414| Virtual APs AOS-W 6.5.3.x| User Guide
Parameter Description
Forward mode This parameter controls whether data is tunneled to the switch using generic
routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs),
or a combination thereof depending on the destination (corporate traffic goes to
the switch, and Internet access remains local). All forwarding modes support band
steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.
Click the drop-down list to select one of the following forward modes:
• Tunnel: The AP handles all 802.11 association requests and responses, but
sends all 802.11 data packets, action frames and EAPOL frames over a GRE
tunnel to the switch for processing. The switch removes or adds the GRE
headers, decrypts or encrypts 802.11 frames and applies firewall rules to the
user traffic as usual. Both remote and campus APs can be configured in tunnel
mode.
• Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote
AP or campus AP is in bridge mode, the AP (and not the switch) handles all
802.11 association requests and responses, encryption/decryption processes,
and firewall enforcement. The 802.11e and 802.11k action frames are also
processed by the AP, which then sends out responses as needed.
An AP in bridge mode does not support captive portal authentication. Both
remote and campus APs can be configured in bridge mode. Note that you must
enable the control plane security feature on the switch before you configure
campus APs in bridge mode.
• Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the
destination (corporate traffic goes to the switch, and Internet access remains
local).
A remote AP in split-tunnel forwarding mode handles all 802.11 association
requests and responses, encryption/decryption, and firewall enforcement. The
802.11e and 802.11k action frames are also processed by the remote AP, which
then sends out responses as needed.
• Decrypt-Tunnel: Both remote and campus APs can be configured in
decrypt-tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP
decrypts and decapsulates all 802.11 frames from a client and sends the 802.3
frames through the GRE tunnel to the switch, which then applies firewall policies
to the user traffic.
When the switch sends traffic to a client, the switch sends 802.3 traffic through
the GRE tunnel to the AP, which then converts it to encrypted 802.11 and
forwards it to the client. This forwarding mode allows a network to utilize the
encryption/decryption capacity of the AP while reducing the demand for
processing resources on the switch.
APs in decrypt-tunnel forwarding mode also manage all 802.11 association
requests and responses, and process all 802.11e and 802.11k action frames.
APs using decrypt-tunnel mode do have some limitations that are not present for
APs in regular tunnel forwarding mode.
You must enable the control plane security feature on the switch before you
configure campus APs in decrypt-tunnel forward mode.
NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key
slots 2–4 on the switch. Key slot 1 should only be used with Virtual APs in tunnel
mode.
Allowed band The band(s) on which to use the virtual AP:
• a—802.11a band only (5 GHz).
• g—802.11b/g band only (2.4 GHz).
• all—both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default
setting.
Table 97: Virtual AP Profile Parameters
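
The Forward mode row above carries three deployment constraints (no captive portal in bridge mode, control plane security required for campus APs in bridge or decrypt-tunnel mode, and static WEP key slot 1 reserved for tunnel mode). The following is an added example, not part of the AOS-W guide, that checks a constructed inventory against them; the VirtualAP record, its field names and the sample profile names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MODES = {"tunnel", "bridge", "split-tunnel", "decrypt-tunnel"}

@dataclass
class VirtualAP:                       # hypothetical record, not an AOS-W structure
    name: str
    forward_mode: str
    ap_type: str                       # "campus" or "remote"
    captive_portal: bool = False
    static_wep_slot: Optional[int] = None   # None means static WEP is not used

def lint(vap: VirtualAP, cpsec_enabled: bool) -> List[str]:
    """Return the Forward mode constraints from the table that `vap` violates."""
    if vap.forward_mode not in MODES:
        return [f"unknown forward mode {vap.forward_mode!r}"]
    issues = []
    # An AP in bridge mode does not support captive portal authentication.
    if vap.forward_mode == "bridge" and vap.captive_portal:
        issues.append("captive portal is not supported in bridge mode")
    # Campus APs in bridge or decrypt-tunnel mode require control plane security.
    if (vap.ap_type == "campus" and not cpsec_enabled
            and vap.forward_mode in ("bridge", "decrypt-tunnel")):
        issues.append(f"control plane security must be enabled for campus {vap.forward_mode}")
    # Static WEP in bridge or split-tunnel mode should use key slots 2-4, not slot 1.
    if vap.static_wep_slot == 1 and vap.forward_mode in ("bridge", "split-tunnel"):
        issues.append("static WEP key slot 1 should only be used in tunnel mode")
    return issues

def audit(vaps: List[VirtualAP], cpsec_enabled: bool) -> Dict[str, List[str]]:
    """Map each non-compliant virtual AP name to its list of issues."""
    report = {v.name: lint(v, cpsec_enabled) for v in vaps}
    return {name: issues for name, issues in report.items() if issues}

# Constructed sample inventory (names and values are made up for the example).
SAMPLE = [
    VirtualAP("corp", "tunnel", "campus", static_wep_slot=1),
    VirtualAP("guest", "bridge", "campus", captive_portal=True, static_wep_slot=1),
    VirtualAP("branch", "split-tunnel", "remote", static_wep_slot=2),
    VirtualAP("voice", "decrypt-tunnel", "campus"),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, cpsec_enabled=False).items():
        print(name, "->", "; ".join(issues))
```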