Occasional Contributor II

Wireless controller networking, trunk, trusted vs non trusted vlans

I created the following Wireless config:

Port 0 - the Access Points (DHCP). Port is trusted.

Port 1 - Trunk to the switch with 6 vlans. Port is trusted. 

VAPs - 6 SSIDs, each has a vlan which is in the trunk. 

Port 14 - access vlan 1 (for management)

I haven't defined any ACLs or firewall policies.

Q1: All the vlans in port 1 are untrusted. I could not get a clear understanding of what trusted vs non-trusted mean if I use L2 only. Seems like if I use L2 only, there is no difference or impact if the vlan is trusted or not. Is that so?
In other words, if all vlans in the trunk port are non-trusted, does it have any negative impact or concerns?

Q2: I see in the client list clients for the wireless, wired and internet as well (e.g. cloud and Akamai). What does it mean? Is it just a nice bonus that the controller shows info of all clients it can discover, or does it try to do something with that traffic?

Q3: I use port 14 as a mgmt port. It is connected to an access port with a static IP. Are there any other concerns or BKMs?

Aruba Employee

Re: Wireless controller networking, trunk, trusted vs non trusted vlans

Untrusted for the port/vlan status means traffic coming into that interface should be authenticated and/or treated as a firewall user. The controller then can apply an AAA policy to authenticate untrusted users via mac auth, captive portal, or eap/802.1X and consequently place the user(s) and their associated traffic into a role.

You mentioned in Q2 that you're seeing Internet resources like cloud and Akamai showing up as clients. From the topology you described, it sounds as though your Internet uplink is one of those 6 vlans on port 1 which is why the controller sees them as users.

Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Wireless controller networking, trunk, trusted vs non trusted vlans

Thank you Charlie. I think that the trusted feature is relevant only if I terminate the authentication at the controller. If I use Radius, trusted has no effect. Correct?

Regarding the uplink - my uplink is disabled:

uplink wired vlan 1 priority 1

uplink disable

But the connected vlans do see the internet. So I guess the Aruba controller shows all the "clients" it can see anywhere.

Aruba Employee

Re: Wireless controller networking, trunk, trusted vs non trusted vlans

Negative. If you want to apply an AAA policy to a port/vlan, the port needs to be untrusted. If you don't want to auth/AAA each mac address that comes through the port, then the port needs to be trusted.


Once you've determined that you intend to do auth/AAA, then from there you can decide whether to add radius or other external auth sources.


Charlie Clemmer
Aruba Customer Engineering
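As an added illustration of the point Charlie makes above (this config is not from the thread or from Aruba), here is an ArubaOS 6.x-style fragment for the poster's topology: the six-VLAN trunk stays trusted except for one VLAN, which is marked untrusted so the controller authenticates its wired users and drops them into a role. The port number, VLAN ids, role and profile names are assumed placeholders; check the exact command syntax against your controller's release.

```text
! Trunk to the switch carrying six VLANs (assumed ids 10-60).
! "trusted" covers the port; the "trusted vlan" list then excludes VLAN 60,
! so only VLAN 60 traffic is treated as firewall users needing AAA.
interface gigabitethernet 1/1
    description "Trunk to core switch"
    switchport mode trunk
    switchport trunk allowed vlan 10,20,30,40,50,60
    trusted
    trusted vlan 1-59,61-4094
!
! AAA profile for the untrusted VLAN: unknown MACs land in an initial role
! with no network access; successful MAC auth moves them to a limited role.
! (Role and profile names are assumed.)
aaa profile "wired-guest-aaa"
    initial-role "guest-logon"
    authentication-mac "wired-mac-auth"
    mac-default-role "guest"
!
! Apply the profile to wired users arriving on untrusted ports/VLANs.
aaa authentication wired
    profile "wired-guest-aaa"
```

Traffic on the five trusted VLANs is bridged without a user entry; only VLAN 60 clients appear in the user table with a role, which is the behaviour to expect when a VLAN is untrusted.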