Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Filtering local switched traffic in controller based solution??

  • 1.  Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 07:16 AM

    Hi

     

    I'm new to Aruba (been working with HP MSM for many years), and I'm in the process of converting an MSM customer to Aruba. Due to many factors we wish to create a very simple MSM-like solution where a central controller manages hundreds of APs that are all doing local switching. We do not want, nor have the option of, using tunneling of traffic.

     

    But one major question arises: We have fairly large subnets with a large number of clients, and in MSM I could simply activate a wireless filter that restricted the wireless clients' traffic (including broadcasts) to requests that referred to the default gateway for the client (in effect isolating the client completely in the wired/wireless L2).

    Do I have the same option when running Aruba centrally controlled APs in local switching mode? I know I can using Instant APs, but that's not an option here either due to Instant size limitations.



  • 2.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 07:21 AM

    The short answer is yes.

    At a high level, you would configure a "bridged" Virtual AP, where instead of traffic being tunneled, it will be bridged out the ethernet interface of the AP.  You can decide what VLAN that traffic would be bridged to by entering the VLAN in the Virtual AP.  By default, VLANs besides 1 will be tagged out the interface, so that an access point on a trunk will send traffic to the tagged VLAN.  Lastly, you can configure a role for the user traffic, so that you can apply a firewall policy to the traffic bridged to the wired network that would say what the user traffic is allowed and not allowed to do.

     

    I hope that makes sense.

     



  • 3.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 07:29 AM

    Hi Colin

     

    Okay, that sounds fairly simple, and I assume this user role invokes "firewall"-like filtering directly on the AP, so no per-packet interaction is needed with the controller?

     

    While that firewall sounds like it would fix most of my problems, one does remain. Can I filter broadcasts with this feature as well? I'll need to make absolutely sure broadcasts from a wireless client are not forwarded to all other wireless clients (spread out on several APs in the same L2), as Dropbox, Bonjour and other broadcast-prone crapware will kill the wireless network due to the subnet size we're using.



  • 4.  RE: Filtering local switched traffic in controller based solution??
    Best Answer

    EMPLOYEE
    Posted Nov 25, 2015 07:32 AM

    When a Virtual AP is configured as "bridged" the firewall operates in the access point, yes.

    You can enable broadcast filtering at the Virtual AP level to stop broadcasts from propagating, yes.

     

    You say "with the size of the subnets we have".  How big?



  • 5.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 07:37 AM

    Cool, that sounds exactly like what I need.

     

    Our subnet is a /22 and sometimes we have 1000+ clients online in one of them (all wireless and all filtered so they cannot see anything on L2 but their default gateway).

     

    I'm very impressed by the response speed and detailed help I got here in less than 20 minutes. You guys really rock :-) !!



  • 6.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 07:43 AM

    @Keyser wrote:

    Cool, that sounds exactly like what I need.

    Our subnet is a /22 and sometimes we have 1000+ clients online in one of them (all wireless and all filtered so they cannot see anything on L2 but their default gateway).

    I'm very impressed by the response speed and detailed help I got here in less than 20 minutes. You guys really rock :-) !!


    Keyser,

     

    Let's talk about design.  If you have 1000 clients on a /23, how many access points would you need?  If you have, let's say, 30 access points, you would have to configure and manage a trunk port for each access point every time you deploy an access point.  If you simply tunneled the traffic back to a controller, you would only maintain a single trunk that connects to the controller.  Maintenance, management and deployment would be simpler.

     



  • 7.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 07:45 AM

    Yes, I understand your motivations for looking at a tunneled design, but in this case we have several factors that make that both troublesome and in most cases impossible.



  • 8.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 07:47 AM

    What are those factors?  I just want to make sure that you are not doing more work than you need to.



  • 9.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 07:56 AM

    Hmm, what does the broadcast filtering option include, then? I assume it will filter application broadcasts (Dropbox, Bonjour and so on). But I suspect ARP will be allowed across clients since that is a fundamental IP stack feature? This means clients will be able to discover each other and thereby communicate with each other (since there's no firewall). Is that correct?

     

    Our limitations include but are not limited to:

    1: Thin lines to Data Center

    2: Some locations use local Internet access lines

    3: Advanced individual routing and filtering needs on each location that are already present in the location core switch.

    4: Everything is already set up, and due to man hours and management we need a plug-and-play drop-in solution where we pull out the existing APs and replace them with Aruba.

     



  • 10.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 08:05 AM

    The broadcast filtering option does not require the Policy Enforcement license.  It will drop all traffic besides ARP and DHCP, yes.  Clients will be able to discover and communicate with each other without the firewall license to block them, yes.

