Aruba Networks Version 3.3 User's Manual
Campus Wireless Networks Validated Reference Design Version 3.3
Design Guide | Mobility Controller and Access Point Deployment | 29
In the second diagram the client device is placed into VLAN 200 by the controller following completion
of the role derivation process.
The user VLAN design has implications for user connectivity and mobility across the network. To
ensure that users do not overwhelm a single subnet, multiple VLANs can be configured to form a VLAN
Pool in the Mobility Controller, into which users are dynamically load balanced. ‘User mobility’ is the
ability of a user to roam between access points while remaining connected, without breaking user
sessions through IP address changes.
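To illustrate the VLAN Pool behaviour described above, here is an added example (not Aruba code or configuration). It assumes the controller picks a VLAN for a client by hashing the client's MAC address, so that clients are spread across the pool but each client lands in the same VLAN on every association and therefore keeps its IP address while roaming between access points. The pool VLAN IDs, the choice of SHA-256 as the hash, and the client MAC addresses are all constructed for the example.

```python
"""Illustrative VLAN-pool assignment (added example, not ArubaOS code).

Assumption: the controller chooses a VLAN from the pool by hashing the
client's MAC address.  Because the hash is deterministic, a roaming client
is placed into the same VLAN by every AP it associates with, so its IP
address (and its sessions) survive the roam.
"""
import hashlib
from collections import Counter

# Constructed sample pool of user VLANs (the guide's example uses VLAN 200).
VLAN_POOL = [200, 201, 202, 203]


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA:BB:..', 'aa-bb-..' or 'aabb.ccdd.eeff' to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def assign_vlan(mac: str, pool=VLAN_POOL) -> int:
    """Hash-mode assignment: same MAC -> same pool member on every association."""
    if not pool:
        raise ValueError("VLAN pool is empty")
    digest = hashlib.sha256(normalize_mac(mac).encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(pool)
    return pool[index]


def simulate_roam(mac: str, ap_sequence) -> bool:
    """True if the client keeps one VLAN (and so one IP) across every AP it roams to."""
    vlans = {assign_vlan(mac) for _ap in ap_sequence}
    return len(vlans) == 1


def pool_distribution(macs, pool=VLAN_POOL) -> Counter:
    """How evenly the pool spreads a population of clients (load balancing)."""
    return Counter(assign_vlan(m, pool) for m in macs)


def constructed_macs(n: int):
    """Constructed client MACs using a locally administered prefix (not real devices)."""
    return [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(n)]


if __name__ == "__main__":
    client = "02:00:00:00:00:2a"
    print("client VLAN:", assign_vlan(client))
    print("sticky across roam:", simulate_roam(client, ["AP-1", "AP-2", "AP-3"]))
    for vlan, count in sorted(pool_distribution(constructed_macs(1000)).items()):
        print(f"VLAN {vlan}: {count} clients")
```

The distribution printout shows the load-balancing half of the design goal (no single subnet carries every client), while `simulate_roam` shows the mobility half: a scheme that picked a random pool member per association would balance equally well but would hand the client a new subnet, and therefore a new IP address, on every roam.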
Do Not Make Aruba the Default Router
The Mobility Controller is a Layer 3 switch that does not run routing protocols and should not be the
default router for the VLANs on the network. The existing routers should remain the default gateways,
with the Mobility Controller as a Layer 2 switched solution extending from the distribution layer.
Do Not Use Special VLANs
The use of ‘special VLANs’, VLANs created specifically for AP deployment, is neither necessary nor
recommended. No user traffic can enter the wired network except through the controller on which it
terminates, and only after undergoing deep-packet inspection by the ArubaOS stateful firewall. As a
result, placing APs on existing VLANs poses no security risk to the network. In addition, for the
Wireless Intrusion Detection System (WIDS) to operate properly, the Air Monitors need to see both the
wireless and wired sides of the network in order to classify rogue access points. When placed on
isolated “AP VLANs”, the WIDS system cannot correlate wired and wireless traffic: it will not be able to
definitively classify rogue APs, and will not be able to automatically contain them.
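As an added example (not ArubaOS WIDS code) of the wired/wireless correlation the paragraph above relies on, the script below models an Air Monitor that hears BSSIDs over the air and can also see the MAC addresses present on the wired VLAN it sits on. The correlation rule used here, a wired MAC within a small numeric distance of the BSSID, is an assumed simplification of the kind of heuristic a WIDS applies, and every MAC address is constructed. Run against the MAC table of a production VLAN, the rogue is classified definitively; run against only what an isolated AP VLAN exposes, the same rogue is downgraded to "interfering" because the wired side is invisible to the monitor.

```python
"""Illustrative rogue-AP classification by wired/wireless correlation.

Added example, not ArubaOS WIDS code.  Assumptions:
  * an Air Monitor reports the BSSIDs it hears over the air;
  * it also knows the MAC addresses visible on the wired VLAN it sits on;
  * (heuristic, assumed for this example) an AP's radio BSSID is numerically
    close to its wired MAC, so a wired MAC within MAX_DISTANCE of a heard
    BSSID ties that AP to our wired network.
Containment is deliberately not modelled: it requires a definitive
classification, which is exactly what an isolated AP VLAN prevents.
"""
from dataclasses import dataclass

MAX_DISTANCE = 2  # assumed correlation window (see heuristic above)


@dataclass(frozen=True)
class WirelessObservation:
    bssid: str
    ssid: str


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (any separator) into an integer for distance checks."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def wired_matches(bssid: str, wired_macs, max_distance=MAX_DISTANCE):
    """Wired MACs close enough to the BSSID to link the AP to our wire."""
    target = mac_to_int(bssid)
    return [m for m in wired_macs if abs(mac_to_int(m) - target) <= max_distance]


def classify(obs: WirelessObservation, wired_macs, authorized_bssids) -> str:
    """'valid' (ours), 'rogue' (foreign AP on our wire), or 'interfering' (foreign AP, no wired link found)."""
    if obs.bssid in authorized_bssids:
        return "valid"
    if wired_matches(obs.bssid, wired_macs):
        return "rogue"
    return "interfering"


# --- constructed scenario (locally administered 02:.. addresses, not real devices) ---
AUTHORIZED_BSSIDS = {"02:a1:b2:00:00:01"}
VALID_OBS = WirelessObservation("02:a1:b2:00:00:01", "corp")
ROGUE_OBS = WirelessObservation("02:de:ad:00:00:11", "free-wifi")     # plugged into a user VLAN
NEIGHBOR_OBS = WirelessObservation("02:ca:fe:00:00:01", "next-door")  # never on our wire

# What the monitor sees on the wire when its AP shares the production user VLAN:
PRODUCTION_VLAN_MACS = ["02:00:00:00:00:10", "02:00:00:00:00:11", "02:de:ad:00:00:10"]
# What it sees when the AP is parked on an isolated "AP VLAN" (only APs and the controller):
ISOLATED_AP_VLAN_MACS = ["02:a1:b2:00:00:00", "02:00:0c:00:00:01"]


def run_scenario(wired_macs):
    """Classify every heard AP given one wired vantage point."""
    return {obs.ssid: classify(obs, wired_macs, AUTHORIZED_BSSIDS)
            for obs in (VALID_OBS, ROGUE_OBS, NEIGHBOR_OBS)}


if __name__ == "__main__":
    print("AP on production VLAN :", run_scenario(PRODUCTION_VLAN_MACS))
    print("AP on isolated AP VLAN:", run_scenario(ISOLATED_AP_VLAN_MACS))
```

The two printouts differ only in the rogue's verdict: with production-VLAN visibility it is "rogue", with AP-VLAN visibility it is merely "interfering", indistinguishable from the harmless neighbour, so no automatic containment could be justified.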
[Figure arun_053b: Local Mobility Controller, VLAN 200]