Tunnel Forwarding Mode
When tunnel traffic forwarding is configured in a WLAN or downlink-wired port profile, client traffic is encapsulated in Generic Routing Encapsulation (GRE) by the APs and tunneled to the primary gateway cluster. Client traffic forwarded within the GRE tunnels is tagged with the client's assigned VLAN. The role of each gateway within the primary cluster determines which gateway is responsible for transmitting and receiving traffic for each tunneled client.
With tunnel traffic forwarding, the user VLANs are centralized and reside within each cluster. Each tunneled profile terminates within a primary cluster and can optionally fail over to a secondary cluster. For each primary cluster, the gateway management and user VLANs are extended from each gateway in the cluster to their respective core or aggregation switching layer. As a best practice, all the VLANs are 802.1Q-tagged. Each gateway within a cluster shares the management VLAN, user VLANs, and associated IP networks. Each tunneled client is either statically or dynamically assigned to a centralized user VLAN within its primary cluster.
For example, in the tunnel forwarding deployment below, the tunneled user VLANs 73 and 75 are extended from the gateway to the core or aggregation switching layer. The WLAN client is assigned VLAN 73, while the wired client is assigned VLAN 75. The core or aggregation switch has IP interfaces and IP helper addresses defined for each VLAN and is the default gateway for each VLAN.
This example uses a single gateway to simplify the datapath of each tunneled client. When multiple gateways are deployed within a cluster, each AP establishes IPsec and GRE tunnels to each cluster node. The role of each gateway within the cluster determines which gateway is responsible for anchoring each client's traffic and which gateway is responsible for forwarding broadcast or multicast traffic destined to clients attached to each AP. The gateway role effectively determines which GRE tunnel the AP selects when forwarding traffic from a client and which tunnel is selected by the gateway for unicast, broadcast, and multicast return traffic.
Figure 1 Tunnel Forwarding Deployment
Roaming
Each tunneled WLAN terminates in a primary cluster where the user VLANs are centralized. Each tunneled client is either statically or dynamically assigned to a VLAN, which is present on all the gateways within the primary cluster. For each client, one gateway in the cluster is assigned the User Designated Gateway (UDG) role, which determines the gateway to which the client's traffic is anchored. Because the bucketmap is published per cluster, each client maintains its UDG assignment as it roams. Each client's traffic is always anchored to the same gateway within a cluster, regardless of the AP to which the client roams.
When a client roams between APs that tunnel to the same primary cluster, the client is able to maintain its VLAN assignment, IP address and default gateway after each roam, which provides a seamless roaming experience. Clients can perform a slow roam or fast roam, depending on the WLAN profile configuration and capabilities of the client. Seamless roaming can be achieved between APs in the same HPE Aruba Networking Central configuration group (same profile) or between APs in separate configuration groups (duplicated WLAN profiles). The only requirement for seamless roam is that the primary cluster must be the same between the APs.
MAC Address Learning
When tunnel forwarding is enabled, the APs tunnel the client's traffic to the gateway in the cluster that is assigned the User Designated Gateway (UDG) role for that client. Each tunneled client's MAC address is learned by the core or aggregation switch and by all the active gateways within the cluster:
- Core or aggregation switch: learns each client's MAC address from the physical or logical aggregated port that connects to the client's UDG gateway.
- Gateways: learn each client's MAC address either from the GRE tunnel (UDG role) or from the physical or logical aggregated uplink port from the core or aggregation switch.
Each tunneled client's MAC address is anchored to the gateway that holds the UDG role for that client. The layer 2 path for each tunneled client remains bound to the physical or logical port of its assigned UDG gateway, regardless of the AP to which the client roams. No MAC address move occurs between the gateways and the core or aggregation switching layer after a roam. A client's MAC address moves between gateways only as a result of a UDG to Standby User Designated Gateway (S-UDG) transition.
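The roaming and MAC-learning behaviour described in the two sections above, as an added model that is not HPE Aruba Networking code: a per-cluster bucketmap assigns each client MAC a UDG and an S-UDG, the AP always tunnels to the UDG, and the core switch learns the MAC on that gateway's uplink, so a roam between APs causes no MAC move while a UDG failure does. The bucket count, the hash from MAC to bucket, and the round-robin UDG/S-UDG assignment are assumptions of this model.

```python
import hashlib

BUCKETS = 256  # assumed bucket count; the real bucketmap size is not on the page


class Cluster:
    """Primary gateway cluster with a per-cluster bucketmap: bucket -> (UDG, S-UDG)."""
    def __init__(self, gateways):
        n = len(gateways)  # round-robin UDG/S-UDG assignment is an assumption of this model
        self.bucketmap = {b: (gateways[b % n], gateways[(b + 1) % n]) for b in range(BUCKETS)}

    def bucket(self, mac):
        # Assumed hashing of the client MAC into a bucket; the real function is not on the page
        return int(hashlib.sha256(mac.lower().encode()).hexdigest(), 16) % BUCKETS

    def udg(self, mac):
        return self.bucketmap[self.bucket(mac)][0]

    def fail_gateway(self, name):
        # UDG -> S-UDG transition: buckets anchored on the failed node move to their S-UDG
        for b, (udg, sudg) in self.bucketmap.items():
            if udg == name:
                self.bucketmap[b] = (sudg, None)


class CoreSwitch:
    """MAC table of the core/aggregation switch on the ports facing the gateway uplinks."""
    def __init__(self):
        self.mac_table, self.moves = {}, 0

    def learn(self, mac, port):
        if self.mac_table.get(mac, port) != port:
            self.moves += 1  # the MAC moved between two gateway-facing ports
        self.mac_table[mac] = port


def forward(cluster, core, mac, vlan, ap):
    """AP picks the GRE tunnel to the client's UDG; the UDG sends the frame 802.1Q-tagged upstream."""
    gw = cluster.udg(mac)
    core.learn(mac, f"uplink-{gw}")  # core learns the client MAC on the UDG's uplink port
    return {"tunnel": f"{ap}->{gw}", "vlan": vlan, "anchor": gw}


def simulate():
    cluster, core = Cluster(["gw1", "gw2", "gw3"]), CoreSwitch()
    mac = "00:11:22:33:44:55"  # constructed client MAC
    first = forward(cluster, core, mac, 73, "ap1")
    roamed = forward(cluster, core, mac, 73, "ap2")  # roam inside the same primary cluster
    moves_after_roam = core.moves  # stays 0: the anchor is bound to the UDG, not the AP
    cluster.fail_gateway(first["anchor"])
    failed = forward(cluster, core, mac, 73, "ap2")  # UDG -> S-UDG transition moves the MAC
    return first["anchor"], roamed["anchor"], moves_after_roam, failed["anchor"], core.moves
```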