doc title Help Center
You are here: Home > Tunnel and Mixed Mode Deployment

Tunnel and Mixed Mode Deployment

WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. is required to establish wireless connection between devices and thereby eliminating the need for cables. WLAN helps build personal and business networks without wiring the building with EthernetEthernet is a network protocol for data transmission over LAN.. It also provides a way for small devices, such as smartphones, tablets, laptops, and Point of Sale (POS) machines to connect to the network.

The AOS 10.x in tunnel mode consists of at least one Gateway cluster for security and network resiliency. The network created on tunnel mode or mixed mode acts as a virtual network on top of the physical network that is created on bridge mode. In the tunnel-mode of AOS 10.x, VLANsVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. are configured on Gateway cluster and APs tunnel traffic to Gateways. APs function as authenticators and send authentication and accounting requests to the Gateway cluster.

In the Mixed mode of AOS 10.x, VLANs are configured either on the Gateway cluster or on APs which tunnel client traffic to the Gateway cluster based on the optimum traffic route.

The hardware infrastructure of the tunnel mode and mixed mode deployments require APs and Gateways with ArubaOS or later software version.

The following figure illustrates the tunnel deployment mode:

Figure 1  Tunnel Mode Deployment

Network Setup for Tunnel and Mixed Mode Deployment

The client connection workflow in an tunnel network setup involves the following steps:

  1. The administrator onboards the APs and Gateways to a group in AOS 10.x.
  2. The Gateways assigned to the same group automatically form a Gateway cluster.
  3. The administrator configures a WLAN SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. with the Tunnel or Mixed forwarding mode and associates the SSID to a Gateway cluster.
  4. The Tunnel Orchestrator for VLAN Tunnels service in AOS 10.x establishes secure tunnels between APs and the Gateways.
  5. The client connects to the SSID broadcast on the AP.
  6. The AP acts as an authenticator and sends the client traffic to a Gateway in the cluster. The Gateway acts as an authentication proxy. For example, based on the VLAN to which the client is assigned, the client traffic is bridged locally or forwarded to the Gateway through a secure tunnel. This assignment is done by selecting Bridge or Tunnel as traffic forwarding mode for the VLAN in VLAN Assignment Rules table on the VLANs tab.
  7. Based on the security profile and role assignment policy defined in the WLAN SSID, the Gateway forwards the request to the authentication server and derives the user role and VLAN for the client either locally or from an external authentication server.
  8. After the client completes the authentication successfully, the AP applies the user role and VLAN received from the Gateway cluster.
  9. The client is assigned an IP address and a user role.
  10. When the client connects to the network, the traffic sent by the client is encapsulated and sent to the Gateway over GREGeneric Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. tunnel.
  11. The Gateway bridges traffic to the client VLAN.
  12. When the client roams from one AP to another across the VLANs, the Cloud-Assisted Roaming Services feature ensures that the client's wireless connection is seamless without a need for re-authentication.

Tunnel and Mixed Mode Deployment Workflow

The following flowchart illustrates the procedure for setting up AOS 10.x tunnel and mixed mode deployment for WANWide Area Network. WAN is a telecommunications network or computer network that extends over a large geographical distance. Setup.

Tunnel and Mixed Mode Deployment Workflow Steps

The provisioning workflow for tunnel and mixed mode deployments includes the following steps:

Step 1: Follow the Pre-Provisioning Procedures

Before you get started with the configuration of WLAN SSID in the tunnel and mixed mode for LANLocal Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server. setup, refer to the following topic to complete the pre-provisioning procedures: Getting Started with the Deployment

For deployments with cluster, you must configure a WLAN SSID in the tunnel and mixed mode.

Step 2: Create a WLAN SSID Profile in Tunnel and Mixed Mode
Step 3: Configure a VLAN for a WLAN SSID Profile in Tunnel and Mixed Mode

A virtual LAN (local area network) is a group of devices on a single or multiple LANs that are logically configured to communicate seamlessly even if they are physically located on different LAN segments. In other words, a VLAN is a logical subnetwork that groups a collection of devices from different physical LANs.

For more information on configuring VLANs in tunnel and mixed mode, see the following sections:

Step 5: Configure Access for a WLAN SSID Profile in Tunnel and Mixed Mode

A user access rule defines which users can automatically be assigned user access when logging in to the network. AOS 10.x allows you to configure access rules and roles for WLAN clients in Enterprise, Personal, and Captive Portal networks. However, access rules and user role configurations are not applicable in open security networks.

For more information on configuring access rules and roles, see Configuring Access Rule for a WLAN SSID Profile in Tunnel and Mixed Mode.

Step 6: View the Network Summary for a WLAN SSID Profile in Tunnel and Mixed Mode

AOS 10.x displays a summary of all the basic configurations that you set for creating the WLAN SSID in tunnel and mixed mode.

For more information on network summary in tunnel and mixed mode, see Viewing Network Summary of Tunnel and Mixed Mode .


The MultiZone feature enables you to segregate the virtual APs tunnel traffic to different gateways. MultiZone allows organizations to have multiple and separate secure networks while using the same AP. It also allows the AP to terminate SSIDs to multiple gateways that reside in different zones or clusters.

Initially, when the AP boots up, the first zone it contacts is called the primary zone. The MultiZone configuration is forwarded to the AP based on the primary cluster configuration of different SSIDs. In the same group, each SSID can choose a different primary cluster to form a different zone. The AP virtually connects to each zone independently. Hence, the tunnel traffic is segregated based on the SSIDs. Data zone is the secondary zone that an AP connects to after receiving the MultiZone configuration from the primary zone. If there are MultiZone profiles configured and associated in the AP group or AP name profile of the primary zone, then the AP enters MultiZone state and starts connecting with the specified data zones.

The maximum number of allowed clusters is 5 and total number of allowed gateways is 12.

The gateways in different zones are independent and do not communicate with one another.

Figure 2 illustrates the configuration of MultiZone feature between two zones.

Figure 2  MultiZone Configuration

In the above diagram, Client 1 and Client 2 connect to VAP-1 and VAP-2 respectively. The MultiZone configuration segregates the tunnel traffic of VAP-1 and VAP-2 and forwards the traffic to different Gateways under Zone 1 and Zone 2.

Guidelines for MultiZone

  • Different virtual APs can be mapped to different zones. For example, VAP-1 can connect to one cluster and VAP-2 can connect to another cluster.
  • The AP creates the tunnels with different clusters and not with a single cluster.
  • Different clients can connect to different virtual APs. For example, if one client connects to VAP-1, the AP sends client traffic to Zone 1. Similarly, if another client connects to VAP-2, the AP sends client traffic to Zone 2.
  • The MultiZone feature requires an advanced license, and is disabled in the absence of the advanced license. Only an AP with advanced license can establish active SSID tunnels with data zone gateways. The AP with foundation license cannot establish active SSID tunnel with data zone gateways.

For more information on configuring MultiZone, see Configuring VLAN Settings for WLAN SSID Profile in Tunnel and Mixed Mode.