DATA SHEET
ARUBA CX 6200 SWITCH
SERIES
PRODUCT OVERVIEW
The Aruba CX 6200 Switch Series is a next-gen family of
stackable access switches ideal for enterprise branch offices,
campuses, and SMB networks. Created for game-changing
operational efficiency with built-in analytics and automation,
the CX 6200 switches provide an enterprise-class access
layer solution that’s simple and secure.
Built from the ground up with a combination of cutting-
edge hardware, software and analytics and automation
tools, the stackable CX 6200 switches are part of the
Aruba CX switching portfolio. By combining a modern,
fully programmable OS with the Aruba Network Analytics
Engine, the CX 6200 brings industry leading monitoring and
troubleshooting capabilities to the access layer.
A powerful Aruba Gen7 ASIC architecture delivers reliable
performance and enterprise-class feature support with
flexible programmability for tomorrow’s applications. The CX
6200 is designed for simple deployment using the intuitive
Aruba CX Mobile App that speeds install, configuration and
stacking of up to 8 switches. The CX 6200 has built-in high
speed uplinks and up to 740W of PoE to support IoT devices
such as security cameras and the latest wireless APs.
Aruba Dynamic Segmentation extends Aruba’s foundational
wireless role-based policy capability to Aruba wired switches.
What this means is that the same security, user experience
and simplified IT management can be enjoyed throughout
the network. Regardless of how users and IoT devices
connect, consistent policies are enforced across wired and
wireless networks, keeping traffic secure and separate.
KEY FEATURES
• Enterprise-class connectivity with support for ACLs,
robust QoS and common protocols such as static
and Access OSPF routing
• Scalability with 8 member switch VSF stacking
• Convenient built-in 1/10GbE uplinks and up to 740W
of Class 4 PoE
• Intelligent monitoring, visibility, and troubleshooting
with Aruba Network Analytics Engine
• Simple, one touch deployment with the Aruba CX
Mobile App
• Automated configuration and verification with Aruba
NetEdit
• Secure and simple access for users and IoT with
Aruba Dynamic Segmentation
PRODUCT DIFFERENTIATORS
AOS-CX - a modern software system
The Aruba CX 6200 Switch Series is based on AOS-CX, a
modern, database-driven operating system that automates
and simplifies many critical and complex network tasks.
A built-in time series database enables customers and
developers to utilize software scripts for historical
troubleshooting, as well as analysis of past trends.
This helps predict and avoid future problems due to scale,
security, and performance bottlenecks. Easy access to
all network state information allows unique visibility and
analytics.
Our AOS-CX software also includes Aruba Network Analytics
Engine (NAE) and support for Aruba NetEdit. Because AOS-
CX is built on a modular Linux architecture with a stateful
database, our operating system provides the following
unique capabilities:
• Easy access to all network state information allows unique
visibility and analytics
• REST APIs and Python scripting for fine-grained
programmability of network tasks
• A micro-services architecture that enables full integration
with other workflow systems and services
• Continuous telemetry data with WebSocket subscriptions
for event driven automation
• Continual state synchronization that provides superior
fault tolerance and high availability
• All software processes communicate with the database
rather than each other, ensuring near real-time state and
resiliency and allowing individual software modules to be
independently upgraded for higher availability
Aruba Network Analytics Engine - advanced monitoring
and diagnostics
For enhanced visibility and troubleshooting, Aruba’s Network
Analytics Engine (NAE) automatically monitors and analyzes
events that can impact network health. Advanced telemetry
and automation provide the ability to easily identify and
troubleshoot network, system, application and security
related issues through the use of Python agents and
REST APIs.
The Time Series Database (TSDB) stores configuration and
operational state historical data making it available to quickly
resolve network issues. The data may also be used to analyze
trends, identify anomalies and predict future capacity
requirements.