     

    Our limitations include but are not limited to:
    1: Thin lines to Data Center
    2: Some locations use local Internet access lines
    3: Advanced individual routing and filtering needs on each location that are already present in the location core switch.
    4: Everything is already set up, and due to man hours and management we need a plug-and-play drop-in solution where we pull out the existing APs and replace them with Aruba.

    1.  Understood.  If you do not have bandwidth to the datacenter and the controller is not onsite, you don't want to tunnel the traffic back. There are situations where, if you have enough access points at a location, you would want a controller there so that a site does not rely on the datacenter for management of those devices.

    2.  If you had a controller at that site, it would be able to provide the advanced routing that you need, including local internet and a guest captive portal, which bridging traffic would not be able to provide; it depends on your need.

    3.  Understood

    4.  Understood

     

    If you can, please work with a local Aruba VAR/SE, because I am only giving advice based on what you tell me, and I cannot see the full picture.



  • 11.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 09:14 AM

    Hi Colin

     

    Well, I just talked to an engineer who has done several Aruba solutions, and he argues that your solution does not work. According to him you can actually select broadcast filtering in local switched mode, it just does not work. Hidden in some documentation somewhere it's apparently made clear that that feature only works in tunneled mode.

    Likewise he says the advanced firewall feature is useless in local switched mode since you can only create source-based rules that work. That leaves no filtering on destination and no option to block ARP generally, except for converting the ARP for the default gateway to unicast.

     

    Can you comment on this? Hopefully he missed something when doing his testing, otherwise I fear Aruba will be useless in my proposed solution. 



  • 12.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 09:19 AM

    Keyser,

     

    Well you should continue to talk to that engineer about your deployment, because he would know more details than I do.  If he has the details he needs to make decisions and you trust him, that is what you should do.

     

    The design stage of any deployment is crucial, and general answers to questions are no substitute for someone who will look at a solution from end to end.

     

     



  • 13.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 09:25 AM

    Colin

    I'm not quite sure what to think. This engineer is very, very good, but he's not from Aruba, so I would like to believe you have more factual information than him.

    Since you posted an answer for my question, I assume you have actually made it work at some point? That leads me to believe that the engineer perhaps missed a setting or prerequisite to getting broadcast filtering to work in local switched mode. Are you sure Broadcast filtering and Firewalling should work in local switched mode also?



  • 14.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 09:48 AM

    Keyser,

     

    You can allow or drop whatever traffic that you want with the policy enforcement firewall when the traffic is in bridge mode:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Remote_AP/Bridge.htm?

     

    Very few people do not purchase the PEF license, because everyone always wants or needs a way to treat client traffic differently before it is placed on the network.

     

    If you are having a sizeable deployment at a site, I would suggest you put a controller at that site and have the traffic tunneled to that controller locally, so that you do not have to configure a trunk on each AP just to pass traffic or, even worse, have your access points in the same VLAN as your clients, or even worse...mix wired and wireless traffic.  Bridged mode is really designed for smaller remote networks that do not have a controller onsite.  Bridged mode also only supports up to 32 access points on the same layer 2 VLAN for firewall synchronization:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Does-an-AP-in-bridge-mode-support-firewall-session/ta-p/179504

     

    Long story short, if you deploy a controller at that site, you can use tunnel mode which:

     

    - Does not require any physical AP ports to be configured as trunks

    - Allows centralized control without traffic going back to the headend.

    - Supports every feature under the sun in most combinations

    - Will allow you to use the local internet if you want, and give you a captive portal for guest traffic as necessary

     

    Honestly, you should consult someone who is knowledgeable and has all the info about your potential deployment to design your solution.  We can give you general advice here, but someone who can design a solution can steer you clear of any gotchas or dealbreakers so that you are successful.



  • 15.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 03:50 PM

    Is there any difference between RAP bridge mode and CAP bridge mode?



  • 16.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 03:53 PM

    No.  The main difference is that the RAP uses IPsec.



  • 17.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 07:39 AM

    Ohh one more thing.

    Does this feature require additional licenses on the controller? 

     

    Right now we have just planned on buying AP licenses for the controller (7210).



  • 18.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 07:40 AM

    To apply a firewall policy to the client traffic requires the Policy Enforcement Firewall License, yes.

     

    EDIT:  Dropping broadcasts at the Virtual AP level does NOT require the Policy Enforcement Firewall license, however.

     



  • 19.  RE: Filtering local switched traffic in controller based solution??

    Posted Nov 25, 2015 07:43 AM

    Ahh bugger....

     

    I'll have to talk to my representative then...



  • 20.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 07:45 AM

    Please see my corrected post above.  If you just simply want to drop broadcast traffic, it does not require the policy enforcement license.




  • 22.  RE: Filtering local switched traffic in controller based solution??

    EMPLOYEE
    Posted Nov 25, 2015 07:32 AM

    Yes, you can do per-SSID broadcast filtering. There is a drop-down in the SSID configuration page.