Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Bridge mode SSID, Campus AP and Control Plane Security

  • 1.  Bridge mode SSID, Campus AP and Control Plane Security

    Posted Oct 27, 2017 03:13 AM

    Hello,

    I need a Bridge SSID, campus AP, and Control Plane Security disabled...

    Is it possible? If not, what's the best practice for a Bridge SSID with CPS disabled?



  • 2.  RE: Bridge mode SSID, Campus AP and Control Plane Security

    Posted Oct 27, 2017 04:45 AM

    bridge ssid, campus, control-plane security - pick any two of three... no, it's not possible.

    You can use remote access point (rap) mode instead perhaps, but mostly people will suggest that if you're thinking of using bridge you should be using IAP or perhaps split tunnel.

    Can you share more details about your use case that leads you to bridge mode?



  • 3.  RE: Bridge mode SSID, Campus AP and Control Plane Security

    Posted Oct 27, 2017 07:26 AM

    I am using MPLS lines between my branch offices. I want to use their local vlans for clients.

    In addition to that, when the controller shuts down, the AP should work without the controller. Operation should not stop.



  • 4.  RE: Bridge mode SSID, Campus AP and Control Plane Security

    Posted Oct 29, 2017 03:25 AM

    @Ilkay wrote:

    I am using MPLS lines between my branch offices. I want to use their local vlans for clients.

    In addition to that, when the controller shuts down, the AP should work without the controller. Operation should not stop.


    then probably the best choice for your use case would be RAP with persistent bridge mode (presuming that you don't want to use instant).

    Bridge mode has some caveats and limitations though, so do read up in the user guide about the things which you lose if you use bridge mode, in the section "Understanding Mode Support". RAPs of course use ipsec so all this worry about CPSEC is not relevant.

    Finally, bridge mode does not receive much love these days due to instant and the rather expensive notion of putting branch controllers at every branch site, but if you want to do local offload of traffic and you don't need source nat on the AP, then bridge can do the trick (source nat works but roaming gets ugly, avoid it).



  • 5.  RE: Bridge mode SSID, Campus AP and Control Plane Security

    EMPLOYEE
    Posted Oct 27, 2017 10:01 AM
    CPsec should ALWAYS be enabled.


  • 6.  RE: Bridge mode SSID, Campus AP and Control Plane Security

    Posted Oct 27, 2017 12:14 PM

    cpsec always ??? no, not really. balance the complexity/implications against switching to rap, rap will often win.



  • 7.  RE: Bridge mode SSID, Campus AP and Control Plane Security

    EMPLOYEE
    Posted Oct 28, 2017 06:34 PM

    Without CPSEC your AP control traffic can be monitored and possibly manipulated.  Users can also add any access points they want to your system.  You can keep CPSEC off and open the possibility that this can happen at your own risk.

     

    Please see more in the ArubaOS hardening guide here:  http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/37095/2/ArubaOS_Hardening_Guide_10302015.pdf and the control plane security best practices guide here:  https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/25840/1/Control_Plane_Security_Best_Practices_1_0.pdf