Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VLAN 1 on Aruba S2500

  • 1.  VLAN 1 on Aruba S2500

    Posted Jul 07, 2014 09:39 PM

    I’m having issues with understanding VLAN 1 on the Aruba S2500 PoE switch. I have a point-to-point Mesh using AP 70s. I have about 4 VLANs being trunked (via the allowed VLANs field on my controller mesh profile) across the wireless link. The only VLAN I can’t get to pass traffic is VLAN 1. I’ve tried having it pass traffic via the native VLAN. Didn’t work. I tried adding it to the allowed trunk VLANs. Didn’t work either.

     

    It appears that these switches like to keep all traffic on VLAN 1 untagged if it is defined as the native VLAN. The behavior doesn’t seem to be consistent between devices, especially if you add other switch brands to the mix like Dell 2824s. Sometimes I have to trunk VLAN 1 to get it to work and sometimes I have to leave it un-tagged to get it to work. Can someone explain the behavior of VLAN 1 for me?

     

    Also, by default VLAN 1 is assigned the below profile. I can’t remove the profile. Can someone explain what purpose this profile serves and if it is having an effect on how VLAN 1 passes traffic?

     

    vlan "1"

       igmp-snooping-profile "igmp-snooping-factory-initial"

     

    Thanks for your help,



  • 2.  RE: VLAN 1 on Aruba S2500

    Posted Jul 07, 2014 10:36 PM

     

    You can see the factory profiles by using the relevant show commands.

     

    show vlan-profile igmp-snooping-profile igmp-snooping-factory-initial

    igmp-snooping-profile "igmp-snooping-factory-initial"
    -----------------------------------------------------
    Parameter                         Value
    ---------                         -----
    Enable igmp snooping              Enabled
    Enable igmp snooping proxy        Disabled
    Enable fast leave                 Disabled
    startup-query-count               2
    startup-query-interval(secs)      31
    query-interval(secs)              125
    query-response-interval(secs)     10
    last-member-query-count           2
    last-member-query-interval(secs)  1
    robustness-variable               2

     

    It is the same as the default profile.  It serves to prevent needless multicast flooding to hosts that are not listening.

     

    VLAN1 is usually set up by switch vendors to support various stuff like clustering/management out of the box. Most of it I usually move off to other VLANs and then leave it native everywhere for CIST. Vendors aren't going to go picking VLANs arbitrarily for factory default configurations so a lot gets piled into 1. It is generally assumed that you are going to leave VLAN 1 as the untagged native VLAN across the entire network, despite the possibility of native VLAN hopping problems/exploits. Sometimes those assumptions go so far as to prevent you from disabling it or locking some configuration items on it. There might be a service like stacking you could disable to allow you to configure VLAN 1's multicast behavior, or there may not be, maybe TAC knows.

     

     



  • 3.  RE: VLAN 1 on Aruba S2500

    Posted Jul 11, 2014 08:16 PM

    I understand what you're saying but that didn't really answer any of my questions. Does anyone know what Aruba's implementation of VLAN 1 is? What do they expect you to be able to do and not do with VLAN 1? Does anyone know of any documentation that addresses this?

     

    Thanks for any input you may have,



  • 4.  RE: VLAN 1 on Aruba S2500

    EMPLOYEE
    Posted Jul 12, 2014 08:13 PM

    Mark,

     

    You have an AP70 on the far end of a mesh link.  It is connected to an S2500.

     

    Is it connected to enet0 or enet1?  What wired port profile on the AP-Group that the AP70 is in did you modify to get it to trunk, and what are you allowing?

     



  • 5.  RE: VLAN 1 on Aruba S2500

    Posted Jul 16, 2014 12:53 PM

    Sorry for the slow response. I've been working many projects lately.

     

    The layout is as follows:

     

    (Main Building End) S2500 -> AP70  )))  ((( AP70 -> Dell 2824 (remote Building End)

     

    I've attached a pic of the wireless MESH radio profile. At the moment, I'm trying to allow all VLANs. Ultimately, I only need VLANs 1, 3, 8, 45

     

    VLANs 3, 8, and 45 are working.

     

    Odd behaviors

    • At the remote end, I can't draw a DHCP address for VLAN 1
    • With a manual address, I can PING VLAN 1 devices on the Main building side. I can't PING VLAN 1 devices that are on the remote side with me

     

    Thanks for your help,



  • 6.  RE: VLAN 1 on Aruba S2500
    Best Answer

    Posted Jul 18, 2014 09:05 PM

    So the problem was that we didn't allow VLAN 1 on the trunk that connects the controller to the network. Obviously killing ARP requests destined to VLAN 1 machines that live behind the controller.

     

    Here's the issue now;

    We removed the VLAN from the trunk because machines on VLAN 1 could not communicate to the controller when VLAN 1 was trunked to the controller. Once we removed VLAN 1 from the trunk, the problem was solved.

     

    Are there no resources that explain the functionality of VLAN 1 on Aruba access switches and controllers?

     

    I would love to understand this better,



  • 7.  RE: VLAN 1 on Aruba S2500

    EMPLOYEE
    Posted Jul 18, 2014 09:08 PM
    My experience has been to never use VLAN 1 for anything other than a switch local dead-end VLAN.


  • 8.  RE: VLAN 1 on Aruba S2500

    Posted Jul 19, 2014 11:07 PM

    I appreciate the advice but that doesn't address my question.

     

    I want to understand how switching decisions are made in Aruba access switches and mobile controllers. I can't believe that I'm the only Network Manager that thinks this knowledge is important so I'll ask once more, is there any documentation or other resources that explain this; especially in regards to VLAN 1.



  • 9.  RE: VLAN 1 on Aruba S2500

    EMPLOYEE
    Posted Jul 19, 2014 11:34 PM

    Mark,

     

    We do not handle VLAN1 differently than any other VLAN number when it comes to switching.



  • 10.  RE: VLAN 1 on Aruba S2500

    EMPLOYEE
    Posted Jul 21, 2014 10:35 AM

    Mark,

    On the Mobility Access Switches, the configuration of "native-vlan" influences whether or not vlan 1 is tagged/untagged and if tagged, which vlan will then accept untagged traffic. Take the following example:

     

    (host) #show interface gigabitethernet 0/0/12 switchport extensive

    GE0/0/12
    Link is Up
    Flags: Trunk, Trusted
    Native VLAN is 10

    VLAN membership:

    VLAN tag  Tagness   STP-State
    --------  --------  ---------
    1         Tagged    FWD
    10        Untagged  FWD
    10        Tagged    FWD
    20        Tagged    FWD
    30        Tagged    FWD
    40        Tagged    FWD

    The output above is the result of a trunk port that has VLAN 10 defined as the native-vlan. You can see in this situation that VLAN 1 is now flagged as a tagged VLAN while VLAN 10 is flagged as Untagged and Tagged. This means that we can receive frames with a tag of 10 or if we receive any frames without tags, we'll put them in vlan 10. We will always send traffic for the VLAN defined as native without any tags.

     

    I hope that helps.

     

    Best regards,

     

    Madani
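
The tagging rules described in the last post, as an added example that is not part of the original thread and not Aruba's code: it parses the quoted `show interface ... switchport extensive` output (abridged), models which VLAN a received frame lands in and how a frame is sent, and compares two ends of a link. The names `parse_switchport`, `classify_rx`, `tx_form`, `compare_ends` and the `FAR_END` data are hypothetical, and dropping a frame whose tag is not a member VLAN is an assumption.

```python
import re

# Output quoted in the post above (abridged): trunk port with native-vlan 10.
S2500_PORT = """\
GE0/0/12
Flags: Trunk, Trusted
Native VLAN is 10
VLAN tag  Tagness   STP-State
--------  --------  ---------
1         Tagged    FWD
10        Untagged  FWD
10        Tagged    FWD
20        Tagged    FWD
30        Tagged    FWD
40        Tagged    FWD
"""
# Constructed far end for comparison (not from the thread): native VLAN 1, no VLAN 40.
FAR_END = (1, {1: {"Untagged"}, 10: {"Tagged"}, 20: {"Tagged"}, 30: {"Tagged"}})

def parse_switchport(text):
    """Return (native_vlan, {vlan_id: {"Tagged", "Untagged"}}) from the CLI output."""
    native, members = None, {}
    for line in text.splitlines():
        if m := re.match(r"\s*Native VLAN is (\d+)", line):
            native = int(m.group(1))
        elif m := re.match(r"\s*(\d+)\s+(Tagged|Untagged)\s+\S+\s*$", line):
            members.setdefault(int(m.group(1)), set()).add(m.group(2))
    return native, members

def classify_rx(members, tag):
    """VLAN for a received frame (tag=None is untagged); None = no match (assumed dropped)."""
    if tag is None:
        return next((v for v, t in members.items() if "Untagged" in t), None)
    return tag if "Tagged" in members.get(tag, set()) else None

def tx_form(native, members, vlan):
    """How a frame for `vlan` leaves the port: native goes untagged, per the post."""
    if vlan not in members:
        return "not-member"
    return "untagged" if vlan == native else "tagged"

def compare_ends(a, b):
    """Mismatches between two ends of a link, each a parse_switchport() result."""
    issues = [f"native VLAN mismatch: {a[0]} vs {b[0]}"] if a[0] != b[0] else []
    issues += [f"VLAN {v} carried on one end only" for v in sorted(set(a[1]) ^ set(b[1]))]
    return issues

if __name__ == "__main__":
    near = parse_switchport(S2500_PORT)
    print(near, compare_ends(near, FAR_END))
```

With these two ends, the far end sends VLAN 1 untagged and the near end places untagged frames in VLAN 10, so VLAN 1 traffic ends up in the wrong VLAN until both ends agree on the native VLAN.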