Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to Configure a Wired Port Split-Tunnel on RAP?

  • 1.  How to Configure a Wired Port Split-Tunnel on RAP?

    Posted Jul 06, 2015 10:06 AM

    I have a Remote AP (RAP) that works great, except that I cannot ping it from my desktop and I need that capability. Both my desktop and the Mobility Controller lie behind the firewall. When I ping from my desktop we can see that the RAP receives the ping and responds to the controller through its VPN tunnel. But when the controller routes the echo reply to my desktop it hits the firewall and the firewall blocks it. Changing the firewall is not an option.

    Shouldn’t I be able to configure the RAP with a split-tunnel on the Wired Port so that it responds to my echo request directly instead of sending the reply to the controller through its VPN tunnel?

    I have created a Wired AP Profile for Port 0, which is the only wired port, and set the “Forward Mode” to “split-tunnel.” I created a policy where the first rule is: “Source = any, Dest = any, Service/App = any, Action = src-nat” and applied it to a User Role and assigned the User Role to the “Initial role” of the AAA profile.

    I have not been able to get it to work and am unclear on how to proceed. This is the first time I have experimented with a Wired AP Profile, Policies and User Roles, so I am hoping someone can explain how this can be done. I have read many Aruba documents but can’t find anything that directly addresses my questions.

    Just to be clear, my goal is for the RAP to receive an echo request and send an echo reply directly back to the originator (bypassing the VPN tunnel). I don’t care about supporting wired traffic from the remote office and my only wired port is ETH0.



  • 2.  RE: How to Configure a Wired Port Split-Tunnel on RAP?
    Best Answer

    EMPLOYEE
    Posted Jul 06, 2015 10:17 AM

    Whether a RAP will or will not answer solicited traffic depends on the session-acl parameter in the AP system profile: http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/ap_system_profile.htm

    Please take a look at what session ACL is assigned in the AP system profile of the RAP.

    The configuration of the wired port does not determine whether or not a RAP itself answers pings.



  • 3.  RE: How to Configure a Wired Port Split-Tunnel on RAP?

    Posted Jul 06, 2015 03:07 PM

    Thank you, thank you, thank you!  That was the clue I needed.  The default Session ACL had a rule for svc-icmp to "permit."  I changed this from "permit" to "route src-nat" and it now works.  I don't totally understand the difference between "route src-nat" and plain ol' "src-nat" but it works.
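
The fix described in the two posts above (check the session ACL bound in the AP system profile, then change the svc-icmp action from permit to route src-nat), written out as ArubaOS 6.x CLI. This is an added example, not configuration from the thread or from HPE Aruba; the profile name `rap-office` is constructed, and `ap-uplink-acl` is assumed to be the default session ACL referenced by the AP system profile.

```text
! Assumed starting point: the RAP's AP system profile references the
! default session ACL, which permits ICMP. The RAP answers, but the echo
! reply travels up the VPN tunnel to the controller, which then has to
! route it back through the firewall.
ap system-profile rap-office
  session-acl ap-uplink-acl
!
! Fix: replace the ICMP rule's action. With route src-nat the RAP answers
! locally and the echo reply leaves its wired uplink directly instead of
! the tunnel. (Existing rules are removed with the "no" form.)
ip access-list session ap-uplink-acl
  no any any svc-icmp permit
  any any svc-icmp route src-nat
!
! Verify the profile binding and the resulting rule before testing from
! the desktop.
show ap system-profile rap-office
show ip access-list ap-uplink-acl
```

Because this rule now makes the RAP's wired interface answer pings from any source on the local segment, a `network <ip> <mask>` source (for example the management subnet) in place of the first `any` limits who can reach it that way.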



  • 4.  RE: How to Configure a Wired Port Split-Tunnel on RAP?

    Posted Jul 06, 2015 10:18 AM

    Hi,

    If you enable split-tunnel forwarding mode (VAP profile), it will take effect only on wireless traffic, not on the wired traffic.

    We cannot ping the wired interface of the AP from the client. It is expected behaviour.

    Please share your need, why do you want to ping the AP's wired interface, so that we can find any other alternative way to achieve it.