How should the Aruba controller be configured to ensure proper VLAN tagging across a mesh bridge link?

By Arunkumar posted Jun 30, 2014 09:52 PM


Product and Software: This article applies to ArubaOS 3.3.2 and later.

When configuring a mesh link for bridging, it is important to ensure that VLAN tagging is properly implemented. Proper VLAN tagging includes having the same native VLAN throughout for untagged traffic.

On Aruba controllers, the following profiles are used for configuring bridging across a mesh link:

  • Wired AP profile: used for the wired ports on a mesh portal and on a mesh point. By default, the native VLAN in the wired AP profile is 1. The port is an access port by default, meaning no VLAN tagging is done and all traffic arriving on the port is treated as untagged traffic on the specified access VLAN.
  • AP system profile: used for specifying the native VLAN for traffic sent over the air across the mesh link. By default, the native VLAN is 1. Thus, any traffic received untagged on the wired port is sent across the mesh link untagged and is considered to be on VLAN 1. On receipt at the remote side of the mesh link, the mesh portal or mesh point attempts to put the traffic on any ports that carry VLAN 1, except the mesh link on which the traffic was received.

    Another way of explaining the use of the native VLAN in the system profile: the VLAN in the AP system profile represents the VLAN of the mesh link. If the access VLAN configured in the wired-ap-profile is not the same as the native VLAN in the system profile, the Ethernet frames from the wired device will be tagged when sent on the mesh link. In that case, the port to which the portal is connected has to be made a trunk port, and the VLAN should be enabled on it, for this to work properly.
  • Interface switchport configurations on connected Ethernet switches. By default, the native VLAN is usually 1 and the port is considered an access port, meaning only untagged traffic for a specified VLAN is on the port.

Suppose you want:
  • Untagged traffic on VLAN 10.
  • Tagged traffic on VLANs 100, 200, and 300.

To be specific, the configuration on an Aruba controller running ArubaOS 3.4.0.x would be as follows:

Wired AP profile

ap wired-ap-profile "mesh"
   forward-mode bridge
   switchport mode trunk
   switchport trunk native vlan 10
   switchport trunk allowed vlan 100,200,300

AP system profile

ap system-profile "mesh"
   native-vlan-id 10

AP group configuration

ap-group "mesh"
   dot11a-radio-profile "mesh"
   dot11g-radio-profile "mesh"
   wired-ap-profile "mesh"
   ap-system-profile "mesh"
   mesh-cluster-profile "mesh" priority 1

Sample Ethernet configuration for the switch that may be connected to the mesh portal or mesh point

interface fastethernet 2/4
        description "fe2/4"
        switchport mode trunk
        switchport trunk native vlan 10
        switchport trunk allowed vlan 100,200,300
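
An offline consistency check for the three places described above, added here as an example (it is not Aruba tooling or code from the original article): it parses the stanzas shown in this article and reports any native or tagged VLAN mismatch between the wired AP profile, the AP system profile and the switch port. The function names, the handling of `switchport access vlan`, the 1-4094 default for an absent allowed list and the support for ranges such as 100-110 are assumptions that go beyond what the article shows.

```python
import re
from itertools import takewhile

# Constructed input: the controller and switch stanzas shown in this article.
CONTROLLER = '''ap wired-ap-profile "mesh"
   forward-mode bridge
   switchport mode trunk
   switchport trunk native vlan 10
   switchport trunk allowed vlan 100,200,300
ap system-profile "mesh"
   native-vlan-id 10'''
SWITCH = '''interface fastethernet 2/4
   switchport mode trunk
   switchport trunk native vlan 10
   switchport trunk allowed vlan 100,200,300'''

def stanza(text, header):
    """Return the indented sub-commands under an unindented header line."""
    lines = [l.rstrip() for l in text.splitlines()]
    body = lines[lines.index(header) + 1:]
    return [l.strip() for l in takewhile(lambda l: l[:1].isspace(), body)]

def port_vlans(cmds):
    """Return (untagged VLAN, tagged VLAN set); the 1-4094 default is an assumption."""
    v = {"mode": "access", "native": "1", "access": "1", "allowed": "1-4094"}
    for c in cmds:
        if m := re.fullmatch(r"switchport (?:trunk )?(mode|native|access|allowed)(?: vlan)? (\S+)", c):
            v[m[1]] = m[2]
    if v["mode"] != "trunk":
        return int(v["access"]), set()
    native = int(v["native"])
    tagged = {n for p in v["allowed"].split(",")  # "100" or a range "100-110"
              for n in range(int(p.split("-")[0]), int(p.split("-")[-1]) + 1)}
    return native, tagged - {native}

def audit(controller, switch, wired, system, iface):
    """List VLAN mismatches between wired AP profile, system profile and switch port."""
    ap_nat, ap_tag = port_vlans(stanza(controller, f'ap wired-ap-profile "{wired}"'))
    sw_nat, sw_tag = port_vlans(stanza(switch, f"interface {iface}"))
    m = re.search(r"native-vlan-id (\d+)", " ".join(stanza(controller, f'ap system-profile "{system}"')))
    mesh = int(m[1]) if m else 1  # system-profile native VLAN defaults to 1
    checks = [
        (ap_nat != mesh, f"wired AP untagged VLAN {ap_nat} is tagged on the mesh link (native {mesh})"),
        (ap_nat != sw_nat, f"native VLAN differs: AP port {ap_nat}, switch port {sw_nat}"),
        (ap_tag != sw_tag, f"tagged VLANs differ: AP {sorted(ap_tag)}, switch {sorted(sw_tag)}"),
    ]
    return [msg for bad, msg in checks if bad]

if __name__ == "__main__":
    print(audit(CONTROLLER, SWITCH, "mesh", "mesh", "fastethernet 2/4") or "consistent")
```

Run against the article's configuration it reports no mismatch; changing `native-vlan-id` back to 1, or leaving the switch port as a default access port, produces one finding per inconsistency.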


When the forwarding mode is changed in the wired AP profile, the AP reboots. The AP reboots even if the forwarding mode is changed after the wired AP profile has been applied to the AP group.