Bridge domain and BRG identification

The tenant's bridge domain (BD) and BRG instance (for vRGW processing) are not identified by the tunnel source’s IP address. Each tenant is provided a unique dot1q tag, which is maintained by the back-end system. The traffic from a device that is tunneled to vRGW carries this unique dot1q tag. The AP is aware of the tag per tenant and can provide traffic isolation between tenants. The BD and BRG instance for the tenant on vRGW are identified by the combination of the dot1q tag and the tunnel destination (that is, a gateway address configured under the WLAN-GW group-interface). Therefore, devices belonging to a tenant can connect from any AP, because the tenant context is not identified based on the tunnel source (that is, the AP’s IP address). This AP-agnostic connectivity can be enabled on a per-VLAN range basis (in the vrgw>lanext context) as shown in the following example.

config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>
     vrgw
       lanext
          access
            [no] multi-access  
          exit
       exit
     exit

The multi-access keyword indicates that the connecting device is not tied to a single AP. It implicitly enables identification of the BD and BRG instance for this device based on the dot1q tag in the frame and the gateway address, such as the L2oGRE or L2TPv3 tunnel endpoint IP address.
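
Because the tenant context is keyed only on the dot1q tag and the gateway address, tenant isolation depends on that pair being unique in the back-end data. The following Python sketch is an added example, not vendor code or part of the original page: it models the lookup and audits a provisioning table for keys claimed by more than one tenant. The record layout, field names, and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed provisioning records (hypothetical field names): one row per
# tenant, as a back-end system might hold them.
TENANTS = [
    {"tenant": "tenant-a", "dot1q": 100, "gw": "192.0.2.1"},
    {"tenant": "tenant-b", "dot1q": 101, "gw": "192.0.2.1"},
    {"tenant": "tenant-c", "dot1q": 100, "gw": "192.0.2.2"},  # same tag, other gateway
    {"tenant": "tenant-d", "dot1q": 101, "gw": "192.0.2.1"},  # same key as tenant-b
]


def build_index(records):
    """Map (dot1q tag, tunnel destination) -> set of tenants claiming that key."""
    index = defaultdict(set)
    for rec in records:
        index[(rec["dot1q"], rec["gw"])].add(rec["tenant"])
    return index


def find_collisions(index):
    """Return keys claimed by more than one tenant.

    Two tenants sharing a key would resolve to the same BD and BRG instance.
    """
    return {key: sorted(owners) for key, owners in index.items() if len(owners) > 1}


def resolve(index, frame):
    """Resolve a tunneled frame to a tenant without using the tunnel source.

    Returns None when the key is unprovisioned or ambiguous.
    """
    owners = index.get((frame["dot1q"], frame["tunnel_dst"]), set())
    return next(iter(owners)) if len(owners) == 1 else None


if __name__ == "__main__":
    idx = build_index(TENANTS)
    # Constructed frames: the same tenant arriving through two different APs.
    for ap in ("198.51.100.10", "198.51.100.20"):
        frame = {"tunnel_src": ap, "tunnel_dst": "192.0.2.1", "dot1q": 100}
        print(ap, "->", resolve(idx, frame))
    for key, owners in find_collisions(idx).items():
        print("collision on", key, "between", owners)
```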