VLAN scanning too aggressive; should prefer native VLAN

  • Idea
  • Updated 2 years ago
New APs are too aggressive in trying to find the Hive Manager by connecting to every VLAN it can find. We actually needed to rename our hive manager so it wouldn't be able to find it on the wrong VLAN. I'd rather it only check the native VLAN, but I'd suggest that it would be better to try the untagged port first and, if it receives DHCP options 225 or 226 then it shouldn't scan any other VLANs.

As it is now I get a lot of alarms when it shows up on security VLANs since we aren't doing VLAN pruning to the APs.

Thanks.
Dan Mellem

Posted 2 years ago

Nick Lowe, Official Rep

> As it is now I get a lot of alarms when it shows up on security VLANs since we aren't doing VLAN pruning to the APs.

Hi Dan,

This sounds like a significant security weakness in the environment. Wouldn't the correct approach regardless of HiveOS's discovery practices be to prune those VLANs back to only those that are necessary?

Cheers,

Nick
Luke Harris

I would have to agree with Nick. Best practice would dictate that you should only configure a VLAN on a port where it is needed rather than implementing an 'all VLAN' approach. Are your APs not on their own subnet/VLAN for management purposes?
Dan Mellem

The APs are on a dedicated management VLAN (which is also the native/untagged traffic), but they're trunked for the SSIDs. When the AP comes up, it should get its IP address from the native VLAN, but it will also attempt to get IP addresses from the client networks on the trunk.
Luke Harris

Interesting. What switches are the APs connected to? Would you be able to post a sample of your switch port configuration?
Bill W.

Dan, do you have Bonjour Gateway configured in the network policy you are using? Because if you do, the APs will attempt to get an IP address on the client VLANs too.
Dan Mellem

Luke: They're connected to Cisco switches, including 3560v2, 3560, 3550, 6500, and 4500. Typical port config is:

interface FastEthernet1/7
description Aerohive room 101
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport trunk allowed vlan 1,4,64-191
switchport mode trunk
ip arp inspection trust
no mdix auto
spanning-tree bpduguard enable

Bill: Good point, but no, no Bonjour gateway configuration.

Thanks.
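The pruning that Nick and Luke recommend can be checked mechanically. The following is an added Python example, not code from the thread or from Aerohive or Cisco: it parses IOS-style interface blocks, expands the `switchport trunk allowed vlan` list, and flags AP-facing trunks that carry VLANs outside an approved set, or that have no allowed-VLAN line at all (IOS then trunks every VLAN). The FastEthernet1/7 block is the one Dan posted; the other two interfaces, the "Aerohive" description marker and the approved set (management VLAN 4 plus SSID VLANs 64-191) are constructed assumptions. Only the plain `allowed vlan LIST` form is handled, not the `add`/`remove`/`except` variants.

```python
from typing import Dict, List, Optional, Set

# Constructed sample config. FastEthernet1/7 is the block posted in the thread;
# 1/8 (trunk left at the IOS default of all VLANs) and 1/9 (a non-AP access port)
# are made up here to exercise the audit.
SAMPLE_CONFIG = """\
interface FastEthernet1/7
 description Aerohive room 101
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 1,4,64-191
 switchport mode trunk
 ip arp inspection trust
 no mdix auto
 spanning-tree bpduguard enable
!
interface FastEthernet1/8
 description Aerohive room 102 (constructed)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport mode trunk
!
interface FastEthernet1/9
 description Printer (constructed)
 switchport access vlan 10
!
"""

# Assumed approved set for an AP trunk: management/native VLAN 4 plus SSID VLANs 64-191.
NEEDED_VLANS: Set[int] = {4} | set(range(64, 192))


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a Cisco VLAN list such as '1,4,64-191' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect the trunk-related settings of each interface block in an IOS-style config."""
    interfaces: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                      # end of the current block
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # native VLAN defaults to 1; allowed=None means no allowed-vlan line seen
            interfaces[current] = {"trunk": False, "native": 1, "allowed": None, "description": ""}
            continue
        if current is None:
            continue
        cfg = interfaces[current]
        if line == "switchport mode trunk":
            cfg["trunk"] = True
        elif line.startswith("switchport trunk native vlan "):
            cfg["native"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            cfg["allowed"] = parse_vlan_list(line[len("switchport trunk allowed vlan "):])
        elif line.startswith("description "):
            cfg["description"] = line[len("description "):]
    return interfaces


def audit_ap_trunks(config: str, needed: Set[int], ap_marker: str = "Aerohive") -> Dict[str, List[str]]:
    """Return {interface: [findings]} for AP-facing trunks that carry more than `needed`."""
    findings: Dict[str, List[str]] = {}
    for name, cfg in parse_interfaces(config).items():
        if not cfg["trunk"] or ap_marker not in cfg["description"]:
            continue
        issues: List[str] = []
        if cfg["allowed"] is None:
            issues.append("no 'switchport trunk allowed vlan' line: trunk carries every VLAN (IOS default)")
        else:
            extra = sorted(cfg["allowed"] - needed)
            if extra:
                issues.append(f"trunk allows VLANs not needed by the AP: {extra}")
        if cfg["native"] not in needed:
            issues.append(f"native VLAN {cfg['native']} is not in the approved set")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_ap_trunks(SAMPLE_CONFIG, NEEDED_VLANS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, the posted port is reported for carrying VLAN 1 beyond the approved set, and the constructed 1/8 is reported for having no allowed-VLAN list at all; pointing the script at a saved `show running-config` and the site's own approved set turns Luke's "only where it is needed" into a repeatable check.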
Dan Mellem

Well, we don't allow trunks to most ports and we don't prune back the ports until we find the AP and select which VLANs it gets, so it's generally not a problem as far as security goes. However, I still think it's too aggressive in trying to find a connection since I'd think most people would expect it to connect on its native VLAN and not try every VLAN it can find.

I personally think it should never try to get an address from a VLAN, but it'd be better if it tried untagged traffic first and not continue if it got DHCP options (even if it's not able to find the hive manager).
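Dan's proposed discovery order, as an added Python example rather than anything from HiveOS or the thread: probe the untagged VLAN first and stop as soon as a DHCPOFFER there carries option 225 or 226 (his original suggestion), or, with `stop_on_any_offer=True`, as soon as the untagged VLAN answers with any offer at all (his stricter wording in the last post); only if the native VLAN yields nothing does the scan continue to tagged VLANs. The thread does not describe what options 225 and 226 contain, so their payloads are treated as opaque bytes; the sample offers are constructed, and only the DHCP options area (after the RFC 2132 magic cookie) is parsed, not the full BOOTP header.

```python
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that opens the options area
HIVE_MANAGER_OPTIONS = (225, 226)    # option codes named in the thread; payload format assumed opaque
OPT_MESSAGE_TYPE = 53                # DHCP Message Type option
DHCPOFFER = 2


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options area (cookie + TLV list) into {code: value}.

    Handles pad (0) and end (255) markers and rejects truncated TLVs so a
    malformed offer cannot be read past its end.
    """
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value     # repeated codes are not concatenated in this example
        i += 2 + length
    return opts


def build_dhcp_options(fields: Dict[int, bytes]) -> bytes:
    """Encode {code: value} as a DHCP options area (used here to construct sample offers)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in fields.items():
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def discover(offers: Dict[Optional[int], Optional[bytes]],
             stop_on_any_offer: bool = False) -> Tuple[List[Optional[int]], Optional[int]]:
    """Walk VLANs in the proposed order: untagged (key None) first, then tagged VLANs by ID.

    `offers` maps VLAN -> raw options area of the DHCPOFFER received there, or None if
    nothing answered. Returns (vlans_probed, vlan_whose_offer_carried_225_or_226_or_None).
    """
    order: List[Optional[int]] = [None] + sorted(v for v in offers if v is not None)
    probed: List[Optional[int]] = []
    for vlan in order:
        probed.append(vlan)
        payload = offers.get(vlan)
        if payload is None:
            continue                                   # no DHCP answer on this VLAN
        opts = parse_dhcp_options(payload)
        if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
            continue                                   # not an offer; keep looking
        if any(code in opts for code in HIVE_MANAGER_OPTIONS):
            return probed, vlan                        # HiveManager options seen: stop here
        if vlan is None and stop_on_any_offer:
            return probed, None                        # native VLAN answered: stop even without 225/226
    return probed, None


if __name__ == "__main__":
    # Constructed offers: native VLAN carries option 225, two tagged SSID VLANs also answer.
    native = build_dhcp_options({OPT_MESSAGE_TYPE: bytes([DHCPOFFER]), 225: b"10.0.0.5"})
    plain = build_dhcp_options({OPT_MESSAGE_TYPE: bytes([DHCPOFFER])})
    print(discover({None: native, 64: plain, 65: plain}))   # probes only the untagged VLAN
```

In the constructed run the AP never touches VLANs 64 or 65, which is exactly the behaviour Dan wants: one DHCP exchange on the management VLAN instead of one per trunked VLAN, and no IP-address alarms on the client or security VLANs.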