
Occasional Contributor I

Campus AP in Bridge mode

Hi Experts


I would like to ask a few questions regarding the Campus AP in Bridge mode:


1. For a Campus AP in bridge mode, does it support fast roaming, or will the client need to re-authenticate every time it roams?

2. Is there a max number of bridge mode AP in a virtual AP profile?

3. Is spectrum load balance and traffic shaping supported in this AP mode?


I am referring to a campus AP to which a controller is always connected.


I look forward to your clarification.



Re: Campus AP in Bridge mode



Please read the following info:

Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. Note that you must enable the control plane security feature on the controller before you configure campus APs in bridge mode.




1. The AP will handle the 802.11 association, so no - the user will need to re-auth on each AP.


3. All these options are not supported when used in Bridge mode:

Firewall—SIP/SCCP/RTP/RTSP Voice Support
Firewall—Alcatel NOE Support
Voice over Mesh
Video over Mesh
Named VLAN
Captive portal
Rate Limiting for broadcast/multicast
Power save: Wireless battery boost
Power save: Drop wireless multicast traffic
Power save: Proxy ARP (global)
Power save: Proxy ARP (per-SSID)
Automatic Voice Flow Classification

SIP: SIP authentication tracking
SIP: CAC enforcement enhancements
SIP: Phone number awareness
SIP: R-Value computation
SIP: Delay measurement
Management: Voice-specific views
Management: Voice client statistics
Management: Voice client troubleshooting
Voice protocol monitoring/reporting
H.323 ALG
Vocera ALG
Layer 3 Mobility
IGMP Proxy Mobility
Mobile IP
TKIP countermeasure mgmt
Bandwidth based CAC
Dynamic Multicast Optimization

User derivation rules

Firewall rules logging to syslog server

Spectrum load balancing

RF sensitivity tuning based channel reuse


Hope it clarifies your questions.

Feel free to ask more if you have further questions.


Have a lovely week.



Occasional Contributor I

Re: Campus AP in Bridge mode


Thank you for your response.

What about layer 2 roaming in bridge mode? Is re-auth required as mentioned?
In this case, what features in ARM will still be provided?

Aruba Employee

Re: Campus AP in Bridge mode

Answer to 1:

Any connection to a new AP requires 802.11 authenticate/associate.


If the SSID is open and the question is whether we maintain L3 information on role (i.e. captive-portal assigned role), then yes, so the user won't keep getting CP every time he roams.


If the SSID is encrypted with a PSK, then EAPOL will need to be exchanged between AP and client.


If the SSID is dot1X, then depending on whether the client supports OKC or PMK caching, we might be able to do the key exchange without having to do a complete EAP exchange (OKC and PMK cache are supported in all forward modes).



As for 2, I'm not sure I understand the question. There are limits to the number of Virtual APs an AP can support concurrently (some APs support 8 BSSIDs per radio, others 16 per radio); if it's about how many profiles can be in the config, then there is practically no limit.
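
Added example, not part of the original thread and not Aruba code: a toy model of the dot1X roaming cases in the answer above, showing why a PMKID match lets the new AP skip the full EAP exchange. The `AP` class, `simulate` function, MAC addresses and PMK are constructed for illustration, and the way the PMK reaches the second AP under OKC is an assumption of the model.

```python
import hashlib
import hmac

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def pmkid(pmk: bytes, bssid: str, sta: str) -> bytes:
    # IEEE 802.11 (SHA-1 based 802.1X AKM):
    # PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA),
    # where AA is the AP's BSSID and SPA is the client MAC.
    msg = b"PMK Name" + mac_bytes(bssid) + mac_bytes(sta)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

class AP:
    """Toy AP (hypothetical) holding the PMKs it knows, keyed by client MAC."""
    def __init__(self, bssid: str):
        self.bssid = bssid
        self.pmks = {}

    def reassociate(self, sta: str, offered_pmkids: set) -> str:
        # The client lists PMKIDs in its (re)association request; a match
        # against a PMK the AP holds means only the 4-way handshake is needed.
        pmk = self.pmks.get(sta)
        if pmk is not None and pmkid(pmk, self.bssid, sta) in offered_pmkids:
            return "4-way handshake only"
        return "full EAP exchange"

# Constructed sample values: locally administered MACs and a dummy 256-bit PMK.
STA = "02:00:00:00:00:aa"
PMK = bytes(range(32))

def simulate(okc: bool) -> list:
    ap1, ap2 = AP("02:00:00:00:00:01"), AP("02:00:00:00:00:02")
    ap1.pmks[STA] = PMK                        # initial full 802.1X at AP1
    client_cache = {pmkid(PMK, ap1.bssid, STA)}
    if okc:
        ap2.pmks[STA] = PMK                    # assumption: PMK shared with AP2
        # OKC client derives a PMKID for the new BSSID from the same PMK.
        client_cache.add(pmkid(PMK, ap2.bssid, STA))
    return [
        ap2.reassociate(STA, client_cache),    # first roam to AP2
        ap1.reassociate(STA, client_cache),    # roam back to AP1 (PMK cache hit)
    ]

if __name__ == "__main__":
    print("PMK caching only:", simulate(okc=False))
    print("With OKC:        ", simulate(okc=True))
```

Because the BSSID is an input to the PMKID, a cached entry for one AP never matches at another; OKC works only because both sides recompute the PMKID for the new BSSID from the same PMK.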



Occasional Contributor I

Re: Campus AP in Bridge mode



I am still a bit confused.


So from the end user's point of view (when the CAP is in Bridge mode), for an SSID with PSK, the connection will drop and re-associate when they roam. For an SSID with 802.1x, if the client supports OKC or PMK caching, then the connection will NOT drop, and just roam seamlessly?


The clarification is much appreciated.



Aruba Employee

Re: Campus AP in Bridge mode

No matter what type of SSID (open, PSK, or Dot1X), the user of the device should not notice the device has roamed.

EAPOL exchange is just 4 packets; EAP+EAPOL is dependent on the size of client/server certificates, but is typically only a couple of Kbytes, so the exchange takes place very quickly.


The only thing you do have to be aware of is the latency to the RADIUS server when used over poor links, as this can add significant delay to completing dot1X.

In this sort of case you should look to use something like EAP-PWD but not many devices support it yet.

Occasional Contributor I

Re: Campus AP in Bridge mode

That is even more confusing. Actually, let me explain what I am trying to do.


The whole network is going to be within one site, so there should be no issue with network latency as there are 1/10G uplinks everywhere.

However, we are trying to explore the idea of having user packets switched straight onto the wired network to avoid a bottleneck at the controller.

Therefore, we want to make sure there is no issue with fast roaming (the users don't want to get disconnected when they move from one place to another). Also spectrum load balancing, in case there are too many clients attached to one AP.

I understand Instant would probably be a better choice here, but I am worried about the high-density areas, for example lecture halls and large common areas, etc.

Guru Elite

Re: Campus AP in Bridge mode

If you have gig everywhere, you should have no problems using tunnel mode, at all, period. Everything will be supported.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Aruba Employee

Re: Campus AP in Bridge mode

From an Aruba perspective there is very little difference between roaming in tunnel mode and roaming in bridge mode.

The only major difference from a network perspective is that in tunnel mode the client at a L2 MAC level never moves between switch ports, but of course in local bridging as the client moves it moves between switch ports on the local switches, which should have no effect.


You could always select an A72x0 controller which we have recently released which is a lot more powerful than previous controllers.


RF designs for lecture halls can be complex; I believe we have a VRD for the same.



Occasional Contributor I

Re: Campus AP in Bridge mode

Hi all


Thanks for the responses.


I agree tunnel mode will work if the network consists of 1/10G uplinks everywhere.


I would like to explore deeper in terms of roaming in Bridge mode though. When the client moves from one AP to another AP (both in Bridge mode), what would the client experience? Will the client's connection get dropped then reassociated and reauthenticated with the next AP? Is this process different between Open, PSK, and 802.1x authentication?


Thanks again
