Cloud Managed Networks

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?

Hi, as I first learned working with ArubaOS-CX CLI an interface operating in Trunk mode has a native VLAN Id (which corresponds to what is the "Untagged" VLAN Id concept the ArubaOS-Switch uses for a port operating as an access port...with the additional option that native VLAN Id on AOS-CX could also be defined as "tagged" <- that is a little bit counter-intuitive if compared to the strict untagged/tagged approach on AOS-S) and, along with that, all other allowed VLAN Id(s) are then tagged (excluded the VLAN Id declared as native, if not explicitly tagged too).

So, IMHO, when speaking about AOS-CX you have an interface with VLAN 1 native plus VLAN 1 and VLAN 3 allowed it means that that interface operates in trunk mode (it carries two VLANs) indeed, VLAN 1 is untagged (indeed you will not find "vlan 1 native tag" but a more familiar "vlan 1 native" in the running configuration's interface context) and VLAN 3 is tagged, both VLAN 1 and VLAN 3 are allowed. This configuration is equivalent to AOS-S where a port is untagged in VLAN 1 and concurrently tagged in VLAN 3 (or, better wording, when a port is Untagged member of VLAN 1 and Tagged member of VLAN 3).
Original Message:
Sent: Dec 08, 2022 12:10 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?

Ciao Davide,
so to better clarify if I need to tag a port for a vlan, what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field. To better depict the screenshot I attached, the interpretation here is that both Vlan 1 and 3 are tagged and Vlan 2 is none, correct?
So if I need to trunk a port where access points are tagged for vlan 2 (wifi) and untagged for vlan 1 (getting ip from dhcp data) and none for vlan 3 (voice vlan), the configuration should be:
Native Vlan 1, Allowed Vlan 2.
Thank you for your quick response.


Original Message:
Sent: Dec 08, 2022 07:37 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi, as I first learned working with ArubaOS-CX CLI an interface operating in Trunk mode has a native VLAN Id (which corresponds to what is the "Untagged" VLAN Id concept the ArubaOS-Switch uses for a port operating as an access port...with the additional option that native VLAN Id on AOS-CX could also be defined as "tagged" <- that is a little bit counter-intuitive if compared to the strict untagged/tagged approach on AOS-S) and, along with that, all other allowed VLAN Id(s) are then tagged (excluded the VLAN Id declared as native, if not explicitly tagged too).

So, IMHO, when speaking about AOS-CX you have an interface with VLAN 1 native plus VLAN 1 and VLAN 3 allowed it means that that interface operates in trunk mode (it carries two VLANs) indeed, VLAN 1 is untagged (indeed you will not find "vlan 1 native tag" but a more familiar "vlan 1 native" in the running configuration's interface context) and VLAN 3 is tagged, both VLAN 1 and VLAN 3 are allowed. This configuration is equivalent to AOS-S where a port is untagged in VLAN 1 and concurrently tagged in VLAN 3 (or, better wording, when a port is Untagged member of VLAN 1 and Tagged member of VLAN 3).
Original Message:
Sent: Dec 08, 2022 12:10 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?

Hi/Ciao!

"what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field"

No, it remains untagged even if you include it into the allowed VLAN(s) list. And you should always include it (even if that seems a strange configuration to do).

Or - but here the Clearpass UI seems not engineered to show the user that particular counter-intuitive option - it remains tagged if you configured the Native VLAN with the proper native tag option even if / also if you include it into the allowed VLAN(s) list. Again it should be included within the allowed VLANs.

In any case you should always add the Native VLAN id (without or with the tag option, it doesn't matter) into the allowed VLAN(s) list.
Original Message:
Sent: Dec 09, 2022 11:11 AM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao Davide,
so to better clarify if I need to tag a port for a vlan, what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field. To better depict the screenshot I attached, the interpretation here is that both Vlan 1 and 3 are tagged and Vlan 2 is none, correct?
So if I need to trunk a port where access points are tagged for vlan 2 (wifi) and untagged for vlan 1 (getting ip from dhcp data) and none for vlan 3 (voice vlan), the configuration should be:
Native Vlan 1, Allowed Vlan 2.
Thank you for your quick response.


