Wireless Access

Contributor II
Posts: 53
Registered: ‎10-01-2013

Trunking VLANS to AP/AM's

I am helping out a customer that has done dedicated VLANs for APs.

This is not good for rogue detection, and trunking all VLANs to the controller is not really feasible with their topology.

Reading up on rogue detection, and also asking before, one piece of advice has been to trunk all the VLANs (wired) to an AP or AM.

This is something that could improve the situation here; I am just a bit curious as to what exactly that means.

Do you create all the needed VLANs on the Aruba controller as well, and then create an eth profile with a wired AP where all VLANs are allowed in trunking mode?

I can't see that just trunking them to an AM/AP does much; the VLANs must exist on the controller as well, otherwise the packets will be discarded.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Trunking VLANS to AP/AM's

The best practice is to just place your access points in the same VLAN where end user devices are (desktops, printers, etc).

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 729
Registered: ‎12-01-2010

Re: Trunking VLANS to AP/AM's

We're using the Aruba gear to provide WLAN access for our users and legacy devices, but we're also using it to meet PCI WLAN monitoring requirements.

To get optimum WIPS functionality, we connect the access points to trunk ports with the AP management VLAN set as native and all wired VLANs "visible" to the wired interface of the AP/AM.

This allows the AM to "see" MAC addresses on the wire and in the air regardless of which VLAN has a potential rogue AP connected.

The only VLANs we configure on the controller(s) are the VLANs needed for client traffic so the AP can either tunnel or drop off client data as needed.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it