PRODUCT OVERVIEW
The Aruba 5400R zl2 Switch Series delivers enterprise-class resiliency with innovative flexibility and scalability
for customers creating smart digital workplaces that are
optimized for mobile users with an integrated wired and
wireless approach. This modular series brings scalable
aggregation with Virtual Switching Framework (VSF) stacking
technology, hitless failover, and Fast Software Upgrade for
5400R VSF stacks. The advanced Layer 2 and 3 feature set
includes OSPF, IPv6, IPv4 BGP, Dynamic Segmentation,
robust QoS and policy-based routing with no software
licensing required.
Based on a powerful ProVision ASIC, the Aruba 5400R zl2
Switch Series has a high-speed, high-capacity architecture with
2 Tbps crossbar switching fabric with low 2.1µ latency, robust
feature support, and value with flexible programmability for
the latest applications. This series offers flexible connectivity
options with 6- or 12-slot compact chassis, line rate 40GbE, up
to 96 line rate Smart Rate multigigabit or 10GbE ports and up
to 288 ports of PoE+ for powering access points, cameras and
IoT devices.
The 5400R is easy to deploy, use and manage using Aruba
AirWave or Aruba Central. Aruba ClearPass offers centralized
security and external captive portal support. The switches
include a Limited Lifetime Warranty.
ENHANCED CAPABILITIES
Software-defined networks
• Supports multiple programmatic interfaces, including REST
APIs and OpenFlow 1.0 and 1.3, to enable automation of
network operations, monitoring, and troubleshooting
Unified Wired and wireless support
• Supports unified wired and wireless policies using Aruba
ClearPass Policy Manager
• Switch auto-configuration automatically configures switch
for different settings such as VLAN, CoS, PoE max power,
and PoE priority when an Aruba access point is detected
• User Role defines a set of switch-based policies in areas
such as security, authentication, and QoS. A user role can
be assigned to a group of users or devices, using a switch-based local user role or one downloaded from ClearPass
• For improved network simplicity and security, Aruba
Dynamic Segmentation automatically enforces user,
device and application-aware policies on Aruba wired
and wireless networks. Automated device profiling, role-based access control, and Layer 7 firewall features deliver
enhanced visibility and performance for a better overall
experience for both IT and end-users alike
• Dynamic Segmentation provides a secure tunnel that
transports network traffic on a per-port or per-user role
basis to an Aruba Controller. In a per-user role Tunnel
Node, users are authenticated by the ClearPass Policy
Manager which directs traffic to be tunneled to an Aruba
controller or switch locally
• Static IP Visibility allows ClearPass to do accounting for
clients with static IP addresses.
Quality of Service (QoS)
• Advanced classifier-based QoS classifies traffic using multiple
match criteria based on Layer 2, 3, and 4 information; applies
QoS policies such as setting priority level and rate limit to
selected traffic on a per-port or per-VLAN basis
• Traffic prioritization allows real-time traffic classification into
eight priority levels mapped to eight queues
• Bandwidth shaping
– Port-based rate limiting provides per-port ingress-/
egress-enforced increased bandwidth
– Classifier-based rate limiting uses an access control list
(ACL) to enforce increased bandwidth for ingress traffic
on each port
– Supports per-port, per-queue egress-based
reduced bandwidth
• Class of Service (CoS) sets the IEEE 802.1p priority tag based
on IP address, IP Type of Service (ToS), Layer 3 protocol,
TCP/UDP port number, source port, and DiffServ
• Unknown Unicast Rate Limiting throttles unicast packets
with unknown destination addresses and limits flooding on
the VLAN
Simplified configuration and management
• Aruba Central cloud-based management platform offers a
simple, secure, and cost-effective way to manage switches
• Zero Touch ProVisioning (ZTP) simplifies installation of the
switch infrastructure using Aruba Activate or DHCP-based
process with AirWave and Central Network Management
• Flexible management – Supports both cloud-based Central
and on-premise AirWave without ripping and replacing
switching infrastructure
• IP SLA for Voice monitors quality of voice traffic
using the UDP Jitter and UDP Jitter for VoIP tests (requires
v3 modules)
• Built-in programmable and easy to use REST API interface
provides configuration automation for campus networks
• Remote intelligent mirroring mirrors selected ingress/egress
traffic based on ACL, port, MAC address, or VLAN to a local or
remote HPE 8200 zl, 6600, 6200 yl, 5400 zl, 5400R, 3500, or
3800 Switch located anywhere on the network
• RMON, XRMON, and sFlow provide advanced monitoring and
reporting capabilities for statistics, history, alarms,
and events
