What are the differences between direct forwarding and tunnel forwarding when STAs are configured to go online?


When STAs are configured to go online in direct forwarding mode, the upstream interfaces connected to the APs must permit packets from the service VLANs to pass through. In tunnel forwarding mode, however, the upstream interfaces must not permit service VLAN packets, because service traffic already travels inside the data tunnel between the AP and AC; permitting it natively as well would cause MAC address flapping.

Other related questions:
What is the difference between direct forwarding and tunnel forwarding during STA login?
In direct forwarding mode, all interfaces on the path must permit all service VLANs. In tunnel forwarding mode, to prevent MAC address flapping, the interfaces must not permit the service VLANs.

What are the advantages and disadvantages of direct forwarding and tunnel forwarding?
Direct forwarding: Packets do not need to be encapsulated and decapsulated, so forwarding efficiency is high and network administrators can locate faults easily. However, user packets may be intercepted during transmission, which threatens information security. In addition, packets of the service VLANs need to be transparently transmitted across the Layer 2 network between ACs and APs, which increases the maintenance workload on that network.

Tunnel forwarding: Packets are encrypted using the Datagram Transport Layer Security (DTLS) protocol, which prevents attackers from intercepting packets transmitted on the network, so tunnel forwarding provides high security. The configuration is also simple, because only packets of the management VLAN need to be transparently transmitted between APs and ACs. However, encrypted packets make fault location difficult, and forwarding efficiency is lower than in direct forwarding because every data packet must be encapsulated with a CAPWAP header.

What are the differences in AP-side switch interface configuration and intermediate switch configuration in direct and tunnel forwarding modes?

Data forwarding mode
Data forwarding mode:
- Centralized forwarding (also called tunnel forwarding): APs set up both control tunnels and data tunnels with the AC. Control data between the AP and AC is encapsulated in the control tunnel, and service data from WLAN users is encapsulated in the data tunnel. After service data reaches the APs, it is first sent to the AC through the data tunnel and is then forwarded at Layer 2 and Layer 3.
- Direct forwarding (also called local forwarding): APs set up only control tunnels with the AC. After service data reaches the APs, it directly enters the wired network through the switch connected to the APs and is then forwarded at Layer 2 and Layer 3.

In summary, tunnel forwarding facilitates centralized management and control, but all service data must be forwarded through the AC, which reduces packet forwarding efficiency and adds load on the AC. Direct forwarding offers high packet forwarding efficiency. Select either forwarding mode as required.

AC deployment:
- Bypass mode: ACs are directly connected to aggregation switches or core switches in bypass mode. If two ACs provide 1+1 backup, both connect to the aggregation switch or core switch.
- Independent AC management area: establish a separate AC management area that connects to the core switch in bypass mode. In actual networking, an aggregation switch is connected to the core switch in bypass mode, and all the ACs are connected to that aggregation switch.

Verify the forwarding mode by checking whether the AC serves as the gateway or by running the display forward-type service xx command.
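The VLAN rules stated above (direct forwarding: the management VLAN and every service VLAN must be permitted on the AP-side and intermediate switch trunks; tunnel forwarding: the management VLAN must be permitted but no service VLAN may be, to avoid MAC address flapping) are easy to get wrong across many switches. The following Python script is an added example, not code from the original page or from the vendor's products: it parses a small, constructed VRP-style switch configuration (the interface names, VLAN numbers and `port trunk allow-pass vlan` lines are sample values I chose) and reports every interface whose permitted VLANs are inconsistent with the chosen forwarding mode.

```python
import re

# The two VRP configuration lines this audit looks at.
IFACE_LINE = re.compile(r"^interface\s+(\S+)")
VLAN_LINE = re.compile(r"^\s*port trunk allow-pass vlan\s+(.+?)\s*$")

# Constructed sample configuration (not from the page): GE0/0/1 faces an AP,
# GE0/0/24 is the uplink towards the AC. VLAN 100 is assumed to be the
# management VLAN and VLANs 101-102 the service VLANs.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 description to-AP
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/24
 description uplink-to-AC
 port link-type trunk
 port trunk allow-pass vlan 100 101 102
#
"""


def expand_vlan_list(spec):
    """Expand a VRP VLAN list such as '100 to 102 200' into a set of ints.
    The keyword 'all' ('port trunk allow-pass vlan all') is returned as-is."""
    tokens = spec.split()
    if tokens == ["all"]:
        return "all"
    vlans = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            lo, hi = int(tokens[i]), int(tokens[i + 2])
            vlans.update(range(lo, hi + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_allowed_vlans(config_text):
    """Map each interface to the VLANs its trunk permits ('all' or a set).
    Several allow-pass lines under one interface are cumulative, as in VRP."""
    allowed = {}
    current = None
    for line in config_text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            current = m.group(1)
            allowed.setdefault(current, set())
            continue
        m = VLAN_LINE.match(line)
        if m and current is not None:
            new = expand_vlan_list(m.group(1))
            if new == "all" or allowed[current] == "all":
                allowed[current] = "all"
            else:
                allowed[current] |= new
    return allowed


def audit_forwarding_vlans(config_text, mode, mgmt_vlan, service_vlans):
    """Check every trunk in the configuration against the forwarding mode.

    direct: management VLAN and all service VLANs must be permitted.
    tunnel: management VLAN must be permitted; no service VLAN may be, because
            service traffic already rides in the CAPWAP data tunnel and passing
            it natively too causes MAC address flapping.
    Returns a list of (interface, problem) tuples; empty means consistent."""
    if mode not in ("direct", "tunnel"):
        raise ValueError("mode must be 'direct' or 'tunnel'")
    service = set(service_vlans)
    findings = []
    for iface, vlans in parse_allowed_vlans(config_text).items():
        # 'vlan all' permits everything, so treat it as passing every VLAN we care about.
        passes = (service | {mgmt_vlan}) if vlans == "all" else vlans
        if mgmt_vlan not in passes:
            findings.append((iface, f"management VLAN {mgmt_vlan} not permitted"))
        if mode == "direct":
            missing = sorted(service - passes)
            if missing:
                findings.append((iface, f"service VLANs {missing} not permitted"))
        else:
            leaked = sorted(service & passes)
            if leaked:
                findings.append((iface, f"service VLANs {leaked} permitted natively; risk of MAC flapping"))
    return findings


if __name__ == "__main__":
    for mode in ("direct", "tunnel"):
        print(mode, audit_forwarding_vlans(SAMPLE_CONFIG, mode, 100, [101, 102]))
```

Run against the sample, the same configuration passes the direct-forwarding audit and fails the tunnel-forwarding audit on both interfaces, which is exactly the difference the answers above describe: a switch configuration prepared for direct forwarding must be changed (service VLANs removed from the trunks) before the AC is switched to tunnel forwarding.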

How to configure IPSG for a WLAN device
IP source guard (IPSG) can defend against spoofing attacks based on source IP addresses. For the methods of configuring IPSG for a WLAN device, see "Example for Configuring WLAN IPSG" in Typical Configuration Examples.
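To make the IPSG check concrete, the following Python model is an added example (not code from the page or from the vendor's implementation): it keeps a binding table of the kind IPSG builds from DHCP snooping or static bindings, and permits a packet only when its source IP, source MAC, VLAN and ingress interface all match an entry. The addresses, MACs, VLAN and interface names are constructed sample values, and the model assumes one binding per IP address.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One IPSG binding: the only source IP/MAC pair allowed on this VLAN/interface."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


# Constructed binding table (sample values, not from the page), as IPSG would
# learn it from DHCP snooping entries or static configuration.
BINDINGS = [
    Binding("10.1.1.10", "0011-2233-4455", 101, "GigabitEthernet0/0/1"),
    Binding("10.1.1.11", "0011-2233-4466", 101, "GigabitEthernet0/0/1"),
]


def ipsg_verdict(packet, bindings):
    """Return 'permit' or a 'drop: <reason>' string for one packet.
    The reason names the first binding field that failed to match."""
    by_ip = {b.ip: b for b in bindings}   # assumes one binding per IP address
    entry = by_ip.get(packet.src_ip)
    if entry is None:
        return "drop: no binding for source IP"
    if entry.mac != packet.src_mac:
        return "drop: source IP is bound to a different MAC"
    if entry.vlan != packet.vlan or entry.interface != packet.interface:
        return "drop: binding belongs to a different VLAN or interface"
    return "permit"


def ipsg_filter(packets, bindings):
    """Apply the check to a batch of packets; returns (packet, verdict) pairs."""
    return [(p, ipsg_verdict(p, bindings)) for p in packets]


# Constructed traffic sample: a legitimate packet from the first STA, a packet
# from the second STA's MAC that claims the first STA's address, and a packet
# from an address that was never bound.
SAMPLE_PACKETS = [
    Packet("10.1.1.10", "0011-2233-4455", 101, "GigabitEthernet0/0/1"),
    Packet("10.1.1.10", "0011-2233-4466", 101, "GigabitEthernet0/0/1"),
    Packet("10.1.1.99", "0011-2233-4477", 101, "GigabitEthernet0/0/1"),
]


if __name__ == "__main__":
    for packet, verdict in ipsg_filter(SAMPLE_PACKETS, BINDINGS):
        print(f"{packet.src_ip:10} {packet.src_mac}  {verdict}")
```

Only the first sample packet is permitted; the other two are dropped because their source address either belongs to a different MAC or has no binding at all, which is the defence against source-IP spoofing that the answer above refers to. On a real device the binding table is populated by DHCP snooping or static entries, so IPSG is only as complete as that table.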
