Network Management

New member here, and to Aruba.  I'm new to this company, and I didn't setup the network. 
I have a WatchGuard M270 firewall with 2 subnets
Interface 1, 10.0.1.5/ 24 (LAN)
Interface 3, 10.0.3.1 /24 (Wireless)
No VLANs, flat network

On the Aruba 2390F switches
Native VLAN 1
VLAN 302 labeled Wireless

Port 1 on the Aruba goes to interface 1 of the firewall (10.0.1.5)
Port 46 on the Aruba goes to interface 3 of the firewall (10.0.3.1)
Port 46 is (U) untagged with VLAN 302

My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Ridge-Core-48# show vlans ports 45,47 detail

Status and Counters - VLAN Information - for ports 45

Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Status and Counters - VLAN Information - for ports 47

Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Ridge-Core-48# show spanning-tree ethernet 45,47

Multiple Spanning Tree (MST) Information

STP Enabled : No

Ridge-Core-48# show running-config interface 45

Running configuration:

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

Ridge-Core-48# show running-config interface 47

Running configuration:

interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit

Ridge-Core-48# show vlan 5

Status and Counters - VLAN Information - VLAN 5

VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down, This is where the problem is looks like, not sure why its down.  Port 45 is up, but VLAN 5 is down.
47 Untagged Learn Up
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:

show vlan port ethernet 45,47 details

show spanning-tree interface ethernet 45,47

show running-config interface 45

show running-config interface 47

show vlan 5

with us? Thank you!

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Ports 1,45,46 are the uplinks from the firewall, but I noticed that ONLY port 45 have the aaa port-access authenticator

port 1  = uplink from firewall interface 1 for VLAN 1
port 45  = uplink from firewall interface 5 for VLAN 5, this is the one with aaa port-access authenticator
port 46  = uplink from firewall interface for 3 VLAN 302

Ridge-Core-48# show running-config interface 1,45,46

Running configuration:

interface 1
name "FireboxX750e"
untagged vlan 1
exit

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

interface 46
untagged vlan 302
exit
Original Message:
Sent: Jul 11, 2022 07:21 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ridge-Core-48# show vlans ports 45,47 detail

Status and Counters - VLAN Information - for ports 45

Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Status and Counters - VLAN Information - for ports 47

Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Ridge-Core-48# show spanning-tree ethernet 45,47

Multiple Spanning Tree (MST) Information

STP Enabled : No

Ridge-Core-48# show running-config interface 45

Running configuration:

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

Ridge-Core-48# show running-config interface 47

Running configuration:

interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit

Ridge-Core-48# show vlan 5

Status and Counters - VLAN Information - VLAN 5

VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down, This is where the problem is looks like, not sure why its down.  Port 45 is up, but VLAN 5 is down.
47 Untagged Learn Up
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:

show vlan port ethernet 45,47 details

show spanning-tree interface ethernet 45,47

show running-config interface 45

show running-config interface 47

show vlan 5

with us? Thank you!

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

I don't see a way to check the status of aaa on the web gui, but if I run this command, it should turn it off for port 45 also.  Correct?
And hopefully that will give switch "access to VLAN 5"

no aaa port-access authenticator 45

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html
Original Message:
Sent: Jul 11, 2022 07:40 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ports 1,45,46 are the uplinks from the firewall, but I noticed that ONLY port 45 have the aaa port-access authenticator

port 1  = uplink from firewall interface 1 for VLAN 1
port 45  = uplink from firewall interface 5 for VLAN 5, this is the one with aaa port-access authenticator
port 46  = uplink from firewall interface for 3 VLAN 302

Ridge-Core-48# show running-config interface 1,45,46

Running configuration:

interface 1
name "FireboxX750e"
untagged vlan 1
exit

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

interface 46
untagged vlan 302
exit
Original Message:
Sent: Jul 11, 2022 07:21 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ridge-Core-48# show vlans ports 45,47 detail

Status and Counters - VLAN Information - for ports 45

Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Status and Counters - VLAN Information - for ports 47

Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Ridge-Core-48# show spanning-tree ethernet 45,47

Multiple Spanning Tree (MST) Information

STP Enabled : No

Ridge-Core-48# show running-config interface 45

Running configuration:

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

Ridge-Core-48# show running-config interface 47

Running configuration:

interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit

Ridge-Core-48# show vlan 5

Status and Counters - VLAN Information - VLAN 5

VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down, This is where the problem is looks like, not sure why its down.  Port 45 is up, but VLAN 5 is down.
47 Untagged Learn Up
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:

show vlan port ethernet 45,47 details

show spanning-tree interface ethernet 45,47

show running-config interface 45

show running-config interface 47

show vlan 5

with us? Thank you!

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Its working now.  I turned of AAA port authentication on port 45.
Now when I connect from port 47 to laptop, I get a VLAN network dhcp.

Later, I changed port 47 Tagged for VLANs 1,5, and the Netgear switch is also working.

