Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Why deploy APs on existing VLANS

  • 1.  Why deploy APs on existing VLANS

    Posted Jun 12, 2013 12:36 AM

    Hello,

     

    I am uncertain how to respond to the quote given below.

    A big motivation for putting APs in existing VLANs seems to be Aruba rogue detection; however, Airwave is good at detecting rogues and does not have that restriction. Airwave scans switches for matching ARP data and puts the wired and wireless data together for an overall picture. Why is the author of this document so insistent? Is this old advice?

     

    Also, advising that APs be placed on existing VLANs may raise certain alarms with security people. Yes, I know, the user traffic is tunneled back to the controller, so you could argue about how much of a risk this really is. There is an advantage in only enabling certain switch ports and knowing legitimate APs are in a limited number of IP address ranges. This makes things easier to track.

     

     

    Regards,

      David

     

    From Aruba Mobility Controller VRD

    "AP VLANs:

    Aruba strongly recommends that edge access VLANs should not be dedicated to APs except in environments where 802.1X is a requirement on the wired edge. The APs should use the existing edge VLANs as long as they have the ability to reach the mobility controller. Deploying the APs in the existing VLANs allows for the full use of the Aruba rogue detection capabilities."



  • 2.  RE: Why deploy APs on existing VLANS

    Posted Jun 12, 2013 09:44 AM

    You can tell them that the traffic is encrypted...

    Remember there are 3 types in which you can put the AP:

    Tunnel mode

    Tunnel Unencrypted mode

    and Bridge

    So I believe the traffic is all encrypted on the AP and decrypted on the controller, if that worries them.

    I don't know if that helps.

     

    Cheers

    Carlos



  • 3.  RE: Why deploy APs on existing VLANS

    Posted Jun 12, 2013 09:52 AM

    Here is an extract of a VRD which is telling you that the packet is encrypted, or at least that is what I understand.

    [image: tunnel.PNG]

     

    Hope that helps

     

    Cheers

    Carlos



  • 4.  RE: Why deploy APs on existing VLANS

    Posted Jun 12, 2013 10:01 AM

    I like to use dedicated VLANs for the APs so IP connectivity to the controller can be restricted.

    This works well in environments with strict security policies, and also when combining this with network authentication (either 802.1X or MAC auth) with dynamic VLAN assignment.



  • 5.  RE: Why deploy APs on existing VLANS

    Posted Jun 14, 2013 12:52 AM

    Thanks for the replies. I should restate the question. The author of the document seems very insistent about using regular office VLANs, with a big reason being scanning for rogues. Airwave does not have the requirement to have the APs on the regular office network. It can pick up wired rogue data from the switches and combine it with wireless rogue data from the WLAN controller, so it has a complete picture of wired and wireless. It will provide an alert for a rogue that is both wired and wireless. (Not to mention the other possible combinations of wired and wireless it reports on.) I certainly get rogue device alerts from Airwave. :)

    What is lost by not having the Aruba APs on the regular office network, given that Airwave is in place and has rogue data from both wired and wireless sources?
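    The wired/wireless correlation David describes, as an added example written for this page (not Airwave's or Aruba's code, and not from the thread): an unknown BSSID is flagged as a wired rogue when a MAC in the same OUI and within a small offset appears in a switch MAC table, which also yields the switch port. The OUI/offset heuristic and the sample tables are constructed assumptions, not Airwave's actual matching logic.

```python
"""Correlate wired switch MAC-table entries with wireless BSSIDs seen by APs.

Simplified model of the wired/wireless correlation discussed in the thread:
an AP's radio BSSIDs normally share the OUI of its wired MAC and differ only
in the low bits, so an unknown BSSID with a near-neighbour MAC in a switch
MAC table is a rogue on our own wire, and the table tells us the port.
The offset heuristic and all sample data are constructed for this example.
"""

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dashed form) into an int for comparison."""
    return int(mac.replace(":", "").replace("-", ""), 16)

# Constructed sample data: our AP radios, a switch MAC table, one RF scan.
AUTHORIZED_BSSIDS = {"00:1a:1e:80:10:00", "00:1a:1e:80:10:01"}
# (switch, port, mac) as learned from the edge switches' MAC/ARP tables
WIRED_TABLE = [
    ("sw-floor2", "Gi1/0/7", "00:1a:1e:c1:22:30"),   # our AP's uplink
    ("sw-floor2", "Gi1/0/19", "a4:2b:8c:44:10:00"),  # unknown device
    ("sw-floor2", "Gi1/0/20", "3c:52:82:11:22:33"),  # a laptop
]
# (bssid, ssid, reporting AP) as heard over the air by our APs
WIRELESS_SCAN = [
    ("00:1a:1e:80:10:00", "corp", "ap-201"),
    ("a4:2b:8c:44:10:03", "FreeWiFi", "ap-201"),  # rogue plugged into sw-floor2
    ("dc:a6:32:77:88:99", "Neighbor", "ap-202"),  # next door, no wired footprint
]

def classify(scan, wired, authorized, max_offset=8):
    """Return {bssid: (verdict, 'switch/port' or None)} for each BSSID heard.

    verdict: 'authorized', 'rogue-wired' (a wired MAC in the same OUI within
    max_offset was found in a switch table) or 'interfering' (no wired match).
    """
    results = {}
    for bssid, _ssid, _ap in scan:
        if bssid in authorized:
            results[bssid] = ("authorized", None)
            continue
        b_int = mac_to_int(bssid)
        location = None
        for switch, port, mac in wired:
            w_int = mac_to_int(mac)
            same_oui = (w_int >> 24) == (b_int >> 24)
            if same_oui and abs(w_int - b_int) <= max_offset:
                location = f"{switch}/{port}"
                break
        results[bssid] = ("rogue-wired", location) if location else ("interfering", None)
    return results
```

    A "rogue-wired" verdict with a port is what lets a defender act on the switch side (disable the port, check 802.1X logs) instead of only chasing the radio.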



  • 6.  RE: Why deploy APs on existing VLANS

    Posted Jun 15, 2013 06:42 PM

    If anyone has any insight into this I would appreciate it.

     

    At the moment my guess is that this strong recommendation was written before Airwave was more integrated into the Aruba product line and that this recommendation is out of date.  Am I missing something about Aruba rogue tracking capabilities versus Airwave rogue capabilities?



  • 7.  RE: Why deploy APs on existing VLANS
    Best Answer

    EMPLOYEE
    Posted Jun 16, 2013 03:17 AM

    @djkershaw wrote:

    If anyone has any insight into this I would appreciate it.

     

    At the moment my guess is that this strong recommendation was written before Airwave was more integrated into the Aruba product line and that this recommendation is out of date.  Am I missing something about Aruba rogue tracking capabilities versus Airwave rogue capabilities?


    djkershaw,

     

    I want to say that it is NOT assumed that the user has Airwave, so having the access points on the same VLAN as the user subnets to provide rogue detection as well as wired mitigation is a good practice. Airwave has more historical capability in terms of detection, but only the controller can provide wired mitigation when the access points are in the same VLAN.



  • 8.  RE: Why deploy APs on existing VLANS

    Posted Jun 25, 2013 09:40 PM

    That is good to know.  Wired mitigation is an advantage worth mentioning.  Thanks.