Get The Edge An Introduction To Aruba Networking Solutions Lab Guide Rev.22.11 With Covers

Get the Edge:
An Introduction to
Aruba Networking
Solutions
Remote Labs
TRAINING MANUAL
EDU-$&17-RLABS-v22.11
Get the Edge:
An Introduction
to Aruba
Networking
Solutions
Rev 22.11
Lab Guide
JANUARY 2022
Get the Edge: An Introduction to Aruba Networking Solutions
Copyright
© 2022 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility
Management System®, Bluescanner, For Wireless That Works®, Mobile Edge
Architecture, People Move. Networks Must Follow., RFProtect, The All Wireless
Workplace Is Now Open For Business, and The Mobile Edge Company® are
trademarks of Aruba Networks, Inc. All rights reserved. All other trademarks are the
property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third
parties, including software code subject to the GNU General Public License ("GPL"),
GNU Lesser General Public License ("LGPL"), or other Open Source Licenses. The
Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals
or corporations, to terminate other vendors' VPN client devices constitutes complete
acceptance of liability by that individual or corporation for this action and
indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might
be taken against it with respect to infringement of copyright on behalf of those
vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year
parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT
TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
SKU: EDU-ACNT-RLABS-22.11
JANUARY 2022
Get the Edge: An
Introduction to Aruba
Networking Solutions
Get the Edge: An Introduction

to Aruba Networking Solutions
LAB GUIDE TABLE OF CONTENTS
Lab 0: Testing Lab Connectivity (Optional) ......................................................................... 1
Overview ................................................................................................................................. 1
Objectives ............................................................................................................................... 1
Task 1: Aruba Training Lab Access ......................................................................................... 3
Task 2: Testing Connectivity.................................................................................................... 4
Lab 1: Numerical Conversion ............................................................................................... 9
Overview ................................................................................................................................. 9
Objectives ............................................................................................................................... 9
Task 1: Convert Binary to Decimal ........................................................................................ 10
Task 2: Convert Decimal to Binary ........................................................................................ 12
Task 3: Convert Binary to Hexadecimal ................................................................................. 13
Task 4: Convert Hexadecimal to Binary ................................................................................. 15
Lab 2: Packet Exploration ................................................................................................... 19
Overview ............................................................................................................................... 19
Objectives ............................................................................................................................. 19
Task 1: Discover Headers and Encapsulation ....................................................................... 20
Task 2: UDP Header ............................................................................................................. 31
Lab 3: Initial Switch Setup .................................................................................................. 36
Overview ............................................................................................................................... 36
Objectives ............................................................................................................................. 36
Task 1: Explore the AOS-CX Switch CLI ............................................................................... 37
Task 2: Configure Initial Settings ........................................................................................... 48
Task 3: Create and Explore Checkpoints .............................................................................. 55
Feb 2022 rev.22.11 # | © Copyright 2022 Hewlett Packard Enterprise Development LP | Confidential – For Training Purposes Only
Get the Edge: An
Introduction to Aruba
Networking Solutions
Lab 4: Configure Layer 2 Switching Features and Protocols .......................................... 60

Overview ............................................................................................................................... 60
Objectives ............................................................................................................................. 60
Task 1: Assign PCs to VLAN 2 .............................................................................................. 61
Task 2: Explore MAC Address Table ..................................................................................... 66
Task 3: Configure Initial Settings on Switch-2........................................................................ 76
Task 4: Enable Link Between Switches ................................................................................. 80
Task 5: Extend Connectivity for VLAN 2 ................................................................................ 90
Task 6: Enable Spanning Tree .............................................................................................. 94
Task 7: Save Your Configurations ........................................................................................104
Lab 5: IP Routing ................................................................................................................105
Overview ..............................................................................................................................105
Objectives ............................................................................................................................105
Task 1: Move PC-1 to VLAN 3..............................................................................................106
Task 2: Add a Default Gateway on VLANs 2 and 3 ..............................................................110
Task 3: Routed Link..............................................................................................................122
Task 4: Static Routes ...........................................................................................................128
Task 5: Default Route ...........................................................................................................134
Task 6: DHCP Relay ............................................................................................................140
Task 7: Save Your Configurations ........................................................................................143
Lab 6: 802.11 Analysis .......................................................................................................144
Overview ..............................................................................................................................144
Objectives ............................................................................................................................144
Task 1: Detect WLANs .........................................................................................................145
Task 2: 802.11 Management Frames Analysis .....................................................................154
Lab 7: Configuring a WLAN with Aruba Central...............................................................165
Objectives ............................................................................................................................165
Overview ..............................................................................................................................165
Task 1: Add the Aruba Access Point ....................................................................................166
Task 2: Connect to Aruba Central ........................................................................................169
Task 3: Configure your AP ...................................................................................................176
Task 4: Create a New SSID..................................................................................................193
Feb 2022 rev.22.11 # | © Copyright 2022 Hewlett Packard Enterprise Development LP | Confidential – For Training Purposes Only
Get the Edge: An Introduction to
Aruba Networking Solutions
Lab 0
Lab 0 – Testing Lab Connectivity (optional)
Overview
The Aruba Training Lab provides you with the equipment you need for completing several lab
activities. You should know the purpose and access procedures to this equipment.
• PC-1: This client is used for traffic analysis & connectivity testing.
• PC-2: This client is only used as a connectivity testing target. You won’t access it.
• Windows Server: This is a DHCP, Web and TFTP server, you will also use it for
connectivity testing.
• AOS 10 AP: This Access Point will be used for deploying a WLAN via Aruba Central
• vCX-1 switch: This will be one of the virtual switches you will configure, it provides
connectivity to PC-1, PC-2 and the AP.
• vCX-2 switch: This will be one of the virtual switches you will configure, it provides
connectivity to the Windows Server.
Objectives
After completing this lab, you will have all the information needed to support the hands-on labs in
this course.
Rev 22.11 | © Copyright 2020 Hewlett Packard Enterprise Development LP | Confidential – For Training Purposes Only
1
Lab 0
Figure 0-1: Lab Topology
2
Lab 0
Task 1: Aruba Training Lab Access

Objective
The objective is to check that you have connectivity to the remote lab and can successfully login.
This will ensure that you have access to your remote lab equipment during this training.
Steps
1. On your local computer, launch a web browser, and enter to the Aruba Training Lab web
portal at the URL:https://arubatraininglab.computerdata.com.
2. Enter your username and password (if you do not have one, ask your instructor for the
credentials), and click the Sign in button.
Figure 0-2: Sign in
3
Lab 0
Task 2: Testing Connectivity

Objective
The objective is to test connectivity and authentication credentials for each of the devices.
Working from the Aruba Training Lab diagram, you will connect to and log into the Access
switches and your client PCs.
vCX-1 and vCX-2
1. To connect to the console of the vCX-1 switch, right-click on the icon in the lab diagram
and select “Open Console.”
Figure 0-3: Open Console of 6300-A
2. A new browser tab should open with a blank, black screen.

3. Press [enter] a couple times, and you will see a user prompt.
4. Login using admin and no password.
5. Repeat steps 1 to 4 on vCX-2.
4
Lab 0
Figure 0-4: Open Console of 6300-B
6300 login: admin

Password:
Please configure the 'admin' user account password.

Enter new password:
Confirm new password:
6300#
PC-1 and Windows Server
6. To access the desktop PC-1, just Right-click on the icon in the lab diagram and select
“Open Desktop.”
5
Lab 0
Figure 0-5: Open Console of PC-1
7. A new browser tab will open with the remote desktop.
Figure 0-6: PC-1’s desktop
NOTE: It may take a few minutes for the PC-1 desktop to come up. Also, if your
Aruba Training Lab has been idle for a while after you login, you may need to
log out of the lab interface and log back in and then launch the desktop again.
8. Repeat steps 6 and 7 on the Windows Server.
6
Lab 0
Figure 0-7: Open Console of Windows Server
Aruba Central
1. Using your personal computer, open a web browser and connect to

https://central.arubanetworks.com.
2. Verify that the Availability Zone has been set to the zone assigned to you in your lab access
credentials.
3. Enter the username and email that was assigned to you.
7
Lab 0
Figure 0-8: Aruba Central Login
Note. The Central username uses email format, and this lab environment uses
arubatraininglabs.net as domain.
4. Click Continue.
5. You will gain access to the Single Sign On (SSO) authentication web page.
6. Re-enter the same email as username and enter the password assigned to you.
Figure 0-7: Aruba Training Labs Sign-On
Note. Be patient, the first time you login into Central it could take up to 30 seconds.
7. You should now be in the main Central dashboard.
You have completed Lab 0!
8
Lab 1
Lab 1 - Numerical Conversion
Overview
Welcome to the training course. This lab manual will be your companion in your networking
education journey. It contains different activities such as configuration, debugging and verification,
troubleshooting, topology discovery, subnetting, traffic analysis, demonstrations and more, with
the main goal of sharing with you the knowledge and required skills for deploying a small sized
single site campus network using AOS-CX switching platforms.
This training assumes no previous networking knowledge and is intended to teach solid
fundamental concepts. Some tasks will cover details in depth, from the ground up.
The current lab covers practicing binary and hexadecimal conversions. You need to understand
this binary and hexadecimal conversions so you can understand how to configure, diagnose, and
troubleshoot your network.
Objectives
After completing this lab, you will be able to:
• Convert decimal numbers to binary, hexadecimal and back.
9
Lab 1
Task 1: Convert Binary to Decimal

Objectives
Convert the following binary into decimal values.
a. 11001110
b. 10101001
c. 111000
d. 10001
e. 11111100
Steps
1. Fill out Table 1-1 with the “Power of two” information shown in Module 1 – Numerical
Systems.
2. Use table 1-1 for completing your conversions.
TIP: In your time off, practice writing the table down. The more times you do it
the easier it is for you to remember it. This is a good shortcut for decimal to
binary conversion whenever a calculator isn’t close.
10
Lab 1
Table 1-1: Power of Two: Binary to decimal

Power of 2
Decimal
Exercise a
Binary
Decimal
Exercise b
Binary
Decimal
Exercise c
Binary
Decimal
Exercise d
Binary
Decimal
Exercise e
Binary
Decimal
11
Lab 1
Task 2: Convert Decimal to Binary

Objectives
Convert the following decimal values into binary using the power of two method.
a. 124
b. 147
c. 26
d. 235
Steps
1. Fill out Table 1-2 with the “power of two” information shown in Module 1 – Numerical
Systems.
2. Use table 1-2 for completing your conversions.
Table 1-2: Power of 2: Decimal to binary

Power of 2
Decimal
Exercise a
Binary
Exercise b
Binary
Exercise c
Binary
Exercise d
Binary
12
Lab 1
Task 3: Convert Binary to Hexadecimal

Objectives
Convert the following binary values into hexadecimal.
a. 01110110
b. 01101101
c. 11001010
d. 0111000
Steps
1. Fill out Table 1-3 with the “Decimal to Hexadecimal” information shown in Module 1 –
Numerical Systems.
Use table 1-3 for completing your conversions.
Table 1-3: Binary to Hexadecimal
Binary Hexadecimal
13
Lab 1
a. Convert 01110110
b. Convert 01101101
c. Convert 11001010
d. Convert 0111000
14
Lab 1
Task 4: Convert Hexadecimal to Binary

Objectives
Convert the following hexadecimal values into binary using the division method.
a. 0xFB
b. 0xC390
c. 0x8F4E
d. 0xCD
Steps
a. Convert 0xFB
b. Convert 0xC390
c. Convert 0x8F4E
d. Convert 0xCD
15
Lab 1
Solutions: Task 1 – Convert Binary to Decimal
Exercise a
Binary 1 1 0 0 1 1 1 0
Decimal 128 64 0 0 8 4 2 1
128+64+8+4+2 = 206
Exercise b
Binary 1 0 1 0 1 0 0 1
Decimal 128 0 32 0 8 0 2 1
128 + 32 + 8 + 1 = 169
Exercise c
Binary 0 0 1 1 1 0 0 0
Decimal 0 0 32 16 8 0 0 0
32 + 16 + 8 = 56
Exercise d
Binary 0 0 0 1 0 0 0 1
Decimal 0 0 0 16 0 0 0 1
16 + 1 = 17
Exercise e
Binary 1 1 1 1 1 1 0 0
Decimal 128 64 32 16 8 4 2 0
128 + 64 + 32 +16 + 8 + 4 + 2 = 252
16
Lab 1
Solutions: Task 2 – Convert Decimal to Binary
Exercise a
Binary 0 1 1 1 1 1 0 0
Exercise b
Binary 1 0 0 1 0 0 1 1
Exercise c
Binary 0 0 0 1 1 0 1 0
Exercise d
Binary 1 1 1 0 1 0 1 1
Solutions: Task 3 – Convert Binary to Hexadecimal
Exercise a
01110110 = 0x76
Exercise b
01101101 = 0x6D
Exercise c
11001010 = 0xCA
Exercise d
0111000 = 0x38
17
Lab 1
Solutions: Task 4 – Convert Hexadecimal to Binary
Exercise a
0xFB = 1111 1011
Exercise b
0xC390 = 1100 0011 1001 0000
Exercise c
0x8F4E = 1000 1111 0100 1110
Exercise d
0xCD = 1100 1101
18
Lab 2
Lab 2 - Packet Exploration

Overview
In the current lab you will explore Ethernet, IP, TCP and UDP packet headers and be familiar with
their contents and characteristics such as length, fields, and flags.
Learning how to perform packet analysis and understanding the contents of the headers is a great
troubleshooting tool that you can use for determining what the problem is when communications
are not occurring as expected. It can be used to validate if the packets are created and transmitted,
if the connections are established, if the destination is responding, or even to conclude if there is
a problem on any of the layers of the OSI model.
Objectives

• Capture packets using Wireshark
• Explore layer 2, 3 and 4 headers
• Identify most significant fields in headers
19
Lab 2
Task 1: Discover Headers and Encapsulation

Objectives
A key step for learning data forwarding and networking protocols is being able to look at packets
and identify their OSI model headers, and the headers’ contents.
In this task you will explore Ethernet, IP, UDP and TCP headers.
Figure 2-1: Task 1 Topology
Steps
PC-1
1. Open a console session to Wired/Wireless PC-1.

