ArubaOS and Controllers

Occasional Contributor II
Posts: 27
Registered: ‎09-19-2007

Split-Tunneling on a Non-RAP AP

Question... I've got the situation where our organization functions as an ISP for multiple agencies (traffic has to be kept separate via different roles).

I've got an agency with multiple remote sites that I'd like to use split-tunneling at via the RAP capability. They'll always be assigned a role of something like "agency-a-role" on the controller. If I put a firewall rule for the "agency-a-role" that says "route" (keep the traffic local), but the agency user travels to a location where it's just a normal AP (tunneling only... non-RAP), what will happen to the traffic? Will it just be tunneled (ignoring the FW rule to "route")???:confused:

I might add that it's okay if the agency user travels to somewhere else that has an AP because since they're in "agency-a-role", the traffic will egress onto the proper VLAN at the controller for that specific agency.

Patrick
:-)
Guru Elite
Posts: 20,553
Registered: ‎03-29-2007

Split Tunneling

You can't do split tunneling on a regular Non RAP today. I have seen where you put those ACLs in and the Virtual AP does not come up.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎09-19-2007

More info on split-tunnel question

Thanks Colin! Let me word it differently... if a user that is role "x" that contains a firewall policy that says "route"... and that user goes to a regular campus AP (one that's not doing split-tunneling), what happens to the user's traffic? Does it just get tunneled since the AP isn't capable of doing split-tunneling? Or... is the traffic dropped? :confused:
Moderator
Posts: 87
Registered: ‎04-10-2007

Use ap group option

What you need to do is use the ap group option for the role. In this case, you add the split-tunnel policy to the role, but use the option that says to activate that policy only when the user is associated to an ap in the rap group.

Kevin Hamilton
Occasional Contributor II
Posts: 27
Registered: ‎09-19-2007

Split-Tunneling on a Non-RAP AP

Kevin, thanks for the reply! I'll dig around for more information on that and see if it fits the bill here. Never used that one before.

I'm going to make a guess here and say you're talking about the user derivation rules to check the "Aruba-Location-ID" attribute? If not that, can you be specific on what you're talking about? Thanks!
Moderator
Posts: 87
Registered: ‎04-10-2007

Re: Split-Tunneling on a Non-RAP AP

When you are creating a role, the role consists of policies. When you select a pre-existing policy, the policy has an option of when it will be active. So for example, you could have a setup looking like this:

user-role myRole
 session-acl control
 session-acl rap ap-group rap
 session-acl allowall

The session acl "rap" will only activate when the user is associated to an ap in the rap group.

HTH,
Kevin
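A fuller version of the pattern Kevin describes, written as an added example for this thread (it is not from the thread or from Aruba's documentation). The role, ACL, netdestination and ap-group names and the 10.10.0.0/16 range are assumed placeholders, and the ACL uses the RAP split-tunnel action "route src-nat" rather than the bare "route" in the question.

```arubaos
! Destinations the agency must reach through the tunnel (assumed range)
netdestination agency-a-internal
 network 10.10.0.0 255.255.0.0
!
! Split-tunnel ACL: internal destinations stay tunnelled to the controller
! (permit); everything else is bridged locally at the RAP and source-NATed
! to the RAP's uplink address
ip access-list session agency-a-split
 user alias agency-a-internal any permit
 user any any route src-nat
!
! The ap-group whose APs are provisioned as RAPs (assumed name)
ap-group agency-a-rap
 virtual-ap agency-a-vap
!
! Role for the agency. Scoping the split-tunnel ACL to the RAP ap-group means
! a user who roams to a campus AP never matches it: the role falls through to
! "allowall" and traffic is tunnelled, egressing on the agency VLAN as before.
! The commented line is the unscoped form from the question, which would be
! evaluated on every AP the user associates to.
user-role agency-a-role
 session-acl control
 ! session-acl agency-a-split
 session-acl agency-a-split ap-group agency-a-rap
 session-acl allowall
!
```

Verify the result with "show rights agency-a-role" on the controller and then check the datapath for a client on a RAP versus a campus AP; the ap-group-scoped ACL should appear only for the RAP client.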