Wired Intelligent Edge

  • 1.  2 Tier Topology

    Posted Dec 15, 2025 01:26 AM

    Dear all,

    Greetings for the day, and I hope all are great.

    I have a 2-tier topology:

    2 VSX core switches connected with MC-LAG to many access switches, and I have multiple questions:

    1- Management VLAN: do I configure the VLANs and SVIs on both core and access switches?

    2- Data and voice VLANs: I configure the VLANs on the access switches, but SVIs should be configured only on the core switches?

    3- Should the MC-LAG IDs towards the access switches be different for all access switches, or is it enough to use one MC-LAG ID for all?

    4- Should the active gateway MAC be the same for all SVIs, or should it be different?

    5- Is there any recommendation for the active gateway MAC and system MAC in core and access?

    6- Regarding the active gateway MAC: between the VSX pair it will be synced, but for the same SVI on the access switches, such as management, should it be the same?

    Your answers are highly appreciated.



    -------------------------------------------


  • 2.  RE: 2 Tier Topology

    Posted Dec 15, 2025 01:50 AM

    Hi

     

    Thanks for reaching out to the community.

     

    I can give you some answers to your questions. However, some points are very individual and heavily depend on your design goals or preferences. There is not always a "right" and "wrong".

     

    1. CX-Switches give you the option of managing them using the OOBM (out-of-band / dedicated) management interface or using an SVI (inline). As using the OOBM on access switches is usually too complicated (you would need to connect an RJ45 copper cable to a switch with a management VLAN on it), you would configure an SVI and tag it to the uplink you have towards the core. On the core side this depends mostly on where you terminate your L3 networks. If you for example have a powerful firewall you may want to have all L3 interfaces configured there. So, on the core you don't configure any SVIs and therefore no routing functions. In such cases I prefer the use of the OOBM interface for management. However, configuring an SVI for inline management as the only one is also feasible. Just be careful when segmenting the network (for security purposes) not to route "client traffic" into the management network without traversing the firewall by having all SVIs configured in the same VRF.
    2. Mostly, this (=your suggestion) is the design which is simple and effective. In more complex designs you can also have routing enabled on the access switch and have OSPF running between the core and the access layer. However, that is only for very large networks.
    3. You need a separate LAG configuration for each access switch (stack) on the core. So, given you have 3 access switch (stacks), you need to MC-LAG IDs configured on the core for the access switches. On the access switch side, you may use always the same ID. I prefer assigning the LAG ID using port number information. E.g. an access switch connected to interface 1/1/1 gets LAG 1, an access switch connected to interface 1/1/2 gets LAG 2 etc.
    4. Yes, all the same, that's quite important. You only have a limited number of MAC addresses available for AG per VSX cluster.
    5. Yes, see VSX configuration best practices: https://support.hpe.com/hpesc/public/docDisplay?docId=a00094242en_us&docLocale=en_US
    6. I'm not sure whether I understand your question. Can you please explain what you intend to do in more detail?

     

    I hope this helps. Feel free to reply to my post if you still have any questions.

     

    Regards,

    Thomas

     






  • 3.  RE: 2 Tier Topology

    Posted Dec 15, 2025 02:17 AM

    First of all, I really thank you for the clear answers.

    I am actually new to Aruba. I used to work in a Cisco environment as below, and wanted to know whether it is possible to do it in Aruba.

    1- I used to create the management, data and voice VLANs in the core with SVIs, including IP helper for data and voice, and just configure the management VLAN in the access switches for connectivity, then broadcast the VLANs by VTP. But I got to know that VTP is not supported in Aruba, so I was asking: if I did the same thing manually without VTP, meaning create the VLANs only in the access switches, is it going to work?

    6-Regarding Active gateway MAC between VSX will be synced but for the same SVI in access switches as management should be same   ?

    I mean when I configure the management SVI, it will contain:

    1- IP address, which is for sure going to be different on each switch

    2- Gateway IP and MAC, which are also going to be synced in VSX to the second pair, and I think I should not configure the IP and MAC on the access switches if I configured the management SVI there, because these gateways should only be on the VSX pairs

    -------------------------------------------



  • 4.  RE: 2 Tier Topology

    Posted Dec 15, 2025 03:37 AM

    Hi

     

    1. management VLAN: if you do not route it directly on the access switch, you need to create it on the core and forward it on the LAGs Core <-> Access. Otherwise it will be isolated. Aruba does have a comparable thing to VTP called MVRP. However, you cannot use it together with VSX.
    1. On the access switches you need an SVI with an individual IP address plus an ip route (ip route 0.0.0.0/0 x.x.x.x) towards the gateway for the management VLAN (can for instance be your core or your firewall depending on your setup). On the core you need an IP per node (if you want to use it for management) and an active-gateway IP/MAC (if you want to have it configured as gateway for that VLAN).

     

    If you want, post a sanitized version of your basic configuration of your core nodes and an access switch here, so, we can validate it.

     

    Regards

    Thomas

     

     






  • 5.  RE: 2 Tier Topology

    Posted Dec 15, 2025 09:14 AM

    Hi

    First of all thank you

    This is my configuration 

    and I want to inform you that I created 3 interface VLANs in the core switch

    1- Management VLAN for switches access

    2- DHCP server VLAN which is for DHCP subnet and I assign 1 port to access this VLAN for connectivity with DHCP 

    3- VLAN for users, and the IP helper is the DHCP server

    _________

    In the access switch I just created one interface VLAN, which is for management,

    and configured the user VLAN and also assigned one port that is connected to an endpoint

    _______________________________

    The client took an IP as attached and can also ping the DHCP server

    __________________________________________

    The issue is that from the access switch I cannot ping any IP except the management VLAN which is configured on the access switch

    ______________________________________________________

    Important: I used to do this in a Cisco environment

    Interface VLANs in the core, and just the management VLAN interface configured in the access switch; the others are only VLANs with a trunk connection and a default gateway of the core. But here I didn't find anything such as a default gateway

    Core Configuration 

    VSX

    VSX Operational State
    ---------------------
      ISL channel             : In-Sync
      ISL mgmt channel        : operational
      Config Sync Status      : In-Sync
      NAE                     : peer_reachable
      HTTPS Server            : peer_reachable

    Attribute           Local               Peer
    ------------        --------            --------
    ISL link            lag256              lag256
    ISL version         2                   2
    System MAC          02:01:00:00:01:00   02:01:00:00:01:00
    Platform            X86-64              X86-64
    Software Version    Virtual.10.14.1000  Virtual.10.14.1000
    Device Role         primary             secondary

    ________________________________________________________________________________

    interface vlan 10
        description **MC MGMT**
        vsx-sync active-gateways
        ip address 192.168.10.2/24
        active-gateway ip mac 02:01:00:00:02:00
        active-gateway ip 192.168.10.1
        ipv6 address link-local
    interface vlan 61
        description **DHCP Server**
        vsx-sync active-gateways
        ip address 192.168.61.2/24
        active-gateway ip mac 02:01:00:00:02:00
        active-gateway ip 192.168.61.1
        ipv6 address link-local
    interface vlan 200
        description ** IT USers**
        vsx-sync active-gateways
        ip address 192.168.200.2/24
        active-gateway ip mac 02:01:00:00:02:00
        active-gateway ip 192.168.200.1
        ipv6 address link-local
        ip helper-address 192.168.61.10

    ______________________________________________________________________________________________

    Access Switch

    interface vlan 10
        description **MC MGMT**
        ip address 192.168.10.4/24
        ipv6 address link-local

    1/1/3          200     access --             yes     up

    -------------------------------------------



  • 6.  RE: 2 Tier Topology
    Best Answer

    Posted Dec 16, 2025 12:49 AM
    Hi

    Looks like you are missing the default route on the access switch.

    What switch model do you have there?

    Did you try "ip route 0.0.0.0/0 192.168.10.1" at the global level?

    Regards,
    Thomas
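
The checks discussed in this thread (default route on an access switch that carries only a management SVI, one active-gateway MAC across all SVIs, and the caution about the management SVI sharing a VRF with client SVIs) can be run against a saved configuration. This is an added example, not code from the thread or from HPE Aruba; the function names, finding labels, the `role` argument and the `mgmt_vlan=10` default are assumptions, and the sample text is constructed from the configuration posted above.

```python
import ipaddress
import re

def parse(config):
    """Return ({vlan: settings}, [global lines]) from AOS-CX-style text."""
    svis, top, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface vlan ?(\d+)$", line)
        if m:
            cur = svis.setdefault(int(m.group(1)), {"vrf": "default", "mac": None, "net": None})
        elif cur is not None and raw[:1].isspace():
            if line.startswith("ip address "):
                cur["net"] = ipaddress.ip_interface(line.split()[2]).network
            elif line.startswith("active-gateway ip mac "):
                cur["mac"] = line.split()[3].lower()
            elif line.startswith("vrf attach "):
                cur["vrf"] = line.split()[2]
        elif line:
            cur = None  # back at global level (or another interface type)
            top.append(line)
    return svis, top

def audit(config, role, mgmt_vlan=10):  # role: "access" or "core"
    svis, top = parse(config)
    found = []
    hops = [m.group(1) for t in top if (m := re.match(r"ip route 0\.0\.0\.0/0 ([\d.]+)", t))]
    nets = [s["net"] for s in svis.values() if s["net"]]
    if role == "access" and not hops:
        found.append("no-default-route")  # only the SVI's own subnet is reachable
    if any(not any(ipaddress.ip_address(h) in n for n in nets) for h in hops):
        found.append("next-hop-not-on-connected-subnet")
    if len({s["mac"] for s in svis.values() if s["mac"]}) > 1:
        found.append("active-gateway-mac-differs")
    mgmt = svis.get(mgmt_vlan)
    if mgmt and any(s["vrf"] == mgmt["vrf"] for v, s in svis.items() if v != mgmt_vlan):
        found.append("mgmt-svi-shares-vrf")  # other SVIs route to mgmt on-box
    return found

# Constructed samples, trimmed from the configuration posted in this thread.
ACCESS = "interface vlan 10\n    ip address 192.168.10.4/24\n"
FIXED = ACCESS + "ip route 0.0.0.0/0 192.168.10.1\n"
CORE = """interface vlan 10
    ip address 192.168.10.2/24
    active-gateway ip mac 02:01:00:00:02:00
interface vlan 200
    ip address 192.168.200.2/24
    active-gateway ip mac 02:01:00:00:02:00
"""
```

`audit(ACCESS, "access")` reports the missing default route, `audit(FIXED, "access")` is clean, and `audit(CORE, "core")` reports that VLAN 10 and VLAN 200 sit in the same VRF, which is the case where a firewall or ACL has to be placed deliberately.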






  • 7.  RE: 2 Tier Topology

    Posted Dec 16, 2025 01:36 AM
    Edited by Te10 Dec 16, 2025 01:38 AM

    Hi thomasbnc

    And thank you for your cooperation

    Switches are

    8300 as core and distribution switch

    6200 as access switches

    And as the access switches are layer 2, shouldn't the default gateway be used in this scenario, or is it replaced by the default route in this case?

    And what about the other configuration? I mean the VLAN configuration: all interface VLANs should be configured in the core, and just the management VLAN interface configured in the access switches, keeping the VLAN config in the access switches?

    Thank you in advance

    -------------------------------------------



  • 8.  RE: 2 Tier Topology

    Posted Dec 16, 2025 12:17 PM

    Thank you

    It is working fine, I can reach all VLANs from the access switch

    but I wanted to know whether I am following the best practice here

    Switches are

    8300 as core and distribution switch

    6200 as access switches

    And as the access switches are layer 2, shouldn't the default gateway be used in this scenario, or is it replaced by the default route in this case?

    And what about the other configuration? I mean the VLAN configuration: all interface VLANs should be configured in the core, and just the management VLAN interface configured in the access switches, keeping the VLAN config in the access switches?

    Thank you in advance

    -------------------------------------------



  • 9.  RE: 2 Tier Topology

    Posted Jan 21, 2026 06:04 AM

    Hi Thomas

    Actually I configured my network with an external DHCP server and it worked fine, but when I removed the external one and configured local DHCP in the core switch, clients couldn't get IPs. I tried many things with no success, and I am following the document, but unfortunately it didn't work.

    Here is my configuration

    2 VSX cores configuration

    Vlan 60 management

    Vlan 61 data

    Interface vlan 60

    Ip address 192.168.60.2

    Active gateway 192.168.60.1

    active mac

    Interface vlan 61

    Ip address 192.168.61.2

    Active gateway 192.168.61.1

    active mac

    Dhcp-server vrf default

    Range 192.168.61.50 192.168.61.254

    Leases 12:00:00

    Default-router 192.168.61.1

    Enable

    Multi-chassis lag

    Native vlan 1

    Trunk allowed all

    Same in other vsx pair

    _________________

    Access switch configuration

    Vlan 60 management

    Vlan 61 data

    just only

    Interface vlan 60

    Ip address 192.168.60.11

    I could not ping at first; after adding the default route to 192.168.60.1 I could ping

    Lag

    Vlan trunk allowed all

    Native vlan 1

    -------------------------------------------