2. Open Wireshark, there should be a shortcut on the Desktop.
Figure 2-2: Wireshark shortcut
NOTE: Wireshark is a well-known, open-source packet analyzer tool. It is

capable of capturing traffic in different media types such as Ethernet, 802.11,
Bluetooth, USB and more. It is supported on main desktop operating systems
20
Lab 2
such as Microsoft Windows, MacOS and many Linux distributions. For more
information, please go to:
www.wireshark.org
https://wikipedia.org/wiki/Wireshark
3. Expand the “View” menu and uncheck the “Packet Bytes” option.
Figure 2-3: Wireshark View > Packet Bytes
4. Double click the Lab NIC entry. That will begin the packet capture in that interface.
Figure 2-4: Wireshark NICs
5. Identify the components shown in figure 2-5.
21
Lab 2
Figure 2-5: Wireshark Sections
6. On filter toolbar type “ip.addr == 10.254.1.22” with no quotes and hit [Enter]. That will
instruct Wireshark to only display packets to and from that server.
7. Open a browser and type “10.254.1.22” IP address in the URL field and hit [Enter]. A page
will pop up.
Figure 2-6: Web page
22
Lab 2
8. Move back to Wireshark. You should see a long list of entries that represent every single
Data Unit exchanged with the server in order to download the page.
9. Click on the stop capture button, but do not close the Wireshark window.
Figure 2-7: Wireshark Stop
TIP: You can use the magnifying glass to increase the size of the packets.
10. Scroll all the way up.
Figure 2-8: Data packets
You will first see three packets listed as “SYN”, “SYN, ACK” and “ACK” under the Info column.
23
Lab 2
What do they mean?
________________________________________________________________________
________________________________________________________________________
What are these three packets for?
________________________________________________________________________
________________________________________________________________________
11. Select the entry that lists “GET / HTTP/1.1” in the Info column. Five entries will appear in
the “Packet Details” section including Frame details and Data Link, Network, Transport and
Application headers.
Figure 2-9: Data headers
What protocols are listed in “Frame details” section and what OSI model layers do they
belong to?
Data Link header: __________________________________________________________
Network header: ___________________________________________________________
Transport header: __________________________________________________________
Application header: ________________________________________________________
24
Lab 2
12. Click, then expand the “Ethernet II” entry.
Figure 2-10: Data Link layer header
What is the length of the header?
________________________________________________________________________
What are the values of Destination and Source fields?
________________________________________________________________________
What is the Type value (also known as Ethertype)?
________________________________________________________________________
TIP: You can see the header length at the very bottom of the window.
13. Click, then expand the “Internet Protocol Version 4” entry.
25
Lab 2
Figure 2-11: Network layer header
________________________________________________________________________
What is the protocol version?
________________________________________________________________________
What is the Time to live value?
________________________________________________________________________
ANSWER: TTL is an 8-bit field with an initial value when the packet is created,
every time the packet crosses a layer 3 boundary then TTL is decreased by 1,
when it reaches 0 the packet gets discarded.
What is the Protocol number?
________________________________________________________________________
What does the IP protocol number represent and what is its main purpose of this field?
________________________________________________________________________
________________________________________________________________________
26
Lab 2
________________________________________________________________________
ANSWER: IP protocol number or Protocol for short, is a numeric identification

of the upper layer protocol contained in the packet’s payload. The IANA has
assigned unique values to each IP protocol, e.g. ICMP is IP protocol 1, TCP is
6, UDP is 17 and GRE is 47.
What are the values of the Destination and Source fields?
________________________________________________________________________
14. Click, then expand the “Transport Control Protocol” entry.
Figure 2-12: Transport layer header
________________________________________________________________________
What are the first two fields?
________________________________________________________________________
________________________________________________________________________
27
Lab 2
What are they for?
________________________________________________________________________
What is the sequence number for?
________________________________________________________________________
15. Expand “Flags”.
Figure 2-13: TCP flags
Do you know any of them?
________________________________________________________________________
Please do some research and find out what the following flags are for?
Acknowledgement: _________________________________________________________
________________________________________________________________________
________________________________________________________________________
Reset: ___________________________________________________________________
28
Lab 2
________________________________________________________________________
________________________________________________________________________
Syn: _____________________________________________________________________
________________________________________________________________________
________________________________________________________________________
Fin: _____________________________________________________________________
________________________________________________________________________
________________________________________________________________________
ANSWER: Flag types are:

• Acknowledgement: Indicates that the acknowledgement field is
significant. All packets after the initial SYN packet sent by the client
should have this flag set.
• Reset: Reset the connection. Seen on rejected connections.
• Syn: Synchronize the sequence numbers. Seen on new connections.
• Fin: No more data from sender. Seen after a connection is closed.
What is the Window size?
________________________________________________________________________
What is the Window size for?
________________________________________________________________________
ANSWER: The window size field is the number of bytes the sender will buffer
for the response. During 3-way handshake both sender and receiver will say
how large their receive window is.
29
Lab 2
16. Expand the “Hypertext Transfer Protocol” entry.
Figure 2-14: Application Header
IMPORTANT: In Hyper Transfer Protocol or HTTP’s header there are 4 main

commands: GET, PUSH, PUT and DELETE. Usually after the 3-way handshake, the
first HTTP payload has a GET instruction in order to download the web page.
After requesting the web page, there will be a lot of packets coming from the server.
These are acknowledged by the client and displayed as the black with red entries
(image below), they contain the web page itself. Once the page is fully loaded in the
browser there is a FIN segment coming from the client signaling the end of the session.
It is followed by similar one from the server, and finally a last ACK is sent by the client.
30
Lab 2
Task 2: UDP header

Objectives
Now you will look into a UDP header and compare it with the TCP one.
Steps
PC-1
1. Click the restart button then click “Continue without Saving” button, or, if you stopped your
packet capture in the previous task, simply click “Start Capturing Packets”. This will clean
up the packet capture.
Figure 2-16: Wireshark restart
2. Open 3CDaemon, there should be a shortcut on the Desktop.
31
Lab 2
Figure 2-17: 3CDaemon
3. Click on the “Tftp Client” tab.

4. For TFTP Server Address type “10.254.1.22”
5. On Operation select “Receive File”.
6. For Remote File Name type IANS.txt.
7. Click the “…” button next to “Local File Name” field, then select Desktop as destination
directory and type IANS.txt as the file name.
8. Click Save button.
Figure 2-18: 3CDaemon – Local File
9. Back in TFTP Client click the Go button. The software will begin a TFTP connection and
download the file.
32
Lab 2
Figure 2-19: TFTP client settings
10. Move to Wireshark. You will see a new capture with all packets involved in the transfer.
Figure 2-20: TFTP traffic capture
Is there any Three-way handshake session establishment?
________________________________________________________________________
11. Click the first packet (Read Request).

12. Select and expand the “User Datagram Protocol” entry in the Packet Details section.
33
Lab 2
Figure 2-21: User Datagram Protocol
________________________________________________________________________
What is the first impression when comparing with the TCP header (Task 1 step 13)?
________________________________________________________________________
________________________________________________________________________
What fields do they have in common?
________________________________________________________________________
Can you see any Acknowledgment flag embedded in the header?
________________________________________________________________________
13. Click and expand the “Trivial File Transfer Protocol” entry.
NOTE: This is the TFTP application header, just by looking in its contents you
can tell this is the IANS.txt file request sent by the client.
14. Click the last packet (Acknowledgement). It will automatically show the TFTP header
contents
34
Lab 2
Figure 2-22: TFTP Traffic Capture
What is the Opcode field value?
________________________________________________________________________
IMPORTANT: Due the lack of acknowledgement at the transport level, some UDP
based applications do support the feature at Layer 7 level, this is the case of TFTP.
Also notice how, unlike TCP, the transmission suddenly stops without any FIN signaling
at the transport layer. This is because at the application layer level the TFTP server told
the client how many bytes the file has, once those bytes were sent and acknowledged
(again at Layer 7), then both parties assume the session is over.
35
Lab 3
Lab 3 – Initial Switch Setup

Overview
BrilliantAcademy is a college that just started operations a few months ago. The faculty members
have determined the need to install a Local Area Network for supporting teachers, students, and
computer lab equipment. In most cases Windows PCs and smart devices will require wired and
wireless access to file sharing, web servers, and the Internet. Because of this, you have been
contacted to provide network consulting services, as well as take care of configuring and managing
the switching and WLAN equipment that has been recently purchased.
This lab is intended to introduce the ArubaOS-CX Code and Command Line Interface. You will
explore the different contexts and use the context sensitive help to discover what commands you
have available on each. You will also run initial configuration commands that will prepare the switch
for a deployment in an Enterprise Network. You will also explore show commands that provide
valuable diagnostic information.
Objectives

• Set your devices to factory values
• Navigate through the AOS-CX command line interface (CLI)
• Define a hostname on vCX-1 switch
• Disable unused interfaces
• Save device’s configuration and create checkpoints
36
Lab 3
Task 1: Explore the AOS-CX Switch CLI
Objectives
In this task, you will delete the initial configuration (startup-config checkpoint) and reboot your
switch. Then you will explore and become more familiar with the AOS-CX switch CLI. Do not be
afraid to try out different commands on the CLI, you will learn by experimenting!
Steps
vCX-1
1. Open a console connection to the vCX-1. Login using admin and no password. You will
be taken directly to Manager Context
2. Erase the startup-config checkpoint.
switch# erase startup-config

Erase checkpoint startup-config ? (y/n): y
switch#
3. Reboot the switch. You will be asked to save the configuration and confirm to reboot the
unit. Answer n and y respectively.
switch# boot system

Checking if the configuration needs to be saved...
37
Lab 3
Do you want to save the current configuration (y/n)? n
This will reboot the entire switch and render it unavailable

until the process is complete.
Continue (y/n)? y
The system is going down for reboot.
4. After the switch completes booting, login using admin and no password.
5. Hit the [?] key to show the available commands that you can execute in the current
command context.
switch# ?
aruba-central Configure Aruba-Central
auto-confirm Disables user confirmation, and executes the operation without
prompting
boot Reboot all or part of the system; configure default boot
parameters
checkpoint Checkpoint information
clear Reset functions
configure Configuration from vty interface
copy Copy data or files to/from the switch
debug Configure debug logging
diagnostics Change diagnostic commands availability
disable Turn off privileged mode command
end End current mode and change to enable mode
erase Erase device information or files
exit Exit current mode and change to previous mode
https-server HTTPS Server management
list Print command list
mtrace Multicast traceroute for tracing multicast routing path
from a receiver to a source
no Negate a command or set its defaults
page Enable page break
ping Send IPv4 ping requests to a device on the network
ping6 Send IPv6 ping requests to a device on the network
port-access Port based network access.
repeat Repeat a list of commands from history
show Show running system information
ssh Configure SSH.
start-shell Start Bash shell
top Top command
traceroute Trace the IPv4 route to a device on the network
traceroute6 Trace the IPv6 route to a device on the network
usb Commands to control the USB Port
vsx VSX execution command
vsx-configmate VSX configuration validation utility
write Write running configuration to memory, network, or terminal
38
Lab 3
TIP: Page through the commands available at this level. Some important
commands available at this level include.
– show, which enables you to examine current configuration parameters

– copy, which enables you to back up the switch configuration
– ping and traceroute, which are connectivity test tools
6. List the parameters available for the show command. By typing “show” followed by [?].
switch# show ?
aaa Authentication, Authorization and Accounting.
access-list Access control list (ACL)
accounting Show local accounting information
active-gateway Show active gateway settings
alias Short names configured for a set of commands
allow-unsafe-updates Show allowed non-failsafe updates
arp Show IPv4 addresses from neighbor table
banner Show one of the configured system banners
bfd BFD information
bgp BGP specific commands
bluetooth Display information about Bluetooth wireless management
boot-history Display boot history details
capacities Show system capacities and its values.
capacities-status Show system capacities status and its values.
cdp Show various CDP settings
checkpoint Checkpoint information
---- output omitted ---
7. Scroll through.
8. Delete the “show” command and type “disable”.
switch# disable
switch>
How has the prompt changed?
________________________________________________________________________
ANSWER: This turns privileged mode off, which means only basic commands with no
control upon the device will be available.
39
Lab 3
9. Hit the [?] key to show the available commands that you can execute in this non-Privileged
command context.
switch> ?
clear Reset functions
enable Turn on privileged mode command
list Print command list
mtrace Multicast traceroute for tracing multicast routing path from a
receiver to a source
no Negate a command or set its defaults
page Enable page break
ping Send IPv4 Ping requests to a device on the network
ping6 Send IPv6 Ping requests to a device on the network
repeat Repeat a list of commands from history
show Show running system information
top Top command
IMPORTANT: Available commands in both privileged and no privileged modes

are different, this is used as a basic role-based access control for defining what
operators can do when logged into the device.
10. Type “enable” and hit enter, this will turn privileged mode back again.
switch> enable
switch#
11. Type “co” then hit the [tab] key twice to list commands that start with “co”:
switch# co[tab][tab]
What does the CLI display?
________________________________________________________________________
12. Type “con” followed by a single [tab] hit.
switch# configure
40
Lab 3
What has just happened to the command?
________________________________________________________________________
TIP: You can execute any command as soon as you have entered an
unambiguous character string. For instance, conf [Enter] will have the same
effect as configure [Enter].
13. Hit [Enter] key. This takes you to global configuration mode, where you can start making
changes that take immediate effect upon the device’s configuration.
switch# configure
switch(config)#
14. Hit [?] key to show the available commands that you can execute in the global config mode.
switch(config)# ?
aaa Configure Authentication, Authorization and Accounting
feature
access-list Access control list (ACL)
alias Create a short name for the specified command(s).
apply Apply a configuration record
banner Customize login banner
bfd Enable Bidirectional Forwarding Detection (BFD)
bluetooth Configure Bluetooth wireless management
cdp Configure CDP operating mode
checkpoint Configure checkpoint related feature
class Configure classifier class
cli-session Configure CLI session management
NOTE: You can notice how commands available here are different than in
previous CLI modes due the configuration nature of them.
15. Type “interface 1/1/1” then hit [enter]. You will be moved to the interface sub configuration
mode.
switch(config)# interface 1/1/1

switch(config-if)#
16. Hit [?] key. Again, you will see a different list of available commands for this sub context.
41
Lab 3
switch(config-if)# ?
aaa Configure Authentication, Authorization and Accounting feature.
apply Apply a configuration record
arp Configure ARP commands
bfd Set BFD configuration
cdp Configure CDP operating mode
description Add an interface description
dhcpv4-snooping Configure DHCPv4-Snooping
dhcpv6-snooping Configure DHCPv6-Snooping
end End current mode and change to enable mode
17. Type “end” and hit [Enter].
switch(config-if)# end
switch#
What has just happened to the command prompt?
________________________________________________________________________
________________________________________________________________________
Next, you will enter a command that is invalid, and then fix issues with it by using the command-recall
feature.
18. Enter this command exactly as shown: “show hitory”.
switch# show hitory

Invalid input: hitory
19. Recall the command by pressing the [Up] arrow key.

20. Go to the beginning of the command with the [CTRL][a] shortcut.
21. Go to the end of the command line with the [CTRL][e] shortcut.
22. With the [Left] and [Right] arrow keys, move your cursor to the correct position in “hitory”
and place the letter “s”.
23. Press the [Enter] key at any time (no matter where your cursor is) to execute the command.
TIP: Repeating commands can be a useful way to enter similar commands more
quickly, as well as to correct mistakes in commands.
42
Lab 3
switch# show history

6 disable
5 enable
4 configure
3 interface 1/1/1
2 end
1 show hitory
switch#
24. Recall the wrong command by pressing the [Up] arrow key.
25. Add “system” to the show command followed by “?”.
switch# show system ?

inventory Show installed hardware information
resource-utilization Utilization metrics of various system resources
serviceos Display serviceOS information
vsx-peer Displays VSX peer switch information
<cr>
switch# show system
What options are available for the “show system” command?
________________________________________________________________________
NOTE: Notice the <cr> at the end, this means that you can execute the
command without supplying any further parameters.
26. Try “show system” command. This command will also show current hostname, description
SNMP contact and location, serial number, base MAC address, up time, etc.
switch# show system

Hostname : switch
System Description : Virtual.10.07.0010
System Contact :
System Location :
Vendor : Aruba
Product Name : ABC123 ArubaOS-CX_OVA
Chassis Serial Nbr : OVA29D09A
Base MAC Address : 080009-29d09a
ArubaOS-CX Version : Virtual.10.07.0010
Time Zone : UTC
43
Lab 3
Up Time : 23 minutes
CPU Util (%) : 5
Memory Usage (%) : 30
switch#
What is current Hostname?
________________________________________________________________________
What is the Product Name?
________________________________________________________________________
What is Chassis serial number?
________________________________________________________________________
What is system base MAC address?
________________________________________________________________________
What is system Up Time?
________________________________________________________________________
IMPORTANT: This training lab was developed using virtual CX switches, hence
the product name output reads “ABC123 ArubaOS-CX_OVA”, making reference
that this VM was deployed using an Aruba supplied OVA. Real switches will
normally display the SKU followed by the prodcuct name. E.g “JL668A 6300F
24G 4SFP56 Sw”
27. Execute the “list” command.
switch# list
show hostname
show domain-name
list
44
Lab 3
configure { terminal }
disable
exit
end
page
page <2-1000>
no page
show running-config vsx-sync {vsx-peer}
show running-config vsx-sync peer-diff {vsx-peer}
show running-config {all |vsx-peer}
show session-timeout {vsx-peer}
start-shell
auto-confirm
no auto-confirm
diagnostics
no diagnostics
show history {timestamp}
repeat { id <A:1-500>|count <1-1000>|delay <1-1000> }
show vrf {vsx-peer}
show vrf VRF {vsx-peer}
-- MORE --, next page: Space, next line: Enter, quit: q
28. Press “q” to leave the command list.
-- MORE --, next page: Space, next line: Enter, quit: q

switch#
IMPORTANT: “list” command shows the right syntax for all commands available
at the current context along with their variants and extensions. This can be
helpful for discovering new commands and previewing their different forms.
29. Execute the “show version” command.
switch# show version

