Cloud Managed Networks

Hello.

I am in the process of setting up a new network.

We have quite a few access switches places around the site which primarly is for access points.

We have created a new "management" subnet and vlan so we dont use the default.

My initial thought was that we set the ports for the access points as trunk ports with native vlan 5 (the new management vlan).

By doing it that way every new access point we connect to those ports will automatically join the cluster.

Which is working very good.

One thing Im worried about though is if someone disconnects one access points and connects into the port with a computer the computer is automatically inside the management vlan (this is not good) since we have dhcp activated (for the easyness of provisioning new access points)

What Im wondering about is this: Is there someway to create port authentication on the ports so only the whitelistet mac-addresses can communicate?

We are not using any kind of radius or clearpass here.

Or could we maybe set some kind of dynamic native vlan on the ports? if mac-address equals the access point native vlan 5, else native vlan 20 (guest)

Hope someone have an easy (or hard) fix for this issue.

Best Regards

That depends on the type of switches that you have. With AOS-CX and ArubaOS-Switch you should be able to do this with device-profile or better with ClearPass (which you mentioned you don't have). For other brands/types of switches there may be similar functionality.

Hello.

I am in the process of setting up a new network.

We have quite a few access switches places around the site which primarly is for access points.

We have created a new "management" subnet and vlan so we dont use the default.

My initial thought was that we set the ports for the access points as trunk ports with native vlan 5 (the new management vlan).

By doing it that way every new access point we connect to those ports will automatically join the cluster.

Which is working very good.

One thing Im worried about though is if someone disconnects one access points and connects into the port with a computer the computer is automatically inside the management vlan (this is not good) since we have dhcp activated (for the easyness of provisioning new access points)

What Im wondering about is this: Is there someway to create port authentication on the ports so only the whitelistet mac-addresses can communicate?

We are not using any kind of radius or clearpass here.

Or could we maybe set some kind of dynamic native vlan on the ports? if mac-address equals the access point native vlan 5, else native vlan 20 (guest)

Hope someone have an easy (or hard) fix for this issue.

Best Regards

All the switches are 6100cx switches.

I will look into device-profile to check if its possible.

Thank you

That depends on the type of switches that you have. With AOS-CX and ArubaOS-Switch you should be able to do this with device-profile or better with ClearPass (which you mentioned you don't have). For other brands/types of switches there may be similar functionality.

Hello.

I am in the process of setting up a new network.

We have quite a few access switches places around the site which primarly is for access points.

We have created a new "management" subnet and vlan so we dont use the default.

My initial thought was that we set the ports for the access points as trunk ports with native vlan 5 (the new management vlan).

By doing it that way every new access point we connect to those ports will automatically join the cluster.

Which is working very good.

One thing Im worried about though is if someone disconnects one access points and connects into the port with a computer the computer is automatically inside the management vlan (this is not good) since we have dhcp activated (for the easyness of provisioning new access points)

What Im wondering about is this: Is there someway to create port authentication on the ports so only the whitelistet mac-addresses can communicate?

We are not using any kind of radius or clearpass here.

Or could we maybe set some kind of dynamic native vlan on the ports? if mac-address equals the access point native vlan 5, else native vlan 20 (guest)

Hope someone have an easy (or hard) fix for this issue.

Best Regards

for using Device profiles for CX switches. check this tutorial 

All the switches are 6100cx switches.

I will look into device-profile to check if its possible.

Thank you

That depends on the type of switches that you have. With AOS-CX and ArubaOS-Switch you should be able to do this with device-profile or better with ClearPass (which you mentioned you don't have). For other brands/types of switches there may be similar functionality.

Hello.

I am in the process of setting up a new network.

We have quite a few access switches places around the site which primarly is for access points.

We have created a new "management" subnet and vlan so we dont use the default.

My initial thought was that we set the ports for the access points as trunk ports with native vlan 5 (the new management vlan).

By doing it that way every new access point we connect to those ports will automatically join the cluster.

Which is working very good.

One thing Im worried about though is if someone disconnects one access points and connects into the port with a computer the computer is automatically inside the management vlan (this is not good) since we have dhcp activated (for the easyness of provisioning new access points)

What Im wondering about is this: Is there someway to create port authentication on the ports so only the whitelistet mac-addresses can communicate?

We are not using any kind of radius or clearpass here.

Or could we maybe set some kind of dynamic native vlan on the ports? if mac-address equals the access point native vlan 5, else native vlan 20 (guest)

Hope someone have an easy (or hard) fix for this issue.

Best Regards