Understanding Split Tunneling

The split tunneling feature allows you to optimize traffic flow by directing only corporate traffic back to the controller, while local application traffic remains local. This ensures that local traffic does not incur the overhead of the round trip to the controller, which decreases traffic on the WAN link and minimizes latency for local application traffic. This is useful for sites that have local servers and printers. With split tunneling, a remote user associates with a single SSID, not multiple SSIDs, to access corporate resources (for example, a mail server) and local resources (for example, a local printer). The remote AP examines session ACLs to distinguish between corporate traffic destined for the controller and local traffic.

Figure 1  Sample Split Tunnel Environment

Figure 1 displays corporate traffic is GRE tunneled to the controller through a trusted tunnel and local traffic is source NATed and bridged on the wired interface based on the configured user role and session ACL.

Configuring Split Tunneling

The procedure to configure split tunneling requires the following steps. Each step is described in detail later in this chapter.


The split tunneling feature requires the PEFNG license. If you do not have the PEFNG license on your controller, you must install it before you configure split tunneling. For details on installing licenses, see Software Licenses.

1. Define a session ACL that forwards only corporate traffic to the controller.
a. Configure a netdestination for the corporate subnets.
b. Create rules to permit DHCP and corporate traffic to the corporate controller.
c. Apply the session ACL to a user role. For information about user roles and policies, see Roles and Policies.
2. (Optional) Configure an ACL that restricts remote AP users from accessing the remote AP local debugging homepage.
3. Configure the remote AP’s AAA profile.
a. Specify the authentication method (802.1x or PSK) and the default user role for authenticated users. The user role specified in the AAA profile must contain the session ACL defined in the previous step.
b. (Optional) Use the remote AP’s AAA profile to enable RADIUS accounting.
4. Configure the virtual AP profile:
a. Specify which AP group or AP to which the virtual AP profile applies.
b. set the VLAN used for split tunneling. Only one VLAN can be configured for split tunneling; VLAN pooling is not allowed.
c. When specifying the use of a split tunnel configuration, use “split-tunnel” forward mode.
d. Create and apply the applicable SSID profile.



When creating a new virtual AP profile In the WebUI, you can also configure the SSID at the same time. For information about AP profiles, see Understanding AP Configuration Profiles.

5. (Optional) Create a list of network names resolved by corporate DNS servers.

Configuring the Session ACL Allowing Tunneling

First you need to configure a session ACL that “permits” corporate traffic to be forwarded (tunneled) to the controller, and that “routes”, or locally bridges, local traffic.

Using the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to crete a new policy.
3. Enter the policy name in the Policy Name field.
4. From the Policy Type drop-down list, select Session.
5. From the IP Version drop-down list, select IPv4 or IPv6.
6. To create the first rule:
a. Under Rules, click Add.
b. Under Source, select any.
c. Under Destination, select any.
d. Under Service, select service. In the service drop-down list, select svc-dhcp.
e. Under Action, select permitforIPv4 orcaptivefor IPv6.
f. Click Add.
7. To create the next rule:
a. Under Rules, click Add.
b. Under Source, select any.
c. Under Destination, select alias.

The following steps define an alias representing the corporate network. Once defined, you can use the alias for other rules and policies. You can also create multiple destinations the same way.

8. Under the alias section, click New. Enter a name in the Destination Name field.
a. Click Add.
b. For Rule Type, select Network.
c. Enter the public IP address of the controller.
d. Enter the Network Mask/Range.
e. Click Add to add the network range.
f. Click Apply. The new alias appears in the Destination menu.
9. Under Destination, select the alias you just created.
10. Under Service, select any.
11. Under Action, select permitfor IPv4 or captivefor IPv6.
12. Click Add.
13. To create the next rule:
a. Under Rules, click Add.
b. Under Source, select user.
c. Under Destination, select any.
d. Under Service, select any.
e. Under Action, select route and check src-nat.
f. Click Add.
14. Click Apply.
15. Click the User Roles tab.
a. Click Add to create and configure a new user role.
b. Enter the desired name for the role in the Role Name field.
c. Under Firewall Policies, click Add.
d. From the Choose from Configured Policies drop-down menu, select the policy you just configured.
e. Click Done.
16. Click Apply.

Using the CLI

ap system-profile <profile>


lms-hold-down period <seconds>netdestination <policy>

network <ipaddr> <netmask>

network <ipaddr> <netmask>


ip access-list session <policy>

any any svc-dhcp permit

any alias <name> any permit

user any any route src-nat


user-role <role>

session-acl <policy>

When defining the alias, there are a number of other session ACLs that you can create to define the handling of local traffic, such as:

ip access-list session <policy>

user alias <name> any redirect 0

user alias <name> any route

user alias <name> any route src-nat

Configuring an ACL to Restrict Local Debug Homepage Access

A user in split or bridge role using a remote AP (RAP) can log on to the local debug (LD) homepage (for example, (http://rapconsole.arubanetworks.com) and perform a reboot or reset operations. The LD homepage provides various information about the RAP and also has a button to reboot the RAP. You can now restrict a RAP user from resetting or rebooting a RAP by using the localip keyword in the in the user role ACL.