-----------------------------------------------------------------------------
ArubaOS-CX
(c) Copyright Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version : Virtual.10.07.0010
Build Date :
Build ID : ArubaOS-CX:Virtual.10.07.0010:c075dcdbb1f5:202106100007
Build SHA : c075dcdbb1f5c2d88d501045bc6386f1dfa49bbc
Active Image :
Service OS Version :
BIOS Version :
switch#
45
Lab 3
What main AOS-CX code version is running in the system?
________________________________________________________________________
30. Execute the “show capacities” command (be prepared for a long output).
switch# show capacities
System Capacities:
Capacities Name Value
---------------------------------------------------------------------------------
Maximum number of route map entries in a single route-map 16
Maximum number of route-maps 64
Maximum number of SVIs supported in the system 4094
Maximum number of UBT zones per VRF 1
Maximum number of UBT zones 8
Maximum number of active UDLD interface 42
Maximum number of routes (IPv4+IPv6) on the system 16000
Maximum number of IPv4 routes on the system 12000
Maximum number of IPv6 routes on the system 4000
Maximum number of VLANs supported in the system 4094
Maximum number of unique IPv4 VRRP VRIDs configurable between 1 to 255 8
Maximum number of unique IPv6 VRRP VRIDs configurable between 1 to 255 8
Maximum number of VRRP IPv4 addresses supported 1024
Maximum number of VRRP IPv4 addresses supported per virtual router 16
Maximum number of VRRP IPv4 virtual routers supported per port 8
What is the maximum amount of IP routes (IPv4 and IPv6 combined) supported in the system?
________________________________________________________________________
What is the maximum amount of VLANs supported in the system?
________________________________________________________________________
TIP: A similar command: “show capacities-status” displays similar information

plus the number of resources/entries already consumed by the current device
state.
31. Execute the “show interface 1/1/1” command.
46
Lab 3
IMPORTANT: Output displays among many things, the interface state, interface
type, current speed, and duplex settings, MTU configured, if a L2 port then VLAN
mode: access or trunk, and interface counters.
switch# show interface 1/1/1
Interface 1/1/1 is down (Administratively down)

Admin state is down
State information: Administratively down
Link state: down
Link transitions: 0
Description:
Hardware: Ethernet, MAC Address: 08:00:09:29:d0:9a
MTU 1500
Type --
Half-duplex
qos trust none
Speed 0 Mb/s
L3 Counters: Rx Disabled, Tx Disabled
Auto-negotiation is off
Flow-control: off
Error-control: off
MDI mode: none
Rate collection interval: 300 seconds
switch#
What is the interface Admin state?
________________________________________________________________________
47
Lab 3
Task 2: Configure Initial Settings

Objectives
In this task, you will explore the AOS-CX configuration script and make minor customization
changes like setting a hostname, setting interface descriptions, and disabling unused ports. Also,
you will ask the system to display the event log contents.
Steps
vCX-1
1. Open a console connection to the vCX-1. Login using admin and no password.
2. Issue the “show running-config” command to display the current configuration of the
system.
NOTE: You will notice that most portions of the configuration are shown by listing
the switch ports and their settings. The code version and actual admin account
are listed first.
switch# show running-config

Current configuration:
!
!Version ArubaOS-CX Virtual.10.07.0010
!export-password: default
led locator on
!
!
!
48
Lab 3
!
!
!
ssh server vrf mgmt
vlan 1
interface mgmt
no shutdown
ip dhcp
!
!
!
!
!
https-server vrf mgmt
switch#
NOTE: You will notice that the whole output fits within the screen. This is
because in the case of 8000 series and Virtual switches, the command’s output
will only include VLAN 1, mgmt. port, ssh and https services when the switch is
in factory defaults. Once you start changing port settings and other parameters
then they will be included in the show running-configuration command’s output.
In the case of 6000 series switches, the command will display the port’s
configurations even if the device is in factory defaults.
3. Move to configuration mode and change the switch’s hostname to Switch-1.
switch# configure terminal

switch(config)# hostname Switch-1
Switch-1
4. Apply the console session timeout to 1 day (1440 minutes) to prevent a logout during the
lab activities.
Switch-1(config)# session-timeout 1440

Switch-1(config)# end
TIP: An alternative method you can use is the next configuration script:
Switch-1(config)# cli-session
Switch-1(config-cli-session)# timeout 1440
49
Lab 3
Switch-1(config-cli-session)# exit
5. Use “show interface brief” for displaying a table of ports and their more relevant settings.
Switch-1# show interface brief

------------------------------------------------------------------------------------------
--------------------
Port Native Mode Type Enabled Status Reason Speed Description
VLAN (Mb/s)
-----------------------------------------------------------------------------------------
1/1/1 -- routed -- no down Administratively down -- --
1/1/48 -- routed -- no down No XCVR installed -- --
Switch-1#
What are the ports “Mode” values?
________________________________________________________________________
What ports are enabled?
________________________________________________________________________
NOTE: 8000 series and Virtual switches have L3 routed ports by default, unlike 6000
series switches that come with L2 switchports (VLAN and Spanning Tree capable), be
aware that the port Mode can be changed on all ArubaOS-CX switches.
6. Enable port 1/1/1.
Switch-1(config)# interface 1/1/1

Switch-1(config-if)# no shutdown
Switch-1(config-if)#
50
Lab 3
7. Convert port 1/1/1 into a layer 2 switchport.
Switch-1(config-if)# no routing
Switch-1(config-if)# exit
8. Issue the “show interface brief” command again.
Switch-1(config)# show interface brief

------------------------------------------------------------------------------------------
--------------------
Port Native Mode Type Enabled Status Reason Speed Description
VLAN (Mb/s)
------------------------------------------------------------------------------------------
1/1/1 1 access -- yes up 1000 --
What is the Enabled and Status values of port 1/1/1?
________________________________________________________________________
9. Display the “event log” in reverse mode.
Switch-1(config)# show events -r -n 8

---------------------------------------------------
Event logs from current boot
---------------------------------------------------
2022-01-25T00:36:26.733693+00:00 Switch-1 hpe-restd[443]: Event|4646|LOG_INFO|AMM|-|Aruba
Activate server https://devices-v2.arubanetw
orks.com is not reachable through any supported VRF.
2022-01-25T00:36:26.494393+00:00 Switch-1 hpe-rdiscd[478]:
Event|3910|LOG_INFO|AMM|1/1|Interface: 1/1/1 is deleted from router discovery
2022-01-25T00:36:26.490742+00:00 Switch-1 intfd[480]: Event|401|LOG_INFO|AMM|1/1|Interface
port_admin set to up for 1/1/1 interface
2022-01-25T00:36:17.076897+00:00 Switch-1 portd[598]:
Event|1703|LOG_INFO|AMM|1/1|Interface 1/1/1, configured administratively up
2022-01-25T00:36:17.076791+00:00 Switch-1 intfd[480]: Event|401|LOG_INFO|AMM|1/1|Interface
port_admin set to up for 1/1/1 interface
2022-01-25T00:35:22.729379+00:00 Switch-1 hpe-restd[443]: Event|4650|LOG_INFO|AMM|-|Unable
to fetch Aruba Central location from activ
ate via VRF .
51
Lab 3
2022-01-25T00:35:22.728242+00:00 Switch-1 hpe-restd[443]: Event|4646|LOG_INFO|AMM|-|Aruba

Activate server https://devices-v2.arubanetw
orks.com is not reachable through any supported VRF.
2022-01-25T00:34:57.018064+00:00 Switch-1 log-mgmtd[395]:
Event|1231|LOG_INFO|AMM|1/1|Remote syslog server restarted due to configurat
ion change.
What link stats messages can you see at top related to 1/1/1
________________________________________________________________________
________________________________________________________________________
What other messages in the event log do you get?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
ANSWER: You should see notifications informing you that port 1/1/1 is coming UP and
is being deleted from router discovery because you are making it a Layer 2 port. Also,
since AOS-CX switches periodically attempt to contact the Aruba Activate Cloud service
and the switch has no internet connectivity the device complains that the service is
unreachable.
10. Define interface descriptions for port 1/1/1. Do not leave the interface yet.

Switch-1(config-if)# description TO_PC-1
11. Inside of interface 1/1/1 type the “show running-config current-context” command.
Switch-1(config-if)# show running-config current-context

interface 1/1/1
no shutdown
description TO_PC-1
no routing
vlan access 1
exit
52
Lab 3
Switch-1(config-if)# end
IMPORTANT: This command is a shortcut for displaying only the commands available
at the context/subcontext level. Get used to it, since it is of great use when configuring
and editing ports, protocols, access control lists, etcetera.
12. Run the “show interface 1/1/1” command followed by “| include Description”.
NOTE: The information will be filtered out, listing the lines that include the
“Description” string only, hence it is removing any other line part of that
command’s regular output.
Switch-1# show interface 1/1/1 | include Description

Description: TO_PC-1
NOTICE: The pipe (|) command filters the output of show commands according
to the criteria specified by the parameter include, exclude, count, begin, or
redirect.
Strings of characters that follow the filtering tool (e.g. “Description” in command
above) are case sensitive. Typing the wrong capitalization may lead to the
absence of output.
13. Try the same command but use “| begin 4 Interface” instead.
NOTE: The information will be filtered out, listing only the lines that include the
“Interface” string along with the 4 subsequent lines.
Switch-1# show interface 1/1/1 | begin 4 Interface

Interface 1/1/1 is up
Admin state is up
Link state: up
Link transitions: 0
Switch-1#
How was the output modified now?
________________________________________________________________________
53
Lab 3
________________________________________________________________________
54
Lab 3
Task 3: Create and Explore Checkpoints.
Objectives
You have made some configuration changes in vCX-1, now is a good time to keep those changes
stored in the system and protect them from any power cycle events. Next you will explore
checkpoints, see how they are created, and make your own to save your progress.
Steps
Switch-1
14. Open a console connection to Switch-1.

15. Show the current system’s checkpoints.
Switch-1# show checkpoint

NAME TYPE WRITER DATE(YYYY/MM/DD) IMAGE VERSION
CPC20220125004945_Switch-1_X86-64 latest System 2022-01-25T00:49:45Z Virtual.10.07.0010
CPC20220125000732_X86-64 checkpoint System 2022-01-25T00:07:32Z Virtual.10.07.0010
CPC20220124232012_X86-64 checkpoint System 2022-01-2 4T23:20:12Z Virtual.10.07.0010
StartOfClass checkpoint User 2022-01-25T02:35:09Z Virtual.10.07.0010
Switch-1#
How many entries did you get?
________________________________________________________________________
Who is the writer of the checkpoints?
55
Lab 3
________________________________________________________________________
IMPORTANT: AOS-CX systems are 100% database driven. This means that
configuration scripts you save are stored in a local database instead of a regular
configuration file. The database is periodically tracked and whenever the changes are
made, they will be automatically stored after a 5-minute idle period. Any new
configuration change, followed by a 5-minute idle period, will create a new checkpoint
that can later be used to back up or restore the running configuration state of the
system.
On demand checkpoints can be generated by saving the running-configuration or

creating custom checkpoints.
16. Issue the “write memory” command.
Switch-1# write memory

Copying configuration: [Success]
Switch-1#
17. List the checkpoints again.

startup-config startup User. 2022-01-25T01:17:36Z Virtual.10.07.0010
Switch-1#
Is there any new checkpoint?
________________________________________________________________________
What is its name?
________________________________________________________________________
Who is the writer?
________________________________________________________________________
IMPORTANT:
56
Lab 3
The “show checkpoint” command shows the list of checkpoints along with more detailed
data about them, like checkpoint type, user who created it, date and time it was created
and OS release that was running when they were created. Keeping track of when
checkpoints are created is important during regular maintenance tasks. This is the
reason configuring all switches with Network Time Protocol server is important.
Since IP connectivity is not enabled yet, you will continue working without setting up an
NTP server and trust the system clock for now. NTP configuration will be covered in a
later Module.
18. Create a checkpoint called Lab3 using the running-configuration as the source.
Switch-1# copy running-config checkpoint Lab3

Switch-1#
19. Display the checkpoints one more time.

Lab3 latest User 2022-01-25T01:21:11Z Virtual.10.07.0010
startup-config startup User. 2022-01-25T01:17:36Z Virtual.10.07.0010
Switch-1#
What is the type?
________________________________________________________________________
20. Now make a checkpoint called Lab3_final using the running-config as the source.
Switch-1# copy running-config checkpoint Lab3_final

Copying configuration: [Failure]
cannot create duplicate checkpoint, configuration already exists in checkpoint Lab3
Switch-1#
What error message did you get?
57
Lab 3
________________________________________________________________________
NOTE: AOS-CX cannot have two different configuration snapshots with identical
contents in its database (that would not be resource efficient). If you want to rename a
checkpoint, then you will have to delete it first, then create a new one.
21. Erase checkpoint Lab3.
Switch-1# erase checkpoint Lab3

Erase checkpoint Lab3 ? (y/n): y
Switch-1#
22. Try creating the checkpoint again.
Switch-1# copy running-config checkpoint Lab3_final

Switch-1#
23. Last display the contents of Lab3_final checkpoint
Switch-1# show checkpoint Lab3_final

Checkpoint configuration:
!
!Version ArubaOS-CX Virtual.10.07.0010
!export-password: default
hostname Switch-1
led locator on
!
!
!
!
!
!
ssh server vrf mgmt
vlan 1
interface mgmt
no shutdown
ip dhcp
interface 1/1/1
no shutdown
description TO_PC-1
no routing
vlan access 1
!
58
Lab 3
Switch-1#
IMPORTANT:
Checkpoints can be restored by using the copy command and applying the
checkpoint’s contents into the running-configuration (or startup configuration
and invoking the “boot system” command), like in the example below.
Switch-1# checkpoint rollback Lab3_final

Switch-1#
Or
Switch-1# copy checkpoint Lab3_final running-config

Configuration changes will take time to process, please be patient.
Switch-1#
59
Lab 4
Lab 4 - Configure layer 2 switching features

and protocols
Overview
At this point the Switch-1 switch is up and running and ready for configuration. The next task in
your initial network deployment at BrilliantAcademy will be to place a wired user group (in this case
teachers) in a custom VLAN in order to enable inter-user communication. Next you will add a
second switch for adding more ports and increase scalability to the network. Finally, a redundant
inter-switch link will be enabled for making your network fault-tolerant, on which you will enable
both multiple VLAN support and Spanning Tree to avoiding Layer 2 loops.
Objectives

• Create a custom VLAN and assign it to access ports
• Configure clients with static IP addresses
• Explore the Switch MAC address table
• Enable an Interswitch link
• Configure trunk ports by enabling 802.1Q tagging on them
• Extend the broadcast domain
• Enable Inter-switch client communication
• Add redundant L2 links
• Deploy Spanning Tree Protocol to avoid loops.
60
Lab 4
Task 1: Assign PCs to VLAN 2
Objectives
In this task you will create the employee VLAN and configure Windows PCs with IP addresses of
the corresponding IP segment according to the network design. Then you will verify IP connectivity
between clients and explore the MAC address table.
Steps
Switch-1
1. Open a console connection to Switch-1. Login with admin and no password.
2. Remember, in aOS-CX virtual switches, ports are routed by default. First we will need to
make interface 1/1/2 an L2 port and enable it.
Switch-1# config terminal

Switch-1(config-if)# description PC-2
3. Use the “show vlan” command to display current Virtual Local Area Networks configured
in the switch. You should only see VLAN 1 assigned to all ports. This is the default setting
for the switch.
61
Lab 4
Switch-1(config)# show vlan
---------------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
---------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 up ok default 1/1/1-1/1/2
Switch-1(config)#
4. Create VLAN 2 and name it TEACHERS.
Switch-1(config)# vlan 2
Switch-1(config-vlan-2)# name TEACHERS
Switch-1(config-vlan-2)# exit
5. Repeat the “show vlan” command.
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 up ok default 1/1/1-1/1/2
2 TEACHERS down no_member_port static
Switch-1(config)#
Is the output reflecting your previous configuration change?
________________________________________________________________________
What is the newly created VLAN status?
________________________________________________________________________
What caused the new VLAN to have this status?
________________________________________________________________________
ANSWER: Since the VLAN has not been assigned to any enabled physical port,
the status is down. No MAC address learning process is happening in the switch
for that VLAN.
62
Lab 4
6. Assign VLAN 2 to interfaces 1/1/1 and 1/1/2 as an access VLAN.

