08-16-2016 11:10 AM
A customer has requested that we create a locally bridged ssid for him, which is no problem. But he wants traffic for the local ssid to be dumped out on eth1, which will be connected directly to one of his own switches; eth0 is connected to our PoP (and tunnels back to the controller). Is this desirable/possible?
In the vap profile for his local ssid we have a vlan number assigned, would I create a port profile for eth1 with that vlan number allowed?
Authentication for his local vap is via dot1x and uses the same aaa profile as our other 'normal' (non-local) ssids.
09-05-2016 02:27 PM
I'm just following up on this. I did some testing and it looks like this works:
local vlan 100 in the vap profile for local ssid
default profile on enet0 (connected to switch 1 with AP vlan)
wired ap profile on enet1 - vlan 100 allowed - connected to switch 2
I'm not sure how the two halves of this work together - i.e. does specifying the vlan in the vap mean that the vlan is then added to the wired ports automatically?
I tried this with the vlan tagged and untagged in the wired-ap-profile; both seemed to work. There didn't appear to be leaking between the AP vlan and the local vlan (wireshark on a PC connected to the local ssid showed very little traffic, which is what I expected as the vlan in testing doesn't go anywhere other than the local switch, which is also acting as the dhcp-server).
So unless there's something I'm missing it seems like this is technically possible, but is it something that Aruba recommends? Our worry is that we could configure this as the customer has asked but then find it becomes broken in a later release of AOS, and if unsupported, then no fix would become available.