• IEEE 802.1AB Link Layer Discovery Protocol (LLDP) advertises
and receives management information from adjacent
devices on a network, facilitating easy mapping by network
management applications
• Unidirectional link detection (UDLD) monitors the link
between two switches and blocks the ports on both ends
of the link if the link goes down at any point between the
two devices
• Management simplicity provides common software features
and CLI implementation across all HPE ProVision-based
switches (including the zl and yl switches)
• Command authorization leverages RADIUS to link a custom
list of CLI commands to an individual network administrator’s
login; an audit trail documents activity
• Friendly port names allows assignment of descriptive names
to ports
• Dual flash images provides independent primary and
secondary operating system files for backup while upgrading
• Multiple configuration files stores easily to the flash image
Connectivity
• IEEE 802.3az Energy Efficient Ethernet lowers power
consumption in periods of low link usage (supported on v2
zl 10/100/1000 and 10/100 modules)
• IEEE 802.3at Power over Ethernet (PoE+) provides up to
30 W per port that allows support of the latest PoE+
capable devices such as IP phones, wireless access
points, and security cameras, as well as any IEEE 802.3af-compliant end device; eliminates the cost of additional
electrical cabling and circuits that would otherwise be
necessary in IP phone and WLAN deployments
• Support for pre-standard PoE detects and provides power
to pre-standard PoE devices
• High-density port connectivity provides up to 12 interface
module slots and up to 288 wire-speed 10/100/1000
PoE-enabled ports, 96 10GbE ports or 96 Smart Rate
multi-gigabit ports per system
• Jumbo frames on Gigabit Ethernet and 10-Gigabit Ethernet
support high-performance remote backup and disaster-recovery services
• Auto-MDIX provides automatic adjustments for
straight-through or crossover cables on all 10/100 and
10/100/1000 ports
• IPv6
– IPv6 host enables switches to be managed in an
IPv6 network
– Dual stack (IPv4 and IPv6) transitions IPv4 to IPv6,
supporting connectivity for both protocols
– MLD snooping forwards IPv6 multicast traffic to the
appropriate interface
– IPv6 ACL/QoS supports ACL and QoS for IPv6 traffic
– IPv6 routing supports static, RIPng, OSPFv3
routing protocols
– 6in4 tunneling supports encapsulation of IPv6 traffic in
IPv4 packets
– Security provides RA guard, DHCPv6 protection,
dynamic IPv6 lockdown, and ND snooping
Performance
• High-speed, high-capacity architecture 2 Tbps crossbar
switching fabric provides intra-module and inter-module
switching with 785.7 million pps throughput on the
purpose-built ProVision ASICs
• Selectable queue configurations allows for increased
performance by selecting the number of queues
and associated memory buffering that best meet the
requirements of the network applications
Resiliency and high availability
• Virtual Switching Framework (VSF) creates one virtual resilient
switch from two switches; servers or switches can be attached
using standard LACP for automatic load balancing and high
availability; simplifies network operation by reducing the need for
complex protocols like Spanning Tree Protocol (STP), Equal-Cost Multipath (ECMP), and VRRP (requires v3 modules)
• Fast Software Upgrade reduces downtime of the VSF stack
during an upgrade by sequentially upgrading the members in
the stack shrinking the downtime to a few seconds (requires
v3 modules)
• Virtual Router Redundancy Protocol (VRRP) allows groups of
two routers to dynamically back each other up to create highly
available routed environments for IPv4 and IPv6 networks
• Nonstop switching improves network availability to
better support critical applications such as unified
communication and mobility; interface and fabric modules
continue switching traffic during failover from active to
standby management module
• Nonstop routing enhances Layer 3 high availability;
OSPFv2/v3 and VRRP will continue to operate and route
network traffic during failover from an active to a standby
management module
• Redundant management and power provide enhanced
system availability and continuity of operations
• IEEE 802.1s Multiple Spanning Tree Protocol provides high
link availability in multiple VLAN environments by allowing
multiple spanning trees; encompasses IEEE 802.1D
Spanning Tree Protocol and IEEE 802.1w Rapid Spanning
Tree Protocol
• IEEE 802.3ad Link Aggregation Control Protocol (LACP)
and HPE port trunking support up to 144 trunks, each
with up to eight links (ports) per trunk
• Distributed trunking enables loop-free and redundant
network topology without using Spanning Tree Protocol;
allows a server or switch to connect to two switches using
one logical trunk for redundancy and load sharing
• Optional redundant power supply provides uninterrupted
power and allows hot-swapping of the redundant power