Switch-1(config-if)# vlan access 2
Switch-1(config-if)# interface 1/1/2
7. Try the “show vlan” command again.
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 down no_member_forwarding default
2 TEACHERS up ok static 1/1/1-1/1/2
Switch-1(config)#
What is the VLAN 2 status now?
________________________________________________________________________
NOTE: Currently, only ports 1/1/1 and 1/1/2 are UP. When you replaced VLAN
1 with VLAN 2 on the ports, both VLANs will still appear, but VLAN 1 is no longer
associated with any port in the UP state. Therefore, VLAN 1’s status was
changed to down.
8. Issue the “show vlan port 1/1/1” command.
Switch-1(config)# show vlan port 1/1/1
-------------------------------------------------------------------------------
VLAN Name Mode Mapping
-------------------------------------------------------------------------------
2 TEACHERS access port
Switch-1(config)#
What VLAN is present on the interface and what is its mode?
63
Lab 4
________________________________________________________________________
9. Use the “show vlan summary” command. This command shows the VLAN count in the
system.
Switch-1(config)# show vlan summary

Number of existing VLANs: 2
Number of static VLANs: 2
Number of dynamic VLANs: 0
10. Issue the “show interface 1/1/1” command. You will be able to see VLAN ID and VLAN
Mode at the bottom of the command.
Switch-1(config)# show interface 1/1/1
Interface 1/1/1 is up
Admin state is up
Link state: up
Link transitions: 0
Hardware: Ethernet, MAC Address: 08:00:09:29:d0:e3
MTU 1500
Full-duplex
qos trust none
Speed 1000 Mb/s
Auto-negotiation is off
Flow-control: off
Error-control: off
MDI mode: none
VLAN Mode: access
Access VLAN: 2
11. Finally, try the “show interface brief” command followed by a filtering option “| begin 5
Port”.
NOTE: The information will be filtered out, listing only the lines that include the
“Port” string along with the 5 subsequent lines.
Switch-1(config)# show interface brief | begin 5 Port

Port Native Mode Type Enabled Status Reason Speed
VLAN (Mb/s)
--------------------------------------------------------------------------------
1/1/1 2 access 1GbT yes up 1000
1/1/2 2 access 1GbT yes up 1000
1/1/3 -- routed -- no down Administratively down --
64
Lab 4
NOTE: The pipe (|) command filters the output of show commands according to
the criteria specified by the parameter include, exclude, count, begin, or redirect.
Strings of characters that follow the filtering tool (e.g. “Port” in the example
above) are case sensitive. Incorrect capitalization may lead to the absence of
output or other unexpected result.
What is the value under Native VLAN for ports 1/1/1 and 1/1/2 vs 1/1/3?
________________________________________________________________________
65
Lab 4
Task 2: Explore MAC Address Table
Objectives
In this second task, you will statically define IP addresses to PC-1 and PC-2, so they can achieve
intra VLAN layer 3 connectivity, and users on those machines can start collaborating to run their
company’s daily operations.
Steps
PC-1
1. Access PC-1’s console.

2. Under search field in the task bar, type “control panel”. Windows will automatically display
all items matching the string.
3. Click the top result (Control Panel). A new window will pop up.
66
Lab 4
Figure 4-3: Windows Search
4. In Control Panel, click “View network status and tasks” under Network and Internet.
Figure 4-4: Windows Control Panel
5. Click at “Change adapter settings” on the left options.
67
Lab 4
Figure 4-5: Change adapter settings
6. Double click “Lab NIC” to access the NIC Status Window.
NOTICE: There is an interface called “Do NOT Touch!”, please repeat with me,
“do not touch!!!” If changes are made to that NIC (like modifying the IP address
or disabling the interface) the access to this virtual machine will be disrupted.
Only the lab support team will be able to recover the system and that process
may delay your lab progress.
Figure 4-6: Network and Sharing Center
7. In Lab NIC status window, click “Properties” button.
68
Lab 4
Figure 4-7: Lab NIC Status
8. In Lab NIC Properties section, select “Internet Protocol Version 4 (TCP/IPv4), then click
“Properties” button.
69
Lab 4
v
Figure 4-8: Lab NIC Properties
9. In Internet Protocol Version 4 (TCP/IPv4) Properties, choose “Use the following IP

address:” under General tab.
10. Type 10.0.2.1 and 255.255.255.0 under IP address and Subnet mask respectively. Delete
the address in Default gateway and leave it blank
70
Lab 4
Figure 4-9: Internet Protocol Version 4 Properties
11. Click “OK” button, then “Close” button twice.

12. Under search field in the task bar, type “command”. Windows will automatically display all
items matching the string.
Figure 4-10: Windows Search 2
13. Click the top result (Command Prompt). A new window will pop up.
14. Type “ipconfig” and hit [Enter]. This command will display IPv4 settings of all NICs in the
system.
71
Lab 4
15. Confirm the Ethernet adapter called Lab NIC has the IPv4 address you just configured.
Figure 4-11: ipconfig
16. Type “ipconfig -all” version of the command and hit [Enter]. This command displays
additional information like DNS servers IP addresses (if configured) and the NICs physical
MAC address.
Figure 4-12: ipconfig -all
What is PC-1’s Lab NIC MAC address?
________________________________________________________________________
72
Lab 4
This is the typical IP address configuration process in a Windows system.
NOTICE: PC-2 has already been preconfigured with 10.0.2.2, you will use that
address as a ping target to validate connectivity and the forwarding tables.
17. From PC-1, ping PC-2’s IP address (10.0.2.2). Ping should be successful.
Figure 4-13: Ping to PC-2
18. Inspect PC-1’s ARP table by entering the command “arp -a -N 10.0.2.1” this is the windows
command to view the arp table for the network adapter with that IP address.
73
Lab 4
Figure 4-14: ARP entry
What is the MAC address associated with PC-2’s IP?
________________________________________________________________________
Switch-1
19. In Switch-1, display the mac-address-table.
Switch-1# show mac-address-table

MAC age-time : 300 seconds
Number of MAC addresses : 2
MAC Address VLAN Type Port

--------------------------------------------------------------
00:50:56:A5:88:2B 2 dynamic 1/1/1
00:50:56:A5:C6:05 2 dynamic 1/1/2
Switch-1#
Can you see both PC-1 and PC-2’s MACs?
________________________________________________________________________
20. Using the output information, write down the client’s MAC addresses in the bottom figure,
along with ports and VLAN IDs.
74
Lab 4
Figure 4-15: Switch-1’s MAC Address Table
Were these MAC addresses discovered on the ports that you expected?
________________________________________________________________________
TIP: There are multiple forms of the “show mac-address-table” command that
can be used for displaying only entries that match a certain criteria, such as an
address learned in a particular VLAN or port, or learned dynamically versus
configured statically in the MAC table, use the [?] key at the end of the command
for displaying the options.
Switch-1# show mac-address-table ?

address Show a specific MAC address
count Number of MAC addresses
detail
dynamic Show learnt MAC addresses
hsc. Show MAC addresses learnt by the Hardware Switch
Controller
lockout Show MAC lockout address information
port Show MAC addresses learnt on port
static Show static MAC address information
vlan Show MAC addresses learnt on VLANs
vsx-peer Displays VSX peer switch information
<cr>
75
Lab 4
Task 3: Configure Initial Settings on Switch-2
Objectives
Task 3 defines the initial settings for Switch-2. Then you will move to the Windows Server and
assign an IP address to its NIC.
76
Lab 4
Steps
vCX-2
1. Open a console connection to the vCX-2. Login using admin and no password. You will
be taken directly to Manager Context
2. Erase the startup-config checkpoint.
switch# erase startup-config

Erase checkpoint startup-config? (y/n): y
switch#
3. Reboot the switch. You will be asked to save the configuration and confirm to reboot the
unit. Answer n and y respectively.
switch# boot system

Checking if the configuration needs to be saved...
Do you want to save the current configuration (y/n)? n
This will reboot the entire switch and render it unavailable

until the process is complete.
Continue (y/n)? y
The system is going down for reboot.
4. After the switch completes booting, login using admin and no password.
5. Move to configuration mode and change the switch’s hostname to Switch-2 and set session
timeout to 1440 minutes.
switch# configure terminal

switch(config)# hostname Switch-2
Switch-2(config)# session-timeout 1440
Switch-2(config)#
6. Access interface 1/1/1 and set a description (this interface connects to the Windows
Server).
77
Lab 4
Switch-2(config-if)# description Windows Server
7. Enable the port and make it a Layer 2 port
You will now give the Windows Server an IP address.
Windows Server
8. Open a remote session to the Windows Server

9. Click on the start menu>control panel>Network and Internet>Network and Sharing
Center. Double Click on Lab NIC. Click on Properties>Internet Protocol Version 4
(TCP/IPv4)>Properties. Configure 10.0.2.10 as the IP address and 255.255.255.0 as the
Subnet mask. Delete the IP address in Default gateway and leave it blank.
Figure 4-17: Windows Server IP
78
Lab 4
10. Open the Command Prompt by clicking on the icon in the task bar
11. Ping PC-2’s IP address (10.0.2.2).
Figure 4-18: Ping failure.
NOTE: When destination IP address is within the source’s IP segment and ping
test result is “Destination host unreachable” it means that the Layer 3 to Layer 2
address resolution using Address Resolution Protocol (ARP) has failed and the
ICMP echo message was not sent at all. However, if result is “timeout” then it
means that host was able to resolve destination’s MAC and ICMP packet was
sent, but there is no reply coming back.
Was ping successful?
________________________________________________________________________
Why?
________________________________________________________________________
ANSWER: Ping is not successful because the destination IP address belongs to a

device that is physically plugged into another switch (Switch-1). Switch-1 and Switch-2
are not currently connected. Provisioning the Interswitch link in the next task will fix this
issue.
79
Lab 4
Task 4: Enable Link Between Switches
In this task you will enable an ethernet connection between Access switches in order to increase
the number of ports on the network. Next, you will explore the information that Link Layer Discovery
Protocol (LLDP) can provide.
Steps
Switch-1
1. Open a console connection to the Switch-1.

2. Enable interface 1/1/8 and make it a layer 2 switchport.
Switch-1# configure terminal

Switch-1(config-if)#no shutdown
Switch-2(config-if)#no routing
Switch-1(config-if)#end
Switch-2
3. Move to the Switch-2.

4. Enable interface 1/1/8 a layer 2 switchport.

Switch-2(config-if)#no shutdown
80
Lab 4
Switch-2(config-if)#no routing
Switch-2(config-if)#end
Switch-2#
5. Confirm interface 1/1/8 came up. Using the “show interface brief” command followed by
the filter “| exclude down”.
NOTE: The information will be filtered out, listing all the lines except the ones
that contain the “down” string.
Switch-2# show interface brief | exclude down

-------------------------------------------------------------------------------------
Port Native Mode Type Enabled Status Reason Speed
VLAN (Mb/s)
-------------------------------------------------------------------------------------
1/1/1 1 access --- yes up 1000
1/1/8 1 access --- yes up 1000
Switch-2#
NOTE: The pipe (|) command filters the output of show commands according to
the criteria specified by the parameter include, exclude, count, begin, or redirect.
Strings of characters that follow the filtering tool (e.g. “down” in command above)
are case sensitive. Typing the wrong capitalization may lead to the absence of
output.
Is port 1/1/8 up?
________________________________________________________________________
What are the port 1/1/1 and port 1/1/8 speeds?
________________________________________________________________________
IMPORTANT: In wired networking it is common practice to use faster speed

links for connections between switches than those to the clients. Best practice
for switch-to-switch connections is to limit oversubscription ratios to 24:1 or less
(depending on the traffic generated by the endpoints). This guarantees that
regardless of the traffic pattern, the link between switches does not get
congested. Due to constraints of the virtual CX switches, we are limited to 1gb
speeds on all connections.
81
Lab 4
Next you will use LLDP to analyze the information the protocol can provide regarding what device
is connected to specific interfaces.
NOTE: LLDP is on by default on AOS-CX switches.
6. Issue the “show lldp configuration” command.
Switch-2(config)# show lldp configuration
LLDP Global Configuration

=========================
LLDP Enabled : Yes

LLDP Transmit Interval : 30
LLDP Hold Time Multiplier : 4
LLDP Transmit Delay Interval : 2
LLDP Reinit Time Interval : 2
LLDP Trap Enabled : No
TLVs Advertised
===============
Management Address
Port Description
Port VLAN-ID
System Capabilities
System Description
System Name
OUI
LLDP Port Configuration

=======================
PORT TX-ENABLED RX-ENABLED INTF-TRAP-ENABLED

--------------------------------------------------------------------------
1/1/1 Yes Yes Yes
1/1/2 Yes Yes Yes
1/1/3 Yes Yes Yes
1/1/4 Yes Yes Yes
What is the current LLDP state?
________________________________________________________________________
What are the transmit interval and hold time multiplier values?
________________________________________________________________________
82
Lab 4
What are the LLDP transmit and receive modes on all of the ports?
________________________________________________________________________
7. Issue the “show lldp local device” command. This will show the information the local
device shares/advertises with LLDP messages.
Switch-2(config)# show lldp local-device
Global Data
===========
Chassis-ID : 08:00:09:5b:19:f1
System Name : Switch-2
System Description : Aruba ABC123 Virtual.10.07.0010
Management Address : 08:00:09:5b:19:f1
Capabilities Available : Bridge, Router
Capabilities Enabled : Bridge, Router
TTL : 120
Port Based Data

===============
Port-ID : 1/1/1
Port-Desc : "1/1/1"
Port Mgmt-Address : 08:00:09:5b:19:f1
Port VLAN ID : 1
Parent Interface : interface 1/1/1
Port-ID : 1/1/8
Port-Desc : "1/1/8"
Port VLAN ID : 1
Port-ID : mgmt
Port-Desc : "mgmt"
Switch-2#
What is the “System Description”?
________________________________________________________________________
What are the available capabilities supported by the system?
________________________________________________________________________
83
Lab 4
IMPORTANT: AOS-CX systems have IP routing service enabled by default and cannot
be disabled. This means they will automatically populate entries in the Routing Table
for whatever IP segment they are configured with in Layer 3 ports (ether physical or
logical) and start moving packets at Layer 3 between those segments. IP routing cannot
be disabled in these systems.
8. Write down System Name and Chassis ID in the figure below.
Figure 4-20: LLDP Discovery.
What interfaces are currently running the protocol?
________________________________________________________________________
Steps
Switch-1
9. Move to Switch-1.
10. Issue the “show lldp neighbor-info” command. You should see only one entry in the
output.
Switch-1# show lldp neighbor-info
LLDP Neighbor Information

=========================
Total Neighbor Entries : 1

Total Neighbor Entries Deleted : 0
Total Neighbor Entries Dropped : 0
Total Neighbor Entries Aged-Out : 0
LOCAL-PORT CHASSIS-ID PORT-ID PORT-DESC TTL SYS-NAME

--------------------------------------------------------------------------------
84
Lab 4
1/1/8 08:00:09:5b:19:f1 1/1/8 1/1/8 120 Switch-2

Switch-1#
Does the entry match the Chassis-ID and System Name seen in step 8?
________________________________________________________________________
What is the local port?
________________________________________________________________________
What is the remote port?
________________________________________________________________________
11. Try the same command but specify the local interface number at the end of the command.
Switch-1# show lldp neighbor-info 1/1/8
Port : 1/1/8
Neighbor Entries : 1
Neighbor Entries Deleted : 0
Neighbor Entries Dropped : 0
Neighbor Entries Aged-Out : 0
Neighbor Chassis-Name : Switch-2
Neighbor Chassis-Description : Aruba ABC123 Virtual.10.07.0010
Neighbor Chassis-ID : 08:00:09:5b:19:f1
Neighbor Management-Address : 08:00:09:5b:19:f1
Chassis Capabilities Available : Bridge, Router
Chassis Capabilities Enabled : Bridge, Router
Neighbor Port-ID : 1/1/8
Neighbor Port-Desc : 1/1/8
Neighbor Port VLAN ID : 1
TTL : 120
Neighbor PoE information : DOT3

Neighbor Power Type : PSE
Neighbor Power Priority : Unknown
Neighbor Power Source : Unknown
PD Requested Power Value : 0.00 W
PSE Allocated Power Value : 0.00 W
Neighbor Power Supported : Yes
Neighbor Power Enabled : Yes
Neighbor Power Class : Class0
Neighbor Power Paircontrol : No
PSE Power Pairs : SIGNAL
PD Associated TLV : dot3
PD Requested TLV types : None
85
Lab 4
Neighbor Mac-Phy details

Neighbor Auto-neg Supported : false
Neighbor Auto-Neg Enabled : false
Neighbor Auto-Neg Advertised : Other
Neighbor MAU type :
Neighbor EEE information : DOT3

Neighbor TX Wake time : 0 us
Neighbor RX Wake time : 0 us
Neighbor Fallback time : 0 us
Neighbor TX Echo time : 0 us
Neighbor RX Echo time : 0 us
Switch-1#
NOTE: This version of the command displays the detailed data of the neighbor just like
the command, “show lldp local-device” used earlier on Switch-2.
12. Finally, run “show lldp local-device” on Switch-1. Then use the output of this step and the
previous step to complete the remaining fields of Figure 4-9.
Switch-1# show lldp local-device
Global Data
===========
Chassis-ID : 08:00:09:29:d0:9a
System Name : Switch-1
System Description : Aruba ABC123 Virtual.10.07.0010
Management Address : 08:00:09:29:d0:9a
Capabilities Available : Bridge, Router
Capabilities Enabled : Bridge, Router
TTL : 120
Port Based Data

===============
Port-ID : 1/1/1
Port-Desc : "1/1/1"
Port Mgmt-Address : 08:00:09:29:d0:9a
Port VLAN ID : 2
Port-ID : 1/1/2
Port-Desc : "1/1/2"
Port VLAN ID : 2
Port-ID : 1/1/8
Port-Desc : "1/1/8"
Port VLAN ID : 0
86
Lab 4
Port-ID : mgmt
Port-Desc : "mgmt"
Switch-1#
NOTE: Understanding LLDP and the information it provides can help you verify
and troubleshoot Layer 1 communication between devices.
Now that you are sure about which ports are used, you are ready to set the interface descriptions.
13. Set descriptions on both switches’ interface 1/1/8

Switch-1(config-if)# description TO_SWITCH-2_PORT-8

Switch-2(config-if)# description TO_SWITCH-1_PORT-8
Windows Server
14. Move back to Windows Server and ping PC-2’s IP address (10.0.2.2).
87
Lab 4
Figure 4-21: Destination host unreachable.
________________________________________________________________________
Why?
________________________________________________________________________
ANSWER: Even though a link between both switches has been enabled, ping still fails.
In order to better understand why, you should explore the mac-address-table of either
switch. Let’s do it on Switch-1.
15. Open console session to Switch-1 and use the “show mac-address-table” command.


