WLAN Data Forwarding Modes
Introduction
Packets transmitted on a WLAN include management packets (control packets) and data packets (service packets). Management packets are forwarded through Control And Provisioning of Wireless Access Points (CAPWAP) control tunnels. Data packets can be forwarded in tunnel, direct, or soft Generic Routing Encapsulation (GRE) mode, depending on whether they are forwarded through CAPWAP data tunnels. Tunnel mode is also called centralized mode, and direct mode is also called local mode.
In actual networking, the direct and tunnel forwarding modes are widely used. This document describes the differences between the two modes (for other forwarding modes, see Continue Reading About WLAN Data Forwarding) and provides instructions for changing the data forwarding mode from direct to tunnel based on configuration requirements.
Description of Tunnel Forwarding and Direct Forwarding
In tunnel forwarding mode, APs encapsulate user data packets over a CAPWAP data tunnel and send them to an AC. The AC then forwards these packets to an upper-layer network, as shown in Figure 1-1.
In direct forwarding mode, APs forward user data packets to an upper-layer network without encapsulating them over a CAPWAP data tunnel, as shown in Figure 1-2.
The tunnel or direct forwarding mode can be selected based on networking requirements. Table 1-1 compares the two forwarding modes.
| Data Forwarding Mode | Advantage | Disadvantage |
|---|---|---|
| Tunnel forwarding | An AC centrally forwards data packets, which is secure and facilitates centralized management and control. New devices can be easily deployed and configured, with small changes to the network. | Service data must be forwarded by an AC, which is inefficient and increases the load on the AC. |
| Direct forwarding | Service data does not need to be forwarded by an AC, which is efficient and reduces the load on the AC. | Service data cannot be centrally managed or controlled. New device deployment causes great changes to the network. |
Changing the Forwarding Mode from Direct to Tunnel
The following describes how to change the forwarding mode from direct to tunnel to adapt to user requirement changes.
The configurations for the two forwarding modes are provided in this section, allowing you to change the forwarding mode as required.
Reconfiguration Rules
To change the forwarding mode, adjust the management VLAN and service VLAN on each interface in addition to changing the forwarding mode on a VAP. The VLAN configurations in different forwarding modes are described as follows:
- In direct forwarding mode, it is recommended that different VLANs be used as the management VLAN and service VLAN. Otherwise, service interruption may occur. If a VLAN is configured as both the management VLAN and service VLAN, and the port connecting a switch to an AP has the management VLAN ID as its PVID, downstream packets in the service VLAN are terminated when they leave the switch, and services are interrupted.
- In tunnel forwarding mode, the management VLAN and service VLAN must be different. Otherwise, MAC address flapping will occur, leading to a packet forwarding error. The network between the AC and APs needs to permit only packets carrying the management VLAN tag and deny packets carrying the service VLAN tag.
Changing the Forwarding Mode from Direct to Tunnel (AC Bypass Mode)
On the network shown in Figure 1-3, the AC is attached to Switch2 in bypass mode. In direct forwarding mode, data packets pass through the AP, Switch1, and Switch2 to reach the upper-layer network, without passing through the AC over the CAPWAP tunnel. In contrast, management packets are forwarded through the AC over the CAPWAP tunnel.
After the forwarding mode is changed to tunnel forwarding, the data packets are forwarded to the AC over the CAPWAP tunnel, passing through the AP, Switch1, and Switch2. During this process, the data packets are tagged with VLAN 100 (the management VLAN). When receiving the data packets, the AC decapsulates them, removes the VLAN tag, and forwards the packets to the upper-layer network through Switch2. In tunnel forwarding mode, management packets are still transmitted over the CAPWAP tunnel.
On this network, Switch2 is configured as a DHCP server for APs and STAs. Table 1-2 lists configuration differences between tunnel forwarding and direct forwarding.
| Network Device | Direct Forwarding | Tunnel Forwarding |
|---|---|---|
| AC | Configuration before the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk pvid vlan 100`<br>`port trunk allow-pass vlan 100`<br>`#`<br>`wlan`<br>`vap-profile name wlan-net`<br>`forward-mode direct-forward` //This is the default configuration and is not contained in the configuration file. | Configuration after the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk pvid vlan 100`<br>`port trunk allow-pass vlan 100 101` //Add GE0/0/1 to the service VLAN 101.<br>`#`<br>`wlan`<br>`vap-profile name wlan-net`<br>`forward-mode tunnel` //Change the forwarding mode on the VAP from direct to tunnel. |
| Switch2 | Configuration before the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100`<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100 to 101` | Configuration after the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100 to 101` //Add GE0/0/1 to the service VLAN 101.<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100` //Delete GE0/0/2 from the service VLAN 101. |
| Switch1 | Configuration before the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk pvid vlan 100`<br>`port trunk allow-pass vlan 100 to 101`<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100 to 101` | Configuration after the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk pvid vlan 100`<br>`port trunk allow-pass vlan 100` //Delete GE0/0/1 from the service VLAN 101.<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100` //Delete GE0/0/2 from the service VLAN 101. |
This example uses Switch2 as a DHCP server for APs and STAs. If another network device is deployed as the DHCP server, modify the VLAN or route configuration to ensure that APs and STAs communicate with the DHCP server properly.
Changing the Forwarding Mode from Direct to Tunnel (AC Inline Mode)
On the network shown in Figure 1-4, the AC is deployed in inline mode. In direct forwarding mode, data packets pass through the AP, Switch1, and Switch2 to reach the upper-layer network, without passing through the AC over the CAPWAP tunnel. In contrast, management packets are forwarded over the CAPWAP tunnel.
After the forwarding mode is changed to tunnel forwarding, the data packets are forwarded to the AC over the CAPWAP tunnel, passing through the AP and Switch1. During this process, the data packets are tagged with VLAN 100 (the management VLAN). When receiving the data packets, the AC decapsulates them, removes the VLAN tag, and forwards the packets to the upper-layer network. In tunnel forwarding mode, management packets are still transmitted over the CAPWAP tunnel.
On this network, the AC is configured as a DHCP server for APs and STAs. Table 1-3 lists configuration differences between tunnel forwarding and direct forwarding.
| Network Device | Direct Forwarding | Tunnel Forwarding |
|---|---|---|
| AC | Configuration before the change<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100 to 101`<br>`#`<br>`wlan`<br>`vap-profile name wlan-net`<br>`forward-mode direct-forward` //This is the default configuration and is not contained in the configuration file. | Configuration after the change<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100` //Delete GE0/0/2 from the service VLAN 101.<br>`#`<br>`wlan`<br>`vap-profile name wlan-net`<br>`forward-mode tunnel` //Change the forwarding mode on the VAP from direct to tunnel. |
| Switch1 | Configuration before the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk pvid vlan 100`<br>`port trunk allow-pass vlan 100 to 101`<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100 to 101` | Configuration after the change<br>`#`<br>`interface GigabitEthernet0/0/1`<br>`port link-type trunk`<br>`port trunk pvid vlan 100`<br>`port trunk allow-pass vlan 100` //Delete GE0/0/1 from the service VLAN 101.<br>`#`<br>`interface GigabitEthernet0/0/2`<br>`port link-type trunk`<br>`port trunk allow-pass vlan 100` //Delete GE0/0/2 from the service VLAN 101. |
This example uses the AC as a DHCP server for APs and STAs. If another network device is deployed as the DHCP server, modify the VLAN or route configuration to ensure that APs and STAs communicate with the DHCP server properly.
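The reconfiguration rules require that, in tunnel forwarding mode, the network between the AC and APs permits the management VLAN and denies the service VLAN. The following Python check is an added example, not part of the original document or any vendor tooling; it applies that rule to the Switch1 trunk configuration from Tables 1-2 and 1-3. The function names and the embedded sample configuration are constructed for illustration, and the check assumes every trunk in the supplied configuration lies on the path between the AC and the APs.

```python
# Constructed sample: Switch1 after the change (identical in Tables 1-2 and 1-3).
SWITCH1_TUNNEL = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
"""
# Switch1 before the change: both trunks still carry service VLAN 101.
SWITCH1_DIRECT = SWITCH1_TUNNEL.replace("allow-pass vlan 100", "allow-pass vlan 100 to 101")

def expand_vlans(tokens):
    """Expand allow-pass arguments such as ['100', 'to', '101'] or ['100', '101']."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_trunks(config):
    """Return {interface name: set of VLANs allowed on that trunk}."""
    allowed, current = {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop inline annotations
        if line.startswith("interface "):
            current = line.split()[1]
            allowed[current] = set()
        elif current and line.startswith("port trunk allow-pass vlan "):
            allowed[current] |= expand_vlans(line.split()[4:])
    return allowed

def check_tunnel_rules(config, mgmt_vlan, service_vlan):
    """Assumes every trunk in `config` lies on the path between the AC and the APs."""
    findings = []
    if mgmt_vlan == service_vlan:
        findings.append("management VLAN and service VLAN must be different")
    for ifname, vlans in parse_trunks(config).items():
        if mgmt_vlan not in vlans:
            findings.append(f"{ifname}: management VLAN {mgmt_vlan} is not permitted")
        if service_vlan in vlans:
            findings.append(f"{ifname}: service VLAN {service_vlan} is not denied")
    return findings
```

Run against the pre-change Switch1 configuration, the check flags both trunks because they still carry service VLAN 101, which is the state to look for if a migration to tunnel forwarding was only partly applied.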
Data Forwarding Mode on AP's Wired Interfaces
An AP's wired interface supports tunnel and direct forwarding modes. In tunnel forwarding mode, after data packets from wired users reach an AP's wired interface, the AP encapsulates the packets over the CAPWAP tunnel and sends them to an AC. The AC then forwards these packets to an upper-layer network. In direct forwarding mode, after data packets from wired users reach an AP's wired interface, the AP forwards the packets to an upper-layer network without encapsulating them over a CAPWAP tunnel.
An AP's wired interfaces have supported tunnel forwarding since V200R010C00.
In some scenarios, the downlink wired interfaces on an AP connect to wired terminals, and the AC connected to the AP is configured as the gateway for these terminals. To forward packets from these terminals to the AC through a CAPWAP tunnel, configure the tunnel forwarding mode on the AP's wired interfaces.
- Tunnel forwarding is supported by wired interfaces only on APs working in endpoint mode.
- Wired interfaces on an AD9431DN-24X do not support tunnel forwarding.
- If user isolation is configured on an AP's wired interfaces in tunnel forwarding mode, unicast packets can be isolated only on APs instead of on the AC.
- In tunnel forwarding mode, configure different VLANs as the management VLAN and service VLAN on the AP's wired interfaces. Otherwise, a network loop may occur.
```
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] wired-port-profile name wired
[AC6605-wlan-wired-port-wired] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode configuration will cause the AP to go out of management . This fault can be recovered only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC6605-wlan-wired-port-wired] forward-mode tunnel
[AC6605-wlan-wired-port-wired] quit
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] wired-port-profile wired ethernet 0
```
Continue Reading About WLAN Data Forwarding
- For implementation of other forwarding modes, see Data Forwarding Mode.
- For VLAN deployment suggestions in different forwarding modes, see VLAN Deployment Guide for WLAN.