Original Message:
Sent: Dec 08, 2022 07:37 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi, as I first learned working with ArubaOS-CX CLI an interface operating in Trunk mode has a native VLAN Id (which corresponds to what is the "Untagged" VLAN Id concept the ArubaOS-Switch uses for a port operating as an access port...with the additional option that native VLAN Id on AOS-CX could also be defined as "tagged" <- that is a little bit counter-intuitive if compared to the strict untagged/tagged approach on AOS-S) and, along with that, all other allowed VLAN Id(s) are then tagged (excluded the VLAN Id declared as native, if not explicitly tagged too).

So, IMHO, when speaking about AOS-CX you have an interface with VLAN 1 native plus VLAN 1 and VLAN 3 allowed it means that that interface operates in trunk mode (it carries two VLANs) indeed, VLAN 1 is untagged (indeed you will not find "vlan 1 native tag" but a more familiar "vlan 1 native" in the running configuration's interface context) and VLAN 3 is tagged, both VLAN 1 and VLAN 3 are allowed. This configuration is equivalent to AOS-S where a port is untagged in VLAN 1 and concurrently tagged in VLAN 3 (or, better wording, when a port is Untagged member of VLAN 1 and Tagged member of VLAN 3).
Original Message:
Sent: Dec 08, 2022 12:10 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?

so what shall I do if I want to have all those vlans tagged.
Usually we have a vendor managing our firewalls or sdwan where it also serve as a dhcp server. When we connect the switch directly to the firewall, the port we use, we tag it for all the vlans 1,2,3.
In this case, what shall I do then if I want Vlan 1 be Tagged as well?
Ciao Davide anche io sono Italiano ma residente negli States :)
Original Message:
Sent: Dec 09, 2022 12:22 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi

"what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field"

No, it remains untagged even if you include it into the allowed VLAN(s) list. And you shoukd always include it.

Or (but here the Clearpass Ui doesn't show the option) it remains tagged if you configured the Native VLAN with thenative tag option even if you include it into the allowed VLAN(s) list.

In any case you should always add the Native VLAN id (without or with the tag option) into the allowed VLAN(s) list.
Original Message:
Sent: Dec 09, 2022 11:11 AM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao Davide,
so to better clarify if I need to tag a port for a vlan, what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field. To better depict the screenshot I attached, the interpretation here is that both Vlan 1 and 3 are tagged and Vlan 2 is none, correct?
So if I need to trunk a port where access points are tagged for vlan 2 (wifi) and untagged for vlan 1 (getting ip from dhcp data) and none for vlan 3 (voice vlan), the configuration should be:
Native Vlan 1, Allowed Vlan 2.
Thank you for your quick response.


Original Message:
Sent: Dec 08, 2022 07:37 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi, as I first learned working with ArubaOS-CX CLI an interface operating in Trunk mode has a native VLAN Id (which corresponds to what is the "Untagged" VLAN Id concept the ArubaOS-Switch uses for a port operating as an access port...with the additional option that native VLAN Id on AOS-CX could also be defined as "tagged" <- that is a little bit counter-intuitive if compared to the strict untagged/tagged approach on AOS-S) and, along with that, all other allowed VLAN Id(s) are then tagged (excluded the VLAN Id declared as native, if not explicitly tagged too).

So, IMHO, when speaking about AOS-CX you have an interface with VLAN 1 native plus VLAN 1 and VLAN 3 allowed it means that that interface operates in trunk mode (it carries two VLANs) indeed, VLAN 1 is untagged (indeed you will not find "vlan 1 native tag" but a more familiar "vlan 1 native" in the running configuration's interface context) and VLAN 3 is tagged, both VLAN 1 and VLAN 3 are allowed. This configuration is equivalent to AOS-S where a port is untagged in VLAN 1 and concurrently tagged in VLAN 3 (or, better wording, when a port is Untagged member of VLAN 1 and Tagged member of VLAN 3).
Original Message:
Sent: Dec 08, 2022 12:10 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?

