New Contributor
Posts: 4
Registered: ‎12-11-2012

Branch Office Local traffic breakout (Split Tunnel)

Hi folks,

Looking to roll out AP105s to multiple remote offices. Our Controller is based at HQ (where we have all AP105s).

I'm trying to understand whether it is possible to break out local subnet traffic in the remote office rather than tunnelling back to HQ, and also have non-local traffic (either destined for HQ or another remote office - we are meshed MPLS) terminate on the local router.

Is this even possible?


Thanks very much

Jonny


MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Branch Office Local traffic breakout (Split Tunnel)

On your remote site you want to route all the traffic and have all the traffic on the remote site, and if they need to go to the central site then the local branch router will route back the traffic.

If that is what you want then you can set your AP as Campus Bridge mode.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Branch Office Local traffic breakout (Split Tunnel)

You can try this split tunneling setup:

I did this exact same config that we use for our remote users using a RAP. With the split tunneling setup the remote user can use their local resources and all the other traffic (non-local, etc.) doesn't have to come all the way back to the campus.

Under the Private networks you define the IP spaces that you want the users to tunnel back to the HQ office:

user-role REMOTE-SECURE-SPLIT-TUNNEL-B
 access-list session REMOTE-SECURE-SPLIT-TUNNEL-ACL-B
 access-list session allowall
 
ip access-list session REMOTE-SECURE-SPLIT-TUNNEL-ACL-B
  any any svc-dhcp  permit
  any   alias PRIVATE-NETWORKS-B any  permit
  any any any  route src-nat
  
wlan virtual-ap "REMOTE-SECURE-SPLIT-TUNNEL-VAP-PROFILE-B"
   aaa-profile "AAA-REMOTE-SECURE-DOT1X-SPLIT-TUNNEL-PROFILE-B"
   ssid-profile "REMOTE-SECURE-SSID-PROFILE-B"
   vlan "vlan"
   forward-mode split-tunnel
   band-steering
   
aaa profile "AAA-REMOTE-SECURE-DOT1X-SPLIT-TUNNEL-PROFILE-B"
   initial-role "REMOTE-SECURE-SPLIT-TUNNEL-B"
   authentication-dot1x "AAA-AUTH-REMOTE-SECURE-802.1X-PROFILE-B"
   dot1x-default-role "REMOTE-SECURE-SPLIT-TUNNEL-B"
   dot1x-server-group "REMOTE-SECURE-AUTH-DOT1X-B"
   enforce-dhcp
 
ap-group "Remote-AP-Split-Tunnel"
   virtual-ap "REMOTE-SECURE-SPLIT-TUNNEL-VAP-PROFILE-B"
   ap-system-profile "REMOTE-SPLIT-TUNNEL-AP-SYSTEM-PROFILE-B"
 
Corporate DNS servers

ap system-profile "REMOTE-SPLIT-TUNNEL-AP-SYSTEM-PROFILE-B"
dns-domain <domain_name1>
dns-domain <domain_name2>

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
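To make the posted ACL's behaviour concrete, here is a small model of how the three rules in REMOTE-SECURE-SPLIT-TUNNEL-ACL-B are evaluated. This is added example code, not Aruba code and not part of the post above. It assumes (as an assumption, not something the page states) that session ACLs are evaluated top-down with first match wins and an implicit deny at the end, that in split-tunnel forward mode a matching "permit" sends the flow through the IPsec tunnel to the controller, and that "route src-nat" bridges the flow out of the AP's local uplink with source NAT. The prefixes placed in the PRIVATE-NETWORKS-B alias and the sample flows are constructed for the example.

```python
"""Model of first-match evaluation for a split-tunnel session ACL (example code)."""
import ipaddress

# Constructed contents for the PRIVATE-NETWORKS-B alias: HQ / other-site prefixes
# that must stay inside the tunnel. Assumed values, not from the page.
PRIVATE_NETWORKS_B = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

DHCP_PORTS = {67, 68}  # svc-dhcp in the posted ACL


def in_alias(dst, networks):
    """True if the destination address falls inside any prefix of the alias."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in networks)


def is_dhcp(pkt):
    return pkt["proto"] == "udp" and pkt["dport"] in DHCP_PORTS


# (rule text, predicate, action) in the same order as REMOTE-SECURE-SPLIT-TUNNEL-ACL-B
SPLIT_ACL = [
    ("any any svc-dhcp permit", is_dhcp, "permit"),
    ("any alias PRIVATE-NETWORKS-B any permit",
     lambda p: in_alias(p["dst"], PRIVATE_NETWORKS_B), "permit"),
    ("any any any route src-nat", lambda p: True, "route src-nat"),
]

# Assumed forwarding semantics of each action in split-tunnel forward mode.
FORWARDING = {"permit": "tunnel-to-controller", "route src-nat": "local-breakout-nat"}


def evaluate(pkt, acl=SPLIT_ACL):
    """Return (matched rule, forwarding) for the first matching rule, else implicit deny."""
    for rule, match, action in acl:
        if match(pkt):
            return rule, FORWARDING[action]
    return "implicit deny", "drop"


def forwarding(pkt, acl=SPLIT_ACL):
    return evaluate(pkt, acl)[1]


# Constructed sample flows from a branch wireless client.
SAMPLE_FLOWS = {
    "dhcp-discover": {"dst": "255.255.255.255", "proto": "udp", "dport": 67},
    "hq-file-server": {"dst": "10.20.30.40", "proto": "tcp", "dport": 445},
    "internet-https": {"dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    "branch-printer": {"dst": "192.168.50.9", "proto": "tcp", "dport": 9100},
}

# Same rules with the catch-all "route src-nat" moved to the top: first match
# now short-circuits the DHCP and private-network rules.
MISORDERED_ACL = [SPLIT_ACL[2], SPLIT_ACL[0], SPLIT_ACL[1]]

if __name__ == "__main__":
    for label, pkt in SAMPLE_FLOWS.items():
        rule, fwd = evaluate(pkt)
        print(f"{label:16} -> {fwd:22} ({rule})")
    print("\nWith 'any any any route src-nat' moved to the top:")
    for label, pkt in SAMPLE_FLOWS.items():
        print(f"{label:16} -> {forwarding(pkt, MISORDERED_ACL)}")
```

Two things the model makes visible: the DHCP rule sits first so the client's broadcast Discover reaches the controller-side DHCP before the catch-all applies, and because the last rule matches everything, the `allowall` ACL listed after it in the user-role is never reached. When building the alias for a real branch, keep the branch's own local subnet out of PRIVATE-NETWORKS-B, otherwise local traffic matches the alias and is hairpinned through the tunnel instead of being broken out.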
MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Branch Office Local traffic breakout (Split Tunnel)

Yeah, you can use split tunneling but then you will have to set it as a RAP... and you will be doing an IPsec tunnel through the MPLS, which is a private WAN.

But yes, it can be done like that also.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
New Contributor
Posts: 4
Registered: ‎12-11-2012

Re: Branch Office Local traffic breakout (Split Tunnel)

Hi,

Basically yes.

We have a corp SSID. I want that same SSID available at the remote office and all traffic from/to the wireless clients to be handled by the local router. So effectively the controller only handles the initial connection/auth to the WLAN and after that the client traffic flows like the AP is autonomous.

Make sense?

Thanks

Jonny


MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Branch Office Local traffic breakout (Split Tunnel)

If you put it on campus bridge mode all the traffic will be locally routed on the remote site... is that what you're looking for?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
New Contributor
Posts: 4
Registered: ‎12-11-2012

Re: Branch Office Local traffic breakout (Split Tunnel)

Yes, exactly - however it appears that when we do that, DHCP requests aren't getting to the corp DHCP servers at HQ.

Is there something special required to permit that initial DHCP request through so the client gets on net initially?

Thanks

Jonny

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Branch Office Local traffic breakout (Split Tunnel)

You won't get the DHCP from the corporate... if you do it in bridge mode then you need a local DHCP server at the branch site.

Is it necessary that the DHCP be distributed from the central site?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Branch Office Local traffic breakout (Split Tunnel)

Have you tried defining the IP helper address under those VLANs?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 4
Registered: ‎12-11-2012

Re: Branch Office Local traffic breakout (Split Tunnel)

Thanks for the replies gents,

Yes, we have defined the IP helper on the VLAN interfaces - I will need to look into that issue (it may be a routing). I'm working blind at the moment as my colleague at HQ is actually working on the deployment.

There is also another complication - we also have another SSID for a visitor/guest WLAN. We would like to tunnel this traffic back to HQ where it would get DHCP from the controller and get broken out to the internet. That requirement probably isn't compatible with enabling bridge mode - or is it?

Thanks for your help

Jonny
