Advanced Campus Access Mobility v23.41 (ACAM)

  Welcome to this Week's Class

navigate to https://rubbernecks-arubanetworks.blogspot.com

Topology notes:

• if you are on pod 86, agg-1:
• 1/1/14 is for keepalive
• 1/1/15-1/1/16 is for ISL

Be sure you have downloaded the course learner guide as per the instructions you received in an email from HPE last week.  Check your email history, spam folder, etc... for the keyword "OnSecure" if you cannot find the email.  You only have 10 days to print this learner guide (PDF or paper), and one year of access to the online document.

Click here for this week's lab access spreadsheet

• Lab Notes

• webgate: how to copy and paste while doing the labs
• ask me for the link password

• if you received a lab access voucher with your course:

Directions to reserve the lab:

 

Please visit https://hpelabsonline.com to reserve the lab.

 

Enter your voucher # and hit submit.

Follow the prompts to add your Basic Info and select your time zone.

Select the date and time you would like your lab access to begin.

Click “complete reservation with voucher.”

 

You will receive an email confirmation from donotreply@computerdata.com

Tips on how to google our site for documentation

• googling for AOS-Switch-related topics
• site:hpe.com -inurl:pdf -inurl:cx inurl:16\.11 "dhcp-snooping"

• googling for AOS-CX-related topics
• site:arubanetworks.com -inurl:pdf inurl:cx inurl:10\.13 "dhcp-snooping"

• search option notes:

• site:x only searched that domain
• -inurl:x don't report links with this text in the URL
• inurl:x only report on links with text
• (ideal for finding specific version documentation)

Helpful Links

• about Aruba training and this course

• aruba: Aruba Worldwide Education Services training portal
• datacard: Advanced Campus Access for Mobility, Rev. 23.41
• datasheet: HPE Network Switching Expert Written Exam (HPE7-A07)
• datasheet: HPE Campus Access Mobility Expert Practical Exam (HPE4-A51)
• aruba: Self-Directed Remote Labs (ACAM)

• where to find more information

• asp: ESP Campus Design
• aruba: AOS10, WiFi, Location Services
• aruba: Aruba Technical Product Documentation Portal
• here you find:
• Technology Briefs
• Validated Reference Designs
• Aruba Validated Designs
• Compliancy Documentation related to GDPR
• airheads: community.arubanetworks.com
• abc: Airheads Broadcasting Channel
• afp: Partner Technical Webinars

• where to find online documentation

• asp: Aruba Documentation Portal
• techdocs: The CLI Bank (all products)
• asp: Central Latest Online Help
• youtube: Preparing Sites for New Central
• airheads: ClearPass Policy Manager 6.11-release-notifications
• techdocs: ClearPass Policy Manager 6.11 Web_Help

• Manage and Monitor Hybrid IT Infrastructure
• hpe: OpsRamp: AIOps Powered IT Operations

• AOS-CX specific links

• aruba: feature-navigator.arubanetworks.com
• aruba: CX switch software feature packs
• abc: AOS-CX Software Release Technical Update
• aruba: HPE ArubaNetworking 3D Catalog
• td: AOS-S and AOS-CX Transceiver Guide Edition
• asp: CX Documentation Portal
• asp: CX_10.13 EVPN VXLAN Guide
• asp: CX_10.13 IP Services Guide
• asp: CX_10.13 Security Guide
• asp: CX_10.13 NAE
• asp: CX_10.13 Monitoring Guide
• asp: CX_10.13 ACLs and Classifier Policies Guide - 6[34]00,81xx,8360
• asp: CX_10.13 CoPP Guide
• asp: CX_10.13 IP Routing
• asp: CX_10.13 Fundamentals Guide
• hpe: DS_4100i Series
• hpe: DS_5420 Series
• hpe: DS_6000 Series
• hpe: DS_6100 Series
• hpe: DS_6200 Series
• hpe: DS_6300 Series
• hpe: DS_6400 Series
• hpe: DS_8100 Series
• hpe: DS_8320 Series
• hpe: DS_8325 Series
• hpe: DS_8360 Series V2
• hpe: DS_8400 Series
• hpe: DS_9300 Series
• hpe: DS_10000 Series

• airheads: ArubaOS-CX ArubaOS Switch ComWare and Cisco IOS

• AP Datasheets

• Remote APs
• www.arubanetworks.com/assets/ds/DS_AP500HSeries.pdf
• www.arubanetworks.com/assets/ds/DS_AP500RSeries.pdf
• www.arubanetworks.com/assets/ds/DS_AP600HSeries.pdf
• www.arubanetworks.com/assets/ds/DS_AP600RSeries.pdf

