8325 switches:
                    • copy tftp://10.252.1.21;blocksize=20000/ArubaOS-CX_8325_10_05_0021.swi secondary vrf mgmt
              • 1.2: Load the Initial Configuration
                • important: page 15, step 12, if you did not use the recommended switch password, set it correctly now
                  • for each switch (agg1, agg2, sw1, sw2) type in the following:
                    • conf
                    • user admin password plaintext aruba123
                    • exit
                    • write mem
                  • otherwise step 12 script will fail due to invalid credentials
              • 1.3: Verify Device Access

          M02: Troubleshooting

                • # start-shell
                • # sudo ip netns exec swns tcpdump -i any port 3799
                  • swns = default vrf
                  • VRF_1 = mgmt vrf
                  • VRF_2... = custom vrf(s)
              • Lab 2 - Troubleshooting Tools (optional)
                • 2.1: Introduction to show commands and support files
                • 2.2: Diagnostic tools
                • 2.3: Debugging options
                • 2.4: Traffic mirroring and packet captures

                  M03: Monitoring and Automation Tools

                    • Lab 3 - Monitoring and Automation Tools
                      • 3.1: HPE Aruba Networking Central
                      • 3.2: RESTAPI
                      • 3.3: NAE

                        Day 2 - Lecture Modules & Labs

                        M04: VSX-VSF-L2 Technologies

                          • Lab 4 - VSX and Layer2 Technologies
                            • 4.1: Configure VSX
                            • 4.2: Apply some VSX Best Practices
                            • 4.3: Configure STP with VSX
                            • 4.4: Configure loop protection in the Access Layer

                        M05: L3 Routing-OSPF

                          • Lab 5 - Review of Layer3 Basics
                            • 5.1: Configure VSX with OSPF
                            • 5.2: Debugging OSPF
                            • 5.3: VSX Active Forwarding
                            • 5.4: OSPF Key-chain and Max-metric On Startup
                            • 5.5: PBR

                        Day 3 - Lecture Modules & Labs

                            M06: BGP

                              • Lab 6 - BGP
                                • 6.1: Verify the setup
                                • 6.2: Configure iBGP and eBGP peering
                                • 6.3: Using BGP peer groups
                                • 6.4: Controlling transit traffic
                                • 6.5: Outbound traffic route control
                                • 6.6: Inbound traffic route control
                                • 6.7: AS Path List exclusion
                                • 6.8: Using a Route Reflector for iBGP

                              M07: Route Redistribution

                                • Lab 7 - Route Redistribution
                                  • 7.1: Load the start configurations
                                  • 7.2: Route redistribution of static routes into OSPF 
                                  • 7.3: Route Redistribution between OSPF and BGP
                                    • issue (p.261) Lab diagram
                                      • the bottom AS = AS65400
                                    • but should say:
                                      • AS64500
                                  • 7.4: Route Redistribution with multiple links 

                              Day 4 - Lecture Modules & Labs

                              M08: VRF and Route Leaking

                                    • Lab 8 - VRF and Route Leaking
                                      • 8.1: Prepare the base configuration 
                                      • 8.2: Explore the Environment 
                                      • 8.3: Static Route Leaking
                                        • issue (p.308) task 8.3.12 says:
                                          • router ospf 2 vrf branch
                                        • but should say:
                                          • router ospf 1 vrf branch
                                      • 8.4: MP-BGP

                                      M09: Multicast

                                        • Lab 9 - Multicast
                                          • 9.1: Load the start configurations
                                          • 9.2: Configure PIM SM
                                          • 9.3: Configure IGMP and verify multicast operation
                                          • 9.4: Configure distributed RP
                                          • 9.5: Understand the MAC - IP Multicast relation
                                          • 9.6: VSX multicast failover
                                          • 9.7: IGMP ACL

                                          M10: QoS

                                            • Lab 10 - Quality of Service
                                              • 10.1: QoS Policies
                                              • 10.2: Rate limiter and traffic shaping

                                          Day 5 - Lecture Modules & Labs

                                          M11: Dynamic Segmentation

                                            • Lab 11 - Dynamic Segmentation 
                                              • 11.1: Prepare the configuration
                                              • 11.2: Configure basic 802.1X authentication
                                              • 11.3: RADIUS troubleshooting
                                              • 11.4: Onboarding precedence order
                                              • 11.5: User-based tunneling
                                              • 11.6: User-based tunneling QoS
                                              • 11.7: Downloadable user roles