supplies when installed
• Hot-swappable modules allows dissimilar modules, and
power supplies in a redundant power supply configuration
to be added or swapped without interrupting the network
• Sparing simplicity with zl-common accessories (interface
modules and power supplies)
• Uplink Failure Detection provides active-standby network
path redundancy for servers that are configured for
active-standby NIC teaming
• SmartLink provides easy-to-configure link redundancy of
active and standby links
Layer 2 switching
• VLAN support and tagging supports the IEEE 802.1Q
standard and 4,094 VLANs simultaneously
• IEEE 802.1v protocol VLANs isolate select non-IPv4
protocols automatically into their own VLANs
• VxLAN encapsulation (tunneling) protocol for overlay
network that enables a more scalable virtual network
deployment (requires v3 modules)
• GVRP and MVRP allows automatic learning and dynamic
assignment of VLANs
• IEEE 802.1ad Q-in-Q increases the scalability of an
Ethernet network by providing a hierarchical structure;
connects multiple LANs on a high-speed campus or
metro network
• MAC-based VLAN provides granular control and security;
uses RADIUS to map a MAC address/user to specific
VLANs (requires v2 or higher modules)
• Rapid Per-VLAN Spanning Tree (RPVST+) allows each
VLAN to build a separate spanning tree to improve link
bandwidth usage; is compatible with PVST+
• HPE switch meshing dynamically load balances across
multiple active redundant links to increase available
aggregate bandwidth; allows concurrent Layer 3 routing
with v2 or higher modules
Layer 3 services
• Bidirectional Forwarding Detection (BFD) enables
link connectivity monitoring and reduces network
convergence time for static route, OSPFv2 and VRRP
(requires v3 modules)
• User Datagram Protocol (UDP) helper function allows
UDP broadcasts to be directed across router interfaces
to specific IP unicast or subnet broadcast addresses and
prevents server spoofing for UDP services such as DHCP
• Loopback interface address defines an address in Routing
Information Protocol (RIP) and Open Shortest Path First
(OSPF), improving diagnostic capability
• Route maps provide more control during route
redistribution; allow filtering and altering of route metrics
• DHCP server centralizes and reduces the cost of IPv4
address management
Layer 3 routing
• Static IP routing provides manually configured routing for
both IPv4 and IPv6 networks
• Routing Information Protocol (RIP) provides RIPv1, RIPv2,
and RIPng routing
• OSPF provides OSPFv2 for IPv4 routing and OSPFv3 for
IPv6 routing
• Policy-based routing uses a classifier to select traffic that
can be forwarded based on policy set by the network
administrator (requires v2 or higher modules)
• Border Gateway Protocol (BGP) provides IPv4 Border
Gateway Protocol routing, which is scalable, robust,
and flexible
Security
• Control Plane Policing sets rate limits on control protocols
to protect the CPU from overload caused by DoS attacks
• Access control lists (ACLs) provide filtering based on the IP
field, source/destination IP address/subnet, and source/
destination TCP/UDP port number on a per-VLAN or per-port basis
• Multiple user authentication methods
– Uses an IEEE 802.1X supplicant on the client in
conjunction with a RADIUS server to authenticate in
accordance with industry standards
– Web-based authentication provides a browser-based
environment, similar to IEEE 802.1X, to authenticate
clients that do not support IEEE 802.1X
– Supports MAC-based client authentication
– Concurrent IEEE 802.1X, Web, and MAC authentication
schemes per switch port accepts up to 32 sessions of
IEEE 802.1X, Web, and MAC authentications
• Private VLAN provides network security by restricting peer-to-peer communication to prevent a variety of malicious
attacks; typically a switch port can only communicate with
other ports in the same community and/or an uplink port,
regardless of VLAN ID or destination MAC address
• DHCP protection blocks DHCP packets from unauthorized
DHCP servers, preventing denial-of-service attacks
• Secure management access delivers secure encryption of
all access methods (CLI, GUI, or MIB) through SSHv2, SSL,
and/or SNMPv3
• Switch CPU protection provides automatic protection
against malicious network traffic trying to shut down
the switch
• ICMP throttling defeats ICMP denial-of-service attacks
by enabling any switch port to automatically throttle
ICMP traffic
• Identity-driven ACL enables implementation of a highly
granular and flexible access security policy and VLAN
assignment specific to each authenticated network user
• STP BPDU port protection blocks Bridge Protocol Data
Units (BPDUs) on ports that do not require BPDUs,
preventing forged BPDU attacks
• Dynamic IP lockdown works with DHCP protection to block
traffic from unauthorized hosts, preventing IP source
address spoofing