--------------------------------------------------------------
00:50:56:b1:a9:86 1 dynamic 1/1/8
00:50:56:b1:ae:e8 2 dynamic 1/1/2
Switch-1#
TIP: This output may give you more entries than the ones in example above (e.g. PC-
1), ignore all but the interfaces to PC-2 and the Windows Server’s.
What Port and VLAN is PC-2 seen on?
88
Lab 4
________________________________________________________________________
What Port and VLAN is the Windows Server seen on?
________________________________________________________________________
ANSWER: As you can see these two devices are on different ports (which is
expected) and also on different VLANs. The Windows Server is seen on VLAN
1 because that is the only VLAN that exists on Switch-2, and the only VLAN it
forwards is its 1/1/8 interface.
NOTE: As seen in this step, understanding the fundamentals of layer 2

forwarding and exploring the MAC Address table of switches are key tools for
troubleshooting the lack of connectivity between two endpoints.
89
Lab 4
Task 5: Extend Connectivity for VLAN 2
Objectives
After finding the root cause that prevents communication between two endpoints it is time to apply
a configuration that solves the issue. You will proceed now to extend VLAN 2 to Switch-2 switch.
Steps
Switch-1
1. Configure Switch-1’s interface 1/1/8 as trunk link that permits VLANs 1 and 2

Switch-1(config-if)# vlan trunk allowed 1-2
Switch-1#
2. Display trunk interfaces.
Switch-1# show interface trunk
----------------------------------------------------------------------
Port Native VLAN Trunk VLANs
----------------------------------------------------------------------
1/1/8 1 1-2
Switch-1#
90
Lab 4
Switch-2
3. Move to Switch-2.
4. Create VLAN 2 and name it TEACHERS.

Switch-2(config-vlan-2)# name TEACHERS
5. Configure Switch-2’s interface 1/1/8 as trunk link that permits VLANs 1 and 2.

6. Last configure interface 1/1/1 as access port in VLAN 2.

7. Confirm VLAN 2 is now member of ports 1/1/1 and 1/1/8.
Switch-2# show vlan
---------------------------------------------------------------------------------
----------------------------------------------------------------------------------
2 TEACHERS up ok static 1/1/1-1/1/2,1/1/8
Switch-2#
8. Display trunk interfaces. You should have only one trunk port.
Switch-2# show interface trunk
----------------------------------------------------------------------
Port Native VLAN Trunk VLANs
----------------------------------------------------------------------
1/1/8 1 1-2
91
Lab 4
Switch-2#
9. Move back to the Windows Server and ping PC-2’s IP address (10.0.2.2).
Figure 4-23: Ping successful.
________________________________________________________________________
Let’s now explore the MAC address tables of both switches and trace the MAC addresses of each station
in order to confirm they are learned in the expected ports and VLANs.
Switch-1 and Switch-2
10. Display the mac address table of both Switch-1 and Switch-2.


--------------------------------------------------------------
00:50:56:b1:a9:86 2 dynamic 1/1/1
00:50:56:b1:ae:e8 2 dynamic 1/1/8
Switch-2#

92
Lab 4
--------------------------------------------------------------
00:50:56:b1:a9:86 2 dynamic 1/1/8
00:50:56:b1:ae:e8 2 dynamic 1/1/2
Switch-1#
11. With the information shown please fill out the fields on the Figure below.
Figure 4-24: MAC tables
93
Lab 4
Task 6: Enable Spanning Tree
Objectives
At this point you have extended connectivity for the TEACHERS user group with an inter-switch
link. However, if the link should fail, the faculty members will not be able to reach the Windows
Server. To provide redundancy for this link, you have proposed adding a second link. First, some
important measures must be taken in order to prevent Layer 2 loops.
In this task you will validate the default operational status of Spanning-Tree, identify the Bridge ID
of the switches, then modify the Bridge Priority on one of them to anticipate what port will be
blocked in the process for avoiding the loop. This information will allow you to draw the current
logical Common Spanning Tree (CST) topology. Once the network is protected against Layer 2
loops you will proceed to add a second link and test redundancy.
Steps
Switch-1
1. Access the terminal session to Switch-1.

2. Validate what is the current state of Spanning-Tree.
Switch-1# show spanning-tree

Spanning-tree is disabled
Switch-1#
94
Lab 4
What is the default status of the protocol?
________________________________________________________________________
ANSWER: Spanning-Tree Protocol is disabled by default on 8000 series and

Virtual switches and enabled on 6000 series devices.
3. Turn Spanning-Tree on.
Switch-1# config t
Switch-1(config)# spanning-tree
Switch-1(config)#
4. Validate what is the current status of Spanning-Tree again.
Switch-1(config)# show spanning-tree

Spanning tree status : Enabled Protocol: MSTP
MST0
Root ID Priority : 32768
MAC-Address: 08:00:09:29:d0:9a
This bridge is the root
Hello time(in seconds):2 Max Age(in seconds):20
Forward Delay(in seconds):15
Bridge ID Priority : 32768

Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-
Rx
------------ -------------- ---------- -------------- ---------- -------------------------
1/1/1 Designated Forwarding 20000 128 P2P 26 0 0 0
Number of topology changes : 0

Last topology change occurred : 0 seconds ago
Switch-1(config)#
What are the Bridge ID Priority and MAC address?
________________________________________________________________________
95
Lab 4
IMPORTANT: Both the Bridge ID Priority and Switch MAC address are
combined to form what is known as Bridge ID. In the example of the output
above, Switch-1’s Bridge ID is 32768.08:00:09:29:d0:9a. Notice that the priority
goes first and has a higher weight than the MAC. This priority can be configured
in a multiplies of 4096 and comes in a range between 0 to 61440 and the default
value as you can see is 32768.
Since the identifier uses the MAC of the switch then every switch in your network
will have a different Identifier.
What is the Bridge ID of the Root Bridge?
________________________________________________________________________
ANSWER: Root’s Bridge ID is identical to Switch-1’s, therefore Switch-1 is the

Root Bridge. The reason is that only Switch-1 is running STP, hence it is the
only candidate for the role and is becoming the Root.
What is the state of the ports?
________________________________________________________________________
ANSWER: The ports are UP and in Forwarding state. Root Bridge’s ports will
always be in this state unless there is a local loop.
Switch-2
5. Access the terminal session to Switch-2.

6. Turn Spanning-Tree on.
Switch-2# config t
Switch-2(config)# spanning-tree
Switch-2(config)#
7. Validate what is the current state of Spanning-Tree.
96
Lab 4

MST0

MAC-Address: 08:00:09:5b:19:f1
Port Role State Cost Priority Type BPDU-Tx BPDU-Rx TCN-Tx TCN-Rx
------------ -------------- ---------- -------------- ---------- ---------------- --------
-- ---------- ---------- ----------
1/1/8 Root Forwarding 20000 128 P2P Bound 0 0 0 0

Switch-2(config)#
What is Switch-2’s Bridge ID?
________________________________________________________________________
What is the Root Bridge’s Bridge ID now?
________________________________________________________________________
ANSWER: Since now there are two switches running STP, there will be a Root
Bridge election, where the device that has the lowest Bridge ID will become the
root. Therefore, depending on what switch has the lowest value, either Swtich-
1 or Switch-2 can be elected root. According to the output above, Switch-1
remains the root.
What is the state of the ports?
________________________________________________________________________
ANSWER: All ports should be in Forwarding state because no loops have been
detected.
97
Lab 4
At this point you have two switches running STP with a single link between them. Either Switch-1
or Switch-2 is the root. The root switch elected is determined by comparing the Bridge IDs, the
one with the lowest Bridge ID wins the election.
Since both devices share the same default Bridge Priority (32768) then the MAC address was
the tie breaker. However, depending on the MAC address alone for the Root Bridge election is
not a good practice. A better option is to define a lower Bridge Priority on the device that we want
to be the root switch.
You will proceed to decrease the Bridge Priority on Switch-2 and make sure it always gets
elected Root.
8. Set the Bridge Priority to 0 on Switch-2.
Switch-2(config)# spanning-tree priority 0
9. Validate the new Bridge ID on Switch-2

MST0
This bridge is the root
What is the Bridge ID now?
________________________________________________________________________
What switch is the Root Bridge?
________________________________________________________________________
You will proceed to add a second link between both switches.
98
Lab 4
10. Enable interface 1/1/7 and configure it with trunk settings permitting VLAN 1 and 2.

Switch-1
11. Move to Switch-1 and confirm port 1/1/8 is a root port.

MST0

------------ -------------- ---------- -------------- ---------- ---------------- --------
-- ---------- ----------
---------
1/1/8 Root Forwarding 2000 128 P2P Bound 183 35 2
4

Switch-1(config)#
IMPORTANT: A Root Port on a non-root bridge is considered the closest

interface from that switch to the Root Bridge. This interface is typically moved to
Forwarding mode and sends and traffic.
99
Lab 4
12. Enable interface 1/1/7 and configure it with trunk settings permitting VLAN 1 and 2.

13. Validate the role and state of the inter-switch links on Switch-1.
Switch-1# show spanning-tree

MST0

------------ -------------- ---------- -------------- ---------- ---------------- --------
1/1/7 Root Forwarding 20000 128 P2P Bound 3 9 2
1/1/8 Alternate Blocking 20000 128 P2P Bound 183 93 2

Switch-1#
What interface is the Root port now?
________________________________________________________________________
What is the role and state of port 1/1/8
________________________________________________________________________
IMPORTANT: An Alternate Port is considered a redundant Layer 2 interface that

directly or indirectly can take traffic from the local device all the way up to the
100
Lab 4
root, however because if its very nature of being redundant it may generate
Layer 2 loops if it is not blocked.
Alternate ports are always in blocking state and ready to become active in
Forwarding mode if the Root port on the local device fails.
PC-1
14. Move to PC-1 and begin a continuous ping to the Windows Server (10.0.2.10). The ping
should be successful.
Figure 4-26: Ping to Windows Server
You will now simulate a link failure by bringing one of the inter-switch links down.
Switch-1
15. Move back to Switch-1 and disable the Root port (1/1/7).
Switch-1(config)# int 1/1/7

Switch-1(config-if)# shutdown
16. Verify the Role and state of the interfaces again.
101
Lab 4

MST0

------------ -------------- ---------- -------------- ---------- ---------------- --------
-- ---------- ---------- -
---------
1/1/7 Disabled Blocking 20000 128 P2P 21 589 6 4
1/1/8 Root Forwarding 20000 128 P2P Bound 19 2292 6 1
0

Switch-1(config)#
What interface is the Root port now?
________________________________________________________________________
What is the role and state of port 1/1/7?
________________________________________________________________________
PC-1
17. Move back to PC-1.
What is the status of the ping?
________________________________________________________________________
102
Lab 4
Figure 4-27: Continuous Ping
ANSWER: The ping is running even after the simulated failure, thanks to the
switchover of port 1/1/8 from Alternate to Root.
103
Lab 4
Task 7: Save Your Configurations
Objectives
You will now save your configurations.
Steps
1. Save the current Access switches’ configuration in the startup checkpoint.

Switch-1#

Switch-2#
104
Lab 5
Lab 5 – IP Routing
Overview
After proving the resiliency and robustness of the network, BrilliantAcademy faculty members are
eager to support the second user group, STUDENTS, and offer them access to the server as well
as the Internet.
In this lab you will create an additional VLAN and use inter-VLAN routing along with a Default
Gateway to enable Layer 3 connectivity between them. But this is not enough to create
connectivity. You will be asked to deploy static routes to interconnect remote segments between
them and to the Internet. Once the IPv4 routing is configured, you will add functions on the
Gateway to allow clients receiving addressing information via DHCP using a centralized Server.
As an added value a deep dive into packet exchange, L3 to L2 address resolution and how they
correlate for inter-VLAN routing is included.
Objectives

• Assign IP addresses to SVIs
• Enable Inter-VLAN routing
• Configure Static Routes.
• Configure a Default Route
• Run traffic analysis using Wireshark
• Describe the end-to-end packet delivery
105
Lab 5
Task 1: Move PC-1 to VLAN 3
Objectives
You will now create VLAN 3 on Switch-1 and move PC-1 on it. Then you will test inter-VLAN
communication at Layer 2.
Steps
Switch-1
1. Access Switch-1’s console, then create VLAN 3 and name it STUDENTS.
Switch-1# config t
Switch-1(config-vlan-3)# name STUDENTS
2. Move PC-1 to VLAN 3

106
Lab 5
3. Confirm port 1/1/1 is associated to VLAN 3.
Switch-1(config)# show vlan 3
------------------------------------------------------------------------------------------
----------------------
VLAN Name Status Reason Type
Interfaces
------------------------------------------------------------------------------------------
----------------------
3 STUDENTS up ok static 1/1/1
Switch-1(config)#
PC-1
4. Move to PC-1 and ping PC-2’s IP address (10.0.2.2).
Figure 5-2: Destination host unreachable
Was the ping successful?
________________________________________________________________________
ANSWER: The ping was not successful because now both PCs are in different
broadcast domains, which prevents the Layer 2 communication between
devices.
107
Lab 5
5. Change the IP address of PC-1 to 10.0.3.1/24 to make it belong to VLAN 3’s IP segment
(10.0.3.0/24).
Figure 5-3: IP Settings
NOTE: In networking it is a common practice to match an octet of the IP segment

with the VLAN ID of the network. E.g. 10.0.3.0/24 for VLAN 3.
6. Try the ping again.
108
Lab 5
Figure 5-4: General failure
________________________________________________________________________
ANSWER: The ping was not successful because even when each PC has an IP
address of a different segment and inter-VLAN Layer 3 communication (also
known as inter-VLAN routing) is in theory possible, there is no Layer 3 device
capable of providing the IP routing service yet.
IMPORTANT: A “PING: transmit failed. General failure.” message in Microsoft

Windows systems means that the destination is not local and there is no route
entry in the routing table that matches it, therefore the Layer 3 to Layer 2 address
resolution can’t be completed and packet won’t be Layer 2 encapsulated which
in turn prevents it from being transmitted.
The solution is to either add a static route or define a Default Gateway.
109
Lab 5
Task 2: Add a default gateway on VLANs 2 and 3.
Objectives
You will now create VLAN 3 on Switch-1 and move PC-1 on it. Then you will test inter-VLAN
communication at Layer 2.
Steps
Switch-1
1. Move back to Switch-1 and create the Switch Virtual Interface (SVI) for VLAN 2 and assign
it the 10.0.2.254/24 IP address.
2. Create the SVI for VLAN 3 and assign it the 10.0.3.254/24 IP address
Switch-1(config)# interface vlan 2

Switch-1(config-if-vlan)# ip address 10.0.2.254/24
Switch-1(config-if-vlan)# exit
Switch-1(config-if-vlan)# end
3. Validate the IP addressing you assigned.
110
Lab 5
Switch-1# show ip int brief | include up

vlan2 10.0.2.254/24 up/up
vlan3 10.0.3.254/24 up/up
Switch-1(config)#
4. Inspect the IP routing table on Switch-1.
Switch-1(config)# show ip route
Displaying ipv4 routes selected for forwarding
Origin Codes: C - connected, S - static, L - local

R - RIP, B - BGP, O - OSPF
Type Codes: E - External BGP, I - Internal BGP, V - VPN, EV - EVPN
IA - OSPF internal area, E1 - OSPF external type 1
E2 - OSPF external type 2
VRF: default
Prefix Nexthop Interface VRF(egress) Origin/ Distance/

Age
Type Metric
------------------------------------------------------------------------------------------
---------------
10.0.2.0/24 - vlan2 - C [0/0]
-
10.0.2.254/32 - vlan2 - L [0/0]
-
10.0.3.0/24 - vlan3 - C [0/0]
-
10.0.3.254/32 - vlan3 - L [0/0]
-
Total Route Count : 4
Switch-1#
What networks does it have?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
111
Lab 5
5. Ping both PC-1 (10.0.3.1) and PC-2 (10.0.2.2). Pings should be successful.
PC-1
Switch-1# ping 10.0.3.1

PING 10.0.3.1 (10.0.3.1) 100(128) bytes of data.
108 bytes from 10.0.3.1: icmp_seq=1 ttl=128 time=6.40 ms
--- 10.0.3.1 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 1.626/2.658/6.397/1.870 ms


Switch-1#
6. Move to PC-1 and ping PC-2’s IP address (10.0.2.2).
________________________________________________________________________
ANSWER: The ping was not successful because even though both clients
reside on different VLANs with the proper addresses and a Layer 3 device is
available and ready to perform routing, PC-1 is not configured to use Switch-1
as a Default Gateway yet.
7. Add a default gateway for PC-1
112
Lab 5
Figure 5-6: NIC IP settings
8. Try the ping again. It should be successful.
113
Lab 5
Figure 5-7: Successful ping
Now you will proceed to analyze how the Layer 2 and Layer 3 addresses are used on inter-VLAN
routing.
9. Open Wireshark and start a packet capture on the Lab NIC.