Aruba NetEdit – automated switch configuration and
management
The entire Aruba CX portfolio empowers IT teams to
orchestrate multiple switch configuration changes for
smooth end-to-end service rollouts. Aruba NetEdit
introduces automation that allows for rapid network-wide
changes, and ensures policy conformance post network
updates. Intelligent capabilities include search, edit,
validation (including conformance checking), deployment and
audit features. Capabilities include:
• Centralized configuration with validation for consistency
and compliance
• Time savings via simultaneous viewing and editing of
multiple configurations
• Customized validation tests for corporate compliance and
network design
• Automated large-scale configuration deployment without
programming
• Network health and topology visibility with Aruba NAE
integration
Note: A separate software license is required to use Aruba
NetEdit.
Aruba CX Mobile App – unparalleled deployment
convenience
An easy-to-use mobile app simplifies connecting, stacking
and managing Aruba CX 6200 switches for any size project.
Switch information can also be imported into Aruba NetEdit
for simplified configuration management and to continuously
validate the conformance of configurations anywhere in the
network.
Aruba ASICs - programmable innovation
Based on over 30 years of continuous investment, Aruba’s
ASICs create the basis for innovative and agile software
feature advancements, unparalleled performance and deep
visibility. These programmable ASICs are purpose-built
to allow for a tighter integration of switch hardware and
software within campus and data center architectures to
optimize performance and capacity. Virtual Output Queuing
(VOQ) isolates congestion, prevents Head of Line Blocking
(HOLB) and allows full line rate on outgoing (egress) ports.
Flexible ASIC resources enable Aruba’s NAE solution to
inspect all data, which allows for rapid feature development
and delivery. The Aruba CX 6200 is based on the Aruba Gen7
ASIC architecture.
Aruba Dynamic Segmentation – improved segmentation
and simplicity
For enhanced security, Aruba Dynamic Segmentation
automatically applies and enforces user, device and
application-aware policies on Aruba wired and wireless
infrastructure. Automated device profiling, role-based access
control, and Layer 7 firewall features deliver enhanced
visibility and performance for a better overall experience for
both IT and end-users alike.
Simplified IT controls include:
• A secure tunnel from Aruba switches or access points
transports user traffic to an Aruba Controller or Gateway.
Policies can be written on the Controller or Gateway
– or the Aruba ClearPass Policy Manager can be used
to centrally configure policies to further simplify micro-
segmentation of networks.
• The utilization of user roles will include a set of switch-
based rules to define authentication, authorization and
QoS values for each connecting device. A user role can
be assigned to a group of users or devices, regardless of
using local user roles written on the switch or downloaded
from ClearPass.
Mobility and IoT performance
The Aruba CX 6200 Switch Series uses a fully distributed
architecture that utilizes the Gen7 Aruba ASICs. This ensures
that our switches offer very low latency, increased packet
buffering, and adaptive power consumption. All switching
and routing are wire-speed to meet the demands of
bandwidth-intensive applications today and in the future.
Each switch includes the following:
• Up to 176 Gbps in non-blocking bandwidth and up to
130.9 Mpps for forwarding
• Selectable queue configurations that allow for increased
performance by defining a number of queues and
associated memory buffering to best meet the
requirements of network applications
VSF Stacking - scale and simplicity
The Aruba Virtual Switching Framework (VSF) allows you to
quickly grow your network using high performance front
plane stacking. Four built-in SFP+ ports support speeds of
1GbE and 10GbE. Additional features include:
• Support for up to 8 switches (or members) in a stack via
chain or ring topology
• Flexibility to create stacks that span longer distances such
as hundreds of meters across campuses to kilometres
between sites using long-range 1GbE and 10GbE
transceivers
• Simplified configuration and management as the switches
act as a single chassis when stacked
• The Aruba CX Mobile app provides support for a validated
stack deployment that ensures that all stack links and
uplinks are connected properly
Enterprise-class connectivity for all environments
Whether in the branch office or a small to large enterprise
environment, you can choose from five fixed 1U models.
