
Occasional Contributor

Question about "Always tunnel" - can't find right way to work with it


I have an MSM765zl and an MSM410 AP. If I configure a VSC without "always tunnel", it works fine with the egress VLAN bound to the AP.

But I can't find out what I can do with the "always tunnel" feature and how to get it to work. When "always tunnel" is enabled, should the MSM765zl bridge traffic or route traffic to the egress VLAN?

If it bridges, why does the egress VLAN need an IP in the configuration? If it routes, where can I configure the network between the wireless client and the MSM765zl? If I set the IP manually on the wireless client, I can ping any interface on the MSM765zl, but can't ping anything behind it - it looks like traffic is neither bridged nor routed.

I've read the MCG and the wireless implementation guide and spent all day trying it out - anyway, with "always tunnel" traffic does not go to the egress VLAN configured in the VSC.

I'll be glad if anyone can explain the concept of the "always tunnel" feature to me and give some description of a working topology.

Trusted Contributor

Re: Question about "Always tunnel" - can't find right way to work with it

Always tunnel is a feature between the AP and the controller. It is a means to take the wireless client data traffic and to carry it over a network inside a tunnel. This has 2 advantages in my opinion: it makes sure that the client traffic does not tamper with the network and therefore it makes sure it reaches the controller and only the controller. The second advantage is that it works regardless of the network topology between the AP and the controller (VLANs or not, number of hops/switches/routers/etc.)

There are several concepts that need to be understood. The first is the egress VLAN that you find in the VSC binding. This VLAN applies at the AP and is useless in the case of the "always tunnel" feature.

The other concept is the egress VLAN in the VSC itself. This one applies at the controller to determine where the traffic should go once it reaches the controller.

The AP bridges the traffic. But in the vast majority of cases, once the traffic reaches the controller it is always routed through the controller. The fact that you specify a VLAN interface as an egress to the VSC (not the binding, but the actual VSC) means that the traffic is forced to be routed through that interface rather than taking the default routing table.

On top of being routed, your traffic is most likely access controlled (especially true if "use this controller for: access control" is checked in the VSC), which means that by default no traffic will go through unless your client is authenticated.

Again, the egress mapping of a VSC is not linked to the "Always tunnel" feature.

In terms of topology, it really depends on what you want to achieve. 2 big questions to ask really:
1) Do you want the traffic from your client to be bridged directly and put on the network at the AP so that it can reach any resources directly from there?
2) Or do you want the traffic from your client to be forced towards the controller so that it can be access controlled (with ACLs) before it can actually reach resources?

If none of the above, can you try to explain what you are trying to achieve?