Add the “(arp && not arp.isgratuitous) || ip.addr == 10.0.2.2” filter with no quotes
and hit hit [Enter]. That will instruct Wireshark to only display ARP non gratuitous
messages and IP packets that include PC-2’s IP address.
10. Clear the ARP table on PC-1. You will have to run Command Prompt as administrator.
a. Click on the Start menu and type command
b. Right click on Command Prompt and choose “Run as administrator”
c. Confirm the User Account Control message by clicking “Yes”
d. Enter the command "arp -d” without the quotes into the command prompt window.
Figure 5-8: Run command prompt as Administrator
114
Lab 5
Figure 5-9: Run as Administrator
Figure 5-10: Clear ARP table
11. Confirm there is no entry in the 10.0.3.0/24 subnet in the ARP table of the Lab NIC using
the “arp -a -N 10.0.3.1” command. If you see a 10.0.3.254 record, then clear the table and
verify again.
115
Lab 5
Figure 5-11: ARP table
12. Ping PC-2’s address (10.0.2.2).

13. Once all four pings complete move back to Wireshark and stop the capture.
116
Lab 5
Figure 5-12: ARP Request
What is the first packet sent by PC-1?
________________________________________________________________________
Who is it targeted to?
________________________________________________________________________
ANSWER: The first packet is an ARP request targeted to PC-1’s gateway

(10.0.3.254). Since PC-1 is trying to reach a destination in a remote segment,
then it knows it needs its Default Gateway assistance. Therefore PC-1 needs to
know its Gateway’s MAC to use it as the Layer 2 destination of the ICMP echo
packet.
What is the second packet in the capture?
________________________________________________________________________
117
Lab 5
What information does it contain?
________________________________________________________________________
ANSWER: The second packet is an ARP reply that contains the MAC address
of the Gateway in VLAN 3.
Figure 5-13: ARP Reply
14. Inspect the first ICMP echo packet.
118
Lab 5
Figure 5-14: ICMP echo
Who is the Layer 3 source and destination of the packet?
________________________________________________________________________
Who is the Layer 2 source and destination of the frame?
________________________________________________________________________
Why?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
ANSWER:
At Layer 3, the source is PC-1, and the destination is PC-2. At Layer 2, the
source is also PC-1, but the destination is Switch-1’s MAC address on SVI 3.
This is because PC-1’s packet can only reach PC-2 by passing through Switch-
1. Switch-1 receives the packet, decapsulates it, and looks at the L3 destination.
It then performs an IP routing table lookup to determine that the outbound port
is interface VLAN 2.
Switch-1 creates a new Layer 2 Ethernet header with its own MAC address for
Interface VLAN 2 as the source, and PC-2’s MAC as the destination. The IP
header remains intact.
119
Lab 5
Based on this behavior, please write down the Layer 2 and Layer 3 source and destination addresses
the IP packet Switch-1 sends out in VLAN 2?
________________________________________________________________________
________________________________________________________________________
Assuming PC-2 responds back, what Layer 2 and Layer 3 source and destination addresses would the
ICMP Echo Reply have when the frame is delivered to Switch-1?
________________________________________________________________________
________________________________________________________________________
Assuming PC-2 responds back, what Layer 2 and Layer 3 source and destination addresses would the
ICMP Echo Reply have when the frame is delivered from Switch-1 to PC-1? This data you can see on 4TH
packet of the capture or the first ICMP echo reply you got.
________________________________________________________________________
________________________________________________________________________
Figure 5-15: ICMP echo reply
120
Lab 5
ANSWER: The PC-2’s MAC and Switch-1 VLAN 2’s MAC addresses should be
the source and the destination respectively for the frame that PC-2 is sending
out. Then these two addresses change for Switch-1 VLAN 3’s and PC-1’s MAC
addresses as Source and Destination respectively when the frame is sent by
Switch-1 to PC-1.
The source and destination IP addresses are PC-2’s and PC-1’s respectively for
both the packet before and after the routing event.
121
Lab 5
Task 3: Routed link.
Objectives
In this task you will configure port 1/1/8 on both switches as routed interfaces for creating a L3 link
between them. This link will subsequently be used as the transport for traffic between client PCs
and the Windows Server. You will also move the Windows Server to VLAN 10 and change its IP
address.
Steps
Switch-1
1. Move back to Switch-1 and configure port 1/1/8 as a routed port.

Switch-1(config-if)# routing
2. Assign the 10.0.0.1/24 IP address to port 1/1/8.
Switch-1(config-if)# ip address 10.0.0.1/24

122
Lab 5
3. Validate the IP address configuration.
Switch-1(config)# show ip interface brief | include up

1/1/8 10.0.0.1/24 up/up
vlan2 10.0.2.2/24 up/up
vlan3 10.0.3.254/24 up/up
Switch-1(config)#
4. Confirm the 10.0.0.0/24 IP segment is in Switch-1’s routing table.
Switch-1(config)# show ip route | include 1/1/8

10.0.0.0/24 - 1/1/8 - C [0/0] -
10.0.0.1/32 - 1/1/8 - L [0/0] -
Switch-1(config)#
Switch-2
5. Move back to Switch-2 and configure port 1/1/8 as a routed port.

Switch-2(config-if)# routing
6. Assign the 10.0.0.2/24 IP address to port 1/1/8.

7. Validate the IP address configuration.
Switch-2(config)# show ip interface brief | inc up

1/1/8 10.0.0.2/24 up/up
Switch-2(config)#
8. Ping Switch-1’s IP in port 1/1/8 (10.0.0.1). The ping should be successful.
Switch-2(config)# ping 10.0.0.1
123
Lab 5


Switch-2(config)#
9. Create VLAN 10 and name it SERVERS
Switch-2(config-vlan-10)# name SERVERS
10. Create SVI 10 and assign it the 10.0.10.254/24 IP address.

11. Move port 1/1/1 to VLAN 10.

12. Confirm both 10.0.0.0/24 and 10.0.10.0/24 IP segments are connected routes in Switch-2’s
routing table.

VRF: default
124
Lab 5

Age
Type Metric
------------------------------------------------------------------------------------------
---------------
10.0.0.0/24 - 1/1/8 - C [0/0]
-
10.0.0.2/32 - 1/1/8 - L [0/0]
-
10.0.10.0/24 - vlan10 - C [0/0]
-
10.0.10.254/32 - vlan10 - L [0/0]
-
Switch-2(config)#
Windows-Server
13. Move to the Windows Server and change the IP address of the Lab NIC to 10.0.10.10/24
and use 10.0.10.254 as the Default Gateway.
Figure 5-16: NIC IP settings
125
Lab 5
14. Ping Swtich-2’s VLAN 10 (10.0.10.254). Ping should be successful.
Figure 5-17: Successful ping
15. Ping PC-1 (10.0.3.1).
Figure 5-18: Request times out.
126
Lab 5
________________________________________________________________________
ANSWER: A “Request times out” message in Microsoft Windows systems

means the packet was properly encapsulated at layer 2 and sent out of the NIC.
If the layer 3 destination is not in the local network then it means an intermediary
layer 3 device could not deliver the packet most likely to either a host down
situation or a lack of the destination network in the routing table.
PC-1
16. Move to PC-1 and ping the Windows Server (10.0.10.10).
Figure 5-18: Request times out 2
________________________________________________________________________
ANSWER: No, the reason is that although PC-1 has a Default Gateway (Switch-
1) it does not have route to the 10.0.10.0/24 destination network.
127
Lab 5
Task 4: Static Routes
Objectives
In this task you will configure static routes on both Switch-1 and Switch-2 so they can reach each
other’s connected routes. Then you will add a route to the internet and test connectivity.
Figure 5-19: Task 4 Topology.
Steps
Switch-1
1. Move to Switch-1 and configure a static route to the 10.0.10.0/24 network using Switch-2
as the next-hop (10.0.0.2).
Switch-1(config)# ip route 10.0.10.0/24 10.0.0.2
2. Validate the entry is in the routing table.
Switch-1(config)# show ip route static
128
Lab 5

VRF: default

Age
Type Metric
------------------------------------------------------------------------------------------
---------------
10.0.10.0/24 10.0.0.2 1/1/8 - S [1/0]
00h:00m:07s
Switch-1(config)#
3. Ping the Windows Server (10.0.10.10). Ping should be successful.
Switch-1(config)#ping 10.0.10.10

Switch-1(config)#
PC-1
4. Move back to PC-1 and run a traceroute by entering the command “tracert 10.0.10.10”
without the quotes.
129
Lab 5
Figure 5-20: Traceroute
Was the trace complete?
________________________________________________________________________
What was the last stop? Why?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
ANSWER: The last stop in the output is Switch-1. This is because even though
Switch-1 knows how to get to the 10.0.10.0/24 segment and achieve
bidirectional communication with devices in that network, this will only work if
traffic is sourced from the 10.0.0.0/24 segment. Similar to the ping you ran on
step 3. Switch-1 will by default use the closest interface to the destination for
generating its own packets (port 1/1/8 in that case).
As you validated in Task 3, the 10.0.0.0/24 is a connected network on Switch-2,

so when the Server Switch receives the traffic and responds back to Switch-1
these packets can be routed back with no interruptions by the Server’s Gateway
(Switch-2).
130
Lab 5
In PC-1’s traceroute however, the source belongs to the 10.0.3.0/24 segment

which is unknown by Switch-2. Hence even when the PC-1 to Windows Server
packets make it to their destinations, the replies get handed over to Switch-2
who in turn drops them because the lack of a matching entry in the routing table.
Switch-2
5. Move to Switch-2 and add a route to 10.0.3.0/24 using 10.0.0.1 (Switch-1) as the next-hop.
6. Add a second route to 10.0.2.0/24 using 10.0.0.1 (Switch-1) as the next-hop.
7. Validate that both networks are in the routing table.

VRF: default

Age
Type Metric
------------------------------------------------------------------------------------------
---------------
10.0.2.0/24 10.0.0.1 1/1/8 - S [1/0]
00h:00m:14s
10.0.3.0/24 10.0.0.1 1/1/8 - S [1/0]
00h:00m:27s
Switch-2(config)#
131
Lab 5
PC-1
8. Move back to PC-1 and attempt the traceroute again. The trace should be successful.
Figure 5-20: Successful Traceroute
9. Ping the 1.1.1.1 internet address.
Figure 5-21: Unsuccessful Ping
132
Lab 5
At this point you have enabled bidirectional connectivity between the TEACHERS and STUDENTS
VLANs and the SERVERS one. However, the client PCs can’t reach the Internet yet.
133
Lab 5
Task 5: Default Route
Objectives
In this task you will configure a special form of a static route called Default route, which you will
use to provide BrilliantAcademy users with Internet, then you will test IP connectivity.
Steps
Switch-1
1. Move to Switch-1 and configure a static route to the 0.0.0.0/0 network using Switch-2 as
the next-hop (10.0.0.2).
134
Lab 5
Switch-1(config)#end
IMPORTANT: 0.0.0.0/0 is a prefix that matches all IPv4 destination addresses.

The /0 prefix length means that no single bit in the destination address of the
data packets must match any value in specific, therefore all packets will implicitly
match it.
2. Validate the entry is in the routing table.

VRF: default

Age
Type Metric
------------------------------------------------------------------------------------------
---------------
0.0.0.0/0 10.0.0.2 1/1/8 - S [1/0]
00h:00m:05s
10.0.10.0/24 10.0.0.2 1/1/8 - S [1/0]
00h:36m:38s
Switch-1(config)#
3. Ping the 1.1.1.1 IP address on the internet.
Switch-1(config)# ping 1.1.1.1

From 10.0.0.2 icmp_seq=1 Destination Net Unreachable
135
Lab 5

5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 4005ms
Switch-1(config)#
________________________________________________________________________
4. Attempt a traceroute to 1.1.1.1.
Switch-1(config)# traceroute 1.1.1.1

traceroute to 1.1.1.1 (1.1.1.1), 1 hops min, 30 hops max, 3 sec. timeout, 3 probes
1 10.0.0.2 2.065ms !N 1.384ms !N *
Switch-1(config)#
Who is the last stop in the output?
________________________________________________________________________
________________________________________________________________________
Why are you getting these results?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
ANSWER: Even though you have a default route on Switch-1 and traffic is
handed over to Switch-2 at layer 3, this latter device does not have a route to
the internet yet. Remember all intermediary devices must know how to reach
both the source and the destination networks to have successful bidirectional
communication.
Switch-2
5. Move to Switch-2 and configure a routed link to the Internet Gateway using port 1/1/9 and
the 10.254.1.1/24 IP address.
136
Lab 5

6. Ping the Internet Gateway (10.254.1.253). The ping should be successful.
Switch-2(config)# do ping 10.254.1.253

--- 10.254.1.253 ping statistics ---

Switch-2(config)#
7. Configure a static route to the 0.0.0.0/0 network using the internet Gateway as the next-hop
(10.254.1.253).
8. Validate the default route is in the routing table.

VRF: default

Age
Type Metric
------------------------------------------------------------------------------------------
---------------
0.0.0.0/0 10.254.1.253 1/1/9 - S [1/0]
06h:39m:05s
10.0.0.0/24 - 1/1/8 - C [0/0]
-
137
Lab 5
10.0.0.2/32 - 1/1/8 - L [0/0]

-
10.0.2.0/24 10.0.0.1 1/1/8 - S [1/0]
00h:26m:23s
10.0.3.0/24 10.0.0.1 1/1/8 - S [1/0]
00h:26m:36s
10.0.10.0/24 - vlan10 - C [0/0]
-
10.0.10.254/32 - vlan10 - L [0/0]
-
10.254.1.0/24 - 1/1/9 - C [0/0]
-
10.254.1.1/32 - 1/1/9 - L [0/0]
-
Switch-2(config)#
9. Ping the 1.1.1.1 Internet IP address. Ping should be successful.


Switch-2(config)#
Switch-1
10. Move to Switch-1 and attempt the ping again. It should be successful.


