Instant On - Wired

  • 1.  DHCP on specific vlans being blocked

    Posted 04-11-2022 11:10 AM
    Hi,

    I am currently setting up a number of Aruba 1930 Instant On switches, both 8- and 24-port devices.  The switches are locally managed and running software version 2.5.0.

    We have not set up IP routing on the 1930.

    Each switch is set up with 5 VLANs (we have other VLANs but they are not yet operational):
    VLAN 1 is operational but will be phased out over time - 192.168.0.0/24 - DHCP direct from Windows Server
    VLAN 10 is / will be the Server VLAN - 10.40.10.0/24
    VLAN 15 is the management VLAN - 10.40.15.0/24 - DHCP from the Firewall
    VLAN 20 is / will be the Data VLAN - 10.40.20.0/24
    VLAN 30 is / will be the VoIP VLAN - 10.40.30.0/24 - DHCP relayed by the Firewall to a Windows Server (same DHCP server as used by VLAN 1 but a different scope)

    Interface 1 - Untagged VLAN 1
    Interface 7 - Untagged VLAN 30
    Interface 8 - Uplink untagged VLAN 1, tagged VLANs 15, 20, 30

    The switches are currently set to obtain an IP address from the Firewall. The switches are getting 10.40.15.x addresses and are manageable.

    When we plug a PC into interface 1 (untagged VLAN 1) it obtains an IP address - obtained directly from a Windows server also on VLAN 1.
    When we plug a PC into interface 7 (untagged VLAN 30) we do not get an IP address.  Using port mirroring and Wireshark we can see the DHCP discover packets on interface 7 but the packets aren't seen on interface 8 (uplink port).

    We have:

    1) Disabled 802.1X Authentication Mode at the global level
    2) Confirmed all port security is Disabled for ALL ports
    3) Enabled DHCP Snooping for ALL VLANs
    4) In DHCP snooping - Enabled Verify MAC Address 
    5) In DHCP Snooping - Marked Interfaces 1-7 as untrusted and interface 8 (uplink) as Trusted - DHCP
    6) Checked the MAC Address table - we can see the MAC address for the PC on Interface 1 but nothing reported for interface 7
    7) Logs for the switch do not display any warning or errors.
    8) Plugged the PC into the upstream switch (non-Aruba switch) on an interface marked as untagged VLAN 30 and it obtains an IP address
    9) Confirmed the tagging of the uplink interface on the upstream switch and it is set for untagged 1 and tagged 15 and 30.
    10) Restarted the Aruba switches



    So, why can we get an IP address for VLAN 1 and 15 but not VLAN 30?  We assume the DHCP discover packet is being dropped at interface 7 as we can't see it passing through interface 8.  Is this a safe assumption, and if so, why would it drop the DHCP packets?

    ------------------------------
    Stephen Little
    ------------------------------


  • 2.  RE: DHCP on specific vlans being blocked

    Posted 04-17-2022 12:07 AM
    I tracked down the issue.  While I had set the VLANs as untagged, the PVID value hadn't changed.  Therefore I had untagged VLAN 30 but PVID still set to 1.  After changing the PVID to 30, the DHCP worked.

    ------------------------------
    Stephen Little
    ------------------------------
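
The PVID mismatch from the reply above, modelled as an added example that is not part of the original posts or of any Aruba tooling. It assumes standard 802.1Q ingress filtering (an untagged frame is classified into the port's PVID and dropped if the port is not a member of that VLAN) and that interface 7 is a member of VLAN 30 only; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent untagged on egress
    tagged: set = field(default_factory=set)    # VLANs sent tagged on egress

    def member_of(self, vlan):
        return vlan in self.untagged or vlan in self.tagged

def classify_ingress(port, tag=None):
    """VLAN a received frame lands in, or None if ingress filtering drops it."""
    vlan = port.pvid if tag is None else tag
    return vlan if port.member_of(vlan) else None

def flood(ports, ingress, tag=None):
    """Map of egress port -> tag form for a broadcast such as a DHCP discover."""
    vlan = classify_ingress(ingress, tag)
    if vlan is None:
        return {}
    return {p.name: "tagged" if vlan in p.tagged else "untagged"
            for p in ports if p is not ingress and p.member_of(vlan)}

def pvid_mismatches(ports):
    """Access-style ports whose PVID is not one of their untagged VLANs."""
    return [p.name for p in ports if p.untagged and p.pvid not in p.untagged]

def thread_ports(pvid_if7):
    """Port layout from the first post; only interface 7's PVID varies."""
    return [
        Port("if1", pvid=1, untagged={1}),
        Port("if7", pvid=pvid_if7, untagged={30}),
        Port("if8", pvid=1, untagged={1}, tagged={15, 20, 30}),
    ]

if __name__ == "__main__":
    for pvid in (1, 30):
        ports = thread_ports(pvid)
        print(f"if7 PVID {pvid}: discover floods to {flood(ports, ports[1])}, "
              f"mismatches {pvid_mismatches(ports)}")
```

With PVID 1 the discover never leaves interface 7, which matches the empty MAC table entry and the missing packets on the uplink; with PVID 30 it egresses the uplink tagged for VLAN 30.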