Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Mesh traffic flow

  • 1.  Mesh traffic flow

    Posted Sep 18, 2018 12:41 PM

    I just want to make sure I am clear on how Mesh traffic flows and where encryption and authentication take place in tunneled mode. Given the diagram below, are the following statements correct:

    1) 802.1x authentication for the SSIDs on the Mesh Point is secured inside the Mesh Backhaul via AES and sent to the controller, which actually performs the 802.1x authentication for wireless users

    2) For the wireless SSIDs, wireless traffic is encrypted and decrypted at the Mesh Point.

    3) Both the wireless and wired traffic are put in GRE tunnels between the Mesh Point and the Mesh controller

    4) Over the Mesh backhaul the tunneled traffic is AES encrypted using the MSSID PSK

    5) Between the mesh portal and the controller the tunneled traffic is not encrypted but is still in GRE tunnels

     

    Thanks for any input!

    WiFI bridge_L2_v3.png



  • 2.  RE: Mesh traffic flow
    Best Answer

    EMPLOYEE
    Posted Sep 22, 2018 10:41 PM

    1) For 802.1X authentication on SSIDs, the controller performs the actual authentication. For the mesh point(s), this connection is carried across the mesh backhaul SSID and protected via that SSID (in addition to the protection provided natively by the EAP type deployed).

     

    2) For the wireless SSIDs, wireless traffic is encrypted and decrypted at the controller. If the SSID is configured in decrypt-tunnel mode (rather than tunnel mode), then traffic is encrypted/decrypted at the AP.

     

    3) The mesh point will put wireless traffic in GRE tunnel(s) back to the controller. Wired traffic can optionally be tunneled back to the controller, when the wired port profile is also configured for tunnel mode.

     

    4) The mesh backhaul is protected by WPA2/CCMP PSK (AES).

     

    5) The tunnel is not changed between the mesh portal and the controller. See item 2 above: wireless users of encrypted SSIDs have their encrypted 802.11 frames carried over the GRE to the controller for encrypt/decrypt when operating in tunnel mode.



  • 3.  RE: Mesh traffic flow

    Posted Sep 26, 2018 10:05 AM

    Thanks so much for the reply, this is exactly what I needed to know. Is there any chance this is documented somewhere at a high level? The User Guide tells you how to configure it but glosses over the details of how it actually works. It would be nice to have a chapter that just tells you the actual traffic flows. 



  • 4.  RE: Mesh traffic flow

    EMPLOYEE
    Posted Sep 27, 2018 04:06 PM

    Generally that would/should be covered in the Outdoor MIMO VRD, but if not, I will make sure I add it as a section in the upcoming redo I will be working on towards the end of the year.