Tech Note
Tunneling Configuration Guide for Enterprise v1.0
July 2016
Introduction
The Ruckus SZ 100, vSZ and SCG 200 wireless controllers provide a number of options for tunneling data traffic. This document
focuses on several design scenarios that apply to enterprise WLAN deployments. It describes the tunnel types that are
supported and can be implemented, discusses design goals, i.e. what can be achieved with tunneled WLAN traffic, and provides
step-by-step configuration guidance.
Tunneling Options
There are two distinct options for tunneling data in the Ruckus solution.
The first option addresses data tunneling from Access Points to the data plane on a wireless controller or to a 3rd-party network
device that can perform tunnel aggregation. Such a network design applies to cases where data from user devices has to be
centralized or distributed between multiple data aggregation points.
The second option addresses an architecture where all clients' data has to be tunneled northbound from a wireless controller to a
3rd-party aggregation point. This scenario mostly applies to service provider solutions and is out of the scope of this
document. For more information see the Ruckus documentation for the Ruckus Wireless SmartCell Gateway 200, "Tunneling Interface
Reference Guide for SmartZone 3.2.1".
A local breakout mode is used in all other cases, where data traffic does not need to be centralized and can be switched and
routed locally.
Tunnel types
Ruckus GRE
GRE is a well-known tunneling protocol, described in RFC 2784. The originating packet, called the payload packet, is
encapsulated in GRE and an additional delivery header is added for transport over the network; the delivery protocol is in most
cases IPv4. Packets are decapsulated at the other end of the tunnel and the payload packet is forwarded to its destination.
Ruckus supports a proprietary GRE variant called Ruckus GRE, which is used for tunneling user data from Ruckus Access
Points to vSZ, SCG-200 or ZoneDirector controllers, see Figure 1.
Common configuration options are:
• Ruckus GRE with UDP - commonly used on networks that require NAT traversal, since plain GRE (IP protocol 47) carries no port
numbers that a NAT device can translate
• Ruckus GRE - supports optional payload encryption
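To make the encapsulation described above concrete, the following is an added example (it is not from this guide and not Ruckus code) that builds and strips a standard RFC 2784 GRE header, verifies the optional GRE checksum, rejects the header variants an RFC 2784 receiver must discard, and computes how much of the transport MTU is left for the client packet with and without the UDP option. The proprietary Ruckus GRE header and the UDP port used by "Ruckus GRE + UDP" are not described in this guide, so they are not modelled; the payload type 0x6558 (transparent Ethernet bridging) and the sample frame are assumptions for illustration.

```python
# Added example (not from the Ruckus guide): standard RFC 2784 GRE
# encapsulation/decapsulation, to show what the tunnel header looks like
# and how it eats into the MTU. The proprietary Ruckus GRE header and the
# UDP port used by "Ruckus GRE + UDP" are not described in this guide and
# are not modelled here. Standard library only; runs offline.
import struct

GRE_BASE_LEN = 4      # C flag + reserved0 + version, then protocol type
GRE_CSUM_LEN = 4      # checksum + reserved1, present only when C is set
IPV4_HDR_LEN = 20     # outer IPv4 header without options
UDP_HDR_LEN = 8       # additional header for the GRE-over-UDP option
ETH_HDR_LEN = 14      # inner Ethernet header when whole frames are tunneled
# Protocol type for an Ethernet frame as payload (transparent Ethernet
# bridging). Assumed here for client traffic; the guide does not state it.
PROTO_TRANSPARENT_ETH_BRIDGING = 0x6558


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd tail is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encap(payload: bytes, protocol_type: int, checksum: bool = False) -> bytes:
    """Prepend an RFC 2784 GRE header: bit 0 = C (checksum present),
    bits 1-12 reserved0 (sent as zero), bits 13-15 version (0)."""
    first_word = 0x8000 if checksum else 0x0000
    header = struct.pack("!HH", first_word, protocol_type)
    if checksum:
        # Checksum covers the GRE header (checksum field zero) plus payload.
        csum = internet_checksum(header + b"\x00\x00\x00\x00" + payload)
        header += struct.pack("!HH", csum, 0)
    return header + payload


def gre_decap(packet: bytes) -> dict:
    """Validate and strip the GRE header. Raises ValueError on anything an
    RFC 2784 receiver must discard: short header, non-zero version, bits 1-5
    of reserved0 set (RFC 1701 routing/key/sequence flags), bad checksum."""
    if len(packet) < GRE_BASE_LEN:
        raise ValueError("short GRE header")
    first_word, protocol_type = struct.unpack("!HH", packet[:GRE_BASE_LEN])
    if first_word & 0x0007:
        raise ValueError("unsupported GRE version %d" % (first_word & 0x0007))
    if first_word & 0x7C00:
        raise ValueError("reserved0 bits 1-5 set (not plain RFC 2784 GRE)")
    header_len = GRE_BASE_LEN
    if first_word & 0x8000:
        if len(packet) < GRE_BASE_LEN + GRE_CSUM_LEN:
            raise ValueError("short GRE header (checksum flagged)")
        # With the checksum field in place, the sum over header+payload is 0.
        if internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        header_len += GRE_CSUM_LEN
    return {"protocol_type": protocol_type,
            "checksum": bool(first_word & 0x8000),
            "header_len": header_len,
            "payload": packet[header_len:]}


def inner_mtu(outer_mtu: int, over_udp: bool = False, checksum: bool = False) -> int:
    """Largest client IP packet that fits in one outer IPv4 packet without
    fragmentation when a whole Ethernet frame is tunneled. Standard-header
    budget only; any proprietary Ruckus header reduces it further."""
    overhead = IPV4_HDR_LEN + GRE_BASE_LEN + ETH_HDR_LEN
    if checksum:
        overhead += GRE_CSUM_LEN
    if over_udp:
        overhead += UDP_HDR_LEN
    return outer_mtu - overhead


if __name__ == "__main__":
    # Constructed sample: a 14-byte Ethernet header plus a short payload.
    frame = bytes.fromhex("0011223344550a0b0c0d0e0f0800") + b"client data"
    tunneled = gre_encap(frame, PROTO_TRANSPARENT_ETH_BRIDGING, checksum=True)
    info = gre_decap(tunneled)
    print("protocol 0x%04x, header %d bytes, payload intact: %s"
          % (info["protocol_type"], info["header_len"], info["payload"] == frame))
    print("inner MTU on a 1500-byte path: GRE %d, GRE+UDP %d"
          % (inner_mtu(1500), inner_mtu(1500, over_udp=True)))
```

The MTU figures this produces (1462 bytes for plain GRE, 1454 with the UDP option, on a 1500-byte transport) are the reason the configuration sections below let the tunnel MTU be lowered from 1500: anything larger than the budget is fragmented on the outer path or dropped when DF is set.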
Soft-GRE
Soft-GRE tunnels are similar to GRE tunnels, but only one end of the tunnel connection has to be defined. The Access Point
sends encapsulated packets to a dedicated gateway. When there are packets destined for the stations connected to that AP,
the gateway encapsulates them to send back to the AP.
This option requires a 3rd-party gateway that supports GRE termination. Soft-GRE tunnels can be used in the following cases:
• From Ruckus APs to a 3rd-party gateway, e.g. ALU 7750, see Figure 2
• Northbound from the SCG to a 3rd-party gateway
* vSZ-D is required by the vSZ-E and vSZ-H to terminate a data plane tunnel. Tunneling is not supported if a vSZ-D is not present.
vSZ-D capability:
• Up to 10K APs and 100K clients per instance
• Throughput of 1, 10 or more Gbps
** Configuration only, i.e. Soft-GRE tunnels should be terminated on a 3rd-party gateway that supports the Soft-GRE protocol, e.g.
ALU 7750
Tunneling Configuration
WLAN Data Tunneling with vSZ-H
vSZ-H with vSZ-D data plane
A vSZ-D data plane VM is required for a vSZ-H to terminate Ruckus GRE tunnels from Access Points, i.e. tunnels can't
be terminated on a vSZ-H directly.
A vSZ-D does not have to be physically co-located with the vSZ-H. This provides a high level of flexibility in creating network
architectures with data tunneling. There are two possible scenarios for WLAN data aggregation that can be implemented with the
vSZ-D data plane and virtual SmartZone:
1. Centralized tunneled WLANs
2. Distributed tunneled WLANs (future)
Tunneling is configured on a per-WLAN basis, which means the following options for user data traffic can be implemented
for different WLANs on the same AP:
• Local breakout
• Data tunneling to vSZ-D over Ruckus GRE
• Data tunneling to a 3rd-party gateway over Soft-GRE
For more detailed information on the vSZ-D and how to install and configure it please refer to the “Virtual SmartZone Data Plane
(vSZ-D) Configuration Guide”.
Actions >> Move AP to a different zone, i.e. the icon in the right column of the table, see Figure 6
If an AP Zone does not exist, create a new AP zone, or select Edit to modify the configuration of an existing AP zone.
9. Under AP Tunnel Options select the Ruckus GRE tunnel type.
10. From the "GRE Tunnel Profile" drop-down list select the correct profile name, see Figure 8 below.
Soft-GRE configuration
Soft-GRE tunnel configuration on a vSZ-H is very similar to Ruckus GRE configuration, but there are some differences.
1. First, create a Soft-GRE AP Tunnel profile.
2. Go to Configuration>>AP zones>>AP tunnel profiles>>SoftGRE, see Figure 9 below.
3. Configure the primary and secondary Gateway addresses or FQDNs.
Note: Soft-GRE tunnels have to be terminated on a 3rd-party gateway with Soft-GRE termination support, e.g. ALU 7750
4. MTU size can be set to Auto or adjusted within the range 850-1500 bytes to prevent packet fragmentation.
Next, enable tunneling for the WLAN; this will tunnel all of the clients' data to the SZ 100. To configure this, use the following
steps:
4. Go to Configure>>WLANs and select the WLAN for tunneling.
5. Under WLAN Usage >> Access Network, mark the tick box "Tunnel WLAN traffic through Ruckus GRE", see Figure 13
below.
MTU size can be left as Auto or adjusted within the range 850-1500 bytes to prevent packet fragmentation, see Figure 14.
Tunneling of data traffic is enabled on a per-WLAN basis. To configure this, use the following steps:
4. Go to Configure>>WLANs and select the WLAN you want to tunnel traffic for.
5. Under WLAN Usage, mark the tick box "Tunnel WLAN traffic through Soft GRE".
Figure 17. Example: vSZ-D data plane with Managed and Approved status
Tunneling is enabled on a per-WLAN basis. To configure it for a specific WLAN, use the following steps:
9. Go to Configuration>>WLANs
10. Select a WLAN from the list, or create a new WLAN if it does not exist
11. Under WLAN Usage mark the check box "Tunnel WLAN traffic through Ruckus GRE", as shown in Figure 19 below
Soft-GRE configuration
Soft-GRE tunnels should be enabled on the vSZ-E when an AP has to terminate its tunnel on a 3rd-party gateway with Soft-GRE
tunnel support.
To enable Soft-GRE on the vSZ-E, use the following steps:
1. Go to Configuration>>AP Tunnel Settings
2. From the dropdown select the SoftGRE option as the Tunnel Type.
3. Next, configure the primary and secondary Gateway address or FQDN. See Figure 20. Note that the Gateway IP address
is shown as an example only.
4. MTU size can be set to Auto or adjusted within the range 850-1500 bytes to prevent packet fragmentation caused by the
increased encapsulation overhead.
The use of Soft-GRE tunnels with IPsec is most applicable to mobile service providers, where tunnels from APs must be
terminated on a Wireless Access Gateway (WAG) in the Evolved Packet Core (EPC). The use of IPsec ensures these tunnels are
encrypted. Please note that not all Access Points support IPsec tunnels. Verify that your AP model supports this feature before
deploying.
When enabling multiple tunneling protocols, consider the total packet overhead and adjust the MTU size if necessary.
IPsec is CPU intensive and may impact the performance of the tunnel endpoints, i.e. in this case the Access
Points with IPsec support and the aggregation gateway. The gateway where the IPsec tunnels are terminated should have enough
processing power to handle traffic from all endpoints; to validate its capacity, check the documentation for the specific platform.
Let's consider a configuration example on the SZ 100 platform. To start, create an IPsec profile in the SZ-100 configuration by
following these steps:
1. Go to Configuration>>Access Points>>IPsec > Create New
2. Configure a profile name and the security gateway where this tunnel will be terminated
Authentication can be set either as a shared key or as certificate based; see Figure 22 for a shared key example. Configure the
security gateway to match these authentication settings so that the tunnel endpoints can authenticate each other and the IPsec
tunnel can be established. This may also require configuring additional IKE and ESP parameters as well as the certificate
management protocol settings. Note that a shared key configured in a profile is common to every AP that uses that profile, so
prefer certificate-based authentication for larger deployments and rotate the shared key if it is ever exposed.
Troubleshooting
Validate supported configuration
When implementing WLAN designs with Ruckus GRE tunnels and SmartZone controllers, validate that the controller has
a data plane to terminate these tunnels. Table 1 provides the supported combinations. Note that the SZ-100 platform
has a built-in data plane, whereas the vSZ-E and vSZ-H require an external data plane (vSZ-D).
When a vSZ-D is installed as a VM and configured to operate with a vSZ-E or vSZ-H, make sure it has an available license
assigned to it. Additionally, the vSZ-D has to be Managed and Approved, as shown in Figure 4 and Figure 17.
If a Ruckus GRE tunnel is enabled for a specific WLAN on a controller that has no data plane present, the access
points will not be able to terminate the tunnel and the SSID allocated to this WLAN will not be operational on those APs.
In some cases wireless APs and the wireless controller data plane can be deployed within the same L2 domain (VLAN), but it is very
likely that many deployments will be done over an L3 network where IP packets from one tunnel endpoint (AP) have to cross
multiple routers to reach the other end of the tunnel (Data Plane).
In more complex L3 configurations, traffic may have to traverse a NAT router or a firewall. In that case the tunneling protocol option
shall be set to Ruckus GRE + UDP and the UDP ports used by the tunnel shall be permitted through the firewall in both directions;
a rule that permits only the AP-to-data-plane direction shows up in a capture as tunnel packets with no replies.
To help with troubleshooting, some examples of Ruckus GRE data captures are included in Appendix A: Examples of traffic
captures of this document.
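The checks described in this section (data plane reachable in both directions, no NAT-unfriendly plain GRE, no fragmentation from an oversized MTU) can be run over a raw capture. The following is an added example that is not part of this guide or of any Ruckus tool: it parses IPv4 headers, classifies each packet by the transport a tunnel can use (IP protocol 47 for plain GRE, UDP for the Ruckus GRE + UDP option, ESP when IPsec is enabled), counts IP fragments, and reports transports seen in one direction only. The sample packets are constructed inline using the AP and SZ-100 addresses from Appendix A; the UDP port numbers in them are placeholders, not the ports Ruckus uses.

```python
# Added example (not from the Ruckus guide): triage of a raw IPv4 capture
# for the tunnel problems described in the Troubleshooting section. The
# sample packets are constructed by hand with the AP and SZ addresses from
# Appendix A; the UDP ports are placeholders, not the ports Ruckus uses.
import socket
import struct
from collections import Counter, defaultdict

IPPROTO_NAMES = {1: "ICMP", 17: "UDP", 47: "GRE", 50: "ESP"}


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields that matter for tunnel triage."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "proto": proto,
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),
        # More Fragments set, or a non-zero offset: this packet was fragmented.
        "fragment": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0,
    }
    # UDP ports are only readable in the first (or only) fragment.
    if proto == 17 and (flags_frag & 0x1FFF) == 0 and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               df: bool = True, mf: bool = False, frag_off: int = 0) -> bytes:
    """Build a constructed test packet (header checksum left zero; the triage
    code does not verify it)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def triage(packets, ap_ip: str, dataplane_ip: str) -> dict:
    """Summarise tunnel transports seen between an AP and its data plane."""
    counts = Counter()
    directions = defaultdict(set)
    fragments = 0
    for raw in packets:
        p = parse_ipv4(raw)
        if {p["src"], p["dst"]} != {ap_ip, dataplane_ip}:
            continue                      # unrelated traffic on the same port
        name = IPPROTO_NAMES.get(p["proto"], "proto-%d" % p["proto"])
        counts[name] += 1
        directions[name].add("ap->dp" if p["src"] == ap_ip else "dp->ap")
        if p["fragment"]:
            fragments += 1
    one_way = sorted(n for n in counts if directions[n] != {"ap->dp", "dp->ap"})
    findings = ["%s seen %s only: check firewall/NAT rules for the missing direction"
                % (n, ", ".join(sorted(directions[n]))) for n in one_way]
    if fragments:
        findings.append("%d fragmented tunnel packets: lower the tunnel MTU" % fragments)
    if "GRE" in counts and "UDP" not in counts:
        findings.append("plain GRE (protocol 47) has no ports; use Ruckus GRE + UDP "
                        "if a NAT device sits in the path")
    return {"transports": dict(counts), "one_way": one_way,
            "fragments": fragments, "findings": findings}


AP, SZ = "10.3.6.64", "10.3.7.167"        # addresses from Appendix A
SAMPLE_CAPTURE = [                          # constructed, not a real capture
    build_ipv4(AP, SZ, 47, b"\x00\x00\x65\x58" + b"A" * 40),    # GRE AP->SZ
    build_ipv4(SZ, AP, 47, b"\x00\x00\x65\x58" + b"B" * 40),    # GRE SZ->AP
    build_ipv4(AP, SZ, 17, struct.pack("!HHHH", 40000, 40001, 48, 0) + b"C" * 40),
    build_ipv4(AP, SZ, 17, struct.pack("!HHHH", 40000, 40001, 48, 0) + b"D" * 40),
    build_ipv4(AP, SZ, 47, b"E" * 32, df=False, mf=True),       # first fragment
    build_ipv4("10.3.6.99", SZ, 1, b"\x08\x00" + b"F" * 6),     # unrelated ICMP
]

if __name__ == "__main__":
    for line in triage(SAMPLE_CAPTURE, AP, SZ)["findings"]:
        print(line)
```

On the constructed capture the UDP traffic is reported as one-way (the return direction is missing, as it would be behind a firewall that only permits outbound) and the fragmented GRE packet is flagged as an MTU problem; with a real capture, feed the raw IPv4 packets (Ethernet header stripped) to `triage()` instead of `SAMPLE_CAPTURE`.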
Summary
This document discussed tunneling configuration for the Ruckus GRE and Soft-GRE tunnel types on Ruckus Wi-Fi controllers and
APs. Although most configuration steps look very similar across the SZ-100 and vSZ-E / vSZ-H platforms, there are some
differences between them. The most important is that the virtual platforms require a vSZ-D to terminate tunnels. Please
note that a WLAN configured to tunnel traffic will not function if the data plane is not present; this includes the advertising of the
tunneled WLAN's SSID.
Additional consideration should be given to the increased overhead, both in packet size, due to the additional layer of
encapsulation, and in the processing requirements on both tunnel endpoints, especially where encrypted tunnels are
configured.
To demonstrate the different encapsulations, some examples of packet captures are provided in Appendix A: Examples of
traffic captures.
Figure 23 shows UDP packets with tunneled data passed between an AP and the vSZ-D in both directions.
Ruckus GRE
Below is an example of a Wireshark capture taken on the Ethernet port connected to a Ruckus AP. In this example
data is encapsulated using the Ruckus GRE protocol option.
• Access Point IP: 10.3.6.64
• SZ-100 IP: 10.3.7.167
Figure 24 shows GRE (IP protocol 47) packets with tunneled data passed between the AP and the SZ 100 in both directions.
About Ruckus
Headquartered in Sunnyvale, CA, Ruckus Wireless, Inc. is a global supplier of advanced wireless systems for the rapidly
expanding mobile Internet infrastructure market. The company offers a wide range of indoor and outdoor “Smart Wi-Fi” products to
mobile carriers, broadband service providers, and corporate enterprises, and has over 36,000 end-customers worldwide. Ruckus
technology addresses Wi-Fi capacity and coverage challenges caused by the ever-increasing amount of traffic on wireless
networks due to accelerated adoption of mobile devices such as smartphones and tablets. Ruckus invented and has patented
state-of-the-art wireless voice, video, and data technology innovations, such as adaptive antenna arrays that extend signal range,
increase client data rates, and avoid interference, providing consistent and reliable distribution of delay-sensitive multimedia
content and services over standard 802.11 Wi-Fi. For more information, visit http://www.ruckuswireless.com.
Ruckus and Ruckus Wireless are trademarks of Ruckus Wireless, Inc. in the United States and other countries.
Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED
FOR GENERAL INFORMATION PURPOSES ONLY. RUCKUS AND ITS LICENSORS MAKE NO
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT
AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE,
ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO
THE MATERIAL AT ANY TIME.
Limitation of Liability
IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR
CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE,
INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT,
ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL