Wireless Access

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

VLAN 1 on Aruba S2500

I’m having issues with understanding VLAN 1 on the Aruba S2500 PoE switch. I have a point-to-point Mesh using AP 70s. I have about 4 VLANs being trunked (via the allowed VLANs field on my controller mesh profile) across the wireless link. The only VLAN I can’t get to pass traffic is VLAN 1. I’ve tried having it pass traffic via the native VLAN. Didn’t work. I tried adding it to the allowed trunk VLANs. Didn’t work either.

 

It appears that these switches like to keep all traffic on VLAN 1 untagged if it is defined as the native VLAN. The behavior doesn’t seem to be consistent between devices, especially if you add other switch brands to the mix like Dell 2824s. Sometimes I have to trunk VLAN 1 to get it to work and sometimes I have to leave it un-tagged to get it to work. Can someone explain the behavior of VLAN 1 for me?

 

Also, by default VLAN 1 is assigned the below profile. I can’t remove the profile. Can someone explain what purpose this profile serves and if it is having an effect on how VLAN 1 passes traffic?

 

vlan "1"

   igmp-snooping-profile "igmp-snooping-factory-initial"

 

Thanks for your help,

Super Contributor I
Posts: 269
Registered: ‎04-04-2014

Re: VLAN 1 on Aruba S2500

 

You can see the factory profiles by using the relevant show commands.

 

show vlan-profile igmp-snooping-profile igmp-snooping-factory-initial

igmp-snooping-profile "igmp-snooping-factory-initial"
-----------------------------------------------------
Parameter                         Value
---------                         -----
Enable igmp snooping              Enabled
Enable igmp snooping proxy        Disabled
Enable fast leave                 Disabled
startup-query-count               2
startup-query-interval(secs)      31
query-interval(secs)              125
query-response-interval(secs)     10
last-member-query-count           2
last-member-query-interval(secs)  1
robustness-variable               2

 

It is the same as the default profile.  It serves to prevent needless multicast flooding to hosts that are not listening.

 

VLAN1 is usually set up by switch vendors to support various stuff like clustering/management out of the box. Most of it I usually move off to other VLANs and then leave it native everywhere for CIST. Vendors aren't going to go picking VLANs arbitrarily for factory default configurations so a lot gets piled into 1. It is generally assumed that you are going to leave VLAN 1 as the untagged native VLAN across the entire network, despite the possibility of native VLAN hopping problems/exploits. Sometimes those assumptions go so far as to prevent you from disabling it or locking some configuration items on it. There might be a service like stacking you could disable to allow you to configure VLAN 1's multicast behavior, or there may not be, maybe TAC knows.

 

 

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: VLAN 1 on Aruba S2500

I understand what you're saying but that didn't really answer any of my questions. Does anyone know what Aruba's implementation of VLAN 1 is? What do they expect you to be able to do and not do with VLAN 1? Does anyone know of any documentation that addresses this?

 

Thanks for any input you may have,

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: VLAN 1 on Aruba S2500

Mark,

 

You have an AP70 on the far end of a mesh link.  It is connected to an S2500.

 

Is it connected to enet0 or enet1?  What wired port profile on the AP-Group that the AP70 is in did you modify to get it to trunk, and what are you allowing?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: VLAN 1 on Aruba S2500

Sorry for the slow response. I've been working many projects lately.

 

The layout is as follows:

 

(Main Building End) S2500 -> AP70  )))  ((( AP70 -> Dell 2824 (remote Building End)

 

I've attached a pic of the wireless MESH radio profile. At the moment, I'm trying to allow all VLANs. Ultimately, I only need VLANs 1, 3, 8, 45.

 

VLANs 3, 8, and 45 are working.

 

Odd behaviors

  • At the remote end, I can't draw a DHCP address for VLAN 1
  • With a manual address, I can PING VLAN 1 devices on the Main building side. I can't PING VLAN 1 devices that are on the remote side with me

 

Thanks for your help,

Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: VLAN 1 on Aruba S2500

So the problem was that we didn't allow VLAN 1 on the trunk that connects the controller to the network. Obviously killing ARP requests destined to VLAN 1 machines that live behind the controller.

 

Here's the issue now;

We removed the VLAN from the trunk because machines on VLAN 1 could not communicate to the controller when VLAN 1 was trunked to the controller. Once we removed VLAN 1 from the trunk, the problem was solved.

 

Are there no resources that explain the functionality of VLAN 1 on Aruba access switches and controllers?

 

I would love to understand this better,

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: VLAN 1 on Aruba S2500

My experience has been to never use VLAN 1 for anything other than a switch local dead-end VLAN.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: VLAN 1 on Aruba S2500

I appreciate the advice but that doesn't address my question.

 

I want to understand how switching decisions are made in Aruba access switches and mobile controllers. I can't believe that I'm the only Network Manager that thinks this knowledge is important so I'll ask once more, is there any documentation or other resources that explain this; especially in regards to VLAN 1.

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: VLAN 1 on Aruba S2500

Mark,

 

We do not handle VLAN1 differently than any other VLAN number when it comes to switching.



Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 429
Registered: ‎05-30-2012

Re: VLAN 1 on Aruba S2500

Mark,

On the Mobility Access Switches, the configuration of "native-vlan" influences whether or not vlan 1 is tagged/untagged and if tagged, which vlan will then accept untagged traffic. Take the following example:

 

(host) #show interface gigabitethernet 0/0/12 switchport extensive

GE0/0/12
Link is Up
Flags: Trunk, Trusted
Native VLAN is 10

VLAN membership:

VLAN tag  Tagness   STP-State
--------  --------  ---------
1         Tagged    FWD
10        Untagged  FWD
10        Tagged    FWD
20        Tagged    FWD
30        Tagged    FWD
40        Tagged    FWD

The output above is the result of a trunk port that has VLAN 10 defined as the native-vlan. You can see in this situation that VLAN 1 is now flagged as a tagged VLAN while VLAN 10 is flagged as Untagged and Tagged. This means that we can receive frames with a tag of 10 or if we receive any frames without tags, we'll put them in vlan 10. We will always send traffic for the VLAN defined as native without any tags.

 

I hope that helps.

 

Best regards,

 

Madani
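
The tagging rules described in the post above, as a small Python model (an added example, not part of the original thread and not Aruba code). The `TrunkPort` class, the `cross_link` and `audit_link` helpers and the peer port left at native VLAN 1 are assumptions for illustration; the model generalizes the post's single port to both ends of a link and reports which VLANs land in the wrong place when the two ends disagree on the native VLAN.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TrunkPort:
    """Simplified 802.1Q trunk port (hypothetical model, not ArubaOS code)."""
    name: str
    native_vlan: int
    allowed: frozenset

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """Classify a received frame; tag=None means untagged. None = dropped."""
        vlan = self.native_vlan if tag is None else tag
        return vlan if vlan in self.allowed else None

    def egress(self, vlan: int) -> tuple:
        """Return (sent, tag). The native VLAN always leaves untagged."""
        if vlan not in self.allowed:
            return (False, None)
        return (True, None if vlan == self.native_vlan else vlan)

def cross_link(a: TrunkPort, b: TrunkPort, vlan: int) -> Optional[int]:
    """VLAN a frame lands in on b after a sends it from `vlan`; None if lost."""
    sent, tag = a.egress(vlan)
    return b.ingress(tag) if sent else None

def audit_link(a, b, vlans):
    """List VLANs that do not arrive in the same VLAN on the far side."""
    findings = []
    for src, dst in ((a, b), (b, a)):
        for v in vlans:
            got = cross_link(src, dst, v)
            if got != v:
                findings.append((src.name, dst.name, v, got))
    return findings

# Constructed sample: the port from the output above (native VLAN 10)
# facing a peer trunk that was left at native VLAN 1.
VLANS = frozenset({1, 10, 20, 30, 40})
mas = TrunkPort("GE0/0/12", native_vlan=10, allowed=VLANS)
peer = TrunkPort("peer", native_vlan=1, allowed=VLANS)

if __name__ == "__main__":
    for f in audit_link(mas, peer, sorted(VLANS)):
        print("%s -> %s: VLAN %s arrives as %s" % f)
```

Running the audit over every trunk pair before changing a native VLAN shows which VLANs would silently merge, which is the condition behind the native VLAN hopping concern raised earlier in the thread.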

 
