Wireless Access

Occasional Contributor II

Bridge mode SSID, Campus AP and Control Plane Security

Hello,

I need Bridge SSID, campus AP, Control Plane Security disabled...

Is it possible? If not, what's the best practice of Bridge SSID with CPS disabled?

Frequent Contributor I

Re: Bridge mode SSID, Campus AP and Control Plane Security

bridge ssid, campus, control-plane security - pick any two of three...... no it's not possible.

You can use remote access point (rap) mode instead perhaps, but mostly people will suggest that if you're thinking to use bridge you should be using IAP or perhaps split tunnel.

Can you share more details about your use case that leads you to bridge mode?

Occasional Contributor II

Re: Bridge mode SSID, Campus AP and Control Plane Security

I am using MPLS lines between my branch offices. I want to use their local VLANs for clients.

In addition to that, when the controller shuts down, the AP should work without the controller. Operation should not stop.

Guru Elite

Re: Bridge mode SSID, Campus AP and Control Plane Security

CPsec should ALWAYS be enabled.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Bridge mode SSID, Campus AP and Control Plane Security

cpsec always??? no, not really. balance the complexity/implications against switching to rap, rap will often win.

Guru Elite

Re: Bridge mode SSID, Campus AP and Control Plane Security

Without CPSEC your AP control traffic can be monitored and possibly manipulated. Users can also add any access points they want to your system. You can keep CPSEC off and open the possibility that this can happen at your own risk.

Please see more in the ArubaOS hardening guide here: http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/37095/2/ArubaOS_Hardening_Guide_10302015.pdf and the control plane security best practices guide here: https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/25840/1/Control_Plane_Security_Best_Practices_1_0.pdf



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Bridge mode SSID, Campus AP and Control Plane Security

Ilkay wrote:

I am using MPLS lines between my branch offices. I want to use their local VLANs for clients.

In addition to that, when the controller shuts down, the AP should work without the controller. Operation should not stop.

then probably the best choice for your use case would be RAP with persistent bridge mode (presuming that you don't want to use instant).

Bridge mode has some caveats and limitations though, so do read up in the user guide about the things which you lose if you use bridge mode, in the section "Understanding Mode Support". RAPs of course use ipsec so all this worry about CPSEC is not relevant.

Finally, bridge mode does not receive much love these days due to instant and the rather expensive notion of putting branch controllers at every branch site, but if you want to do local offload of traffic and you don't need source nat on the AP, then bridge can do the trick (source nat works but roaming gets ugly, avoid it).
