Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Air Monitor Best Practice

  • 1.  Air Monitor Best Practice

    Posted Mar 20, 2019 04:31 AM

    Hello everybody,

    Can you give me some information about good practices regarding Air Monitor installation?

    From this thread (from 2013): https://community.arubanetworks.com/t5/Wireless-Access/Installing-Air-Monitors/td-p/14587

    It seems that only one AM needs to have all VLANs trunked to it.

    Is it still relevant to do so?

    Regards



  • 2.  RE: Air Monitor Best Practice
    Best Answer

    MVP EXPERT
    Posted Mar 20, 2019 04:57 AM

    Hi, if the Air Monitor is able to see a rogue AP on a VLAN different to the one it resides on then it will require the VLAN to be trunked. The Air Monitor would not be able to correlate a wired and wireless rogue AP unless it has visibility into the VLAN.



  • 3.  RE: Air Monitor Best Practice

    EMPLOYEE
    Posted Mar 20, 2019 06:09 AM

    Also, it's best practice, if the intent is to monitor all VLANs, to not trunk all VLANs on just a single AM for monitoring, but to do so for all APs and AMs. A single AP is not scaled to listen to the entire L2 broadcasts of ALL VLANs on a large enterprise network, which can have thousands to tens of thousands of devices ARPing on all the VLANs. Best practice is to trunk all VLANs at the edge switch the AP or AM is connected to. That way all the VLANs are divided up and the AMs and APs can share the load more naturally.



  • 4.  RE: Air Monitor Best Practice

    Posted Mar 20, 2019 08:38 AM

    Hi Jerrod,

    Is there any security issue in trunking VLANs on all APs?

    I mean, some of our APs are apparent; we dread that someone could access the entire network by connecting in place of the AP.



  • 5.  RE: Air Monitor Best Practice

    EMPLOYEE
    Posted Mar 20, 2019 06:33 PM

    If securing the physical port is a concern, dynamic segmentation could be one solution. Otherwise, deploy AMs and secure the AP physically.