Aruba: Split Tunnel with a RAP-5WN
Split Tunneling is a technique that is used very often in (SSL) VPN scenarios. The RAP-5WN access point has multiple Ethernet ports to connect different components, like workstations or printers. You can configure the usual user roles and other settings on these Ethernet ports.
You can also configure Split Tunneling per Ethernet port. When using Split Tunneling, the connected components receive an IP address from the company DHCP server. By using access-control lists you specify which traffic is tunneled through the RAP to the central controller. Traffic that isn't tunneled is NAT'ted to the local network, using the IP address of the RAP on the local network as the source address.
The configuration example below shows you how to configure Split Tunneling for an Ethernet port on a RAP-5WN. I don't show you the provisioning of the RAP and the creation of a VAP for the remote access points. I assume that the RAP is already provisioned and that currently all traffic is tunneled to the central controller.
1. The first step involves the creation of the access-control list that specifies which traffic is tunneled and which traffic is bridged locally. The access-list below tunnels the DHCP services (udp/67 and udp/68) and all traffic to the network 10.10.10.0/24 to the central controller; all other traffic is bridged locally with source NAT. The rules are evaluated in order, so the src-nat rule must come last. This is the most important step when configuring Split Tunneling.
ip access-list session rap-split-tunnel-policy
any network 10.10.10.0 255.255.255.0 any permit
any any svc-dhcp permit
any any any route src-nat
2. Next you need to create a user role and associate the previously created access-list with the user role.
user-role rap-split-tunnel-port-role
access-list session rap-split-tunnel-policy
3. The user role needs to be tied to an AAA profile.
aaa profile "rap-split-tunnel-aaa_prof"
initial-role "rap-split-tunnel-port-role"
4. The following step contains the configuration of a wired-ap-profile. The wired-ap-profile contains the VLAN information for the connected component and the forward-mode, and it lets you enable/disable the Ethernet port. The configured wired-ap-profile puts the client in VLAN 50, enables the port and puts the port in Split Tunnel mode.
ap wired-ap-profile "rap-split-tunnel-wired-ap_prof"
wired-ap-enable
forward-mode split-tunnel
switchport access vlan 50
5. You now have all the basics configured; next you need to configure the Ethernet port profile. This profile combines the AAA profile and the wired-ap-profile.
ap wired-port-profile "rap-split-tunnel-wired-port_prof"
wired-ap-profile "rap-split-tunnel-wired-ap_prof"
no rap-backup
aaa-profile "rap-split-tunnel-aaa_prof"
6. The last step is to tie the wired-port-profile to the appropriate AP group. I configured a separate group for remote access points, called remote-01. The configuration ties the wired-port-profile to Ethernet port 4 on the RAP-5WN.
ap-group "remote-01"
enet4-port-profile "rap-split-tunnel-wired-port_prof"
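To check that the session ACL from step 1 classifies traffic the way the post describes, here is a small added Python evaluator (my own example, not part of the post and not Aruba code) that applies the three rules first-match to sample client flows; the expansion of svc-dhcp to udp/67 and udp/68 and the mapping of permit to "tunnel" and route src-nat to "local-nat" are assumptions taken from the text above.

```python
import ipaddress

# Constructed copy of the session ACL from step 1 (first match wins, implicit deny at the end)
RAP_SPLIT_TUNNEL_POLICY = """\
any network 10.10.10.0 255.255.255.0 any permit
any any svc-dhcp permit
any any any route src-nat
"""

# Service aliases this toy parser understands; svc-dhcp is the only one the post uses (assumed expansion)
SERVICES = {"svc-dhcp": ("udp", {67, 68})}

# ACL action -> what the RAP does with the flow in split-tunnel forward mode (assumed mapping)
ACTIONS = {"permit": "tunnel", "route src-nat": "local-nat"}


def parse_rule(line):
    """Parse one 'src dst service action' line of an Aruba session ACL (subset used on this page)."""
    tok = line.split()
    if tok[1] == "network":
        dst, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[4:]
    elif tok[1] == "any":
        dst, rest = None, tok[2:]
    else:
        raise ValueError(f"unsupported destination in rule: {line}")
    return {"src": tok[0], "dst": dst, "svc": rest[0], "action": " ".join(rest[1:])}


def rule_matches(rule, proto, dst_ip, dport):
    """Source is 'any' in every rule of this policy, so only destination and service are evaluated."""
    if rule["dst"] is not None and ipaddress.ip_address(dst_ip) not in rule["dst"]:
        return False
    if rule["svc"] == "any":
        return True
    svc_proto, svc_ports = SERVICES[rule["svc"]]
    return proto == svc_proto and dport in svc_ports


def classify(policy_text, proto, dst_ip, dport):
    """Return 'tunnel', 'local-nat' or 'deny' for a client flow, walking the rules in order."""
    for line in policy_text.strip().splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, proto, dst_ip, dport):
            return ACTIONS.get(rule["action"], "deny")
    return "deny"  # nothing matched: Aruba session ACLs end with an implicit deny


if __name__ == "__main__":
    for flow in [("udp", "255.255.255.255", 67), ("tcp", "10.10.10.20", 443), ("tcp", "8.8.8.8", 53)]:
        print(flow, "->", classify(RAP_SPLIT_TUNNEL_POLICY, *flow))
```

Feeding the same rules in reverse order sends every flow to local-nat, which is why the src-nat rule has to stay last.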
You are now ready to go!!
René Jorissen
“The last step is to tie the wired-ap-profile to the appropriate AP group” ... you probably meant “wired-port-profile”.
Andrey,
You are right. I changed the text.