We are having a debate at work on whether a particular configuration should be using a “Forward mode” of “bridge” or “tunnel” in the “Wired AP” profile used on the “Ethernet interface port configuration” applied to an Access Point.
Here’s the setup. We are a large campus with many buildings. A typical building has fiber coming in to a main switch. The main switch is connected to child switches which could be connected to their own child switches and so on. Access Points (APs) and other devices are connected to these switches and the different types of devices are partitioned into VLANs. The Ethernet ports on the APs are always configured to “tunnel” forward mode. Thus, traffic from an AP tunnels back to the Mobility controller while traffic from other devices on the same switch follows whatever paths have been established for it. Hopefully this makes perfect sense.
Now consider a building, X, that does not have fiber coming in to it but which has a switch to support wired connections within the building, including APs, like any other building. Building X is across the street from Building Y, which does have fiber and is setup as described in the previous paragraph. In order to connect Building X to the network, we use Aruba mesh nodes to create a wireless bridge from Building X to Building Y. In the abstract, you could view Building X as just another floor of Building Y, which connects to building Y’s main switch via a wireless bridge instead of a copper wire.
The wireless bridge is composed of a mesh “point” located at Building X, and a mesh “portal” located at Building Y. Of course the “Mesh Cluster” profile is using encryption so that unencrypted traffic, like a telnet password for logging in to Building X’s switch, is not broadcast out on the public airwaves. And of course the “Forward mode” of the “Wired AP” profile for the mesh point at Building X is set to “bridge,” since there is no controller to tunnel to in Building X. Hopefully I am stating things clearly and have not lost the audience.
Here is where the disagreement comes in. Should the “Forward mode” of the “Wired AP” profile for the mesh portal at Building Y be set to “bridge” or “tunnel?” Before you answer, consider an ordinary AP located in Building X. Like an AP in any other building, it will establish a tunnel back to the controller. If the mesh portal in Building Y is also set up to tunnel, then the tunneled traffic from the AP in Building X will be placed inside a second tunnel created by the mesh portal. Consider also an ordinary PC in Building X. If the mesh portal in Building Y is set up to tunnel, then, unlike a PC in any other building, this PC’s traffic will be tunneled back to the Mobility controller by the mesh portal before it is released to be routed wherever it wants to go. You have probably detected which side of the debate I fall on.
The argument in favor of “bridge” mode is that the only purpose of the wireless bridge (be careful, we are using the word “bridge” in different contexts here and it means slightly different things) is to emulate a copper connection between a child switch in Building X, and its parent switch in Building Y. There is no extra trunking required, the switches are configured like they are in any other building.
The argument in favor of “tunnel” mode is unclear but there seems to be strong sentiment in favor of it. Perhaps someone on this forum can offer some insight as to why tunnel mode should be preferred to bridge mode in this use case. Perhaps there is some consideration that I have overlooked that would explain a preference for tunnel mode.
All commentary is welcome. Anyone care to weigh in?
As long as there is not a situation where there is limited bandwidth, it is a matter of personal style. If bridge or tunnel is making (1) administration harder (2) application visibility limited or (3) traffic degraded, choose the opposite forwarding mode.
+1 for bridge mode, especially if there are APs on the other side of that mesh point, don't want double encapuslation up to the controller.
FWIW over the years with almost no exceptions, each Aruba mesh network I have seen where it was providing backhaul connectivity to campus buildings, ran the wired ports in bridge mode.
Thanks, Jeff, just the sort of info I was looking for.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.