ArubaOS and Controllers

New Contributor
Posts: 4
Registered: ‎04-17-2010

bridge mode users' traffic flow

Hi all,

I managed to create a bridge mode SSID where the users have a different IP subnet from the APs. And for this wireless user segment, we do a source-NAT.
But I still don't understand how the traffic flow and the forwarding process are done by the bridge mode SSID.
Need advice from you guys...

BIG Thanks
Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

User Role


1. What are the firewall policies that the user gets when connected (show rights )?
2. Do the users get the same IP address range as the ones that physical APs are on?
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
New Contributor
Posts: 4
Registered: ‎04-17-2010

Re: bridge mode users' traffic flow


Hi Joseph,

1. --> I don't have access to the controller right now, but there are 2 rules in the policy when the user is connected.
- any dhcp permit
- any any route src-nat

2. --> No, users get a different IP range.
Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

User Traffic


The user gets a DHCP address from the DHCP server that is configured in the AP group's AP system-profile. After that, all traffic is source-NATed out of the physical IP address that the AP gets. All traffic from the user is seen as coming from the IP address of the AP. The AP acts as a border firewall, and all traffic that comes from it has the AP's IP address as the source.
Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 4
Registered: ‎04-17-2010

Re: bridge mode users' traffic flow




Thank you very much Joseph!

Occasional Contributor I
Posts: 8
Registered: ‎07-14-2011

Re: bridge mode users' traffic flow




I think I'm confused, so please correct me.

My understanding of bridge mode is that the wireless client IP and the AP physical IP are in the same bridge domain (L2 broadcast domain), so a wireless client can ONLY get an IP from the local DHCP server.

Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

Re: bridge mode users' traffic flow

In bridged mode the client will get an IP address in the same L2 VLAN as the access point unless:

The VLAN of the client specified in the Virtual AP is different from the VLAN of the AP. In that case, the client traffic will be tagged and if the AP is on a trunk, the client traffic will be placed in the VLAN that corresponds with the tag.

In the specific example earlier in this thread, the person established a VLAN that only exists inside the access point, and configured a DHCP server inside the AP, AND source-natted the traffic out of the access point.
Colin Joseph
Aruba Customer Engineering

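A small model of the three cases in the reply above (same VLAN, tagged VLAN on the trunk, AP-internal VLAN with source NAT), as an added example that is not part of the original post and not Aruba code. The names `BridgeAP`, `egress` and `lookup`, and all addresses, VLAN IDs and port numbers, are constructed assumptions; it shows why upstream logs for the NATed case only ever contain the AP's IP and need the AP's translation state for attribution.

```python
from dataclasses import dataclass, field

@dataclass
class BridgeAP:
    """Toy model of a bridge-mode AP's uplink decision (hypothetical names)."""
    ap_ip: str          # physical IP the AP received on its uplink
    ap_vlan: int        # VLAN the AP itself sits in
    trunk_vlans: set    # VLANs carried on the AP's uplink trunk
    nat_table: dict = field(default_factory=dict)  # outside port -> (client ip, port)
    next_port: int = 40000   # constructed starting port; real allocation differs

    def egress(self, client_vlan, src, sport):
        """Return (mode, vlan_tag, source address seen by the upstream network)."""
        if client_vlan == self.ap_vlan:
            # Case 1: client shares the AP's L2 VLAN, frame is bridged as-is.
            return "bridged", None, (src, sport)
        if client_vlan in self.trunk_vlans:
            # Case 2: Virtual AP VLAN differs, AP is on a trunk: tag and bridge.
            return "bridged-tagged", client_vlan, (src, sport)
        # Case 3: VLAN exists only inside the AP: route and source-NAT.
        # Simplification: a flow is identified by client ip and port only.
        for port, inside in self.nat_table.items():
            if inside == (src, sport):
                return "src-nat", None, (self.ap_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[port] = (src, sport)
        return "src-nat", None, (self.ap_ip, port)

    def lookup(self, outside_port):
        """Map a port seen upstream on the AP's IP back to the real client.
        Returns None when no translation exists (nothing to deliver to)."""
        return self.nat_table.get(outside_port)

if __name__ == "__main__":
    ap = BridgeAP(ap_ip="10.1.1.20", ap_vlan=10, trunk_vlans={10, 30})
    # Constructed client flows: (client VLAN, client IP, client source port)
    flows = [(10, "10.1.1.55", 5000), (30, "10.3.0.7", 5000),
             (99, "192.168.99.5", 5000), (99, "192.168.99.6", 5000)]
    for vlan, ip, port in flows:
        mode, tag, seen = ap.egress(vlan, ip, port)
        print(f"vlan {vlan} {ip}:{port} -> {mode} tag={tag} upstream sees {seen}")
    # Upstream only logged the AP's IP and a port; the AP's table resolves it.
    print("port 40001 belongs to", ap.lookup(40001))
```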
Occasional Contributor I
Posts: 8
Registered: ‎07-14-2011

Re: bridge mode users' traffic flow

So for a wireless client in bridge forwarding mode, the IP can ONLY be obtained from

1. DHCP server outside the AP but within the same L2 domain

2. DHCP server inside the AP and must work with source NAT policy

right?