Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Wireless clean up options

  • 1.  Wireless clean up options

    Posted Feb 05, 2018 11:51 AM

    Hi

    I have a site that currently has a corporate SSID and a guest SSID that is tunneled back to the controller. They have vehicles that have wireless cards in them for specific applications and connect to specific SSIDs. The one can be tunneled back, the other needs to talk to a local device. This particular application needs to talk to a server that is on the local network; at this time there's no need for it to talk anywhere else. Could I use the split tunneling option for this, and are there any issues with having tunneled and split-tunneled VAPs in the same AP group?

     

    Any Thoughts?

    John



  • 2.  RE: Wireless clean up options

    EMPLOYEE
    Posted Feb 05, 2018 12:58 PM

    What is the network between the access point at site and the controller?

     

    Split tunneling only works with an access point that is configured as a remote AP.



  • 3.  RE: Wireless clean up options

    Posted Feb 06, 2018 09:30 AM

    There's a LAN extension fibre connection. The controller and the branch site are on separate VLANs, but both are internal to the corporate firewall.



  • 4.  RE: Wireless clean up options

    EMPLOYEE
    Posted Feb 06, 2018 09:39 AM

    Thanks for that information.

     

    If you want a client to get an IP address local to the AP, you would need:

    - Control Plane Security Enabled

    - A Virtual AP configured as "bridged"

    - The VLAN that you want the client to be on trunked to every AP that SSID is connected to.

     

    The switchports that those APs are connected to would need to be configured as trunks with the "default" or untagged VLAN as the VLAN the APs would get their IP addresses from. You would need to allow the VLAN that the clients need to be on, on those switchport trunks. Lastly, you would configure a bridged Virtual AP where the VLAN specified is the client VLAN allowed on those trunks.

     

    Since you have a fiber connection between the APs and the controller and there should be no significant latency between the client and the server, most people would opt for the Tunneled Virtual AP and avoid having to configure switchports at a remote location. 



  • 5.  RE: Wireless clean up options

    Posted Feb 06, 2018 01:54 PM

    Thanks, I'd like to use the tunneled mode. The problem is the server is at the branch site and there are handhelds that are using Windows CE and must be on the same network as the server and must be at the branch office. It looks like I have three options to choose from; I just need to pick the cleanest and easiest to maintain.

    * Enable control plane security and use bridge mode for that SSID.

    * Continue to use 3 separate APs/IAPs for the SSID.

    * Use tunnel mode to bring it back to the controller, only NAT it possibly a couple of times to get it to work.

     

    If I enable control plane security, is there anything I should watch out for?

     

    thanks

    John



  • 6.  RE: Wireless clean up options

    EMPLOYEE
    Posted Feb 06, 2018 02:23 PM

    Control Plane Security is enabled by default. If it is off and you need to re-enable it, you are talking about a minimum 15-minute outage while all of your APs obtain a certificate. You can check to see if your controller has control plane security already enabled:

    (Aruba7640-US) #show control-plane-security 
    
    Control Plane Security Profile
    ------------------------------
    Parameter                    Value
    ---------                    -----
    Control Plane Security       Enabled
    Auto Cert Provisioning       Enabled
    Auto Cert Allow All          Enabled
    Auto Cert Allowed Addresses  N/A
    
    (Aruba7005-US) #
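
Added example (not part of the thread and not Aruba code): a small Python check that parses the `show control-plane-security` output quoted in the last post and reports what matters before a bridged Virtual AP is rolled out. The function names are hypothetical, and the note on "Auto Cert Allow All" assumes that this setting lets the controller issue certificates to any AP rather than only to the listed addresses.

```python
import re

# Table portion of the output quoted in the post above.
SAMPLE = """\
Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A
"""

def parse_cpsec(text):
    """Return {parameter: value} from 'show control-plane-security' output."""
    params = {}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"-+\s+-+", line):  # rule under the column header
            in_table = True
            continue
        # Skip everything before the table, blank lines and CLI prompts.
        if not in_table or not line or line.startswith("("):
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=1)  # columns: 2+ spaces apart
        if len(cols) == 2:
            params[cols[0]] = cols[1]
    return params

def review_cpsec(params):
    """Return findings relevant to deploying a bridged Virtual AP."""
    def on(key):
        return params.get(key, "").lower() == "enabled"
    findings = []
    if not on("Control Plane Security"):
        findings.append("Control Plane Security is off: a bridged Virtual AP "
                        "requires it, and enabling it causes an outage while "
                        "the APs obtain certificates")
    if on("Auto Cert Provisioning") and on("Auto Cert Allow All"):
        # Assumption: Allow All means certificates go to any AP, not a listed range.
        findings.append("Auto Cert Allow All is enabled: consider limiting "
                        "Auto Cert Allowed Addresses to the AP subnets")
    return findings

if __name__ == "__main__":
    for finding in review_cpsec(parse_cpsec(SAMPLE)):
        print("-", finding)
```
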