Ciao! molto piacere di conoscerti!

If you need a port to carry (trunk) all and only tagged VLAN to avoid having a (default) VLAN Id untagged I think you need to define that port with a native tag (so tagged) and add it to all the others VLAN Id(s) you allow (those VLANs, except for the Native you are including if not tagged yet, will be considered tagged)...so in the end that port will be a only tagged member of all the allowed VLAN Id(s).

Do you need an example in ArubaOS-CX or are you asking from the Clearpass standpoint?

Spero di essermi spiegato (io non uso Clearpass quindi non saprei dire come gestire la cosa usando Clearpass).
Original Message:
Sent: Dec 09, 2022 12:38 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

so what shall I do if I want to have all those vlans tagged.
Usually we have a vendor managing our firewalls or sdwan where it also serve as a dhcp server. When we connect the switch directly to the firewall, the port we use, we tag it for all the vlans 1,2,3.
In this case, what shall I do then if I want Vlan 1 be Tagged as well?
Ciao Davide anche io sono Italiano ma residente negli States :)
Original Message:
Sent: Dec 09, 2022 12:22 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi

"what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field"

No, it remains untagged even if you include it into the allowed VLAN(s) list. And you shoukd always include it.

Or (but here the Clearpass Ui doesn't show the option) it remains tagged if you configured the Native VLAN with thenative tag option even if you include it into the allowed VLAN(s) list.

In any case you should always add the Native VLAN id (without or with the tag option) into the allowed VLAN(s) list.
Original Message:
Sent: Dec 09, 2022 11:11 AM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao Davide,
so to better clarify if I need to tag a port for a vlan, what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field. To better depict the screenshot I attached, the interpretation here is that both Vlan 1 and 3 are tagged and Vlan 2 is none, correct?
So if I need to trunk a port where access points are tagged for vlan 2 (wifi) and untagged for vlan 1 (getting ip from dhcp data) and none for vlan 3 (voice vlan), the configuration should be:
Native Vlan 1, Allowed Vlan 2.
Thank you for your quick response.


Original Message:
Sent: Dec 08, 2022 07:37 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi, as I first learned working with ArubaOS-CX CLI an interface operating in Trunk mode has a native VLAN Id (which corresponds to what is the "Untagged" VLAN Id concept the ArubaOS-Switch uses for a port operating as an access port...with the additional option that native VLAN Id on AOS-CX could also be defined as "tagged" <- that is a little bit counter-intuitive if compared to the strict untagged/tagged approach on AOS-S) and, along with that, all other allowed VLAN Id(s) are then tagged (excluded the VLAN Id declared as native, if not explicitly tagged too).

So, IMHO, when speaking about AOS-CX you have an interface with VLAN 1 native plus VLAN 1 and VLAN 3 allowed it means that that interface operates in trunk mode (it carries two VLANs) indeed, VLAN 1 is untagged (indeed you will not find "vlan 1 native tag" but a more familiar "vlan 1 native" in the running configuration's interface context) and VLAN 3 is tagged, both VLAN 1 and VLAN 3 are allowed. This configuration is equivalent to AOS-S where a port is untagged in VLAN 1 and concurrently tagged in VLAN 3 (or, better wording, when a port is Untagged member of VLAN 1 and Tagged member of VLAN 3).
Original Message:
Sent: Dec 08, 2022 12:10 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?

Ciao Davide,
scusami se sono ancora un pochino confuso.

