Instant On - Wireless

  • 1.  Uplink/Management VLAN

    Posted 12-03-2019 03:56 AM

    Hi

    We need to roll out Aruba Instant On to a customer. I am aware that Instant on does Support SSID to VLAN.

    But does it also support native VLAN for the uplink? As we need to have the device uplink tagged to a specific network and not just the specific SSID. I did not find a VLAN Setting for the device itself.

    Switch example:
    MGMT VLAN100 Tagged (here goes the Instant on Uplink/Management)
    Guest VLAN101 Tagged (SSID to VLAN)

    Thanks,

    Mario


    #Management
    #vlan
    #uplink


  • 2.  RE: Uplink/Management VLAN

    Employee
    Posted 12-04-2019 07:20 PM

    @tcag You can configure your Mgmt VLAN100 to be untagged on the port and the Guest VLAN101 to be tagged on the same port, and the AP will be in the Mgmt VLAN and the client will be in the Guest VLAN. In the Network settings (SSID), make sure you select Assign a VLAN to your network and use VLAN101; this will put all clients on that network.



  • 3.  RE: Uplink/Management VLAN

    Posted 12-05-2019 03:52 AM

    @GThiesen this is clear. But what if we can't put the port to untagged for policy reasons? I assume the Instant On AP doesn't support uplink/management interface VLAN tagging then? Just tagging on the SSID?



  • 4.  RE: Uplink/Management VLAN

    Employee
    Posted 12-05-2019 11:31 AM

    @tcag Correct.



  • 5.  RE: Uplink/Management VLAN

    Posted 12-11-2019 01:04 PM

    This seems like something that Aruba should be doing, with all the cyber threats and security issues on any network. Aruba should be thinking about security first, no matter the 'grade' of their product.



  • 6.  RE: Uplink/Management VLAN

    Posted 06-25-2021 08:18 AM
    This is absolutely the correct answer.

    ------------------------------
    T Cannon
    ------------------------------



  • 7.  RE: Uplink/Management VLAN

    Posted 07-06-2021 06:45 AM
    I disagree. The management interface is to manage devices that have an exposed interface, with access to http/snmp/ssh/capwap etc. But the Instant On does not have anything of the sort. It phones home, picks up the configuration from the cloud and it's done. What should a management VLAN add? There's nothing to interface with!

    ------------------------------
    Pierre Lorier
    ------------------------------



  • 8.  RE: Uplink/Management VLAN

    Posted 07-06-2021 07:08 AM
    The management interface is the device access vector and, whether you manage the device directly or not, typically has (an) open port(s). Just because a device has an open or closed port doesn't mean it's vulnerable to exploit, but it does add risk. It's just standard industry best practice to change management ports from VLAN 1, have a management VLAN where device management lives, shut down all unused ports, and on and on.

    Pretend for a moment an Instant On device has a local vulnerability (known or unknown). With everything living on VLAN 1, an attacker who just phished their way into an office building can now see all these APs, switches, and anything else, and can fire away if they wish. Had the devices lived on a management VLAN, which naturally users wouldn't have access to, these devices would probably still be considered "safe" from attack.

    I realize the Instant On is being targeted at a non-technical business owner crowd who will set-it-and-forget-it, but in the real world, technical folks will be configuring and installing a lot of this stuff for businesses where VLANs and firewall rules are an essential part of compartmentalizing traffic and limiting the attack surface... at least it should be standard operating procedure to do so.

    ------------------------------
    T Cannon
    ------------------------------
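
Added example (not Aruba's code and not any poster's): a small Python checker that encodes the port layout GThiesen describes in reply 2 (management VLAN untagged on the AP's uplink port, each SSID's VLAN tagged on that same port) together with the management-VLAN practice T Cannon raises in reply 8 (management should not sit on VLAN 1). The `vlan N` / `untagged` / `tagged` stanza syntax it parses, the sample switch configuration, the port numbers, VLAN 102 and the SSID names are all constructed for this example; only VLAN 100 (management) and VLAN 101 (Guest) come from the thread.

```python
"""Check an AP uplink port's VLAN layout against the scheme from the thread.

Added example, not vendor code. A port is modelled as one untagged (native)
VLAN plus a set of tagged VLANs, which is where an Instant On AP's own
management traffic and its SSID client traffic respectively have to land.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed switch configuration in a ProCurve-like stanza style (assumption,
# not from the thread): port 1 is laid out as reply 2 recommends, port 3 is the
# "everything on VLAN 1" layout reply 8 warns about.
SAMPLE_CONFIG = """
vlan 1
  untagged 3
vlan 100
  untagged 1-2
  tagged 3
vlan 101
  tagged 1-3
"""


@dataclass
class PortVlans:
    native_vlan: int | None = None            # untagged VLAN: AP management lands here
    tagged_vlans: set[int] = field(default_factory=set)


def expand_ports(spec: str) -> list[int]:
    """Expand a port list such as '1-3,5' into [1, 2, 3, 5]."""
    ports: list[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            ports.extend(range(int(lo), int(hi) + 1))
        elif part:
            ports.append(int(part))
    return ports


def parse_vlan_config(text: str) -> dict[int, PortVlans]:
    """Turn per-VLAN stanzas into a per-port view (native VLAN + tagged set)."""
    ports: dict[int, PortVlans] = {}
    current: int | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.fullmatch(r"(untagged|tagged) ([\d,\-]+)", line)
        if m and current is not None:
            for p in expand_ports(m.group(2)):
                pv = ports.setdefault(p, PortVlans())
                if m.group(1) == "untagged":
                    pv.native_vlan = current
                else:
                    pv.tagged_vlans.add(current)
    return ports


def check_ap_uplink(port: PortVlans, mgmt_vlan: int,
                    ssid_vlans: dict[str, int | None]) -> list[str]:
    """Return a list of findings; an empty list means the port matches the scheme.

    ssid_vlans maps SSID name -> VLAN chosen under "Assign a VLAN to your
    network", or None when the SSID was left on the AP's own (untagged) VLAN.
    """
    findings: list[str] = []
    if port.native_vlan is None:
        findings.append("no untagged VLAN on the uplink: the AP cannot reach the cloud")
    elif port.native_vlan != mgmt_vlan:
        findings.append(f"AP lands in VLAN {port.native_vlan}, not management VLAN {mgmt_vlan}")
    if port.native_vlan == 1:
        findings.append("management on default VLAN 1: move it to a dedicated VLAN")
    for ssid, vlan in ssid_vlans.items():
        if vlan is None or vlan == port.native_vlan:
            findings.append(f"SSID {ssid!r} clients share the AP's untagged VLAN")
        elif vlan not in port.tagged_vlans:
            findings.append(f"SSID {ssid!r} VLAN {vlan} is not tagged on the uplink: no connectivity")
    return findings


if __name__ == "__main__":
    ports = parse_vlan_config(SAMPLE_CONFIG)
    for p in sorted(ports):
        print(f"port {p}:", check_ap_uplink(ports[p], 100, {"Guest": 101}) or "ok")
```

Running it reports port 1 as ok and flags port 3 twice (AP not in the management VLAN, management on VLAN 1); the same checker also catches the two ways a guest SSID silently ends up next to the AP's management traffic (no VLAN assigned, or a VLAN missing from the tagged list).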