Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Trunking VLANS to AP/AM's

  • 1.  Trunking VLANS to AP/AM's

    Posted Sep 10, 2014 05:16 AM

    I am helping out a customer that has done dedicated VLANs for APs.

    This is not good for rogue detection, and trunking all VLANs to the controller is not really feasible with their topology.

    Reading up on rogue detection, and also asking before, one piece of advice has been to trunk all the (wired) VLANs to an AP or AM.

    This is something that could improve the situation here; I am just a bit curious as to what exactly that means.

    Do you create all the needed VLANs on the Aruba controller as well, and then create an eth profile with a wired AP where all VLANs are allowed in trunking mode?

    I can't see that just trunking them to an AM/AP does much; the VLANs must exist on the controller as well, otherwise the packets will be discarded.



  • 2.  RE: Trunking VLANS to AP/AM's

    EMPLOYEE
    Posted Sep 10, 2014 08:26 AM
    The best practice is to just place your access points in the same VLAN where end user devices are (desktops, printers, etc).


  • 3.  RE: Trunking VLANS to AP/AM's
    Best Answer

    Posted Sep 10, 2014 12:58 PM

    We're using the Aruba gear to provide WLAN access for our users and legacy devices, but we're also using it to meet PCI WLAN monitoring requirements.

    To get optimum WIPS functionality, we connect the access points to trunk ports with the AP management VLAN set as native and all wired VLANs "visible" to the wired interface of the AP/AM.

    This allows the AM to "see" MAC addresses on the wire and in the air regardless of which VLAN has a potential rogue AP connected.

    The only VLANs we configure on the controller(s) are the VLANs needed for client traffic so the AP can either tunnel or drop off client data as needed.
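
The effect described in the best answer, as an added example that is not part of the original thread and is not Aruba's classification code: a monitor can only tie an unknown BSSID to the wire if it sees that VLAN on its Ethernet port. The VLAN numbers, MAC addresses and the adjacent-MAC heuristic (radio MAC within 1 of the wired MAC) are assumptions chosen for illustration.

```python
# Simplified wired/wireless MAC correlation. All data below is constructed.

def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to an integer for offset comparison."""
    return int(mac.replace(":", "").replace("-", ""), 16)

# Frames present on the switch: (VLAN id, source MAC)
WIRED_FRAMES = [
    (10, "00:11:22:33:44:01"),  # AP management VLAN (native on the trunk)
    (20, "02:aa:bb:cc:dd:10"),  # user VLAN: wired side of an unsanctioned AP
    (20, "00:11:22:33:44:55"),  # user VLAN: desktop
    (30, "00:11:22:33:44:66"),  # printer VLAN
]

# BSSIDs heard over the air that are not on the sanctioned AP list
UNKNOWN_BSSIDS = ["02:aa:bb:cc:dd:11", "06:12:34:56:78:9a"]

def visible_wired_macs(frames, port_vlans):
    """MACs the monitor's Ethernet port can observe, keyed by integer MAC."""
    return {mac_to_int(mac): vlan for vlan, mac in frames if vlan in port_vlans}

def correlate(bssids, frames, port_vlans, max_offset=1):
    """Map each BSSID to the wired VLAN it was matched on, or None.

    A match means a wired MAC within max_offset of the BSSID was seen,
    i.e. the unknown AP is plugged into the monitored network.
    """
    wired = visible_wired_macs(frames, port_vlans)
    result = {}
    for bssid in bssids:
        base = mac_to_int(bssid)
        match = None
        for delta in range(-max_offset, max_offset + 1):
            if base + delta in wired:
                match = wired[base + delta]
                break
        result[bssid] = match
    return result

if __name__ == "__main__":
    # AP on a dedicated access VLAN: only VLAN 10 reaches its wired interface
    print("dedicated AP VLAN:", correlate(UNKNOWN_BSSIDS, WIRED_FRAMES, {10}))
    # AP on a trunk: native VLAN 10 plus the wired VLANs 20 and 30
    print("trunked VLANs:    ", correlate(UNKNOWN_BSSIDS, WIRED_FRAMES, {10, 20, 30}))
```

With only the dedicated AP VLAN visible, neither BSSID is matched to the wire; with the wired VLANs trunked to the port, the first BSSID is matched on VLAN 20 while the second stays unmatched, as a neighbouring network would.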