Aruba Employee

Using GVRP/MVRP to simplify your network

Overview

I have been using GVRP in my networks for many years. It is a very effective way of distributing VLANs, and in particular, avoiding the need to correctly configure every single switch-to-switch link with the correct set of untagged and tagged VLAN mappings. In environments where there are multiple switches between endpoints, just adding a single VLAN and manually distributing it can be a significant effort, and prone to errors.

 

GVRP/MVRP propagates the VLAN IDs only - not the names. It is also a standard, unlike the proprietary VTP that has caused so much consternation in the past.


GVRP/MVRP

  • GVRP has been deprecated in favour of the more recent MVRP.
  • MVRP grew out of GVRP, and has more features and controllability.
  • GVRP has been available in the ProCurve switches for many years.
  • ProCurve switches that support the 16.x firmware (now being rebadged as ArubaOS-Switch) also support MVRP.
  • The Comware 7 switches have had MVRP for a few years now.


General Process

  1. For simplicity, configure a common VLAN across all switches to use as the untagged (native/PVID) VLAN.
    You could leave this as VLAN 1, but a different VLAN is probably a good idea.
  2. Enable GVRP/MVRP (globally)
    [for MVRP you also need to enable each port that will send/receive MVRP traffic.]
  3. Make any port-specific or VLAN specific customisation

VLAN Propagation Example

Switch 1

This is a 2915 at the end of an MSM wireless mesh link; GVRP packets are sent over this link to the upstream switch. Just by typing in "vlan 1234", it will show up across the network (where it has not been blocked).

 

bvtv09(vlan-1234)# sh vlans 1234

 Status and Counters - VLAN Information - VLAN 1234

  VLAN ID : 1234
  Name : VLAN1234
  Status : Port-based
  Voice : No
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Auto     Block        Up

In this case the uplink is on port 1. Note the mode is Auto.

 

On the same switch, you can see that VLAN 930 has port 10 specifically untagged, but port 1 has been automatically configured by GVRP to carry VLAN 930.

bvtv09(vlan-1234)# sh vlans 930

 Status and Counters - VLAN Information - VLAN 930

  VLAN ID : 930
  Name : Show-Servers
  Status : Port-based
  Voice : No
  Jumbo : No

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1                Auto     Block        Up
  10               Untagged Learn        Down

Switch 4

This is 3 hops away from Switch 1 (the 2915 above). It is connected to its upstream switch on port 24, and has another downstream switch on port 23. Once GVRP was enabled on all the switches, not a single additional interaction was required to get a new VLAN connected through to the downstream Switch 5. (In this case, the full path was 2915 --> 5406 --> Comware 5130 --> 3810 --> 2910, with the 5130 running MVRP.)

3810M(config)# sh vlans 1234

 Status and Counters - VLAN Information - VLAN 1234

  VLAN ID : 1234
  Name : GVRP_1234
  Status : Dynamic
  Voice :
  Jumbo : No
  Private VLAN :
  Associated Primary VID : none
  Associated Secondary VIDs : none

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  23               Auto     Learn        Up
  24               Auto     Learn        Up

 

 

Extra Config Options
GVRP port options

bvcore01(eth-B22)# unknown-vlans
 learn                 Accept join requests for new VLANs on this port and
                       propagate requests through all other forwarding ports
                       that are participating in GVRP.
 block                 Only process GRVP packets that concern themselves with
                       known VLANs and ignore new VLANs.
 disable               Ignore all GVRP packets.

Unknown-vlans block is a useful port command to stop a switch learning new VLANs. This is sometimes used at the edge rather than the core or distribution switches. If the switch only knows about VLANs 1-10, it will never learn VLANs 11-4094. However, if you add a VLAN (eg 1234), it will automatically tag itself to the uplink port.

 

The output below is from Switch 2 (5406).

bvcore01(config)# sh gvrp

 GVRP support

  Maximum VLANs to support [256] : 256
  Primary VLAN : DEFAULT_VLAN
  GVRP Enabled [No] : Yes

  Port   Type       | Unknown VLAN Join  Leave Leaveall
  ------ ---------- + ------------ ----- ----- --------
  D21    100/1000T  | Disable      20    300   1000
  D22    100/1000T  | Learn        20    300   1000
  D23    100/1000T  | Block        20    300   1000
  D24    100/1000T  | Learn        20    300   1000
  Trk3   Trunk      | Learn        20    300   1000
  Trk8   Trunk      | Learn        20    300   1000

bvcore01(config)# sh run int d24,d23,d21

Running configuration:

interface D21
   name "Cable modem LAN4"
   broadcast-limit 10
   unknown-vlans disable
   no power-over-ethernet
   untagged vlan 255
   spanning-tree admin-edge-port
   spanning-tree root-guard
   exit
interface D23
   name "behind desk"
   unknown-vlans block
   no power-over-ethernet
   untagged vlan 254
   no snmp-server enable traps link-change
   spanning-tree root-guard
   exit
interface D24
   name "docking station"
   dhcp-snooping trust
   untagged vlan 145
   no snmp-server enable traps link-change
   spanning-tree root-guard
   exit

Static-VLAN

One of the issues that often comes up is how to add ports to a dynamic VLAN. To convert the dynamic VLAN to a static VLAN: static-vlan <id>


New Feature Device Profile
If you create a device profile that includes a non-existent VLAN (1234 in the example below), it will be created and the port placed in it when an aruba-ap is plugged in. If you also have GVRP/MVRP enabled, it will automatically be connected via the trunk port(s) and propagate elsewhere. This works on all Aruba IAPs and APs, and not on the POE-powered 7005 controller!

 

bvcore01(config)# sh device-profile config

Device Profile Configuration

Configuration for device-profile : default-ap-profile
untagged-vlan : 1
tagged-vlan : None
ingress-bandwidth : 100%
egress-bandwidth : 100%
cos : None
speed-duplex : auto
poe-max-power : 33W
poe-priority : critical
allow-jumbo-frames: Disabled

Configuration for device-profile : BV-Aruba-APs
untagged-vlan : 1234
tagged-vlan : None
ingress-bandwidth : 100%
egress-bandwidth : 100%
cos : None
speed-duplex : auto
poe-max-power : 33W
poe-priority : high
allow-jumbo-frames: Disabled

Device Profile Association

Device Type : aruba-ap
Profile Name : BV-Aruba-APs
Device Status : Enabled

bvcore01(config)# sh device-profile status

Device Profile Status

Port     Device-type Applied device profile
-------- ----------- ----------------------
B10      aruba-ap    BV-Aruba-APs


bvcore01# sh vlans 1234

Status and Counters - VLAN Information - VLAN 1234

VLAN ID : 1234
Name : VLAN1234
Status : Port-based
Voice :
Jumbo : No
Private VLAN :
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode     Unknown VLAN Status
---------------- -------- ------------ ----------
B10              DEV-PROF Learn        Up

Overridden Port VLAN configuration

Port Mode
------ ------------

Note the new DEV-PROF mode (similar to Auto).


References
https://en.wikipedia.org/wiki/Multiple_Registration_Protocol#Multiple_VLAN_Registration_Protocol
http://www.hp.com/rnd/support/config_examples/gvrp_use.pdf Using GVRP (Dynamic VLANs)
http://community.hpe.com/t5/ProCurve-ProVision-Based/GVRP-Best-Pratice/td-p/4051663 GVRP - Best Practice?
http://community.hpe.com/t5/Switches-Hubs-Modems-Legacy/Allow-all-VLANs-on-trunk/td-p/5870765 Allow all VLANs on trunk



Richard Litchfield, HPE Aruba
Consulting System Engineer
Network Ambassador
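
Added example (not part of the original post and not HPE/Aruba code): a small Python audit over the `sh gvrp` port table shown in the post, listing ports whose Unknown VLAN mode is Learn but which are not declared switch-to-switch links. The UPLINKS set is an assumption; the post does not say which ports are uplinks.

```python
import re

# Port table copied from the `sh gvrp` output in the post above.
SH_GVRP = """\
  Port   Type       | Unknown VLAN Join  Leave Leaveall
  ------ ---------- + ------------ ----- ----- --------
  D21    100/1000T  | Disable      20    300   1000
  D22    100/1000T  | Learn        20    300   1000
  D23    100/1000T  | Block        20    300   1000
  D24    100/1000T  | Learn        20    300   1000
  Trk3   Trunk      | Learn        20    300   1000
  Trk8   Trunk      | Learn        20    300   1000
"""

# One data row: port, type, "|", unknown-vlans mode, then the three timers.
ROW = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<type>\S+)\s*\|\s*"
    r"(?P<mode>Learn|Block|Disable)\s+\d+\s+\d+\s+\d+\s*$"
)

def parse_gvrp_ports(text):
    """Return {port: unknown-vlans mode} from a `sh gvrp` port table."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header and separator rows do not match
        if m:
            ports[m.group("port")] = m.group("mode")
    return ports

def audit_gvrp(text, uplinks):
    """Ports that accept GVRP joins for new VLANs but are not declared uplinks."""
    return sorted(
        port for port, mode in parse_gvrp_ports(text).items()
        if mode == "Learn" and port not in uplinks
    )

# Assumption: the operator declares which ports are switch-to-switch links.
UPLINKS = {"Trk3", "Trk8"}

if __name__ == "__main__":
    for port in audit_gvrp(SH_GVRP, UPLINKS):
        print(f"{port}: unknown-vlans learn on a non-uplink port")
```

With the sample table and the assumed uplink set, the ports reported are candidates for `unknown-vlans block` or `unknown-vlans disable`.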
Aruba Employee

Re: Using GVRP/MVRP to simplify your network

When running in an environment with only MVRP (like you can do with all the AOSS devices, or later model ProCurve switches with the AOSS 16.xx firmware), the "unknown-vlan block" option does not stop new VLANs from appearing on the switch.

 

Note the "MVRP_100  dynamic" VLAN in the example below.

 

AIS-2920-04(config)# sh vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  2       Null                             | Port-based No    No
  8       Aruba Instant AIS                | Port-based No    Yes
  10      Platinum-Gold-Sponsors           | Port-based No    No
  11      AIS-Wireless-Delegates           | Port-based No    No
  12      AIS-Wireless-Podium              | Port-based No    No
  13      AIS-Wireless-Sponsors            | Port-based No    No
  100     MVRP_100                         | Dynamic          No
  930     HPE-Roadshow                     | Port-based No    Yes
  931     OOBM                             | Port-based No    No

With MVRP, this is resolved by using "mvrp registration fixed".

 

The following extract is for the port on a 2920 where the unwanted dynamic VLAN was coming from.

AIS-2920-04(config)# sh run int 24

Running configuration:

interface 24
   mvrp registration fixed
   mvrp enable
   untagged vlan 930
   exit

Now the unwanted dynamic VLAN 100 is not appearing on the switch.

 

AIS-2920-04(eth-24)# sh vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  2       Null                             | Port-based No    No
  8       Aruba Instant AIS                | Port-based No    Yes
  10      Platinum-Gold-Sponsors           | Port-based No    No
  11      AIS-Wireless-Delegates           | Port-based No    No
  12      AIS-Wireless-Podium              | Port-based No    No
  13      AIS-Wireless-Sponsors            | Port-based No    No
  930     HPE-Roadshow                     | Port-based No    Yes
  931     OOBM                             | Port-based No    No

The upstream switch will show matching dynamic VLANs if they are added here; the "fixed" option only blocks the unknown incoming VLANs.



Richard Litchfield, HPE Aruba
Consulting System Engineer
Network Ambassador
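
Added example (not part of the original reply and not HPE/Aruba code): the MVRP check from the reply as a Python audit. It lists interfaces that have `mvrp enable` without `mvrp registration fixed`, and reports VLANs whose status is Dynamic. Interface 23 in the sample config and the `uplinks` parameter are constructed for illustration.

```python
import re

# Constructed sample: interface 24 is the stanza from the reply; interface 23
# is a made-up edge port with MVRP enabled and the default registration mode.
RUNNING_CONFIG = """\
interface 23
   mvrp enable
   untagged vlan 930
   exit
interface 24
   mvrp registration fixed
   mvrp enable
   untagged vlan 930
   exit
"""

# Rows copied from the first `sh vlans` output in the reply.
SH_VLANS = """\
  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  100     MVRP_100                         | Dynamic          No
  930     HPE-Roadshow                     | Port-based No    Yes
"""

def interface_stanzas(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)\s*$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.strip() == "exit":
            current = None
        elif current is not None and line.strip():
            current.append(line.strip())
    return stanzas

def mvrp_ports_accepting_new_vlans(config, uplinks=()):
    """Non-uplink interfaces with `mvrp enable` but no `mvrp registration fixed`."""
    return sorted(
        name for name, lines in interface_stanzas(config).items()
        if "mvrp enable" in lines and "mvrp registration fixed" not in lines
        and name not in uplinks
    )

def dynamic_vlans(sh_vlans):
    """VLAN IDs whose Status column reads Dynamic."""
    rows = re.findall(r"^[ \t]*(\d+)[ \t]+.*?\|[ \t]*(\S+)", sh_vlans, re.M)
    return [int(vid) for vid, status in rows if status == "Dynamic"]
```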
New Contributor

Re: Using GVRP/MVRP to simplify your network

Hi,

 

I have an issue with device-profile, mvrp and tagged profiles.

 

Switch 2930F firmware WC.16.08.0001

IAP-228-RW in Campus Mode (ArubaMC-VA,8.4.0.0)

 

Switch learns dynamic vlans through mvrp from uplink and it works well.

interface 2
  mvrp enable
  tagged vlan 1
exit

Our WiFi uses 802.1x with Radius on Microsoft NPS. Clients are given vlans based on Network Policies. This WiFi profile is not tunneled to controller but bridged to tagged trunk (2ports lacp) on the switch. AP connects to controller on untagged vlan 111 (L3).

 

I'd like to force the switch to assign correct vlan tags to this trunk on which AP is detected. I try to use device-profile for that purpose but without success.

 

AP is detected correctly on the switch and assigned device-profile is bound to the trunk. Trk1 receives correct untagged-vlan from the profile.

If I don't configure tagged-vlan in device profile, none are set on the interface. I was hoping that AP would use vlans dynamically from mvrp depending on the need but nothing like that happens.

If I do configure tagged-vlan 200-299 in device-profile (we don't use so many vlans but we have reserved this range for future WiFi networks), switch sets them on the trunk BUT omitting all dynamic vlans learnt from mvrp. This is opposite to what I want to achieve.

 

What am I doing wrong?

 

interface Trk1
  untagged vlan 1
  spanning-tree priority 4
  device-type network-device
exit

 

Configuration for device-profile : my-aruba-ap
untagged-vlan : 111
tagged-vlan : None (or 200-299)
ingress-bandwidth : 100%
egress-bandwidth : 100%
cos : None
speed-duplex : auto
poe-max-power : Class/LLDP
poe-priority : critical
allow-jumbo-frames : Disabled
allow-tunneled-node: Enabled
profile-mode : client-mode (tried port-mode too)