Controller Based WLANs


How to configure a port or a VLAN to be trusted or untrusted? What are the various trust/untrust combinations between a port and a VLAN to determine if the traffic is trusted or untrusted? 

Jul 18, 2014 02:01 PM

This article explains:

  1. Why a port or VLAN needs to be configured as trusted or untrusted
  2. How to configure a port or VLAN as trusted or untrusted
  3. The trusted/untrusted combinations between a port and a VLAN that determine whether traffic is trusted or untrusted

 

You can classify wired traffic not only by the incoming physical port but also by the VLAN carrying the traffic on that port. For example, say a user is connected on VLAN 10 and passes traffic through wired port 1/0. If VLAN 10 on that wired port is marked as untrusted, then all traffic on VLAN 10 through that port is treated as untrusted.
 
When you define a physical port, or a VLAN associated with that port, as untrusted, traffic passing through it must pass through a predefined access control list (ACL) policy. On a trunk port you can set a range of VLANs as trusted or untrusted.
 
The following table lists the port/VLAN combinations that determine whether user traffic is trusted or untrusted. Traffic is trusted only when both the port and the VLAN are trusted:


Port        VLAN        Traffic Status
Trusted     Trusted     Trusted
Untrusted   Untrusted   Untrusted
Untrusted   Trusted     Untrusted
Trusted     Untrusted   Untrusted

Environment: This article applies to all controller models and OS versions.

 

The following outputs are taken from an Aruba 7210 controller running 6.3.0.1.

Using WebUI:

  1. Navigate to Configuration > Ports
  2. Enable the “Make Port Trusted” checkbox
  3. Enter the VLANs to be allowed on the port and mark them as trusted or untrusted


If the "trusted" checkbox is enabled, only the entered VLANs are marked trusted. All remaining VLANs are automatically categorized as untrusted.

 

 


 

Using CLI:

Five VLANs are active on the trunk (all VLANs are allowed):


(Aruba) #show trunk
 
Trunk Port Table
-----------------
Port      Vlans Allowed   Vlans Active        Native Vlan
----      -------------   ------------        -----------
GE0/0/5   ALL             1,33,100,150,200    1
 

To mark the VLANs as trusted/untrusted:

VLANs 1, 33 and 100 are marked as trusted; the remaining VLANs are untrusted.

 
(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
 
(Aruba) (config) #interface gigabitethernet 0/0/5
(Aruba) (config-if)#trusted vlan 1,33,100

 
To mark the port as trusted/untrusted:

By default, a port is always trusted. To make the port untrusted, use the “no trusted” command:


(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
 
(Aruba) (config) #interface  gigabitethernet 0/0/5
(Aruba) (config-if)#no trusted

 

To check trusted/untrusted VLANs:


(Aruba) #show interface gigabitethernet 0/0/5 trusted-vlan
 
Name:  GE0/0/5
Trusted Vlan(s)
1,33,100
 
(Aruba) #show interface gigabitethernet 0/0/5 untrusted-vlan
 
Name:  GE0/0/5
Untrusted Vlan(s)
2-32,34-99,101-4094


To check if the port is trusted/untrusted:

(Aruba) #show interface gigabitethernet 0/0/5
 
GE 0/0/5 is up, line protocol is down
Hardware is 10 Gigabit Ethernet, address is 00:1A:1E:00:1A:FE (bia 00:1A:1E:00:1A:FE)
Description: GE0/0/5 (Fiber Connector)
Encapsulation ARPA, loopback not set
speed (10 Gbps)
MTU 1500 bytes, BW is 10000 Mbit
Last clearing of "show interface" counters 4 day 12 hr 4 min 15 sec
link status last changed 4 day 12 hr 4 min 15 sec
    0 packets input, 0 bytes
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input error bytes, 0 CRC, 0 frame
    0 multicast, 0 unicast
    0 packets output, 0 bytes
    0 output errors bytes, 0 deferred
    0 collisions, 0 late collisions, 0 throttles
This port is NOT TRUSTED
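The outputs above are what an auditor would collect from each controller port to confirm the intended trust posture. The following Python script is an added example, not code from the article or from Aruba: it applies the article's trust table (traffic is trusted only when both the port and the VLAN are trusted), expands and collapses the controller's VLAN range notation (so the complement of `1,33,100` comes out as `2-32,34-99,101-4094`, matching the `untrusted-vlan` output), and reads the trust facts out of constructed copies of the `show` outputs. The function names are this example's own; the string `This port is NOT TRUSTED` comes from the output above, while the wording for a trusted port is an assumption.

```python
"""Port/VLAN trust audit helper for ArubaOS 'show' output.

Added example, not part of the article or ArubaOS. Sample outputs are
constructed to mirror the article's GE0/0/5 example; function names are
this script's own.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_ranges(text: str) -> set[int]:
    """Expand a controller-style VLAN list such as '2-32,34-99,101-4094'."""
    vlans: set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_ranges(vlans: set[int]) -> str:
    """Collapse a VLAN set back into the controller's 'a-b,c,d-e' form."""
    runs: list[list[int]] = []
    for v in sorted(vlans):
        if runs and runs[-1][1] == v - 1:
            runs[-1][1] = v          # extend the current contiguous run
        else:
            runs.append([v, v])      # start a new run
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


def untrusted_from_trusted(trusted: set[int]) -> set[int]:
    """'trusted vlan X' leaves every other VLAN in 1-4094 untrusted."""
    return set(range(VLAN_MIN, VLAN_MAX + 1)) - trusted


def traffic_trusted(port_trusted: bool, vlan_trusted: bool) -> bool:
    """The article's table: trusted only when port AND VLAN are trusted."""
    return port_trusted and vlan_trusted


def parse_trusted_vlan_output(output: str) -> set[int]:
    """Extract the VLAN list from 'show interface ... trusted-vlan' output."""
    m = re.search(r"^Trusted Vlan\(s\)\s*\n\s*([\d,\-\s]+)", output, re.M)
    return parse_vlan_ranges(m.group(1).strip()) if m else set()


def port_is_trusted(show_interface_output: str) -> bool:
    """'show interface' ends with 'This port is NOT TRUSTED' when untrusted.

    Assumption: a trusted port prints the same line without 'NOT'.
    """
    return "NOT TRUSTED" not in show_interface_output


def audit(show_interface_output: str, trusted_vlan_output: str, vlan: int) -> dict:
    """Combine both outputs into the effective trust status for one VLAN."""
    port_trusted = port_is_trusted(show_interface_output)
    trusted = parse_trusted_vlan_output(trusted_vlan_output)
    vlan_trusted = vlan in trusted
    return {
        "port_trusted": port_trusted,
        "vlan_trusted": vlan_trusted,
        "traffic_trusted": traffic_trusted(port_trusted, vlan_trusted),
        "untrusted_vlans": format_vlan_ranges(untrusted_from_trusted(trusted)),
    }


# Constructed sample outputs, modelled on the article's GE0/0/5 example.
SAMPLE_TRUSTED_VLAN = "Name:  GE0/0/5\nTrusted Vlan(s)\n1,33,100\n"
SAMPLE_SHOW_INTERFACE = (
    "GE 0/0/5 is up, line protocol is down\n"
    "Description: GE0/0/5 (Fiber Connector)\n"
    "This port is NOT TRUSTED\n"
)

if __name__ == "__main__":
    for v in (1, 33, 100, 150):
        print(v, audit(SAMPLE_SHOW_INTERFACE, SAMPLE_TRUSTED_VLAN, v))
```

Run against the sample output, every VLAN reports `traffic_trusted: False` even for VLAN 33, because the port itself was set to `no trusted`; that is the row of the table people most often miss when they mark VLANs trusted but leave the port untrusted.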

