MSM7xx Controllers Configuration Guide v6.4.0

Generally, most clients are involved in the bidirectional exchange of unicast packets. In this
case, the rules can be simplified by assuming that the most restrictive setting for this option
takes precedence. For example:
If VSC1 is set to No and VSC2 is set to All, no communication is permitted between clients
on the two VSCs, or between clients on VSC1. However, all clients on VSC2 can
communicate with each other.
If VSC1 is set to 802.1X and VSC2 is set to All, only clients that authenticated using
802.1X can communicate between the two VSCs.
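The following Python is an added illustration, not code from this guide or from the MSM product, of the "most restrictive setting takes precedence" simplification as a general rule rather than the two examples above. The ranking No < 802.1X < All, the Client record and the assumption that a same-VSC pair is governed by that VSC's own setting are choices made for the example.

```python
"""Model of the per-VSC client-to-client unicast rule.

Added example (not MSM7xx product code). Setting names No, 802.1X and All are
the ones used in the guide; the numeric ranking and the Client record are
assumptions that encode "the most restrictive setting takes precedence".
"""
from dataclasses import dataclass

# Lower rank = more restrictive. The lower-ranked setting wins when two VSCs differ.
RANK = {"No": 0, "802.1X": 1, "All": 2}


@dataclass(frozen=True)
class Client:
    name: str
    vsc: str      # name of the VSC the client is associated with
    dot1x: bool   # True if the client authenticated with 802.1X


def effective_setting(setting_a: str, setting_b: str) -> str:
    """Return the more restrictive of two VSC settings."""
    return min(setting_a, setting_b, key=RANK.__getitem__)


def may_communicate(vscs: dict[str, str], a: Client, b: Client) -> bool:
    """True if unicast traffic between clients a and b is permitted.

    vscs maps VSC name -> setting. For two clients on the same VSC both
    lookups return that VSC's own setting, so the rule reduces to it.
    """
    setting = effective_setting(vscs[a.vsc], vscs[b.vsc])
    if setting == "No":
        return False
    if setting == "802.1X":
        return a.dot1x and b.dot1x   # both ends must be 802.1X clients
    return True                      # "All"


def describe(vscs: dict[str, str], clients: list[Client]) -> list[str]:
    """Enumerate every client pair and report whether it may communicate."""
    lines = []
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            verdict = "allowed" if may_communicate(vscs, a, b) else "blocked"
            lines.append(f"{a.name}({a.vsc}) <-> {b.name}({b.vsc}): {verdict}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the two examples from the guide, with four clients.
    clients = [
        Client("alice", "VSC1", dot1x=True),
        Client("bob", "VSC2", dot1x=True),
        Client("carol", "VSC1", dot1x=False),
        Client("dave", "VSC2", dot1x=False),
    ]
    for vscs in ({"VSC1": "No", "VSC2": "All"}, {"VSC1": "802.1X", "VSC2": "All"}):
        print(f"VSC1={vscs['VSC1']}, VSC2={vscs['VSC2']}")
        print("\n".join("  " + line for line in describe(vscs, clients)))
```

Running the script prints, for the first example, every pair involving a VSC1 client as blocked and bob/dave as allowed; for the second, only the alice/bob pair crosses the VSC boundary successfully because both are 802.1X clients.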
Client data tunnel
(Only available when Access control is enabled.)
When a VSC is access-controlled, client traffic sent between the AP and the controller can
be carried in the client data tunnel. This provides the following benefits:
User traffic is segregated from the backbone network and can only travel to the controller.
The underlying network topology is abstracted, enabling full support for L2-connected users
across routed networks.
The client data tunnel is always used when the connection between a controlled AP and its
controller traverses at least one router. The client data tunnel supports NAT traversal, so it can
cross routers that implement NAT. It is also always used when teaming is enabled, or when a
controlled AP is discovered via the Internet port (Internet network on the MSM720).
Optionally, the client data tunnel can be used when a controlled AP and its controller are on
the same subnet. To do this, enable the Always tunnel client traffic option.
Performance and security settings for the client data tunnel can be customized by selecting
Controller >> Controlled APs > Client data tunnel.
Less security/better performance: This option authenticates packets using a secret key that is
attached to each packet. The key is rotated every 200 seconds.
High security/less performance: This option uses an HMAC (hash-based message
authentication code) to ensure the data integrity and authenticity of each packet.
Performance is reduced by the overhead needed to calculate the HMAC.
Regardless of the security method used, the client data tunnel does not encrypt the data
stream. To protect client traffic with encryption, client stations must use WPA or VPN software:
Under Wireless protection, enable WPA with the Terminate WPA at the controller option. This
requires client stations that support WPA.
Use VPN-based authentication. See “Securing wireless client sessions with VPNs” (page 507).
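The following Python is an added illustration, not the controller's tunnel implementation, of what the two client data tunnel security options protect and what neither of them protects. The guide does not document the frame format, key length or hash function, so the 16-byte key, HMAC-SHA256 with a truncated 16-byte tag, and the modelling of the "secret key attached to each packet" option as the key appended verbatim are all assumptions made for the example; the conclusion that one captured packet is enough to forge under that option holds only for this model.

```python
"""Model of the two client data tunnel security options.

Added example, not MSM7xx product code. Assumptions: 16-byte key,
HMAC-SHA256 truncated to 16 bytes, and the low-cost option modelled as the
shared key appended verbatim to the packet. The demo shows that the HMAC
option binds the trailer to the frame contents, that the keyed trailer does
not, and that the payload is readable on the wire in both cases.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 16   # assumed key length
TAG_LEN = 16   # assumed: HMAC-SHA256 output truncated to 16 bytes


def seal_keyed(frame: bytes, key: bytes) -> bytes:
    """'Less security/better performance': attach the shared secret (model)."""
    return frame + key


def verify_keyed(packet: bytes, key: bytes) -> Optional[bytes]:
    """Return the frame if the attached secret matches, else None."""
    frame, trailer = packet[:-KEY_LEN], packet[-KEY_LEN:]
    return frame if hmac.compare_digest(trailer, key) else None


def seal_hmac(frame: bytes, key: bytes) -> bytes:
    """'High security/less performance': append an HMAC over the whole frame."""
    tag = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return frame + tag


def verify_hmac(packet: bytes, key: bytes) -> Optional[bytes]:
    """Return the frame if its HMAC tag is valid, else None."""
    frame, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return frame if hmac.compare_digest(tag, expected) else None


def forge_from_capture(captured: bytes, new_frame: bytes, trailer_len: int) -> bytes:
    """On-path attacker: reuse the trailer seen on one packet for a new frame."""
    return new_frame + captured[-trailer_len:]


def demo() -> dict:
    """Run both options against a constructed sample frame and a forgery."""
    key = os.urandom(KEY_LEN)
    # Constructed sample frames: a 14-byte Ethernet-style header plus payload.
    frame = b"\x00" * 14 + b"GET /login HTTP/1.1"
    evil = b"\x00" * 14 + b"GET /admin HTTP/1.1"

    keyed_pkt = seal_keyed(frame, key)
    hmac_pkt = seal_hmac(frame, key)
    return {
        # No confidentiality in either option: the payload is on the wire as-is.
        "payload_visible_keyed": b"/login" in keyed_pkt,
        "payload_visible_hmac": b"/login" in hmac_pkt,
        # Keyed trailer (model): the trailer from one captured packet validates
        # any new frame until the 200-second rotation replaces the key.
        "keyed_forgery_accepted":
            verify_keyed(forge_from_capture(keyed_pkt, evil, KEY_LEN), key) == evil,
        # HMAC: the tag depends on the frame, so a reused tag is rejected and
        # the key itself never appears on the wire.
        "hmac_forgery_accepted":
            verify_hmac(forge_from_capture(hmac_pkt, evil, TAG_LEN), key) is not None,
        "hmac_genuine_accepted": verify_hmac(hmac_pkt, key) == frame,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to carry away is the last paragraph of the section: selecting the HMAC option buys integrity and authenticity of tunnelled frames, and the 200-second rotation bounds the exposure window of the cheaper option, but only WPA terminated at the controller or a client VPN keeps the payload itself from being read between AP and controller.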
120 Working with VSCs