07-22-2016 02:21 AM
Hey, this is explained further in the User Guide for each respective release. I have taken an excerpt for you:
Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the controller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.
Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the controller, and Internet access remains local). A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.
In short, one sends the packets back to the controller; the other sends only selected packets to the controller and the rest remain local.
If my post addresses your query, give kudos:)
07-22-2016 06:12 AM - edited 07-23-2016 04:22 AM
The main use for split tunnel is for users at remote sites with limited bandwidth to tunnel traffic that needs to be back to the datacenter TO the datacenter and send traffic locally that needs to stay local. This is the reason why a Remote AP can only be configured to have a Split Tunnel SSID. On campus networks, it is assumed that there is enough bandwidth and little latency, so everything can be tunneled back to the controller in the datacenter.
At a remote site, if you want the user to authenticate via captive portal, you can have that authentication occur to the headend, and then have the rest of the traffic be sent locally. You can also have users authenticate via 802.1x (the 802.1x traffic is not subject to split tunneling rules--it always goes back to the headend), send traffic to the headend that resides in the headend, like email, and then send the rest of the traffic out of the local ISP.
These are just examples of why split tunneling was invented in the first place, and how it should be used.
Aruba Customer Engineering
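
The forwarding decisions described in the two posts above, modelled as an added Python example (not from the thread and not Aruba's own code). The corporate prefixes, the `Frame` type and the function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed "corporate" prefixes (assumption, not from the thread).
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

@dataclass(frozen=True)
class Frame:
    kind: str      # "assoc", "eapol" (802.1X) or "data"
    dst: str = ""  # destination IP, only meaningful for "data"

def is_corporate(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in CORPORATE_NETS)

def forward(mode: str, frame: Frame) -> str:
    """Return 'ap', 'controller' (GRE tunnel to the headend) or 'local'."""
    if mode not in ("tunnel", "split-tunnel"):
        raise ValueError(f"unknown forwarding mode: {mode}")
    if frame.kind == "assoc":
        return "ap"          # association is handled on the AP in both modes
    if frame.kind == "eapol":
        return "controller"  # 802.1X is never split; it always goes to the headend
    if frame.kind != "data":
        raise ValueError(f"unknown frame kind: {frame.kind}")
    if mode == "tunnel":
        return "controller"  # every data packet is tunnelled
    # split-tunnel: the destination decides between the tunnel and the local ISP
    return "controller" if is_corporate(frame.dst) else "local"

def local_breakout(mode: str, frames) -> list:
    """Destinations that leave via the local ISP and never reach the controller."""
    return [f.dst for f in frames if forward(mode, f) == "local"]

# Constructed sample traffic: one frame of each kind plus one Internet destination.
SAMPLE = [
    Frame("assoc"),
    Frame("eapol"),
    Frame("data", "10.20.30.40"),
    Frame("data", "198.51.100.7"),
]

if __name__ == "__main__":
    for mode in ("tunnel", "split-tunnel"):
        print(mode, [forward(mode, f) for f in SAMPLE], local_breakout(mode, SAMPLE))
```

The `local_breakout` list is the traffic the controller's firewall never sees in split-tunnel mode, so policy for those destinations has to be enforced on the remote AP.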