You said "VLAN id 10 tag will be stripped out from packets' header for packets leaving the port going outside the Switch", but why is every packet leaving port 1 towards the firewall tagged with VLAN 10? It should not be tagged. Please see my Wireshark screenshot.
I removed all the tagged VLANs from port 1 and left only VLAN 10, so it is purely an access port, but, again, to my understanding a packet coming out of an access point should not be tagged. Thank you
-- With kind regards
Otman Ibrak
Network Administrator
Rabat American School
212-537-671476 Ext 502
Original Message:
Sent: 4/13/2023 3:31:00 PM
From: parnassus
Subject: RE: Aruba 2920 routing-related question
No, looking at your port 1 VLAN membership (in one screenshot you posted), we note that:
(a) Port 1 is an untagged member of VLAN 10, which means that Port 1 has PVID = 10; the VLAN id 10 tag will be stripped from the packets' header for packets leaving the port going outside the switch, and the port will accept any incoming packets without a VLAN tag.
(b) Port 1 is a tagged member of VLAN 1, which means it will accept incoming packets tagged with VLAN id 1 and will send outgoing packets with the very same tag.
Port 1 is thus acting/operating - at least judging from the posted VLAN id membership - as a "trunk port" (in Cisco jargon) and not as a typical "access port", because it is capable of transporting more than one VLAN id (1 and 10).
Original Message:
Sent: Apr 13, 2023 11:57 AM
From: oibrak
Subject: Aruba 2920 routing-related question
We don't have access to the Aruba support program.
Please find the attached screenshot; that might help.
My question is: if Aruba OS is adding the VLAN id 10 to the L2 header for every packet leaving port 1 towards the firewall, while port 1's VID is 10, why is it not doing the same thing when I send an ICMP request from a switch that is on VLAN 1, but instead the tag says it comes from VLAN 10?
Original Message:
Sent: Apr 13, 2023 04:04 AM
From: Herman Robers
Subject: Aruba 2920 routing-related question
I think that without having access to a network diagram, the packet capture, the switch configuration, and a description of what the MAC and IP addresses in the capture are, it will be hard to assist. Do you have access to your Aruba Partner or Aruba Support? It would make a lot of sense to have a (remote) session on your equipment, as it probably is just a configuration thing.
Regarding VLAN 1 tagged, I'm not sure if that is supported, because VLAN 1 is a special VLAN and I don't think some equipment considers VLAN 1 as the native/untagged VLAN. I would recommend avoiding VLAN 1 when possible because of this.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 12, 2023 11:18 AM
From: oibrak
Subject: Aruba 2920 routing-related question
I have got two VLANs: 10 as PVID untagged and 1 tagged.
VLAN 1 is the one used for managing the switches and uses the subnet 192.168.49.0/24.
I went on a 1920 switch and, from the diagnostic menu, I sent a ping request to a public IP address of a website, but in Wireshark the packet was routed to the firewall with the tag VLAN 10 and not 1, even though the source IP was 192.168.49.171, the switch's IP. Thanks a lot for your support
Original Message:
Sent: 4/12/2023 10:59:00 AM
From: parnassus
Subject: RE: Aruba 2920 routing-related question
Out of curiosity, what is the output of the:
show vlans ports ethernet <interface-id> detail
CLI command to show the port's VLAN membership?
The <interface-id> is the Port Id used to connect the Aruba/HP 2920 to that particular peer.
Original Message:
Sent: Apr 12, 2023 09:57 AM
From: oibrak
Subject: Aruba 2920 routing-related question
That's clear, but what baffles me is why the switch is adding an 802.1Q tag with ID VLAN 10? VLAN 10 is the PVID of the port that connects to the firewall? The switch could send it untagged. In other words, if the switch removes the L2 header including the VLAN tag, why add the latter again and only the content of the MAC addresses? Thank you
Original Message:
Sent: 4/11/2023 5:26:00 AM
From: Herman Robers
Subject: RE: Aruba 2920 routing-related question
If you route traffic, it is by basic networking design that the VLAN changes, because VLANs hold an L2 domain, and with routing you cross a VLAN. If the subnet between the switch and the firewall is VLAN 10, that is what routed traffic will follow.
If you need to keep the VLAN between the switch and the firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.
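As an added illustration (not part of any post in this thread and not Aruba's code): a small Python model of the two rules argued in this thread, parnassus's port-membership rules (an untagged member strips the tag on egress, a tagged member keeps it) and Herman's routing rule (the egress VLAN is chosen by the next hop, so a packet that arrived on VLAN 1 and is routed to the firewall leaves on VLAN 10). The MAC addresses, the 10.0.10.0/24 firewall link and the 203.0.113.10 destination are constructed assumptions; only 192.168.49.0/24 and 192.168.49.171 come from the thread. The `parse_frame` helper decodes the L2 header the way Wireshark's VLAN column does, so the same function can be run over bytes from a real capture to check whether a tag is actually present.

```python
# Model of 802.1Q tagging on an L3 switch port (constructed example, not Aruba code).
# Assumptions: the switch routes between VLAN 1 (192.168.49.0/24, management) and
# VLAN 10 (10.0.10.0/24, link to the firewall); the default route points at the
# firewall on VLAN 10; MACs and the destination 203.0.113.10 are made up.
import ipaddress
import struct

TPID_8021Q = 0x8100      # ethertype value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst_mac, src_mac, payload, vid=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame; an 802.1Q tag (PCP/DEI = 0) is inserted only when vid is given."""
    hdr = _mac(dst_mac) + _mac(src_mac)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the L2 header as a capture tool does; vid is None for an untagged frame."""
    ethertype, = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


def build_ipv4(src_ip, dst_ip, proto=1, data=b"\x08\x00\x00\x00\x00\x01\x00\x01"):
    """Minimal IPv4 header (checksum left 0) + ICMP echo bytes; enough to route on dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src_ip).packed,
                       ipaddress.ip_address(dst_ip).packed) + data


def ipv4_dst(payload):
    return ipaddress.ip_address(payload[16:20])


class Port:
    """VLAN membership of one port: one untagged VLAN (the PVID) plus tagged VLANs."""
    def __init__(self, name, untagged_vlan=None, tagged_vlans=()):
        self.name, self.untagged_vlan, self.tagged_vlans = name, untagged_vlan, set(tagged_vlans)

    def classify_ingress(self, vid):
        """VLAN an arriving frame is placed in, or None if the port does not accept it."""
        if vid is None:
            return self.untagged_vlan
        return vid if vid in self.tagged_vlans else None

    def egress_tag(self, vid):
        """'untagged', 'tagged', or None (not a member: the frame is not sent here)."""
        if vid == self.untagged_vlan:
            return "untagged"
        if vid in self.tagged_vlans:
            return "tagged"
        return None


class L3Switch:
    def __init__(self, vlan_subnets, default_route_vlan):
        self.vlan_subnets = {v: ipaddress.ip_network(n) for v, n in vlan_subnets.items()}
        self.default_route_vlan = default_route_vlan

    def route_vlan(self, dst_ip):
        """Egress VLAN follows the next hop, not the VLAN the packet arrived on."""
        for vid, net in self.vlan_subnets.items():
            if dst_ip in net:
                return vid
        return self.default_route_vlan

    def route(self, in_port, frame, out_port):
        """Route one frame; return it as out_port would transmit it, or None if dropped."""
        f = parse_frame(frame)
        if in_port.classify_ingress(f["vid"]) is None:
            return None
        egress_vid = self.route_vlan(ipv4_dst(f["payload"]))
        mode = out_port.egress_tag(egress_vid)
        if mode is None:
            return None
        # MACs are rewritten by routing: switch interface -> firewall (both constructed)
        return build_frame("00:00:5e:00:53:fe", "00:00:5e:00:53:01", f["payload"],
                           vid=egress_vid if mode == "tagged" else None)


def thread_scenario(firewall_port_tagged_vlan10=False):
    """Ping from the 1920 (192.168.49.171 on VLAN 1) to a public address via the firewall.
    Returns (VLAN id seen in the frame sent to the firewall, VLAN chosen by routing)."""
    sw = L3Switch({1: "192.168.49.0/24", 10: "10.0.10.0/24"}, default_route_vlan=10)
    uplink = Port("uplink", untagged_vlan=10, tagged_vlans={1})   # where the 1920 connects
    if firewall_port_tagged_vlan10:
        fw_port = Port("1", untagged_vlan=None, tagged_vlans={10})
    else:
        fw_port = Port("1", untagged_vlan=10, tagged_vlans={1})    # membership as posted
    icmp = build_ipv4("192.168.49.171", "203.0.113.10")
    arriving = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:aa", icmp, vid=1)
    sent = sw.route(uplink, arriving, fw_port)
    return (parse_frame(sent)["vid"] if sent else None), sw.route_vlan(ipv4_dst(icmp))
```

`thread_scenario()` returns `(None, 10)`: the packet is routed onto VLAN 10 and, because port 1 is an untagged member of VLAN 10, it leaves without a tag. `thread_scenario(firewall_port_tagged_vlan10=True)` returns `(10, 10)`: in this model, the frame towards the firewall carries tag 10 only when port 1 is a tagged member of VLAN 10. Either way the routed VLAN is 10, which is Herman's point: keeping the source VLAN across the hop means routing on the firewall, not on the switch.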
Original Message:
Sent: Apr 10, 2023 07:29 AM
From: oibrak
Subject: Aruba 2920 routing-related question
Hello,
The architecture is that the 2920 is connected to a firewall, and a default route says all the traffic not destined for our internal VLANs must be routed to the firewall, with the IP address of the interface of the firewall connected to the 2920. My issue is that an iboss appliance is standing in between and I don't know why the switch is modifying the 802.1Q VLAN ID to the one its interface is untagged on, VLAN 10. Indeed, we need to keep the tag of the VLAN the packet comes from, so iboss can apply the configured policies based on the VLAN ID.
Moreover, this switch port is tagged for another VLAN but still puts the VLAN 10 id instead of the latter.
Thanks for your help