• Indoor APs
• www.arubanetworks.com/assets/ds/DS_AP503Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP500Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP510Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP530Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP550Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP610Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP630Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP650Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP720Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP730Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP740Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP750Series.pdf

• Outdoor/Ruggedized APs
• www.arubanetworks.com/assets/ds/DS_AP518Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP560Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP570Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP580Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP670Series.pdf
• www.arubanetworks.com/assets/ds/DS_AP760Series.pdf

• GW Datasheets

• www.arubanetworks.com/assets/ds/DS_7000Series.pdf
• www.arubanetworks.com/assets/ds/DS_7200Series.pdf
• www.arubanetworks.com/assets/ds/DS_9000Series.pdf
• www.arubanetworks.com/assets/ds/DS_9100Series.pdf
• www.arubanetworks.com/assets/ds/DS_9200Series.pdf

Day 1 - Lecture Modules & Labs

M00: Course Introduction

M01: Troubleshooting Principles

• asp: AI Operations
• asp: live events
• youtube: Troubleshoot user connectivity with Central
• youtube: Central Enhancements - Troubleshooting Your Network
• asp: 802.11 Reason Codes
• central: Configuring Global Firewall Parameters

• Lab 0 - Enterprise Business Scenario

• read scenario

• Lab 1 - Testing Remote Lab Connectivity

• 0.1: HPE Aruba Networking Training Remote Lab Access
• 0.2: Testing Connectivity

• issue p.25, t2.19 (for v23.415 solution guide)
• you cannot power cycle HQ-SM AP
• solution: connect to your hq-edge switch
• show lldp neighbor-info 1/1/6 (confirm it is directly connected to the switch, not by a fan-out switch, it was in our case)
• no power
• power
• issue p.27, t2.32
• when you test connectivity to PC-1, since it is using VNC instead of RDP, you will get a password prompt for the student userid, type in the password "aruba" to complete the login
• issue p.29, t2.42
• arubatraininglab.computerdata.com/dashboard
• notice at the top, you will find your central credentials
• 
• issue p.30, t2.44 
• new central needs to be disabled in order to complete these labs, notice the slider bar, top right on your screen, move it to the left as shown below

 

M02: Wired Campus Network

• web: BGP_4-Byte_ASN_Format_Converter

• Lab 2 - Wired Infrastructure
• 2.1: Wired zero-touch provisioning (ZTP)
• issue p.36, t1.12
• if you cannot type "erase all zeroize"
• type "aruba-central support-mode", then try again
• you may need to do this with other commands throughout the lab 
• 2.2: Validate the VSX cluster
• issue p.43, t2.2 switch "Not in Sync (Login Pending)"
• if you see a switch with config status = not in sync
• you may find the following asp link helpful
• asp: Not in Sync (Login Pending)
• however, in my case, the fix was much simpler
• select the device in config mode
• click the "system > properties" card
• set the device level password, you will get an error saying it cannot apply, but it worked anyway
• check sync status, notice it is now in sync
• 2.3: hq-edge switch provisioning
• 2.4: bo-edge switch provisioning
• 2.5: Underlay routing provisioning
• 2.6: Inter-site routing configuration

Day 2 - Lecture Modules & Labs

M03: Wireless Campus Network

• techdocs: CPPM authentication methods
• central: MPSK local
• asp: Aruba IAP - How to Troubleshoot Aruba Central Server Connectivity Issues

• Lab 3 - Wireless Infrastructure
• 3.1: Configure hq-gw using the setup dialog
• 3.2: Configuring the gateway in HPE Aruba Networking Central
• 3.3: Review the existing auto cluster
• 3.4: Deploying the HQ APs
• link for Headquarters.png file to upload into Central
• 3.5: Deploying the BO gateway and AP
• link for BranchOffice.png file to upload into Central

• Lab 4 - Wireless Infrastructure
• 4.1: Headquarters guest WLAN
• 4.2: Test ClearPass guest access
• 4.3: Guest WLAN using HPE Aruba Networking Central Cloud Guest
• 4.4: Test Cloud Guest access

• Lab 5 - Wireless Infrastructure
• 5.1: Headquarters corporate WLAN
• 5.2: Test the headquarters corporate WLAN
• 5.3: After-hours web redirect
• 5.4: Branch office corporate WLAN
• issue p.234, t4.15 User Authentication details not valid
• 
  
