How to configure a port or a VLAN to be trusted or untrusted? What are the various trust/untrust combinations between a port and a VLAN to determine if the traffic is trusted or untrusted?

Aruba Employee

This article explains:

  1. Need for a port or VLAN to be configured trusted or untrusted
  2. Configuring a port or VLAN to be trusted or untrusted
  3. Trust/untrusted combination between port and VLAN to determine if traffic is trusted or untrusted.


You can classify wired traffic based not only on the incoming physical port but also on the VLAN associated with the port carrying the traffic. For example, say the user is connected on VLAN 10 and needs to pass traffic through wired port 1/0. If VLAN 10 on that wired port is marked as untrusted, then any traffic on VLAN 10 through that port is marked as untrusted.
When you define a physical port, or a VLAN associated with that port, as untrusted, traffic passing through that port must go through a predefined access control list policy. You can set a range of VLANs as trusted or untrusted on a trunk port.
The following table lists the port/VLAN combinations that determine whether user traffic is trusted or untrusted:

| Port      | VLAN      | Traffic Status |
|-----------|-----------|----------------|
| Trusted   | Trusted   | Trusted        |
| Untrusted | Untrusted | Untrusted      |
| Untrusted | Trusted   | Untrusted      |
| Trusted   | Untrusted | Untrusted      |

Environment: This article applies to all controller models and OS versions.


The following outputs are taken from Aruba 7210 controller running

Using WebUI:

  1. Navigate to Configuration > Ports
  2. Enable the “Make Port Trusted” checkbox
  3. Enter the VLANs to be allowed on the port and mark them trusted or untrusted.

If the "trusted" checkbox is enabled, only the entered VLANs will be marked trusted. The rest of the VLANs will automatically be categorized as untrusted.





Using CLI:

There are 5 VLANs allowed in the trunk:

(Aruba) #show trunk
Trunk Port Table
Port        Vlans Allowed    Vlans Active        Native Vlan
----        -------------    ------------        -----------
GE0/0/5     ALL              1,33,100,150,200    1

To mark the VLANs as trusted/untrusted:

VLANs 1, 33 and 100 are marked as trusted and the rest of them are untrusted:

(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba) (config) #interface gigabitethernet 0/0/5
(Aruba) (config-if)#trusted vlan 1,33,100

To mark the port as trusted/untrusted:

By default, a port is always trusted. To make the port untrusted, use the “no trusted” command:

(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba) (config) #interface  gigabitethernet 0/0/5
(Aruba) (config-if)#no trusted


To check trusted/untrusted VLANs:

(Aruba) #show interface gigabitethernet 0/0/5 trusted-vlan
Name:  GE0/0/5
Trusted Vlan(s)
(Aruba) #show interface gigabitethernet 0/0/5 untrusted-vlan
Name:  GE0/0/5
Untrusted Vlan(s)

To check if the port is trusted/untrusted:

(Aruba) #show interface gigabitethernet 0/0/5
GE 0/0/5 is up, line protocol is down
Hardware is 10 Gigabit Ethernet, address is 00:1A:1E:00:1A:FE (bia 00:1A:1E:00:1A:FE)
Description: GE0/0/5 (Fiber Connector)
Encapsulation ARPA, loopback not set
speed (10 Gbps)
MTU 1500 bytes, BW is 10000 Mbit
Last clearing of "show interface" counters 4 day 12 hr 4 min 15 sec
link status last changed 4 day 12 hr 4 min 15 sec
    0 packets input, 0 bytes
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input error bytes, 0 CRC, 0 frame
    0 multicast, 0 unicast
    0 packets output, 0 bytes
    0 output errors bytes, 0 deferred
    0 collisions, 0 late collisions, 0 throttles
This port is NOT TRUSTED
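
The trust table and the CLI commands above can be combined into a small offline audit. The following is an added example, not part of the original article or Aruba tooling: it parses interface stanzas written with the commands shown here and reports the effective traffic status per VLAN. Port 0/0/6, the range form `10-12`, and the treatment of a port with no `trusted vlan` line are assumptions of the example.

```python
import re

def parse_vlans(spec):
    """Expand '1,33,100' (form used in the article) or '10-12' (range form, assumed)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ports(config):
    """Return {port: {'trusted': bool, 'trusted_vlans': set or None}}."""
    ports, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface\s+gigabitethernet\s+(\S+)$", line)
        if m:
            # A port is trusted by default, as stated in the article.
            cur = ports.setdefault(m.group(1), {"trusted": True, "trusted_vlans": None})
        elif cur is None:
            continue
        elif line == "no trusted":
            cur["trusted"] = False
        elif line == "trusted":
            cur["trusted"] = True
        elif line.startswith("trusted vlan "):
            cur["trusted_vlans"] = parse_vlans(line[len("trusted vlan "):])
    return ports

def traffic_status(port, vlan):
    """Article's table: traffic is trusted only if port AND VLAN are both trusted."""
    # Assumption: with no 'trusted vlan' line, the VLAN side is treated as trusted.
    vlan_ok = port["trusted_vlans"] is None or vlan in port["trusted_vlans"]
    return "Trusted" if port["trusted"] and vlan_ok else "Untrusted"

# Constructed sample: the article's commands on 0/0/5, plus a hypothetical port 0/0/6.
SAMPLE = """
interface gigabitethernet 0/0/5
 trusted vlan 1,33,100
interface gigabitethernet 0/0/6
 no trusted
 trusted vlan 1,33,100
"""
ACTIVE_VLANS = [1, 33, 100, 150, 200]  # 'Vlans Active' column of show trunk

def audit(config=SAMPLE, vlans=ACTIVE_VLANS):
    """Map (port, vlan) -> 'Trusted' / 'Untrusted' for every active VLAN."""
    return {(name, v): traffic_status(p, v)
            for name, p in parse_ports(config).items() for v in vlans}
```

Calling `audit()` on the sample shows that only VLANs 1, 33 and 100 on port 0/0/5 come out as Trusted; every VLAN on the untrusted port 0/0/6 is Untrusted regardless of its VLAN setting.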

Version history
Revision #:
1 of 1
Last update:
‎07-18-2014 11:01 AM