MFP in Bridge Mode

We have our wireless setup in Tunnel Mode. In order to implement MFP we are considering changing it to Bridge Mode. 


1. Is there a way available to implement MFP without changing to Bridge Mode? 

2. Bridge Mode also requires CoPP enabling. Is it a disruptive change? 

3. Any potential issue or drawback changing to Bridge mode? 


Re: MFP in Bridge Mode

In general, it is not recommended to switch to bridge mode on controller APs. In bridge mode a significant amount of features is lost. If you want to run in bridge mode, many times Aruba Instant is a better choice.


If you need to implement 802.11w (Management Frame Protection), please first check if all of your clients work properly with that. I have seen reports of customers who implemented MFP and found out that some of their clients really didn't like that and exposed connectivity issues. Most of those customers disabled the feature again.


Then, moving from tunneled SSID, the logical step will be to go to a Decrypt-Tunnel SSID where encryption is moved to the AP but traffic is still tunneled.


As the encryption keys will be in the Access Point in Decrypt Tunnel, you will need to have Control Plane Security (CPSec) enabled. I know some engineers switch off CPSec by default; I leave it on by default and did not find a reason to switch it off in the last 5 years.


When you re-enable CPSec, all APs will restart at least two times to get all certificates configured and communication secured, which will likely result in downtime of 5-15 minutes. You will likely want to set the auto-cert provisioning for CPSec during this transition to allow any AP that connects. 

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
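
The sequence described in the reply above, sketched as ArubaOS controller CLI configuration. This is an added example, not part of the original post: the profile names `corp-vap` and `corp-ssid` and the address range are hypothetical, exact syntax and configuration hierarchy may differ by ArubaOS version, and step 4 (narrowing auto-cert provisioning once the transition is over) is an assumption about how to close out the "allow any AP" window the reply mentions.

```text
! Added example; profile names and addresses are hypothetical placeholders.

! 1. Re-enable CPSec with auto-cert provisioning open to any AP for the
!    transition. APs restart while their certificates are provisioned.
control-plane-security
  cpsec-enable
  auto-cert-prov
  auto-cert-allow-all
!
! 2. Move the virtual AP from tunnel to decrypt-tunnel forwarding, so that
!    encryption terminates on the AP while traffic is still tunneled.
wlan virtual-ap "corp-vap"
  forward-mode decrypt-tunnel
!
! 3. Advertise 802.11w as optional first (mfp-capable, not mfp-required),
!    so clients that do not handle MFP are not forced to negotiate it.
wlan ssid-profile "corp-ssid"
  mfp-capable
!
! 4. Once every AP is certified, stop accepting arbitrary APs and limit
!    auto-cert provisioning to the known AP address range.
control-plane-security
  no auto-cert-allow-all
  auto-cert-allowed-addrs 192.0.2.10 192.0.2.200
```

`show control-plane-security` displays the resulting CPSec and auto-cert settings after each step.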