Ridge-Core-48# show vlans ports 45,47 detail
Status and Counters - VLAN Information - for ports 45
Port name: FireBox M270 PRT 5
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged
Status and Counters - VLAN Information - for ports 47
Port name: Test Uplink
VLAN ID Name | Status Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
5 CMM | Port-based No No Untagged
Ridge-Core-48# show spanning-tree ethernet 45,47
Multiple Spanning Tree (MST) Information
STP Enabled : No
Ridge-Core-48# show running-config interface 45
Running configuration:
interface 45
name "FireBox M270 PRT 5"
untagged vlan 5
aaa port-access authenticator
exit
Ridge-Core-48# show running-config interface 47
Running configuration:
interface 47
name "Test Uplink"
untagged vlan 5
port-security learn-mode static address-limit 3 mac-address 3498b5-a783dd
exit
Ridge-Core-48# show vlan 5
Status and Counters - VLAN Information - VLAN 5
VLAN ID : 5
Name : CMM
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none
Port Information Mode Unknown VLAN Status
---------------- -------- ------------ ----------
45 Untagged Learn Down
47 Untagged Learn Up
This looks like where the problem is, not sure why it's down. Port 45 is up, but VLAN 5 is down.
Original Message:
Sent: Jul 09, 2022 04:51 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs
Hi, would you be so kind to share the whole outputs of those CLI commands executed on your Aruba 2930F:
show vlan port ethernet 45,47 details
show spanning-tree interface ethernet 45,47
show running-config interface 45
show running-config interface 47
show vlan 5
with us? Thank you!
Original Message:
Sent: 7/8/2022 3:33:00 PM
From: t.antony
Subject: RE: Aruba 2390f VLANs
Ok, that all makes sense, and I agree, but it's not working for some reason.
On my WatchGuard, I have on interface 5, 10.0.5.1/24 network running dhcp.
If I connect a cable from firewall interface 5 to a laptop, I get a dhcp address, so that's good.
On the Aruba 2930F switch, these are the settings.
I created a VLAN 5
I have VLAN 5 members on ports 45 and 47 of the Aruba switch. Both ports are untagged (U)
port 45 is connected to interface 5 on firewall (uplink for 10.0.5.1 network)
port 47 is connected to a laptop, but the laptop doesn't get a dhcp, and says 'Unidentified network'
So I'm not sure what I'm doing wrong.
Firewall --> laptop works, but not firewall --> Aruba switch --> laptop
Original Message:
Sent: Jul 08, 2022 11:36 AM
From: Davide Poletto
Subject: Aruba 2390f VLANs
Hi,
"VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)"
Yes, it just means that port 3 facing port 46 and port 46 facing port 3 are both exchanging traffic Untagged (without Tag) so both ports accept incoming and send outgoing packets without any Tag. Internally, the Switch tags the packets it receives on each one of its ports (thus, internally, untagged packets received on port 46 from the uplinked Firewall are tagged with VLAN id 302 even if externally they are sent without any tag from that very port).
"VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct? VLAN 302's default gateway is 10.0.0.5 (firewall)."
I don't understand this sentence. You decided that VLAN id 302 is (one of the various) VLANs defined on your Aruba...
"VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1."
You are getting confused...VLAN 302 doesn't receive any IP Address (Layer 3)...since it is just a Layer 2 item...so, if IP routing is going to happen on the Firewall's port 3 then the link between port 3 and port 46 is just transporting (extending) a Layer 2 domain between the entire Aruba switch and the Firewall's port 3...and the VLAN extended is exactly the one you decided to transport which is the untagged one.
Consider this scenario: if port 3 is going to be only Tagged VLAN id 1000 and port 46 is going to match exactly that (being a tagged member of only VLAN id 1000 on the Aruba) then the VLAN id you're extending is exactly (and only) the VLAN 1000...if the Switch has an IP assigned on that VLAN id then - in absence of IP Routing enabled on the Switch itself - its Default Gateway should point to whatever IP Address is assigned on the Firewall's port 3 (port 3 has a foot on the Switch VLAN 1000 so, it's clear, the VLAN 1000 IP address of the Switch should be on the same subnet where the Port 3's IP address is placed).
Original Message:
Sent: Jul 05, 2022 02:42 PM
From: Tony Antony
Subject: Aruba 2390f VLANs
So just to make sure, because I want to be clear.
VLAN 302 on the switch, which is connected to the interface on the firewall, and both sides of the up-link are untagged (U) (on the firewall port 3, and port 46 on the Aruba switch)
VLAN 302 is just randomly selected VLAN number between 1 - 4094 correct? VLAN 302's default gateway is 10.0.0.5 (firewall).
VLAN 302 asks its default gateway (10.0.0.5, firewall IP) what to do, and firewall returns since its connected to port 3 (10.0.3.1 untagged) on the firewall, and since its an untagged member of VLAN 302 on switch port 46, assign VLAN 302 10.0.3.1.
And this is how VLAN 302 = 10.0.3.1, Am I correct?
Original Message:
Sent: Jul 05, 2022 08:22 AM
From: Tony Antony
Subject: Aruba 2390f VLANs
Ok thank you it makes sense. That's what I thought but just wanted to confirm since I didn't setup this network, and there's no documentation.
Original Message:
Sent: Jul 01, 2022 07:25 PM
From: Davide Poletto
Subject: Aruba 2390f VLANs
Hi,
"My question is, how does port 46 know to get the Wireless 10.0.3.1 network? Because port 46 is on VLAN 302 which doesn't exist in the Firewall."
The interface 46 of the Aruba 2930F, being an untagged member of VLAN id 302, accepts untagged traffic...and it is connected to a Layer 3 interface (routed interface) on the WatchGuard M270 firewall (the firewall is acting as a Router on its interface 3 with IP Address equal to 10.0.3.1)...the Aruba 2930F's interface 46 is just the medium through which you are creating a Layer 2 extension of that SVI...and, indeed, any edge device (including the Switch itself on that VLAN id) connected to an access port untagged on VLAN 302, once set with 10.0.3.1 as its Default Gateway, will be able to communicate with 10.0.3.1.
"I'm used to Netgear managed switches, so this is a bit confusing. Because if the port is (U) untagged with a VLAN number (302), shouldn't the port on the uplink Firewall be on VLAN 302?"
No, not necessarily.
The point is that you are dealing with Interfaces (on both ends, Aruba 2930F switch and WatchGuard M270 firewall) that are untagged members of their internal respective VLAN (for sure the interface ethernet 46 of the Aruba 2930F switch is an untagged member of its internal VLAN 302): the fact that an interface is untagged on a particular VLAN Id means that the incoming traffic is accepted when it is untagged and the outgoing traffic is sent as untagged; only internally on the Switch are the packets tagged with that native VLAN Id 302. The same applies on the Firewall side. There is for sure a mismatch between the Switch and the Firewall's peer ports...but the traffic flows thanks to the untagged nature of the exchanged packets.
Very different would be the story IF you assign the WatchGuard M270 Interface 3 a particular VLAN Id (tagged)...at that point the corresponding uplink interface 46 on the Aruba 2930F...must be configured as a tagged member of the very same VLAN Id (and thus that Firewall's VLAN Id should also exist on the Switch).
Try, as an example, to tag with VLAN 1005 the Firewall interface 1 and with VLAN 1003 the Firewall interface 3: communication with the Aruba 2930F will stop immediately until you create VLAN 1005 and 1003 and assign Aruba 2930F interface 1 as a Tagged member of VLAN 1005 and interface 46 as a Tagged member of VLAN 1003...that way the traffic between each pair of ports will pass tagged, and only if both ports are tagged members of the very same VLAN Id.
And to clarify...your network is not "flat" with no VLAN...on the contrary.
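As an added illustration of the untagged/tagged membership rules Davide describes (example code written for this page, not from the thread, from ArubaOS or from WatchGuard), a small Python model of how a port classifies an incoming frame and tags an outgoing one; the firewall interface, the switch uplink and the laptop access port are all modelled as the same kind of port, and the VLAN ids used in the scenarios (3 for the firewall's internal VLAN, 302 and 1003 for the switch) are assumed. It covers VLAN membership only, not link state, spanning tree or port authentication.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Union

DROP = "drop"  # returned by egress() when the port is not a member of that VLAN


@dataclass
class Port:
    """One port: at most one untagged (native) VLAN plus any number of tagged VLANs."""
    name: str
    untagged: Optional[int] = None
    tagged: Set[int] = field(default_factory=set)

    def ingress(self, wire_vid: Optional[int]) -> Optional[int]:
        """Classify a received frame. wire_vid=None means the frame arrived untagged.
        Returns the internal VLAN id the device assigns, or None if the frame is dropped."""
        if wire_vid is None:
            return self.untagged          # untagged frame -> native VLAN (None = no native VLAN)
        return wire_vid if wire_vid in self.tagged else None

    def egress(self, vid: int) -> Union[int, None, str]:
        """Return the tag the frame carries on the wire when sent from this port:
        None for untagged, the VLAN id for tagged, or DROP if not a member."""
        if vid == self.untagged:
            return None
        if vid in self.tagged:
            return vid
        return DROP


def link_works(fw_port: Port, fw_vid: int, sw_uplink: Port, sw_access: Port) -> bool:
    """Firewall sends a frame from its internal VLAN fw_vid out of fw_port; the switch
    receives it on sw_uplink and must deliver it untagged to the laptop on sw_access."""
    on_wire = fw_port.egress(fw_vid)
    if on_wire == DROP:
        return False
    sw_vid = sw_uplink.ingress(on_wire)   # switch re-tags internally (e.g. 302)
    if sw_vid is None:
        return False                      # tagged frame for a VLAN the uplink is not a member of
    return sw_access.egress(sw_vid) is None  # laptop port must strip the tag


if __name__ == "__main__":
    # Constructed scenarios: firewall VLAN id 3 vs switch VLAN id 302, both untagged.
    print(link_works(Port("fw3", untagged=3), 3, Port("46", untagged=302), Port("1", untagged=302)))
    # Firewall now tags 1003 but the switch uplink is still untagged 302: traffic stops.
    print(link_works(Port("fw3", tagged={1003}), 1003, Port("46", untagged=302), Port("1", untagged=302)))
    # Switch uplink made a tagged member of 1003 and the access port untagged 1003: works again.
    print(link_works(Port("fw3", tagged={1003}), 1003, Port("46", tagged={1003}), Port("1", untagged=1003)))
```

The first scenario is the one Davide explains (mismatched internal VLAN ids do not matter while both sides are untagged); the second and third reproduce his VLAN 1003 example.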