Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Wireless controller networking, trunk, trusted vs non trusted vlans

  • 1.  Wireless controller networking, trunk, trusted vs non trusted vlans

    Posted Apr 02, 2018 05:45 PM

    I created the following Wireless config:

    Port 0 - the Access Points (DHCP). Port is trusted.

    Port 1 - Trunk to the switch with 6 vlans. Port is trusted. 

    VAPs - 6 SSIDs, each has a vlan which is in the trunk. 

    Port 14 - access vlan 1 (for management)

    I haven't defined any ACLs or firewall policies.

    Q1: All the vlans in port 1 are untrusted. I could not get a clear understanding of what trusted vs non trusted mean if I use L2 only. Seems like if I use L2 only, there is no difference or impact if the vlan is trusted or not. Is that so?
    In other words, if all vlans in the trunk port are non trusted, does it have any negative impact or concerns?

     

    Q2: I see in the client list clients for the wireless, wired and internet as well (e.g. cloud and akamai). What does it mean? Is it just a nice bonus that the controller shows info of all clients it can discover, or does it try to do something with that traffic?

    Q3: I use port 14 as a mgmt port. It is connected to an access port with a static IP. Are there any other concerns or BKMs?



  • 2.  RE: Wireless controller networking, trunk, trusted vs non trusted vlans

    Posted Apr 02, 2018 06:00 PM

    Untrusted for the port/vlan status means traffic coming into that interface should be authenticated and/or treated as a firewall user. The controller then can apply an aaa policy to authenticate untrusted users via mac auth, captive portal, or eap/802.1X and consequently place the user(s) and their associated traffic into a role.

    You mentioned in Q2 that you're seeing Internet resources like cloud and akamai showing up as clients. From the topology you described, it sounds as though your Internet uplink is one of those 6 vlans on port 1 which is why the controller sees them as users.



  • 3.  RE: Wireless controller networking, trunk, trusted vs non trusted vlans

    Posted Apr 10, 2018 06:22 AM

    Thank you Charlie. I think that the trusted feature is relevant only if I terminate the authentication at the controller. If I use Radius trusted has no effect. Correct?

    Regarding the uplink - my uplink is disabled:

    uplink wired vlan 1 priority 1

    uplink disable

    But the connected vlans do see the internet. So I guess Aruba controller shows all the "clients" it can see anywhere.



  • 4.  RE: Wireless controller networking, trunk, trusted vs non trusted vlans

    Posted Apr 10, 2018 01:18 PM

    Negative. If you want to apply an AAA policy to a port/vlan, the port needs to be untrusted. If you don't want to auth/AAA each mac address that comes through the port, then the port needs to be trusted.

    Once you've determined that you intend to do auth/AAA, then from there you can decide whether to add radius or other external auth sources.
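As an added illustration of the trusted/untrusted distinction described in the last reply (this is not configuration posted by anyone in the thread), the fragment below shows an ArubaOS controller trunk similar to the one in the original post: the port itself is trusted, one VLAN is left trusted so the controller applies no AAA policy to the MACs it sees there, and a second VLAN is made untrusted and tied to a wired AAA profile with a RADIUS server group, so every MAC arriving on it is treated as a firewall user and placed into a role after 802.1X. The interface number, VLAN IDs, profile, role and server names and the 192.0.2.10 address are assumptions chosen for the example; lines beginning with `!` are explanatory comments, not commands.

```text
! Added example configuration (not from the thread). Interface, VLAN IDs,
! profile/role/server names and addresses are assumed for illustration.

! Trunk to the switch, trusted at port level as in the original post
interface gigabitethernet 0/0/1
  description "Trunk to core switch"
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  trusted
  ! VLAN 10: no per-MAC authentication wanted, so it stays trusted
  trusted vlan 10
  ! VLAN 20: should be authenticated by the controller, so it is made
  ! untrusted; its clients are now subject to the wired AAA profile below
  no trusted vlan 20
!
! External RADIUS server and server group used for the authentication
aaa authentication-server radius "radius-1"
  host 192.0.2.10
  key <shared-secret-placeholder>
!
aaa server-group "radius-servers"
  auth-server "radius-1"
!
! Role that authenticated users on VLAN 20 are placed into
user-role wired-authenticated
  access-list session allowall
!
! AAA profile: users start in the logon role and move to the
! authenticated role after successful 802.1X against the RADIUS group
aaa profile "wired-aaa"
  initial-role logon
  authentication-dot1x "default"
  dot1x-default-role "wired-authenticated"
  dot1x-server-group "radius-servers"
!
! Apply the profile to wired (untrusted) ports and VLANs
aaa authentication wired
  profile "wired-aaa"
```

The point to take from the example is the one the reply makes: trust is what decides whether the controller enforces a AAA policy at all, and only once a VLAN is untrusted does the choice of authentication source (local, RADIUS, captive portal, MAC auth) come into play. Leaving the trunk VLANs untrusted without any AAA profile, as in the original post, means the controller would treat each MAC as an unauthenticated user rather than simply bridging it.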