Great explanation
@westcott ; wonderful, and thank you.
Just to get more clarity, does your explanation also match for traffic flow between wireless clients and IAPs in an IAP cluster managed by Airwave?
That's actually my own scenario. I understand that one of the IAPs acts as a master, thereby becoming the virtual controller of all the other IAPs.
Just want to be sure if your explanation still holds or something different.
Original Message:
Sent: Oct 23, 2020 11:49 PM
From: David Westcott
Subject: Aruba Wireless packet flow from user to server
Client takes the data that it is transmitting, and encrypts that data. The client then creates the 802.11 frame with the encrypted data as the payload, and adds the necessary layer 2 addresses to the frame. The client then transmits the frame into the air using the RF radio.
The AP receives the frame. The AP needs to forward the frame to the controller, but an 802.11 frame cannot be transported across an 802.3 network; they are different, in the same way that a car cannot travel along railroad tracks. If you want to transport a car along railroad tracks, you put the car in the train. So the AP takes the 802.11 frame and puts it into an 802.3 frame. The 802.3 frame is then bridged and/or routed across the 802.3 network until it arrives at the controller. Putting the 802.11 frame inside the 802.3 frame is known as Generic Routing Encapsulation (GRE) or tunneling. GRE does not encrypt anything, it just encapsulates it.
The controller takes the 802.3 frame and removes the 802.3 header, because the only reason for the 802.3 header was to direct the frame to the controller, and since it has arrived, it is no longer needed. Kinda like receiving a FEDEX envelope. Once you open the envelope and remove the letter inside, the FEDEX envelope is no longer needed. After the 802.3 header is removed, the controller takes the layer 2 source and destination address from the 802.11 header. The controller then decrypts the frame and now has the original data that was being sent. The controller takes the layer 2 source and destination fields, along with the data, and runs it through the firewall that is on the controller.
If the firewall rules allow the frame through the firewall, the controller processes the frame at that point the same way any layer 2 or layer 3 switch would process it. At this point that is essentially what the controller is, a layer 2 or layer 3 access layer device. The controller will then bridge or route the frame to the next destination.
To reverse the process, when the controller receives data that needs to be sent to a wireless client, the controller will take the data, encrypt it, and add the 802.11 header to the encrypted data along with the necessary layer 2 addresses. The controller then puts the 802.11 frame inside an 802.3 frame and bridges and/or routes it to the AP. The AP then strips off the 802.3 header and transmits the 802.11 frame into the air.
The client will hear the frame, receive it, then decrypt the frame, and process it.
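The encapsulation steps David describes, as an added stand-alone example (not code from the original post, not Aruba's own code). It builds a protected 802.11 data frame the way the client would, has the "AP" wrap it in Ethernet/IPv4/GRE byte-for-byte, and has the "controller" strip the outer headers, read the 802.11 addresses and decrypt. The cipher is a labelled SHA-256 XOR stand-in for CCMP/GCMP so the example runs on the standard library, the GRE protocol-type value and all MACs/IPs are constructed for the demo, and the `wire_observer` function shows the point that matters for anyone auditing the wired path: the client MAC and the ciphertext are readable in the tunnel, the plaintext is not.

```python
"""Toy model of the client -> AP -> controller packet flow (added example).
Pure stdlib. The 'encryption' is a stand-in, not WPA2/WPA3 CCMP/GCMP."""
import hashlib
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
# Assumed protocol-type for the tunnelled 802.11 frame in this toy tunnel;
# this example makes no claim about the value a real controller/AP uses.
GRE_PROTO_80211 = 0x8200


def mac(text: str) -> bytes:
    """'02:00:00:00:00:aa' -> 6 raw bytes."""
    return bytes(int(b, 16) for b in text.split(":"))


def ip(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


# Constructed demo identities (not real devices).
CLIENT = mac("02:00:00:00:00:aa")      # wireless client
BSSID = mac("02:00:00:00:00:01")       # AP radio
GATEWAY = mac("02:00:00:00:ff:01")     # destination behind the controller
AP_WIRED_MAC = mac("02:00:00:00:00:02")
CTRL_MAC = mac("02:00:00:00:00:03")
AP_IP, CTRL_IP = ip("10.0.0.10"), ip("10.0.0.1")
PTK, NONCE = b"demo-pairwise-key", b"\x00\x00\x00\x00\x00\x01"
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the pairwise cipher: SHA-256 keystream XOR. Symmetric, so it
    also decrypts. No integrity tag; for this demo only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", off // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def build_80211_data(client: bytes, bssid: bytes, dest: bytes, payload: bytes) -> bytes:
    """Client step: 802.11 data frame, To-DS=1, Protected=1.
    To-DS address order: addr1=BSSID, addr2=SA (client), addr3=DA."""
    fc = struct.pack("<H", 0x0008 | 0x0100 | 0x4000)  # data | To-DS | Protected
    return fc + b"\x00\x00" + bssid + client + dest + b"\x00\x00" + payload


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(ap_mac, ctrl_mac, ap_ip, ctrl_ip, inner: bytes) -> bytes:
    """AP step: Ethernet + IPv4 + GRE around the untouched 802.11 frame.
    Nothing here encrypts; the inner frame is copied verbatim."""
    gre = struct.pack("!HH", 0, GRE_PROTO_80211)  # no C/K/S option fields
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner),
                         0x1234, 0x4000, 64, IPPROTO_GRE, 0, ap_ip, ctrl_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ctrl_mac + ap_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + gre + inner


def gre_decapsulate(wire: bytes) -> bytes:
    """Controller step 1: open the envelope. Returns the inner 802.11 frame."""
    if struct.unpack("!H", wire[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ihl = (wire[14] & 0x0F) * 4
    if wire[14 + 9] != IPPROTO_GRE:
        raise ValueError("not GRE")
    total_len = struct.unpack("!H", wire[16:18])[0]
    gre_off = 14 + ihl
    flags, proto = struct.unpack("!HH", wire[gre_off:gre_off + 4])
    if flags & 0xB000:  # checksum/key/sequence present: not handled in this toy
        raise ValueError("unsupported GRE options")
    if proto != GRE_PROTO_80211:
        raise ValueError("unexpected GRE protocol type")
    return wire[gre_off + 4:14 + total_len]


def parse_80211_data(frame: bytes) -> dict:
    """Controller step 2: pull the L2 addresses out of the 802.11 header."""
    fc = struct.unpack("<H", frame[0:2])[0]
    if fc & 0x000C != 0x0008:
        raise ValueError("not a data frame")
    flags = fc >> 8
    return {"to_ds": bool(flags & 0x01), "protected": bool(flags & 0x40),
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
            "payload": frame[24:]}


def controller_receive(wire: bytes, ptk: bytes, nonce: bytes) -> tuple:
    """Steps 1-3: decapsulate, read addresses, decrypt. Returns (SA, DA,
    plaintext), the tuple the controller's firewall would then evaluate."""
    hdr = parse_80211_data(gre_decapsulate(wire))
    if not (hdr["to_ds"] and hdr["protected"]):
        raise ValueError("expected a protected To-DS frame")
    return hdr["addr2"], hdr["addr3"], toy_cipher(ptk, nonce, hdr["payload"])


def wire_observer(wire: bytes, plaintext: bytes, ciphertext: bytes) -> dict:
    """What a sniffer between AP and controller sees: the GRE tunnel exposes
    the client MAC and the ciphertext, but not the decrypted data."""
    hdr = parse_80211_data(gre_decapsulate(wire))
    return {"client_mac": hdr["addr2"], "sees_ciphertext": ciphertext in wire,
            "sees_plaintext": plaintext in wire}


def demo() -> dict:
    ciphertext = toy_cipher(PTK, NONCE, PLAINTEXT)                       # client encrypts
    frame = build_80211_data(CLIENT, BSSID, GATEWAY, ciphertext)         # client frames it
    wire = gre_encapsulate(AP_WIRED_MAC, CTRL_MAC, AP_IP, CTRL_IP, frame)  # AP tunnels it
    sa, da, plain = controller_receive(wire, PTK, NONCE)                 # controller
    return {"sa": sa, "da": da, "plaintext": plain, "wire_len": len(wire),
            "observer": wire_observer(wire, PLAINTEXT, ciphertext)}


if __name__ == "__main__":
    r = demo()
    print("SA", r["sa"].hex(":"), "DA", r["da"].hex(":"), r["plaintext"][:15])
    print("wire observer:", r["observer"])
```

The return path is the same code run the other way: the controller encrypts, builds a From-DS frame (addr1=DA client, addr2=BSSID, addr3=SA) and tunnels it, and the AP strips the outer 38 bytes before radiating the 802.11 frame.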