138
Lab 5
Switch-1(config)#
PC-1
11. Move back to PC-1 and ping the 1.1.1.1 address. Ping should be successful.
Figure 5-23: Ping to internet.
139
Lab 5
Task 6: DHCP Relay
Objectives
In this task you will configure a DHCP relay function on VLAN 2 and VLAN 3’s Default Gateway.
Thus, when Switch-1 hears DHCP discover messages from VLANs 2 and 3, it redirects them to
the Windows server. The server can then offer IP address information to those clients. This allows
for automatic IP address provisioning as opposed to non-scalable static addressing.
Steps
Switch-1
1. Move to Switch-1 and enable the DHCP Relay role on SVI 2 and SV3 pointing to 10.0.10.10
as the DHCP Server.

Switch-1(config-if-vlan)# ip helper-address 10.0.10.10
Switch-1(config-if-vlan)# interface vlan 3
Switch-1(config-if-vlan)#
IMPORTANT: Any L3 switch interface configured as a DHCP Relay will intercept

all inbound DHCP Discover and Requests broadcast messages. It encapsulates
140
Lab 5
them with a new DHCP header, with its own L3 interface IP address as the
source. It converts the packet to a Unicast packet and sends it to the Server.
The server receives the packet, with the Relay’s IP address included in the
DHCP header. It compares this address with any preconfigured IP pool it has. If
there is a match, the Server responds with an Offering back to the Relay. The
Relay then forwards this on to the client. Assuming the address is compatible,
the client uses this address.
PC-1
2. Change the Lab NIC IP settings from static configuration to dynamic provisioning.
Figure 5-25: Obtain an IP address automatically
3. Validate the client is receiving a valid IP address using the “ipconfig” command in the
command prompt. It should be in the .100 to .200 range.
141
Lab 5
Figure 5-26: DHCP assigned IP address
142
Lab 5
Task 7: Save Your Configurations
Objectives
You will now save your configurations.
Steps
1. Save the current Access switches’ configuration in the startup checkpoint.

Switch-1#

Switch-2#
143
Lab 06
Lab 06 – 802.11 analysis

Overview
You have deployed a solid, redundant, yet loop free wired network infrastructure with user
segmentation, Inter-vlan routing and internet services for wired clients. Now, BrilliantAcademy
needs to extend the service to wireless users as well and has purchased the required equipment
for that. However, before jumping into the deployment and configuration of the WLAN
infrastructure, you want to study the Radio Frequency environment at the facility and identify any
potential source of interference that you should avoid in the process.
In this lab you will analyze some Layer 1 and Layer 2 aspects of the WiFi. First using a freeware
tool, you will detect the WLANs that are propagated around PC-1, pick one and see its details such
as band, channel, RSSI, data rate, etc. Then you will open a packet capture and visualize the
802.11 management frames exchanges between a wireless station and an Access Point.
Objectives

• Discover the SSID of WLANs in the 2.4 and 5 Ghz bands.
• Measure the strength of a WiFi signal in dBs.
• Identifying the channel and Max Rate of a WLAN.
• Identify management frames on a packet capture.
• Validate the SSID to BSSID mapping in Beacons and Probe Requests.
144
Lab 06
Task 1: Detect WLANs
Objectives
In this task you will use a popular freeware tool called “inSSIDer Home” to detect different SSIDs
in the air and analyze their characteristics.
Steps
PC-1
1. Access PC-1’s console and open inSSIDer Home.
Figure 6-1: inSSIDer
2. Once inSSIDer Home is opened. Find your WLAN adapter, then click on NETWORKS.
145
Lab 06
Figure 6-2: WI-FI ADAPTER
This will display all WLANs PC-1 can detect with the network adapter used and listed in the
previous page.
Figure 6-3: NETWORKS
NOTE: The WLANs that you see may be different to the ones shown in the
figures, because it will depend on the 802.11 capabilities of the wireless adapter
and of the networks propagated by the nearby APs. The remote lab environment
146
Lab 06
is a very dense deployment of APs, so it is likely that you may see many SSIDs
that do not pertain to this course.
The new panel has 3 main sections. The first at the top left is the SSIDs list, that includes the
details of every detected WLAN, including the name, Signal (Signal strength), Channel, Security,
MAC Address or BSSID, Max Rate and the 802.11 PHY.
Figure 6-4: SSIDs list
The second at the top right is the SSID trend chart, which displays some details of the selected
SSID, along with a basic interference analysis.
Figure 6-5: SSID trend chart
147
Lab 06
Last of at the bottom you can see the representation of the advertised WLANs in a 2.4 GHz and a
5 GHz charts that show the RSSI on the Y axis and the band channel on the X axis.
Figure 6-6: WLAN Charts
3. Go to View > 2.4 GHz Band to remove the 5 Ghz band networks from the list and use the
bottom space for the 2.4 Ghz band chart only.
Figure 6-7: 2.4 GHz Band
4. Click on signal to sort the WLANs from the strongest to the weakest.
Figure 6-8: SIGNAL
5. Select the one of the SSIDs at the top.
148
Lab 06
Figure 6-9: Select SSID
6. Using the information listed on the SSID list answer the following questions.
What is the SSID?
________________________________________________________________________
What is the Signal strength or RSSI?
________________________________________________________________________
What unit of measure is the signal strength listed as?
________________________________________________________________________
What is the WLAN Security?
________________________________________________________________________
What is the WLAN’s MAC Address or BSSID?
________________________________________________________________________
What is the MAX Rate?
________________________________________________________________________
Which 802.11 amendment or standard are you using?
________________________________________________________________________
149
Lab 06
7. Focus on the trend chart and answer the following questions.
Has the WLAN had a consistent power level in the past minutes, or there are noticeable power changes
on it?
________________________________________________________________________
What channel is this WLAN advertised on?
________________________________________________________________________
How many networks does this WLAN have co-channel interference with?
________________________________________________________________________
Is this WLAN running Channel Bonding?
________________________________________________________________________
IMPORTANT: WLANs using Channel bonding are usually represented with a

channel number a “+” sign then another channel number (e.g. 6+10), meaning
that those two channel’s frequencies are combined together in order to make a
bigger one.
Also, a broader trapeze that includes the two channel numbers will be shown in
the bottom chart.
150
Lab 06
Optional steps: Only if there are SSIDs on the 5 GHz band.
8. Go to View > 5 GHz Band to remove the 2.4 Ghz band networks from the list and use the
bottom space for the 5 Ghz band chart only.
Figure 6-10: 5 GHz Band

9. Select the one of the SSIDs at the top.
Figure 6-11: SSID List
151
Lab 06
10. Using the information listed on the SSID list answer the following questions.
What is the SSID?
________________________________________________________________________
What is the Signal strength or RSSI?
________________________________________________________________________
What unit of measure is the signal strength listed as?
________________________________________________________________________
What is the WLAN Security?
________________________________________________________________________
What is the WLAN’s MAC Address or BSSID?
________________________________________________________________________
What is the MAX Rate?
________________________________________________________________________
Which 802.11 amendment or standard are you using?
________________________________________________________________________
11. Focus on the trend chart and answer the following questions.
Has the WLAN had a consistent power level in the past minutes, or there are noticeable power changes
on it?
________________________________________________________________________
What channel is this WLAN advertised on?
________________________________________________________________________
Is this WLAN running Channel Bonding?
________________________________________________________________________
How many networks does this WLAN have co-channel interference with?
________________________________________________________________________
12. Compare your step 7 and 11 answers.
What band appears to have more Co-channel interference?
152
Lab 06
________________________________________________________________________
Why?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
NOTE: The 2.4 GHz Industrial Scientific and Medical (ISM) band has fewer
channels than the 5 GHz one and it is used by many non-WiFi consumer
products. This is why 2.4 GHz channel has considerably more co-channel
interference. Most Enterprise oriented networks will be typically designed and
deployed with the 5GHz band in mind for most of the communication
requirements while the 2.4 is mostly for backwards compatibility with legacy
devices.
End of Optional steps
153
Lab 06
Task 2: 802.11 Management Frames analysis
Objectives
In this task you will open a packet capture file in pcap format on PC-1 using Wireshark and look
for the most relevant frames used in a connect to a WiFi network. It includes:
• SSID discovery and the SSID to BSS Id resolution via Beacons, Probe Requests and Probe
Responses management frames.
• 802.11 connection with Authentication Request/Response and Association
Request/Response management frames.
• Traffic exchange using Data frames.
• The end of the connection via Deauthentication management frames.
NOTE: Due the monitor mode limitations of the WiFi adapters used in this lab,
a live capture is not possible, instead a pcap file has been provided that
correspond to a capture performed during an Apple Macbook client
(b0:be:83:41:a3:78) association to an Aruba Access Point (38:17:c3:3b:32:24)
on Channel 11.
Steps
PC-1
1. Access PC-1’s desktop.

2. Look for the capture1.pcapng file inside of the IANS folder on the Desktop. Then double
click it. This will open Wireshark.
154
Lab 06
Figure 6-12: capture1
3. Select the first frame, this is an 802.11 Beacon.

4. Expand the 802.11 radio information entry in the packet details section.
Figure 6-13: 802.11 Beacon
What is the PHY type?
___________________________________________________________________
What is the Bandwidth?
___________________________________________________________________
What is the Data Rate for this frame?
155
Lab 06
___________________________________________________________________
What is the Channel and frequency?
___________________________________________________________________
What are the Signal strength and Noise Level?
___________________________________________________________________
What is the Signal/noise ratio?
___________________________________________________________________
Answer: Phy type is 802.11n, Bandwidth is 20 MHz which means no channel

bonding is in use. Data Rate is 6.5 Mbps. The SSID is using channel 11 with a
frequency of 2462MHz, a Signal strength of -63dBm and a Noise Floor of -
94dBm making a SNR of 31 dBm (this is the difference between the Signal and
the Noise levels).
5. Expand the IEEE 802.11 Beacon frame details.
Figure 6-14: 802.11 Beacon frame
What is the Destination address?
___________________________________________________________________
What is the Transmitter address?
___________________________________________________________________
What is the BSS Id?
___________________________________________________________________
156
Lab 06
Answer: Destination address is the all F’s broadcast one. Transmitter is the
AP’s BSSID (38:17:c3:3b:32:24).
6. Expand the IEEE 802.11 wireless LAN > Fixed parameters details.
Figure 6-15: Fixed parameters
What is the Beacon Interval?
___________________________________________________________________
Answer: Beacon interval is approximately 10 ms or a 10th of a second.
7. Expand Tagged parameters.
Figure 6-16: Tagged parameters
What is the SSID parameter value?
___________________________________________________________________
What are the Supported Rates?
157
Lab 06
___________________________________________________________________
What are Extended Supported Rates?
___________________________________________________________________
What are the HT Capabilities?
___________________________________________________________________
Answer: The SSID or WLAN name is IANS, this is one of the main reasons for
the Beacons, to provide the SSID to BSS Id mapping, that way the clients will
know what AP and AP’s radio they should connect to.
The supported rates are 1, 2, 5.5, 6, 9, 11, 12 and 18 Mbps while extended
rates are 24, 36, 48 and 54 Mbps, these are the different data transition rates
the AP supports for receiving frames from clients, the rate for specific client will
mainly depend on the SNR.
8. Select frame number 4.
Figure 6-17: Probe Response
What management frame is it?
___________________________________________________________________
Answer: This is a Probe Response. The message is consequence of a Probe

Request frame, not shown in the capture, that was sent by the station to the
Access Point.
9. Expand the IEEE 802.11 Probe Response details
158
Lab 06
Figure 6-18: Probe Response Flags
What is the Receiver address?
___________________________________________________________________
What is the Transmitter address?
___________________________________________________________________
What is the BSS Id?
___________________________________________________________________
Answer: The receiver address is the Wireless Station or client

(b0:be:83:41:a3:78) and the transmitter is the AP (38:17:c3:3b:32:24). The BSS
Id is the same value as the Transmitter because the frame comes from the AP
to the station.
10. Expand the 802.11 Wireless Management > Tagged parameters.
Figure 6-19: Tagged parameters
What is the SSID parameter set?
159
Lab 06
___________________________________________________________________
Answer: It is IANS. Similarly to the Beacons, Probe responses provide SSID to

BSS Id resolutions.
Figure 6-20: Authentication frame
___________________________________________________________________
Answer: This is an Authentication Request coming from the client in order to

initiate the connection.
12. Expand the IEEE 802.11 Wireless LAN > Fixed parameters details.
What authentication algorithm is used?
160
Lab 06
___________________________________________________________________
Answer: Open System. This means that no real authentication data is being
exchanged here, but this is a merely a handshake defined by the 802.11 protocol
required to complete the client association.

___________________________________________________________________
What is the purpose of the Authentication frames?
___________________________________________________________________
Answer: This is an Authentication Response; it is the reply coming from the AP

to the client and completes the initial handshake before the Association
Request/Response management frames.
Figure 6-22: Association Request
___________________________________________________________________
161
Lab 06
Answer: Association Request.
15. Expand 802.11 Wireless Management > Fixed parameters > Capabilities Information
Figure 6-23: Capabilities Information
What Is the purpose of this information?
___________________________________________________________________
Answer: Announcing what capabilities are supported by each device (Client and
AP).
162
Lab 06
Figure 6-24: Association Response
___________________________________________________________________
What is the purpose of the Association Request/Response frames?
___________________________________________________________________
Answer: This is an Association Response sent by the AP. The purpose of the
Association Request and Response is to complete the 802.11 association phase
and make sure that both the client and AP support all mandatory WiFi
capabilities.
Figure 6-25: Deauthentication
___________________________________________________________________
Who is the source and the destination of this frame?
___________________________________________________________________
Answer: This is a Deauthentication frame that was sent by the AP to notify that
the client should not be associated to the network anymore. In other words, it is
officially disconnecting the client.
163
Lab 06
18. Expand 802.11 Wireless Management > Fixed parameters
What is the reason code?
___________________________________________________________________
Answer: Deauthenticated because sending STA is leaving (or has left) IBSS or
ESS.
19. Focus on frames 10 to 41.
What frame types are those?
___________________________________________________________________
What purpose do they have?
___________________________________________________________________
Answer: They are data frames, exchanged between the client and the network
via the AP during the life the 802.11 connection, before the Deauthentication
frame was sent to disconnect the client. Although these frames are not properly
decoded, and therefore their contents are uncertain, they most likely include
DHCP and DNS packets among other protocols traffic.
164
Lab 7
Lab 7 – Configure a WLAN with Aruba Central

Overview
After studying the Radio Frequency environment, you have successfully identified the high
demand, low interference areas and mounted a few Access Points there. Then provisioned them
with an ethernet drop that terminates on Switch-1.
In this lab activity you will enable an Aruba AP and deploy a WLAN for the BrilliantAcademy
students. To do so you must first configure the switchport where the Access Point is plugged in,
then you will access Aruba Central, an Enterprise grade Cloud-based management solution to
assign its initial settings and create the SSID. Finally, you will test your setup.
Objectives

• Add an AP to the wired network.
• Access Aruba Central
• Create a custom Group
• Provision an AP in Central
• Deploy a WLAN
• Test wireless connectivity
• Monitor your client using Aruba Central
165
Lab 7
Task 1: Add the Aruba Access Point
Objective
In this task you will add an Aruba Access Point to your topology using a trunk port on Switch-1
using VLAN 1 for managing the AP and VLAN 3 for the future STUDENTS WLAN. Then you will
configure the required Layer 3 settings such as creating an SVI and give its IP address, enabling
DHCP Relay and enable routing for the AP’s management network.
Figure 7-1: Lab Topology
Steps
Switch-1
166
Lab 7
1. Open a new console session to Switch-1.

2. Enable port 1/1/3, make it trunk port and permit VLANs 1 and 3.
Switch-1(config-if)# vlan trunk allowed 1,3
3. Create SVI 1 and give it the 10.0.1.254/24 IP address.

4. Enable DHCP Relay SVI 1 pointing to 10.0.10.10 as the DHCP server.

Switch-2
5. Move to Switch-2 and add a new static route for the 10.0.1.0/24 segment using Switch-1
(10.0.0.1) as next hop.

Switch-2(config)# exit
So far you have enabled Layer 2 and Layer 3 connectivity for your AP, and it is only a matter of
waiting for it to complete its boot process and acquire its own IP settings with DHCP.
6. Reboot the AP by clicking on the AP Icon in the Lab Dashboard and choosing the option
to “reboot”
167
Lab 7
Figure 7-2: Reboot AP
7. Wait 5 minutes and confirm you can ping your AP. It should be given the 10.0.1.10 IP
address.

