Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

RAP wired split tunnel with MAC policy

  • 1.  RAP wired split tunnel with MAC policy

    Posted Aug 19, 2016 08:59 AM



    Following problem: my customer wants to connect a phone to port 1 of the RAP! Laptop will be connected to the integrated phone-switch! So two clients on a single port.

    Special about that, the phone should get its IP address from the internal network but the DHCP request from the PC should already be bridged out to the local Fritzbox! So no NAT included....!


    I've created a rule like this:


    Action: Permit

    Host MAC: 00:80:9f:00:00:00

    Subnet bits: 00:00:00:ff:ff:ff


    So everything coming from MAC range 00:80:9f:00:00:00 to 00:80:9f:ff:ff:ff should be permitted and forwarded through the tunnel!


    I have created a user role with this MAC rule as a first statement, second statement was:


    source user destination any service any route


    But this doesn't work! I can see matches on the MAC policy and the phone gets connected, but the PC is not getting its IP address from the local device...!


    Do I need the "source NAT" statement anyway, although that doesn't make sense to me? Or have I forgotten something? Or is a mix of layer 2 and layer 3 rules not possible? And is the MAC-range config correct like this?


    Any idea on how to solve that would be very much appreciated!!
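As an added check (not from the thread, and not Aruba's code): the post asks whether the MAC range entry is right, but the thread never settles how the "Subnet bits" field is read. Some platforms treat such a field as a netmask (1 = bit must match), others as a wildcard (1 = bit is ignored); which one ArubaOS uses is not stated here and is left as an assumption. This script evaluates constructed sample addresses against the posted entry under both readings, so the entry can be verified against the platform's documentation before a policy is built on it.

```python
# Added example: how the posted rule (Host MAC 00:80:9f:00:00:00,
# Subnet bits 00:00:00:ff:ff:ff) behaves under two readings of the bits
# field. Which reading the RAP applies is NOT known from the thread.

def mac_to_int(mac: str) -> int:
    """Parse a colon-separated MAC string into a 48-bit integer."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(octets), 16)

def matches_netmask(mac: str, host: str, mask: str) -> bool:
    """Netmask reading: bits set in `mask` must be equal in mac and host."""
    m, h, k = mac_to_int(mac), mac_to_int(host), mac_to_int(mask)
    return (m & k) == (h & k)

def matches_wildcard(mac: str, host: str, wild: str) -> bool:
    """Wildcard reading: bits set in `wild` are ignored when comparing."""
    m, h, w = mac_to_int(mac), mac_to_int(host), mac_to_int(wild)
    return (m & ~w) == (h & ~w)

# The entry exactly as posted in the thread.
RULE_HOST = "00:80:9f:00:00:00"
RULE_BITS = "00:00:00:ff:ff:ff"

def classify(mac: str) -> dict:
    """Return whether `mac` hits the posted entry under each reading."""
    return {
        "netmask": matches_netmask(mac, RULE_HOST, RULE_BITS),
        "wildcard": matches_wildcard(mac, RULE_HOST, RULE_BITS),
    }

# Constructed sample addresses (not real devices from the thread).
SAMPLES = {
    "phone, same OUI as rule":      "00:80:9f:12:34:56",
    "laptop, different OUI":        "3c:52:82:ab:cd:ef",
    "other OUI ending in 00:00:00": "a4:b1:c1:00:00:00",
}

if __name__ == "__main__":
    # Under the netmask reading the posted entry ignores the OUI entirely
    # and only matches addresses whose last three octets are 00:00:00;
    # only the wildcard reading matches "everything with OUI 00:80:9f".
    for label, mac in SAMPLES.items():
        print(f"{label:32} {mac}  {classify(mac)}")
```

If the platform turns out to use the netmask reading, the intended OUI range would need bits ff:ff:ff:00:00:00 instead; the script's `matches_netmask` with that mask shows the difference.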






  • 2.  RE: RAP wired split tunnel with MAC policy

    Posted Aug 22, 2016 07:34 AM

    Policy on the port of a RAP is not effective if there is a switch between the RAP port and the devices.  Also the ethernet, or "mac" policy will not work in the context you are using it for.  Lastly, split tunneling will not work with the mac policy you are trying to use it for.

  • 3.  RE: RAP wired split tunnel with MAC policy

    Posted Aug 22, 2016 07:39 AM

    Split-Tunnel is really only for layer 3 traffic, not layer 2 traffic like DHCP.  A client will only get an IP address from the local network if the traffic is on a bridged, not split tunnel interface.  Again, putting a switch between clients and an AP interface breaks the security with regards to intercepting layer 2 traffic, so it should not be done.  Clients on the same switch can easily talk to each other or send and receive traffic to each other without being enforced on the RAP.

  • 4.  RE: RAP wired split tunnel with MAC policy

    Posted Aug 23, 2016 03:31 AM



    Thanks for the answer!


    But this is a really common configuration for a home office solution! The phone is connected to the RAP, the Laptop to the phone!


    So the only possible solution would be to configure either a static IP address and use layer 3 ACLs, or configure an SSID in bridge mode for the laptop to connect?






  • 5.  RE: RAP wired split tunnel with MAC policy

    Posted Aug 23, 2016 04:03 AM

    I do not think it is impossible.  Using split tunneling and a switch is the problem.


    Is this a site with a single employee with a phone and a laptop?

  • 6.  RE: RAP wired split tunnel with MAC policy

    Posted Aug 23, 2016 04:09 AM

    Yes, they are in the testing phase to roll it out as a home office solution...always a single person working behind the RAP!


    We did this configuration some years ago, but I think we used two different VLANs on this project; this time the customer doesn't want to configure the phones for VLAN tagging....that's the challenge!

  • 7.  RE: RAP wired split tunnel with MAC policy
    Best Answer

    Posted Aug 23, 2016 04:19 AM

    What kind of RAP are they using?  This could be done if the phone plugs into one wired port and the PC into another wired port or uses wireless.  It is the PC plugging into the phone switch that would break the split tunnel.

  • 8.  RE: RAP wired split tunnel with MAC policy

    Posted Aug 23, 2016 05:31 AM



    Thanks for your help!


    I've shown four different options to the customer now: work with a static IP, work with a VLAN tag and two different VLANs, use two physical ports, or use one physical port and one SSID to reach the target configuration!


    I hope he'll accept one of these!!