Each switch includes four high-speed built-in uplinks that
auto-negotiate from 1GbE to 10GbE to deliver non-blocking
performance. Additional highlights:
• 1U models support 24 and 48 access ports of IEEE 802.3
(100M/1GbE) with four built-in 1GbE/10GbE uplink SFP+
ports
• PoE models support up to 740W IEEE 802.3at Class 4
Power over Ethernet for up to 30W per port as well as any
IEEE 802.3af-compliant end device
• Always-on PoE supplies PoE power even during scheduled
reboots and firmware upgrades
• Support for pre-standard PoE detects and provides power
to pre-standard PoE devices
• Auto-MDIX provides automatic adjustments for straight-
through or crossover cables on all 10/100/1000 ports
• IPv6 capabilities include:
- IPv6 host enables switches to be managed in an IPv6
network
- Dual stack (IPv4 and IPv6) transitions from IPv4 to IPv6,
supporting connectivity for both protocols
- MLD snooping forwards IPv6 multicast traffic to the
appropriate interface
- IPv6 ACL/QoS supports ACL and QoS for IPv6 network
traffic
- IPv6 routing supports Static and OSPFv3 protocols
- Security provides RA guard, DHCPv6 protection, dynamic
IPv6 lockdown, and ND snooping
• Jumbo frames allow for high-performance backups and
disaster-recovery systems; provides a maximum frame
size of 9220 bytes
• Packet storm protection against broadcast, multicast and
unknown unicast storms with user-defined thresholds
High availability and resiliency
To ensure a high degree of up-time we offer high availability
and multicast features needed for a highly-available Layer 2
access deployment including:
• Uni-directional Link Detection (UDLD) to monitor
link connectivity and shut down ports at both ends if
uni-directional traffic is detected, preventing loops in
STP-based networks
• IEEE 802.3ad LACP supports up to 32 LAGs, each with
up to 8 links per LAG; and provides support for static or
dynamic groups and a user-selectable hashing algorithm
• IEEE 802.1s Multiple Spanning Tree provides high link
availability in VLAN environments where multiple spanning
trees are required; and legacy support for IEEE 802.1d
and IEEE 802.1w
• IEEE 802.3ad link-aggregation-control protocol (LACP) and
port trunking support static and dynamic trunks where
each trunk supports up to eight links (ports) per static
trunk
Quality of Service (QoS) features
To support congestion actions and traffic prioritization, the
Aruba CX 6200 Series includes the following:
• Strict priority (SP) queuing and Deficit Weighted Round
Robin (DWRR)
• Traffic prioritization (IEEE 802.1p) for real-time
classification
• Class of Service (CoS) sets the IEEE 802.1p priority tag
based on IP address, IP Type of Service (ToS), Layer 3
protocol, TCP/UDP port number, source port, and DiffServ
• Rate limiting sets per-port ingress enforced maximums
and per-port, per-queue minimums
• Transmission rates of egressing frames can be limited on
a per-queue basis using Egress Queue Shaping (EQS)
• Large buffers for graceful congestion management
Simplified configuration and management
In addition to the Aruba CX Mobile App, Aruba NetEdit and
Aruba Network Analytics Engine, the 6200 series offers the
following:
• Built-in programmable and easy-to-use REST API interface
• Simple day zero provisioning
• sFlow (RFC 3176) is ASIC-based wire speed network
monitoring and accounting with no impact on network
performance; network operators can gather a variety of
network statistics and information for capacity planning
and real-time network monitoring purposes
• Management interface control enables or disables each of
the following depending on security preferences, console
port, or reset button
• Industry-standard CLI with a hierarchical structure for
reduced training time and expense. Delivers increased
productivity in multivendor environments
• Management security restricts access to critical
configuration commands, provides multiple privilege
levels with password protection and local and remote
syslog capabilities allow logging of all access
• SNMP v2c/v3 provides SNMP read and trap support of
industry standard Management Information Base (MIB),
and private extensions
• Remote monitoring (RMON) with standard SNMP to
monitor essential network functions. Supports events,
alarms, history, and statistics groups as well as a private
alarm extension group; RMON, and sFlow provide
advanced monitoring and reporting capabilities for
statistics, history, alarms and events
