Wireless Access

Occasional Contributor I
Posts: 7
Registered: ‎01-26-2015

native vlan in MBC course - LAB

Hi guys

 

In the Aruba MBC course, VLAN X0 (10 in our example) is an untagged VLAN, the management VLAN.

The Aruba 3200 controller has 4 interfaces, 1/0-3.

- 1/0 is the uplink to the L3 switch: a trunk with native VLAN 10 and allowed VLANs 10,11.

- 1/1-3 are used to connect devices like access points. These ports are access ports, VLAN 10.

- VLAN 10 is the management VLAN, and 11 is a VLAN used for the SSID.

 

What I don't fully understand is why we use the same VLAN as both the access and the native VLAN.

Also, I thought that the native VLAN should not be used for security reasons, but Aruba uses it.

 

 Thanks a lot,

Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: native vlan in MBC course - LAB


I am sure it is just a design choice.  There are some people that do it the opposite way and it would work either way.  The course is probably focused more on a task, rather than network design security.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor I
Posts: 274
Registered: ‎04-04-2014

Re: native vlan in MBC course - LAB

 

Performance-wise it is fine to mix access and native on the same VLAN.  Direct links to APs are generally access mode unless you are doing split-tunnel/bridging, because they do not send tagged traffic otherwise.

 

As far as security problems with native VLANs, I assume you are referring to double-tagging VLAN hopping?  It depends on the network equipment... I would expect most modern equipment behaves sanely and will drop A) all tagged frames received on access-mode ports and B) any tagged frames bearing the same tag as the native VLAN on VLANned ports.  This is enough protection for most configurations, where the native VLAN is the same across all tagged ports.

 

When you have hosts connected via VLANned ports there may be less protection on some equipment, and in that case you may want to restrict the use of the native VLAN, but this can get complicated -- some vendors rely on tagging all traffic (they only pretend to have a native VLAN) for security, other vendors insist that all native VLAN traffic must be untagged.  They are both valid security models but are incompatible with each other, and if you have this mix then you have to take care to configure things carefully.

 

Disclaimer: I haven't had time yet to personally verify that the controllers and MAS are watertight in this respect.

 

Occasional Contributor I
Posts: 7
Registered: ‎01-26-2015

Re: native vlan in MBC course - LAB

Thanks Colin.

 

Indeed this is related to the lab itself. However, I don't really like it, and it should not be like that. Native VLAN utilization should be avoided as much as possible. I would rather tag the traffic (VLAN 10, following the example) on the controller 1/0 uplink to the L3 switch.

 

I wonder what would happen if we tag it. From my perspective, the whole MBC lab would work exactly the same way. The VLAN 10 broadcast domain ends up on the L3 switch.

 

 

Occasional Contributor I
Posts: 7
Registered: ‎01-26-2015

Re: native vlan in MBC course - LAB

Thanks Bjulin,

 

Yup, double-tagging attacks are a concern. Furthermore, if we have a mismatch on our native VLAN, just because of this mismatch, we are already leveraging inter-VLAN hopping (without a router), or triggering Layer 2 loops.

 

Certain vendors tag all the traffic, that is great, but it is a mess in the field :)

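The double-tagging hop and the two switch checks described in bjulin's post above, the tagged-uplink alternative Josu asks about, and the native-VLAN mismatch mentioned in this post, as an added example that is not part of this thread and not Aruba code: a small Python model of 802.1Q ingress and egress on two switches joined by trunk 1/0. The switch behaviour (a `strict` flag for the two drop rules, a `tag_native` flag for "tag everything" gear), the port names, the MAC addresses and the dummy native VLAN 999 are assumptions made for illustration; VLANs 10 and 11 come from the lab.

```python
"""Model of 802.1Q handling on a trunk between two switches (hypothetical gear, not vendor code).
Shows: double-tag VLAN hopping on lax vs strict switches, why tagging the management VLAN
on the uplink defeats it, and how a native-VLAN mismatch leaks untagged traffic."""
import struct

TPID = 0x8100                      # 802.1Q tag protocol identifier
MGMT, WLAN, UNUSED = 10, 11, 999   # lab VLANs 10/11; 999 is an assumed dummy native VLAN


def build_frame(vids, payload=b"data"):
    """Ethernet II frame with stacked 802.1Q tags, outermost first (MACs are constructed)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("02aabbccddee")
    for vid in vids:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload


def pop_tag(frame):
    """Return (outer VID, frame with that tag removed), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


class Switch:
    """strict=True drops tagged frames on access ports (rule A) and frames tagged with the
    native VID on trunks (rule B); strict=False models lax gear that accepts both."""

    def __init__(self, strict=True):
        self.strict, self.ports = strict, {}

    def access(self, name, vlan):
        self.ports[name] = dict(mode="access", vlan=vlan)

    def trunk(self, name, native, allowed, tag_native=False):
        self.ports[name] = dict(mode="trunk", native=native, allowed=set(allowed) | {native},
                                tag_native=tag_native)

    def ingress(self, name, frame):
        """Classify a received frame: (vlan, frame without the consumed tag) or None if dropped."""
        p, (vid, inner) = self.ports[name], pop_tag(frame)
        if p["mode"] == "access":
            if vid is None:
                return p["vlan"], frame
            return None if (self.strict or vid != p["vlan"]) else (vid, inner)  # rule A
        if vid is None:                      # untagged on a trunk -> native VLAN
            return None if p["tag_native"] else (p["native"], frame)
        if vid not in p["allowed"]:
            return None
        if vid == p["native"] and self.strict and not p["tag_native"]:
            return None                      # rule B: native VID must arrive untagged
        return vid, inner

    def egress(self, name, vlan, frame):
        """Put a classified frame on the wire out of a port: on-wire frame or None if not allowed."""
        p = self.ports[name]
        if p["mode"] == "access":
            return frame if vlan == p["vlan"] else None
        if vlan not in p["allowed"]:
            return None
        if vlan == p["native"] and not p["tag_native"]:
            return frame                     # native VLAN leaves untagged: the hop's key step
        return push_tag(frame, vlan)


def deliver(sw_a, in_port, sw_b, frame):
    """Frame enters sw_a on in_port, crosses uplink 1/0 to sw_b; return the VLAN it lands in."""
    r = sw_a.ingress(in_port, frame)
    wire = None if r is None else sw_a.egress("1/0", *r)
    r = None if wire is None else sw_b.ingress("1/0", wire)
    return None if r is None else r[0]


def lab_pair(strict=True, native=MGMT, tag_native=False, native_b=None):
    """Two switches joined by trunk 1/0; 1/1 is an access port in VLAN 10 (AP or attacker),
    1/2 a trunk-mode host port (the 'hosts on VLANned ports' case)."""
    a, b = Switch(strict), Switch(strict)
    a.access("1/1", MGMT)
    a.trunk("1/2", native, {MGMT, WLAN}, tag_native)
    a.trunk("1/0", native, {MGMT, WLAN}, tag_native)
    b.trunk("1/0", native if native_b is None else native_b, {MGMT, WLAN}, tag_native)
    return a, b


def double_tag_hop(strict, native=MGMT, tag_native=False, port="1/1"):
    """Attacker in VLAN 10 sends outer tag 10 / inner tag 11; returns VLAN reached on switch B."""
    a, b = lab_pair(strict, native, tag_native)
    return deliver(a, port, b, build_frame([MGMT, WLAN]))


def ap_mgmt_frame(native=MGMT):
    """An AP's untagged frame on access port 1/1; native or tagged uplink gives the same result."""
    a, b = lab_pair(True, native)
    return deliver(a, "1/1", b, build_frame([]))


def native_mismatch():
    """Uplink native 10 on one end and 20 on the other: untagged VLAN 10 traffic lands in VLAN 20."""
    a, b = lab_pair(True, MGMT, native_b=20)
    return deliver(a, "1/1", b, build_frame([]))


if __name__ == "__main__":
    print("lax, native 10, access attacker:", double_tag_hop(False))            # 11: hopped
    print("strict, native 10, access attacker:", double_tag_hop(True))          # None: rule A
    print("lax, native 10, trunk attacker:", double_tag_hop(False, port="1/2"))  # 11: hopped
    print("strict, native 10, trunk attacker:", double_tag_hop(True, port="1/2"))  # None: rule B
    print("lax, VLAN 10 tagged on uplink:", double_tag_hop(False, UNUSED))      # 10: no hop
    print("lax, all VLANs tagged:", double_tag_hop(False, MGMT, True))          # 10: no hop
    print("AP frame, native / tagged uplink:", ap_mgmt_frame(), ap_mgmt_frame(UNUSED))  # 10 10
    print("native mismatch:", native_mismatch())                                # 20: leaked
```

The two rows that matter for the lab question are `ap_mgmt_frame()` and `ap_mgmt_frame(UNUSED)`: the AP's untagged management frame reaches the far switch in VLAN 10 whether 10 is the native VLAN of the uplink or tagged there, while the hop only succeeds when VLAN 10 leaves the uplink untagged on gear that skips rules A and B.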
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: native vlan in MBC course - LAB


Josu wrote:

Thanks Colin.

 

Indeed this is related to the lab itself. However, I don't really like it, and it should not be like that. Native VLAN utilization should be avoided as much as possible. I would rather tag the traffic (VLAN 10, following the example) on the controller 1/0 uplink to the L3 switch.

 

I wonder what would happen if we tag it. From my perspective, the whole MBC lab would work exactly the same way. The VLAN 10 broadcast domain ends up on the L3 switch.

 

 


Josu,

 

There is enough flexibility here so that you can configure the equipment based on YOUR specific standard, and still achieve your goal.  Just knowing what it takes to configure the basics allows you to do anything else you want after that.



Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 1
Registered: ‎04-07-2007

Re: native vlan in MBC course - LAB

We hear your point and thank you. But remember this is an MBC course on configuring WLAN on Aruba controllers, not an IP course. We have a simple IP structure. VLAN 10 is the management VLAN and we put it on all ports. We use VLAN 11 for WLAN employee and VLAN 13 for Guest. We then trunk port 0.

The MBC is already a heavy course with all the Aruba options.

Also we need these labs to work on 20 PODs (12 controllers each). Keep it simple.

 

Occasional Contributor I
Posts: 7
Registered: ‎01-26-2015

Re: native vlan in MBC course - LAB

Thanks for your interest Lbanville :)