The last message seems a lil bit confusing:
"If you need a port to carry (trunk) all and only tagged VLAN to avoid having a (default) VLAN Id untagged I think you need to define that port with a native tag (so tagged) and add it to all the others VLAN Id(s) you allow (those VLANs"- This part I get it, if I want vlan 1 to be tagged along with 2 and 3, being that Vlan 1 is the native, and you mentioned that It should always be included the native one. The correct configuration should be this one below, correct?
<mat-form-field _ngcontent-onx-c80="" class="mat-form-field ng-tns-c58-11 mat-primary mat-form-field-type-mat-select mat-form-field-appearance-legacy mat-form-field-can-float mat-form-field-has-label ng-untouched ng-pristine ng-valid ng-star-inserted mat-form-field-should-float">

<mat-select _ngcontent-onx-c80="" class="mat-select ng-tns-c72-12 ng-untouched ng-pristine ng-valid ng-star-inserted" disableoptioncentering="" panelclass="cfg-dropdown" role="listbox" id="form-input-dropdown-vlan_mode" aria-labelledby="mat-form-field-label-13" aria-required="false" aria-disabled="false" aria-invalid="false" aria-multiselectable="false" tabindex="0">

</mat-select><mat-label _ngcontent-onx-c80="" class="ng-star-inserted">VLAN Mode</mat-label>

<mat-label _ngcontent-onx-c80="" class="ng-star-inserted">Native VLAN </mat-label>
<mat-label _ngcontent-onx-c80="" class="ng-star-inserted">Allowed VLANs</mat-label>

</mat-form-field>
However,
If I need to have vlan 1 "untagged" on a different port, it should not be included in the "allowed Vlans", correct? See below example.
<mat-form-field _ngcontent-onx-c80="" class="mat-form-field ng-tns-c58-11 mat-primary mat-form-field-type-mat-select mat-form-field-appearance-legacy mat-form-field-can-float mat-form-field-has-label ng-untouched ng-pristine ng-valid ng-star-inserted mat-form-field-should-float"> </mat-form-field><mat-form-field _ngcontent-onx-c80="" class="mat-form-field ng-tns-c58-14 mat-primary mat-form-field-type-mat-input mat-form-field-appearance-legacy mat-form-field-can-float mat-form-field-should-float mat-form-field-has-label ng-star-inserted ng-touched ng-dirty ng-valid"> </mat-form-field>
Original Message:
Sent: Dec 09, 2022 03:03 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao! molto piacere di conoscerti!

If you need a port to carry (trunk) all and only tagged VLAN to avoid having a (default) VLAN Id untagged I think you need to define that port with a native tag (so tagged) and add it to all the others VLAN Id(s) you allow (those VLANs, except for the Native you are including if not tagged yet, will be considered tagged)...so in the end that port will be a only tagged member of all the allowed VLAN Id(s).

Do you need an example in ArubaOS-CX or are you asking from the Clearpass standpoint?

Spero di essermi spiegato (io non uso Clearpass quindi non saprei dire come gestire la cosa usando Clearpass).
Original Message:
Sent: Dec 09, 2022 12:38 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

so what shall I do if I want to have all those vlans tagged.
Usually we have a vendor managing our firewalls or sdwan where it also serve as a dhcp server. When we connect the switch directly to the firewall, the port we use, we tag it for all the vlans 1,2,3.
In this case, what shall I do then if I want Vlan 1 be Tagged as well?
Ciao Davide anche io sono Italiano ma residente negli States :)
Original Message:
Sent: Dec 09, 2022 12:22 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi

"what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field"

No, it remains untagged even if you include it into the allowed VLAN(s) list. And you shoukd always include it.

Or (but here the Clearpass Ui doesn't show the option) it remains tagged if you configured the Native VLAN with thenative tag option even if you include it into the allowed VLAN(s) list.

In any case you should always add the Native VLAN id (without or with the tag option) into the allowed VLAN(s) list.
Original Message:
Sent: Dec 09, 2022 11:11 AM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao Davide,
so to better clarify if I need to tag a port for a vlan, what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field. To better depict the screenshot I attached, the interpretation here is that both Vlan 1 and 3 are tagged and Vlan 2 is none, correct?
So if I need to trunk a port where access points are tagged for vlan 2 (wifi) and untagged for vlan 1 (getting ip from dhcp data) and none for vlan 3 (voice vlan), the configuration should be:
Native Vlan 1, Allowed Vlan 2.
Thank you for your quick response.


