Study Guide: Layer 3 Routing — Static Routes, OSPF, and VRRP/Active-Gateway

Learning Objectives

Identify the four AOS-CX Layer 3 interface types (SVI, routed port, loopback, sub-interface) and the conditions under which each comes up.
Configure static, default, floating, and ECMP routes; predict which one wins given administrative-distance defaults.
Configure OSPFv2 on AOS-CX using per-interface ip ospf <id> area <id> syntax — and recognize why Cisco-style network statements do not exist here.
Recall OSPF LSA types (1, 2, 3, 4, 5, 7) and stub-area variants (Stub, Totally Stubby, NSSA, Totally NSSA).
Compare VRRP (active-standby) with VSX active-gateway (active-active) and choose the right FHRP for a given topology.
Verify all of the above with the right show commands.

6.1 Layer 3 Interface Types

AOS-CX is a fully routed switching platform — every Aruba CX 6000, 8000, and 10000 series switch can be a Layer 3 device on every port. Before any inter-VLAN forwarding works, the global feature must be on:

switch(config)# ip routing

Without ip routing, the switch will accept Layer 3 configuration on interfaces but will not forward packets between subnets.

SVI (Switched Virtual Interface)

An SVI — interface vlan <id> — is a logical L3 interface bound to a VLAN. It is the gateway for hosts in that VLAN. SVIs come up administratively down by default (no shutdown is mandatory) and require at least one forwarding member port for the VLAN to bring line-protocol up.

Routed Port

A physical port stripped of switching behavior with the routed keyword (or no switchport). Preferred over SVIs for transit links because it skips spanning-tree, has predictable up/down on cable failure, and avoids 802.1Q overhead.

Loopback

Always-up logical L3 interface; ideal for stable management address and OSPF/BGP router-id.

Table 6.1 — AOS-CX Layer 3 Interface Types

Type	Command	Use Case	Up When
SVI	`interface vlan <id>`	VLAN gateway, inter-VLAN routing	A member port forwarding AND `no shutdown`
Routed port	`routed` + `ip address`	P2P inter-switch / upstream link	Cable up + `no shutdown`
Loopback	`interface loopback <n>`	Stable router-id, mgmt	Always
Sub-interface	`interface 1/1/x.<vid>`	Router-on-a-stick	Parent up + `encapsulation dot1Q`

Pre-Reading Quiz — Section 1: L3 Interface Types

1. You configure interface vlan 10, assign an IP, and no shutdown, but the SVI stays line-protocol down. What is the most likely cause?

A. ip routing is disabled globally. B. No member port of VLAN 10 is in a forwarding state. C. The IP address mask must be dotted-decimal, not /24. D. SVIs require routed keyword to come up.

2. Which interface type is the most appropriate for a clean point-to-point link between two CX switches in a routed core?

A. SVI on a transit VLAN B. Loopback C. Routed port (routed + IP) D. Access port in VLAN 1

3. Why is a loopback the conventional source for an OSPF router-id?

A. OSPF refuses any router-id taken from a physical interface. B. A loopback never goes down due to physical-port failure, giving the router-id stable identity. C. Loopbacks have lower MTU which OSPF prefers. D. Only loopback IPs can be advertised into Area 0.

4. Without the ip routing global command, what happens to inter-VLAN traffic?

A. It is forwarded but at a lower priority. B. It is dropped — the switch does not forward L3 between subnets. C. It still works because SVIs route automatically. D. It is software-routed (no hardware acceleration).

6.2 Static and Default Routing

Static routes are deterministic plumbing: ip route <prefix>/<len> <next-hop> [distance]. Default AD for a static is 1 (beats OSPF's 110). A "floating static" sets a high AD (e.g., 200) so the route only installs if the preferred dynamic source disappears.

Table 6.2 — Default Administrative Distance

Source	AD
Connected	0
Static	1
eBGP	20
OSPF (intra/inter)	110
iBGP	200
Floating static (typical)	200+

ECMP — Equal-Cost Multipath

Multiple equal-cost routes for the same prefix are all installed and flows are hashed across them (typical 5-tuple of src/dst IP, src/dst port, protocol). This is what makes leaf-spine fabrics work — every leaf has equal-cost paths to every other leaf via every spine, with no single bottleneck.

