How do I configure split-tunnel mode in a Remote AP (AP-70) for wired clients?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.2 and 3.3.


Split-tunnel forwarding mode is a Remote AP (RAP) feature that lets the administrator define an ACL so that corporate traffic and DNS requests are sent back to the corporate network over a secure tunnel, while all other traffic is source NATed to the AP's enet0 IP address and sent out to the local LAN.


Split-tunnel Functionality


Corporate traffic is tunneled to the controller:

  •  GRE encapsulated, which preserves the VLAN tags
  •  Encrypted with IPsec between the RAP and the controller

Other traffic is routed locally: it is source NATed to the enet0 address and forwarded on the wired interface, subject to the user role and its session ACL.



Prerequisites

  •  ArubaOS 3.2 or higher
  •  RAP license
  •  AP70 or AP12x (AP12x needs ArubaOS 3.3 or higher)
  •  RAP is configured and up
  •  No other aaa wired profile in use (only one aaa wired profile can exist)

Configuration Steps


The steps below are shown both in the CLI and in the GUI; refer to the ArubaOS User Guide for more details.

1) Define the corporate IP networks.

netdestination corp-network
  network 10.0.0.0 255.0.0.0

(The 10.0.0.0/8 entry is only an example; add one "network" or "host" line for each corporate prefix that must be reached through the tunnel.)

Configuration > Stateful Firewall > Destination > Add


2) Define the access list.

ip access-list session Corporate-split
  any any svc-dhcp permit
  user alias corp-network any permit
  user any any route src-nat

Alternative, more permissive access list:

ip access-list session Corporate-split
  any any svc-dhcp permit
  alias corp-network alias corp-network any permit
  user any any route src-nat

Rules are evaluated top down and the first match wins. In split-tunnel mode the firewall action "permit" sends the traffic through the tunnel to the controller, while "route src-nat" source NATs it to the enet0 address and forwards it on the local LAN. DHCP is permitted for any source so that a client that has no address yet can obtain one through the tunnel, and the "route src-nat" catch-all must stay last: if it came before the corp-network rule, corporate destinations would be NATed out to the local LAN instead of being tunneled. The second list differs only in its middle rule, which matches any source address inside corp-network rather than only the authenticated wired client, which is what makes it more permissive.





Configuration > Access Control > Policies > Add
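To make the first-match behaviour of the Corporate-split ACL concrete, here is an added example (not code from the Aruba article or from ArubaOS) that applies the three rules to a few constructed sample flows and reports which ones are tunneled ("permit") and which are source NATed to enet0 ("route src-nat"). It is a simplified model of session-ACL processing (top down, first match wins, implicit deny at the end); the corp-network prefixes, the client address 10.20.30.40 and the sample destinations are all made up for the example. It also evaluates the same rules with the catch-all moved to the top, to show how that misordering leaks corporate traffic onto the local LAN.

```python
"""
Added example (not from the Aruba article): a first-match evaluator for the
Corporate-split session ACL, run over constructed sample flows.  It is a
simplified model of how ArubaOS processes a session ACL (top down, first
match wins, implicit deny at the end), not Aruba's code.  All prefixes and
addresses below are made up for the example.
"""
import ipaddress
from typing import Dict, List, NamedTuple

# netdestination corp-network  (constructed example prefixes)
NETDESTINATIONS = {
    "corp-network": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
    ],
}


class Rule(NamedTuple):
    src: str      # "any", "user" (the client's own address) or "alias <name>"
    dst: str      # same forms as src
    service: str  # "any" or a service name such as "svc-dhcp"
    action: str   # "permit", "route src-nat" or "deny"


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    service: str


# ip access-list session Corporate-split, in the order given in the article
CORPORATE_SPLIT = [
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("user", "alias corp-network", "any", "permit"),
    Rule("user", "any", "any", "route src-nat"),
]

# The same three rules with the catch-all moved to the top: a misordering
# that silently pushes corporate traffic out onto the local LAN.
MISORDERED = [CORPORATE_SPLIT[2], CORPORATE_SPLIT[0], CORPORATE_SPLIT[1]]


def _addr_matches(spec: str, ip: str, user_ip: str) -> bool:
    """Match one address field of a rule against one address of the flow."""
    if spec == "any":
        return True
    if spec == "user":
        return ip == user_ip
    if spec.startswith("alias "):
        name = spec.split(" ", 1)[1]
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in NETDESTINATIONS[name])
    raise ValueError(f"unsupported address spec: {spec}")


def evaluate(acl: List[Rule], flow: Flow, user_ip: str) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if not _addr_matches(rule.src, flow.src_ip, user_ip):
            continue
        if not _addr_matches(rule.dst, flow.dst_ip, user_ip):
            continue
        if rule.service not in ("any", flow.service):
            continue
        return rule.action
    return "deny"


# Constructed sample flows.  The wired client is assumed to have received
# 10.20.30.40 from the corporate DHCP server through the tunnel.
USER_IP = "10.20.30.40"
SAMPLE_FLOWS = {
    "dhcp discover":            Flow("0.0.0.0", "255.255.255.255", "svc-dhcp"),
    "client -> corp server":    Flow(USER_IP, "10.1.2.3", "tcp 445"),
    "client -> internet":       Flow(USER_IP, "93.184.216.34", "tcp 443"),
    "home host -> corp server": Flow("192.168.1.50", "10.1.2.3", "tcp 445"),
}


def classify(acl: List[Rule], user_ip: str = USER_IP) -> Dict[str, str]:
    """Apply an ACL to every sample flow and report the resulting action."""
    return {name: evaluate(acl, flow, user_ip) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("Corporate-split", CORPORATE_SPLIT), ("misordered", MISORDERED)):
        print(label)
        for name, action in classify(acl).items():
            print(f"  {name:26} -> {action}")
```

With the rules in the article's order the corporate flow is tunneled, the internet flow is NATed locally, DHCP is permitted before the client has an address, and traffic from another host on the home LAN is dropped because it does not match "user". With the catch-all first, the very same corporate flow comes back as "route src-nat", which is exactly the leak the rule order is meant to prevent.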


3) Create a user role.

user-role Corporate-split
  session-acl Corporate-split

Configuration > Access Control > User Roles > Add



4) Define the AAA profile.

aaa profile wired-employee-laptop
  initial-role Corporate-split

Configuration > All Profiles > Wireless LAN > AAA Profile > Add



5) Configure the aaa wired authentication profile.

aaa authentication wired
  profile wired-employee-laptop

Configuration > Wired Access > Wired Access AAA Profile > AAA Profile > Choose the profile from the drop-down menu.

Note: In ArubaOS 3.1, 3.2, and 3.3 there is only one "aaa authentication wired" profile for the entire domain (Master and Locals), so it can be configured only on the Master. The AAA profile is referenced there, and the initial role under that AAA profile is what carries the split-tunnel ACL. Because this is the only wired AAA profile, every wired client served by it starts in the Corporate-split initial role; this is why the prerequisites require that no other aaa wired profile is in use.



6) Define the wired-ap-profile.

ap wired-ap-profile employee-laptop
  forward-mode split-tunnel
  switchport access vlan xx

Here xx is a placeholder for the controller VLAN the wired clients should be placed in; it is carried to the controller inside the GRE tunnel.

Configuration > All Profiles > AP > Wired AP Profile > ADD

Then assign the profile to the AP group that contains the RAP:

Configuration > AP Configuration > AP group and click Edit > AP > Wired AP Profile > Choose the profile from the drop-down menu.

Alternatively, create the profile directly from the AP group:

Configuration > AP Configuration > AP group and click Edit > AP > Wired AP Profile > Choose NEW from the drop-down menu.







Version history
Revision #: 1 of 1
Last update: 07-09-2014 03:51 PM