Original Message:
Sent: Dec 08, 2022 07:37 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi, as I first learned working with ArubaOS-CX CLI an interface operating in Trunk mode has a native VLAN Id (which corresponds to what is the "Untagged" VLAN Id concept the ArubaOS-Switch uses for a port operating as an access port...with the additional option that native VLAN Id on AOS-CX could also be defined as "tagged" <- that is a little bit counter-intuitive if compared to the strict untagged/tagged approach on AOS-S) and, along with that, all other allowed VLAN Id(s) are then tagged (excluded the VLAN Id declared as native, if not explicitly tagged too).

So, IMHO, when speaking about AOS-CX you have an interface with VLAN 1 native plus VLAN 1 and VLAN 3 allowed it means that that interface operates in trunk mode (it carries two VLANs) indeed, VLAN 1 is untagged (indeed you will not find "vlan 1 native tag" but a more familiar "vlan 1 native" in the running configuration's interface context) and VLAN 3 is tagged, both VLAN 1 and VLAN 3 are allowed. This configuration is equivalent to AOS-S where a port is untagged in VLAN 1 and concurrently tagged in VLAN 3 (or, better wording, when a port is Untagged member of VLAN 1 and Tagged member of VLAN 3).
Original Message:
Sent: Dec 08, 2022 12:10 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?

Ciao, scusa.

La frase che volevo scrivere era piuttosto: "Spero di essermi spiegato (io non uso Clearpass Central quindi non saprei dire come gestire la cosa usando Clearpass Central)." ma ho confuso Clearpass con Central. Sorry!

Non si capisce interamente il tuo post (forse a causa di un copia ed incolla finito male).

Below I post two interface configuration examples.

Native VLAN Id is tagged (IMHO is always a little bit counter-intuitive the association between Native and Tagged because - maybe it's just me - I learnt to associate "Native" with "Untagged", typically because a Native VLAN is the only one used on interfaces operating in Access mode explicitly to connect "VLAN unaware" Hosts...seeing Native Tagged breaks the "VLAN unaware" concept I have in mind):

interface 1/1/1
description interface-1-1-1
no shutdown
mtu 9198
no routing
vlan trunk native 2005 tag
vlan trunk allowed 2000,2005,2010
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree tcn-guard
loop-protect
loop-protect vlan 2000,2005,2010
exit

Here the same as above but with the Native VLAN Id untagged (note the absence of tag option):

interface 1/1/1
description interface-1-1-1
no shutdown
mtu 9198
no routing
vlan trunk native 2005
vlan trunk allowed 2000,2005,2010
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree tcn-guard
loop-protect
loop-protect vlan 2000,2005,2010
exit

In both the above examples the VLAN Id 2005 needs to be included into the list of allowed VLANs, we can eventually discuss if that is mandatory or not, I believe it is and the reason is explained here:


To me it seems pretty much implicit that listing the Native VLAN is required when (allowing) "all" is not the used option in the vlan trunk allowed command.

By the way, the former example creates an interface allowing all listed VLANs and those listed - 2000, 2005 and 2010 - are all tagged (there is no an Untagged membership indeed), the latter example instead creates an interface allowing all listed VLANs but those ones are, respectively, the one 2005 untagged (the one we recognize as Native(ly) untagged) plus the others two - the 2000 and the 2010 - tagged.
Original Message:
Sent: Dec 13, 2022 11:43 AM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao Davide,
scusami se sono ancora un pochino confuso.

