10-27-2014 03:17 PM
It means that all the Client traffic from AP is tunnel to the controller
AP > Switch > Controller
or IPSEC tunnel if you have CPSec enabled or the traffic is coming from a Remote AP
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
10-27-2014 05:31 PM
The follwing is taken from the 6.3. User Guide. It describes the various forwarding modes in addition to tunnel.
This parameter controls whether data is tunneled to the controller using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to thecontroller, and Internet access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.
Click the drop-down list to select one of the following forward modes:
Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to thecontroller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.
Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.
An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. Note that you must enable the control plane security feature on the controller before you configure campus APs in bridge mode.
Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the controller, and Internet access remains local).
A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. the 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.
Decrypt-Tunnel: Both remote and campus APs can be configured in decrypt-tunnelmode. When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the controller, which then applies firewall policies to the user traffic.
When the controller sends traffic to a client, the controller sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 andforwards to the client. This forwarding mode allows a network to utilize the encryption/decryption capacity of the AP while reducing the demand for processing resources on the controller.
APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames. APs using decrypt-tunnel mode do have some limitations that not present for APs in regular tunnel forwarding mode.
You must enable the control plane security feature on the controller before you configure campus APs in decrypt-tunnel forward mode.
NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the controller. Key slot 1 should only be used with Virtual APs in tunnel mode.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
11-04-2014 06:33 AM
To be precise about crypto, because it is important:
In Tunnel mode the original WiFi encryption that was used over the air is unbroken all the
way to the controller. Because of this, certain features cannot happen at the AP and must wait until the traffic is in the controller to happen.
In decrypt-tunnel mode the behavior depends on whether the AP is "remote" or not. If it is "remote", all traffic is decrypted, then reencrypted. If it is not "remote" a.k.a "campus" then most of the client traffic goes over the GRE tunnel unencrypted, even if you have control plane security enabled. For "campus" APs in decrypt tunnel mode, only infrastructure communication is encrypted, not client traffic.
Now "remote" may mostly just mean "turn on crypto" but be aware there are restrictions on remote APs that make them incompatible, at least at present, with certain feature sets, like HA failover.