Wired Intelligent Edge


Tunneled-Node Uplink

  • 1.  Tunneled-Node Uplink

    Posted Mar 19, 2020 05:43 PM

    I'm configuring PUTN on a 2930F and it is working fine. However, I have some questions on how to handle the other ports. 

     

    The user role is defined as such:

    aaa authorization user-role name "EMPLOYEE"
       policy "PERMIT-ALL"
       reauth-period 5
       vlan-id 2
       tunneled-node-server-redirect secondary-role "authenticated"
       exit

     

    This role works fine. The user is assigned to role authenticated on the controller, and in the correct VLAN. However, since I can't tag the uplink of this switch with this same VLAN, how do I handle any static configurations for this same VLAN?

     

    i.e. What if I want one port to always be VLAN 2 in this instance? The traffic will not traverse the uplink due to it not being tagged.

    I thought I would create a dummy VLAN on the switch just for tunneled users, but that is what's being assigned on the Controller too. This is regardless of role. 



  • 2.  RE: Tunneled-Node Uplink

    EMPLOYEE
    Posted Mar 19, 2020 07:09 PM

    With the enhancements last year in AOS-Switch 16.08, there is a reserved VLAN where all tunneled traffic is sent over that VLAN.  VLAN assignment would be handled by the controller in the controller (secondary) role.

     

    https://techhub.hpe.com/eginfolib/Aruba/16.09/5200-5911/index.html#GUID-28E864E1-2E29-4DD5-B858-2F833DD98437.html

     

    Otherwise, if not using the reserved VLAN, you would have to keep tunneled VLANs separate from the locally switched VLANs.

     

     



  • 3.  RE: Tunneled-Node Uplink

    Posted Mar 19, 2020 07:28 PM

    Thank you. I missed that feature. I think I got it going now. I want to make sure I'm using BP, though.

     

    1. Set Reserved VLAN on switch: tunneled-node-server mode role-based reserved-vlan <VID>
    2. No matching VLAN needs to exist on the controller. VLAN will be derived from secondary role. (The controller role)


  • 4.  RE: Tunneled-Node Uplink
    Best Answer

    EMPLOYEE
    Posted Mar 19, 2020 07:33 PM

    The reserved VLAN can be any VLAN just as long as it won't be used in other applications on the switch.

     

    Correct, the reserved VLAN only needs to be defined on the switch, the tunneled user VLAN will be derived from the secondary role.
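
The rule from the last answer (the reserved VLAN must not be used for anything else on the switch) can be checked against a saved configuration. The following is an added example, not part of the thread or of Aruba's tooling: the function name and the sample config are constructed, and "used elsewhere" is assumed to mean either port membership in that VLAN or a non-tunneled user role that assigns it.

```python
import re

# Constructed sample config (not from the thread); port and VLAN numbers are made up.
SAMPLE_CONFIG = '''\
tunneled-node-server mode role-based reserved-vlan 1000
vlan 2
   name "USERS"
   untagged 5
   exit
vlan 1000
   name "TUNNEL-RESERVED"
   untagged 12
   exit
aaa authorization user-role name "EMPLOYEE"
   vlan-id 2
   tunneled-node-server-redirect secondary-role "authenticated"
   exit
aaa authorization user-role name "PRINTER"
   vlan-id 1000
   exit
'''

def reserved_vlan_conflicts(config):
    """Return (reserved_vid, findings) for an AOS-Switch style config text."""
    m = re.search(r"reserved-vlan\s+(\d+)", config)
    if not m:
        return None, []
    reserved, findings, ctx = m.group(1), [], None
    role_vlan = tunneled = False
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"vlan \d+$", line) or line.startswith("aaa authorization user-role name"):
            # Entering a VLAN or user-role context; reset per-role state.
            ctx, role_vlan, tunneled = line, False, False
        elif line == "exit":
            # A role that sets the reserved VLAN but is not tunneled is switched locally.
            if ctx and ctx.startswith("aaa") and role_vlan and not tunneled:
                findings.append(f"{ctx}: local role uses vlan-id {reserved}")
            ctx = None
        elif ctx == f"vlan {reserved}" and re.match(r"(un)?tagged\s", line):
            # "no untagged ..." lines do not match, so only real memberships are flagged.
            findings.append(f"vlan {reserved}: port membership '{line}'")
        elif ctx and ctx.startswith("aaa"):
            role_vlan |= line == f"vlan-id {reserved}"
            tunneled |= line.startswith("tunneled-node-server-redirect")
    return reserved, findings
```

On the constructed sample it reports the access port placed in VLAN 1000 and the locally switched PRINTER role, while the tunneled EMPLOYEE role is left alone.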