  
• login to webgate, you should see valid Entra ID credentials along side your HPE ANW Central login details
• 5.5: Test the branch office corporate WLAN

• Lab 6 - Wireless Infrastructure
• 6.1: IoT WLAN with ClearPass MPSK
• 6.2: Test the HQ IoT WLAN
• 6.3: IoT WLAN with local MPSK
• 6.4: Test the BO IoT WLAN
• 6.5: Zero configuration networking

• Lab 7 - Wireless Infrastructure
• 7.1: Wireless IDS/IPS
• 7.2: Spectrum analysis

Day 3 - Lecture Modules & Labs

M04: Wired Authentication

• Lab 8 - Wired User Authentication
• 8.1: hq-edge for access control and 802.1X
• 8.2: Enable MAC authentication
• 8.3: Captive portal authentication
• 8.4: Device profiling
• issue p.382, t4.24
• the AP may have a different sys-desc than described in the lab guide, confirm it with the following command:

show lldp neighbor-info 1/1/6 | include System-Desc
Neighbor System-Description    : ArubaOS (MODEL: 505H), Version Aruba IAP

• change the ArubaAP-LLDP lldp-group match statement as needed 
• port-access lldp-group ArubaAP-LLDP
•    match sys-desc AOS
•    match sys-desc ArubaOS
• 8.5: APX
• 8.6: Wired cached re-authentication and the critical role

M05: Overlay Network

• techdocs: VXLAN with BGP EVPN
• techdocs: class gbp-ip
• airheads: QUIC or ECH with Brightcloud Opentext

• Lab 9 - Overlay Network
• 9.1: Centralized overlay (UBT)
• 9.2: Test UBT
• 9.3: Distributed overlay (VXLAN with EVPN)
• 9.4: GBP

Day 4 - Lecture Modules & Labs

M06: Network Optimization

• abc: Aruba UXI Training
• abc: Simplified Zebra Agent onboarding Experience
• blog: Web Application Testing with Selenium and UXI
• abc: Web Application Testing with HPE Aruba Networks User Experience Insight (UXI/Selenium)
• abc: ArubaOS 8.9 Series – Part 11 – QoS & AirSlice
• skip ahead to 9m30s to get to AirSlice

• Lab 10 - Traffic Optimization
• 10.1: Wired QoS
• issue p.444, t1.11
• the fping directory may be on your C:Users\Student\Desktop directory instead of the C:Users\Student\Downloads directory
• 10.2: Test wired QoS
• 10.3: Wireless QoS

M07: Reporting and Network Management

• developer: REST API getting started
• developer: Streaming API getting started
• developer: Webhooks getting started
• developer: Monitoring Customers
• developer: Postman Collection
• partner: online Postman with HPE Central Collection
• developer: Webhooks getting started
• developer: Webhooks getting started

• Lab 11 - Management Access
• 11.1: Mobility gateways management access
• 11.2: AP management access
• 11.3: Switch management access

• Lab 12 - Monitoring Central Rest API
• 12.1: REST API OAuth 2.0
• 12.2: REST API Swagger interface
• 12.3: REST API using cURL and Postma
• 12.4: Refresh token
• 12.5: Webhook

• Lab 13 - Monitoring with UXI Sensors
• 13.1: HPE Aruba Networking Central reports
• 13.2: Monitoring with an HPE Aruba Networking UXI sensor
• 13.3: Integrate the UXI dashboard with HPE Aruba Networking Central

Day 5 - Lecture Modules & Labs

• Lab 14 - Troubleshooting Tickets
• 14.0: Prepare the Troubleshooting Setup 

• LAB Setup Notes

• you must have completed lab 1-10 prior to starting the trouble tickets:
• placeholder

• LAB notes

• 14.1: Ticket 1: The branch office can’t reach remote destinations
• 14.2: Ticket 2: The hq-gw can’t reach HPE Aruba Networking Central
• 14.3: Ticket 3: The HQ wired and wireless users can’t connect with each other
• 14.4: Ticket 4: Wireless contractors are having connectivity issues at HQ
• 14.5: Ticket 5: Wired contractors at HQ can’t connect
• 14.6: Ticket 6: HQ visitors don’t see the splash page
• 14.7: Ticket 7: Clients don’t have proper rights for the bo-iot-P-T WLAN
• 14.8: Ticket 8: BO IoT devices can’t properly communicate
• 14.9: Ticket 9: HQ phones don’t work anymore

