Aruba S3500 Ethernet switches

From FnordWiki

Aruba S3500 Mobility Access switches are cool:

  • Dual power supply
  • Decent free firmware access
  • Good POE support
  • Reasonably quiet
  • Stackable
  • 2x 10Gbits/sec SFP+ ports available after stacking
  • Generic fs.com DACs work splendidly
  • Nifty profile-based configuration
  • Takes Cisco pinout console cables
  • 48 1000baseT ports (no robbing the modular connector ports to make the SFP ports go)
  • Fully featured OS that doesn't require licensing of nifty features
  • Dedicated management network interface located at rear of chassis.

Less than perfect, but totally livable things about these switches:

  • It's not a whitebox switch. Must run factory firmware. (Maybe next time. Maybe...)
  • Stacking is not super amaze balls fast between switches at 2x 10Gbits/sec, full duplex. That should not be a problem as the idea is more that this extends the 10 and 40 Gbits/sec network core out to 1000baseT land. So hopefully not a huge issue.

I got a brand new switch. How do I get access?

https://community.arubanetworks.com/t5/Wireless-Access/Aruba-S3500-password-recovery/td-p/31922 says to do this on the console:

User:password
Password:forgetme!
(aruba) >enable
Password:enable
(aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(aruba) (config) #mgmt-user admin root
Password:TheNewAdminPassw0rd
Re-Type password:TheNewAdminPassw0rd
(aruba) (config) #exit
(aruba) #exit
(aruba) >exit

User:admin
Password:TheNewAdminPassw0rd
(aruba) >enable
Password:enable
(aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(aruba) (config) #enable secret
Password:TheNewEnableSecr3t
Re-Type password:TheNewEnableSecr3t
(aruba) (config) #exit
(aruba) #write memory
(aruba) #

(It very correctly does not work over the network. Serial console port only. It's in the back.)

It is also possible to wipe the switch's config using the front panel menus.

Yay! I'm in. How do I wipe the config?

It's not hard, I promise.

User: admin
Password: *******
(foo) >enable
Password:******
(foo) #write erase
cmp: /mswitch/commands/corvina.cfg: No such file or directory

All the configuration will be deleted. Press 'y' to proceed :y
Write Erase successful

(foo) #

"Corvina" seems to be the internal product name for this model. Reboot the switch and it will mostly be cleared of any config that has been set. If that is not wiped enough, try

(foo) #write erase all
cmp: /mswitch/commands/corvina.cfg: No such file or directory

Switch configuration and databases will be erased. The stacking database will not be erased, use
'restore factory_default stacking' for full factory default. Press 'y' to proceed :y
Write Erase successful

(foo) #

And if there's stacking config that needs to be wiped, too, bring in the 8 inch gun:

(foo) #restore factory_default stacking  

All configuration and stack settings will be restored to
factory default on this member after reload.
Press 'y' to proceed with reload: [y/n]: y
System will now restart

And wait for it to start again. Stacking and all other config will have been wiped when it starts up again.

Default credentials and stuffs

Default management user is admin with a password of admin123. The default enable secret is enable.

I'm completely defaulted, fresh and clean, and ready to start the day. What do we do next?

Let's get network manageable! Network manageable! Let's get into network manageable!

(Olivia Newton John song) The twisted pair copper Ethernet port on the back of the switch is known as "MGMT" in the switch OS. Configuration is not too surprising:

(ArubaS3500-48P-US) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaS3500-48P-US) (config) #interface mgmt 
(ArubaS3500-48P-US) (mgmt) #ip address 172.16.10.17 255.255.255.0
(ArubaS3500-48P-US) (mgmt) #ipv6 address fd9d:f2a4:416d:0010::17 prefix_len 64
(ArubaS3500-48P-US) (mgmt) #exit
(ArubaS3500-48P-US) (config) #exit
(ArubaS3500-48P-US) #write memory
Saving Configuration...

Save failed: Admin password same as default password
Use "mgmt-user admin" command in configuration mode to change the admin password.

(ArubaS3500-48P-US) #

Denied! Admin user's password must be changed before config can be saved. So...

Changing admin user's password

(ArubaS3500-48P-US) (config) #mgmt-user admin root 
Password:********
Re-Type password:********
(ArubaS3500-48P-US) (config) #exit
(ArubaS3500-48P-US) #write memory 
Saving Configuration...


Configuration Saved.

(ArubaS3500-48P-US) #

Network manageability. Take two.

The twisted pair copper Ethernet port on the back of the switch is known as "MGMT" in the switch OS. Configuration is not too surprising:

(ArubaS3500-48P-US) #configure terminal 
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaS3500-48P-US) (config) #interface mgmt

(ArubaS3500-48P-US) (mgmt) #ip address 172.16.10.17 255.255.255.0
(ArubaS3500-48P-US) (mgmt) #exit
(ArubaS3500-48P-US) (config) #exit
(ArubaS3500-48P-US) #write memory 
(ArubaS3500-48P-US) #

And now an SSH client can connect to 172.16.0.72 as user admin with the password set above. Note that there is no route to another IPv4 subnet, so the client must be inside the same address space. But that is fixable, too. It's a profile thing. The IP profile...

(new-aruba-s3500-0) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(new-aruba-s3500-0) (config) #ip-profile
(new-aruba-s3500-0) (ip-profile) #default-gateway 172.16.10.2
(new-aruba-s3500-0) (ip-profile) #exit
(new-aruba-s3500-0) (config) #exit
(new-aruba-s3500-0) #write memory
Saving Configuration......


Configuration Saved.

(new-aruba-s3500-0) #show ip route

Codes: C - connected
       O - OSPF, O(IA) - OSPF inter area
       O(E1) - OSPF external type 1, O(E2) - OSPF external type 2
       O(N1) - OSPF NSSA type 1, O(N2) - OSPF NSSA type 2
       M - mgmt, S - static, * - candidate default
       D - DHCP

Gateway of last resort is 172.16.10.2 to network 0.0.0.0 at cost 0
S       * 0.0.0.0  /0 [0] via 172.16.10.2
M        172.16.10.0/24 is directly connected: mgmt
M        172.16.10.15/32 is directly connected: mgmt

(new-aruba-s3500-0) #

And there's a web UI, too

Point browser to MGMT's IP address and enjoy the loveli lakes, the wonderful telephone system, mani interesting furry animals, the majestic moose...

Sorry. Enjoy the better than average web interface.

Set the switch's name

(ArubaS3500-48P-US) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaS3500-48P-US) (config) #hostname aruba-s3500-1
(aruba-s3500-1) (config) #exit
(aruba-s3500-1) #write memory
Saving Configuration...


Configuration Saved.

(aruba-s3500-1) #

See the nifty change of prompt there?

And of course, we must update the firmwares

Firmware images can be downloaded from the Aruba Networks web site without registration, and also from the HPE Networking Portal (after registering for an account). The HPE Networking site has more recent images available without charge than the Aruba site does.

After a firmware image has been collected, we want to see what images are currently installed on the switch:

(aruba-s3500-1) #show image version

----------------------------------
Partition       	: 0:0 (/dev/ud1)
Software Version	: ArubaOS 7.2.2.1 (Digitally Signed - Production Build)
Build number    	: 38712
Label           	: 38712
Built on        	: Wed Jun 19 07:05:29 PDT 2013
----------------------------------
Partition       	: 0:1 (/dev/ud2) **Default boot**
Software Version	: ArubaOS 7.4.1.8 (Digitally Signed - Production Build)
Build number    	: 59498
Label           	: 59498
Built on        	: Fri May 5 00:44:01 PDT 2017

(aruba-s3500-1) #

And check what version is currently running:

(aruba-s3500-1) #show version
Aruba Operating System Software.
ArubaOS (MODEL: ArubaS3500-48P-US), Version 7.4.1.8
Website: http://www.arubanetworks.com
Copyright (c) 2016 Aruba, a Hewlett Packard Enterprise company.
Compiled on 2017-05-05 at 00:44:01 PDT (build 59498) by p4build
ROM: System Bootstrap, Version CPBoot 1.0.37.0 (build 36057)
Built: 2012-11-06 23:15:03
Built by: p4build@re_client_36057
Switch uptime is 33 days 20 hours 27 minutes 39 seconds
Reboot Cause: Power cycle/failure (0xee:0xee:0x3)
Processor XLS 208 (revision A1) with 1023M bytes of memory. 
955M bytes of System flash
Activation Key: Not available or unable to contact Activate

(aruba-s3500-1) #

Since we're running the image in partition 1, we'll update what's in partition 0 over the network:

(aruba-s3500-1) #copy scp: 172.16.10.3 itops ArubaOS_MAS_7.4.1.10_65516 system: partition 0 
Password:*************

Uploading partition 0
Press 'q' to abort.

Secure file copy:................................................
                                                                 Image is signed; 
File copied successfully.
Saving file to flash:..........................................
Member-0:The system will boot from partition 0 during the next reboot.
(aruba-s3500-1) #

And to confirm the updated image is in place:

(aruba-s3500-1) #show image version

----------------------------------
Partition       	: 0:0 (/dev/ud1) **Default boot**
Software Version	: ArubaOS 7.4.1.10 (Digitally Signed - Production Build)
Build number    	: 65516
Label           	: 65516
Built on        	: Tue Jun 26 04:31:13 PDT 2018
----------------------------------
Partition       	: 0:1 (/dev/ud2)
Software Version	: ArubaOS 7.4.1.8 (Digitally Signed - Production Build)
Build number    	: 59498
Label           	: 59498
Built on        	: Fri May 5 00:44:01 PDT 2017

(aruba-s3500-1) #

After rebooting the switch, confirm the new software is running like so:

(aruba-s3500-1) #show version

Aruba Operating System Software.
ArubaOS (MODEL: ArubaS3500-48P-US), Version 7.4.1.10
Website: http://www.arubanetworks.com
Copyright (c) 2016 Aruba, a Hewlett Packard Enterprise company.
Compiled on 2018-06-26 at 04:31:13 PDT (build 65516) by p4build
ROM: System Bootstrap, Version CPBoot 1.0.37.0 (build 36057)
Built: 2012-11-06 23:15:03
Built by: p4build@re_client_36057
Switch uptime is 12 minutes 58 seconds
Reboot Cause: User reboot (0x86:0x78:0x4023)
Processor XLS 208 (revision A1) with 1023M bytes of memory. 
955M bytes of System flash
Activation Key: Not available or unable to contact Activate

(aruba-s3500-1) #

and revel in the shininess of the new bits!
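The before/after eyeballing above can be scripted. This is an added example, not part of the original page or any Aruba tooling: it parses captured `show image version` and `show version` text and lists anything that does not match the intended upgrade. The function names are made up for illustration and the sample strings are trimmed copies of the output shown on this page.

```python
import re

# Constructed samples: trimmed copies of the CLI output shown on this page.
SHOW_IMAGE_VERSION = """\
----------------------------------
Partition       \t: 0:0 (/dev/ud1) **Default boot**
Software Version\t: ArubaOS 7.4.1.10 (Digitally Signed - Production Build)
Build number    \t: 65516
----------------------------------
Partition       \t: 0:1 (/dev/ud2)
Software Version\t: ArubaOS 7.4.1.8 (Digitally Signed - Production Build)
Build number    \t: 59498
"""
SHOW_VERSION = """\
ArubaOS (MODEL: ArubaS3500-48P-US), Version 7.4.1.10
Compiled on 2018-06-26 at 04:31:13 PDT (build 65516) by p4build
"""

def parse_image_versions(text):
    """Return one dict per flash partition from 'show image version' output."""
    images = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # values contain ':' too, split once
        if not sep:
            continue                           # separator, blank or prompt line
        key, value = key.strip(), value.strip()
        if key == "Partition":
            images.append({"partition": value.split()[0],
                           "default_boot": "**Default boot**" in value})
        elif key == "Software Version" and images:
            m = re.match(r"ArubaOS (\S+)(?: \((.*)\))?", value)
            images[-1]["version"] = m.group(1) if m else None
            # This only records what the switch reports about the image.
            images[-1]["signed"] = bool(m and m.group(2)
                                        and "Digitally Signed" in m.group(2))
        elif key == "Build number" and images:
            images[-1]["build"] = value
    return images

def parse_running(text):
    """Return (version, build) of the running image from 'show version' output."""
    ver = re.search(r"^ArubaOS \(MODEL: [^)]*\), Version (\S+)", text, re.M)
    build = re.search(r"^Compiled on .*\(build (\d+)\)", text, re.M)
    return (ver.group(1) if ver else None, build.group(1) if build else None)

def upgrade_problems(image_text, version_text, want_version, want_build):
    """List everything that does not match the intended post-reboot state."""
    images = parse_image_versions(image_text)
    target = [i for i in images if i.get("version") == want_version]
    if not target:
        return [f"no partition holds ArubaOS {want_version}"]
    img, problems = target[0], []
    if img.get("build") != want_build:
        problems.append(f"partition {img['partition']} build is {img.get('build')}")
    if not img.get("signed"):
        problems.append(f"partition {img['partition']} is not reported as signed")
    if not img["default_boot"]:
        problems.append(f"partition {img['partition']} is not the default boot")
    running = parse_running(version_text)
    if running != (want_version, want_build):
        problems.append(f"running image is {running}, reboot pending?")
    return problems

if __name__ == "__main__":
    print(upgrade_problems(SHOW_IMAGE_VERSION, SHOW_VERSION, "7.4.1.10", "65516"))
```

An empty list means the new image is in place, reported as signed, set as default boot, and actually running.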

Profiles? Aren't those racist?

The ArubaOS "profile" concept is used to configure nearly everything about the ports, VLANs, security, and everything else the switch can do. It seems very useful -- encapsulate assorted settings in profiles and assign them where they are needed. We'll be using them extensively below.

Basic switching things

Port speed settings

These are configured with profiles. I mentioned that would come up, I think. Best to just demonstrate instead of being an exhaustive reference manual. Physical port parameters are set with the enet-link-profile. If we wanted a 10baseT only switch port, we could do something like this:

(aruba-s3500-48p-0) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(aruba-s3500-48p-0) (config) #interface-profile enet-link-profile tenmbitsonly

(aruba-s3500-48p-0) (Ethernet Link "tenmbitsonly") #duplex half
(aruba-s3500-48p-0) (Ethernet Link "tenmbitsonly") #speed 10
(aruba-s3500-48p-0) (Ethernet Link "tenmbitsonly") #flowcontrol off
(aruba-s3500-48p-0) (Ethernet Link "tenmbitsonly") #no autonegotiation
(aruba-s3500-48p-0) (Ethernet Link "tenmbitsonly") #exit
(aruba-s3500-48p-0) (config) #exit
(aruba-s3500-48p-0) #show interface-profile enet-link-profile tenmbitsonly

Ethernet Link "tenmbitsonly" (N/A)
----------------------------------
Parameter        Value
---------        -----
Speed            10
Duplex           half
Autonegotiation  Disabled
Flowcontrol      off

(aruba-s3500-48p-0) #

to create the profile. This is a 10baseT only profile. No flow control. Half duplex. No negotiating with the other end. Apply it to interface 0/0/10 like so:

(aruba-s3500-48p-0) #configure terminal 
(aruba-s3500-48p-0) (config) # interface gigabitethernet 0/0/10
(aruba-s3500-48p-0) (gigabitethernet "0/0/10") #enet-link-profile tenmbitsonly
(aruba-s3500-48p-0) (gigabitethernet "0/0/10") #exit
(aruba-s3500-48p-0) (config) #exit
(aruba-s3500-48p-0) #

And we can see how it's being applied to port 0/0/10 like so:

(aruba-s3500-48p-0) #show interface-config gigabitethernet 0/0/10

gigabitethernet "0/0/10"
------------------------
Parameter                                        Value                 Config Derivation
---------                                        -----                 -----------------
Interface MSTP Profile                           default               default
Interface Rapid PVST Profile                     default               default
Interface GVRP Profile                           N/A                   gigabitethernet0/0/10
Interface Tunneled Node Profile                  N/A                   gigabitethernet0/0/10
Interface VOIP Profile                           N/A                   gigabitethernet0/0/10
Interface LLDP Profile                           lldp-factory-initial  default
Interface PoE Profile                            poe-factory-initial   default
Interface Ethernet Link Profile                  tenmbitsonly          gigabitethernet0/0/10
Interface OAM Profile                            N/A                   gigabitethernet0/0/10
Interface LACP Profile                           N/A                   gigabitethernet0/0/10
Interface QoS Profile                            N/A                   gigabitethernet0/0/10
Interface Policer Profile                        N/A                   gigabitethernet0/0/10
Interface AAA Profile                            N/A                   gigabitethernet0/0/10
Interface Shutdown                               Disabled              default
Interface MTU                                    1514                  default
Interface Ingress ACL                            N/A                   gigabitethernet0/0/10
Interface Egress ACL                             N/A                   gigabitethernet0/0/10
Interface QoS Trust Mode                         aruba-device          default
Interface Description                            N/A                   default
Interface Switching Profile                      default               default
Interface Security Profile                       N/A                   gigabitethernet0/0/10
Ingress Port Mirroring Profile                   N/A                   gigabitethernet0/0/10
Egress Port Mirroring Profile                    N/A                   gigabitethernet0/0/10
Static IGMP Multicast Router port for the VLANs  0                     default
Static MLD Multicast Router port for the VLANs   0                     default
Interface Trusted Mode                           Enabled               default
HSL backup interface                             N/A                   gigabitethernet0/0/10
HSL preemption mode                              Off                   default
HSL preemption delay                             100                   default

(aruba-s3500-48p-0) #

LLDP things

Once again, these are set with profiles. In this bit we are going to create 2 new profiles copied from the default. We are going to want LLDP on everything except the WAN interfaces. No need for Comcast/Xfinity/whatevertheycallthemselvesnow to know they're plugged into a switch instead of directly into a general purpose computer.

First profile will be called "LLDPallTheThings":

(aruba-s3500-48p-0) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(aruba-s3500-48p-0) (config) #interface-profile lldp-profile LLDPallTheThings
(aruba-s3500-48p-0) (LLDP Profile "LLDPallTheThings") #lldp receive
(aruba-s3500-48p-0) (LLDP Profile "LLDPallTheThings") #lldp transmit
(aruba-s3500-48p-0) (LLDP Profile "LLDPallTheThings") #med enable
(aruba-s3500-48p-0) (LLDP Profile "LLDPallTheThings") #lldp med-tlv-select network-policy
(aruba-s3500-48p-0) (LLDP Profile "LLDPallTheThings") #lldp med-tlv-select power-management
(aruba-s3500-48p-0) (LLDP Profile "LLDPallTheThings") #end
(aruba-s3500-48p-0) #end
(aruba-s3500-48p-0) #

And a second profile for listen-only interfaces (like our consumer Comcast DOCSIS service):

(aruba-s3500-48p-0) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(aruba-s3500-48p-0) (config) #interface-profile lldp-profile LLDPreceiveOnly
(aruba-s3500-48p-0) (LLDP Profile "LLDPreceiveOnly") #no lldp transmit
(aruba-s3500-48p-0) (LLDP Profile "LLDPreceiveOnly") #lldp receive
(aruba-s3500-48p-0) (LLDP Profile "LLDPreceiveOnly") #med enable
(aruba-s3500-48p-0) (LLDP Profile "LLDPreceiveOnly") #lldp med-tlv-select network-policy
(aruba-s3500-48p-0) (LLDP Profile "LLDPreceiveOnly") #lldp med-tlv-select power-management
(aruba-s3500-48p-0) (LLDP Profile "LLDPreceiveOnly") #end
(aruba-s3500-48p-0) #write memory
Saving Configuration...


Configuration Saved.

(aruba-s3500-48p-0) #

Applying this profile to one or more ports can be done with an Interface Group. To illustrate, we'll create an interface group for outside-facing WAN ports and apply it only to port 0/0/47. We'll probably want to put that on port 1/0/47 (same port on the 1th stack member switch) when we're done, too.

(aruba-s3500-48p-0) #configure terminal
(aruba-s3500-48p-0) (config) #interface-group gigabitethernet outisde-wan-ports
(aruba-s3500-48p-0) (gigabitethernet "outisde-wan-ports") # lldp-profile LLDPreceiveOnly
(aruba-s3500-48p-0) (gigabitethernet "outisde-wan-ports") #apply-to add 0/0/47
(aruba-s3500-48p-0) (gigabitethernet "outisde-wan-ports") #exit
(aruba-s3500-48p-0) (config) #exit
(aruba-s3500-48p-0) #show interface-config gigabitethernet 0/0/47

gigabitethernet "0/0/47"
------------------------
Parameter                                        Value            Config Derivation
---------                                        -----            -----------------
Interface MSTP Profile                           default          outisde-wan-ports
Interface Rapid PVST Profile                     default          outisde-wan-ports
Interface GVRP Profile                           N/A              N/A
Interface Tunneled Node Profile                  N/A              N/A
Interface VOIP Profile                           N/A              N/A
Interface LLDP Profile                           LLDPreceiveOnly  outisde-wan-ports
Interface PoE Profile                            default          outisde-wan-ports
Interface Ethernet Link Profile                  default          outisde-wan-ports
Interface OAM Profile                            N/A              N/A
Interface LACP Profile                           N/A              N/A
Interface QoS Profile                            N/A              N/A
Interface Policer Profile                        N/A              N/A
Interface AAA Profile                            N/A              N/A
Interface Shutdown                               Disabled         outisde-wan-ports
Interface MTU                                    1514             outisde-wan-ports
Interface Ingress ACL                            N/A              N/A
Interface Egress ACL                             N/A              N/A
Interface QoS Trust Mode                         aruba-device     outisde-wan-ports
Interface Description                            N/A              outisde-wan-ports
Interface Switching Profile                      default          outisde-wan-ports
Interface Security Profile                       N/A              N/A
Ingress Port Mirroring Profile                   N/A              N/A
Egress Port Mirroring Profile                    N/A              N/A
Static IGMP Multicast Router port for the VLANs  0                outisde-wan-ports
Static MLD Multicast Router port for the VLANs   0                outisde-wan-ports
Interface Trusted Mode                           Enabled          outisde-wan-ports
HSL backup interface                             N/A              N/A
HSL preemption mode                              Off              outisde-wan-ports
HSL preemption delay                             100              outisde-wan-ports

(aruba-s3500-48p-0) #
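To check that every WAN-facing port really picked up the receive-only LLDP profile (and that no internal port did by accident), the `show interface-config` tables can be parsed and compared against the intended port list. This is an added example, not from the original page: the function names are hypothetical, the samples are rows trimmed from the output above, and the 1/0/47 sample is constructed to show a stack-member port that was not yet added to the group.

```python
import re

# Constructed samples: rows trimmed from the "show interface-config" output above.
PORT_47 = """\
gigabitethernet "0/0/47"
------------------------
Parameter                        Value            Config Derivation
---------                        -----            -----------------
Interface LLDP Profile           LLDPreceiveOnly  outisde-wan-ports
Interface Ethernet Link Profile  default          outisde-wan-ports
Interface AAA Profile            N/A              N/A
"""
PORT_10 = """\
gigabitethernet "0/0/10"
------------------------
Parameter                        Value                 Config Derivation
---------                        -----                 -----------------
Interface LLDP Profile           lldp-factory-initial  default
Interface Ethernet Link Profile  tenmbitsonly          gigabitethernet0/0/10
"""
# Constructed: what 1/0/47 would look like before it is added to the group.
PORT_1_47 = PORT_10.replace("0/0/10", "1/0/47").replace("tenmbitsonly", "default")

def parse_interface_config(text):
    """Return (port, {parameter: (value, config_derivation)}) for one port."""
    port, table = None, {}
    for line in text.splitlines():
        m = re.match(r'gigabitethernet "([\d/]+)"', line)
        if m:
            port = m.group(1)
            continue
        # Parameter names contain single spaces; columns are separated by 2+.
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) != 3 or cells[0] == "Parameter" or set(cells[0]) <= {"-"}:
            continue                      # header, underline, prompt or blank line
        table[cells[0]] = (cells[1], cells[2])
    if port is None:
        raise ValueError("no gigabitethernet header found")
    return port, table

def audit_lldp(outputs, wan_ports, wan_profile="LLDPreceiveOnly"):
    """Compare each port's LLDP profile with the intended WAN port list."""
    findings = {}
    for text in outputs:
        port, table = parse_interface_config(text)
        profile, source = table.get("Interface LLDP Profile", (None, None))
        if port in wan_ports and profile != wan_profile:
            findings[port] = (f"WAN port uses LLDP profile {profile!r} "
                              f"(from {source}), expected {wan_profile}")
        elif port not in wan_ports and profile == wan_profile:
            findings[port] = f"internal port is receive-only (from {source})"
    return findings

if __name__ == "__main__":
    wan = {"0/0/47", "1/0/47"}
    for port, msg in audit_lldp([PORT_47, PORT_10, PORT_1_47], wan).items():
        print(port, msg)
```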

VLANs and spanning trees and things like that, oh my!

Here at FnordNET, we have a number of VLANs in use. I'd like to get VLAN 1 retired, designate a small range for WAN connections, fully migrate things to the appropriate networks (server build/garage for installations; management for stuff like Aruba S3500 management interfaces, wireless access point management, UPS management, IPMI, etc; general purpose server network; Ceph public and cluster networks; and so on).

Create us a VLAN

Let's do just a few here to demonstrate. We'll carve out VLAN 10 for hardware management, VLANs 100-109 for Internet provider connections (but only set up 10 and 11 for now), VLAN 1000 general server things, VLAN 1001 for the clients network, 3900 for the guests... Let us begin with VLAN 10.

(aruba-s3500-48p-0) #configure terminal 
Enter Configuration commands, one per line. End with CNTL/Z

(aruba-s3500-48p-0) (config) #vlan 10
(aruba-s3500-48p-0) (VLAN "10") #description "Hardware management network"
(aruba-s3500-48p-0) (VLAN "10") #end
(aruba-s3500-48p-0) #

Pretty painless. The switch now has VLAN 10 in its running configuration:

(aruba-s3500-48p-0) #show vlan

VLAN CONFIGURATION
------------------
VLAN  Description                  Ports
----  -----------                  -----
1     VLAN0001                     GE0/0/0-47 GE0/1/0-1 
10    Hardware management network  

(aruba-s3500-48p-0) #show vlan 10

VLAN CONFIGURATION
------------------
VLAN  Description                  Ports
----  -----------                  -----
10    Hardware management network  

(aruba-s3500-48p-0) #show vlan 10 detail

U - Untagged member, T - Tagged member
* - Active interface

Dot1q tag: 10, Description: Hardware management network

(aruba-s3500-48p-0) #

So we now have VLAN 10 created and not attached to any ports. Which is not super useful. So we'll take care of that soon.

Create an interface switching profile that uses this VLAN