Static-Route Decision Flow

flowchart TD A[Packet arrives] --> B{Longest match?} B -->|Yes| C{Multiple equal-cost paths?} C -->|Yes| D[Hash flow across paths - ECMP] C -->|No| E[Forward via single next-hop] B -->|No| F{Default 0.0.0.0/0 exists?} F -->|Yes| E F -->|No| G[Drop - ICMP unreachable if enabled]

Pre-Reading Quiz — Section 2: Static and Default Routing

5. Which administrative distance value is the AOS-CX default for a static route?

A. 0 B. 1 C. 110 D. 200

6. A switch has both a static ip route 10.10.0.0/16 ... 200 and an OSPF intra-area route to the same prefix. Which is installed in the routing table while OSPF is healthy?

A. The floating static (AD 200), because static is always preferred. B. The OSPF route (AD 110), because lower AD wins. C. Both are installed and ECMP-hashed. D. Neither — conflicting sources cause both to be suppressed.

7. What is the purpose of ECMP in a leaf-spine fabric?

A. Encrypt traffic between leaves and spines. B. Install multiple equal-cost paths for the same prefix and hash flows across them. C. Force all traffic onto a single primary uplink. D. Replace OSPF with a proprietary load-balancing protocol.

8. Which command best installs a backup default route that should only be used when the OSPF-learned default disappears?

A. ip route 0.0.0.0/0 198.51.100.1 B. ip route 0.0.0.0/0 198.51.100.1 200 C. ip route 0.0.0.0/0 198.51.100.1 0 D. ip default-network 198.51.100.1

6.3 OSPFv2 on AOS-CX

OSPFv2 is a link-state IGP. Every router in an area builds an identical map of the area, then runs Dijkstra (SPF) to compute its routing table. Failures are detected via hello/dead timers and the area re-converges in seconds.

The AOS-CX trap: OSPF is enabled per interface with ip ospf <id> area <area>. There are no Cisco-style network statements under the OSPF process.

switch(config)# router ospf 1
switch(config-ospf-1)# router-id 1.1.1.1
switch(config-ospf-1)# area 0
switch(config-ospf-1)# exit
switch(config)# interface 1/1/1
switch(config-if)# ip address 10.0.1.1/30
switch(config-if)# ip ospf 1 area 0
switch(config-if)# ip ospf network point-to-point

Table 6.3 — OSPFv2 LSA Types

Type	Name	Originated By	Scope
1	Router LSA	Every OSPF router	Within an area
2	Network LSA	DR on multi-access	Within an area
3	Summary LSA	ABR	Inter-area
4	ASBR Summary	ABR	How to reach an ASBR
5	AS-External	ASBR	Throughout AS (not stub/NSSA)
7	NSSA External	ASBR in NSSA	NSSA only — translated to Type 5 at ABR

Table 6.4 — Stub Area Variants

Area	Type 3?	Type 5?	Type 7?
Standard	Yes	Yes	No
Stub	Yes	No (default route only)	No
Totally Stubby	No (default only)	No	No
NSSA	Yes	No	Yes
Totally NSSA	No	No	Yes

Passive Interfaces, Authentication, Timers

Mark user-facing SVIs ip ospf passive — the subnet is still advertised but no hellos are sent. MD5 authentication (ip ospf message-digest-key) prevents rogue neighbors. Default timers are hello 10s / dead 40s; tighten only when BFD is unavailable.

Pre-Reading Quiz — Section 3: OSPFv2

9. How is an interface added to OSPF process 1, area 0 on AOS-CX?

A. network 10.0.1.0 0.0.0.3 area 0 under router ospf 1 B. ip ospf 1 area 0 on the interface C. passive-interface 1/1/1 under the OSPF process D. redistribute connected under OSPF

10. Which LSA type does an ABR generate to advertise inter-area prefixes into a non-originating area?

A. Type 1 (Router LSA) B. Type 2 (Network LSA) C. Type 3 (Summary LSA) D. Type 5 (AS-External LSA)

11. A point-to-point OSPF neighbor remains stuck in EXSTART. What is the most likely cause?

A. Mismatched router-ids — both routers picked the same ID. B. Hello/dead timer mismatch only — area mismatch never causes EXSTART. C. MTU mismatch on the link. D. Both interfaces are configured as DR.

