Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Aruba Wireless packet flow from user to server

Jump to Best Answer
  • 1.  Aruba Wireless packet flow from user to server

    Posted Jun 13, 2019 01:40 AM

    Hello Everyone, Could anyone help me to understand the packet flow from user to there server in different network.



  • 2.  RE: Aruba Wireless packet flow from user to server

    Posted Jun 14, 2019 10:54 AM

    Your client decides to transmit data. The crypto processor in the client wireless adapter encrypts the data, and the wireless adapter creates an 802.11 frame from this. This frames includes 3 address fields, that represent 5 pieces of information (L2 source, L2 destination, transmitter, receiver, BSSID). The frame is transmitted through the air and is received by the AP.

     

    The AP needs to forward this frame to the controller (assuming tunnel/GRE mode is being used which is the default and most common mode of forwarding). The AP bridge/routes it to the controller across an 802.3 network, however the frame that the AP received is an 802.11 frame, which cannot travel natively across an 802.3 network. So the AP wraps the 802.11 frame inside an 802.3 frame. This is call encapsulation, GRE, or tunneling. The 802.3 frame is then brige/routed across the network to the controller.

     

    The controller receives the frame, stips off the 802.3 header, and throws it away. It's only purpose was to transport it from the AP to the controller. The controller then pulls out the L2 source and L2 destination headers from the 802.11 frame. The controller then unencrypts the data from the 802.11 frame. The controller then tasks the L2 source, L2 destination, and 802.11 data and runs it through the firewall on the Aruba controller. If the firewall rule allows the frame to traverse the firewall and continue, then the controller now has the data and needs to decide what to do with it.

     

    The controller is now acting as an L2 or L3 switch and will forward the data to whereever it needs to go, just like any switch would do, based upon the L2 or L3 addressing that was part of the initial transmission.

     

    I hope this helps,

     



  • 3.  RE: Aruba Wireless packet flow from user to server

    Posted Jun 14, 2019 11:46 PM
      |   view attached

    Aruba.jpg

    I understand the process when AP gets the first packet from Client it should be authenticated by the clear pass then the controller put the traffic on designated VLAN but my doubt occurs is this process happen initially for the first time and thereafter customer Data traffic do not reach to the controller and it is routed within LAN 

    If you go by topology attached User is connected to access switch and customer WAN router is also connected to the same access switch but controller and Clearpass are on Core switch in this scenario how will be the flow of User Data traffic, not management as i know it will go to controller

     

     

     



  • 4.  RE: Aruba Wireless packet flow from user to server
    Best Answer

    Posted Jun 14, 2019 11:54 PM

    If your SSID is configured for tunnel mode forwarding, then the user traffic will always follow the path I described. Even 



  • 5.  RE: Aruba Wireless packet flow from user to server

    Posted Jun 15, 2019 12:27 AM

    Thank you for your reply.

     

    Could you also explain the flow when AP is using bridge mode?



  • 6.  RE: Aruba Wireless packet flow from user to server

    Posted Jun 15, 2019 12:41 AM

    Bridge mode is "highly" not recommended. Here is how bridge mode works.

     

    Your client decides to transmit data. The crypto processor in the client wireless adapter encrypts the data, and the wireless adapter creates an 802.11 frame from this. This frames includes 3 address fields, that represent 5 pieces of information (L2 source, L2 destination, transmitter, receiver, BSSID). The frame is transmitted through the air and is received by the AP.

     

    The AP at this point decrypts the frame and then forwards it directly onto the local network. Since the AP is decrypting the frame, it needs any encryption keys sent to it from the controller. Configuration communications between the controller and AP is known as "control traffic". Control traffic is sent using a protocol known as PAPI. PAPI is not a secure protocol. In order to make it secure, Aruba implemented a technology known as CPsec, which is essentially PAPI encrypted with IPsec. Therefore, in order to deploy Bridge mode, CPsec must be enabled.

     



  • 7.  RE: Aruba Wireless packet flow from user to server

    Posted Oct 23, 2020 10:50 PM

    What about how traffic flows back from the server back to the AP then to the user? Assuming using tunnel forwarding mode.



  • 8.  RE: Aruba Wireless packet flow from user to server

    Posted Oct 23, 2020 10:58 PM

    Correct, same process in reverse.



  • 9.  RE: Aruba Wireless packet flow from user to server

    Posted Oct 23, 2020 11:33 PM

    So just to confirm my understanding:

     

    1. Client->AP -> Controller->Switch->Server

    Client forwards out traffic.

     

    -Client sends out traffic

     

    - AP encrypts with 802.3 source IP and MAC address of AP.

     

    - Controller decrypts and forwards with source IP and MAC address being the Client Device.

     

    -Switch updates ARP and MAC Address Table of client IP and MAC Address belonging to port connected to controller

     

    2. Server->Switch->Controller->AP->Client

     

    -Server replies back with destination IP of the Client.

     

    -Switch sees ARP and MAC address table info for the Client and sees that it resides on the port connected to Controller and forwards it there.

     

    So from here, how does the controller process the traffic to return to controller?

     

    It creates a tunnel with IP destination of AP then when AP receives it, it will send back to the Client device?