• TFTP and SFTP support offers different mechanisms
for configuration updates; trivial FTP (TFTP) allows
bidirectional transfers over a TCP/IP network; Secure
File Transfer Protocol (SFTP) runs over an SSH tunnel to
provide additional security
• Debug and sampler utility supports ping and traceroute
for IPv4 and IPv6
• Network Time Protocol (NTP) synchronizes timekeeping
among distributed time servers and clients; keeps
timekeeping consistent among all clock-dependent
devices within the network
• IEEE 802.1AB Link Layer Discovery Protocol (LLDP)
advertises and receives management information from
adjacent devices on a network, facilitating easy mapping
by network management applications
• Dual flash images provide independent primary and
secondary operating system files for backup while
upgrading
• Multiple configuration files can be stored to a flash image
• Ingress and egress port monitoring enable more efficient
network problem solving
• Unidirectional link detection (UDLD) monitors the link
between two switches and blocks the ports on both ends
of the link if the link goes down at any point between the
two devices
• IP SLA responders for Voice helps in monitoring quality of
voice traffic using the UDP Jitter for VoIP tests
Layer 2 Switching
The following layer 2 services are supported:
• VLAN support and tagging for IEEE 802.1Q (4094 VLAN
IDs)
• Jumbo packet support improves the performance of large
data transfers; supports frame size of up to 9220 bytes
• IEEE 802.1v protocol VLANs isolate select non-IPv4
protocols automatically into their own VLANs
• Rapid Per-VLAN Spanning Tree (RPVST+) allows each
VLAN to build a separate spanning tree to improve link
bandwidth usage; is compatible with PVST+
• MVRP allows automatic learning and dynamic assignment
of VLANs
• VXLAN encapsulation (tunnelling) protocol for overlay
network that enables a more scalable virtual network
deployment
• Bridge Protocol Data Unit (BPDU) tunnelling transmits STP
BPDUs transparently, allowing correct tree calculations
across service providers, WANs, or MANs
• Port mirroring duplicates port traffic (ingress and egress)
to a monitoring port; supports 4 mirroring groups
• STP supports standard IEEE 802.1D STP, IEEE 802.1w
Rapid Spanning Tree Protocol (RSTP) for faster
convergence, and IEEE 802.1s Multiple Spanning Tree
Protocol (MSTP)
• Internet Group Management Protocol (IGMP) controls
and manages the flooding of multicast packets in a Layer
2 network
Layer 3 Services
The following layer 3 services are supported:
• Loopback interface address defines an address in Open
Shortest Path First (OSPF), improving diagnostic capability
• Address Resolution Protocol (ARP) determines the MAC
address of another IP host in the same subnet; supports
static ARPs; gratuitous ARP allows detection of duplicate
IP addresses; proxy ARP allows normal ARP operation
between subnets or when subnets are separated by a
Layer 2 network
• Dynamic Host Configuration Protocol (DHCP) simplifies
the management of large IP networks and supports client;
DHCP Relay enables DHCP operation across subnets
• Domain Name System (DNS) provides a distributed
database that translates domain names and IP addresses,
which simplifies network design; supports client and
server
Layer 3 Routing
The following layer 3 routing services are supported:
• Single-area Open Shortest Path First (OSPF) delivers
faster convergence; uses link-state routing Interior
Gateway Protocol (IGP), which supports NSSA, and MD5
authentication for increased security and graceful restart
for faster failure recovery
• OSPF provides OSPFv2 for IPv4 routing and OSPFv3 for
IPv6 routing
• Static IP routing provides manually configured routing
• Static IPv4 routing provides simple manually configured
IPv4 routing
• IP performance optimization provides a set of tools to
improve the performance of IPv4 networks; includes
directed broadcasts, customization of TCP parameters,
support of ICMP error packets, and extensive display
capabilities
• Static IPv6 routing provides simple manually configured
IPv6 routing
• Dual IP stack maintains separate stacks for IPv4 and IPv6
to ease the transition from an IPv4-only network to an
IPv6-only network design
Security
Each Aruba CX 6200 Switch comes with an integrated trusted
platform module (TPM) for platform integrity. This ensures
the boot process started from a trusted combination of
AOS-CX switches. Other security features include:
