Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

aruba controller difference between SSID tunnel and split tunnel

  • 1.  aruba controller difference between SSID tunnel and split tunnel

    Posted Jul 22, 2016 04:51 AM

    Dear Community,


    I need the workflow of SSID tunnel and split tunnel: how each works, and what the challenges between them are.



  • 2.  RE: aruba controller difference between SSID tunnel and split tunnel

    MVP EXPERT
    Posted Jul 22, 2016 05:21 AM

    Hey, this is explained further in the User Guide for each respective release. I have taken an excerpt for you:


    Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the controller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.


    Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the controller, and Internet access remains local). A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.


    In short, one sends all the packets back to the controller; the other sends only selected packets to the controller, and the rest remain local.



  • 3.  RE: aruba controller difference between SSID tunnel and split tunnel

    EMPLOYEE
    Posted Jul 22, 2016 09:13 AM

    The main use for split tunnel is for users at remote sites with limited bandwidth to tunnel traffic that needs to be back to the datacenter TO the datacenter and send traffic locally that needs to stay local.  This is the reason why a Remote AP can only be configured to have a Split Tunnel SSID.  On campus networks, it is assumed that there is enough bandwidth and little latency, so everything can be tunneled back to the controller in the datacenter.


    At a remote site, if you want the user to authenticate via captive portal, you can have that authentication occur to the headend, and then have the rest of the traffic be sent locally.  You can also have users authenticate via 802.1x (the 802.1x traffic is not subject to split tunneling rules; it always goes back to the headend), send traffic that belongs in the headend, like email, to the headend, and then send the rest of the traffic out of the local ISP.


    These are just examples of why split tunneling was invented in the first place, and how it should be used.
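The forwarding behaviour described in the two answers above, as an added example that is not from the thread or from HPE Aruba: a small Python model of where an AP sends each frame type in tunnel versus split-tunnel mode, and which device enforces the firewall policy. The corporate prefixes and frame labels are constructed here for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumption: these prefixes stand in for the "corporate" destinations that a
# split-tunnel policy would send back to the controller.
CORPORATE_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


@dataclass(frozen=True)
class Frame:
    kind: str                    # "assoc", "eapol", "action" (802.11e/k) or "data"
    dst_ip: Optional[str] = None  # only meaningful for "data" frames


def is_corporate(dst_ip: str) -> bool:
    addr = ip_address(dst_ip)
    return any(addr in net for net in CORPORATE_PREFIXES)


def forward(frame: Frame, mode: str) -> Tuple[str, str]:
    """Return (path, enforcer) for a client frame.

    path: "ap" (answered by the AP), "controller" (GRE-tunnelled) or "local"
    (bridged out of the site). enforcer: which device applies firewall rules.
    """
    if mode not in ("tunnel", "split-tunnel"):
        raise ValueError(f"unknown forward mode: {mode}")
    # Association requests/responses are handled by the AP in both modes.
    if frame.kind == "assoc":
        return ("ap", "ap")
    if mode == "tunnel":
        # Data, action and EAPOL frames all go over GRE; the controller
        # decrypts and applies the firewall policy.
        return ("controller", "controller")
    # Split-tunnel: the AP decrypts and enforces policy itself.
    if frame.kind == "eapol":
        # 802.1X is never subject to the split rules; it always goes to the headend.
        return ("controller", "ap")
    if frame.kind == "action":
        return ("local", "ap")   # 802.11e/k answered by the AP
    if frame.dst_ip is not None and is_corporate(frame.dst_ip):
        return ("controller", "ap")
    # Anything else (e.g. Internet traffic) breaks out via the local ISP and
    # never crosses the controller's firewall, so the AP policy is what counts.
    return ("local", "ap")
```

Run `forward(Frame("data", "8.8.8.8"), "split-tunnel")` and compare it with the same frame in `"tunnel"` mode to see the enforcement point move from the controller to the AP.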