That's true only when Native Port VLAN Id (PVID) is not equal to the default VLAN Id 1.
When the Native PVID is changed with respect to the default VLAN Id 1, on ArubaOS-CX the allowed list should contain the default Native VLAN Id 1 too (otherwise it should not be required at all).
In the case of ArubaOS-Switch, the concept of a port operating in "Trunk Mode" versus a port operating in "Access Mode" is simplified since, for any port, you just play with its VLAN Id(s) membership (so a port used for uplink/downlink to another peer carries exactly the VLAN Id(s) as per its explicit membership, tagged or not).
Original Message:
Sent: 3/24/2023 5:42:00 AM
From: OK96
Subject: RE: Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port
Nice post.
That is also something I have noticed. On CX you need to add the VLAN both to Native VLAN and allowed vlan list.
On AOS-S switches (e.g. 2930) you do not have to add the VLAN to the tagged VLAN list, only as the untagged VLAN.
------------------------------
Ole Morten Kårbø
ACEA ACSP
Netnordic Norway
------------------------------
Original Message:
Sent: Mar 18, 2023 09:35 AM
From: Richard Litchfield
Subject: Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port
Howto: Troubleshooting a CX connectivity issue - missing allowed VLAN on trunk port
Symptoms
I started working on a project, but didn't finish and came back to it 2 weeks later.
Now an AP was not getting an IP address, and not showing up in Central.
Initial Troubleshooting
- Port enabled, correct native/untagged VLAN assigned
- DHCP server (on the switch) was showing leases (on a different subnet)
- Plugged a test device into the switch in a different port in the same VLAN 930 - lease assigned and device booted OK
- Moved the test device into the original port - didn't work, no DHCP.
Port Mirror
This is what port mirroring is for!
In my home lab I have a 5Gb NIC permanently connected to a dedicated 5Gb SmartRate port on my switch, so I just had to define the source interface (1/1/16) and enable the mirror session. This is easily done with MultiEdit.
Now I can watch what is happening on port 1/1/16 with Wireshark.
I can see that there is traffic visible on tagged VLAN 27 (which carries subnet 172.20.27.0), but nothing on untagged/native VLAN 930 (subnet 10.20.30.0).
This is a problem, because the DHCP broadcast is on the untagged VLAN 930, and there are no DHCP responses coming back.
Resolution
In step 1 of my initial troubleshooting, I didn't check the full VLAN config in Central or CLI.
Highlight the port in Central GUI and click edit to properly inspect the config. The Native VLAN must also be listed in the Allowed VLANs list - which was not the case here, with only VLAN 27 allowed.
After adding my native VLAN 930 to the Allowed VLANs list, it worked as expected.
And the same view from MultiEdit
As soon as VLAN 930 was allowed on port 1/1/16, DHCP worked, and the AP came online in Central.
You can see the proper DHCP sequence of Discover - Offer - Request - ACK, and also the 10.20.30.0 IP addresses.
Summary
When dealing with multiple VLANs on a CX switch port (i.e. a trunk port), it is important to include your native VLAN (the untagged VLAN) in the list of allowed VLANs. Failure to do so will mean that the switch ignores any native VLAN packets.
------------------------------
Richard Litchfield
Airheads MVP 2020, 2021, 2022
------------------------------
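The misconfiguration described in the original post (a CX trunk port whose native VLAN is not in its allowed list) is easy to catch before a device stops getting DHCP. The script below is an added example, not code from the post or from Aruba: it parses `show running-config` text and flags every trunk port whose `vlan trunk native` VLAN is absent from its `vlan trunk allowed` list. The embedded config is constructed for illustration (port 1/1/16 mirrors the broken state from the post; the other ports are made up). Two assumptions are baked in and commented: a port with no `vlan trunk allowed` line is treated as `allowed all`, and several `vlan trunk allowed` lines on one port are treated as a union.

```python
"""Flag AOS-CX trunk ports whose native VLAN is missing from the allowed VLAN list.

Added example (not from the forum post). Reads `show running-config` style text.
"""
import re

# Constructed sample config (hypothetical; only 1/1/16 reflects the post's broken state).
SAMPLE_CONFIG = """\
vlan 27
vlan 930
interface 1/1/15
    no shutdown
    no routing
    vlan access 930
interface 1/1/16
    no shutdown
    no routing
    vlan trunk native 930
    vlan trunk allowed 27
interface 1/1/17
    no shutdown
    no routing
    vlan trunk native 930
    vlan trunk allowed 27,930
interface 1/1/18
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1,20-30
interface 1/1/19
    no shutdown
    no routing
    vlan trunk native 930
    vlan trunk allowed all
"""


def expand_vlan_list(spec):
    """Expand '27,930' -> {27, 930} and '1,20-30' -> {1, 20..30}; 'all' -> None (wildcard)."""
    spec = spec.strip()
    if spec.lower() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_ports(config_text):
    """Return {interface: {"native": int, "allowed": set or None}} for ports with trunk lines.

    Assumptions: native defaults to 1 and allowed defaults to 'all' (None) when the line
    is absent; repeated 'vlan trunk allowed' lines on one port are merged as a union.
    """
    ports = {}
    current = None
    for raw in config_text.splitlines():
        m = re.match(r"^interface\s+(\S+)", raw)
        if m:
            current = m.group(1)
            continue
        if current is None or not raw.startswith((" ", "\t")):
            current = None  # an unindented line ends the interface block
            continue
        line = raw.strip()
        m = re.match(r"^vlan trunk native\s+(\d+)", line)  # also matches '... 930 tag'
        if m:
            port = ports.setdefault(current, {"native": 1, "allowed": None, "explicit": False})
            port["native"] = int(m.group(1))
            continue
        m = re.match(r"^vlan trunk allowed\s+(.+)$", line)
        if m:
            port = ports.setdefault(current, {"native": 1, "allowed": None, "explicit": False})
            new = expand_vlan_list(m.group(1))
            if new is None or not port["explicit"]:
                port["allowed"] = new          # 'all', or first explicit list
            elif port["allowed"] is not None:
                port["allowed"] |= new         # additional list: union (assumption)
            port["explicit"] = True
    return ports


def find_misconfigured(config_text):
    """List trunk ports whose native VLAN is not in their allowed list (the post's failure)."""
    findings = []
    for name, port in sorted(parse_trunk_ports(config_text).items()):
        allowed = port["allowed"]
        if allowed is not None and port["native"] not in allowed:
            findings.append({"interface": name, "native": port["native"],
                             "allowed": sorted(allowed)})
    return findings


if __name__ == "__main__":
    for f in find_misconfigured(SAMPLE_CONFIG):
        print(f"{f['interface']}: native VLAN {f['native']} not in allowed {f['allowed']}")
```

Run it against `show running-config` output saved to a file and every line printed is a port where untagged traffic (DHCP Discover included) will be dropped exactly as in the post; the fix is to add the native VLAN to that port's `vlan trunk allowed` list.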