Meru Networks AP110 Deployment Manual page 5


The AP110/AP1014i access points support two types of virtualization:
Virtual Cell (also known as shared BSSID)
In this mode of virtualization, all APs advertising a particular SSID broadcast the same
BSSID across the WLAN for that SSID. Virtual Cell is the default virtualization mode for
System Director Release 5.3 or later.
Different client chipset vendors incorporate different calculation methodologies for
deciding when to roam from one AP to another. From a network perspective, this
situation leads to inconsistency among various client devices and their behavior when it
comes to roaming between two APs. This scenario is typical of why legacy microcell
WLAN architectures have problems, especially in a BYOD environment.
Virtual Port (also known as per-station BSSID)
In this mode, a common parent BSSID (PBSSID) is broadcast for a particular SSID by
all APs advertising that SSID. In Virtual Port, all clients receive a unique beacon and a
unique broadcast/multicast key, making them invulnerable to certain types of key
attacks. Each client is assigned its own BSSID. The BSSID remains the same for this
particular client regardless of which AP the client is connected to.
For information about best practices for each virtualization mode, see the
for High-Density Design and
VPN
In the current Meru wireless system architecture, communication between the controller and
AP takes place across specific UDP ports such as 5000, 9292, and 9393. This communication
includes controller discovery, communication between Meru applications on the controller and
AP, and data packet flow between different applications. All communication occurs over a
UDP-encapsulated tunnel regardless of whether the controller and AP are located within the
same network or on different networks. When data travels across geographical boundaries in
enterprise networks, opening firewall holes to allow this traffic adds some administrative
overhead at times.
The VPN feature provides a secure tunnel between the controller and AP as needed to ensure
the security of traffic between them. With VPN enabled, all types of communication occur
inside a secure channel. SSL VPN is used to implement the VPN server on the controller and
the VPN client on the AP. The server and client together set up the secure VPN tunnel.
The SSL (v3)/TLS (v1) VPN implementation encrypts communication data within the tunnel.
The encryption algorithm is AES-CBC (AES in Cipher Block Chaining mode) with a 128-bit
default key. TLS authentication (SHA1 algorithm) is used, which involves exchanging X.509
certificates for mutual authentication between the server (controller) and client (AP).
The tunnel between the controller and AP is established using UDP port 1194, which is the
well-known port for SSL VPN.
The VPN feature is available in System Director Release 5.3 or later.
Figure 1 illustrates a scenario in which users access corporate resources from home or a
remote branch office. The built-in VPN functionality of the APs helps avoid making firewall
changes and provides seamless access to the corporate network.
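The following check is an added example, not part of the Meru manual or Meru software. It audits flow records for APs that are expected to use the VPN and reports controller/AP traffic on the native UDP ports (5000, 9292, 9393) seen outside the UDP 1194 tunnel. The addresses, the flow records, and the assumption that flows are captured on the path between AP and controller are constructed for illustration.

```python
from collections import defaultdict

NATIVE_UDP_PORTS = {5000, 9292, 9393}  # controller/AP ports named in the text
VPN_UDP_PORT = 1194                    # SSL VPN tunnel port named in the text

# Constructed sample data (documentation address ranges), not from the manual.
CONTROLLER = "192.0.2.10"
VPN_APS = {"198.51.100.21", "198.51.100.22", "198.51.100.23"}
SAMPLE_FLOWS = [  # (src_ip, dst_ip, proto, src_port, dst_port)
    ("198.51.100.21", "192.0.2.10", "udp", 40112, 1194),
    ("192.0.2.10", "198.51.100.21", "udp", 1194, 40112),  # return direction
    ("198.51.100.22", "192.0.2.10", "udp", 40230, 1194),
    ("198.51.100.22", "192.0.2.10", "udp", 5000, 5000),   # outside the tunnel
    ("198.51.100.23", "192.0.2.10", "udp", 9393, 9393),   # no tunnel at all
    ("10.0.0.5", "192.0.2.10", "udp", 5000, 5000),        # local AP, VPN not expected
    ("198.51.100.21", "192.0.2.10", "tcp", 51000, 443),   # unrelated traffic
]

def audit_flows(flows, controller, vpn_aps):
    """Return {ap_ip: [finding, ...]} for APs expected to use the VPN.
    Flows are assumed to be observed between AP and controller, so traffic
    carried inside the tunnel shows up only as UDP/1194."""
    seen = defaultdict(lambda: {"tunnel": False, "native": set()})
    for src, dst, proto, sport, dport in flows:
        if proto != "udp" or controller not in (src, dst):
            continue
        ap = dst if src == controller else src
        if ap not in vpn_aps:
            continue
        ports = {sport, dport}  # match either direction of the conversation
        if VPN_UDP_PORT in ports:
            seen[ap]["tunnel"] = True
        seen[ap]["native"] |= ports & NATIVE_UDP_PORTS
    findings = {}
    for ap in sorted(vpn_aps):
        issues = []
        if not seen[ap]["tunnel"]:
            issues.append("no UDP/1194 tunnel observed")
        issues += [f"UDP/{p} seen outside the tunnel" for p in sorted(seen[ap]["native"])]
        if issues:
            findings[ap] = issues
    return findings

if __name__ == "__main__":
    for ap, issues in audit_flows(SAMPLE_FLOWS, CONTROLLER, VPN_APS).items():
        print(ap, "->", "; ".join(issues))
```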
Deployment.
For use by Meru Networks authorized partners and customers.
Best Practices Guide