Wired

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

Out of curiosity, what is the output of the:

show vlans ports ethernet <interface-id> detail

CLI command to show the port's VLAN membership?

The <interface-id> is the Port Id used to connect the Aruba/HP 2920 to that particular peer.

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

Out of curiosity, what is the output of the:

show vlans ports ethernet <interface-id> detail

CLI command to show the port's VLAN membership?

The <interface-id> is the Port Id used to connect the Aruba/HP 2920 to that particular peer.

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

I think without having access to a network diagram, the packet capture, switch configuration, and description what the MAC and IP addresses in the capture are, it will be hard to assist. Do you have access to your Aruba Partner or Aruba Support? It would make a lot of sense to have a (remote) session on your equipment as it probably is just a configuration thing.
Regarding VLAN1 tagged, I'm not sure if that is supported, because vlan 1 is a special VLAN and I don't think some equipment considers VLAN 1 as the native/untagged VLAN. I would recommend to avoid VLAN 1 when possible because of this.

Out of curiosity, what is the output of the:

show vlans ports ethernet <interface-id> detail

CLI command to show the port's VLAN membership?

The <interface-id> is the Port Id used to connect the Aruba/HP 2920 to that particular peer.

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

We don t have access to Aruba support program.
please, find the attached screenshot. that might help.
My question is if Aruba OS is adding the vlan id 10 to L2 header for every packet leaving port 1 towards the firewall, while the porte 1 VID is 10, why not doing the same thing when I send icmp request and from a switch that is on vlan 1 but instead the tag says it come from vlan 10 ?

I think without having access to a network diagram, the packet capture, switch configuration, and description what the MAC and IP addresses in the capture are, it will be hard to assist. Do you have access to your Aruba Partner or Aruba Support? It would make a lot of sense to have a (remote) session on your equipment as it probably is just a configuration thing.
Regarding VLAN1 tagged, I'm not sure if that is supported, because vlan 1 is a special VLAN and I don't think some equipment considers VLAN 1 as the native/untagged VLAN. I would recommend to avoid VLAN 1 when possible because of this.

Out of curiosity, what is the output of the:

show vlans ports ethernet <interface-id> detail

CLI command to show the port's VLAN membership?

The <interface-id> is the Port Id used to connect the Aruba/HP 2920 to that particular peer.

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

No, looking at your port 1 VLAN's membership (one screenshot you posted) we note that:

(a) Port 1 is untagged member of VLAN 10 and it means that Port 1 has PVID = 10; VLAN id 10 tag will be stripped out from packets' header for packets leaving the port going outside the Switch and the port will accept any incoming packets without a VLAN tag.

(b) Port 1 is tagged member of VLAN 1 and it means it will accept incoming packets with tag VLAN id 1 and it will send outgoing packets with the very same tag.

Port 1 is thus acting/operating - at least judging from the posted VLAN id membership - as a "trunk port" (in the Cisco jargon) and not as a typical "access port", this because it is capable to transport more than one VLAN id (1 and 10).

We don t have access to Aruba support program.
please, find the attached screenshot. that might help.
My question is if Aruba OS is adding the vlan id 10 to L2 header for every packet leaving port 1 towards the firewall, while the porte 1 VID is 10, why not doing the same thing when I send icmp request and from a switch that is on vlan 1 but instead the tag says it come from vlan 10 ?

I think without having access to a network diagram, the packet capture, switch configuration, and description what the MAC and IP addresses in the capture are, it will be hard to assist. Do you have access to your Aruba Partner or Aruba Support? It would make a lot of sense to have a (remote) session on your equipment as it probably is just a configuration thing.
Regarding VLAN1 tagged, I'm not sure if that is supported, because vlan 1 is a special VLAN and I don't think some equipment considers VLAN 1 as the native/untagged VLAN. I would recommend to avoid VLAN 1 when possible because of this.

Out of curiosity, what is the output of the:

show vlans ports ethernet <interface-id> detail

CLI command to show the port's VLAN membership?

The <interface-id> is the Port Id used to connect the Aruba/HP 2920 to that particular peer.

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help 

If you route traffic, it is by basic networking design that the VLAN changes because VLANs hold a L2 domain, and with routing your cross a VLAN. If the subnet between the switch and firewall is vlan 10, that is what routed traffic will follow.
If you need to keep the VLAN between switch and firewall (with another appliance in between), then put the L3 routing interface on your firewall and remove it from your switch.

Hello,

The architecture is that the 2920 is connected to a firewall and a default route says all the traffic not destined for our internal vlans,  must be routed to the firewall. with the IP address of the interface of the firewall connected to the 2920. My issue is that iboss appliance is standing in between and I don t know why the switch is modifying the 801.2 vlan ID to the one its interface is untagged on, vlan 10. Indeed, we need to keep the tag of the vlan the packet comes from, so iboss can apply the configured policies based on the vlan ID.
Moreover, this switch port is tagged for another vlan but still put still put the vlan 10 id instead of the latter.
Thanks for your help