I created the following Wireless config:
Port 0 - the Access Points (DHCP). Port is trusted.
Port 1 - Trunk to the switch with 6 vlans. Port is trusted.
VAPs - 6 SSIDs, each has a vlan which is in the trunk.
Port 14 - access vlan 1 (for management)
I haven't defined any ACLs or firewall policies.
Q1: All the vlans in port 1 are untrusted. I could not get a clear understanding of what trusted vs. non-trusted means if I use L2 only. Seems like if I use L2 only, there is no difference or impact if the vlan is trusted or not. Is that so? In other words, if all vlans in the trunk port are non-trusted, does it have any negative impact or concerns?
Q2: I see in the client list clients for the wireless, wired and internet as well (e.g. cloud and Akamai). What does it mean? Is it just a nice bonus that the controller shows info of all clients it can discover, or does it try to do something with that traffic?
Q3: I use port 14 as a mgmt port. It is connected to an access port with a static IP. Are there any other concerns or BKMs?
Untrusted for the port/vlan status means traffic coming into that interface should be authenticated and/or treated as a firewall user. The controller then can apply an AAA policy to authenticate untrusted users via MAC auth, captive portal, or EAP/802.1X and consequently place the user(s) and their associated traffic into a role.
You mentioned in Q2 that you're seeing Internet resources like cloud and akamai showing up as clients. From the topology you described, it sounds as though your Internet uplink is one of those 6 vlans on port 1 which is why the controller sees them as users.
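To make the untrusted-port behaviour described above concrete, here is an added configuration sketch (not from the original thread or from Aruba documentation). It assumes ArubaOS 6-style CLI syntax, a RADIUS server at 10.10.0.5 (a hypothetical address), and two illustrative VLANs (10 and 20) on the trunk port; the profile names, server name and key are placeholders, and the exact commands should be checked against the command reference for the controller's software version. The point it shows is that marking a trunk VLAN untrusted only matters once an AAA profile is bound to wired traffic: each new MAC address arriving on an untrusted VLAN then lands in the initial role and is MAC-authenticated against the server group before it is moved to the authenticated role. The management VLAN on port 14 is left trusted so the controller never tries to authenticate the admin workstation.

```text
! Assumed ArubaOS 6-style configuration; names and addresses are placeholders.
! RADIUS server and server group used for MAC authentication.
aaa authentication-server radius "rad1"
  host 10.10.0.5
  key "replace-with-shared-secret"
  exit
aaa server-group "sg-wired"
  auth-server "rad1"
  exit

! MAC auth profile and the AAA profile that ties initial role, auth method and server group together.
aaa authentication mac "macauth-wired"
  exit
aaa profile "aaa-wired-untrusted"
  initial-role "logon"
  authentication-mac "macauth-wired"
  mac-server-group "sg-wired"
  mac-default-role "authenticated"
  exit

! Bind the AAA profile to wired (port/VLAN) traffic.
aaa authentication wired
  profile "aaa-wired-untrusted"
  exit

! Trunk to the switch: port and the user VLANs carried on it are untrusted,
! so every new MAC seen on VLAN 10 or 20 is authenticated and role-assigned.
interface gigabitethernet 0/0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  no trusted
  no trusted vlan 10,20
  exit

! Management port stays trusted: no AAA is applied to the admin workstation.
interface gigabitethernet 0/0/14
  switchport mode access
  switchport access vlan 1
  trusted
  exit
```

With the trunk VLANs trusted instead (`trusted vlan 10,20`), the same AAA profile would never be consulted for those VLANs and the controller would simply bridge the traffic, which is the "no difference at L2" behaviour the question asks about; the difference appears only when an AAA profile is in play.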
Thank you Charlie. I think that the trusted feature is relevant only if I terminate the authentication at the controller. If I use RADIUS, trusted has no effect. Correct?
Regarding the uplink - my uplink is disabled:
uplink wired vlan 1 priority 1
But the connected vlans do see the internet. So I guess the Aruba controller shows all the "clients" it can see anywhere.
Negative. If you want to apply an AAA policy to a port/vlan, the port needs to be untrusted. If you don't want to auth/AAA each MAC address that comes through the port, then the port needs to be trusted.
Once you've determined that you intend to do auth/AAA, then from there you can decide whether to add RADIUS or other external auth sources.
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.