You will require the PEFNG license to use this feature. See Software Licenses for more information on licensing requirements.

Any user associated to that role can be allowed or denied access to the LD homepage. You can use the localip keyword in the ACL rule to identify the local IP address on the RAP. The localip keyword identifies the set of all local IP addresses on the system to which the ACL is applied. The existing keywords controller and mswitch indicate only the primary IP address on the controller.


This release of ArubaOS provides localip keyword support only for RAP and not for controller.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to crete a new policy.
3. Enter the policy name in the Policy Name field.
4. From the Policy Type drop-down list, select IPv4 Session.
5. To create the first rule:
a. Under Rules, click Add.
b. Under Source, select localip.
c. Under Destination, select any.
d. Under Action, select permit.
e. Click Apply.

Figure 2  Enable Restricted Access to LD Homepage

In the CLI

Use the localip keyword in the user role ACL.

By default, all users have an ACL entry of type any any deny. This rule restricts access to all users. When the ACL is configured for a user role, if a user any permit ACL rule is configured, add a deny ACL before that for localip for restricting the user from accessing the LD homepage.


ip access-list session logon-control

user localip svc-http deny

user any permit

Configuring the AAA Profile for Tunneling

After you configure the session ACL, you define the AAA profile used for split tunneling. When defining the AAA parameters, specify the previously configured user role that contains the session ACL used for split tunneling.

If you enable RADIUS accounting in the AAA profile, the controller sends a RADIUS accounting start record to the RADIUS server when a user associates with the remote AP, and sends a stop record when the user logs out or is deleted from the user database. If interim accounting is enabled, the controller sends updates at regular intervals. Each interim record includes cumulative user statistics, including received bytes and packets counters. For more information on RADIUS accounting, see RADIUS Accounting

In the WebUI

1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add.
2. Enter the AAA profile name, then click Add.
3. Select the AAA profile that you just created.
a. For 802.1X Authentication Default Role, select the user role you previously configured for split tunneling, then click Apply.
b. Under the AAA profile that you created, locate 802.1x Authentication Server Group, and select the authentication server group to use, then click Apply.
4. (Optional) To enable RADIUS accounting:
a. Select the AAA profile from the profile list to display the list of authentication and accounting profiles associated with the AAA profile.
b. Select the Radius Accounting Server Group profile associated with the AAA profile. Click the RADIUS Accounting Server Group drop-down list to select a RADIUS server group. (For more information on configuring a RADIUS server or server group, see Configuring a RADIUS Server.)
c. To enable RADIUS Interim Accounting, select the AAA profile name from the profile list, then click the RADIUS Interim Accounting checkbox. This option is disabled by default, allowing the controller to send only start and stop messages RADIUS accounting server.
5. ClickApply.

If you need to create an authentication server group, select new and enter the appropriate parameters.

Inthe CLI

aaa profile <name>

authentication-dot1x <dot1x-profile>

dot1x-default-role <role>

dot1x-server-group <group>

radius-accounting <group>


Configuring the Virtual AP Profile

In the WebUI

1. Navigate to Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.
2. Under Profiles, select Wireless LAN, then Virtual AP.
3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile, and click Add.


Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile.

a. In the Profile Details entry, go to the AAA Profile drop-down list and select the previously configured AAA profile. The AAA Profile pop-up window appears.
b. To set the AAA profile and close the window, click Apply.
c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. A pop-up window displays to allow you to configure the SSID profile.
d. Enter the name for the SSID profile.
e. Under Network, enter a name in the Network Name (SSID) field.
f. Under Security, select the network authentication and encryption methods.
g. To set the SSID profile and close the window, click Apply.
4. Click Apply at the bottom of the Profile Details window.
5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration parameters.
6. Under Profile Details:
a. Make sure Virtual AP enable is selected.
b. From the VLAN drop-down menu, select the VLAN ID for the VLAN to be used for split tunneling.
c. From the Forward mode drop-down menu, select split-tunnel.
d. Click Apply.

In the CLI

wlan ssid-profile <profile>

essid <name>

opmode <method>


wlan virtual-ap <profile>

ssid-profile <name>

forward-mode <mode>

vlan <vlan id>

aaa-profile <profile>


ap-group <name>

virtual-ap <profile>


ap-name <name>

virtual-ap <profile>

Defining Corporate DNS Servers

Clients send DNS requests to the corporate DNS server address that it learned from DHCP. If configured for split tunneling, corporate domains and traffic destined for corporate use the corporate DNS server. For non-corporate domains and local traffic, other DNS servers can be used.

In the WebUI

1. Navigate to Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP, then AP system profile.
4. Under Profile Details:
a. Enter the corporate DNS servers.
b. Click Add.

The DNS name appears in Corporate DNS Domain list. You can add multiple names the same way.

5. Click Apply.

In the CLI

ap system-profile <profile>

dns-domain <domain name>