12. Which area type permits Type 7 LSAs (NSSA External) but blocks Type 5 LSAs?

A. Stub B. Totally Stubby C. NSSA D. Standard

6.4 First-Hop Redundancy: VRRP and VSX Active-Gateway

A host has one default gateway. Lose it and traffic stops. AOS-CX offers two FHRPs:

VRRP (RFC 5798): standards-based active-standby. One master answers ARP for the VIP; the backup waits and takes over when the master goes silent.
VSX active-gateway: Aruba-proprietary, VSX-only active-active. Both peers continuously share a virtual MAC and route locally.

Table 6.5 — VRRP vs. VSX Active-Gateway

Feature	VRRP	VSX Active-Gateway
Forwarding	Active-standby	Active-active (both forward)
Config per VLAN	VRID, priority, VIP, timers, preempt	One line: `active-gateway ip ... mac ...`
Virtual MAC	Master owns; transfers on failover	Shared by both peers always
Protocol overhead	Multicast hellos per VLAN per second	None (uses VSX control channel)
ISL traversal	Backup hairpins north-bound traffic	None — each peer routes locally
Compatibility	Standards-based, multi-vendor	VSX only, mutually exclusive with VRRP per VLAN
Best fit	Non-VSX, multi-vendor, standalone cores	VSX pairs (campus dist, DC ToR)

VSX Active-Gateway Configuration

Configured identically on both VSX peers — no priority, no preemption, no advertisement timer:

interface vlan 10
  ip address 10.10.10.2/24       ! unique per peer
  active-gateway ip 10.10.10.1 mac 02:00:00:00:01:00

Why Active-Gateway Wins in VSX

Active-active forwarding — no ISL hairpin for north-bound L3 traffic.
Configuration simplicity — one line per SVI vs six+ for VRRP.
Zero protocol overhead — state syncs over the existing VSX control channel.
Symmetric ECMP upstream — both peers source traffic for the VIP.

VRRP and active-gateway are mutually exclusive on the same VLAN. Pick one per SVI.

Key Takeaways

ip routing is the global on/off switch for inter-VLAN forwarding.
SVIs are VLAN gateways, routed ports are L3 transit, loopbacks are always-up.
Static AD = 1, OSPF AD = 110; floating statics use AD 200+.
AOS-CX OSPF is per-interface (ip ospf <id> area <id>) — no network statements.
LSA types: 1 Router, 2 Network, 3 Summary, 4 ASBR-Summary, 5 External, 7 NSSA-External.
VRRP = active-standby, VSX active-gateway = active-active sharing one vMAC.
Active-gateway is preferred inside a VSX pair; VRRP is for non-VSX or multi-vendor.
VRRP and active-gateway are mutually exclusive on the same VLAN.

Pre-Reading Quiz — Section 4: First-Hop Redundancy

13. In a VSX pair carrying 30 SVIs, which FHRP minimizes ISL hairpin traffic and configuration?

A. VRRP with preempt enabled on each VLAN B. HSRP C. VSX active-gateway D. GLBP

14. Which of these statements about VRRP and VSX active-gateway is TRUE?

A. They can be configured together on the same VLAN for redundancy. B. They are mutually exclusive on a given VLAN. C. Active-gateway requires a VRID just like VRRP. D. VRRP is active-active and active-gateway is active-standby.

15. A VRRP master with priority 150 is tracking interface 1/1/1 with decrement 60. The peer has priority 100. What happens when 1/1/1 fails?

A. Priority drops to 90; peer at 100 wins and takes Master. B. The master keeps Master role — tracking only logs the event. C. Both routers become Master simultaneously (split brain). D. Priority drops to 60 and traffic is dropped.

Chapter 6: Layer 3 Routing — Static Routes, OSPF, and VRRP/Active-Gateway