Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Branch Office Local traffic breakout (Split Tunnel)

  • 1.  Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 12:41 PM

    Hi folks,

    Looking to roll out AP105s to multiple remote offices. Our Controller is based at HQ (where we have all AP105s).

    I'm trying to understand whether it is possible to break out local subnet traffic in the remote office rather than tunnelling back to HQ, and also have non-local traffic (either destined for HQ or another remote office - we are meshed MPLS) terminate on the local router.

    Is this even possible?


    Thanks very much

    Jonny




  • 2.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 12:55 PM

    On your remote site you want to route all the traffic and have all the traffic on the remote site, and if they need to go to the central site then the local branch router will route back the traffic.

    If that is what you want then you can set your AP as Campus Bridge mode.



  • 3.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 02:17 PM

    Hi,

    Basically yes.

    We have a corp SSID. I want that same SSID available at the remote office and all traffic from/to the wireless clients to be handled by the local router. So effectively the controller only handles the initial connection/auth to the WLAN and after that the client traffic flows as if the AP is autonomous.


    Make sense?


    Thanks

    Jonny




  • 4.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 02:19 PM

    If you put it in campus bridge mode all the traffic will be locally routed on the remote site... is that what you are looking for?



  • 5.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 02:32 PM

    Yes exactly - however it appears that when we do that, DHCP requests aren't getting to the Corp DHCP servers at HQ.

    Is there something special required to permit that initial DHCP request through so the client gets on net initially?


    Thanks

    Jonny



  • 6.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 02:37 PM

    You won't get the DHCP from the corporate... if you do it in bridge mode then you need a local DHCP server at the branch site.

    Is it necessary that the DHCP be distributed from the central site?



  • 7.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 01:41 PM

    You can try this split tunneling setup:


    I did this exact same config that we use for our remote users using a RAP; with the split tunneling setup the remote user can use their local resources, and all the other traffic (non-local, etc.) doesn't have to come all the way back to the campus.

    Under the private networks you define the IP spaces that you want the users to tunnel back to the HQ office:


    user-role REMOTE-SECURE-SPLIT-TUNNEL-B
       access-list session REMOTE-SECURE-SPLIT-TUNNEL-ACL-B
       access-list session allowall

    ip access-list session REMOTE-SECURE-SPLIT-TUNNEL-ACL-B
       any any svc-dhcp permit
       any alias PRIVATE-NETWORKS-B any permit
       any any any route src-nat

    wlan virtual-ap "REMOTE-SECURE-SPLIT-TUNNEL-VAP-PROFILE-B"
       aaa-profile "AAA-REMOTE-SECURE-DOT1X-SPLIT-TUNNEL-PROFILE-B"
       ssid-profile "REMOTE-SECURE-SSID-PROFILE-B"
       vlan "vlan"
       forward-mode split-tunnel
       band-steering

    aaa profile "AAA-REMOTE-SECURE-DOT1X-SPLIT-TUNNEL-PROFILE-B"
       initial-role "REMOTE-SECURE-SPLIT-TUNNEL-B"
       authentication-dot1x "AAA-AUTH-REMOTE-SECURE-802.1X-PROFILE-B"
       dot1x-default-role "REMOTE-SECURE-SPLIT-TUNNEL-B"
       dot1x-server-group "REMOTE-SECURE-AUTH-DOT1X-B"
       enforce-dhcp

    ap-group "Remote-AP-Split-Tunnel"
       virtual-ap "REMOTE-SECURE-SPLIT-TUNNEL-VAP-PROFILE-B"
       ap-system-profile "REMOTE-SPLIT-TUNNEL-AP-SYSTEM-PROFILE-B"

    Corporate DNS servers:

    ap system-profile "REMOTE-SPLIT-TUNNEL-AP-SYSTEM-PROFILE-B"
       dns-domain <domain_name1>
       dns-domain <domain_name2>
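
The ACL in the post above is what decides, per flow, whether a client packet is tunnelled back to the controller or handed to the branch router, and it also answers the DHCP question from posts 5 and 6. The following is an added example, not code from this thread or from HPE Aruba Networking: a small Python model of REMOTE-SECURE-SPLIT-TUNNEL-ACL-B evaluated first-match, top to bottom, with the three forward modes discussed in the thread (bridge, tunnel, split-tunnel). The ranges placed in the PRIVATE-NETWORKS-B alias, the svc-dhcp definition (UDP 67/68) and the sample flows are constructed for the example; the post never states the real HQ address space.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed contents for the PRIVATE-NETWORKS-B alias. The post does not list
# the real HQ ranges, so these RFC 1918 blocks stand in for "the IP spaces you
# want the users to tunnel back to HQ".
ALIASES = {
    "PRIVATE-NETWORKS-B": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
    ],
}

# Service aliases: svc-dhcp modelled as UDP 67/68; "any" matches everything.
SERVICES = {"svc-dhcp": ("udp", {67, 68}), "any": None}


@dataclass(frozen=True)
class Flow:
    src: str     # client IP (0.0.0.0 for a DHCP discover)
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str     # "any" or an alias name
    dst: str
    svc: str     # "any" or a service alias
    action: str  # "permit" or "route src-nat"


# REMOTE-SECURE-SPLIT-TUNNEL-ACL-B from the post, rule for rule.
SPLIT_TUNNEL_ACL = [
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("any", "PRIVATE-NETWORKS-B", "any", "permit"),
    Rule("any", "any", "any", "route src-nat"),
]


def _addr_matches(selector: str, addr: str) -> bool:
    """'any' matches every address; an alias matches if addr is in one of its nets."""
    if selector == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALIASES[selector])


def _svc_matches(svc: str, flow: Flow) -> bool:
    spec = SERVICES[svc]
    if spec is None:
        return True
    proto, ports = spec
    return flow.proto == proto and flow.dport in ports


def first_match(flow: Flow, acl=SPLIT_TUNNEL_ACL) -> Optional[Rule]:
    """Return the first rule matching the flow, or None (implicit deny at the end)."""
    for rule in acl:
        if (_addr_matches(rule.src, flow.src)
                and _addr_matches(rule.dst, flow.dst)
                and _svc_matches(rule.svc, flow)):
            return rule
    return None


def forwarding_path(flow: Flow, forward_mode: str = "split-tunnel") -> str:
    """Where a client flow ends up under each forward mode named in the thread.

    Returns "controller" (sent through the tunnel to HQ), "local" (handed to the
    branch router; source-NATed to the AP uplink address in split-tunnel mode)
    or "deny" when no rule matched.
    """
    rule = first_match(flow)
    if rule is None:
        return "deny"
    if forward_mode == "tunnel":
        # Tunnel mode: every permitted flow goes back to the controller.
        return "controller"
    if forward_mode == "bridge":
        # Bridge mode: there is no tunnel, so even the permitted DHCP discover
        # stays on the branch VLAN. That is why post 6 needs a branch-side DHCP
        # server, or a relay on the branch router as post 9 suggests.
        return "local"
    # Split-tunnel: "permit" tunnels to the controller, "route src-nat" breaks
    # out locally. The first rule is what carries the client's DHCP to HQ.
    return "controller" if rule.action == "permit" else "local"


if __name__ == "__main__":
    samples = [
        Flow("0.0.0.0", "255.255.255.255", "udp", 67),   # DHCP discover
        Flow("192.168.50.20", "10.1.2.3", "tcp", 445),   # file share at HQ
        Flow("192.168.50.20", "203.0.113.10", "tcp", 443),  # public web site
    ]
    for mode in ("split-tunnel", "bridge", "tunnel"):
        for f in samples:
            print(f"{mode:13} {f.dst:16} -> {forwarding_path(f, mode)}")
```

Run it and the split-tunnel column shows the three outcomes the post relies on: DHCP and anything inside the private alias go to the controller, everything else is source-NATed out of the branch. The order of the rules matters; if the catch-all `route src-nat` line were moved above the alias line, HQ-bound traffic would leak out of the local uplink instead of the tunnel, so any change to the alias or rule order is worth re-checking with flows like these.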



  • 8.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 02:14 PM

    Yeah, you can use split tunneling, but then you will have to set it as a RAP... and you will be doing an IPsec tunnel through the MPLS, which is a private WAN.

    But yes, it can be done like that also.



  • 9.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 02:38 PM
    Have you tried defining the ip helper address under those VLANs?


  • 10.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 05:10 PM

    Thanks for the replies gents,

    Yes, we have defined the ip helper on the VLAN interfaces - I will need to look into that issue (it may be a routing). I'm working blind at the moment as my colleague at HQ is actually working on the deployment.


    There is also another complication - we also have another SSID for a visitor/guest WLAN. We would like to tunnel this traffic back to HQ where it would get DHCP from the controller and get broken out to the Internet. That requirement probably isn't compatible with enabling bridge mode - or is it?


    thanks for your help


    Jonny



  • 11.  RE: Branch Office Local traffic breakout (Split Tunnel)

    Posted Dec 11, 2012 05:11 PM

    If you want the captive portal to work on the remote site you definitely need to put it as a normal campus AP,

    OR a RAP in split-tunnel mode or a RAP in tunnel mode.


    Captive portal in bridge mode is not supported.


    Cheers

    Carlos