Thanks for all the help
Original Message:
Sent: Jul 11, 2022 08:27 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

I don't see a way to check the status of aaa on the web gui, but if I run this command, it should turn it off for port 45 also.  Correct?
And hopefully that will give switch "access to VLAN 5"

no aaa port-access authenticator 45

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html
Original Message:
Sent: Jul 11, 2022 07:40 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ports 1,45,46 are the uplinks from the firewall, but I noticed that ONLY port 45 have the aaa port-access authenticator

port 1  = uplink from firewall interface 1 for VLAN 1
port 45  = uplink from firewall interface 5 for VLAN 5, this is the one with aaa port-access authenticator
port 46  = uplink from firewall interface for 3 VLAN 302

Ridge-Core-48# show running-config interface 1,45,46

Running configuration:

interface 1
name "FireboxX750e"
untagged vlan 1
exit

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

interface 46
untagged vlan 302
exit
Original Message:
Sent: Jul 11, 2022 07:21 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ridge-Core-48# show vlans ports 45,47 detail

Status and Counters - VLAN Information - for ports 45

Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Status and Counters - VLAN Information - for ports 47

Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Ridge-Core-48# show spanning-tree ethernet 45,47

Multiple Spanning Tree (MST) Information

STP Enabled : No

Ridge-Core-48# show running-config interface 45

Running configuration:

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

Ridge-Core-48# show running-config interface 47

Running configuration:

interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit

Ridge-Core-48# show vlan 5

Status and Counters - VLAN Information - VLAN 5

VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down, This is where the problem is looks like, not sure why its down.  Port 45 is up, but VLAN 5 is down.
47 Untagged Learn Up
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:

show vlan port ethernet 45,47 details

show spanning-tree interface ethernet 45,47

show running-config interface 45

show running-config interface 47

show vlan 5

with us? Thank you!

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Not sure how the aaa was there on port 45 though.
Original Message:
Sent: Jul 11, 2022 10:02 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Its working now.  I turned of AAA port authentication on port 45.
Now when I connect from port 47 to laptop, I get a VLAN network dhcp.

Later, I changed port 47 Tagged for VLANs 1,5, and the Netgear switch is also working.

Thanks for all the help
Original Message:
Sent: Jul 11, 2022 08:27 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

I don't see a way to check the status of aaa on the web gui, but if I run this command, it should turn it off for port 45 also.  Correct?
And hopefully that will give switch "access to VLAN 5"

no aaa port-access authenticator 45

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html
Original Message:
Sent: Jul 11, 2022 07:40 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ports 1,45,46 are the uplinks from the firewall, but I noticed that ONLY port 45 have the aaa port-access authenticator

port 1  = uplink from firewall interface 1 for VLAN 1
port 45  = uplink from firewall interface 5 for VLAN 5, this is the one with aaa port-access authenticator
port 46  = uplink from firewall interface for 3 VLAN 302

Ridge-Core-48# show running-config interface 1,45,46

Running configuration:

interface 1
name "FireboxX750e"
untagged vlan 1
exit

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

interface 46
untagged vlan 302
exit
Original Message:
Sent: Jul 11, 2022 07:21 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ridge-Core-48# show vlans ports 45,47 detail

Status and Counters - VLAN Information - for ports 45

Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Status and Counters - VLAN Information - for ports 47

Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Ridge-Core-48# show spanning-tree ethernet 45,47

Multiple Spanning Tree (MST) Information

STP Enabled : No

Ridge-Core-48# show running-config interface 45

Running configuration:

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

Ridge-Core-48# show running-config interface 47

Running configuration:

interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit

Ridge-Core-48# show vlan 5

Status and Counters - VLAN Information - VLAN 5

VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down, This is where the problem is looks like, not sure why its down.  Port 45 is up, but VLAN 5 is down.
47 Untagged Learn Up
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:

show vlan port ethernet 45,47 details

show spanning-tree interface ethernet 45,47

show running-config interface 45

show running-config interface 47

show vlan 5

with us? Thank you!

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Original Message:
Sent: 7/11/2022 10:09:00 AM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Not sure how the aaa was there on port 45 though.
Original Message:
Sent: Jul 11, 2022 10:02 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Its working now.  I turned of AAA port authentication on port 45.
Now when I connect from port 47 to laptop, I get a VLAN network dhcp.

Later, I changed port 47 Tagged for VLANs 1,5, and the Netgear switch is also working.

