Aruba Instant - Is VLAN hopping possible and other layer 2 security risks
08-04-2020 10:37 PM
Just looking to understand a concept for an Instant AP setup around layer 2 security or VLAN hopping.
The requirement is a corporate WLAN and a guest WLAN, with no multizone controller etc. to tunnel traffic. So both services will terminate onto the edge switch into VLANs.
The Instant AP connects to the switch, with the port configured as a trunk allowing the corporate VLAN and guest VLAN, and the native VLAN used for AP management.
There are two options with VLAN hopping: default ports on Cisco, for instance, that allow DTP to establish a trunk link... but that's if you connect a device to the wired port. The other is to do VLAN tagging like QinQ using the native VLAN; the switch strips off the native VLAN and you're left with the tagged traffic... again, if you plug a device into a switch.
I suppose my question is: is VLAN hopping a concern for wireless? I don't think the access point will accept tagged packets from wireless clients, and I'm not finding much around VLAN hopping on wireless when searching. Also, are there any other layer 2 attacks that could be a concern for this setup, or a valid reason to tunnel guest traffic to a DMZ? Layer 3 can be resolved with the built-in firewalls as well as the campus firewall.
Thanks very much in advance
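The double-tagging pattern the post describes (an outer 802.1Q tag matching the native VLAN, which the switch strips, leaving an inner tag) is easy to spot at the frame level. The decoder below is an added example, not code from the post or from Aruba; it parses the 802.1Q/802.1ad tag stack of a raw Ethernet frame and flags any tagged frame seen on a client-facing segment, where a double tag with the native VLAN outermost is the case to alert on. The MAC addresses and frames are constructed sample data.

```python
"""Decode 802.1Q / 802.1ad tag stacks on a raw Ethernet frame and flag the
native-VLAN double-tagging pattern on a client-facing (access) segment."""
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}  # tag protocol identifiers


def parse_vlan_tags(frame: bytes):
    """Return ([(tpid, vid), ...], final_ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tags = []
    offset = 12  # EtherType/TPID follows the 6-byte dst and src MACs
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tpid = ethertype
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits), then the next EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
    return tags, ethertype


def classify(frame: bytes, native_vlan: int) -> str:
    """Verdict for a frame received from a client-facing port.

    Clients should never send tags at all, so any tag is reportable; two
    tags with the native VLAN outermost is the double-tagging pattern."""
    tags, _ = parse_vlan_tags(frame)
    if not tags:
        return "ok"
    if len(tags) >= 2 and tags[0][1] == native_vlan:
        return "double-tagged"
    return "tagged"


# Constructed sample frames (placeholder MACs, minimal IPv4 payload).
DST = bytes.fromhex("000000000001")
SRC = bytes.fromhex("000000000002")
IPV4 = b"\x08\x00" + b"\x45" + b"\x00" * 19


def tag(tpid: int, vid: int) -> bytes:
    return struct.pack("!HH", tpid, vid & 0x0FFF)


UNTAGGED = DST + SRC + IPV4
SINGLE = DST + SRC + tag(0x8100, 10) + IPV4
DOUBLE = DST + SRC + tag(0x8100, 1) + tag(0x8100, 20) + IPV4  # native VLAN 1 outer

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE), ("double", DOUBLE)):
        print(name, parse_vlan_tags(f), classify(f, native_vlan=1))
```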