Environment : This article applies to all the Controller and AP models and OS versions.
The number of IPsec-encrypted GRE tunnels that the RAP constructs depends on the forwarding mode on each SSID and wired port.
Tunnel/Decrypt-tunnel mode: One GRE tunnel per SSID per wireless radio, plus one GRE tunnel per wired port.
Split-tunnel mode: The user data traffic from all split-tunnel wired ports and wireless SSIDs are multiplexed onto a single IPsec-encrypted GRE tunnel after the decrypt and encrypt process. However, every split-tunnel VAP and wired port configured for 802.1X forms a separate IPsec-encrypted GRE tunnel to the controller. This tunnel is used only for 802.1X exchanges.
Bridge mode: The user data traffic is never forwarded to the controller, so there is no IPsec-encrypted GRE tunnel to the controller for data traffic. However, each bridge mode SSID configured for 802.1X forms a GRE tunnel back to the controller on which the RAP terminates.
This tunnel is used only for 802.1X exchanges.
The number of PAPI control channels constructed by a RAP, dedicated AM, or SM is two. One is used for heartbeats (GRE + PAPI keepalives). The other is used for image and configuration download, ARM, WIPS, and spectrum monitoring functions.
ArubaOS 6.0 and later introduces an optimization to reduce the WAN bandwidth required by APs. Instead of exchanging one heartbeat (GRE
keepalives) per tunnel, the RAP exchanges one heartbeat per AP. The PAPI keepalives are sent once every 10 minutes and are used only for time synchronization. The time interval between keepalives is not configurable. Excluding user-traffic, a pre ArubaOS 6.0 RAP with three BSSIDs requires approximately 9 kb/s of consistent bandwidth. With ArubaOS 6.0 and later, the same RAP requires just 3 kb/s.