In a wireless local area network (WLAN) architecture in which there is a tunnel between a control node (CN) and a wireless access point (AP), a forwarding manner of a user data packet may be a tunnel forwarding manner or a local forwarding manner. The CN is a node for user authentication and is generally a WLAN controller, or a switch into which a function of a WLAN controller is integrated. The CN is responsible for user authentication and may be configured to manage a wireless AP, and the CN also has functions of data forwarding and forwarding policy implementation, where a forwarding policy includes a local forwarding manner and a tunnel forwarding manner. The wireless AP includes a wireless station (STA) function and provides access to a distribution service via a wireless medium (WM) for an associated STA. The wireless AP can implement the functions of data forwarding and forwarding policy implementation. In the following, a STA associated with a wireless AP is referred to as a client device. A client device is a terminal, for example, a personal computer or a mobile terminal, used by a user.
In the WLAN architecture in which there is a tunnel between a CN and a wireless AP, the packet forwarding manner may be controlled based on a user type. For example, the local forwarding manner is used for a packet belonging to a trusted user, and the tunnel forwarding manner is used for a packet not belonging to a trusted user. The local forwarding manner is a packet forwarding manner in which a wireless AP converts a WLAN packet to an Ethernet packet to perform forwarding; the tunnel forwarding manner is a packet forwarding manner in which a wireless AP converts a WLAN packet to an Ethernet packet and then encapsulates the Ethernet packet in a tunnel and forwards the packet to a CN, and the CN performs forwarding after performing tunnel decapsulation. In order to control the packet forwarding manner based on a user type, a service set identifier (SSID) generally needs to be set based on the user type. For example, one SSID is set for a trusted user, another SSID is set for another user, and corresponding forwarding manners are configured for the two SSIDs. The foregoing solution is complex in configuration and maintenance.