Layer3 connections on Aruba switches

On Cisco its quite convenient command “no switchport” , which  is used for layer3 connections between network devices. It disables spanning tree process on such interface:

#sh spanning-tree interface te1/4
no spanning tree info available for TenGigabitEthernet1/4

On Aruba though there are no such command and layer3 connection is done with help of VLANs (the same way as on Cisco behind the scenes).

On Aruba switch on layer3 link commands “spanning admin-edge-port” and “spanning-tree bpdu-filter”  should be used if on both ends are Aruba with layer3 interfaces.  However if on one end is Cisco (e.g. WAN router) and on other end is Aruba (e.g. L3 site switch), then such commands are not necessary as Cisco device on L3 interface will not have spanning tree process and not generate BPDUs.

Enabling RSTP (IEEE 802.1w) spanning tree on Aruba is done by following global commands:

spanning-tree force-version RSTP-operation






automation, configuration, network components, scripting, Uncategorized

script on expect language to push batch changes to cisco and aruba switches / routers

Notes about the script:

– in such particular case script pushes new syslog server to configuration and saves config file
– script works almost without changes on cisco and aruba (on cisco though syntax is “logging host <…>” on aruba it is “logging <…>”)
– script will terminate itself with error if it will be not able to establish ssh to any of mentioned switches/routers where it needs to do changes
– logging from aruba is a mambo-jumbo and not accepted as a solution (the same result I get if doing logging via tee command of Expect script and with Expect’s logging possibility by log_file command (in my script its log_file -a $Directory/session_$host.log) )
– script expects that directory /tmp/logs exists, hence either it should be created manually or by adjusting provided script
– “log_file” command in script closes logging for each host, otherwise I got complaints from Expect related to not closed logging
– script reads IP addresses of each aruba / cisco switch or router from a file, which is given as a parameter to a script:

case for cisco
./set_syslog_on_cisco_v1.0.ex /tmp/cisco.txt | tee /tmp/cisco_syslog.log

case for aruba
./set_syslog_on_aruba_v1.0.ex /tmp/aruba.txt | tee /tmp/aruba_syslog.log

below is example of script for aruba case, for cisco case one line should be changed:



#!/usr/bin/expect -f

set timeout 20

set file [lindex $argv 0];

set f [open “$file”]

set hosts [split [read $f] “n”]

close $f

foreach host $hosts {

if {$host != “”} {

send “echo host is $hostr”

sleep 2

set Username “your_username”

set Password “your_password”

set Directory /tmp/logs

log_file -a $Directory/session_$host.log

send_log “### /START-SSH-SESSION/ IP: $host @ [exec date] ###r”

spawn ssh -o “StrictHostKeyChecking no” $Username@$host

expect “*assword: ”

send “$Passwordr”

expect “#”

send “conf tr”

expect “(config)#”

send “logging”

expect “(config)#”

send “endr”

expect “#”

send “wr memr”

expect “#”
send “r”

send “logoutr”

sleep 2

send_log “r### /END-SSH-SESSION/ IP: $host @ [exec date] ###r”


configuration, Uncategorized, wireless topics

Peers configuration for guest wifi on Cisco wireless controllers

Infrastructure diagram for guest wifi service is well known:
guest wifi topology

            Pic.1 – Diagram for guest wifi service (diagram is taken from “design guide”)

Between local wireless controllers located on site (shown and named as “campus controllers” or “foreign WLCs”) and wireless controller located in DMZ (shown and named usually as “anchor controller”) should be configured and built EoIP tunnel. This article is dedicated to describe how correctly to configure this tunnel, as no documentation from cisco.com has such detailed information.

For functioning guest wifi service status of a tunnel should be UP (local WLC and anchor WLC show status of this tunnel as UP when all is correct):

peers status

Pic.2 – EoIP tunnel is established

To build a peer it is needed

1) IP address of management interface on remote peer (if you do configuration on anchor, its need IP of management interface on foreign WLC and vice versa – for foreign WLC its needed management IP of anchor WLC)

2) member MAC address: is tricky case as it is needed to use MAC address of virtual interface of the remote site. If any side (local WLCs or anchor WLC(s)) is in HA-SSO mode, then its needed to use high-availability virtual MAC address, which can be received by command (or from GUI via https access)

(Cisco Controller) >show redundancy summary

3) Group name – is Local Mobility Group of remote side and it is cAsE senSiTivE

peer parameters

Pic.3 – EoIP tunnel is established

If at least one of 1), 2) or 3) is not fulfilled peer will not be up and will show “data path is down” or “control path is down”.