The last message seems a lil bit confusing:
"If you need a port to carry (trunk) all and only tagged VLAN to avoid having a (default) VLAN Id untagged I think you need to define that port with a native tag (so tagged) and add it to all the others VLAN Id(s) you allow (those VLANs"- This part I get it, if I want vlan 1 to be tagged along with 2 and 3, being that Vlan 1 is the native, and you mentioned that It should always be included the native one. The correct configuration should be this one below, correct?
<mat-form-field _ngcontent-onx-c80="" class="mat-form-field ng-tns-c58-11 mat-primary mat-form-field-type-mat-select mat-form-field-appearance-legacy mat-form-field-can-float mat-form-field-has-label ng-untouched ng-pristine ng-valid ng-star-inserted mat-form-field-should-float">

<mat-select _ngcontent-onx-c80="" class="mat-select ng-tns-c72-12 ng-untouched ng-pristine ng-valid ng-star-inserted" disableoptioncentering="" panelclass="cfg-dropdown" role="listbox" id="form-input-dropdown-vlan_mode" aria-labelledby="mat-form-field-label-13" aria-required="false" aria-disabled="false" aria-invalid="false" aria-multiselectable="false" tabindex="0">

</mat-select><mat-label _ngcontent-onx-c80="" class="ng-star-inserted">VLAN Mode</mat-label>

<mat-label _ngcontent-onx-c80="" class="ng-star-inserted">Native VLAN </mat-label>
<mat-label _ngcontent-onx-c80="" class="ng-star-inserted">Allowed VLANs</mat-label>

</mat-form-field>
However,
If I need to have vlan 1 "untagged" on a different port, it should not be included in the "allowed Vlans", correct? See below example.
<mat-form-field _ngcontent-onx-c80="" class="mat-form-field ng-tns-c58-11 mat-primary mat-form-field-type-mat-select mat-form-field-appearance-legacy mat-form-field-can-float mat-form-field-has-label ng-untouched ng-pristine ng-valid ng-star-inserted mat-form-field-should-float">

<mat-select _ngcontent-onx-c80="" class="mat-select ng-tns-c72-12 ng-untouched ng-pristine ng-valid ng-star-inserted" disableoptioncentering="" panelclass="cfg-dropdown" role="listbox" id="form-input-dropdown-vlan_mode" aria-labelledby="mat-form-field-label-13" aria-required="false" aria-disabled="false" aria-invalid="false" aria-multiselectable="false" tabindex="0">

</mat-select><mat-label _ngcontent-onx-c80="" class="ng-star-inserted">VLAN Mode</mat-label>

<mat-label _ngcontent-onx-c80="" class="ng-star-inserted">Native VLAN
</mat-label>
<mat-label _ngcontent-onx-c80="" class="ng-star-inserted">Allowed VLANs
</mat-label>

</mat-form-field><mat-form-field _ngcontent-onx-c80="" class="mat-form-field ng-tns-c58-14 mat-primary mat-form-field-type-mat-input mat-form-field-appearance-legacy mat-form-field-can-float mat-form-field-should-float mat-form-field-has-label ng-star-inserted ng-touched ng-dirty ng-valid">

Most of the ports will have the Vlan 1 Untagged except for the port that connects to the firewall and the other port that is used as uplink to pass traffic to another switch.
You mentioned that regardless "the native Vlan" which is "1" must be included regardless if it has to be "U" or "T". "you allow (those VLANs, except for the Native you are including if not tagged yet, will be considered tagged)..."

Fyi, we don't use Clearpass yet, only the UI in Cloud Central.
Thanks,

</mat-form-field>
Original Message:
Sent: Dec 09, 2022 03:03 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao! molto piacere di conoscerti!

If you need a port to carry (trunk) all and only tagged VLAN to avoid having a (default) VLAN Id untagged I think you need to define that port with a native tag (so tagged) and add it to all the others VLAN Id(s) you allow (those VLANs, except for the Native you are including if not tagged yet, will be considered tagged)...so in the end that port will be a only tagged member of all the allowed VLAN Id(s).

