Aruba Networks Version 3.3 manual Do Not Make Aruba the Default Router, Do Not Use Special VLANs


In the second diagram the client device is placed into VLAN 200 by the controller following completion of the role derivation process.

[Diagram: Local Mobility Controller, VLAN 200]

The user VLAN design has implications for user connectivity and mobility across the network. To ensure that users do not overwhelm a single subnet, multiple VLANs can be configured to form a VLAN Pool in the Mobility Controller, into which users are dynamically load balanced. ‘User mobility’ is the ability of the user to roam between access points while remaining connected, without user sessions being broken by IP address changes.

Do Not Make Aruba the Default Router

The Mobility Controller is a Layer 3 switch that does not run routing protocols and should not be the default router for the VLANs on the network. The existing routers should remain the default gateways, with the Mobility Controller as a Layer 2 switched solution extending from the distribution layer.

Do Not Use Special VLANs

The use of ‘special VLANs’, which are VLANs created specifically for AP deployment, is not necessary and not recommended. No user traffic can enter the wired network except through the controller on which it terminates and after undergoing deep-packet inspection by the ArubaOS stateful firewall. As a result, there is no security risk to the network in putting APs on existing VLANs. In addition, for the Wireless Intrusion Detection System (WIDS) to operate properly, the Air Monitors need to see both the wireless and wired sides of the network to classify rogue access points. When the Air Monitors are placed on isolated “AP VLANs”, the WIDS cannot correlate wired and wireless traffic. It will not be able to definitively classify rogue APs, and will not be able to automatically contain them.
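The correlation argument above, as an added example (not from the Aruba guide, and not ArubaOS's actual classification algorithm): a monitor labels an unknown AP as rogue only when a station heard behind it is also seen on the wired side. VLAN 900, every MAC address and the matching rule itself are constructed assumptions.

```python
# Constructed sample data; the matching rule is a simplified assumption,
# not ArubaOS's classification algorithm.
WIRED_FRAMES_BY_VLAN = {
    200: {"02:00:00:00:02:01", "02:00:00:00:02:99"},  # existing user VLAN
    900: {"02:00:00:00:09:01"},                       # hypothetical isolated "AP VLAN"
}
AUTHORIZED_BSSIDS = {"02:aa:00:00:00:01"}
WIRELESS_OBS = {  # BSSID -> client MACs heard over the air through that BSSID
    "02:aa:00:00:00:01": {"02:00:00:00:02:01"},  # managed AP
    "02:bb:00:00:00:01": {"02:00:00:00:02:99"},  # unknown AP bridging into VLAN 200
    "02:cc:00:00:00:01": {"02:00:00:00:07:07"},  # neighbour's AP, never on our wire
}

def wired_view(frames_by_vlan, visible_vlans):
    """Source MACs a monitor can see, given the VLANs its wired port reaches."""
    seen = set()
    for vlan in visible_vlans:
        seen |= frames_by_vlan.get(vlan, set())
    return seen

def classify_aps(wireless_obs, wired_macs, authorized_bssids):
    """Label each BSSID as valid, rogue or unknown by wired/wireless correlation."""
    labels = {}
    for bssid, clients in wireless_obs.items():
        if bssid in authorized_bssids:
            labels[bssid] = "valid"
        elif clients & wired_macs:
            # A station behind an unmanaged AP also appears on our wire:
            # the AP is attached to the LAN.
            labels[bssid] = "rogue"
        else:
            # No wired evidence: cannot tell a rogue from a neighbour's AP.
            labels[bssid] = "unknown"
    return labels

def containable(labels):
    """Only definitively classified rogues qualify for automatic containment."""
    return sorted(b for b, label in labels.items() if label == "rogue")

if __name__ == "__main__":
    for name, vlans in (("existing user VLAN", [200]), ("isolated AP VLAN", [900])):
        labels = classify_aps(WIRELESS_OBS, wired_view(WIRED_FRAMES_BY_VLAN, vlans),
                              AUTHORIZED_BSSIDS)
        print(name, labels, "contain:", containable(labels))
```

With the monitor's wired port on VLAN 200 the bridging AP is classified as rogue; on the isolated VLAN 900 the same AP stays unknown and nothing is eligible for containment.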

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide

Mobility Controller and Access Point Deployment
