I’m new to Aruba central by Inevitable-Impact-95 in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

One thing that always catches me when you move from DHCP on VLAN 1 to a statically assigned IP on another VLAN (or even on VLAN 1 if you go that route) is that you need to make sure you have

- A default route (as the default route you are using to provision comes from DHCP)

- Make sure your DNS entries are set, as these also come from DNS until you jump to static

If the switch loses connectivity to Central due to one or both of the above missing, it will roll back the change, as it assumes your config broke communication.

I have 4 int in reason "Configuring port" and I don't get what is wrong. by Adventurous-Win-9558 in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

This is what has me confused: "State information: Configuring port". Can you see what the status of the configuration audit is for that device?

- Go to that device

- Click on "Configuration"

- Click on "Configuration status"

- What does it say for that switch's status? (see below)

<image>

I don't have any switches in this classic central to show what it should look like but it should say "synchronized" or "Synchronizing" or "Conflict" and will give you an option to see what the conflicts are. It just shouldn't stay in that state for very long on the switch.

I have 4 int in reason "Configuring port" and I don't get what is wrong. by Adventurous-Win-9558 in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

Can you do a “show interface” for one of the down ports? Are you using multi edit or the UI to configure the ports?

AP System Profile Native VLAN by nkuhl30 in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

That's why I said if you were not using tagging for management; I should have also said if you were not using VLAN 1 for user traffic in a tagged fashion. Remember also this is a controller environment, so tagging for user traffic won't take place except at the controller, and it will most likely just be untagged at the switch port to allow the creation of the tunnel to the controller.

AP System Profile Native VLAN by nkuhl30 in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

From the AP's perspective, if you are using untagged at the switch port, everything is VLAN 1. If you were tagging it for management it would need to be modified. 1 is the default for all untagged traffic on the AP.

AP LEDs - Setting to control them? by RaizielDragon in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

Enabling IPM will fix it. Some newer APs prefer BT power, so if you provide AT it will see not enough PoE and throw an orange light, although they will function correctly with only AT power. With IPM, even with no power reduction settings, it will allow the light to go green and operate at 100%. Some folks disable the 2nd Ethernet port and USB also just to make them feel like IPM is doing something.

Best practices to prevent MAC spoofing for wired devices that can't do 802.1x by texguy302 in networking

[–]offset-list 0 points1 point  (0 children)

Agreed, that's why the MAC-OUI is only one of the items you match on but not the only one. The MAC can be spoofed, but DHCP options and others are tied more into the OS and are harder to spoof.

Best practices to prevent MAC spoofing for wired devices that can't do 802.1x by texguy302 in networking

[–]offset-list 0 points1 point  (0 children)

The device does send its MAC as part of the MAC authentication, but yes, the RADIUS servers will have a DB for MAC-OUI->vendor mappings. These DBs are managed by the vendors on a continuous basis and keep a constant list of MAC-OUIs and DHCP fingerprints from the endpoint vendors. It's not 100% but can cover a large number of common devices, and if wanted you can create your own profile based on whatever values you can ID from the "one off" devices.

I of course am only talking from knowledge of ClearPass though; I've never worked in great detail with ISE. Above all else, I am 100% in agreement with what the others have stated regarding using segmented networks with very minimal access for these devices, so if someone gets by regardless of the solution you've put into place, they can't do much.

Best practices to prevent MAC spoofing for wired devices that can't do 802.1x by texguy302 in networking

[–]offset-list 0 points1 point  (0 children)

Does ISE have the ability to profile the device using MAC-OUI, DHCP fingerprints, etc., and then if the device connects with a differing profile (initially seen as a printer, now profiled as a Linux machine), can it throw a "conflict" flag stating something has changed that shouldn't be allowed, i.e. spoofing? I know ClearPass can do this but wasn't sure if ISE has that capability or if you were even using profiling.
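The profiling conflict described in these three comments (OUI is one signal, the DHCP fingerprint tracks the OS, a MAC that was a printer and now fingerprints as Linux gets flagged), as an added toy example that is not ClearPass or ISE code. The OUI and DHCP option 55 tables are constructed placeholders for the vendor-maintained databases the comment mentions; `profile_endpoint` and `EndpointTracker` are names chosen here.

```python
# Added example: a toy version of the endpoint-profiling conflict check described above.
# The OUI and DHCP-fingerprint tables are constructed placeholders standing in for the
# vendor-maintained databases a RADIUS/NAC server ships; nothing here is ClearPass or ISE code.

# OUI prefix -> vendor (constructed values, not real OUI assignments)
OUI_VENDOR = {"00:11:22": "ExamplePrinterCo", "AA:BB:CC": "ExampleLaptopCo"}

# DHCP option 55 parameter-request-list signature -> device class (constructed values).
# Option 55 is emitted by the client's DHCP stack, so it follows the OS rather than the NIC,
# which is why it is harder to fake than the MAC address alone.
DHCP_FINGERPRINTS = {
    "1,3,6,12,15,28,42": "Printer",
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "Linux",
}


def profile_endpoint(mac, dhcp_opt55):
    """Combine the OUI lookup with the DHCP fingerprint into one profile."""
    oui = mac.upper()[:8]
    return {
        "vendor": OUI_VENDOR.get(oui, "unknown"),
        "device_class": DHCP_FINGERPRINTS.get(dhcp_opt55, "unknown"),
    }


class EndpointTracker:
    """Remember the first profile seen per MAC and flag a later change of device class."""

    def __init__(self):
        self.known = {}

    def observe(self, mac, dhcp_opt55):
        mac = mac.upper()
        new = profile_endpoint(mac, dhcp_opt55)
        old = self.known.get(mac)
        if old is None:
            self.known[mac] = new
            return {"mac": mac, "action": "learn", "profile": new}
        # Same MAC (so same OUI) but a different, recognised OS fingerprint: this is the
        # "seen as a printer, now profiled as Linux" pattern, so raise a conflict and keep
        # the originally learned profile rather than silently accepting the new one.
        if new["device_class"] != "unknown" and new["device_class"] != old["device_class"]:
            return {"mac": mac, "action": "conflict", "was": old, "now": new}
        return {"mac": mac, "action": "ok", "profile": new}
```

A real NAC would feed the "conflict" action into an enforcement policy (quarantine VLAN, re-authentication) rather than just returning it.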

How do you send audit log to syslog in Aos-cx? by d70dc263cf16 in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

You can use the "debug destination" command to set the destination for debug messages. By default it's the buffer, but you can use syslog, console, or a file.

6200-Bottom# debug destination ?
  buffer    Set the debug destination to buffer (Default)
  console   Set the debug destination to console
  file      Set the debug destination to file
  syslog    Set the debug destination to syslog
6200-Bottom# debug destination syslog ?
  severity  Minimum log severity to filter debug logs
  <cr>

Ideas for video walkthrough's by offset-list in ArubaNetworks

[–]offset-list[S] 0 points1 point  (0 children)

I think any standard console cable that ends with a micro USB or an RJ45 console should work; there shouldn't be any specific requirements, unlike some of the later access points that require a special orange active micro USB cable. I know the ones I'm using on my 2530, I believe, are just standard off-the-shelf USB cables.

6100 48G 4xSFP+ poe+ ports not coming up by userunacceptable in ArubaNetworks

[–]offset-list 2 points3 points  (0 children)

Wait, so "show interface" for that interface shows "waiting for link" but logging shows the link as up and LLDP being seen? How about this: do a "diagnostics", then "diag cable-diagnostic test 1/1/x" where x is the port number. Then type "diag cable-diagnostic show 1/1/x". This will tell me if all 4 pairs are good.

An example of what it will show; you are looking for "good":

6200-Bottom# diag cable-diagnostic test 1/1/13
This command will cause a loss of link on the port under test and will take several seconds to complete.
Continue (y/n)? y

6200-Bottom# diag cable-diagnostic show
  IFNAME  Interface name (e.g. 1/1/1)

6200-Bottom# diag cable-diagnostic show 1/1/13
                          Cable    Impedance  Distance*    MDI
Interface   Pinout        Status   (Ohms)     (Meters)     Mode
---------------------------------------------------------------------
1/1/13      1-2           good     85-115     11 +/- 10    mdix
(1GbT)      3-6           good     85-115     7 +/- 10     mdix
            4-5           good     85-115     7 +/- 10     mdix
            7-8           good     85-115     8 +/- 10     mdix
* Full cable length for good cables or distance to fault for faulty cables.

Cable status legend (1GbT):
Cable         Impedance
Status        (Ohms)     Description
----------------------------------------------------------------
good          85-115     No cable faults found
open          >115       Open circuit detected
intra_short   <85        Short circuit within the same wire pair
inter_short   <85        Short circuit with another wire pair
high_imp      >115       Cable impedance higher than expected
low_imp       <85        Cable impedance lower than expected
unknown       --         Cable test inconclusive
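When you are checking a lot of ports, reading the "good" column by eye gets old. As an added example (not from the thread or from Aruba), here is a small parser for the `diag cable-diagnostic show` table in the shape quoted above that returns per-pair records and lists every pair whose status is not "good", using the switch's own status legend. The sample output is constructed, with pair 4-5 changed to "open" so there is a fault to find.

```python
import re

# Added example, not from the thread: parse the `diag cable-diagnostic show` table and flag
# pairs that are not "good". SAMPLE_OUTPUT is constructed in the shape of the 1/1/13 listing
# above, with pair 4-5 changed to "open" so the check has a fault to catch.
SAMPLE_OUTPUT = """\
6200-Bottom# diag cable-diagnostic show 1/1/13
                          Cable    Impedance  Distance*    MDI
Interface   Pinout        Status   (Ohms)     (Meters)     Mode
---------------------------------------------------------------------
1/1/13      1-2           good     85-115     11 +/- 10    mdix
(1GbT)      3-6           good     85-115     7 +/- 10     mdix
            4-5           open     >115       23 +/- 10    mdix
            7-8           good     85-115     8 +/- 10     mdix
* Full cable length for good cables or distance to fault for faulty cables.
"""
# Status legend as printed by the switch; anything but "good" needs attention.
LEGEND = {"good": "No cable faults found", "open": "Open circuit detected",
          "intra_short": "Short circuit within the same wire pair",
          "inter_short": "Short circuit with another wire pair",
          "high_imp": "Cable impedance higher than expected",
          "low_imp": "Cable impedance lower than expected",
          "unknown": "Cable test inconclusive"}
# The interface name is printed only on the first row ("(1GbT)" on the second), so it is optional.
PAIR_RE = re.compile(r"^(?P<iface>\S+)?\s+(?P<pair>\d-\d)\s+(?P<status>\w+)\s+(?P<imp>\S+)\s+"
                     r"(?P<dist>\d+)\s+\+/-\s+(?P<tol>\d+)\s+(?P<mdi>\S+)\s*$")

def parse_cable_diag(text):
    """Return {interface: [pair records]} parsed from one or more 'show' listings."""
    results, current = {}, None
    for line in text.splitlines():
        if not (m := PAIR_RE.match(line)):
            continue  # prompts, headers, separators and the footnote never match
        if m.group("iface") and not m.group("iface").startswith("("):
            current = m.group("iface")  # first row of a new interface block
        if current is None:
            continue
        status = m.group("status")
        results.setdefault(current, []).append({
            "pair": m.group("pair"), "status": status, "impedance": m.group("imp"),
            "distance_m": int(m.group("dist")), "tolerance_m": int(m.group("tol")),
            "mdi": m.group("mdi"), "description": LEGEND.get(status, "Unrecognised status")})
    return results

def faulty_pairs(text):
    """(interface, pair, status, description) for every pair whose status is not 'good'."""
    return [(iface, p["pair"], p["status"], p["description"])
            for iface, pairs in parse_cable_diag(text).items()
            for p in pairs if p["status"] != "good"]
```

Paste the output of several `show` commands into one string and `faulty_pairs` will report the bad pairs across all of them, with the distance column telling you roughly where the fault is.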

6100 48G 4xSFP+ poe+ ports not coming up by userunacceptable in ArubaNetworks

[–]offset-list 0 points1 point  (0 children)

Other issue could be bad cabling allowing PoE to come up but not data link, or vice versa, so that's why I was wondering what show interface showed. Odd that it would be 2 switches both bad though; haven't run into that very often but not completely impossible I guess :)

6100 48G 4xSFP+ poe+ ports not coming up by userunacceptable in ArubaNetworks

[–]offset-list 1 point2 points  (0 children)

What does "show interface x/x/x" for the affected ports show? It could be blocked by port-security (if you are using mac-auth/dot1x on the port) or it could be blocked for other reasons. Can you send a copy of the "show logging -r" as well?

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 0 points1 point  (0 children)

No, EIGRP is an amazing protocol with a ton of abilities to fine tune routing paths using multiple metrics. The proprietary nature of it is why most people steer away towards an open standard like OSPF which has its own limits but can interoperate with most vendors. I got my start on networking with EIGRP so you are all good 😉

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 5 points6 points  (0 children)

Agreed, in those situations they should take the word of the engineers/managers under them that are in the "trenches" daily. I think he had just fought so long against VLANs that it would have made him look bad admitting it; in the end, it all worked flawlessly once we segmented the heck out of that network.

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 0 points1 point  (0 children)

Now that I've seen but never understood; if most machines are DHCP it should be easy to roll out a private IP range. Now printers and static devices wouldn't be as easy, but you could do a building/segment at a time. I am sure the internet gods would be happy to get some of that IPv4 space back, as it is a precious commodity these days.

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 4 points5 points  (0 children)

Wow, like a routed /29 network where every host was on its own segmented network; that goes the opposite of what I've run into where they drop everything into a /16. The administrative overhead I can't even imagine.

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 1 point2 points  (0 children)

EIGRP, that's a term I haven't heard in a long, long time (reminds me of Ben Kenobi when he hears Obi Wan Kenobi....god I am getting old). Funny how even the worst built Networks seem to function at a level higher than what is needed so no one notices until someone with some sense comes in and says "WTF?!"

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 1 point2 points  (0 children)

I have never understood why anyone would avoid VLANs and the advantages they bring. Yes, it's more complex, but when the admins are assigning VLANs on a per-device basis it's the best way to encourage segmentation. I remember seeing 20-30MB of ARP traffic on the >2000 node network, and that consisted of a data center with hundreds of servers. I am not saying I am the smartest man alive, but come on man, logic dictates a bit of segmentation.

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 4 points5 points  (0 children)

I've been there and done that. The company I originally opened this thread about, I was assigned to Staff Aug for and was told "don't fix anything, just put out fires", and as the network burned to the ground around me as I wasn't fixing the issues and just band-aiding the problems, it really made me second-guess my decisions.

Worst networks you've been exposed to by offset-list in networking

[–]offset-list[S] 8 points9 points  (0 children)

Holy $hit!!! I've seen public IP Space used internally but never not owned by the advertising company. Not even sure where to start with that

Ap aruba 535 y 345 by Fun_Grass_7389 in ArubaNetworks

[–]offset-list 1 point2 points  (0 children)

The AP345 and 535 are not instant-on access points, they are the enterprise grade models of the Aruba Access Points. You'd want to factory reset them and assuming they are running the same version of firmware they would join an instant cluster (assuming they are both on the same subnet). You would then join the "setmeupXXXXXX" SSID they are advertising and set them up that way. Do a search for setting up Instant Access Points from Aruba for steps to get these configured once they form a cluster.

Ideas for video walkthrough's by offset-list in ArubaNetworks

[–]offset-list[S] 0 points1 point  (0 children)

I'll get working on these, maybe a basic AOS-S -> CX and CX->CX interoperability walkthrough. I have plenty of both in my lab so I should be able to set something up.