Wireless Access

Hi for reference,

it is not recommended to have an APs dedicated VLAN

the reason  is below .

 

Well, there are other ways to hunt rogues than to have APs out on client VLANs so we feel OK in ignoring that precious gem of "advice."

 

Why they think 802.1x wired would prevent one from doing so if they wanted to is the most peculiar part of that statement, actually.

 

It also just makes a lot of sense from an edge configuration standpoint. There is no technical need/requirement for an AP VLAN.


Thanks,
Tim

 

Sure there is.  Not having to install ACLs on all your switchports to keep clients out of the telnet port when you have to debug the APs, to start with.  Not everyone gets to run on an end-to-end integrated policy framework.

 

Disable telnet on the APs?

>> keep clients out of the telnet port when you have to debug the APs, to start with. 

                                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 

Seriously, though, why would you want your clients to be able to talk directly to APs, ever?  That's just an invitation to trouble.

 

 

They're hardened. There's not much you can do to them.

 

Yeah and fairies live on dandelions.  A properly "hardened" device doesn't support telnet in the first place.  Period.  So I don't think the OP advice is sound.  People should plumb alternate ways to check for rogues if they need to.