Wireless Access

Occasional Contributor I
Posts: 9
Registered: ‎03-19-2010

Why deploy APs on existing VLANS

Hello,


I am uncertain on how to respond to the quote given below. 


A big motivation for putting APs in existing VLANs seems to be for Aruba rogue detection, however Airwave is good at detecting wireless detection and does not have that restriction.   Airwave scans switches for matching arp data and puts the wired and wireless data together for an overall picture.  Why is the author of this document so insistent?  Is this old advice? 


Also, advising APs be placed on existing VLANs may raise certain alarms with security people.  Yes, I know, the user traffic is tunneled back to the controller so you could argue about how much of a risk this really is.  There is an advantage in only enabling certain switch ports and knowing legitimate APs are in a limited number of IP addresses ranges.  This makes things easier to track. 


Regards,

  David


From Aruba Mobility Controller VRD

"AP VLANs:

Aruba strongly recommends that edge access VLANs should not be dedicated to

APs except in environments where 802.1X is a requirement on the wired edge. The APs should

use the existing edge VLANs as long as they have the ability to reach the mobility controller.

Deploying the APs in the existing VLANs allows for the full use of the Aruba rogue detection

capabilities."

MVP
Posts: 2,989
Registered: ‎10-25-2011

Re: Why deploy APs on existing VLANS

You can tell them that the traffic is encrypted...

Remember there are 3 types in which you can put the AP

Tunnel mode

Tunnel Unencrypted mode

and Bridge

So I believe the traffic is all encrypted on the AP and decrypted on the Controller, if that worries them.

I don't know if that helps.


Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,989
Registered: ‎10-25-2011

Re: Why deploy APs on existing VLANS

Here is an extract of a VRD which is telling you that the packet is encrypted, or at least that is what I understand.

[attachment: tunnel.PNG]

Hope that helps


Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Why deploy APs on existing VLANS

I like to use dedicated VLANs for the APs so IP connectivity to the controller can be restricted.


This works well in environments with strict security policies, also when combining this with network authentication (either 802.1X or MAC auth) with dynamic VLAN assignment.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Occasional Contributor I
Posts: 9
Registered: ‎03-19-2010

Re: Why deploy APs on existing VLANS

Thanks for the replies.  I should restate the question.   The author of the document seems very insistent about using regular office VLANs, with a big reason being scanning for rogues.  Airwave does not have the requirement to have the APs on the regular office network.  It can pick up wired rogue data from the switches and combine it with wireless rogue data from the WLAN controller so it has a complete picture of wired and wireless.  It will provide an alert of a rogue that is both wired and wireless.  (Not to mention the other possible combinations of wired and wireless it reports out on.)  I certainly get rogue device alerts from Airwave.  :)

What is lost by not having the Aruba APs on the regular office network given that Airwave is in place and has rogue data from both wired and wireless sources?
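The wired/wireless join David describes above (switch MAC/ARP data matched against BSSIDs seen over the air) as an added Python example; this is constructed illustration code, not Airwave's or ArubaOS's implementation, and the "BSSID is within a few addresses of the wired MAC" heuristic and all sample MACs are assumptions made for the example.

```python
"""Flag BSSIDs that also appear, directly or via a nearby MAC, on a wired switch port.

Constructed example: the join of a switch MAC table with observed BSSIDs is the
idea from the thread; the offset heuristic is an assumption (many APs derive
BSSIDs from their wired MAC by small increments), not a documented rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WiredEntry:
    mac: str      # MAC learned on the switch port (as an ARP/MAC-table row)
    switch: str   # switch that reported it
    port: str     # port it was learned on


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff or aa-bb-... into an integer for offset math."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def correlate(wired, bssids, managed_ap_macs, max_offset=16):
    """Return {bssid: WiredEntry} for every BSSID whose MAC, or a MAC within
    max_offset of it, was learned on a wired port and is not one of our own
    managed APs. A hit means the radio is also plugged into the wired network."""
    by_mac = {mac_to_int(w.mac): w for w in wired}
    managed = {mac_to_int(m) for m in managed_ap_macs}
    hits = {}
    for bssid in bssids:
        base = mac_to_int(bssid)
        for candidate in range(base - max_offset, base + max_offset + 1):
            if candidate in by_mac and candidate not in managed:
                hits[bssid] = by_mac[candidate]
                break
    return hits


# Constructed sample data (locally administered 02:... MACs, nothing real).
SAMPLE_WIRED = [
    WiredEntry("02:00:00:00:10:00", "sw1", "Gi1/0/12"),  # unknown device
    WiredEntry("02:00:00:00:20:00", "sw1", "Gi1/0/5"),   # our managed AP
    WiredEntry("02:00:00:00:30:00", "sw2", "Gi1/0/7"),   # unrelated host
]
SAMPLE_MANAGED_APS = ["02:00:00:00:20:00"]
SAMPLE_BSSIDS = ["02:00:00:00:10:01", "02:00:00:00:20:01", "02:00:00:00:40:00"]


def demo():
    """Only the first BSSID should be reported as a wired-and-wireless rogue."""
    return correlate(SAMPLE_WIRED, SAMPLE_BSSIDS, SAMPLE_MANAGED_APS)
```

The second BSSID is skipped because its only nearby wired MAC belongs to a managed AP, and the third has no wired counterpart at all, so it stays a wireless-only observation.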

Occasional Contributor I
Posts: 9
Registered: ‎03-19-2010

Re: Why deploy APs on existing VLANS

If anyone has any insight into this I would appreciate it.


At the moment my guess is that this strong recommendation was written before Airwave was more integrated into the Aruba product line and that this recommendation is out of date.  Am I missing something about Aruba rogue tracking capabilities versus Airwave rogue capabilities?

Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

Re: Why deploy APs on existing VLANS


djkershaw wrote:

If anyone has any insight into this I would appreciate it.


At the moment my guess is that this strong recommendation was written before Airwave was more integrated into the Aruba product line and that this recommendation is out of date.  Am I missing something about Aruba rogue tracking capabilities versus Airwave rogue capabilities?


djkershaw,

I want to say that it is NOT assumed that the user has Airwave, so having the access points on the same VLAN as the user subnets to provide rogue detection as well as wired mitigation is a good practice.  Airwave has more historical capability in terms of detection, but only the controller can provide wired mitigation when the access points are in the same VLAN.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎03-19-2010

Re: Why deploy APs on existing VLANS

That is good to know.  Wired mitigation is an advantage worth mentioning.  Thanks. 
