Education - Australia / New Zealand


A local community of education customers across Australia / NZ. This group will be moderated by HPE Aruba Networking staff and kept up to date with any upcoming training or events that are relevant to the EDU space.

Using GVRP/MVRP to simplify your network

  • 1.  Using GVRP/MVRP to simplify your network

    Posted Jun 28, 2016 10:46 AM

    Overview

    I have been using GVRP in my networks for many years. It is a very effective way of distributing VLANs, and in particular, avoiding the need to correctly configure every single switch-to-switch link with the correct set of untagged and tagged VLAN mappings. In environments where there are multiple switches between endpoints, just adding a single VLAN and manually distributing it can be a significant effort, and prone to errors.

     

    GVRP/MVRP propagates the VLAN IDs only - not the names. It is also a standard, unlike the proprietary VTP that has caused so much consternation in the past.


    GVRP/MVRP

    • GVRP has been deprecated in favour of the more recent MVRP.
    • MVRP grew out of GVRP, and has more features and controllability.
    • GVRP has been available in the ProCurve switches for many years
    • ProCurve switches that support the 16.x firmware (now being rebadged as ArubaOS-Switch) also support MVRP.
    • The Comware 7 switches have had MVRP for a few years now.


    General Process

    1. For simplicity, configure a common VLAN across all switches to use as the untagged (native/PVID) VLAN.
      You could leave this as VLAN 1, but a different VLAN is probably a good idea.
    2. Enable GVRP/MVRP (globally)
      [for MVRP you also need to enable each port that will send/receive MVRP traffic.]
    3. Make any port-specific or VLAN specific customisation

    VLAN Propagation Example

    Switch 1

    This is a 2915 at the end of an MSM wireless mesh link; GVRP packets are sent over this link to the upstream switch. Just by typing in "vlan 1234", it will show up across the network (where it has not been blocked).

     

    bvtv09(vlan-1234)# sh vlans 1234
    
     Status and Counters - VLAN Information - VLAN 1234
    
      VLAN ID : 1234
      Name : VLAN1234
      Status : Port-based
      Voice : No
      Jumbo : No
    
      Port Information Mode     Unknown VLAN Status
      ---------------- -------- ------------ ----------
      1                Auto     Block        Up

    In this case the uplink is on port 1. Note the mode is Auto.

     

    On the same switch, you can see that VLAN 930 has port 10 specifically untagged, but port 1 has been automatically configured by GVRP to carry VLAN 930.

    bvtv09(vlan-1234)# sh vlans 930
    
     Status and Counters - VLAN Information - VLAN 930
    
      VLAN ID : 930
      Name : Show-Servers
      Status : Port-based
      Voice : No
      Jumbo : No
    
      Port Information Mode     Unknown VLAN Status
      ---------------- -------- ------------ ----------
      1                Auto     Block        Up
      10               Untagged Learn        Down

    Switch 4

    This is 3 hops away from Switch 1 (the 2915 above). It is connected to its upstream switch on port 24, and has another downstream switch on port 23. Once GVRP was enabled on all the switches, not a single additional interaction was required to get a new VLAN connected through to the downstream Switch 5. (In this case, the full path was 2915 --> 5406 --> Comware 5130 --> 3810 --> 2910, with the 5130 running MVRP.)

    3810M(config)# sh vlans 1234
    
     Status and Counters - VLAN Information - VLAN 1234
    
      VLAN ID : 1234
      Name : GVRP_1234
      Status : Dynamic
      Voice :
      Jumbo : No
      Private VLAN :
      Associated Primary VID : none
      Associated Secondary VIDs : none
    
      Port Information Mode     Unknown VLAN Status
      ---------------- -------- ------------ ----------
      23               Auto     Learn        Up
      24               Auto     Learn        Up
    
    

     

     

    Extra Config Options
    GVRP port options

    bvcore01(eth-B22)# unknown-vlans
     learn                 Accept join requests for new VLANs on this port and
                           propagate requests through all other forwarding ports
                           that are participating in GVRP.
     block                 Only process GRVP packets that concern themselves with
                           known VLANs and ignore new VLANs.
     disable               Ignore all GVRP packets.

    Unknown-vlans block is a useful port command to stop a switch learning new VLANs. This is sometimes used at the edge rather than the core or distribution switches. If the switch only knows about VLANs 1-10, it will never learn VLANs 11-4094. However, if you add a VLAN (eg 1234), it will automatically tag itself to the uplink port.

     

    The output below is from Switch 2 (5406).

    bvcore01(config)# sh gvrp
    
     GVRP support
    
      Maximum VLANs to support [256] : 256
      Primary VLAN : DEFAULT_VLAN
      GVRP Enabled [No] : Yes
    
      Port   Type       | Unknown VLAN Join  Leave Leaveall
      ------ ---------- + ------------ ----- ----- --------
      D21    100/1000T  | Disable      20    300   1000
      D22    100/1000T  | Learn        20    300   1000
      D23    100/1000T  | Block        20    300   1000
      D24    100/1000T  | Learn        20    300   1000
      Trk3   Trunk      | Learn        20    300   1000
      Trk8   Trunk      | Learn        20    300   1000

    bvcore01(config)# sh run int d24,d23,d21

    Running configuration:

    interface D21
       name "Cable modem LAN4"
       broadcast-limit 10
       unknown-vlans disable
       no power-over-ethernet
       untagged vlan 255
       spanning-tree admin-edge-port
       spanning-tree root-guard
       exit
    interface D23
       name "behind desk"
       unknown-vlans block
       no power-over-ethernet
       untagged vlan 254
       no snmp-server enable traps link-change
       spanning-tree root-guard
       exit
    interface D24
       name "docking station"
       dhcp-snooping trust
       untagged vlan 145
       no snmp-server enable traps link-change
       spanning-tree root-guard
       exit

    Static-VLAN

    One of the issues that often comes up is how to add ports to a dynamic VLAN. To convert the dynamic VLAN to a static VLAN: static-vlan <id>


    New Feature Device Profile
    If you create a device profile that includes a non-existent VLAN (1234 in the example below), it will be created and the port placed in it when an aruba-ap is plugged in. If you also have GVRP/MVRP enabled, it will automatically be connected via the trunk port(s) and propagate elsewhere. This works on all Aruba IAPs and APs, and not on the POE-powered 7005 controller!

     

    bvcore01(config)# sh device-profile config
    
    Device Profile Configuration
    
    Configuration for device-profile : default-ap-profile
    untagged-vlan : 1
    tagged-vlan : None
    ingress-bandwidth : 100%
    egress-bandwidth : 100%
    cos : None
    speed-duplex : auto
    poe-max-power : 33W
    poe-priority : critical
    allow-jumbo-frames: Disabled
    
    Configuration for device-profile : BV-Aruba-APs
    untagged-vlan : 1234
    tagged-vlan : None
    ingress-bandwidth : 100%
    egress-bandwidth : 100%
    cos : None
    speed-duplex : auto
    poe-max-power : 33W
    poe-priority : high
    allow-jumbo-frames: Disabled
    
    Device Profile Association
    
    Device Type : aruba-ap
    Profile Name : BV-Aruba-APs
    Device Status : Enabled
    
    bvcore01(config)# sh device-profile status
    
    Device Profile Status
    
    Port     Device-type Applied device profile
    -------- ----------- ----------------------
    B10      aruba-ap    BV-Aruba-APs
    
    
    bvcore01# sh vlans 1234
    
    Status and Counters - VLAN Information - VLAN 1234
    
    VLAN ID : 1234
    Name : VLAN1234
    Status : Port-based
    Voice :
    Jumbo : No
    Private VLAN :
    Associated Primary VID : none
    Associated Secondary VIDs : none
    
    Port Information Mode     Unknown VLAN Status
    ---------------- -------- ------------ ----------
    B10              DEV-PROF Learn        Up
    
    Overridden Port VLAN configuration
    
    Port Mode
    ------ ------------

    Note the new DEV-PROF mode (similar to Auto).


    References
    https://en.wikipedia.org/wiki/Multiple_Registration_Protocol#Multiple_VLAN_Registration_Protocol
    http://www.hp.com/rnd/support/config_examples/gvrp_use.pdf Using GVRP (Dynamic VLANs)
    http://community.hpe.com/t5/ProCurve-ProVision-Based/GVRP-Best-Pratice/td-p/4051663 GVRP - Best Practice?
    http://community.hpe.com/t5/Switches-Hubs-Modems-Legacy/Allow-all-VLANs-on-trunk/td-p/5870765 Allow all VLANs on trunk
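
The `unknown-vlans` port modes described in the post above can be audited from `show gvrp` output. This is an added example, not part of the original post or HPE's tooling: it flags ports still in Learn mode that are not on an operator-supplied list of switch-to-switch links. The uplink list (`Trk3`, `Trk8`) is an assumption made for illustration.

```python
import re

# Constructed sample: the port table from the `sh gvrp` output quoted in the post.
SHOW_GVRP = """\
  Port   Type       | Unknown VLAN Join  Leave Leaveall
  ------ ---------- + ------------ ----- ----- --------
  D21    100/1000T  | Disable      20    300   1000
  D22    100/1000T  | Learn        20    300   1000
  D23    100/1000T  | Block        20    300   1000
  D24    100/1000T  | Learn        20    300   1000
  Trk3   Trunk      | Learn        20    300   1000
  Trk8   Trunk      | Learn        20    300   1000
"""

# A data row is: port, type, '|', unknown-VLAN mode, then the three timers.
# The header and the '+' separator line do not match this pattern.
ROW = re.compile(
    r"^\s*(\S+)\s+(\S+)\s*\|\s*(Learn|Block|Disable)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_gvrp_ports(text):
    """Return {port: unknown_vlan_mode} from the port table of `show gvrp`."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(1)] = m.group(3)
    return ports


def ports_learning_unexpectedly(text, uplinks):
    """Ports in Learn mode that are not listed as switch-to-switch links."""
    return sorted(
        port
        for port, mode in parse_gvrp_ports(text).items()
        if mode == "Learn" and port not in uplinks
    )


if __name__ == "__main__":
    # Assumption: only the two trunks are inter-switch links on this switch.
    for port in ports_learning_unexpectedly(SHOW_GVRP, {"Trk3", "Trk8"}):
        print(f"{port}: unknown-vlans learn on a port not listed as an uplink")
```
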



  • 2.  RE: Using GVRP/MVRP to simplify your network

    Posted Apr 14, 2018 04:32 AM

    When running in an environment with only MVRP (like you can do with all the AOSS devices, or later model ProCurve switches with the AOSS 16.xx firmware), the "unknown-vlan block" option does not stop new VLANs from appearing on the switch.

     

    Note the "MVRP_100  dynamic" VLAN in the example below.

     

    AIS-2920-04(config)# sh vlans
    
     Status and Counters - VLAN Information
    
      Maximum VLANs to support : 256
      Primary VLAN : DEFAULT_VLAN
      Management VLAN :
    
      VLAN ID Name                             | Status     Voice Jumbo
      ------- -------------------------------- + ---------- ----- -----
      1       DEFAULT_VLAN                     | Port-based No    No
      2       Null                             | Port-based No    No
      8       Aruba Instant AIS                | Port-based No    Yes
      10      Platinum-Gold-Sponsors           | Port-based No    No
      11      AIS-Wireless-Delegates           | Port-based No    No
      12      AIS-Wireless-Podium              | Port-based No    No
      13      AIS-Wireless-Sponsors            | Port-based No    No
      100     MVRP_100                         | Dynamic          No
      930     HPE-Roadshow                     | Port-based No    Yes
      931     OOBM                             | Port-based No    No

    With MVRP, this is resolved by using "mvrp registration fixed".

     

    The following extract is for the port on a 2920 where the unwanted dynamic VLAN was coming from.

    AIS-2920-04(config)# sh run int 24
    
    Running configuration:
    
    interface 24
       mvrp registration fixed
       mvrp enable
       untagged vlan 930
       exit

    Now the unwanted dynamic VLAN 100 is not appearing on the switch.

     

    AIS-2920-04(eth-24)# sh vlans
    
     Status and Counters - VLAN Information
    
      Maximum VLANs to support : 256
      Primary VLAN : DEFAULT_VLAN
      Management VLAN :
    
      VLAN ID Name                             | Status     Voice Jumbo
      ------- -------------------------------- + ---------- ----- -----
      1       DEFAULT_VLAN                     | Port-based No    No
      2       Null                             | Port-based No    No
      8       Aruba Instant AIS                | Port-based No    Yes
      10      Platinum-Gold-Sponsors           | Port-based No    No
      11      AIS-Wireless-Delegates           | Port-based No    No
      12      AIS-Wireless-Podium              | Port-based No    No
      13      AIS-Wireless-Sponsors            | Port-based No    No
      930     HPE-Roadshow                     | Port-based No    Yes
      931     OOBM                             | Port-based No    No

    The upstream switch will show matching dynamic VLANs if they are added here; the "fixed" option only blocks the unknown incoming VLANs.
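
A check for the situation in the post above, where a dynamic VLAN appears on a switch that was not meant to learn it. This is an added example, not part of the original post: it parses `show vlans` output and reports every VLAN with status Dynamic whose ID is not on an approved list. The approved list is an assumption supplied by the operator.

```python
import re

# Constructed sample: rows abridged from the first `sh vlans` output in the post.
SHOW_VLANS = """\
  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  8       Aruba Instant AIS                | Port-based No    Yes
  100     MVRP_100                         | Dynamic          No
  930     HPE-Roadshow                     | Port-based No    Yes
"""

# VLAN ID, name (may contain spaces), '|', then the status word.
# The header starts with text and the separator uses '+', so neither matches.
ROW = re.compile(r"^\s*(\d+)\s+(.*?)\s*\|\s*(\S+)")


def parse_vlans(text):
    """Return a list of (vlan_id, name, status) from the `show vlans` table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def unexpected_dynamic_vlans(text, approved_ids):
    """Dynamic VLANs whose ID the operator has not approved for this switch."""
    return [
        (vid, name)
        for vid, name, status in parse_vlans(text)
        if status == "Dynamic" and vid not in approved_ids
    ]


if __name__ == "__main__":
    # Assumption: no dynamically learned VLAN is expected on this switch.
    for vid, name in unexpected_dynamic_vlans(SHOW_VLANS, approved_ids=set()):
        print(f"VLAN {vid} ({name}) was learned dynamically and is not approved")
```
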



  • 3.  RE: Using GVRP/MVRP to simplify your network

    Posted May 23, 2019 06:00 AM

    Hi,

     

    I have an issue with device-profile, mvrp and tagged profiles.

     

    Switch 2930F firmware WC.16.08.0001

    IAP-228-RW in Campus Mode (ArubaMC-VA,8.4.0.0)

     

    Switch learns dynamic vlans through mvrp from uplink and it works well.

    interface 2
      mvrp enable
      tagged vlan 1
    exit

    Our WiFi uses 802.1x with Radius on Microsoft NPS. Clients are given vlans based on Network Policies. This WiFi profile is not tunneled to controller but bridged to tagged trunk (2ports lacp) on the switch. AP connects to controller on untagged vlan 111 (L3).

     

    I'd like to force the switch to assign correct vlan tags to this trunk on which AP is detected. I try to use device-profile for that purpose but without success.

     

    AP is detected correctly on the switch and assigned device-profile is bound to the trunk. Trk1 receives correct untagged-vlan from the profile.

    If I don't configure tagged-vlan in device profile, none are set on the interface. I was hoping that AP would use vlans dynamically from mvrp depending on the need but nothing like that happens.

    If I do configure tagged-vlan 200-299 in device-profile (we don't use so many vlans but we have reserved this range for future WiFi networks), switch sets them on the trunk BUT omitting all dynamic vlans learnt from mvrp. This is opposite to what I want to achieve.

     

    What am I doing wrong?

     

    interface Trk1
      untagged vlan 1
      spanning-tree priority 4
      device-type network-device
    exit

     

    Configuration for device-profile : my-aruba-ap
    untagged-vlan : 111
    tagged-vlan : None (or 200-299)
    ingress-bandwidth : 100%
    egress-bandwidth : 100%
    cos : None
    speed-duplex : auto
    poe-max-power : Class/LLDP
    poe-priority : critical
    allow-jumbo-frames : Disabled
    allow-tunneled-node: Enabled
    profile-mode : client-mode (tried port-mode too)

     

     



  • 4.  RE: Using GVRP/MVRP to simplify your network

    EMPLOYEE
    Posted Nov 11, 2020 10:37 PM
    Hi PawelZ,

    I'm seeing the same behaviour. It appears that the untagged-vlan defined in the device-profile is able to use a dynamic VLAN discovered using MVRP however tagged VLANs do not use MVRP based dynamic VLANs.

    When I try to specify a larger range of VLANs, than is learned using MVRP, as tagged in the device-profile the MVRP learned VLANs are omitted and the other VLANs that didn't already exist in the VLAN table are created. I noted these VLANs could not be deleted - as they are seen as dynamic by the switch even though their status shows as port-based. They automatically disappear when they are removed from the device-profile configuration.

    Profile-mode should be set to port-mode when assigned to an AP - typically.

    I'm asking to see if this is expected. Have you opened a support case for this?


  • 5.  RE: Using GVRP/MVRP to simplify your network

    Posted Dec 07, 2020 12:08 PM
    Hi,

    As far as I can tell, the VLANs have to be defined, so MVRP could distribute them, and the device-profiles can use them - seems to me that there's no option to create the VLANs dynamically and distribute them via MVRP:

    at least:

    vlan 666
       name "Test"
       no ip address
       exit

    device-profile name "default-ap-profile"
       tagged-vlan 666
       exit
    device-profile type "aruba-ap"
       enable
       exit

    Tested with 2530/2540-24G/-48G


    regards

    ------------------------------
    Peter Bartosch
    ------------------------------