When to use 5.0 Decrypt-tunnel forward mode


I'm trying to figure out when to use the new decrypt tunnel forwarding mode on the VAP in 5.0 software.

The customer has got WAN accelerating equipment for their wired segment between HQ and branch offices. The network between HQ and Branch is a VPN MPLS network with no restrictions in regard to traffic.

But when applying campus APs on the Branch office, we cannot optimize the traffic from the corporate SSID because it's encrypted from the client, through the campus AP on the branch, then through the MPLS VPN and the WAN accelerating equipment to the HQ controller.

Is it possible to use the decrypt-tunnel forward mode so that the wireless traffic can also be optimized through the WAN?

Optimizing equipment in this case is Riverbed boxes.

Ole M

Re: When to use 5.0 Decrypt-tunnel forward mode

One of the uses for decrypt-tunnel mode is to squeeze more performance out of some controllers. All controllers have a crypto throughput number and a firewall throughput value. On some controllers the firewall throughput is higher than the crypto throughput. In this case, decrypt-tunnel mode moves the crypto to the APs so you can use the higher firewall throughput capacity.

To answer your question, in decrypt-tunnel mode the AP will send the client frames as clear-text 802.3 frames inside GRE. So if the Riverbed can dig past the GRE header then it could provide optimization for the traffic.

Christopher Leach - CISSP, ACDX, ACMX
Director, Training and Certification
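
What "digging past the GRE header" in the answer above involves for any device on the path, as an added example that is not part of the original thread. It assumes standard GRE framing over IPv4 (RFC 2784/2890); the function names are hypothetical, and the sample packet, its addresses and the 0x6558 protocol type are constructed, since the thread does not state the value the AP uses.

```python
import struct

GRE_PROTO = 47  # IP protocol number for GRE

def inner_frame(ip_packet: bytes):
    """Return (gre_protocol_type, inner_bytes), or None if not IPv4/GRE."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4          # outer IP header length
    if ip_packet[9] != GRE_PROTO or len(ip_packet) < ihl + 4:
        return None
    flags, ptype = struct.unpack_from("!HH", ip_packet, ihl)
    if flags & 0x4007:   # deprecated routing bit or non-zero version: not handled
        return None
    # Optional fields add 4 bytes each: checksum (C), key (K), sequence (S)
    hdr = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if len(ip_packet) < ihl + hdr:
        return None
    return ptype, ip_packet[ihl + hdr:]

def parse_ethernet(frame: bytes):
    """Split a clear-text Ethernet frame into addresses, type and payload."""
    if len(frame) < 14:
        return None
    dst, src, etype = struct.unpack_from("!6s6sH", frame)
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": etype, "payload": frame[14:]}

def build_sample(gre_flags=0x2000):
    """Constructed packet: IPv4 / GRE (optional key) / Ethernet / payload."""
    inner = bytes.fromhex("aabbccddeeff" "020000000001" "0800") + b"cleartext-payload"
    gre = struct.pack("!HH", gre_flags, 0x6558)   # 0x6558 is an assumed value
    if gre_flags & 0x2000:
        gre += struct.pack("!I", 1)               # constructed key field
    total = 20 + len(gre) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, GRE_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + gre + inner

if __name__ == "__main__":
    ptype, inner = inner_frame(build_sample())
    eth = parse_ethernet(inner)
    print(hex(ptype), eth["src"], "->", eth["dst"], hex(eth["ethertype"]), eth["payload"])
```

Because the inner frame is readable at a fixed offset once the GRE flags are parsed, the client payload is visible to every hop between the AP and the controller, not only to the optimizer.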