Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points and mobility controllers.

Placing APs on their own VLAN?

  • 1.  Placing APs on their own VLAN?

    Posted Apr 10, 2018 10:52 AM

    I am in the process of tightening up our local network VLANs and subnets in order to place physical firewalls (sandwich) between some of our core network services (AD, DNS, etc.).

     

    I am wondering about moving our APs to their own VLAN as well. This would be a non-routed VLAN and would end up being tagged on the controller side. I could not find anything on this topic, so I was wondering about the pros/cons of doing this.



  • 2.  RE: Placing APs on their own VLAN?
    Best Answer

    Posted Apr 10, 2018 11:35 AM

    You can put APs on their own VLAN, but don't place a firewall between the access points and the controller. You will increase your administrative burden if you do. There are quite a few ports that need to be opened in a few directions with that setup. In addition, if requirements ever change, you would have to edit more rules on your firewall.



  • 3.  RE: Placing APs on their own VLAN?

    Posted Apr 10, 2018 11:41 AM

    Excellent! I was not planning on putting a physical firewall between the APs and the controller; it would be like so:

     

    [Controller] (T Port) <==> [Tagged VLAN] Switch [Untagged VLAN] <==> [AP]



  • 4.  RE: Placing APs on their own VLAN?

    Posted Apr 10, 2018 11:58 AM
    That looks good.


  • 5.  RE: Placing APs on their own VLAN?

    Posted Apr 10, 2018 11:59 AM

    Is there any downside to doing this?  I was having a hard time determining "best practice" here...



  • 6.  RE: Placing APs on their own VLAN?

    Posted Apr 10, 2018 12:33 PM

    I'm looking forward to the responses to this question. Personally I run the APs in a VLAN which also houses end-users. Is there a performance benefit to be had by placing APs in a quieter VLAN?

    One thing to keep in mind is that your APs most likely GRE tunnel back to the controller. From that perspective your traffic is fairly secure. A user in the same VLAN as the AP would not have the opportunity to intercept the L2 traffic.



  • 7.  RE: Placing APs on their own VLAN?

    Posted Apr 10, 2018 12:54 PM

    TBH a lot of this is simply my want to have a nicer looking network diagram with everything in their neat little boxes ;)



  • 8.  RE: Placing APs on their own VLAN?

    Posted Apr 10, 2018 01:21 PM

    No drawbacks to putting access points in their own VLAN. No problems putting access points in user space either, because Rogue AP detection works better when the APs are in the same layer 2 VLAN. In terms of broadcasts, it is more important to protect the management VLAN interfaces of controllers from a lot of broadcasts, because you don't want things like VRRP advertisements to be throttled, dropped and missed.



  • 9.  RE: Placing APs on their own VLAN?

    Posted Apr 10, 2018 01:22 PM

    "don't want things like VRRP advertisements to be throttled, dropped and missed."

     

    Never even thought about that aspect. This forum is an awesome learning tool!!!