In a typical Campus WLAN, the APs communicate with the Master controller (MC) in one of the two following modes:
- Tunnel forwarding mode
- Decrypt Tunnel Mode
In both modes, the user VLANs are configured and stay on the MC, making it easier for addition/deletion of new VLANs from the core switch (uplinked to MC). This offers simple and flexible network design.
Tunnel forwarding mode
In Tunnel forwarding mode all 802.11 association requests/responses are handled by AP but all 802.11 action frames, data packets and EAPOL frames are forwarded via GRE tunnel to the MC for processing. The MC is responsible for the removal/addition of GRE headers and decryption/encryption of the 802.11 frames. Current mainstream production deployments use this mode.
For the support of the aggregation in the IEEE 802.11ac/ax standards, Aruba highly recommends enabling the jumbo frame support. Though the use of Control Plane Security (CPSec) is not compulsory, it is highly recommended. All the traffic between the AP and the MC is encrypted at all times.
Decrypt Tunnel Mode
In this mode, the communication between the AP and the Client makes best use of the Aggregated MAC packet Data Units (A-MPDUs) and Service Data Units (A-MSDUs) without the requirement for jumbo frame support. All decryption and de-aggregation is performed locally by the APs. As Decrypt Tunnel mode does not offer end-to-end encryption for data traffic (Control plane traffic is encrypted) there is a mandatory requirement for the enablement of CPSec between the APs and Controllers.
In addition to performing encryption/decryption, the AP acts a bridge between the MC and the clients. Since all assembly aggregation/de-aggregation is performed locally on the AP, it allows the use of Aggregated-MSDU/MPDU without requiring the Jumbo frame support.