PING 10.0.1.10 (10. 0.1.10) 100(128) bytes of data.

8. Save your settings on both switches.

168
Lab 7
Task 2: Connect to Aruba Central
Objective
In this task you will connect to Aruba Central from a local browser, then you will verify the Central
version and finally you will explore the Aruba Central dashboard.
Aruba Central
Steps- make same as lab 0
1. Using your personal computer, open a web browser and connect to

https://central.arubanetworks.com.
2. Verify that the Availability Zone has been set to the zone assigned to you in your lab access
credentials.
3. Enter the username that was assigned to you.
Figure 7-3: Aruba Central Login
169
Lab 7
NOTE. The Central username uses email format, and this lab environment uses
arubatraininglabs.net as domain.
4. Click Continue.
5. You will fall into the Single Sign On (SSO) authentication web page.
6. Re-enter the same email as username and enter the password assigned to you.
Figure 7-4: ArubaTrainingLabs Sign-On
NOTE. Be patient, the first time you login into Central it could take up to 30 seconds.
7. You should now be in the main Central dashboard.

8. Click on the user icon (the icon is located on the top right corner).
9. Verify you are using the correct user.
170
Lab 7
Figure 7-5: User details
10. Move back to the Frontend tab or window.

11. Click on the circle next to Global. A new window appears where you can see a summary
of the total number of active and inactive network devices (APs, Switches and Gateways)
and clients.
Figure 7-6: Global
12. Click on the pin icon.
171
Lab 7
Figure 7-6: Overview > Pin
The system will display a bar located on the top.
Figure 7-7: Status bar
How many Access Points are active?

____________________________________________________________________
Aruba APs run a multi-phase boot process. One of the steps is contacting Aruba Activate,
a cloud-based service used for Zero Touch Provisioning, that redirects to the correct
management platform either as Aruba Central or AirWave.
Your table Access Point has already been onboarded and given a license in Aruba Central.
As consequence a redirection rule was pushed to Aruba Activate and let it know the AP
should be Central Managed. Hence as soon as your Access Point gained Internet access,
it received the order to contact Central.
172
Lab 7
13. On the left panel click Devices (alternatively you can click on the Access Point number on
the top bar).
Figure 7-8: Access Points
What is the IP address of your AP?

____________________________________________________________________
ANSWER: The access point should be using 10.0.1.10.
14. Click on the 3-dot icon then and select Group column.
173
Lab 7
Figure 7-9: Select columns
What is the group your AP was placed?

____________________________________________________________________
Aruba Central automatically mapped new devices to the ‘default’ group.
Figure 7-10: Access Points list
Click on the MAC address that appears under Device Name. You will be redirected to
device specific details page.
174
Lab 7
Figure 7-11: Select Access Point
Figure 7-12: Access Point details
What is the County Code?

____________________________________________________________________
ANSWER: Your Aruba Devices must be set with a country code to properly
function, without this parameter your APs never will broadcast a custom SSID.
You will set up this parameter in the next task.
175
Lab 7
Task 3: Configure your AP
Objective
In this task you will configure a new Central Group to manage your AP, then you will setup general
parameters on this device.
Steps
Aruba Central
1. Click on the MAC address that appear on the top left corner and set the context filter to
Global.
Figure 7-13: Global
2. On the left panel scroll down and select Organization.

3. Click on Groups.
176
Lab 7
Figure 7-14: Organization
4. Expand the default group, you should see an entry on this group (your AP).
Figure 7-15: default group
5. Click on the plus + sign to add a new Group.
Figure 7-16: Groups
6. Enter the following information:
177
Lab 7
a. Name: Campus-1
b. Check the box for Access Points
c. Leave other options unchecked.
7. Click Add.
Figure 7-17: Add Group
8. Select the following options to set the group persona:
a. Architecture for access points and gateways in this group: ArubaOS 10

b. Network role of the access points in this group: Campus/Branch (auto selected)
9. Click Add.
178
Lab 7
Figure 7-18: Add Group cont.
10. Expand the default group and select your AP.

11. Click on the “Move devices” button.
Figure 7-19: Move devices
12. Select the Campus-1 group and click Move.
179
Lab 7
Figure 7-20: Move Devices cont.
13. Expand Campus-1 group, your AP should be listed here.
Figure 7-21: Campus-1 group
14. Click on the gear icon that appears on the right to start the configuration of your group.
Figure 7-21: Campus-1 group config
15. The system requires a new password for the group, set the password to “@ruba123”
with no quotes.
180
Lab 7
Figure 7-21: SET DEVICE PASSWORD
16. Select the System tab.
Note: If you do not see the tab, select Show Advanced button.
17. Choose the following options:

a. Country code for group: United-States
b. Timezone: Eastern-Time UTC-05
c. Preferred Band: All
d. NTP Server: us.pool.ntp.org
e. Leave the rest of the fields untouched.
18. Click Save Settings.
181
Lab 7
Figure 7-22: Access Points > System
NOTE: Your AP needs to reboot to apply the new country code. This is the reason the
warning message still appears at the bottom of the page.
You will make some changes prior rebooting.
19. Select the Radios tab.

20. Click Add Profile.
182
Lab 7
Figure 7-23: Access Points > Radios
21. Name the profile “my-radio-profile”.

22. Under 5GHz radio, click on the channel numbers (see the image for reference).
Figure 7-23: ADD PROFILE
23. For channel bandwidth select 20MHz as the maximum.
183
Lab 7
24. Click OK.
Figure 7-24: ALLOWED CHANNELS
25. Click Save, the new profile should be listed.
Figure 7-24: RF Coverage
26. Select Access Point tab.

27. Check the box next to your AP name and then click on the pencil that appears to the far
right.
Figure 7-25: ACCESS POINTS
184
Lab 7
28. Modify the name to “AP-1”.
Figure 7-26: ACCESS POINT Name
29. Select the RADIO tab.

30. Use the following settings:
a. Radio profile: my-radio-profile
b. 2.4GHz Band: Disabled
31. Click on Save settings.
185
Lab 7
Figure 7-27: RADIO PROFILE

32. Select the List button.
Figure 7-28: ACCESS POINTS List
33. Hover your mouse on your Access Point, a reboot icon should appear.
186
Lab 7
Figure 7-29: ACCESS POINTS Radios
34. Reboot your AP and confirm the action.
NOTE. Optionally you can monitor the reboot process from your console.
Wait a few minutes until the Access Point is back. The warning message at bottom should
disappear.
IMPORTANT. In case you still see the warning message at the bottom of the page, then
follow the following optional steps.
Optional steps
35. Scroll down and at the bottom, click on “Set Country Code now”. A new window appears.
Figure 7-30: Set Country Code now
36. Click on the pencil to edit the Country code.

37. Select US – United States as the Country Code and click Save.
187
Lab 7
Figure 7-31: SET COUNTRY CODE
38. Click Save again.

39. Navigate to Devices > Access Points.
40. Hover your mouse on your Access Point, a reboot icon should appear.
Figure 7-32: Devices > Access Points
41. Reboot your AP and confirm the action.
End of Optional steps
Aruba Central includes a remote console feature, this option is very convenient when you do not
have physical access to the managed device. In the following steps you will explore how to use it.
188
Lab 7
42. From the global context filter select Campus-1 group.
Figure 7-33: Groups
43. Click on the AP name.
Figure 7-34: Devices > Access Points > AP-1
44. Under the Actions menu, select Console.
189
Lab 7
Figure 7-34: Actions > Console
45. Create a new console session use admin/@ruba123 credentials.
Why are you using this password?
________________________________________________________________________
ANSWER: Your Aruba Devices must be set with a country code to properly
function, without this parameter your APs never will broadcast a custom SSID.
You will set up this parameter in the next task.
Access Points inherit the group password as the login password.
46. Click Create New Session button.
Figure 7-35: Create New Session
190
Lab 7
Figure 7-36: Access Point console
47. Issue “show running-config | include country” command.
Figure 7-37: Console session
191
Lab 7
Figure 7-38: Console session AP-1
What is the country code displayed by your AP?
___________________________________________________________________
ANSWER: The country code is US.
192
Lab 7
Task 4: Create a new SSID
Objective
In this task you will create a new SSID.
Steps
Aruba Central
1. From the global context filter select Campus-1.
Figure 7-39: Global
2. Navigate to Devices > Access Point

3. Click on the Config icon on the far right.
193
Lab 7
Figure 7-40: Devices > Access Points
4. Under WLANs tab, click Add SSID.
Figure 7-41: WLANs > Add SSID
5. Enter Students-[YOUR INITIALS] as the SSID.
For example:
• If your name is Jonh Smith, then use Students-JS
6. Click Next.
194
Lab 7
Figure 7-42: CREATE A NEW NETWORK > General
7. For the VLANs tab, select the following options:

a. Traffic forwarding mode: Bridge
b. Client VLAN Assignment: Static
c. VLAN ID: 3
TIP: You need to delete VLAN 1 first.
Figure 7-43: CREATE A NEW NETWORK > VLANs
8. Click Next.
9. For the Security tab select the following options:
a. Security Level: Personal
195
Lab 7
b. Key Management: WPA2-Personal

c. Passphrase Format: 8-63 chars
d. Passphrase: aruba123
e. Retype: aruba123
Note. Due to some limitations with the lab environment you need to select WPA2 and not
WPA3. This however is not a recommended action in a real environment since WPA2-
Personal is susceptible to dictionary attacks.
Figure 7-44: CREATE A NEW NETWORK > Security
10. Click Next.

11. For the Access tab select leave the security level as Unrestricted.
196
Lab 7
Figure 7-45: CREATE A NEW NETWORK > Access
12. Click Next.

13. Review the summary and when you are ready scroll down and click Finish.
Figure 7-46: CREATE A NEW NETWORK > Summary
14. You should receive a successful message, click OK.
197
Lab 7
Figure 7-47: SUCCESS
198
Lab 7
Task 5: Test the WLAN
Objective
In this task you will connect your Wireless client to your SSID.
Steps
PC-1
1. From your local computer, move to Aruba Training Lab web page
(https://arubatraininglab.computerdata.com)
2. Click on PC-1 icon.
3. Select Open Desktop, a new tab or window will be open in your browser.
4. Disable your wired network adapter
a. Click on the Start Menu and type “Control Panel”
b. click on “Network and Internet”, and then select "Network and Sharing Center”
c. Click on “Lab NIC” and choose “Disable” in the popup window.
Figure 7-48: Lab NIC
199
Lab 7
5. Click on the Network icon on the task bar and verify you can see the Students-
[YOUR_INITIALS] SSID.
NOTE. If your wireless network card cannot see any SSIDs, please notify your instructor or
submit a trouble ticket using the instructions given to you.
6. Associate to the Students-[YOUR_INITIALS] SSID.
Figure 7-49: Students SSID
7. Uncheck the Connect automatically option.
Figure 7-50: Connect
8. Enter the aruba123 password.

9. Click Next.
200
Lab 7
Figure 7-51: Enter the network security key
10. On the Permit your PC to be discovered by other PCs message, select No.
Figure 7-52: Discover devices
11. You should be connected.
Figure 7-53: Connected, secured
201
Lab 7
According to your configuration, from which subnet your PC obtained its IP address?
__________________________________________________________________________
ANSWER: Your wireless client should receive an IP address from VLAN 3

subnet (10.0.3.0/24).
12. Click Start button then type Command Prompt.

13. Select the first option that appears.
Figure 7-55: Command Prompt
14. Verify your IP address by using the ipconfig command.
C:\Users\student>ipconfig
Windows IP Configuration
Wireless LAN adapter Wi-Fi 4:
Connection-specific DNS Suffix . : training.arubanetworks.com

IPv4 Address. . . . . . . . . . . : 10.0.3.150
Subnet Mask . . . . . . . . . . . : 255.255.255.0
202
Lab 7
Default Gateway . . . . . . . . . : 10.0.3.254
15. Ping your default gateway (10.0.3.254). The ping should be successful.
C:\Users\student>ping 10.0.3.254
Pinging 10.0.3.254 with 32 bytes of data:

Reply from 10.0.3.254: bytes=32 time=5ms TTL=64
Ping statistics for 10.0.3.254:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 5ms, Average = 4ms
Aruba Central
16. Move to Aruba Central (If you have been automatically logged out, log back in.).
17. From the global context filter select Global.
Figure 7-56: Global
18. Select Clients.
203
Lab 7
Figure 7-57: Clients
19. Analyze the information presented:
What is the IP address of your client?
__________________________________________________________________________
Is this the same IP address you expected?
__________________________________________________________________________
What is the name of the AP your client is connected to?
__________________________________________________________________________
20. Click on your client’s name.

21. Analyze the information presented in the Summary tab.
204
Lab 7
Figure 7-58: CLIENT DETAILS
How many elements appears in the Datapath?
__________________________________________________________________________
What is the Client family?
__________________________________________________________________________
What is the Client OS?
__________________________________________________________________________
What is the VLAN the client’s traffic is placed to?
__________________________________________________________________________
205
Lab 7
What is the radio band your device is connected to?
__________________________________________________________________________
What is the channel used to connect to the AP?
__________________________________________________________________________
ANSWER: You should see three elements in the Datapath, your client, the SSID and
the AP. Your AP is capable to analyze the client’s traffic including the DHCP
messages and the HTTP traffic to determine the OS. You can see more details about
this under the Profile tab.
206
3333 Scott Blvd, Santa Clara, CA 95054
TEL: 408.227.4500 | FAX: 408.227.4550
www.ARUBANETWORKS.com
EDU-$&17-RLABS-v22.11

Get The Edge An Introduction To Aruba Networking Solutions Lab Guide Rev.22.11 With Covers

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Get The Edge An Introduction To Aruba Networking Solutions Lab Guide Rev.22.11 With Covers

Uploaded by

Copyright:

Available Formats

Get the Edge:

Get the Edge: An Introduction

Lab 4: Configure Layer 2 Switching Features and Protocols .......................................... 60

Lab 0 – Testing Lab Connectivity (optional)

Figure 0-1: Lab Topology

Task 1: Aruba Training Lab Access

Figure 0-2: Sign in

Task 2: Testing Connectivity

vCX-1 and vCX-2

Figure 0-3: Open Console of 6300-A

2. A new browser tab should open with a blank, black screen.

Figure 0-4: Open Console of 6300-B

6300 login: admin

Please configure the 'admin' user account password.

PC-1 and Windows Server

Figure 0-5: Open Console of PC-1

7. A new browser tab will open with the remote desktop.

Figure 0-6: PC-1’s desktop

8. Repeat steps 6 and 7 on the Windows Server.

Figure 0-7: Open Console of Windows Server

1. Using your personal computer, open a web browser and connect to

Figure 0-8: Aruba Central Login

Figure 0-7: Aruba Training Labs Sign-On

7. You should now be in the main Central dashboard.

You have completed Lab 0!

Lab 1 - Numerical Conversion

After completing this lab, you will be able to:

• Convert decimal numbers to binary, hexadecimal and back.

Task 1: Convert Binary to Decimal

Convert the following binary into decimal values.

Table 1-1: Power of Two: Binary to decimal

Task 2: Convert Decimal to Binary

Table 1-2: Power of 2: Decimal to binary

Task 3: Convert Binary to Hexadecimal

Convert the following binary values into hexadecimal.

Table 1-3: Binary to Hexadecimal

Task 4: Convert Hexadecimal to Binary

Solutions: Task 1 – Convert Binary to Decimal

128 + 64 + 32 +16 + 8 + 4 + 2 = 252

Solutions: Task 2 – Convert Decimal to Binary

Solutions: Task 3 – Convert Binary to Hexadecimal

Solutions: Task 4 – Convert Hexadecimal to Binary

0xC390 = 1100 0011 1001 0000

0x8F4E = 1000 1111 0100 1110

You have completed Lab 1!

Lab 2 - Packet Exploration

After completing this lab, you will be able to:

Task 1: Discover Headers and Encapsulation

Figure 2-1: Task 1 Topology

1. Open a console session to Wired/Wireless PC-1.

Figure 2-2: Wireshark shortcut

NOTE: Wireshark is a well-known, open-source packet analyzer tool. It is

Figure 2-3: Wireshark View > Packet Bytes

Figure 2-4: Wireshark NICs

5. Identify the components shown in figure 2-5.

Figure 2-5: Wireshark Sections

Figure 2-6: Web page

Figure 2-7: Wireshark Stop

10. Scroll all the way up.

Figure 2-8: Data packets

What do they mean?

What are these three packets for?

Figure 2-9: Data headers