  • 10.  RE: Aruba Wireless packet flow from user to server

    Posted Oct 23, 2020 11:50 PM

    Client takes the data that it is transmitting, and encrypts that data. The client then creates the 802.11 frame with the encrypted data as the payload, and adds the necessary layer 2 addresses to the frame. The client then transmits the frame into the air using the RF radio.

     

    The AP receives the frame. The AP needs to forward the frame to the controller, but an 802.11 frame cannot be transported across an 802.3 network, they are different, in the same way that a car cannot travel along rail road tracks. If you want to transport a car along railroad tracks, you put the car in the train. So the AP takes the 802.11 frame and puts it into an 802.3 frame. The 802.3 frame is then bridged and or routed across the 802.3 network until it arrives at the controller. Putting the 802.11 frame inside the 802.3 frames is known as Generic Routing Encapsulation (GRE) or tunneling. GRE does not encrypt anything, it just encapsulates it.

     

    The controller takes the 802.3 frame, and removes the 802.3 header, because the only reason for the 802.3 header was to direct the frame to the controller, and since it as arrived, it is no longer needed. Kinda like receiving a FEDEX envelope. Once you open the envelope and remove the letter inside, the FEDEX envelope is no longer needed. After the 802.3 header is removed, the controller takes the layer 2 source and destination address from the 802.11 header. The controller then decrypts the frame and now has the original data that was being sent. The controller takes the layer2 source and destination fields, along with the data and runs it through the firewall that is on the controller.

     

    If the firewall rules allow the frame through the firewall, the controller processes the frame at that point the save way any layer 2 or layer switch would process it. At this point that is essentially what the controller is, a layer 2 or layer 3 access layer device. The controller with then bridge or route the frame to the next destination.

     

    To reverse the process, when the controller receives a data that needs to be sent to a wireless client, the controller will take the data, encrypt it, add the 802.11 header to the encrypted data along with the necessary layer 2 address. The controller then puts the 802.11 frame inside an 802.3 frame and bridges it and/or routes it the the AP. The AP then strips off the 802.3 header and transmits the 802.11 frame into the air.

     

    The client will hear the frame, receive it, then decrypt the frame, and process it.



  • 11.  RE: Aruba Wireless packet flow from user to server

    Posted Oct 23, 2020 11:54 PM

    Thanks for the clear explanation!



  • 12.  RE: Aruba Wireless packet flow from user to server

    Posted 29 days ago
    Great explanation @westcott ; wonderful, and thank you.

    Just to get more clarity, ​does your explanation also match for traffic flow between wireless clients and IAPs in an IAP cluster managed by Airwave?

    That's actually my own scenario. I understand that one of the IAPs act as a master thereby becoming the virtual controller of all the other IAPs. 

    Just want to be sure if your explanation still holds or something different.


    Original Message:
    Sent: Oct 23, 2020 11:49 PM
    From: David Westcott
    Subject: Aruba Wireless packet flow from user to server

    Client takes the data that it is transmitting, and encrypts that data. The client then creates the 802.11 frame with the encrypted data as the payload, and adds the necessary layer 2 addresses to the frame. The client then transmits the frame into the air using the RF radio.

     

    The AP receives the frame. The AP needs to forward the frame to the controller, but an 802.11 frame cannot be transported across an 802.3 network, they are different, in the same way that a car cannot travel along rail road tracks. If you want to transport a car along railroad tracks, you put the car in the train. So the AP takes the 802.11 frame and puts it into an 802.3 frame. The 802.3 frame is then bridged and or routed across the 802.3 network until it arrives at the controller. Putting the 802.11 frame inside the 802.3 frames is known as Generic Routing Encapsulation (GRE) or tunneling. GRE does not encrypt anything, it just encapsulates it.

     

    The controller takes the 802.3 frame, and removes the 802.3 header, because the only reason for the 802.3 header was to direct the frame to the controller, and since it as arrived, it is no longer needed. Kinda like receiving a FEDEX envelope. Once you open the envelope and remove the letter inside, the FEDEX envelope is no longer needed. After the 802.3 header is removed, the controller takes the layer 2 source and destination address from the 802.11 header. The controller then decrypts the frame and now has the original data that was being sent. The controller takes the layer2 source and destination fields, along with the data and runs it through the firewall that is on the controller.

     

    If the firewall rules allow the frame through the firewall, the controller processes the frame at that point the save way any layer 2 or layer switch would process it. At this point that is essentially what the controller is, a layer 2 or layer 3 access layer device. The controller with then bridge or route the frame to the next destination.

     

    To reverse the process, when the controller receives a data that needs to be sent to a wireless client, the controller will take the data, encrypt it, add the 802.11 header to the encrypted data along with the necessary layer 2 address. The controller then puts the 802.11 frame inside an 802.3 frame and bridges it and/or routes it the the AP. The AP then strips off the 802.3 header and transmits the 802.11 frame into the air.

     

    The client will hear the frame, receive it, then decrypt the frame, and process it.



  • 13.  RE: Aruba Wireless packet flow from user to server

    Posted 28 days ago
    No. In an IAP network, when the client traffic arrives at the IAP, the IAP decrypts the frame, runs the frame through the firewall and forwards the frame onto the network. Each IAP handles the traffic for the clients that are connected to it. The VC is not involved.

    ------------------------------
    David Westcott
    ------------------------------