Thanks for all the help
Original Message:
Sent: Jul 11, 2022 08:27 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

I don't see a way to check the status of aaa on the web gui, but if I run this command, it should turn it off for port 45 also.  Correct?
And hopefully that will give switch "access to VLAN 5"

no aaa port-access authenticator 45

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html
Original Message:
Sent: Jul 11, 2022 07:40 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ports 1,45,46 are the uplinks from the firewall, but I noticed that ONLY port 45 have the aaa port-access authenticator

port 1  = uplink from firewall interface 1 for VLAN 1
port 45  = uplink from firewall interface 5 for VLAN 5, this is the one with aaa port-access authenticator
port 46  = uplink from firewall interface for 3 VLAN 302

Ridge-Core-48# show running-config interface 1,45,46

Running configuration:

interface 1
name "FireboxX750e"
untagged vlan 1
exit

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

interface 46
untagged vlan 302
exit
Original Message:
Sent: Jul 11, 2022 07:21 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ridge-Core-48# show vlans ports 45,47 detail

Status and Counters - VLAN Information - for ports 45

Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Status and Counters - VLAN Information - for ports 47

Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Ridge-Core-48# show spanning-tree ethernet 45,47

Multiple Spanning Tree (MST) Information

STP Enabled : No

Ridge-Core-48# show running-config interface 45

Running configuration:

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

Ridge-Core-48# show running-config interface 47

Running configuration:

interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit

Ridge-Core-48# show vlan 5

Status and Counters - VLAN Information - VLAN 5

VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down, This is where the problem is looks like, not sure why its down.  Port 45 is up, but VLAN 5 is down.
47 Untagged Learn Up
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:

show vlan port ethernet 45,47 details

show spanning-tree interface ethernet 45,47

show running-config interface 45

show running-config interface 47

show vlan 5

with us? Thank you!

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.

Ok thanks again for your help.  Like I said, I'm new to this company's IT department, and I didn't setup this network.
This was done by a 3rd party vendor.
Original Message:
Sent: Jul 11, 2022 10:50 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

AFAIK aaa aren't set in a default configuration so they were probably set manually on those ports.

Original Message:
Sent: 7/11/2022 10:09:00 AM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Not sure how the aaa was there on port 45 though.
Original Message:
Sent: Jul 11, 2022 10:02 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Its working now.  I turned of AAA port authentication on port 45.
Now when I connect from port 47 to laptop, I get a VLAN network dhcp.

Later, I changed port 47 Tagged for VLANs 1,5, and the Netgear switch is also working.

Thanks for all the help
Original Message:
Sent: Jul 11, 2022 08:27 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

I don't see a way to check the status of aaa on the web gui, but if I run this command, it should turn it off for port 45 also.  Correct?
And hopefully that will give switch "access to VLAN 5"

no aaa port-access authenticator 45

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html
Original Message:
Sent: Jul 11, 2022 07:40 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ports 1,45,46 are the uplinks from the firewall, but I noticed that ONLY port 45 have the aaa port-access authenticator

port 1  = uplink from firewall interface 1 for VLAN 1
port 45  = uplink from firewall interface 5 for VLAN 5, this is the one with aaa port-access authenticator
port 46  = uplink from firewall interface for 3 VLAN 302

Ridge-Core-48# show running-config interface 1,45,46

Running configuration:

interface 1
name "FireboxX750e"
untagged vlan 1
exit

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

interface 46
untagged vlan 302
exit
Original Message:
Sent: Jul 11, 2022 07:21 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ridge-Core-48# show vlans ports 45,47 detail

Status and Counters - VLAN Information - for ports 45

Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Status and Counters - VLAN Information - for ports 47

Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged

Ridge-Core-48# show spanning-tree ethernet 45,47

Multiple Spanning Tree (MST) Information

STP Enabled : No

Ridge-Core-48# show running-config interface 45

Running configuration:

interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit

Ridge-Core-48# show running-config interface 47

Running configuration:

interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit

Ridge-Core-48# show vlan 5

Status and Counters - VLAN Information - VLAN 5

VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down, This is where the problem is looks like, not sure why its down.  Port 45 is up, but VLAN 5 is down.
47 Untagged Learn Up
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:

show vlan port ethernet 45,47 details

show spanning-tree interface ethernet 45,47

show running-config interface 45

show running-config interface 47

show vlan 5

with us? Thank you!

Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs

Ok, that all make sense, and I agree, but Its not working for some reason.
.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.  
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.

On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Abuba switch.  Both ports are untagged (U)
port 45 is connected to inerface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'

So I'm not sure what I'm doing wrong.

Firewall --> laptop works, but not firewall -->  Aruba switch  --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"

Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).

"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall)."

I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLAN defined on your Aruba...

"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."

You are doing confusion...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.

Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).

Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs

So just to make sure, because I want to be clear.

VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)

VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct?  VLAN 302's default gateway is 10.0.0.5 (firewall).

VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.

And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs

Ok thank you it makes sense.  That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs

Hi,

"My question is, how does port 46 know to get the Wireless 10.0.3.1 network?  Because port 46 is on VLAN 302 which doesn't exist in the Firewall.

The interface 46 of the Aruba 2930F, being untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device include the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302 once set with 10.0.3.1 as its Default Gateway, will be able to communicate with the 10.0.3.1. 

I'm used to Netgear managed switches, so this is a bit confusing.  Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall should be on VLAN 302?"

No, not necessarily.

The point is that your are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is send as untagged, only internally on the Switch the packets are tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thank to the untagged nature of exchange packets.

Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exists on the Switch).

Try, as example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3, communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as Tagged member of VLAN 1005 and interface 46 as Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged and only if both ports are tagged member of the very same VLAN Id.

And to clarify...your network is not "flat" with no VLAN...on the contrary.