Appendix

• Acronyms or Key terms

• ASIC: application specific integrated circuit

• TCAM: ternary content addressable memory (logic system: true, false, other

• L2 VNI
• an EVPN VXLAN Layer 2 overlay network allows host devices in the same subnet to send bridged or Layer 2 traffic to each other
• the network forwards the bridged traffic using a Layer 2 virtual network instance (VNI)
• interface vxlan 1
•    vni 10010
•       vlan 10

• L3 VNI
• configured per Tenant (VRF) to enable symmetrical IRB
• all VTEPs in the same VRF have an identical L3-VNI that is used for inter-vlan routing
• interface vxlan 1
•    vni 100001
•       routing
•       vrf VRF1

• EVPN type-2:
• advertises MAC addresses or MAC and IP addresses of clients connected to VNIs of a VTEP to all BGP routers within the same EVPN fabric (configured in the EVPN context)

• EVPN type-3: (aka IMET route)
• advertises which VNIs are configured on each VTEP, and the IP address of these VTEPs to all BGP routers within the same EVPN fabric (configured in the EVPN context)

• EVPN type-5:
• advertise IP prefixes and layer 3 VNIs of the subnets to other VTEPs that share the same global-scope route-target (configured in the VRF context)

• Unicast underlay:
• The primary purpose of the underlay in the VXLAN EVPN fabric is to advertise the reachability of Virtual Tunnel End Points (VTEPs) and BGP peering addresses.
• The primary criterion for choosing an underlay protocol is fast convergence in the event of node failures.

Lab Access Errata

• if experiencing any problems with remote lab access (WebGate):
• be sure your browser is in private (incognito) mode
• restart your browser and clear your cache and cookies
• do not try to login unless you are 100 percent sure the login page is fully loaded (the tab favicon will look similar to an orange triangle)
• during login to Central, did you select the SSO option?
• if you need to restart your windows host
• in cmd.com type "shutdown /r /t 0"

Lab Troubleshooting Commands

• HPE ANW Central issues:
• commands to troubleshoot AP connectivity to Central
• reboot the AP by either means:
1. use webgate to reset the power
2. if the AP is connected to a CX PoE switch port:

hq-edge(config-if)# show power-over-ethernet brief

  Member 1 Power Status

    Available: 370.00 W  Reserved: 6.64 W  Remaining: 363.36 W

    Always-on PoE Enabled:1/1

    Quick PoE Enabled:None

PoE      Pwr Power    Pre-std Alloc         PSE Pwr PD Pwr PoE Port      PD     Cls Type

Port     Ena Priority Detect  Act           Rsrvd   Draw   Status        Sign

-------- --- -------- ------- ------------- ------- ------ ------------- ------ --- ----

1/1/1    Yes low      Off     usage         0.0 W   0.0 W  searching     N/A    N/A N/A

1/1/2    Yes low      Off     usage         0.0 W   0.0 W  searching     N/A    N/A N/A

1/1/3    Yes low      Off     usage         0.0 W   0.0 W  searching     N/A    N/A N/A

1/1/4    Yes low      Off     usage         0.0 W   0.0 W  searching     N/A    N/A N/A

1/1/5    Yes low      Off     usage         0.0 W   0.0 W  searching     N/A    N/A N/A

1/1/6    Yes low      Off     lldp-dot3     6.6 W   6.3 W  delivering    N/A    4   2

• if you see it is delivering power, type:
• interface 1/1/6
• no power
• power

• access boot ROM, validate L2/L3 path to Central
• mfginfo (to determine AP card0 serial number as admin password)
• apboot> mfginfo
• Inventory:
• Card 0: System
• Wired MAC           : 20:4c:03:c6:09:78
• Wired MAC Count     : 4
• Date Code           : 052620
• Serial              : CNKCK2R9NB
• Wireless MAC        : 24:62:ce:c5:c2:ce
• Wireless MAC Count  : 2
• Country             : CCODE-US-bb57c5b718e86164a118d99523adf1859129912b
• Card 1: CPU
• Assembly            : 2010258C
• Serial              : Y10592D81
• Date Code           : 051620
• Major Rev           : 02
• Minor Rev/Variant   : 00
• Card 2: Power
• Assembly            : 2010259C
• Serial              : Y10591512
• Date Code           : 051620
• Major Rev           : 02
• Minor Rev/Variant   : 00

• dhcp (test the DHCP client from the bootROM)

