Understanding Remote AP Modes of Operation

Table 1 summarizes the different Remote AP modes of operation. You specify both the forward mode setting (which controls whether 802.11 frames are tunneled to the managed device using GRE, bridged to the local Ethernet LAN, or a combination thereof) and the Remote AP mode of operation (which applies when the virtual AP operates on a Remote AP) in the virtual AP profile.

The column on the left of the table lists the Remote AP operation settings. The row across the top of the table lists the forward mode settings. To understand how these settings work in concert, scan the desired Remote AP operation with the forward mode setting, and read the information in the appropriate table cell.

The all row and the all column list the behavior that every Remote AP operation setting or forward mode setting has in common, regardless of the other setting. For example, at the intersection of all and bridge, the description outlines what happens in bridge mode regardless of the Remote AP mode of operation.

Table 1: Remote AP Modes of Operation and Behavior

Rows: Remote AP Operation Setting (all, always, backup, persistent, standard).
Columns: Forward Mode Setting (all, bridge, split-tunnel, tunnel, decrypt-tunnel).

Remote AP operation: all
  all: (no entry)
  bridge: Management frames on the AP. Frames are bridged between the wired and wireless interfaces. No frames are tunneled to the managed device. The station acquires its IP address locally from an external DHCP server.
  split-tunnel: Management frames on the AP. Frames are either GRE tunneled to the managed device through a trusted tunnel, or are sent through NAT and bridged on the wired interface, according to the user role and session ACL. Typically, the station obtains an IP address from a VLAN on the Mobility Conductor. Typically, the AP has ACLs that forward corporate traffic through the tunnel and source NAT the non-corporate traffic to the Internet.
  tunnel: Frames are GRE tunneled to the managed device through an untrusted tunnel. 100% of station frames are tunneled to the managed device.
  decrypt-tunnel: Management frames on the AP. Frames are always GRE tunneled to the managed device.

Remote AP operation: always
  all: The ESSID is always up when the AP is up, regardless of whether the managed device is reachable. Supports PSK ESSIDs only. The SSID configuration is stored in flash on the AP.
  bridge: Provides an SSID that is always available for local access.
  split-tunnel: Not supported
  tunnel: Not supported
  decrypt-tunnel: Not supported

Remote AP operation: backup
  all: The ESSID is only up when the managed device is unreachable. Supports PSK ESSIDs only. The SSID configuration is stored in flash on the AP.
  bridge: Provides a backup SSID for local access only when the managed device is unreachable.
  split-tunnel: Not supported
  tunnel: Not supported
  decrypt-tunnel: Not supported

Remote AP operation: persistent
  all: The ESSID comes up when the AP contacts the managed device and stays up if connectivity with the managed device is disrupted. The SSID configuration is obtained from the managed device. Designed for 802.1X SSIDs.
  bridge: Same behavior as standard, described below, except that the ESSID stays up if connectivity to the managed device is lost.
  split-tunnel: Not supported
  tunnel: Not supported
  decrypt-tunnel: Not supported

Remote AP operation: standard
  all: The ESSID is up only when there is connectivity with the managed device. The SSID configuration is obtained from the managed device. Behaves like a classic Aruba branch office AP.
  bridge: Provides a bridged ESSID that is configured from the managed device and stays up while there is managed device connectivity.
  split-tunnel: Split tunneling mode
  tunnel: Classic Aruba thin AP operation
  decrypt-tunnel: Decrypt tunnel mode
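The split-tunnel cell above states that the AP forwards each station frame according to the user role's session ACL, tunneling corporate traffic and source-NATing the rest onto the local wired interface. The following Python is an added example, not code from the Aruba documentation or from ArubaOS: it models that first-match decision with constructed corporate prefixes and simplified action labels (not ArubaOS ACL syntax), and includes the check a reviewer of such a role would want, namely that no corporate prefix falls through to the local src-NAT path because of rule ordering.

```python
import ipaddress

# Constructed corporate prefixes for this example (assumption, not from the page).
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def build_split_tunnel_acl(corporate_nets, corporate_first=True):
    """Model of a split-tunnel role ACL as a list of (action, destination prefix).

    'tunnel' stands for forwarding through the GRE tunnel to the managed
    device; 'route-src-nat' stands for source-NAT and bridging on the local
    wired interface. With corporate_first=False the catch-all is placed first,
    which is the misordering the check below is meant to catch.
    """
    tunnel_rules = [("tunnel", net) for net in corporate_nets]
    catch_all = [("route-src-nat", ipaddress.ip_network("0.0.0.0/0"))]
    return tunnel_rules + catch_all if corporate_first else catch_all + tunnel_rules


def forward_decision(acl, dst_ip):
    """Return the action of the first ACL entry matching dst_ip; 'deny' if none."""
    addr = ipaddress.ip_address(dst_ip)
    for action, net in acl:
        if addr in net:  # first match wins, as in a session ACL
            return action
    return "deny"


def check_no_corporate_leak(acl, corporate_nets):
    """Defender check: every corporate prefix must resolve to 'tunnel'.

    Probes the first and last usable host of each prefix and returns the
    addresses that would instead be source-NATed locally (or denied).
    """
    leaks = []
    for net in corporate_nets:
        for probe in (net.network_address + 1, net.broadcast_address - 1):
            if forward_decision(acl, str(probe)) != "tunnel":
                leaks.append(str(probe))
    return leaks


if __name__ == "__main__":
    good = build_split_tunnel_acl(CORPORATE_NETS)
    bad = build_split_tunnel_acl(CORPORATE_NETS, corporate_first=False)
    print("10.1.2.3 ->", forward_decision(good, "10.1.2.3"))
    print("8.8.8.8  ->", forward_decision(good, "8.8.8.8"))
    print("leaks with correct order:", check_no_corporate_leak(good, CORPORATE_NETS))
    print("leaks with catch-all first:", check_no_corporate_leak(bad, CORPORATE_NETS))
```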