Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
bridge mode recommendation

  • 1.  bridge mode recommendation

    Posted Aug 24, 2012 09:25 AM

    Hello once again! :)

    Okay, I've got a question about bridge mode.

    Well, I've got a case in which we have a central site where the wireless controller is. There are not too many people there, as we just have all the servers and all the equipment there, but it is not an office... and I've got many remote sites... but the remote sites go through a private WAN! And we communicate with the other sites through L3, not L2...

    Now I was wondering if you guys would put the APs on the remote sites, going through the private WAN link, in bridge mode rather than tunnel mode?

    There won't be more than 3 APs on each remote site; practically always just 1 AP or 2 APs.

    The advantage would be, well, less BW on the WAN link... and an advantage to the client, in that he won't need to create a VLAN there, as for some reason he doesn't seem excited about creating one there... and well, he will not have to create the VLAN in that central site either...

    The disadvantages are:

    1 - Less security, as when a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

    2 - More administrative work, as I will need to create one wireless VLAN in each remote site, a new AP group and a new VAP, since the wireless VLAN ID will be different in each site, and I'll need to tag this VLAN to the AP.

    3 - I do have fewer features in this mode...

    Now if you could create this VLAN and there won't be any issue with that... would you still configure it as a bridge mode campus AP?

    Or would you still configure it as a bridge mode campus AP? And why?

    I just want some opinions to see if I can analyze this better with other points of view :)

    Thanks everyone in advance!



  • 2.  RE: bridge mode recommendation

    EMPLOYEE
    Posted Aug 24, 2012 09:31 AM

    @NightShade1 wrote:

    Hello once again! :)

    Okay, I've got a question about bridge mode.

    Well, I've got a case in which we have a central site where the wireless controller is. There are not too many people there, as we just have all the servers and all the equipment there, but it is not an office... and I've got many remote sites... but the remote sites go through a private WAN! And we communicate with the other sites through L3, not L2...

    Now I was wondering if you guys would put the APs on the remote sites, going through the private WAN link, in bridge mode rather than tunnel mode?

    The advantage would be, well, less BW on the WAN link... and an advantage to the client, in that he won't need to create a VLAN there, as for some reason he doesn't seem excited about creating one there... and well, he will not have to create the VLAN in that central site either...

    The disadvantages are:

    1 - Less security, as when a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

    2 - More administrative work, as I will need to create one wireless VLAN in each remote site, and I'll need to tag this VLAN to the AP.

    3 - I do have fewer features in this mode...

    Now if you could create this VLAN and there won't be any issue with that... would you still configure it as a bridge mode campus AP?

    Or would you still configure it as a bridge mode campus AP? And why?

    I just want some opinions to see if I can analyze this better with other points of view :)

    Thanks everyone in advance!


    1.  You do NOT have less security, because the firewall enforcement is done in the AP.

    2.  Your virtual AP VLAN, if you leave it at 1, will simply bridge traffic at all sites, regardless of the VLAN.

    3.  I don't understand what you mean by fewer features. What features do you NOT get?



  • 3.  RE: bridge mode recommendation

    Posted Aug 24, 2012 09:45 AM

    Hello Collin, thanks for answering my thread.

    Answering you:

    1 - It has less security because of what I said, or at least that's what the VRD tells you: that the security is enhanced in tunnel mode.

    "By centralizing encryption and decryption at the mobility controller,
    network security is enhanced because encryption keys are never sent to the APs. The keys are securely
    stored on the mobility controller."

    Reference

    http://www.arubanetworks.com/pdf/technology/DG_Mobility-Controllers-Deployment-Models-5.0-VRD.pdf

    page 40

    "When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11
    association requests and responses, encryption/decryption processes, and firewall
    enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed"

    User guide page 152, Aruba AOS 6.1

    If I misunderstood the VRD and user guide explanation, sorry, and well, if you could tell me whether this does not matter and why.

    2 - Okay, I've got a question here. Let's say on the remote site the AP is on VLAN 10, but I don't want my wireless being on the same VLAN as the APs, which, as you have mentioned before, is a bad practice; we should have the wireless on a VLAN alone and not with wired devices! I need to create a new VLAN, tag it to the AP and set it on the virtual AP. Let's say I create a new VLAN 15 for the wireless: I tag that VLAN to the AP and put that VLAN 15 on the VAP? Am I wrong in this statement, Collin?

    3 - Fewer features

    Well, at least the user guide does point you to a list of features you lose in bridge mode, page 803:


    Most ArubaOS features are supported in all forwarding modes. However, there are a some features that are
    not supported in one or more forwarding modes. Campus APs do not support split-tunnel forwarding mode
    and the decrypt-tunnel forwarding mode does not support TKIP Counter measure management on campus
    APs or remote APs.

    Bridge mode

    Firewall—SIP/SCCP/RTP/RTSP Voice Support
    Firewall—Alcatel NOE Support
    Voice over Mesh
    Video over Mesh
    Named VLAN
    Captive portal
    Rate Limiting for broadcast/multicast
    Power save: Wireless battery boost
    Power save: Drop wireless multicast traffic
    Power save: Proxy ARP (global)
    Power save: Proxy ARP (per-SSID)
    Automatic Voice Flow Classification

    SIP ALG
    SIP: SIP authentication tracking
    SIP: CAC enforcement enhancements
    SIP: Phone number awareness
    SIP: R-Value computation
    SIP: Delay measurement
    Management: Voice-specific views
    Management: Voice client statistics
    Management: Voice client troubleshooting
    Voice protocol monitoring/reporting
    SVP ALG
    H.323 ALG
    Vocera ALG
    SCCP ALG
    NOE ALG
    Layer 3 Mobility
    IGMP Proxy Mobility
    Mobile IP
    TKIP countermeasure mgmt
    Bandwidth based CAC
    Dynamic Multicast Optimization




  • 4.  RE: bridge mode recommendation

    Posted Aug 24, 2012 01:43 PM

    Hello again Collin,

    I was testing what you said on point number 2.

    Well, I don't know if the scenario you were telling me about was the following one...

    Remote site A

    Wireless VLAN 99

    On the virtual AP I put VLAN 1

    On the port that connects to the AP I put switchport access vlan 99

    So only the AP and the wireless clients are on that VLAN...

    If I do that I will not have to configure many AP groups or VAPs... I can do the same with the same VAP, but the client will have to create a VLAN for each remote site... that's IF we put the wireless clients on a separate VLAN from the normal wired users....

    Did I get it right? Or did I misunderstand you?

    At least I'm doing the lab, and the way I described it above it's working fine...



  • 5.  RE: bridge mode recommendation

    EMPLOYEE
    Posted Aug 24, 2012 07:56 PM

    @NightShade1 wrote:

    Hello again Collin,

    I was testing what you said on point number 2.

    Well, I don't know if the scenario you were telling me about was the following one...

    Remote site A

    Wireless VLAN 99

    On the virtual AP I put VLAN 1

    On the port that connects to the AP I put switchport access vlan 99

    So only the AP and the wireless clients are on that VLAN...

    If I do that I will not have to configure many AP groups or VAPs... I can do the same with the same VAP, but the client will have to create a VLAN for each remote site... that's IF we put the wireless clients on a separate VLAN from the normal wired users....

    Did I get it right? Or did I misunderstand you?

    At least I'm doing the lab, and the way I described it above it's working fine...


    Nightshade1,

    In the AP group of every AP, there is an AP System Profile. In that AP System Profile there is a "Native VLAN ID" parameter. If:

    - An SSID is bridged, and:

    - The Native VLAN ID parameter matches the Virtual AP VLAN of the bridged SSID:

    The traffic will be sent untagged to the Ethernet port.

    Since by default this parameter is 1, if you ALSO set the Virtual AP VLAN to 1, it will ALWAYS send the user traffic out the Ethernet port of the AP, untagged.

    If you have many small sites where the AP is on the same VLAN as the wireless users, this will work.

    It is ONLY when the Virtual AP parameter and the Native VLAN ID parameter do NOT match where the user traffic is sent out untagged.


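The matching rule Collin describes (VAP VLAN equal to the AP System Profile Native VLAN ID means untagged user traffic at the AP's Ethernet port), as an added planning model that is not Aruba code or anything from this thread. It assumes the complement of that rule (a non-matching VAP VLAN leaves the AP as an 802.1Q-tagged frame carrying the VAP VLAN), standard access/trunk port handling on the site switch, and constructed names (ApGroup, SwitchPort, landing_vlan, check_sites); it lets you check, per remote site, whether one shared AP group actually puts wireless clients in the separate wireless VLAN the site intended.

```python
# Added model of the bridge-mode tagging rule discussed in this thread; not Aruba code.
# Rule from the thread: VAP VLAN == AP System Profile "Native VLAN ID" -> frames leave
# the AP untagged. Assumed complement: otherwise the frame carries an 802.1Q tag with
# the VAP VLAN. Access/trunk handling below is standard switch behaviour, assumed here.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApGroup:
    native_vlan: int = 1   # AP System Profile "Native VLAN ID" (default 1)
    vap_vlan: int = 1      # Virtual AP VLAN of the bridged SSID


@dataclass(frozen=True)
class SwitchPort:
    mode: str                          # "access" or "trunk"
    pvid: int = 1                      # VLAN assigned to untagged frames on this port
    allowed: frozenset = frozenset()   # tagged VIDs accepted when mode == "trunk"


def ap_egress_tag(group: ApGroup) -> Optional[int]:
    """None when the AP sends user traffic untagged, else the 802.1Q VID it adds."""
    return None if group.vap_vlan == group.native_vlan else group.vap_vlan


def landing_vlan(group: ApGroup, port: SwitchPort) -> Optional[int]:
    """VLAN the wireless clients end up in on the wired side, or None if dropped."""
    tag = ap_egress_tag(group)
    if tag is None:
        return port.pvid                 # untagged -> the port's own VLAN
    if port.mode == "trunk" and tag in port.allowed:
        return tag                       # tagged and permitted on the trunk
    return None                          # tagged frame an access port will not carry


def check_sites(group: ApGroup, sites: dict) -> dict:
    """Per site: does one shared AP group land wireless clients in the wanted VLAN?
    sites maps name -> (wanted_vlan, SwitchPort)."""
    return {name: landing_vlan(group, port) == wanted
            for name, (wanted, port) in sites.items()}


# Constructed sample: the thread's remote site A (wireless VLAN 99, VAP VLAN 1,
# "switchport access vlan 99") plus a second site with its own wireless VLAN.
SITES = {
    "site-A": (99, SwitchPort("access", pvid=99)),
    "site-B": (42, SwitchPort("access", pvid=42)),
}
SHARED_GROUP = ApGroup(native_vlan=1, vap_vlan=1)    # one AP group serves every site
PER_SITE_VAP = ApGroup(native_vlan=1, vap_vlan=15)   # VAP VLAN 15 -> tagged with 15
```

A False entry from check_sites means that site's wireless clients would be dropped or land in the wrong VLAN, which is the segmentation mistake the dedicated wireless VLAN is meant to prevent.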


  • 6.  RE: bridge mode recommendation

    Posted Aug 24, 2012 08:01 PM

    Okay Collin, I got you! It's clear now.

    Thank you very much again for your time in explaining all this!

    Cheers,

    Carlos