Controller VLAN IP on same VLAN/subnet as APs - anything to watch out for?

  • 1.  Controller VLAN IP on same VLAN/subnet as APs - anything to watch out for?

    Posted Sep 16, 2022 01:46 PM
    We have a pair of 7210 controllers (aka MDs) and a virtual MM. Controllers are running 8.10.0.1.

    We currently have our APs on two VLANs (call them A and B), and our controllers have management IPs on VLAN C. Traffic to the APs is routed via the management IP using the default route set in the controllers. We would like to add VLAN IPs on VLANs A and B on the controllers so traffic doesn't have to be switched at the core, and so that production traffic is separate from AP - controller traffic. I would assume once we create these IPs, the IP stack on the controller would begin sending packets destined for APs from the new VLAN IPs. Is this a safe assumption? Is there anything we should keep in mind while making this change?


  • 2.  RE: Controller VLAN IP on same VLAN/subnet as APs - anything to watch out for?

    EMPLOYEE
    Posted Sep 16, 2022 02:08 PM
    You will always want the controllers to be on the smallest broadcast domain possible to maintain and improve performance. If you have a choice, keep the access points, clients and controller on different subnets. Of course you need to trunk the client VLANs to the controller, but do not put IP addresses on the client VLANs on the controller, unless you have a captive portal.

    EDIT: If it didn't make it clear, there are no problems with having traffic routed at the core.
    EDIT#2: If you put an additional IP address on a controller and the access points discover the controller on that IP address, the access points will be redirected to the controller IP and that is the IP address that the controller will use to communicate with the access point. You would have to change the "controller-ip" to the new IP address for the controller to only communicate on that new IP address.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Controller VLAN IP on same VLAN/subnet as APs - anything to watch out for?

    Posted Sep 16, 2022 02:57 PM
    This is great - thanks cjoseph. I had not been aware of the 'controller-ip' command. Once I change the 'controller-ip', will I be able to access the web interface from another VLAN IP configured on the controller? The documentation implies this but doesn't explicitly say it: https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=9c691018-850c-4829-869c-4da409f07125.

    To clarify: my main motivation is to separate management traffic from AP-controller traffic.

    Thanks again.


  • 4.  RE: Controller VLAN IP on same VLAN/subnet as APs - anything to watch out for?

    EMPLOYEE
    Posted Sep 16, 2022 03:10 PM
    You can access the controller on any interface that you define on the controller that has an IP address on it that is reachable. For access points, they will only be able to communicate to/from the controller-ip.




  • 5.  RE: Controller VLAN IP on same VLAN/subnet as APs - anything to watch out for?

    Posted Sep 16, 2022 03:20 PM
    Understood. Thanks again!