How to Switch WLAN APs from Direct to Tunnel Forwarding (Step‑by‑Step Guide)
This article explains the concepts of direct and tunnel forwarding in WLAN networks, compares their advantages and disadvantages, and provides detailed step‑by‑step configuration instructions for converting APs from direct‑forward mode to tunnel‑forward mode in both AC‑side and AC‑direct deployment scenarios.
Introduction
WLAN network packets are divided into management (control) packets and data (service) packets. Management packets are forwarded via the CAPWAP control tunnel; data packets can be forwarded via tunnel forwarding (centralized), direct forwarding (local), or Soft‑GRE.
In real deployments, requirements may change, requiring conversion from direct forwarding to tunnel forwarding. The following explains the concepts and how to modify the configuration.
Concepts of Direct and Tunnel Forwarding
Tunnel forwarding means user data packets reaching the AP are encapsulated in a CAPWAP data tunnel and sent to the AC, which then forwards them to the upstream network (see Figure 1‑1).
Direct forwarding means user data packets reach the AP and are sent directly to the upstream network without CAPWAP encapsulation (see Figure 1‑2).
Both methods have pros and cons, summarized below.
Tunnel Forwarding
Advantages: Centralized forwarding by AC, better security, easier centralized management, simple addition of new devices, minimal impact on existing network.
Disadvantages: Data must pass through AC, lower forwarding efficiency, higher load on AC.
Direct Forwarding
Advantages: Data bypasses AC, higher forwarding efficiency, lower AC load.
Disadvantages: Harder to manage centrally, larger impact on existing network when adding devices.
Changing Direct Forwarding to Tunnel Forwarding
In practice, converting from direct to tunnel forwarding involves adjusting VAP forwarding mode and the VLAN settings on each interface.
Configuration Adjustment Principles
Besides the VAP forwarding mode, the main changes are the management VLAN and service VLAN configurations on each interface.
In direct forwarding, management and service VLANs should be different; otherwise, traffic may be blocked.
In tunnel forwarding, the management and service VLANs must not be the same, to avoid MAC flapping; only the management VLAN is allowed on the links between AP and AC.
Direct‑to‑Tunnel Conversion (AC‑Side Branch)
In the AC‑side branch scenario, data packets originally bypass the CAPWAP tunnel; after conversion they are encapsulated in the CAPWAP data tunnel, carried to the AC tagged with management VLAN 100, and decapsulated at the AC, which removes the tag before forwarding them upstream.
Configuration differences (only changed items shown):
Direct Forwarding Configuration
AC configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
wlan
vap-profile name wlan-net
forward-mode direct-forward // default, not present in actual config
Switch2 configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
Switch1 configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
Tunnel Forwarding Configuration
AC configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101 // add business VLAN 101
#
wlan
vap-profile name wlan-net
forward-mode tunnel // change to tunnel forwarding
Switch2 configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101 // add business VLAN 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 // remove business VLAN 101
Switch1 configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 // remove business VLAN 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 // remove business VLAN 101
Note: The example assumes Switch2 provides DHCP for the APs and STAs. If the DHCP server resides on another device, configure the appropriate VLANs or routes so that the APs and STAs can reach it.
Direct‑to‑Tunnel Conversion (AC Direct Connection)
In the AC direct‑connection scenario, data packets travel from the AP through Switch1 to the AC after conversion, with the same VLAN tagging and tag‑removal steps as above.
Configuration differences (only changed items shown):
Direct Forwarding Configuration
AC configuration:
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
wlan
vap-profile name wlan-net
forward-mode direct-forward // default
Switch1 configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
Tunnel Forwarding Configuration
AC configuration:
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 // remove business VLAN 101
#
wlan
vap-profile name wlan-net
forward-mode tunnel // change to tunnel forwarding
Switch1 configuration:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 // remove business VLAN 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 // remove business VLAN 101
Note: If the DHCP server for the APs and STAs is on the AC, make sure the VLANs or routes are configured so that the APs and STAs can reach it.
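The configuration adjustment principles above (different management and service VLANs, only the management VLAN between AP and AC, forward-mode tunnel on the VAP) are easy to get wrong when many trunks are edited by hand. The following Python script is an added example, not part of the article and not a Huawei tool: it parses VRP-style snippets like the ones shown for both scenarios and reports which rule each port violates. The VLAN numbers and configuration lines are the article's; the device names and the port roles encoded in the Topology objects (which ports sit on the AP-to-AC path and which links carry decapsulated user traffic) are my reading of the described topologies and are assumptions.

```python
"""Audit VRP-style AC/switch snippets against the direct-to-tunnel conversion rules above."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

MGMT_VLAN, SERVICE_VLAN = 100, 101   # VLAN numbers used in the article's examples


@dataclass
class Interface:
    name: str
    pvid: int | None = None
    allowed: set[int] = field(default_factory=set)   # from 'port trunk allow-pass vlan ...'


def parse_vlan_list(spec: str) -> set[int]:
    """Expand a VRP VLAN list ('100 to 101', '100 101', '10 to 12 20') into a set of ids."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text: str) -> tuple[dict[str, Interface], str | None]:
    """Return interfaces by name and the VAP forward-mode (None when the line is absent)."""
    interfaces: dict[str, Interface] = {}
    current, forward_mode = None, None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop '// ...' inline comments
        if line == "#":                               # section separator closes the interface
            current = None
        elif m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m[1], Interface(m[1]))
        elif current and (m := re.match(r"port trunk pvid vlan (\d+)$", line)):
            current.pvid = int(m[1])
        elif current and (m := re.match(r"port trunk allow-pass vlan (.+)$", line)):
            current.allowed |= parse_vlan_list(m[1])
        elif m := re.match(r"forward-mode (\S+)$", line):
            forward_mode = m[1]
    return interfaces, forward_mode


@dataclass
class Topology:        # port roles: my reading of the article's figures, not stated on the page
    ap_facing: tuple[str, str]       # (device, port) the AP plugs into; pvid must be the mgmt VLAN
    path: list[tuple[str, str]]      # trunks between AP and AC; mgmt VLAN only after conversion
    ac_side: list[tuple[str, str]]   # links carrying decapsulated user traffic; need the service VLAN


S1_AP, S1_UP, S2_DOWN = ("Switch1", "GigabitEthernet0/0/1"), ("Switch1", "GigabitEthernet0/0/2"), ("Switch2", "GigabitEthernet0/0/2")
AC_SIDE_BRANCH = Topology(S1_AP, [S1_AP, S1_UP, S2_DOWN], [("Switch2", "GigabitEthernet0/0/1"), ("AC", "GigabitEthernet0/0/1")])
AC_DIRECT = Topology(S1_AP, [S1_AP, S1_UP, ("AC", "GigabitEthernet0/0/2")], [])   # AC uplink is not among the changed items shown


def audit_tunnel_forwarding(configs: dict[str, str], topo: Topology) -> list[str]:
    """Return findings; an empty list means the configs satisfy the tunnel-forwarding rules."""
    parsed = {dev: parse_config(cfg) for dev, cfg in configs.items()}
    port = lambda dev, name: parsed[dev][0].get(name)
    mode = parsed["AC"][1] or "direct-forward"        # a missing forward-mode line means the default
    findings = [] if mode == "tunnel" else [f"AC vap-profile forward-mode is {mode}, expected tunnel"]
    ap = port(*topo.ap_facing)
    if ap is None or ap.pvid != MGMT_VLAN:
        findings.append(f"{topo.ap_facing}: pvid must be management VLAN {MGMT_VLAN}")
    for dev, name in topo.path:
        p = port(dev, name)
        if p is None or MGMT_VLAN not in p.allowed:
            findings.append(f"{dev} {name}: must carry management VLAN {MGMT_VLAN}")
        elif SERVICE_VLAN in p.allowed:
            findings.append(f"{dev} {name}: service VLAN {SERVICE_VLAN} must not ride the AP-AC path")
    for dev, name in topo.ac_side:
        p = port(dev, name)
        if p is None or SERVICE_VLAN not in p.allowed:
            findings.append(f"{dev} {name}: AC-side link must allow service VLAN {SERVICE_VLAN}")
    return findings


# Sample configs are the article's "changed items" for the AC-side branch scenario (AP - Switch1 - Switch2 - AC).
BRANCH_DIRECT = {
    "AC": "interface GigabitEthernet0/0/1\n port link-type trunk\n port trunk allow-pass vlan 100\n#\n"
          "wlan\n vap-profile name wlan-net\n",                       # forward-mode left at its default
    "Switch2": "interface GigabitEthernet0/0/1\n port link-type trunk\n port trunk allow-pass vlan 100\n#\n"
               "interface GigabitEthernet0/0/2\n port link-type trunk\n port trunk allow-pass vlan 100 to 101\n",
    "Switch1": "interface GigabitEthernet0/0/1\n port link-type trunk\n port trunk pvid vlan 100\n"
               " port trunk allow-pass vlan 100 to 101\n#\n"
               "interface GigabitEthernet0/0/2\n port link-type trunk\n port trunk allow-pass vlan 100 to 101\n",
}
BRANCH_TUNNEL = {
    "AC": "interface GigabitEthernet0/0/1\n port link-type trunk\n port trunk allow-pass vlan 100 101 // add business VLAN 101\n#\n"
          "wlan\n vap-profile name wlan-net\n  forward-mode tunnel // change to tunnel forwarding\n",
    "Switch2": "interface GigabitEthernet0/0/1\n port link-type trunk\n port trunk allow-pass vlan 100 to 101\n#\n"
               "interface GigabitEthernet0/0/2\n port link-type trunk\n port trunk allow-pass vlan 100\n",
    "Switch1": "interface GigabitEthernet0/0/1\n port link-type trunk\n port trunk pvid vlan 100\n"
               " port trunk allow-pass vlan 100\n#\n"
               "interface GigabitEthernet0/0/2\n port link-type trunk\n port trunk allow-pass vlan 100\n",
}
# AC direct-connection scenario (AP - Switch1 - AC): Switch1's changed items are identical to the branch case.
DIRECT_CONN_TUNNEL = {"Switch1": BRANCH_TUNNEL["Switch1"],
                      "AC": "interface GigabitEthernet0/0/2\n port link-type trunk\n port trunk allow-pass vlan 100\n#\n"
                            "wlan\n vap-profile name wlan-net\n  forward-mode tunnel\n"}

if __name__ == "__main__":
    for label, cfgs, topo in [("branch/direct", BRANCH_DIRECT, AC_SIDE_BRANCH), ("branch/tunnel", BRANCH_TUNNEL, AC_SIDE_BRANCH),
                              ("ac-direct/tunnel", DIRECT_CONN_TUNNEL, AC_DIRECT)]:
        print(label, audit_tunnel_forwarding(cfgs, topo) or "OK")
```

Run against the pre-conversion snippets the audit lists six findings (the defaulted forward-mode, service VLAN 101 still riding all three trunks on the AP-to-AC path, and VLAN 101 missing from the two AC-side links); the post-conversion snippets for both scenarios come back clean. To reuse it on a real network, paste each device's `display current-configuration` output into the dictionary and describe the actual port roles in a Topology; the parser only understands the trunk, pvid and forward-mode lines that the article's procedure changes.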
AP Wired Port Forwarding Modes
AP wired ports support tunnel and direct forwarding. In tunnel mode, wired user packets are encapsulated in a CAPWAP tunnel to the AC; in direct mode they are sent directly to the upstream network.
Since version V200R010C00, AP wired ports support tunnel forwarding.
When the wired port’s downstream device’s gateway is on the AC, tunnel forwarding should be used.
Key points:
Only endpoint‑mode AP wired ports support tunnel forwarding.
Model AD9431DN-24X wired port does not support tunnel forwarding.
In tunnel mode, if user isolation is enabled on the wired port, unicast packets are not isolated on the AC.
Management and service VLANs must not be the same in tunnel mode to avoid network loops.
Example configuration for setting the AP wired port ETH0 to endpoint mode and tunnel forwarding:
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] wired-port-profile name wired
[AC6605-wlan-wired-port-wired] mode endpoint
[AC6605-wlan-wired-port-wired] forward-mode tunnel // tunnel = tunnel forwarding, direct-forward = direct forwarding (default)
[AC6605-wlan-wired-port-wired] quit
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] wired-port-profile wired ethernet 0