Do you need an example in ArubaOS-CX or are you asking from the Clearpass standpoint?

Spero di essermi spiegato (io non uso Clearpass quindi non saprei dire come gestire la cosa usando Clearpass).
Original Message:
Sent: Dec 09, 2022 12:38 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

so what shall I do if I want to have all those vlans tagged.
Usually we have a vendor managing our firewalls or sdwan where it also serve as a dhcp server. When we connect the switch directly to the firewall, the port we use, we tag it for all the vlans 1,2,3.
In this case, what shall I do then if I want Vlan 1 be Tagged as well?
Ciao Davide anche io sono Italiano ma residente negli States :)
Original Message:
Sent: Dec 09, 2022 12:22 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi

"what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field"

No, it remains untagged even if you include it into the allowed VLAN(s) list. And you shoukd always include it.

Or (but here the Clearpass Ui doesn't show the option) it remains tagged if you configured the Native VLAN with thenative tag option even if you include it into the allowed VLAN(s) list.

In any case you should always add the Native VLAN id (without or with the tag option) into the allowed VLAN(s) list.
Original Message:
Sent: Dec 09, 2022 11:11 AM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Ciao Davide,
so to better clarify if I need to tag a port for a vlan, what is in the "Native Vlan" field is untagged unless I include it in the "Allowed Vlan's" field. To better depict the screenshot I attached, the interpretation here is that both Vlan 1 and 3 are tagged and Vlan 2 is none, correct?
So if I need to trunk a port where access points are tagged for vlan 2 (wifi) and untagged for vlan 1 (getting ip from dhcp data) and none for vlan 3 (voice vlan), the configuration should be:
Native Vlan 1, Allowed Vlan 2.
Thank you for your quick response.


Original Message:
Sent: Dec 08, 2022 07:37 PM
From: Davide Poletto
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

Hi, as I first learned working with ArubaOS-CX CLI an interface operating in Trunk mode has a native VLAN Id (which corresponds to what is the "Untagged" VLAN Id concept the ArubaOS-Switch uses for a port operating as an access port...with the additional option that native VLAN Id on AOS-CX could also be defined as "tagged" <- that is a little bit counter-intuitive if compared to the strict untagged/tagged approach on AOS-S) and, along with that, all other allowed VLAN Id(s) are then tagged (excluded the VLAN Id declared as native, if not explicitly tagged too).

So, IMHO, when speaking about AOS-CX you have an interface with VLAN 1 native plus VLAN 1 and VLAN 3 allowed it means that that interface operates in trunk mode (it carries two VLANs) indeed, VLAN 1 is untagged (indeed you will not find "vlan 1 native tag" but a more familiar "vlan 1 native" in the running configuration's interface context) and VLAN 3 is tagged, both VLAN 1 and VLAN 3 are allowed. This configuration is equivalent to AOS-S where a port is untagged in VLAN 1 and concurrently tagged in VLAN 3 (or, better wording, when a port is Untagged member of VLAN 1 and Tagged member of VLAN 3).
Original Message:
Sent: Dec 08, 2022 12:10 PM
From: Selomon Kifle
Subject: Aruba cx switch 6000 vs Aruba AOS-S vlan config.

For the longest I've been configuring and managing aruba aos-s switches (2530)in central using UI. But now I just added a 6000 AOS-CX in central and i'm struggling to comprehend on how to Untag and tag a port for Vlans.

For the AOS-S it was very self-explanatory. You select a switch - Device - Interface Tab and you would go to "Vlan". Once you select a Vlan you could choose a port and make a selection where it is "None, Tagged, Untagged".

However, With the 6000 it's totally different. When I go to "Interfaces" - "Ports & Link Aggregations" and select a port, is the Port section that confuses me. Before it was straightforward but CX has multilayer I guess. For example, If I want Tag a Vlan 2, Untagg Vlan 1 and none for Vlan 3, do I interpret my options. On the screeshot below, is it both Vlan 1 and 3 tagged?