ArubaOS-CX 10.01 VSX: VLAN vsx-sync weirdness

  • 1.  ArubaOS-CX 10.01 VSX: VLAN vsx-sync weirdness

    MVP GURU
    Posted Sep 05, 2018 07:15 AM

    On two Aruba 8320 VSX (ArubaOS-CX 10.01.0011) I'm noticing this oddity:

     

    I started from this VSX LAG configuration for my lag1:

     

    interface lag 1 multi-chassis
        vsx-sync vlans
        description 8320-1-VSX-LAG-TSM
        no shutdown
        no routing
        vlan trunk native 20
        vlan trunk allowed 20
        lacp mode active
        loop-protect
        loop-protect vlan 20

    to this configuration:

     

    interface lag 1 multi-chassis
        vsx-sync vlans
        description 8320-1-VSX-LAG-TSM
        no shutdown
        no routing
        vlan trunk native 1
        vlan trunk allowed 1,20,30,40
        lacp mode active
        loop-protect
        loop-protect vlan 1,20,30,40

    by executing - at the level of interface lag 1 - these commands:

     

    vlan trunk native 1
    vlan trunk allowed 1,20,30,40
    loop-protect vlan 1,20,30,40

    This is to change, respectively, the native VLAN from 20 to 1, the allowed VLANs from 20 only to 1, 20, 30 and 40, and finally loop-protect from 20 only to 1, 20, 30 and 40.

     

    The strangeness is that, since vsx-sync is enabled on the lag1 interface, I expected to see the exact same configuration (description apart) on the Secondary VSX node...BUT what I currently see is this:

     

    interface lag 1 multi-chassis
        vsx-sync vlans
        description 8320-2-VSX-LAG-TSM
        no shutdown
        no routing
        vlan trunk native 1
        vlan trunk allowed 20,30,40
        lacp mode active
        loop-protect

    What worries me is not the absence of loop-protect with specified VLANs (that one is going to be added manually since it is not a synced status)...what worries me really is the fact I see this row:

     

    vlan trunk allowed 20,30,40

    and not the one I expect:

     

    vlan trunk allowed 1,20,30,40

    Is there a reason to not see 1 as VLAN ID allowed explicitly for the lag 1 interface on trunk mode?

     

    This makes me think both nodes - from the point of view of VLANs - are not totally synched even if synchronization seems to have happened (vsx status looks good to me):

     

    Aruba-8320-1(config-lag-if)# do show vsx status
    VSX Operational State
    ---------------------
      ISL channel             : In-Sync
      ISL mgmt channel        : operational
      Config Sync Status      : in-sync
      NAE                     : peer_reachable
      HTTPS Server            : peer_reachable
    
    Attribute           Local               Peer
    ------------        --------            --------
    ISL link            lag128              lag128
    ISL version         2                   2
    System MAC          d0:67:26:xx:xx:xx   d0:67:26:yy:yy:yy
    Platform            8320                8320
    Software Version    TL.10.01.0011       TL.10.01.0011
    Device Role         primary             secondary
    
    

    The fact is that there is a big difference on Secondary Aruba 8320 (8320-2) if VLAN 1 is not allowed in trunk mode as it is instructed to happen on Primary Aruba 8320 (8320-1)...untagged traffic will be dropped on lag1 on Secondary. Isn't it?

     

    Is this a bug?

     

    Or could this behaviour be related to the fact that I didn't add vsx-sync to VLAN 1 (I added vsx-sync only to VLAN 20, 30 and 40)? If so...should I add the vsx-sync option also to VLAN 1?

     

     

     



  • 2.  RE: ArubaOS-CX 10.01 VSX: VLAN vsx-sync weirdness

    MVP GURU
    Posted Sep 05, 2018 08:10 AM

    Probably I gave myself the answer:

     

    The vsx-sync option is (clearly) needed also on VLAN 1...otherwise the vlan trunk allowed option will not be synchronized on Secondary if the specified VLAN ID is 1.

     

    What is strange is that the vlan trunk native option was correctly synched, changing from vlan trunk native 20 to vlan trunk native 1...so I'm asking why vlan trunk allowed 20 didn't change to vlan trunk allowed 1,20,30,40 instead of only vlan trunk allowed 20,30,40?

     

    Is it really an issue related to vsx-sync feature missing on VLAN 1?

     

    If so, it looks like it affects the vlan trunk allowed option and not the vlan trunk native option as well.
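
A drift check for the situation described in this thread, added here as an example and not part of the original posts or of any HPE Aruba tooling. It compares the trunk VLAN lines of the two `interface lag 1` stanzas quoted above (trimmed to the relevant lines); the function names are hypothetical, and it assumes explicit VLAN lists, also accepting ranges such as `20-22`.

```python
import re

# Constructed from the stanzas quoted in the thread, trimmed to the VLAN-related lines.
PRIMARY = """interface lag 1 multi-chassis
    vsx-sync vlans
    description 8320-1-VSX-LAG-TSM
    vlan trunk native 1
    vlan trunk allowed 1,20,30,40
"""
SECONDARY = """interface lag 1 multi-chassis
    vsx-sync vlans
    description 8320-2-VSX-LAG-TSM
    vlan trunk native 1
    vlan trunk allowed 20,30,40
"""

def expand(spec):
    """Expand a VLAN list such as '1,20-22,40' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_vlans(stanza):
    """Return (native, allowed) parsed from one interface stanza."""
    native = re.search(r"^\s*vlan trunk native (\d+)", stanza, re.M)
    allowed = re.search(r"^\s*vlan trunk allowed ([\d,\- ]+)", stanza, re.M)
    return (int(native.group(1)) if native else None,
            expand(allowed.group(1)) if allowed else set())

def drift(primary, secondary):
    """Report trunk VLAN differences between the two peers (description is ignored)."""
    p_native, p_allowed = trunk_vlans(primary)
    s_native, s_allowed = trunk_vlans(secondary)
    return {
        "native_mismatch": p_native != s_native,
        "missing_on_secondary": sorted(p_allowed - s_allowed),
        "extra_on_secondary": sorted(s_allowed - p_allowed),
        # Native VLAN absent from the secondary's own allowed list.
        "secondary_native_not_in_allowed":
            s_native is not None and s_native not in s_allowed,
    }

if __name__ == "__main__":
    print(drift(PRIMARY, SECONDARY))
```

Run against the saved running-config of both peers, this flags the case in the thread even while `show vsx status` reports the config sync as in-sync.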