• TAA Compliance uses FIPS 140-2 validated cryptography
for protection of sensitive information
• Access control list (ACL) support for both IPv4 and IPv6;
allows for filtering traffic to prevent unauthorized users
from accessing the network, or for controlling network
traffic to save resources; rules can either deny or permit
traffic to be forwarded; rules can be based on a Layer 2
header or a Layer 3 protocol header
• ACLs also provide filtering based on the IP field, source/
destination IP address/subnet, and source/destination
TCP/UDP port number on a per-VLAN or per-port basis
• Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access-Control System
(TACACS+) delivers an authentication tool using TCP with
encryption of the full authentication request, providing
additional security
• Management access security for both on- and off-box
authentication for administrative access. RADIUS
or TACACS+ can be used to provide encrypted user
authentication. Additionally, TACACS+ can also provide
admin authorization services
• Control Plane Policing sets rate limit on control protocols
to protect CPU overload from DOS attacks
• Supports multiple user authentication methods. Uses an
IEEE 802.1X supplicant on the client in conjunction with a
RADIUS server to authenticate in accordance with industry
standards
• Web based authentication using Captive Portal on
ClearPass is supported for use cases such as Guest
Access and for devices that don’t support 802.1x or
MACAuth.
• Supports MAC-based client authentication
• Concurrent IEEE 802.1X, Web, and MAC authentication
schemes per switch port accepts up to 32 sessions of IEEE
802.1X, Web, and MAC authentications
• DHCP protection blocks DHCP packets from unauthorized
DHCP servers, preventing denial-of-service attacks
• Secure management access delivers secure encryption of
all access methods (CLI, GUI, or MIB) through SSHv2, SSL,
and/or SNMPv3
• Switch CPU protection provides automatic protection
against malicious network traffic trying to shut down
the switch
• ICMP throttling defeats ICMP denial-of-service attacks
by enabling any switch port to automatically throttle
ICMP traffic
• Identity-driven ACL enables implementation of a highly
granular and flexible access security policy and VLAN
assignment specific to each authenticated network user
• STP BPDU port protection blocks Bridge Protocol Data
Units (BPDUs) on ports that do not require BPDUs,
preventing forged BPDU attacks
• Dynamic IP lockdown works with DHCP protection to block
traffic from unauthorized hosts, preventing IP source
address spoofing
• Dynamic ARP protection blocks ARP broadcasts from
unauthorized hosts, preventing eavesdropping or theft of
network data
• STP root guard protects the root bridge from malicious
attacks or configuration mistakes
• Port security allows access only to specified MAC
addresses, which can be learned or specified by the
administrator
• MAC address lockout prevents particular configured MAC
addresses from connecting to the network
• Source-port filtering allows only specified ports to
communicate with each other
• Secure shell encrypts all transmitted data for secure
remote CLI access over IP networks
• Secure Sockets Layer (SSL) encrypts all HTTP traffic,
allowing secure access to the browser-based
management GUI in the switch
• Secure FTP allows secure file transfer to and from the
switch; protects against unwanted file downloads or
unauthorized copying of a switch configuration file
• Critical Authentication Role ensures that important
infrastructure devices such as IP phones are allowed
network access even in the absence of a RADIUS server
• MAC Pinning allows non-chatty legacy devices to stay
authenticated by pinning client MAC addresses to the port
until the clients log off or get disconnected
• Management Interface Wizard helps secure management
interfaces such as SNMP, telnet, SSH, SSL, Web, and USB
at the desired level
• Security banner displays a customized security policy
when users log in to the switch
Multicast
• IGMP Snooping allows multiple VLANs to receive the
same IPv4 multicast traffic, lessening network bandwidth
demand by reducing multiple streams to each VLAN
• Multicast Listener Discovery (MLD) enables discovery of
IPv6 multicast listeners; support MLD v1 and v2
• Internet Group Management Protocol (IGMP) utilizes
Any-Source Multicast (ASM) to manage IPv4 multicast
networks; supports IGMPv1, v2, and v3