• failed DHCP example
• apboot> dhcp
• eth0 up: 1 Gb/s full duplex
• DHCP broadcast 1
• DHCP broadcast 2
• DHCP broadcast 3
• DHCP broadcast 4
• DHCP broadcast 5
• Retry count exceeded; starting again
• successful DHCP example
• apboot> dhcp
• eth0 up: 1 Gb/s full duplex
• DHCP broadcast 1
• DHCP IP address: 10.1.4.51
• DHCP subnet mask: 255.255.255.0
• DHCP def gateway: 10.1.4.1
• DHCP DNS server: 10.254.1.21
• DHCP DNS domain: aruba-training.com

• boot (wait for login prompt, admin/card0 serial number)
• Booting OS partition 0
• Checking image @ 0x0
• Copying image from 0x84000000
• Image is signed; verifying checksum... passed
• SHA2 Signature available
• Signer Cert OK
• Policy Cert OK
• RSA signature verified using SHA2.
• Uncompressing Kernel Image ...
• show ip interface brief (check that br0 ip is from dhcp)
• show ip route (validate dfgw via br0)
• show ap debug cloud-server

• commands to troubleshoot AP issues
• show ap association
• show ap bss-table
• show ap debug auth-trace-buf
• show ap debug cloud-server
• show ap debug radio-state
• show ap debug radio-stats <0-1> (try "show radio stats" as well)
• make sure this output does not say the radio is disabled, if it is disabled despite being configured to be enabled in Central
• anticipate Central GROUP corruption, delete the group and recreate it
• show ap monitor ap-list
• show log ap-debug
• show overlay cluster-info
• show overlay tunnel
• show ata current-cfg
• validate you see the current configuration for each cluster your WLAN profile has associated with this AP, if not...
• anticipate Central GROUP corruption, delete the group and recreate it

Current Central is Up

Microbranch AP is Disabled

Microbranch System IP is 0.0.0.0/::

[Current Configuration For cluster(CORPORATE)]

<Tunnel list>

-----pub_ip=10.1.3.21, local_ip=10.1.3.21, vlan=1,3,31,33,63, mcast=0, Tun_Type=GRE, peer_device_type=Gateway

     key_exp=0, dstNatt=0, HBT_interval=3, HBT_Threshold=10

<SSID list for primary>

-----ssid=hq-corp-86-1, type=0

[Current Configuration For cluster(DMZ)]

<Tunnel list>

-----pub_ip=10.1.3.22, local_ip=10.1.3.22, vlan=1,3,33,63, mcast=0, Tun_Type=GRE, peer_device_type=Gateway

     key_exp=0, dstNatt=0, HBT_interval=3, HBT_Threshold=10

<SSID list for primary>

-----ssid=hq-guest-86-1, type=0

<SSID list for backup>

-----ssid=hq-corp-86-1, type=0

• show ata endpoint
• look for SM_STATE_CONNECTED, if you see a STALE state, check L2,L3 connectivity issues between AP and GW

ATA Endpoint Status

-------------------

UUID                                  IP ADDR    STATE               TUN DEV  TUN SPI(OUT/IN)    LINK TAG  VALID TIME(s)  TUNNEL TYPE  GRE VLANs        HBT(Jiff/Missed/Sent/Rcv)  INNER IP   UP TIME(s)

----                                  -------    -----               -------  ---------------    --------  -------------  -----------  ---------        -------------------------  --------   ----------

ddaf45d4-6c92-4858-a185-12c1bfce8df1  10.1.3.22  SM_STATE_CONNECTED  tun0     5481c900/b53ff100  inet      98617          GREoIPSec    1,3,31,33,61,63  47498/0/30919/30915        10.2.4.51  2025-08-27 17:27:52

Total Endpoints Count: 1

• commands to troubleshoot GW issues
• login as branchsupport / mac-address
• find mac from greenlake or switch forwarding tables
• show configuration setup-dialog
• show port status
• show datapath port
• show interface port-channel 0
• show lacp 0 neighbor
• show users
• show ip dhcp database
• show ip int br
• show running-config | begin 0/0/0
• show tunneled-node-mgr trace-buf

Lab Access Errata

• if experiencing any problems with remote lab access (WebGate):
• be sure your browser is in private (incognito) mode
• restart your browser and clear your cache and cookies
• do not try to login unless you are 100 percent sure the login page is fully loaded (the tab favicon will look similar to an orange triangle)
• during login to Central, did you select the SSO option?
• if you need to restart your windows host
• in cmd.com type "shutdown /r /t 0"