02-25-2013 04:01 AM
I would like to ask a few questions regarding the Campus AP in Bridge mode:
1. For Campus AP in bridge mode, does it support fast roaming, or will the client need to re-authenticate every time it roams?
2. Is there a max number of bridge mode AP in a virtual AP profile?
3. Is spectrum load balance and traffic shaping supported in this AP mode?
I am referring to a campus AP to which a controller is always connected.
I look forward to your clarification.
02-25-2013 04:30 AM - edited 02-25-2013 04:35 AM
Please read the following info:
Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.
An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. Note that you must enable the control plane security feature on the controller before you configure campus APs in bridge mode.
*DON'T FORGET TO CONFIGURE THE NATIVE VLAN ON EACH VAP U ARE USING BRIDGE-MODE IN*
1. The AP will handle the 802.11 association, so no: the user will need to re-auth at each AP.
3. All those options will not be supported when using bridge mode:
Firewall—SIP/SCCP/RTP/RTSP Voice Support
Firewall—Alcatel NOE Support
Voice over Mesh
Video over Mesh
Rate Limiting for broadcast/multicast
Power save: Wireless battery boost
Power save: Drop wireless multicast traffic
Power save: Proxy ARP (global)
Power save: Proxy ARP (per-SSID)
Automatic Voice Flow Classification
SIP: SIP authentication tracking
SIP: CAC enforcement enhancements
SIP: Phone number awareness
SIP: R-Value computation
SIP: Delay measurement
Management: Voice-specific views
Management: Voice client statistics
Management: Voice client troubleshooting
Voice protocol monitoring/reporting
Layer 3 Mobility
IGMP Proxy Mobility
TKIP countermeasure mgmt
Bandwidth based CAC
Dynamic Multicast Optimization
User derivation rules
Firewall rules logging to syslog server
Spectrum load balancing
RF sensitivity tuning based channel reuse
Hope it clarifies your questions :smileyhappy:
Feel free to ask more if you have further questions.
Have a lovely week.
02-25-2013 06:20 AM
Answer to 1:
Any connection to a new AP requires 802.11 authenticate/associate.
If the SSID is open and the question is whether we maintain L3 information on the role (i.e. captive-portal assigned role), then yes, so the user won't keep getting CP every time he roams.
If the SSID is encrypted with a PSK, then EAPOL will need to be exchanged between the AP and client.
If the SSID is dot1X, then depending on whether the client supports OKC or PMK caching we might be able to do the key exchange without having to do a complete EAP exchange (OKC and PMK cache are supported in all forward modes).
As for 2, I'm not sure I understand the question. There are limits to the number of Virtual APs an AP can support concurrently (some APs support 8 BSSIDs per radio, others 16 per radio). If it's about how many profiles can be in the config, then there is practically no limit.
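The PMK caching and OKC behaviour mentioned in the reply above, shown as an added example that is not part of the original thread and is not Aruba's code. The PMKID formula is the one defined in IEEE 802.11i; the `Authenticator` class, its shared PMK store, and the MAC addresses and PMK are constructed for illustration.

```python
import hashlib
import hmac

def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def pmkid(pmk, aa, spa):
    """IEEE 802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class Authenticator:
    """Hypothetical AP-side decision model; `shared` stands in for a PMK store all APs can read."""
    def __init__(self, bssid, okc, shared):
        self.bssid, self.okc, self.shared = mac(bssid), okc, shared
        self.local = {}  # PMKID -> PMK for sessions that completed full EAP on this BSSID

    def full_eap(self, spa, pmk):
        """Record the PMK produced by a completed 802.1X/EAP exchange."""
        self.local[pmkid(pmk, self.bssid, spa)] = pmk
        self.shared[spa] = pmk

    def reassociate(self, spa, offered):
        """Classify a reassociation that carries PMKID `offered` in its RSN element."""
        if offered in self.local:
            return "pmk-cache"   # client returned to a BSSID it already authenticated on
        pmk = self.shared.get(spa)
        if self.okc and pmk is not None:
            expected = pmkid(pmk, self.bssid, spa)
            if hmac.compare_digest(expected, offered):
                self.local[expected] = pmk
                return "okc"     # same PMK, PMKID recomputed for the new BSSID
        return "full-eap"        # no usable key: complete EAP exchange via RADIUS

def roam_demo():
    """Constructed walk: one client, three APs, constructed PMK and MAC addresses."""
    pmk, spa, store = bytes(range(32)), mac("02:00:00:00:00:01"), {}
    ap1 = Authenticator("02:aa:00:00:00:01", True, store)
    ap2 = Authenticator("02:aa:00:00:00:02", True, store)
    ap3 = Authenticator("02:aa:00:00:00:03", False, store)  # OKC disabled
    ap1.full_eap(spa, pmk)
    return [
        ap2.reassociate(spa, pmkid(pmk, ap2.bssid, spa)),           # OKC roam to a new AP
        ap1.reassociate(spa, pmkid(pmk, ap1.bssid, spa)),           # return to the first AP
        ap3.reassociate(spa, pmkid(pmk, ap3.bssid, spa)),           # AP without OKC
        ap2.reassociate(spa, pmkid(b"\x00" * 32, ap2.bssid, spa)),  # PMKID from a wrong PMK
    ]

if __name__ == "__main__":
    print(roam_demo())
```

In the "pmk-cache" and "okc" outcomes only the EAPOL 4-way handshake follows; "full-eap" is the case where RADIUS latency matters.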
02-25-2013 01:58 PM
I am still a bit confused.
So from the end user's point of view (when the CAP is in Bridge mode), for an SSID with PSK, the connection will drop and re-associate when they roam. For an SSID with 802.1x, if the client supports OKC or PMK caching, then the connection will NOT drop, and just roam seamlessly?
Much appreciated for the clarification.
02-26-2013 01:43 AM
No matter what type of SSID (open, PSK, or Dot1X), the user of the device should not notice the device has roamed.
EAPOL exchange is just 4 packets, EAP+EAPOL is dependent on the size of client/server certificates, but only typically a couple of Kbytes, so the exchange takes place very quickly.
The only thing you do have to be aware of is the latency to the radius server when used over poor links, as this can add significant delay to completing dot1X.
In this sort of case you should look to use something like EAP-PWD but not many devices support it yet.
02-26-2013 02:17 AM
That is even more confusing. Actually, let me explain what I am trying to do.
The whole network is going to be within one site, so there should be no issue with network latency as there are 1/10G uplinks everywhere.
However, we are trying to explore the idea of having the user packets switched straight onto the wired network to avoid a bottleneck at the controller.
Therefore, we want to make sure there is no issue with fast roaming (the users don't want to get disconnected when they move from one place to another). Also spectrum load balancing, in case there are too many clients attached to one AP.
I understand Instant would probably be a better choice here, but I am worried about the high-density areas, for example lecture halls and large common areas.
02-26-2013 02:21 AM
Aruba Customer Engineering
02-26-2013 02:31 AM
From an Aruba perspective there is very little difference between roaming in tunnel mode and roaming in bridge mode.
The only major difference from a network perspective is that in tunnel mode the client at a L2 MAC level never moves between switch ports, but of course in local bridging as the client moves it moves between switch ports on the local switches, which should have no effect.
You could always select an A72x0 controller which we have recently released which is a lot more powerful than previous controllers.
RF designs for lecture halls can be complex; I believe we have a VRD for the same.
02-26-2013 02:36 AM
Thanks for the responses.
I agree tunnel mode will work if the network consists of 1/10G uplink everywhere.
I would like to explore deeper in terms of roaming in Bridge mode though. When the client moves from one AP to another AP (both in Bridge mode), what would the client experience? Will the client's connection get dropped, then reassociated and reauthenticated with the next AP? Is this process different between Open, PSK, and 802.1x authentication?