Cisco ASA: Remove FTD and Return to ASA and ASDM

Remove FTD KB ID 0001496

Problem

A few weeks ago I posted an article about re-imaging your Cisco ASA to FTD (FirePOWER Threat Defence). Now you may find that the FTD is not as ‘Feature rich’ as your old firewall, or that there’s a ‘Lack of feature parity’, which are two polite ways of saying that it’s crap, (sorry it’s just awful, as usual Cisco should’ve spent a LOT longer developing this product, before they released it!)

So now you want to remove the FTD image and go back to good old fashioned ASA code, so you can use the ASDM to manage it, or (of course) command line.

Prerequisites : Remove FTD

You will need a few things to perform the re-image;

  • A copy of the Cisco ASA operating system downloaded from Cisco (requires an in date support contract)
  • A copy of the Cisco ASDM Image downloaded from Cisco (requires an in date support contract)
  • The Activation Code for your firewall (which if you followed my previous article, you kept safe). If you don’t have it you need to get the firewall serial number and go to Cisco licensing, start an online chat, and be polite!
  • A TFTP server, (you can set this up on your laptop) I used a mac so TFTP is built in, if you are a Windows user then go here.
  • A rollover/serial cable and some terminal software, see this post for details.
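
TFTP has no authentication or integrity checking, so it is worth checking both images against the SHA-512 values shown on Cisco's download page before the firewall pulls them. The script below is an added example, not part of the original article; the manifest file and its format are assumptions, and the hash values must be copied from the download page yourself.

```shell
#!/bin/sh
# Added example, not from the original article.
# Checks every image listed in a manifest against its expected SHA-512 before
# the files are offered over TFTP. Manifest format (an assumption of this
# example): one "<sha512-hex>  <filename>" pair per line, '#' starts a comment.

# Print the lowercase SHA-512 of a file, using whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 512 "$1" | awk '{print tolower($1)}'   # macOS
    fi
}

# verify_tftp_root <tftp-root> <manifest>
# Prints OK / MISMATCH / MISSING per entry; returns 0 only if all entries are OK.
verify_tftp_root() {
    root=$1
    manifest=$2
    rc=0
    # "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while read -r want name || [ -n "$want" ]; do
        case "$want" in
            ''|'#'*) continue ;;
        esac
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ ! -f "$root/$name" ]; then
            echo "MISSING  $name"
            rc=1
            continue
        fi
        if [ "$(sha512_of "$root/$name")" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Self-check on constructed data: one intact file, one modified after hashing.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed image A' > "$d/a.SPA"
    printf 'constructed image B' > "$d/b.bin"
    {
        printf '%s  a.SPA\n' "$(sha512_of "$d/a.SPA")"
        printf '%s  b.bin\n' "$(sha512_of "$d/b.bin")"
    } > "$d/manifest"
    printf 'x' >> "$d/b.bin"          # simulate an altered image
    verify_tftp_root "$d" "$d/manifest"
    status=$?
    rm -rf "$d"
    return "$status"
}

# Usage (paths are placeholders):
#   verify_tftp_root /private/tftpboot ./images.sha512 || echo "do not start the transfer"
```
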

Re-Image Cisco ASA5500-X to Remove FTD

Connect to the firewall via console cable and login, then reboot the firewall.

[box]

PNL-FirePOWER login: admin
Password: {Enter your password}
Last login: Thu Dec 13 20:18:35 UTC 2018 from 10.254.254.49 on pts/0

Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506-X Threat Defense v6.2.3.6 (build 37)

> reboot
This command will reboot the system.  Continue?
Please enter 'YES' or 'NO': YES

Broadcast message from root@PNL-Stopping Cisco ASA5506-X Threat Defense...

[/box]

When the ASA reboots, press ‘Break’ to interrupt the startup and boot into ROMMON mode.

[box]

Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders

Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 6c:b2:ae:de:01:06

Use BREAK or ESC to interrupt boot. {Break}
Use SPACE to begin boot immediately.
Boot interrupted.

rommon 1 >

[/box]

You need to erase the contents of the built in flash drive;

[box]

rommon 1 > erase disk0:
erase: Erasing 7515 MBytes ...................................................
..............................................................................
..............................................................................
..............................................................................
rommon 2 >

[/box]

I’m re-imaging an ASA5506-x, so I don’t need to specify an interface (it will use the management interface, so MAKE SURE that is connected to the same network as your TFTP Server). Note: If you are not re-imaging a 5506, 5508, 5516, then you can specify which interface to use, by using an ‘interface gigabitethernet0/1‘ command.

Give the ASA some IP details, tell it where the TFTP server is and what the update file is called. You can then view the settings with a ‘set‘ command;

[box]

rommon 2 > address 10.254.254.253
rommon 3 > server 10.254.254.106
rommon 4 > gateway 10.254.254.106
rommon 5 > file asa992-36-lfbff-k8.SPA
rommon 6 > set
    ADDRESS=10.254.254.253
    NETMASK=255.255.255.0
    GATEWAY=10.254.254.106
    SERVER=10.254.254.106
    IMAGE=asa992-36-lfbff-k8.SPA
    CONFIG=
    PS1="rommon ! > "

rommon 7 >

[/box]

Note: I set the default gateway to the same IP as the TFTP server, (that’s fine).

To initiate the download you need to execute a ‘tftpdnld‘ command;

[box]

rommon 7 > tftpdnld
             ADDRESS: 10.254.254.253
             NETMASK: 255.255.255.0
             GATEWAY: 10.254.254.106
              SERVER: 10.254.254.106
               IMAGE: asa992-36-lfbff-k8.SPA
             MACADDR: 6c:b2:ae:de:01:06
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect
..
Receiving asa992-36-lfbff-k8.SPA from 10.254.254.106!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
File reception completed.

[/box]

The firewall will start up running the correct ASA code. WARNING: At this point the operating system is NOT in the flash, and the firewall is running the factory default config, so don’t reboot it, before you have carried out the following procedures.

Once started go to enable mode (password will be blank), and configure terminal mode, and format the flash drive, (don’t worry, the OS is running in memory at this point, it won’t break).

[box]

ciscoasa> enable
Password: {Enter}
ciscoasa# configure terminal
ciscoasa(config)# format disk0:

Format operation may take a while. Continue? [confirm] {Enter}

Format operation will destroy all data in "disk0:".  Continue? [confirm] {Enter}
Initializing partition - done!
Creating FAT32 filesystem
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk

Format of disk0 complete

[/box]

Now you need to copy in the operating system (this time to flash memory), and set it as the boot image.

[box]

ciscoasa(config)# copy tftp disk0:

Address or name of remote host []? 10.254.254.106

Source filename []? asa992-36-lfbff-k8.SPA

Destination filename [asa992-36-lfbff-k8.SPA]? {Enter}

Accessing tftp://10.254.254.106/asa992-36-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!
Verifying file disk0:/asa992-36-lfbff-k8.SPA...

Writing file disk0:/asa992-36-lfbff-k8.SPA...

111503184 bytes copied in 338.80 secs (329891 bytes/sec)
ciscoasa(config)# boot system disk0:/asa992-36-lfbff-k8.SPA

[/box]

Then repeat the procedure, but this time to copy over the ASDM image, and set it as default.

[box]

ciscoasa(config)# copy tftp disk0:

Address or name of remote host [10.254.254.106]? {Enter}

Source filename [asa992-36-lfbff-k8.SPA]? asdm-7101.bin

Destination filename [asdm-7101.bin]? {Enter}

Accessing tftp://10.254.254.106/asdm-7101.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-7101.bin...

Writing file disk0:/asdm-7101.bin...

INFO: No digital signature found
34143680 bytes copied in 118.250 secs (289353 bytes/sec)
ciscoasa(config)# asdm image disk0:/asdm-7101.bin

[/box]

You now need to enter your activation key again, to unlock any licensed features you have.

[box]

ciscoasa(config)# activation-key 3602fa77 540a5abc 50c13234 a378e777 c839300a
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)#

[/box]

Then either configure the firewall manually, or restore from a backup, and save the changes!

Backup and Restore a Cisco Firewall

Backup and Restore a Cisco Router with TFTP

[box]

ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 849a4713 61a6532b 0eb6d7a5 92ff32c3

3879 bytes copied in 0.280 secs
[OK]
ciscoasa(config)#

[/box]

 

Related Articles, References, Credits, or External Links

Convert ASA 5500-X To FirePOWER Threat Defence

HPe Synergy 12000 MPIO QSFP to 10GB SFP Setup

KB ID 0001495

Problem

I was recently involved in deploying an HPe Synergy 12000 Frame. And the network connections from it were ‘a little unusual’ so I thought I’d document that here, to save anyone else the problems I had.

I was connecting to an HP/Aruba 5412 switch so my cables were all HP/Aruba (to be on the safe side).

What you can see (above) is the MPIO Cable (K2Q46A P/N 800867-001) fixed onto the left, and (above, boxed) there is a QSFP (P/N 817040-B21). Note: this can be used either as 4 x 10GbE or 4 x 8Gb FC. On the right you can see the cable ends in 4x Standard LC fibre connectors, so you will also need 4x 10GB SR SFP+ Modules (Aruba P/N J1950D) – shown bottom right.

So what does it do? (Apart from cost a fortune!) Well the QSFP connects at 40Gb and splits the traffic down into 4 x 10Gb.

Cabling and Configuring MPIO QSFP

Connecting up is pretty straightforward. REMEMBER: when you connect the 40GB QSFP to the Synergy it will light purple if it’s connected, and flash purple when it sees activity.

Connecting to the switch is also easy enough. WARNING: All the ports need to be Trunked (HP) or Ether Channelled (Cisco), with LACP enabled. You don’t need to worry about configuring LACP on the Synergy, that’s handled automatically by the ‘Uplink set’.

So the back of the ‘Frame’ has two interconnect links (If you are from a switch background think of these like stacking cables). And two MPIO uplink cables.

HPe/Aruba Switch Config For MPIO

As previously stated, the switch I’m using is an Aruba 5412, with two 8 Port 1Gb/10Gb modules (J9993-A). Here’s the relevant switch config;

[box]

Firstly give the interfaces a sensible name;
!
interface A2
   name "Trunk Link to Synergy VC1 Port Q1"
   exit
interface A3
   name "Trunk Link to Synergy VC1 Port Q1"
   exit
interface A4
   name "Trunk Link to Synergy VC1 Port Q1"
   exit
interface A5
   name "Trunk Link to Synergy VC1 Port Q1"
   exit
!
interface B2
   name "Trunk Link to Synergy VC2 Port Q1"
   exit
interface B3
   name "Trunk Link to Synergy VC2 Port Q1"
   exit
interface B4
   name "Trunk Link to Synergy VC2 Port Q1"
   exit
interface B5
   name "Trunk Link to Synergy VC2 Port Q1"
   exit
!

Show any 'already configured' Trunk links with a 'show trunk' command
In my case two existed, (Trk1 and Trk2). So I used Trk3;

!
trunk A2-A5,B2-B5 Trk3 LACP
!

Now UNTAG VLAN 1 (assuming that's your default VLAN) and TAG any VLANs that
need to be used in the Synergy deployment. (Note: on an HP switch, simply add
Trk3 to the existing settings, like so);

!
vlan 1
   untagged A6-A8,B6-B8,E1-E24,F1-F24,G3-G12,H3-H12,Trk1-Trk3
   exit
!
vlan 100
   tagged Trk1-Trk3
   exit
vlan 101
   tagged Trk1-Trk3
   exit
vlan 102
   tagged Trk1-Trk3
   exit
vlan 103
   tagged Trk1-Trk3
   exit
etc.

[/box]

Cisco Switch Config For MPIO

If you have a Cisco Switch then instead of ‘Trunking’ you will be ‘Ether Channelling’. For a more detailed explanation see the following post;

HP and Cisco – VLANs and Trunks Confusion!

[box]

!
interface port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface range Te1/1 - 4 , Te2/1 - 4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
!

[/box]

Configuring Synergy 12000 Networking

The process is: you add Networks, then collect Networks together in Network Sets, then you create Logical Interconnect Groups. Part of creating a Logical Interconnect Group involves creating an Uplink Set, which consists of both your Networks and the Uplink ports.

Note: A Network Set is used by a Server Profile, (or a Server Profile Template).

Create Networks

One View > Networking > Networks > Create Network

Create Network Sets

One View > Networking > Networks Sets  > Create Network Set  > Give it a name > Add Networks > Create.

Create Logical Interconnect Group

One View > Networking > Logical Interconnect Group  > Create Logical Interconnect Group > Give it a name > Select the correct  Interconnect Bay Set (see diagram above) > Select Interconnects > Add Uplink Set.

Give the set a name > Select the Type > Add in the Networks > Add in the Uplinks > Create.

Note: You only need to add in ALL the LOGICAL interfaces i.e. Q1:1, Q1:2, Q1:3, Q1:4 for EACH Interconnect module.

After a few minutes if you look under One View > Networking > Logical Interconnects > You will see one listed that has the name of your Logical Interconnect group (with a divide symbol on the end!) Make sure ALL the logical uplinks are connected. (If not you will see LACP errors on the switch).

 


Exchange – OWA and ECP Blank Page After Logon

ECP Blank Page KB ID 0001185

Problem

Note: This article is for Exchange 2013,2016 and 2019, if you are running Exchange 2010 or 2007 see the following article;

Exchange 2010 – Blank OWA Page?

Sometimes this happens after applying updates to Exchange! Firstly make sure all your services are running! From an administrative PowerShell window run the following command;

[box]

Get-Service *Exchange* | Start-Service

[/box]

After making some certificate changes in Exchange 2016 this week, I found that the Outlook Web Access and Exchange Management websites would not work? I was presented with the normal login dialog, but after a successful authentication this happened.

ECP Blank Page: Solution

This happens because the website that runs the ‘Exchange Backend’ has lost the certificate for its https binding.

Open the Internet Information Services Management snap-in > Server-name > Sites  > Exchange Back End > Edit Bindings > https (444) > Edit > Select the correct certificate for Exchange.

Then restart the site, or run ‘iisreset’, or simply reboot the server.


Domain Controller Won’t Boot: Stop Code ‘0x00002e2’

KB ID 0001494

Problem

I had this problem after a VMware host upgrade last night, this domain controller would not boot, I tried ‘Last Known Good Configuration’, I tried ‘Safe Mode’ it would not boot. More out of desperation than procedure, I tried to boot to ‘Directory Services Restore Mode’ and it booted up (hooray!) I tried all the client’s usual passwords, and could not log in, I messaged them to ask for the DSRM password, and tried all the ones they sent me, it seems I was defeated!

They had other domain controllers, and their critical systems were up, so I arranged for this server to be restored the following morning from tape.

A lot of you will (I hope) know your DSRM password, so you have fewer problems than I had, so you can skip the resetting the DSRM password part.

Reset DSRM Password (From Boot Disk)

If you Google resetting the DSRM password you get a ton of posts telling you to use ntdsutil, which is great if you can logon, but I could not. I’ll let you into a secret: The DSRM password is actually the LOCAL administrator’s password on the Domain Controller, and resetting the local admin password, (using a Linux boot disk, {don’t panic it’s simple!}) well we have been able to do this since the days of NT4! (DON’T PAY FOR A UTILITY TO DO THIS).

To download the boot disk and see how this is done follow the instructions I’ve already written in THIS POST. The only difference is, I chose to {blank} the password, rather than reset it, (you can reset it afterwards using ntdsutil if you want to).

Select option 1: Clear (blank) user password;

Boot Into DSRM Mode and Repair Active Directory

You can now boot into DSRM mode, (if you don’t see these options Press F8 as the server boots).

As soon as you enter ‘administrator’ and then click in the password box, the ‘Sign in to‘ option will change from the domain name to the domain controller’s name. This usually happens on all machines, that are NOT domain controllers, but in this case, it’s expected behaviour, (as we will be logging in with a LOCAL password). Remember I blanked the password, so I’m leaving it empty.

First let’s take a backup of AD. Open a command window, and execute the following command;

[box]

xcopy C:\Windows\NTDS\* C:\Backup\NTDS-Backup /E /Y /V /C /I

[/box]

Then execute the following commands;

[box]

cd C:\Windows\NTDS
ren *.log *.log.old
esentutl /p C:\Windows\NTDS\ntds.dit

[/box]

When prompted; CLICK OK.

Now run the following commands;

[box]

ntdsutil
activate instance ntds
files
compact to C:\Windows\NTDS\TEMP
quit
quit

[/box]

As it’s telling us (above), we now need to copy the compacted and repaired database, over the top of the live database, and then get rid of the logs. To do that, run the following commands;

[box]

copy "C:\Windows\NTDS\TEMP\ntds.dit" "C:\Windows\NTDS\ntds.dit"
Yes
del *.log
del *.log.old
shutdown -r -f

[/box]

The server will reboot, and boot back into Windows as normal.

Related Articles, References, Credits, or External Links

A big thank you to Alex at iThinkVirtual.com, for the AD repair procedure, I would not have got over  the line without his excellent ‘Fixing a corrupt Domain Controller’ post.

Getting a Servers Serial Number (Remotely)

KB ID 0001493

Problem

If you have an iLO/iDRAC/EMM, then logging into these will give you the server’s serial number, but what if they are not setup/connected, or you don’t know the username or password?

Then you can use WMI to discover the serial number.

Solution

From PowerShell;

[box]

Get-Ciminstance -classname win32_bios -computername {Server-Name} | format-list serialnumber

[/box]

 

Or if you have RDP/Console access, then from an administrative command window, execute the following command;

[box]

wmic /node:%computername% bios get serialnumber

[/box]

Nice and simple!


Upgrading vSphere ESXi Hosts (Including HP and Dell)

KB ID 0001343

Problem

Before you think about upgrading your hosts, you should upgrade your vCenter;

Upgrade vSphere vCenter Appliance

Assuming that’s all done, your task now is to upgrade your hosts, if you have a vanilla VMware ESXi version installed. You COULD simply SSH into the host, and execute the following commands;

[box]

esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile install -p ESXi-6.5.0-20170702001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

[/box]

Well that’s great but if you are using a custom ESXi image, the process won’t even start, you simply get warned that this won’t work, as it will break all the vendor specific drivers/software, (which is a good thing I suppose, the warning I mean, not the breaking things!)

Still, if you have a vendor modified copy of ESX what do you do? Well the following procedures will work for any version of the software, either vanilla VMware or HP/Dell/IBM etc. AND IT RETAINS ALL THE HOST SETTINGS, i.e. licences, vSwitches (standard and distributed), certificates etc.

Solution 1: Use an ‘Offline Bundle’ update

Firstly, you need a copy of the appropriate ‘offline bundle’ update, below you can see this is the customised one for HPE servers.

Upload the offline bundle into a datastore, (that the host to be upgraded has access to!) While in here, shut down the guest VMs on this host, and put the host into ‘maintenance mode‘.

NOTE: If you are updating an HPE Server, there will be a gen-9 and a pre-gen-9 update bundle! Pick the correct one!

Or, you can upload the bundle via SCP into the appropriate datastore, if you prefer.

SSH into the host you are going to upgrade. Below you can see me navigating to the Datastore;

[box]

cd /vmfs/volumes
ls

[/box]

Enable SSH Access to VMware vSphere ESX

And there’s my offline bundle ready to be installed.

Remember: Even if you’re in the correct directory, you need to specify the ‘full path’ to the ‘offline bundle‘ (or it looks in the ‘/var/log’ directory and won’t work). Execute the following command;

[box]

esxcli software vib update -d /vmfs/volumes/{Datastore-Name}/VMWare-ESXi-6.5.0-Update2-9298722-HPE-preGen9-650.U2.9.6.8.3-Sept2018-depot.zip

[/box]

For a while it will look like nothing is happening, (don’t panic.) After a while a LOT of text will scroll past (quickly). Scroll back up to the TOP of all that text; what you are looking for is ‘The update completed successfully‘.

Reboot the host.
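
Rather than scrolling back through the output, you can save it to a file and read the result fields from the top of it. The script below is an added example, not part of the original article: the function names and log path are its own, the sample output is constructed rather than captured from a host, and it also enforces the full-path requirement mentioned above.

```shell
#!/bin/sh
# Added example, not from the original article. POSIX sh, so it also runs in
# the ESXi shell. Function names and the log path are this example's own.

# depot_path_ok <path>: the -d argument is not resolved against your current
# directory, so insist on an absolute path to an existing .zip.
depot_path_ok() {
    case "$1" in
        /*.zip) [ -f "$1" ] ;;
        *)      return 1 ;;
    esac
}

# update_result <file>: classify saved esxcli output by the "Message:" and
# "Reboot Required:" fields printed at the top of the result.
# Echoes one of: reboot | done | unchanged | failed
update_result() {
    msg=$(sed -n 's/^ *Message: *//p' "$1" | head -n 1)
    reboot=$(sed -n 's/^ *Reboot Required: *//p' "$1" | head -n 1)
    case "$msg" in
        *"completed successfully"*)
            if [ "$reboot" = "true" ]; then echo reboot; else echo done; fi ;;
        *"not changed"*)
            echo unchanged ;;      # nothing in the bundle was newer than the host
        *)
            echo failed ;;         # errors carry no "Message:" line
    esac
}

# apply_bundle <full-path-to-depot.zip>: run the update, keep the complete
# output in a log file and print only the verdict.
apply_bundle() {
    depot_path_ok "$1" || {
        echo "need the full path to an existing .zip: $1" >&2
        return 2
    }
    log=/tmp/esxcli-update.$$.log
    esxcli software vib update -d "$1" > "$log" 2>&1
    verdict=$(update_result "$log")
    echo "$verdict (full output in $log)"
    [ "$verdict" != "failed" ]
}

# Constructed sample of the top of a successful run (not captured from a host).
sample_output() {
    cat <<'EOF'
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: (list omitted)
EOF
}
```
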

Solution 2: Use VMware Update Manager

Warning: You CAN’T deploy an ESXi image that’s OLDER than the Update Manager you are running, i.e. if your vCenter is 6.5 you can’t upload an ESX 6.0 image, (it will fail – this cost me two hours onsite!)

Warning 2: You need vCenter 6.0 Update1 or newer to perform this function.

I’ve got two hosts, one’s a Dell PowerEdge and the other a HP Proliant, I’ve already upgraded the HP server, you will see that in the screen shots below, now I’m going to upgrade the Dell.

Before Starting;

  • Download the install .ISO file that has the newer version of the ESXi software.
  • vMotion all the VM’s off the host being upgraded, (to save time).
  • If you have two hosts, (like me.) You might want to disable HA and DRS on the cluster as well temporarily!

Connect to vCenter > Home.

Update Manager.

Select the vCenter > Manage > ESXi Images > Import ESXi image.

Browse to the .iso file you downloaded and upload it to update manager.

After a short pause you should see the image appear, (Note: you can see the HP one I uploaded earlier) > Select the one to deploy > Create Baseline.

Give it a sensible name > OK.

Back in ‘Hosts and Clusters’ View > Select the Cluster > Update Manager > Attach Baseline.

Select your new one > OK.

Scan for updates > Select Upgrade Only > OK.

After a while, you will see your baseline saying ‘Non-Compliant‘ > Select it > Remediate.

Select the new baseline again > Next > Select the ‘Target Host’ to upgrade > Next > Accept the EULA > Next.

Next > Next.

Next > Finish.

Watch the task bar > Remediation will start > The host will go into Maintenance mode, get upgraded, reboot, and be taken out of maintenance mode.

Here you can see my host is now upgraded. (Mine’s an older server, it took about 45 minutes).

Note: If you disabled HA, DRS etc, you will want to re-enable that now.

 

Related Articles, References, Credits, or External Links

Upgrade vSphere vCenter Appliance to Version 6.5

VMware Upgrading the vSphere Virtual Center Appliance

VMware ESXi 5 – Applying Patches and Updates

Update VMware ESXi from 4.0 to 4.1

Upgrade ESX 3 to version 4.1.0

Stacking (VSF) Aruba Switches

KB ID 0001492

I noticed some shiny Aruba switches on the bench today, they were for a job my colleague is working on. (Note: Each switch in a stack should be the same model, so these will need two stacks!)

I work on the occasional HP/Aruba core switch, but it’s been a while since I did any work on distribution switches like these. The first thing I learned, was there’s no dedicated stacking cable for them. They simply use a 10Gb (Twinax / DAC) cable. Which I suppose is pretty straight forward, but it means you lose an SFP+ port (which is a bit pants).*

*Note: You can stack with 1GB cables, but you can’t mix and match!

So I said “Give me a shout when you stack them and I’ll take a nosey!”

Solution

In the ‘land of Aruba’ this is called creating a VSF (Virtual Switching Fabric). As you can see from the photo, these are 2930F Switches, and you can stack up to four switches in a VSF. The same stacking method is used on the 5400R (v3) and 5412, (where you can link two 5400R or 5412’s).

Also this method is NOT to be confused with ‘Fabric Stacking’ which is available on the 2920,2930M,3800,3810M models, (that is more like Cisco FlexStack, with a dedicated 100Gb stack cable).

So, assuming you have your switch new and fresh, connect in with your console cable, and dedicate a port to use for VSF.

[box]

Aruba-2930F-24G-PoEP-4SFPP# conf t
Aruba-2930F-24G-PoEP-4SFPP(config)# vsf member 1 link 1 ethernet 25
All configuration on this port has been removed and port is placed in VSF mode.

[/box]

Then place the switch into a VSF domain

[box]

Aruba-2930F-24G-PoEP-4SFPP(config)# vsf enable domain 1
This will save the current configuration and reboot the switch.

[/box]

The switch will ask for a reboot, let it do so.

Repeat the procedure on the second switch, (but this will be member 2).

[box]

Aruba-2930F-24G-PoEP-4SFPP# conf t
Aruba-2930F-24G-PoEP-4SFPP(config)# vsf member 2 link 1 ethernet 25
All configuration on this port has been removed and port is placed in VSF mode.
Aruba-2930F-24G-PoEP-4SFPP(config)# vsf enable domain 1
This will save the current configuration and reboot the switch.

[/box]

Once again let the switch reboot. 

Post reboot you will see the ports are ‘re-numbered’ 1/{port-number} on vsf member 1, 2/{port-number} on vsf member 2 etc.

[box]

Aruba-2930F-24G-PoEP-4SFPP# show interfaces
Status and Counters - Port Counters

                                                                 Flow Bcast
  Port         Total Bytes    Total Frames   Errors Rx Drops Tx  Ctrl Limit
  ------------ -------------- -------------- --------- --------- ---- -----
  1/1          0              0              0         0         off  0    
  1/2          0              0              0         0         off  0    
  1/3          0              0              0         0         off  0    
  1/4          0              0              0         0         off  0    
<---------------Output Removed For The Sake Of Brevity-------------->   
  1/10         0              0              0         0         off  0    
  1/11         0              0              0         0         off  0    
  1/12         0              0              0         0         off  0    
  1/13         0              0              0         0         off  0  
<---------------Output Removed For The Sake Of Brevity--------------> 
  1/19         0              0              0         0         off  0    
  1/20         0              0              0         0         off  0    
  1/21         0              0              0         0         off  0       
  1/25         1,496,823,949  23,354,845     0         0         off  0
<---------------Output Removed For The Sake Of Brevity--------------> 
  2/1          0              0              0         0         off  0    
  2/2          0              0              0         0         off  0    
  2/3          0              0              0         0         off  0    
  2/4          0              0              0         0         off  0    
<---------------Output Removed For The Sake Of Brevity--------------> 
  2/22         0              0              0         0         off  0    
  2/23         0              0              0         0         off  0    
  2/24         0              0              0         0         off  0    
  2/25         1,536,016,322  23,966,915     0         0         off  0    
  2/26         0              0              0         0         off  0    
  2/27         0              0              0         0         off  0    
  2/28         0              0              0         0         off  0    
 

[/box]

If you need to Stack 3 or 4 Switches then you need to add a second link, and create a ring;

i.e.

  • Switch 2 (2nd link now to switch 3) vsf member 2 link 2 ethernet 26
  • Switch 3 (1st link to switch 2 ) vsf member 3 link 1 ethernet 25
  • Switch 3 (2nd link to switch 4 ) vsf member 3 link 2 ethernet 26
  • Switch 4 (1st link to switch 3 ) vsf member 4 link 1 ethernet 25
  • Switch 4 (2nd link to switch 1 ) vsf member 4 link 2 ethernet 26

Useful Aruba VSF Commands

show vsf or show vsf detail :  Shows the list of provisioned chassis members.

show vsf link or show vsf link detail : Shows the state of vsf links for all members.

show vsf lldp-mad status : Shows LLDP MAD (Multi-Active Detection).

show vsf trunk-designated-forwarder : Shows designated forwarders for each trunk.
