Aruba & ProVision-based

Tagged, Untagged, and Forbidden? When is forbidden used?




I'm having some trouble finding the answer to this. When is it appropriate to make a port forbidden on a VLAN? I understand that setting a port as forbidden on a VLAN will make it so that port cannot be a member of that VLAN, but isn't that also the case if it's not specifically marked as untagged on that VLAN? Does that make sense?

I have an Aruba 2530 and would like port 2 to be a member of VLAN 50, all of the rest of the ports to be on the native VLAN. Do I have to set port 2 as untagged for VLAN 50, and set all of the other ports on the switch as forbidden on VLAN 50? Or do I just leave the rest of the ports alone? What is best practice?



Re: Tagged, Untagged, and Forbidden? When is forbidden used?


The option "forbid" is only useful if GVRP is enabled on the switch. Some info about GVRP from the manual:

GVRP (GARP VLAN Registration Protocol) is an application of GARP (Generic Attribute Registration Protocol). It enables a switch to dynamically create 802.1Q-compliant VLANs on links with other devices running GVRP and automatically create VLAN links between GVRP-aware devices. (A GVRP link can include intermediate devices that are not GVRP-aware.) This operation reduces the chance for errors in VLAN configurations by automatically providing VID (VLAN ID) consistency across the network.

You can find more about GVRP here. The forbid option is also explained here.

So when GVRP is enabled, the switch port can dynamically create a VLAN membership on the port (or dynamically learn the VLAN on this port) if this VLAN is advertised by a GVRP-aware switch connected to this port. The forbid option is used to restrict the GVRP VLAN learning, so the port cannot be a member of this VLAN even if GVRP is enabled and the GVRP peer switch advertises this VLAN.

GVRP is disabled by default; you can check the status with show gvrp. If GVRP is disabled, then you don't need to make any port forbidden on any VLAN. Just make port 2 an untagged member of VLAN 50 and leave the rest untagged in VLAN 1.

Just want to add a small clarification about the following statement: you said a port cannot be a member of a VLAN if it is not specifically marked as untagged on that VLAN. This is not entirely true. If a port is tagged on that VLAN it is also a member. You use the untagged option when you connect end devices or other switches which support only a single VLAN. You use the tagged option when you need to make a port a member of more than one VLAN. The typical use case is when a port connects to another switch and you want to transport all the VLANs supported on these switches via the same port. When you use the tagged option it is important to make sure that VLAN tagging on both sides is matching. A port can have only one untagged membership and multiple tagged memberships. It must have at least one VLAN membership, either tagged or untagged.

I am an HPE employee

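The membership rules in the answer above (one untagged VLAN per port, any number of tagged VLANs, at least one membership, and forbid only mattering once GVRP is enabled) can be checked mechanically against a ProVision-style config. The script below is an added example, not HPE code and not a tool from the thread: it parses a small constructed subset of the `vlan <id>` block syntax (`untagged`, `tagged`, `forbid` with port lists like `1,3-5`), builds a per-port membership table for an assumed 8-port switch, and models what a GVRP advertisement from a peer would add to a port with GVRP on versus off. The switch behaviour it models (a new untagged assignment replaces the old one; a forbidden VLAN is never learned) is taken from the answer; the config text and advertised VLAN sets are constructed samples.

```python
"""Added example: model of ProVision-style VLAN port membership and GVRP learning.

Not HPE/Aruba code. The config syntax subset, the 8-port switch size and the
sample GVRP advertisements are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PORT_COUNT = 8  # assumption: a small 8-port switch, not the questioner's 2530


@dataclass
class PortVlans:
    untagged: Optional[int] = None                 # at most one untagged VLAN
    tagged: Set[int] = field(default_factory=set)  # any number of tagged VLANs
    forbidden: Set[int] = field(default_factory=set)

    def is_member(self, vlan: int) -> bool:
        return self.untagged == vlan or vlan in self.tagged


# Constructed sample config: port 2 untagged in VLAN 50, everything else in
# VLAN 1, one tagged uplink port and one forbid entry to exercise GVRP logic.
SAMPLE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-8
   exit
vlan 50
   name "SERVERS"
   untagged 2
   exit
vlan 60
   name "GUEST"
   tagged 8
   forbid 3
   exit
"""


def parse_ports(spec: str) -> List[int]:
    """Expand a ProVision port list such as '1,3-5' into [1, 3, 4, 5]."""
    ports: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            ports.extend(range(int(lo), int(hi) + 1))
        elif part:
            ports.append(int(part))
    return ports


def parse_config(text: str, port_count: int = PORT_COUNT) -> Dict[int, PortVlans]:
    """Build a per-port membership table from 'vlan N ... exit' blocks."""
    table = {p: PortVlans() for p in range(1, port_count + 1)}
    vlan: Optional[int] = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "vlan":
            vlan = int(words[1])
        elif words[0] == "exit":
            vlan = None
        elif vlan is not None and words[0] in ("untagged", "tagged", "forbid"):
            for p in parse_ports(" ".join(words[1:])):
                pv = table[p]
                if words[0] == "untagged":
                    pv.untagged = vlan          # replaces the previous untagged VLAN
                    pv.tagged.discard(vlan)
                    pv.forbidden.discard(vlan)
                elif words[0] == "tagged":
                    pv.tagged.add(vlan)
                    pv.forbidden.discard(vlan)
                else:                           # forbid: remove any membership
                    pv.forbidden.add(vlan)
                    pv.tagged.discard(vlan)
                    if pv.untagged == vlan:
                        pv.untagged = None
    return table


def vlan_members(table: Dict[int, PortVlans], vlan: int) -> Tuple[List[int], List[int]]:
    """Return (untagged ports, tagged ports) of a VLAN, like 'show vlans <id>'."""
    untagged = sorted(p for p, pv in table.items() if pv.untagged == vlan)
    tagged = sorted(p for p, pv in table.items() if vlan in pv.tagged)
    return untagged, tagged


def unassigned_ports(table: Dict[int, PortVlans]) -> List[int]:
    """Ports that violate 'at least one membership, tagged or untagged'."""
    return sorted(p for p, pv in table.items() if pv.untagged is None and not pv.tagged)


def gvrp_learn(table: Dict[int, PortVlans], port: int, advertised: Set[int],
               gvrp_enabled: bool) -> Set[int]:
    """VLANs a port would dynamically join when a GVRP peer advertises them.

    With GVRP off nothing is learned, so forbid has no effect; with GVRP on,
    forbidden VLANs are never learned and static memberships need no learning.
    """
    if not gvrp_enabled:
        return set()
    pv = table[port]
    return {v for v in advertised if v not in pv.forbidden and not pv.is_member(v)}


if __name__ == "__main__":
    t = parse_config(SAMPLE_CONFIG)
    for v in (1, 50, 60):
        print(f"VLAN {v}: untagged={vlan_members(t, v)[0]} tagged={vlan_members(t, v)[1]}")
    print("unassigned ports:", unassigned_ports(t))
    print("port 3 learns (GVRP off):", gvrp_learn(t, 3, {50, 60}, False))
    print("port 3 learns (GVRP on): ", gvrp_learn(t, 3, {50, 60}, True))
```

Running it shows port 2 leaving VLAN 1 when it is made untagged in VLAN 50 (so the remaining ports need no forbid entry), and port 3 learning VLAN 50 but never VLAN 60 from a GVRP peer only after GVRP is switched on.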


Re: Tagged, Untagged, and Forbidden? When is forbidden used?

Emil_G, excellent explanation. Thank you very much for the help. This was very helpful.