Wireless Access

Occasional Contributor II

AOS8.5: Untrusted VLAN on LACP Portchannel

Hi all,


I currently have a problem configuring a LACP PO on two 7010 Controllers (managed by an virtual MM) all with AOS8.5.


The controllers both have an IPv4-Adress in VLAN200 (which is the Internet). We want this VLAN to be untrusted so that the controller doesn't offer any services in the internet direction.


Connection between the (Aruba) Core and Controllers is made via a four port LACP PO. I marked the PO itself as trusted and added some trusted VLANs. I then wanted to add VLAN 200 as untrused (but allowed) VLAN. Apparently the GUI doesn't let me click the "Submit"-Button (see Screenshot attached). And yes: I tried different browsers (Firefox and Chrome).


Please help me. Is there a explaining reason why I am not allowed to add an unstrued VLAN to the PO?

According to Table 1 here it should work like that (as far as I understood).


Best regards


Frequent Contributor I

Re: AOS8.5: Untrusted VLAN on LACP Portchannel



I tried similar to this on my devices you can see the attached output.


can try once with trusted only ports and check and only untrusted ports.


or try with CLI you may get proper warning related to it.







Occasional Contributor II

Re: AOS8.5: Untrusted VLAN on LACP Portchannel

Thx for the fast reply.

Apparently there is no way to configure this behavious via CLI.

In the Userguide I also can't find any appropriate instruction (see Screenshot)


Could somebody from Aruba please make a statement about this?


Best regards,


New Contributor

Re: AOS8.5: Untrusted VLAN on LACP Portchannel

Hi Stefan,


Nothing to help you but we have exactly the same problem here. One Port-Channel configured and we'd like to untrust some vlans but nothing more. We tried everything CLI + GUI and we're stuck.

Cause : VRRP is not working on these VLANs


Good luck, i'm following the thread.


New Contributor

Re: AOS8.5: Untrusted VLAN on LACP Portchannel

I had a call with the TAC. Nothing more, they'll call me back asap.


But I maybe have a solution


In CLI try : 

interface port-channel x

switchport trunk allowed vlan all (or no switchport trunk allowed vlan)

trusted vlan add 1-4094

trusted vlan remove "your vlans"

wr mem


You should have the following config (all the vlan not trusted are considered as untrusted)


/!\ Don't change settings of your port-channel through the GUI after that :(

Let's see the TAC answer.

Search Airheads
Showing results for 
Search instead for 
Did you mean: