How many IPsec and GRE tunnels does a RAP construct?

Aruba Employee

A RAP can be configured with a mix of wired ports, wireless SSIDs, and forwarding modes that various client devices use to connect. Data from the client devices is tunneled through to the controller in the DMZ using IPsec-encrypted GRE data tunnels. In addition, Aruba Process Application Programming Interface (PAPI) control channels to the master are used for image and configuration download, heartbeats, air monitoring, and spectrum monitoring functions.


The number of tunnels depends on the forwarding modes and wired port configurations selected to meet the deployment's requirements.





The number of IPsec-encrypted GRE tunnels that the RAP constructs depends on the forwarding mode on each SSID and wired port.

1. Tunnel/Decrypt-tunnel mode: One GRE tunnel per SSID per wireless radio (2.4GHz b/g radio or 5GHz a radio), plus one GRE tunnel per active wired port.

2. Split-tunnel mode: The user data traffic from all split-tunnel wired ports and wireless SSIDs is multiplexed onto a single IPsec-encrypted GRE tunnel after the decrypt and encrypt process. However, every split-tunnel VAP and wired port configured for 802.1X forms a separate IPsec-encrypted GRE tunnel to the controller. This tunnel is used only for 802.1X exchanges.

3. Bridge mode: The user data traffic is never forwarded to the controller, so there is no IPsec-encrypted GRE tunnel to the controller for data traffic. However, each bridge mode SSID configured for 802.1X forms a GRE tunnel back to the controller on which the RAP terminates. This tunnel is used only for 802.1X exchanges.

The number of PAPI control channels constructed by a RAP, dedicated AM, or SM is two. One is used for heartbeats (GRE + PAPI keepalives). The other is used for image and configuration download, ARM, WIPS, and spectrum monitoring functions.
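The counting rules above can be applied to a planned RAP profile as in the following added example (not Aruba code or CLI output). The `Interface` model, the function name and the sample profile are constructed for illustration, and it assumes a split-tunnel VAP means one SSID on one radio.

```python
from dataclasses import dataclass

TUNNELED = {"tunnel", "decrypt-tunnel"}

@dataclass
class Interface:              # hypothetical model, not an ArubaOS object
    name: str
    kind: str                 # "ssid" or "wired"
    mode: str                 # tunnel, decrypt-tunnel, split-tunnel, bridge
    radios: int = 0           # radios carrying the SSID; unused for wired
    dot1x: bool = False       # 802.1X configured on this SSID/port
    active: bool = True       # wired port in use; unused for SSIDs

def count_rap_tunnels(interfaces):
    """Apply the per-mode rules and return tunnel counts by purpose."""
    data = dot1x_only = 0
    split_present = False
    for i in interfaces:
        if i.kind not in ("ssid", "wired"):
            raise ValueError(f"unknown kind on {i.name}: {i.kind}")
        vaps = i.radios if i.kind == "ssid" else 1
        if i.mode in TUNNELED:
            # One tunnel per SSID per radio, plus one per active wired port.
            if i.kind == "ssid" or i.active:
                data += vaps
        elif i.mode == "split-tunnel":
            split_present = True          # data shares one tunnel
            if i.dot1x:                   # separate 802.1X-only tunnel
                dot1x_only += vaps        # assumption: VAP = SSID x radio
        elif i.mode == "bridge":
            # No data tunnel; 802.1X bridge SSIDs get one tunnel each.
            if i.dot1x and i.kind == "ssid":
                dot1x_only += 1
        else:
            raise ValueError(f"unknown mode on {i.name}: {i.mode}")
    data += 1 if split_present else 0
    return {"data": data, "dot1x_only": dot1x_only,
            "gre_total": data + dot1x_only, "papi_control": 2}

# Constructed sample profile for a dual-radio RAP.
SAMPLE_RAP = [
    Interface("corp-voice", "ssid", "tunnel", radios=2),
    Interface("corp-data", "ssid", "split-tunnel", radios=2, dot1x=True),
    Interface("home-psk", "ssid", "bridge", radios=1),
    Interface("home-1x", "ssid", "bridge", radios=2, dot1x=True),
    Interface("eth1", "wired", "tunnel"),
    Interface("eth2", "wired", "split-tunnel"),
    Interface("eth3", "wired", "tunnel", active=False),
]

if __name__ == "__main__":
    print(count_rap_tunnels(SAMPLE_RAP))
```
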

Important note: ArubaOS 6.0 and later introduces an optimization to reduce the WAN bandwidth required by APs. Instead of exchanging one heartbeat (GRE keepalive) per tunnel, the RAP exchanges one heartbeat per AP. The PAPI keepalives are sent once every 10 minutes (previously every 60 seconds) and are used only for time synchronization. The time interval between keepalives is not configurable. Excluding user traffic, a pre-ArubaOS 6.0 RAP with three BSSIDs requires approximately 9 kb/s of consistent bandwidth. With ArubaOS 6.0 and later, the same RAP requires just 3 kb/s.





Version history: Revision 1 of 1. Last update: 07-02-2014 03:40 PM