4) firewall rules between anchor WLC (usually located in DMZ) and local WLCs should be cleared. From my experience such ports are needed:

“Legacy mobility: IP Protocol 97 for user data traffic, UDP Port 16666”

Despite it is called “legacy mobility” it is used by firmware, per firewall logs, UDP 16667 is not used, despite it is mentioned as

“New mobility: UDP Port 16666 and 16667”  under related Q&A

Additionally, per my memory, communication for EoIP is initiated from anchor (I’ve never seen such details on cisco documentations), but to be 100% sure, it is recommended to enable ACLs so that EoIP can be initiated from local WLCs as well as from anchor WLC, because for stateful firewall it is important which side initiates communication.

If mentioned in 4) details are not taken into account, then status of EoIP peer will be shown as “control and data path down“, “data path is down” or “control path is down”, depending on what is configured in related access lists.


P.S.: it is worse also to mention that Cisco suggests to have identical WLAN settings on local WLC and anchor, e.g. if “11k Neighbor List” is enabled on local WLC under guest wifi WLAN, then such setting should be enabled on anchor as well. The same is true for QoS settings under respective WLAN and other parameters.



Access control lists, automation, Uncategorized

convert Cisco ACL to Aruba ACL

There is a case when Cisco L3 switch (e.g. core or distribution level) is replaced by Aruba L3 switch. Cisco switch may have a bunch of ACLs on it and Aruba switch has similar syntax of ACLs but it requires numbers in front of each line and double quotes after remark command. Quick and a little dirty solution is to use such Linux command:

awk '{if ($1=="remark") { print (NR)*10, "remark", """$0""" } else if (($1=="permit") || ($1=="deny")) {print (NR-1)*10 " " $s} }'  <path_to_your_ACL_file>


convert from such Cisco ACLs:

remark permit ICMP on any direction
permit icmp
remark permit CAPWAP on any direction
permit udp range 5246 5247
remark permit TACACS traffic
permit tcp gt 1023 eq 49
remark enable SSH connections
permit tcp eq 22

to such Aruba ACLs:

10 remark "remark permit ICMP on any direction"
10 permit icmp
30 remark "remark permit CAPWAP on any direction"
30 permit udp range 5246 5247
50 remark "remark permit TACACS traffic"
50 permit tcp gt 1023 eq 49
70 remark "remark enable SSH connections"
70 permit tcp eq 22

such command has been used:

awk '{if ($1=="remark") { print (NR)*10, "remark", """$0""" } else if (($1=="permit") || ($1=="deny")) {print (NR-1)*10 " " $s} }' /tmp/acl_example.txt

Because NR built-in variable was used in such command some numbers in front of lines are skipped, e.g. 40 in this case. But technically such ACL is still valid and can be used.

automation, scripting, SQL, Uncategorized

SQL-style join functions in excel

Often I have a list or table with switch names approved for firmware upgrade on a certain site, but I have also a list of all network devices running on site with their names and IPs. So mentioned scope of devices for reboot is a sub-scope of all devices on site. The task is to do a JOIN operation with these two tables which I can have in excel. After such successful operation in excel I’ve got what is needed – all devices approved for reboot and their IP addresses, e.g. part of the table:

Name Device IP Vendor Model Partition
b101-f1-p1-acc01-p Cisco WS-C2960X-48FPS-L LAN
b101-f1-p1-acc02 Cisco WS-C2960X-48TS-L LAN
b101-f1-p2-acc01-p Cisco WS-C2960X-48FPS-L LAN
b101-f1-p2-acc02 Cisco WS-C2960X-48TS-L LAN
b101-f1-p2-acc03 Cisco WS-C2960X-48TS-L LAN
b101-f1-p3-acc01 Cisco WS-C2960X-48TS-L LAN
b101-f1-p3-acc02 Cisco WS-C2960X-48TS-L LAN
b101-f1-r1-acc01-p Cisco WS-C2960X-48FPS-L LAN
b101-f1-r1-acc02 Cisco WS-C2960X-48TS-L LAN

Steps can be followed for example from here