• Dynamic ARP protection blocks ARP broadcasts from
unauthorized hosts, preventing eavesdropping or theft of
network data
• STP root guard protects the root bridge from malicious
attacks or configuration mistakes
• Detection of malicious attacks monitors 10 types of
network traffic and sends a warning when an anomaly that
potentially can be caused by malicious attacks is detected
• Port security allows access only to specified MAC
addresses, which can be learned or specified by the
administrator
• MAC address lockout prevents particular configured MAC
addresses from connecting to the network
• Source-port filtering allows only specified ports to
communicate with each other
• RADIUS/TACACS+ eases switch management security
administration by using a password authentication server
• Secure shell encrypts all transmitted data for secure
remote CLI access over IP networks
• Secure Sockets Layer (SSL) encrypts all HTTP traffic,
allowing secure access to the browser-based management
GUI in the switch
• RADIUS over TLS (RadSec) allows users to use a more
secure and reliable mode of communications between
switch and RADIUS servers over unsecure networks
• Secure FTP allows secure file transfer to and from the
switch; protects against unwanted file downloads or
unauthorized copying of a switch configuration file
• Open Authentication Role simplifies first-time deployment
of AAA in brownfield deployments by allowing full network
access for failed clients and provides instant connectivity
as soon as a client is plugged-in
• Critical Authentication Role ensures that important
infrastructure devices such as IP phones are allowed
network access even in the absence of a RADIUS server
• MAC Pinning allows non-chatty legacy devices to stay
authenticated by pinning client MAC addresses to the port
until the clients log off or get disconnected
• Management Interface Wizard helps secure management
interfaces such as SNMP, telnet, SSH, SSL, Web, and USB at
the desired level
• Switch management logon security helps secure switch
CLI logon by optionally requiring either RADIUS or
TACACS+ authentication
• Security banner displays a customized security policy when
users log in to the switch
• IEEE 802.1AE MACsec provides security on a link between
two switch ports (1Gbps or 10Gbps) using standard
encryption and authentication (requires v3 modules)
• Enrollment over Secure Transport (EST) enhances the
switch PKI infrastructure with a simpler, scalable and more
secure method of certificate provisioning, re-enrollment
and renewal
Convergence
• IP multicast routing includes PIM Sparse and Dense modes
to route IP multicast traffic
• IP multicast snooping (data-driven IGMP) prevents flooding
of IP multicast traffic
• Protocol Independent Multicast for IPv6 supports one-to-many and many-to-many media casting use cases such as
IPTV over IPv6 networks
• LLDP-MED (Media Endpoint Discovery) defines a standard
extension of LLDP that stores values for parameters such
as QoS and VLAN to automatically configure network
devices such as IP phones
• PoE allocations supports multiple methods (automatic,
IEEE 802.3af class, LLDP-MED, or user-specified) to allocate
PoE power for more efficient energy savings
• Auto VLAN configuration for voice
– RADIUS VLAN uses a standard RADIUS attribute and LLDP-MED to automatically configure a VLAN for IP phones
– CDPv2 uses CDPv2 to configure legacy IP phones
• Local MAC Authentication assigns attributes such as VLAN
and QoS using locally configured profile that can be a list
of MAC prefixes
Customer first, customer last support
When your network is important to your business, then
your business needs the backing of Aruba Support Services.
Partner with Aruba product experts to increase your team
productivity, keep pace with technology advances, software
releases, and obtain break-fix support.
Foundation Care for Aruba support services include priority
access to Aruba Technical Assistance Center (TAC) engineers
24x7x365, flexible hardware and onsite support options,
and total coverage for Aruba products. Aruba switches with
assigned Aruba Central subscriptions benefit with option for
additional hardware support only.
Aruba Pro Care adds fast access to senior Aruba TAC
engineers, who are assigned as a single point of contact for
case management, reducing the time spent addressing and
resolving issues.
For complete details on Foundation Care and Aruba Pro
Care, please visit: https://www.arubanetworks.com/support-services/
Warranty, services and support
• Limited Lifetime Warranty, see
https://www.arubanetworks.com/support-services/product-warranties/ for warranty and support information
included with your product purchase
• For Software Releases and Documentation, refer to
https://asp.arubanetworks.com/downloads
• For support and services information, visit
https://www.arubanetworks.com/support-services/arubacare/