I am in the process of tightening up our local network VLANs and subnets in order to place physical firewalls (sandwich) between some of our core network services (AD, DNS, etc.).
I am wondering about moving our APs to their own VLAN as well. This would be a non-routed VLAN and would end up being tagged on the controller side. I could not find anything on this topic, so I was wondering about the pros/cons of doing this.
You can put APs on their own VLAN, but don't place a firewall between the access points and the controller. You will increase your administrative burden if you do. There are quite a few ports that need to be opened in a few directions with that setup. In addition, if requirements ever change, you would have to edit more rules on your firewall.
Excellent! I was not planning on putting a physical firewall between the APs and the controller; it would be like so:
[Controller] (T Port) <==> [Tagged VLAN] Switch [Untagged VLAN] <==> [AP]
Is there any downside to doing this? I was having a hard time determining "best practice" here...
I'm looking forward to the responses to this question. Personally I run the APs in a VLAN which also houses end-users. Is there a performance benefit to be had by placing APs in a quieter VLAN?
One thing to keep in mind is that your APs most likely GRE tunnel back to the controller. From that perspective, your traffic is fairly secure. A user in the same VLAN as the AP would not have the opportunity to intercept the L2 traffic.
TBH a lot of this is simply my want to have a nicer looking network diagram with everything in their neat little boxes ;)
No drawbacks to putting access points in their own VLAN. No problems putting access points in user space either, because Rogue AP detection works better when the APs are in the same layer 2 VLAN. In terms of broadcasts, it is more important to protect the management VLAN interfaces of controllers from a lot of broadcasts, because you don't want things like VRRP advertisements to be throttled, dropped and missed.
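As an added example that is not part of this thread or any vendor documentation, here is a Cisco IOS-style switch configuration for the topology drawn earlier in the thread (controller on a tagged trunk, AP on an untagged access port) that also reflects the broadcast point above: the AP VLAN gets no SVI so it stays non-routed, and the controller's management VLAN carries only infrastructure. The VLAN numbers, interface names and the IOS syntax are assumptions; the thread does not name the switch vendor, and the controller trunk still carries the user VLANs because the GRE-tunneled client traffic is dropped onto them at the controller.

```cisco
! Added example (not from the thread): Cisco IOS-style switch config for
! [Controller] (T Port) <==> [Tagged VLAN] Switch [Untagged VLAN] <==> [AP]
! All VLAN IDs and interface names below are assumed placeholders.
!
! VLAN 20  = controller management VLAN (keep it to controllers + switches)
! VLAN 30  = AP-only VLAN, non-routed
! VLAN 100 = example user VLAN, terminated on the controller
vlan 20
 name WLC-MGMT
vlan 30
 name AP-INFRA
vlan 100
 name WIFI-USERS
!
! Deliberately NO "interface Vlan30": the AP VLAN is bridged only, so no
! host outside VLAN 30 can route to the APs' wired side.
!
! Trunk facing the controller: management, AP and user VLANs all tagged.
! The explicit allowed list keeps unrelated VLANs (and their broadcasts)
! off the controller's uplink.
interface GigabitEthernet1/0/1
 description uplink-to-wireless-controller
 switchport mode trunk
 switchport trunk allowed vlan 20,30,100
 switchport nonegotiate
!
! Access port facing an AP: untagged member of VLAN 30 only.
! The AP never sees user VLANs on the wire; client traffic rides the
! GRE tunnel to the controller as unicast.
interface GigabitEthernet1/0/10
 description access-point
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 5.00
!
```

Verification after applying this: `show interfaces trunk` should list VLANs 20, 30 and 100 on the controller uplink, `show vlan brief` should show the AP port as an untagged member of VLAN 30, and `show ip interface brief` should show no Vlan30 interface, which confirms the AP VLAN is not routed.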
"don't want things like VRRP advertisements to be throttled, dropped and missed."
Never even thought about that aspect. This forum is an awesome learning tool!!!