HP Aruba switch configuration for VLANs

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › HP Aruba switch configuration for VLANs

Ge0rge

2052 posts

Uber Geek

Trusted

Lifetime subscriber

#319129 25-Mar-2025 12:02

I'm starting to think that there is an id-ten-t error present on my home network...

My current home network has everything all on the one subnet - IoT, cameras, trusted devices, the lot. I'd like to do something about this, even if more out of curiosity than anything else.

I have a Mikrotik RB4011 in my shed that does all my routing, DHCP etc. That is connected to an Aruba 2930f via Cat6, in the house. From there to an Aruba 315-AP.

The Mikrotik has a VLan created on it, second DHCP and address list etc - I'm pretty comfortable that I've got it sorted (except the firewall, currently all blocked while I sort the inside out, that can come later). The 315 has a wireless network created that should be tagging traffic with VLan40 - If I connect the AP directly to the Mikrotik, the AP gets its IP address on the untagged subnet, and wireless devices that connect to the VLan SSID get an IP on the VLan subnet from the Mikrotik. Devices that connect to the original SSID get a non-VLan IP address. Happy.

Things start to fall apart when I include the Aruba Switch into the mix. For the life of me, I can't work out how to pass both tagged and untagged data through it. All the guides I can find seem to be slightly different from what I'm doing, although I can't understand why my configuration isn't common.

I have created a VLan on the switch, that was easy enough. Port 2 has the AP connected to it, port 10 is the link to the Mikrotik. I have read enough to know I don't think I need to use "trunking" as HP call it, because there is only one cat6 going back to the Mikrotik, but I do know that port 2 needs to be able to pass both tagged and untagged through to port 10, which needs to be able to pass both through to the Mikrotik.

What is the correct combination of tagged/untagged selections on port 2 and 10? The default VLan1 is selected as "untagged" on all ports, I get that. Reading through my post, I'm now wondering if it is then as simple as selecting VLan40, and tagging both port 2 and 10? I thought I had done that last night, when I was mucking around, but now I'm not so sure.

nitro

656 posts

Ultimate Geek

#3357211 25-Mar-2025 12:53

I have created a VLan on the switch, that was easy enough. Port 2 has the AP connected to it, port 10 is the link to the Mikrotik. I have read enough to know I don't think I need to use "trunking" as HP call it, because there is only one cat6 going back to the Mikrotik, but I do know that port 2 needs to be able to pass both tagged and untagged through to port 10, which needs to be able to pass both through to the Mikrotik.

What is the correct combination of tagged/untagged selections on port 2 and 10? The default VLan1 is selected as "untagged" on all ports, I get that. Reading through my post, I'm now wondering if it is then as simple as selecting VLan40, and tagging both port 2 and 10? I thought I had done that last night, when I was mucking around, but now I'm not so sure.

well, read some more. 😁 jk

for starters, "trunking" is not "as HP call it". to get network ports to pass both tagged and untagged traffic, one has to set them up as trunk ports. define the trunk vlan range as all of the vlan IDs you want to pass through those ports, plus a "native vlan" (in your case vlan 1 might be the easiest) to use for all untagged traffic going into those ports - the native vlan is popped on egress so the packets going back to the device connected are untagged again.

so Aruba ports 2 and 10, as well as the Mikrotik port connected to Aruba port 10 should all be Trunk ports with the trunk vlan range and native vlan defined.

Ge0rge

2052 posts

Uber Geek

Trusted

Lifetime subscriber

#3357259 25-Mar-2025 13:21

The reason I said "as HP call it", was because I have found plenty of places saying things along the lines of:

"Some vendors mean different things when they use the term 'trunk'. Some vendors use 'trunk' to mean a port carrying multiple VLANs. Other vendors use 'trunk' to mean a LAG/port bundle/port-channel/etc (bundling multple ports together). HP actually uses it both ways unfortunately, depending on the platform/model of switch."

Based on the manual for my switch OS, I feel like trunking is not what I am after:

"Port trunking allows you to assign physical links to one logical link (trunk)
that functions as a single, higher-speed link providing dramatically increased
bandwidth. This capability applies to connections between backbone devices
as well as to connections in other network areas where traffic bottlenecks
exist."

Have I interpreted HP's definition wrong?

muppet

2566 posts

Uber Geek

Trusted

#3357261 25-Mar-2025 13:31

You need to get out of the mindset of only having one VLAN :)

You'll have two now, whatever you give/call your current native "untagged" one, and whatever you call you new tagged one (VLAN 40)

You want a command like so:

switch(config)# interface 1/1/1

switch(config-if)# vlan trunk native 10

So ASSUMING the following:

You current VLAN is VLAN10

You new VLAN is VLAN40

That command above will mean that any frames sent/received untagged (no dot1q tag on it) will end up VLAN10. Hopefully that's your current been-using-it-for-years VLAN. And it will support tagged frames coming in, so stuff tagged with VLAN40 will end up in VLAN40.

The command "vlan trunk native 10" means "Allow any tagged traffic on this port, any packets that arrived untagged go into vlan 10 (And I'll send any packets in VLAN10 out this port untagged)

nitro

656 posts

Ultimate Geek

#3357296 25-Mar-2025 15:12

Ge0rge:

The reason I said "as HP call it", was because I have found plenty of places saying things along the lines of:

"Some vendors mean different things when they use the term 'trunk'. Some vendors use 'trunk' to mean a port carrying multiple VLANs. Other vendors use 'trunk' to mean a LAG/port bundle/port-channel/etc (bundling multple ports together). HP actually uses it both ways unfortunately, depending on the platform/model of switch."

Based on the manual for my switch OS, I feel like trunking is not what I am after:

"Port trunking allows you to assign physical links to one logical link (trunk)
that functions as a single, higher-speed link providing dramatically increased
bandwidth. This capability applies to connections between backbone devices
as well as to connections in other network areas where traffic bottlenecks
exist."

Have I interpreted HP's definition wrong?

apologies. i see where your confusion stems from. i have, a long time ago, realised it is far easier for my audience - student interns, new employees, etc., to call what you refer to as LAG ports, bundle interface, etc. and reserve 'trunk' for use in the vlan context.

for instance, LAG ports can either be (VLAN) trunk ports or (VLAN) access ports.

for your use case, i.e. the VLAN concept, i don't know any other term that can be used for 'trunk ports'.

Access ports only deal with a single VLAN, typically assigning this VLAN to all untagged traffic on ingress. They normally aren't used (do not accept) with tagged packets, but i've seen devices that accept tagged packets if they match the defined access vlan.

Trunk ports are used when multiple VLANs are expected on the port. There is the option to also accept untagged packets, which it will (internally) assign the defined native vlan to.

hope the following helps:

Ge0rge

2052 posts

Uber Geek

Trusted

Lifetime subscriber

#3357345 25-Mar-2025 19:49

Thanks for the input from all who contributed, I appreciate your time.

The solution was actually as simple as I thought this afternoon, but wasn't at home to be able to try it.

On the Aruba switch, go to VLan Mgmt, select VLan40, and tag it on port 2 and port 10. Presto, its that simple. Now, when I connect to the AP via the VLan SSID, I get a VLan IP address from the Mikrotik. Connect to the existing SSID that isn't tagged, I get an existing IP. Perfect.

There is obviously a lot more to do to be able to create segregation etc, more to create - but I can get back to Mikrotik from the AP, so that's definitely progress!