Users Guide

749 | Remote Access Points | Dell Networking W-Series ArubaOS 6.4.x | User Guide
Understanding Split Tunneling
The split tunneling feature allows you to optimize traffic flow by directing only corporate traffic back to the
controller, while local application traffic remains local. This ensures that local traffic does not incur the
overhead of the round trip to the controller, which decreases traffic on the WAN link and minimizes latency for
local application traffic. This is useful for sites that have local servers and printers. With split tunneling, a
remote user associates with a single SSID, not multiple SSIDs, to access corporate resources (for example, a
mail server) and local resources (for example, a local printer). The remote AP examines session ACLs to
distinguish between corporate traffic destined for the controller and local traffic.
Figure 101 Sample Split Tunnel Environment
Figure 101 shows that corporate traffic is GRE tunneled to the controller through a trusted tunnel, while local
traffic is source NATed and bridged on the wired interface, based on the configured user role and session ACL.
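The following added example (not part of this guide and not ArubaOS code) models in Python the first-match session ACL decision described above, and audits a rule set against probe flows to catch an ordering mistake that would send corporate traffic out the local interface. The subnets, the rule tuples, the implicit deny on no match, and the names classify and audit are assumptions made for illustration.

```python
import ipaddress

# Constructed sample corporate subnets (assumption, not from the guide).
CORP_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]

# Ordered rules: (destination, service, action). The first match wins.
# "tunnel" models a permit rule (GRE to the controller);
# "local" models traffic that is source NATed and bridged on the wired side.
SPLIT_ACL = [
    ("any", "dhcp", "tunnel"),   # DHCP goes to the corporate side
    ("corp", "any", "tunnel"),   # corporate subnets go to the controller
    ("any", "any", "local"),     # everything else stays local
]

# Same rules with the catch-all first: it shadows both tunnel rules.
MISORDERED = [SPLIT_ACL[2], SPLIT_ACL[0], SPLIT_ACL[1]]

# Probe flows: (destination IP, service, expected action). Constructed values.
PROBES = [
    ("10.20.30.40", "other", "tunnel"),     # e.g. corporate mail server
    ("192.168.1.50", "other", "local"),     # e.g. local printer
    ("255.255.255.255", "dhcp", "tunnel"),  # DHCP broadcast
]

def _dst_matches(dst_kind, ip):
    """'any' matches every address; 'corp' matches only the corporate subnets."""
    return dst_kind == "any" or any(ip in net for net in CORP_NETS)

def classify(acl, dst_ip, service="other"):
    """Return the action of the first rule matching the flow, else 'deny'."""
    ip = ipaddress.ip_address(dst_ip)
    for dst_kind, svc, action in acl:
        if _dst_matches(dst_kind, ip) and svc in ("any", service):
            return action
    return "deny"  # modeled implicit deny when no rule matches

def audit(acl, probes):
    """List probes whose decision differs from the expected forwarding path."""
    findings = []
    for dst_ip, service, expected in probes:
        got = classify(acl, dst_ip, service)
        if got != expected:
            findings.append((dst_ip, service, expected, got))
    return findings

if __name__ == "__main__":
    for name, acl in (("SPLIT_ACL", SPLIT_ACL), ("MISORDERED", MISORDERED)):
        print(name, audit(acl, PROBES) or "ok")
```
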
Configuring Split Tunneling
The procedure to configure split tunneling requires the following steps. Each step is described in detail later in
this chapter.
NOTE: The split tunneling feature requires the PEFNG license. If you do not have the PEFNG license on your
controller, you must install it before you configure split tunneling. For details on installing licenses, see
Software Licenses on page 146.
1. Define a session ACL that forwards only corporate traffic to the controller.
   a. Configure a net destination for the corporate subnets.
   b. Create rules to permit DHCP and corporate traffic to the corporate controller.
   c. Apply the session ACL to a user role.
2. (Optional) Configure an ACL that restricts remote AP users from accessing the remote AP local debugging
   homepage.
3. Configure the remote AP’s AAA profile.
   a. Specify the authentication method (802.1x or PSK) and the default user role for authenticated users.
      The user role specified in the AAA profile must contain the session ACL defined in the previous step.
   b. (Optional) Use the remote AP’s AAA profile to enable RADIUS accounting.
4. Configure the virtual AP profile: