Product and Software: This article applies to all Aruba controllers and ArubaOS versions 3.2.x and above.
Split-tunnel mode means that the AP has a VPN tunnel established to the controller, and it is able to send traffic down that tunnel. Firewall policies that are pushed to the AP determine which traffic stays local and which traffic hits the tunnel. IP addressing for the clients comes from the controller, and the AP performs NAT for traffic going to the local network.
In split-tunnel mode, traffic is decrypted at the AP, and traffic that goes down the tunnel gets re-encrypted.
Bridge mode gives you the same firewall policies, but there is no VPN tunnel. All traffic stays local. IP addressing comes from the local site. (Actually a VPN tunnel does exist, but it is used only for control and management traffic).
In bridge mode, traffic is never re-encrypted. There are no performance limitations, because wireless encryption and decryption is done in the hardware.