Wireless Access

Occasional Contributor II
Posts: 11
Registered: ‎11-25-2015

Filtering local switched traffic in controller based solution??

Hi

 

I'm new to Aruba (been working with HP MSM for many years), and I'm in the process of converting an MSM customer to Aruba. Due to many factors we wish to create a very simple MSM-like solution where a central controller manages hundreds of APs that are all doing local switching. We do not want, nor do we have the option of, tunneling traffic.

 

But one major question arises: We have fairly large subnets with a large number of clients, and in MSM I could simply activate a wireless filter that restricted the wireless clients' traffic (including broadcasts) to requests that referred to the default gateway for the client (in effect isolating the client completely in the wired/wireless L2).

Do I have the same option when running Aruba centrally controlled APs in local switching mode? I know I can with Instant APs, but that's not an option here either due to Instant size limitations.

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Filtering local switched traffic in controller based solution??

The short answer is yes.

At a high level, you would configure a "bridged" Virtual AP, where instead of traffic being tunneled, it will be bridged out the ethernet interface of the AP.  You can decide what VLAN that traffic would be bridged to by entering the VLAN in the Virtual AP.  By default, any VLAN other than 1 will be tagged out the interface, so that an access point on a trunk will send traffic to the tagged VLAN.  Lastly, you can configure a role for the user traffic, so that you can apply a firewall policy to the traffic bridged to the wired network that would say what the user traffic is allowed and not allowed to do.

 

I hope that makes sense.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 11
Registered: ‎11-25-2015

Re: Filtering local switched traffic in controller based solution??

Hi Colin

 

Okay, that sounds fairly simple, and I assume this user role invokes "firewall"-like filtering directly on the AP, so no per-packet interaction is needed with the controller?

 

While that firewall sounds like it would fix most of my problems, one does remain. Can I filter broadcasts with this feature as well? I'll need to make absolutely sure broadcasts from a wireless client are not forwarded to all other wireless clients (spread out on several APs in the same L2), as Dropbox, Bonjour and other broadcast-prone crapware will kill the wireless network due to the subnet size we're using.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Filtering local switched traffic in controller based solution??

Yes, you can do per SSID broadcast filtering. There is a drop-down in the ssid configuration page.

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Filtering local switched traffic in controller based solution??

When a Virtual AP is configured as "bridged" the firewall operates in the access point, yes.

You can enable broadcast filtering at the Virtual AP level to stop broadcasts from propagating, yes.

 

You say "with the size of the subnets we have".  How big?



Colin Joseph
Aruba Customer Engineering



Occasional Contributor II
Posts: 11
Registered: ‎11-25-2015

Re: Filtering local switched traffic in controller based solution??

Cool, that sounds exactly like what I need.

 

Our subnet is /22 and sometimes we have 1000+ clients online in one of them (all wireless and all filtered so they cannot see anything on L2 but their default gateway).

 

I'm very impressed by the response speed and detailed help I got here in less than 20 minutes. You guys really rock :-) !!

Occasional Contributor II
Posts: 11
Registered: ‎11-25-2015

Re: Filtering local switched traffic in controller based solution??

Oh, one more thing.

Does this feature require additional licenses on the controller? 

 

Right now we have just planned on buying AP licenses for the controller (7210).

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Filtering local switched traffic in controller based solution??

[ Edited ]

To apply a firewall policy to the client traffic requires the Policy Enforcement Firewall License, yes.

 

EDIT:  Dropping broadcasts at the Virtual AP level does NOT require the Policy Enforcement Firewall license, however.

 



Colin Joseph
Aruba Customer Engineering

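For readers wanting to see how the pieces Colin describes fit together in a controller configuration (bridged Virtual AP, broadcast filtering, and a PEF user role that only lets clients reach their default gateway), here is an illustrative ArubaOS-style configuration. It is added here and is not taken from the thread; the VLAN, gateway address and profile names are placeholders, and the command syntax is ArubaOS 6.x as I know it, so check it against the release you run.

```text
! Session ACL: a client may obtain an address by DHCP and talk to its default
! gateway (placeholder 10.20.0.1); everything else, including traffic to other
! clients in the same L2, is dropped. Rule order matters: first match wins.
ip access-list session gw-only
  user any svc-dhcp permit
  user host 10.20.0.1 any permit
  user any any deny

! Role that applies the ACL to every client placed in it.
! This is the part that needs the Policy Enforcement Firewall (PEF) license.
user-role bridged-clients
  access-list session gw-only

! AAA profile that puts clients of the SSID into that role.
! (Assumes no authentication-derived role overrides the initial role.)
aaa profile bridged-aaa
  initial-role bridged-clients

! Virtual AP: traffic is bridged locally by the AP onto VLAN 100 (tagged on the
! AP's ethernet port, since it is not VLAN 1), client broadcasts are dropped at
! the VAP, and the AAA profile above applies the role. broadcast-filter does not
! need PEF; the role does.
wlan virtual-ap LocalBridge-vap
  forward-mode bridge
  vlan 100
  broadcast-filter all
  aaa-profile bridged-aaa
  ssid-profile LocalBridge-ssid
```

After applying it, `show rights bridged-clients` on the controller shows the resolved ACL, and `show user-table` confirms that associated clients land in the intended role rather than a default one.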

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Filtering local switched traffic in controller based solution??


Keyser wrote:

Cool, that sounds exactly like what I need.

 

Our subnet is /22 and sometimes we have 1000+ clients online in one of them (all wireless and all filtered so they cannot see anything on L2 but their default gateway).

 

I'm very impressed by the response speed and detailed help I got here in less than 20 minutes. You guys really rock :-) !!


Keyser,

 

Let's talk about design.  If you have 1000 clients on a /23, how many access points would you need?  If you have, let's say, 30 access points, you would have to configure and manage a trunk port for each access point every time you would deploy an access point.  If you simply tunneled the traffic back to a controller, you would only maintain a single trunk that connects to the controller.  Maintenance, management and deployment would be simpler.

 



Colin Joseph
Aruba Customer Engineering
