What are the differences in AP-side switch interface configuration and intermediate switch configuration in direct and tunnel forwarding modes



Other related questions:
What are the differences between direct forwarding and tunnel forwarding when STAs are configured to go online
When STAs are configured to go online in direct forwarding mode, upstream interfaces connected to the APs must allow packets from the service VLAN to pass through. In tunnel forwarding mode, however, upstream interfaces must not allow packets from the service VLAN to pass through, to prevent MAC address flapping.

What are advantages and disadvantages of direct forwarding and tunnel forwarding
Direct forwarding: Packets do not need to be encapsulated and decapsulated, so forwarding efficiency is high and it is easy for network administrators to locate faults. However, user packets may be intercepted during transmission, threatening information security. In addition, packets of service VLANs need to be transparently transmitted, which increases the maintenance workload on the Layer 2 network between ACs and APs.

Tunnel forwarding: Packets are encrypted using the Datagram Transport Layer Security (DTLS) protocol, which prevents attackers from intercepting packets transmitted on the network. Tunnel forwarding therefore provides high security. The configuration is also simple because only packets of the management VLAN need to be transparently transmitted between APs and ACs. However, encrypted packets make fault location difficult. Moreover, the forwarding efficiency is lower than in direct forwarding because data packets must be encapsulated with a CAPWAP header.

What is the difference between direct forwarding and tunnel forwarding during STA login
In direct forwarding mode, all interfaces must allow all service VLANs. In tunnel forwarding, to prevent MAC address flapping, an interface cannot allow service VLANs.
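The rule stated in this answer and in the first related question (service VLANs allowed on AP-facing upstream interfaces in direct forwarding, not allowed in tunnel forwarding) can be checked against an exported switch configuration. The following Python check is an added example, not Huawei code; the sample configuration is constructed, and the interface names, VLAN 100 (management) and VLAN 101 (service) are assumed values.

```python
# Constructed sample: Huawei VRP-style configuration of two AP-facing ports.
# VLAN 100 (management) and VLAN 101 (service) are assumed values.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
"""

def parse_allowed_vlans(config):
    """Return {interface name: set of VLAN IDs its trunk allows}."""
    allowed, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            allowed[current] = set()
        elif current and line.startswith("port trunk allow-pass vlan "):
            tokens = line.split()[4:]
            if tokens == ["all"]:
                allowed[current].update(range(1, 4095))
                continue
            i = 0
            while i < len(tokens):
                start = end = int(tokens[i])
                # "A to B" is an inclusive VLAN range
                if i + 2 < len(tokens) and tokens[i + 1] == "to":
                    end = int(tokens[i + 2])
                    i += 2
                i += 1
                allowed[current].update(range(start, end + 1))
    return allowed

def audit(config, mode, service_vlans):
    """Return (interface, problem) pairs for the given forwarding mode."""
    findings = []
    wanted = set(service_vlans)
    for ifname, vlans in parse_allowed_vlans(config).items():
        if mode == "tunnel" and vlans & wanted:
            findings.append((ifname, "service VLAN allowed: MAC flapping risk"))
        elif mode == "direct" and wanted - vlans:
            findings.append((ifname, "service VLAN not allowed on upstream port"))
    return findings

if __name__ == "__main__":
    for mode in ("tunnel", "direct"):
        print(mode, audit(SAMPLE_CONFIG, mode, [101]))
```
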

Data forwarding mode
- Centralized forwarding (also called tunnel forwarding): APs set up control tunnels and data tunnels with an AC. Control data between the AP and AC and service data from WLAN users are encapsulated in the control tunnel and data tunnel, respectively. After the service data reaches the APs, it must first be sent to the AC through the data tunnel and is then forwarded at L2 and L3.
- Direct forwarding (also called local forwarding): APs only set up control tunnels with an AC. After the service data reaches the APs, it directly enters the wired network through the switch that connects to the APs and is then forwarded at L2 and L3.

In summary, tunnel forwarding facilitates centralized management and control, but service data must be forwarded through an AC, which reduces packet forwarding efficiency and burdens the AC. With direct forwarding, packet forwarding efficiency is high. You can select either forwarding mode as required.

AC deployment
- Bypass mode: ACs are directly connected to aggregation switches or core switches in bypass mode. If two ACs provide 1+1 backup, they connect to the aggregation switch or core switch.
- Establish an independent AC management area that connects to the core switch in bypass mode. In actual networking, an aggregation switch is connected to the core switch in bypass mode, and all the ACs are connected to the aggregation switch.

Verify the forwarding mode by checking whether an AC serves as the gateway or by running the display forward-type service xx command.

Example for Configuring Multicast Packet Suppression In Direct Forwarding Mode
Create the traffic classifier test and define a matching rule.
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000   //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit
Create the traffic behavior test, enable traffic statistics collection, and set the traffic rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100   //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
Create the traffic policy test and bind the traffic classifier and traffic behavior to the traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
Apply the traffic policy to the inbound or outbound direction of interfaces.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