                                              M12: Network Security

                                                • Lab 12 - Network Security Features
                                                  • 12.1: ACL and resource usage
                                                  • 12.2: Control plane ACL
                                                  • 12.3: Control plane policing
                                                  • 12.4: DHCP Snooping
                                                  • 12.5: ARP inspection

                                                  M13: Conclusion

                                                    • Lab 13 - Troubleshooting Tickets
                                                      • 13.1: Prepare the Troubleshooting Setup 
                                                          • LAB Setup Notes
                                                        • if you want to start the TT without having completed all the labs:
                                                          • complete lab 1, task 1 and 2
                                                          • be sure you have created the OOBM checkpoint on Sw1,Sw2,Agg1 and Agg2
                                                          • see page 21, step 27, run ASTS-Lab01-config-depoy-all.cmd
                                                          • reboot all your switches, now you can start lab 13
                                                          • LAB notes
                                                        • complete each TT before moving to the next unless otherwise stated in the TT description
                                                        • if you encounter errors like missing classes or roles, etc., while running each TT install script, that means your lab13-done checkpoint was not completed as per the lab guide
                                                        • check the lab13-done backups within the ASTS folder for SW-1, SW-2, Agg-1 and Agg-2
                                                        • any missing configuration must be within your lab13-done checkpoint for these scripts to work 

                                                      • 13.2: Trouble Ticket Setup 01
                                                      • 13.3: Trouble Ticket Setup 02
                                                      • 13.4: Trouble Ticket Setup 03
                                                      • 13.5: Trouble Ticket Setup 04
                                                      • 13.6: Trouble Ticket Setup 05
                                                      • 13.7: Trouble Ticket Setup 06
                                                      • 13.8: Trouble Ticket Setup 07
                                                      • 13.9: Trouble Ticket Setup 08

                                                    • Lab 14 - EVPN–VXLAN overlay network
                                                      • 14.1: Prepare the Setup
                                                      • 14.2: Review the underlay network based on OSPF
                                                      • 14.3: Configure and validate BGP EVPN peering
                                                      • 14.4: Configure L2 and L3 VNI for the overlay network
                                                      • 14.5: Connect external networks to EVPN-VXLAN fabric
                                                      • 14.6: Network access control in EVPN-VXLAN fabric
                                                      • 14.7: Troubleshooting EVPN-VXLAN fabric

                                                  Appendix

                                                  • Acronyms or Key terms
                                                    • ASIC: application specific integrated circuit
                                                    • TCAM: ternary content addressable memory (logic system: true, false, other)
                                                    • L2 VNI
                                                      • an EVPN VXLAN Layer 2 overlay network allows host devices in the same subnet to send bridged or Layer 2 traffic to each other
                                                      • the network forwards the bridged traffic using a Layer 2 virtual network instance (VNI)
                                                        • interface vxlan 1
                                                        •    vni 10010
                                                        •       vlan 10
                                                    • L3 VNI
                                                      • configured per Tenant (VRF) to enable symmetrical IRB
                                                      • all VTEPs in the same VRF have an identical L3-VNI that is used for inter-vlan routing
                                                        • interface vxlan 1
                                                        •    vni 100001
                                                        •       routing
                                                        •       vrf VRF1
                                                    • EVPN type-2:
                                                      • advertises MAC addresses or MAC and IP addresses of clients connected to VNIs of a VTEP to all BGP routers within the same EVPN fabric (configured in the EVPN context)
                                                    • EVPN type-3: (aka IMET route)
                                                      • advertises which VNIs are configured on each VTEP, and the IP address of these VTEPs to all BGP routers within the same EVPN fabric (configured in the EVPN context)
                                                    • EVPN type-5:
                                                      • advertises IP prefixes and layer 3 VNIs of the subnets to other VTEPs that share the same global-scope route-target (configured in the VRF context)
                                                    • Unicast underlay:
                                                      • The primary purpose of the underlay in the VXLAN EVPN fabric is to advertise the reachability of Virtual Tunnel End Points (VTEPs) and BGP peering addresses.
                                                      • The primary criterion for choosing an underlay protocol is fast convergence in the event of node failures.

                                                  Lab Access Errata

                                                  • when experiencing any problems with remote lab access (WebGate):
                                                    • be sure your browser is in private (incognito) mode
                                                    • restart your browser and clear your cache and cookies
                                                    • do not try to log in unless you are 100 percent sure the login page is fully loaded (the tab favicon will look similar to an orange triangle)
                                                    • during login to Central, did you select the SSO option?
                                                    • if you need to restart your Windows host
                                                      • in cmd.exe type "shutdown /r /t 0"
