FortiWLC – Bridging Versus Tunneling

Bridging Versus Tunneling

The bridged AP feature allows APs to be installed and managed at locations separated from the controller by a WAN or ISP, for example, in a satellite office. Encryption can be enabled on the bridged connection to provide security over ISP-based connections.

Bridging Versus Tunneling

The controller, through a keep-alive signal, monitors the remote AP. Remote APs can exchange control information, including authentication and accounting information with the controller, but are unable to exchange data. (Remote bridged APs can, however, exchange data with other APs within their subnet.)

Tunneled mode only features
  • Mesh
  • Mesh Plug and Play
  • 5 Hop mesh
  • Wired Client on uplink port with Mesh
  • Captive Portal on L2 APs
  • Captive Portal Exemptions (domain walled garden entries)
  • Domain whitelisting for OAuth with MCT (older way of domain whitelisting)
  • VLAN Mesh (801.q trunking on wired ports on Mesh APs)
  • VLAN pooling
  • GRE tunneling
  • QoS Rules -Rate-limiting, DSCP marking
  • QoS Rules -dynamic flow detection
  • CoA -(filter ID)
  • DHCP relay
  • Proxy ARP
  • RAC
  • DPI -Application bandwidth throttling
Bridge mode only features
  • Remote Radius
  • AP survivability Captive Portal, CP bypass on MAC filtering, IP v6 pass-through, Static/Dynamic VLANs – NOT supported in bridged mode on AP300.
  • Allow/Deny QoS rule – NOT supported in bridged mode on AP300,433,1000 & 332
Example of Bridged AP Deployment

The following figure is an example of remote bridged AP deployment. Notice that AP1 is configured for L2/local mode, AP2 is configured L2/Remote mode, AP3 is configured L3/local mode, and AP4 is configured for L3/Remote AP mode. The controller, AP1 and AP2 are

Bridging Versus Tunneling

located in the same 10.0.10.x/24 subnet, and AP3 and AP4 are in a different subnet, 192.0.10.x/24. The blue and red lines correspond to L2 and L3 data tunnel, respectively. Also, MS A through D are associated to AP 1 to 4, respectively. Note that the MS C and MS D have different IP addresses, even though they are associated to APs within the same IP subnet. The reason for this is because AP3 is configured in local mode and is tunneled back to the controller at Layer 3. This example demonstrates how a mobile client’s IP domain is changed by the dataplane bridged or tunneled setting. Figure 35: Example Remote AP Topology

Configure a Bridged Profile

For complete UI directions, see “Add an ESS with the Web UI” on page 137 or click Configuration > Wireless > ESS and select an ESS to edit.

To configure a bridged AP for an existing ESSID with the CLI, follow these steps: 1. Enter the ESSID configuration mode and set the dataplane mode to bridged:

Bridging Versus Tunneling

controller# configure terminal controller(config)# essid profile_name controller(config‐ap)# dataplane bridged controller(config‐ap)# exit

After you make the config changes, force the APs to do a hard reboot.

  1. If the connection between the controller and the Remote AP should be secured, use the following command to encrypt only an AP connection:

controller# configure terminal controller(config)# ap ap#

controller(config‐ap)# dataplane‐encryption on controller(config‐ap)# exit

The Remote AP feature may require that corporate firewall configuration be updated to permit wireless access over certain Ethernet ports. The affected ports are:

  • L2 (Ethernet) L3 (UDP)
  • Data 0x4000 9393
  • Comm 0x4001 5000
  • Discovery 0x4003 9292

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos