Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

native vlan in MBC course - LAB

  • 1.  native vlan in MBC course - LAB

    Posted May 02, 2015 06:40 PM

    Hi guys,

    In the Aruba MBC course, the VLAN X0 (10 in our example) is an untagged VLAN, the Management VLAN.

    The Aruba 3200 controller has 4 interfaces, 1/0-3.

    - 1/0 is the uplink to the L3 switch: a trunk with native VLAN 10, and VLANs 10 and 11 allowed.

    - 1/1-3 are used to connect devices like access points. These ports are access ports, VLAN 10.

    - VLAN 10 is the Management VLAN, and 11 is a VLAN used for the SSID.

    What I don't fully understand is why we use the same VLAN as both the access VLAN and the native VLAN.

    Also, I thought that the native VLAN should not be used for security reasons, but Aruba uses it.

    Thanks a lot,



  • 2.  RE: native vlan in MBC course - LAB

    EMPLOYEE
    Posted May 02, 2015 09:55 PM

    I am sure it is just a design choice.  There are some people that do it the opposite way and it would work either way.  The course is probably focused more on a task, rather than network design security.



  • 3.  RE: native vlan in MBC course - LAB

    Posted May 03, 2015 01:59 PM

    Thanks Colin.

    Indeed, this is related to the LAB itself. However, I don't really like it and it should not be like that. Native VLAN utilization should be avoided as much as possible. I would rather tag the traffic (VLAN 10, following the example) on the controller's 1/0 uplink to the L3 switch.

    I wonder what would happen if we tag it. From my perspective, the whole MBC lab would work in exactly the same way. The VLAN 10 broadcast domain ends up on the L3 switch.

     

     



  • 4.  RE: native vlan in MBC course - LAB
    Best Answer

    EMPLOYEE
    Posted May 03, 2015 02:13 PM

    @Josu wrote:

    Thanks Colin.

    Indeed, this is related to the LAB itself. However, I don't really like it and it should not be like that. Native VLAN utilization should be avoided as much as possible. I would rather tag the traffic (VLAN 10, following the example) on the controller's 1/0 uplink to the L3 switch.

    I wonder what would happen if we tag it. From my perspective, the whole MBC lab would work in exactly the same way. The VLAN 10 broadcast domain ends up on the L3 switch.

     

     


    Josu,

     

    There is enough flexibility here so that you can configure the equipment based on YOUR specific standard, and still achieve your goal.  Just knowing what it takes to configure the basics allows you to do anything else you want after that.



  • 5.  RE: native vlan in MBC course - LAB

    Posted May 02, 2015 10:50 PM

    Performance-wise it is fine to mix access and native on the same VLAN.  Direct links to APs are generally access mode unless you are doing split-tunnel/bridging, because they do not send tagged traffic otherwise.

    As far as security problems with native VLANs, I assume you are referring to double-tagging VLAN hopping?  It depends on the network equipment... I would expect most modern equipment behaves sanely and will drop A) all tagged frames received on access-mode ports and B) any tagged frames bearing the same tag as the native VLAN on VLANned ports.  This is enough protection for most configurations, where the native VLAN is the same across all tagged ports.

    When you have hosts connected via VLANned ports there may be less protection on some equipment, and in that case you may want to restrict the use of the native VLAN, but this can get complicated -- some vendors rely on tagging all traffic (they only pretend to have a native VLAN) for security, other vendors insist that all native VLAN traffic must be untagged.  They are both valid security models but are incompatible with each other, and if you have this mix then you have to take care to configure things carefully.

    Disclaimer: I haven't had time yet to personally verify that the controllers and MAS are watertight in this respect.

     



  • 6.  RE: native vlan in MBC course - LAB

    Posted May 03, 2015 02:08 PM

    Thanks Bjulin,

    Yup, double tagging attacks are a concern. Furthermore, if we have a mismatch on our native VLAN, just because of this mismatch, we are already leveraging inter-VLAN hopping (without a router), or triggering Layer 2 loops.

    Certain vendors tag all the traffic, that is great, but it is a mess in the field :)



  • 7.  RE: native vlan in MBC course - LAB

    Posted May 04, 2015 02:09 PM

    We hear your point and thank you. But remember this is an MBC course on configuring WLAN on Aruba controllers, not an IP course. We have a simple IP structure. VLAN 10 is the management VLAN and we put it on all ports. We use VLAN 11 for WLAN employee and VLAN 13 for Guest. We then trunk port 0.

    The MBC is already a heavy course with all the Aruba options.

    Also we need these labs to work on 20 PODs (12 controllers each). Keep it simple.

     



  • 8.  RE: native vlan in MBC course - LAB

    Posted May 04, 2015 03:22 PM
    Thanks for your interest Lbanville :)