

Aruba RAP in bridge mode with remote access

The Aruba Networks Remote Access Point (RAP) is a nice feature for branch offices or home workers. I use a RAP5WN at home and configured different SSIDs on it. The SSIDs are in tunnel mode, split-tunnel mode or bridge mode. The bridge-mode connections are for my home devices, like my girls' iPad and iPhone.

The RAP5WN has four 10/100 FastEthernet ports. I configured wired AP profiles for these ports, also in bridge mode. All devices in bridge mode receive an IP address from my local internet router (ADSL), and this works without any problems. Devices in bridge mode can communicate with each other directly.

My local internet router has some port forwarding rules configured so I can access the server from the internet. After putting the Aruba RAP in place and physically moving the server from the local router to the RAP, I couldn't access the server anymore. After some more testing I noticed that I couldn't connect to any device behind the RAP when I tried to reach it through the uplink port of the RAP.

I checked the configuration of the RAP, especially the wired AP profiles, but couldn't find any parameter related to this behavior. Eventually I found the solution in the AP system profile: the Session ACL setting. The explanation for the setting reads: "Session ACL applied on uplink of a remote AP". By default the session ACL parameter is set to ap-uplink-acl, which contains the following entries:

ip access-list session ap-uplink-acl
any any udp 68  permit
any any svc-icmp  permit
any host udp 5353  permit

I changed this setting to the session acl allowall to permit all traffic on the uplink interface.

ap system-profile "custom-ap-system-profile"
   session-acl "allowall"
ap-group "home-rap-group"
   ap-system-profile "custom-ap-system-profile"

I was able to connect remotely to the server after applying the session acl allowall to the AP system profile, which is connected to the correct AP group. Problem solved!!
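As an added example (not from the original post, and not Aruba's code), here is a small Python model of session ACL evaluation that shows why the default ap-uplink-acl silently dropped the port-forwarded traffic and what allowall opens. The ACL entries are the ones quoted above; the port-22 entry in NARROW_ACL and the treatment of the source/destination fields are assumptions for this model.

```python
# Added example, not from the original post: a small model of how an ArubaOS
# session ACL is evaluated on the RAP uplink: entries are <source> <destination>
# <service> <action>, first match wins, unmatched traffic hits the implicit deny.
# Source and destination fields are assumed to match everything in this model.
from dataclasses import dataclass

# Constructed from the default ap-uplink-acl quoted in the post.
AP_UPLINK_ACL = """
any any udp 68 permit
any any svc-icmp permit
any host udp 5353 permit
"""
ALLOWALL_ACL = "any any any permit"  # the setting the post switched to
# Constructed alternative: the default entries plus only the forwarded service
# (placeholder port 22) instead of opening the uplink completely.
NARROW_ACL = AP_UPLINK_ACL + "any any tcp 22 permit\n"

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port; 0 for icmp

def parse_acl(text):
    """Return (service, action) tuples from ACL entry lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:     # e.g. "any any svc-icmp permit"
            service, action = parts[2], parts[3]
        elif len(parts) == 5:   # e.g. "any any udp 68 permit"
            service, action = f"{parts[2]} {parts[3]}", parts[4]
        else:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        rules.append((service, action))
    return rules

def service_matches(service, flow):
    if service == "any":
        return True
    if service == "svc-icmp":
        return flow.proto == "icmp"
    proto, port = service.split()
    return flow.proto == proto and flow.dport == int(port)

def evaluate(text, flow):
    """Action of the first matching entry, or the implicit 'deny'."""
    for service, action in parse_acl(text):
        if service_matches(service, flow):
            return action
    return "deny"
```

Evaluating the forwarded service against NARROW_ACL shows that the three default entries plus one explicit permit are enough to reach the server while every other port still ends in the implicit deny.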

HP Virtual Connect Manager

While changing the configuration of an HP Virtual Connect Manager I noticed that I didn't have any option to delete server profiles, Ethernet Networks or Shared Uplink Sets from the web browser.

I needed to change the configuration dramatically from an active / standby configuration to an active / active configuration. I also needed to change the complete server profile configuration and Ethernet Networks configuration.

I noticed that I can also connect to the HP VC Flex-10 Enet modules through SSH, which presents a CLI with different command options. And of course the CLI offered more options than the web interface.

HP Virtual Connect Management CLI v3.18
Build: 3.18-3 (r46087) Apr  1 2011 17:45:49
(C) Copyright 2006-2011 Hewlett-Packard Development Company, L.P.
All Rights Reserved


help           : displays a list of available subcommands
exit           : quits the command shell
<subcommand> ? : displays a list of managed elements for a subcommand
<subcommand> <managed element> ? : displays detailed help for a command


Through the CLI I had the option to remove the server profiles, Ethernet Networks and the configured Shared Uplink Set. The help command (?) is very useful for checking the syntax of the remove commands. You have to remove the different items in the correct order. I used the following order:

  1. Server Profile: remove profile <profile_name>
  2. Ethernet Networks: remove network <enet_name>
  3. Shared Uplink Set: remove uplinkset <sus_name>

When you try to delete the items in the wrong order you receive an error message on the console, like the one shown below.

->remove uplinkset SUS1
ERROR: Operation not allowed : The requested shared uplink set is currently in use by one or more networks

After deleting the configuration I configured my desired setup. The configuration can be a little bumpy, depending on the firmware used by the Virtual Connect Manager. I found a very good article on configuring HP Virtual Connect Manager in conjunction with ESX and Windows Hyper-V.

HP Virtual Connect Ethernet Cookbook: Single and Multiple Enclosure Domain

TIP: when configuring or changing Ethernet network settings on a Server Profile, first unassign the profile from the bay. Changing settings on an unassigned profile is much faster than on an assigned one.

What is an UPLINK port?

A colleague recently ran into some problems with keepalives on switch ports and wrote a post about it. Keepalives are, quoted from his blog post:

By default Cisco routers and switches periodically test their (Fast) Ethernet links by sending out Loopback frames (ethertype 0x9000) addressed to themselves. Call it a "L2 self-ping" if you will. In a switched environment it can be used to test the functionality of the switch and/or keep the router's MAC address in the switch's address table. Another thing these Loopback frames do is check for a loop. If there is a loop in the network, the resulting Loopback frame will be seen by the sending switch and the port will be err-disabled.

Cisco says that starting in 12.2SE based releases, keepalives are NO longer sent by default on fiber and uplink interfaces.

The big question I am struggling with is:

When is a port an UPLINK port?

Looking at a Cisco Catalyst 2960-24PC-L I get the following keepalive information on the interfaces.

SW01#sh int | i 0/23|0/24|GigabitE|Keep

FastEthernet0/23 is down, line protocol is down (notconnect)
  Keepalive set (10 sec)
FastEthernet0/24 is down, line protocol is down (notconnect)
  Keepalive set (10 sec)
GigabitEthernet0/1 is up, line protocol is up (connected)
  Keepalive not set
GigabitEthernet0/2 is up, line protocol is up (connected)
  Keepalive not set

The output above shows that keepalives are enabled on the FastEthernet ports by default and disabled on the GigabitEthernet ports. The GigabitEthernet ports are dual-purpose, but I don't use the fiber connection. Because they are dual-purpose ports, I can imagine that keepalives are disabled by default because of the fiber properties.

So I looked at a Cisco Catalyst 2960-48TT-L switch with Software Version 12.2(44)SE. This switch has no fiber connections, only copper. From this switch I get the following keepalive information.

SW01#sh int | i 0/47|0/48|GigabitE|Keepa

FastEthernet0/47 is down, line protocol is down (notconnect)
  Keepalive set (10 sec)
FastEthernet0/48 is down, line protocol is down (notconnect)
  Keepalive set (10 sec)
GigabitEthernet0/1 is down, line protocol is down (notconnect)
  Keepalive set (10 sec)
GigabitEthernet0/2 is up, line protocol is up (connected)
  Keepalive set (10 sec)

The output tells me that keepalives are enabled on all switch ports. GigabitEthernet0/2 is configured as a trunk port, so now I am very confused.

I drew the following conclusions:

  1. Keepalives are disabled on uplink and fiber ports starting in 12.2SE releases. GigabitEthernet0/2 on the 48TT-L switch is configured as a trunk port, so a trunk port is not the same as an uplink port;
  2. The "special" ports on the right side of a switch are not uplink ports, because otherwise GigabitEthernet0/2 on the 48TT-L switch would have keepalives disabled.

After drawing these conclusions I still don't know the exact definition of an UPLINK port :-(. Please let me know if you have a suitable definition for an UPLINK port…
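As an added example (not from the original post), the following Python parses the "sh int | i ..." output shown above and reports the keepalive state per interface, so a whole switch can be checked in one pass for ports where the L2 self-ping, and with it the loop check that err-disables a port, is not running. The sample is constructed from the 2960-24PC-L output on this page.

```python
# Added example, not from the original post: parse the "sh int | i ..." output
# quoted above and report the keepalive state per interface.
import re

# Constructed from the 2960-24PC-L output on the page.
SAMPLE = """\
FastEthernet0/23 is down, line protocol is down (notconnect)
  Keepalive set (10 sec)
FastEthernet0/24 is down, line protocol is down (notconnect)
  Keepalive set (10 sec)
GigabitEthernet0/1 is up, line protocol is up (connected)
  Keepalive not set
GigabitEthernet0/2 is up, line protocol is up (connected)
  Keepalive not set
"""

IFACE_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
KEEP_RE = re.compile(r"^\s+Keepalive (?:set \((\d+) sec\)|(not set))")


def parse_keepalives(text):
    """Map interface name -> {'status', 'protocol', 'keepalive'}.

    'keepalive' is the interval in seconds when set, False when the line
    reads 'Keepalive not set', and None when no Keepalive line was seen
    (for example because the show filter dropped it).
    """
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "protocol": m.group(3),
                               "keepalive": None}
            continue
        m = KEEP_RE.match(line)
        if m and current:
            result[current]["keepalive"] = int(m.group(1)) if m.group(1) else False
    return result


def keepalive_disabled(text):
    """Interfaces where the L2 self-ping, and so its loop check, is not running."""
    return sorted(name for name, info in parse_keepalives(text).items()
                  if info["keepalive"] is False)
```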