Occasional Contributor I

Split tunnel for RAP's

Hey folks,


We have a configuration with a mixture of AP93s and RAP2WGs across the region. Currently, users authenticate to the SSID via AD credentials and they then have access to all machines at all locations, including head office where the controller is located.

The customer has requested we change to the following configuration:

  • All remote APs to provide DHCP addresses from their local routers at the remote offices.
  • Users authenticate as normal.
  • Segregate the APs from head office and from each other.

I believe this can be achieved with split tunnelling with the following configuration (please bear with me here, I'm fairly new to Aruba configuration):


1) New ACL that pushes ALL traffic to local environment:

ip access-list session Split-Tunnel-RAP-ACL
                any any any route src-nat

2) New User Role:

user-role Split-Tunnel-RAP-Role
                access-list session Split-Tunnel-RAP-ACL
                access-list session allowall

3) New AAA profile:

aaa profile "Split-Tunnel-RAP-AAA"
                initial-role "Split-Tunnel-RAP-Role"

4) New VAP:

virtual-ap "Split-Tunnel-RAP-VAP"
                aaa-profile "Split-Tunnel-RAP-AAA"
                ssid-profile "PB-Net-ssid_prof"
                vap enable
                vlan 2
                forward-mode split-tunnel
                rap-operation standard


And then I can replace the AAA profile and VAP selected in my existing AP group to roll out all these changes to the RAPs?

Also of note, I have yet to configure a VAP (a colleague of mine configured this controller from scratch). Under VLANs in the GUI of my controller, the only VLAN configured is ID 2, so I assume this is the ID I give here.



Re: Split tunnel for RAP's


Let's start by saying:

In split-tunnel, the user must get the IP address from the headend, NOT the remote site. Is your Virtual AP configured as split-tunnel? If it was, a client would NOT get an IP address from the remote site. In addition, the Virtual AP VLAN should be a VLAN that exists at the headend.

The user/machine authentication is not done on the AP; it is sent to the controller. The controller will use the authentication server or its local internal database to check the user/machine/cert DB.

  • The traffic that matches the rules with action = "permit" will use the tunnel (back to the controller).
  • The traffic that matches the rules with action = "route src-nat" will be bridged locally (branch/home site).


You may want to do some reading here:

Then, please read this guide:

(thanks to Mike Courtney)

Setting up a Split Tunnel port on an Aruba RAP2 / RAP5

The elements of this configuration are very similar to my previous Bridge post. The differences are in the initial Split Tunneling configuration.

1. The first step is to differentiate the IP space that will be tunneled back to the controller.

netdestination Org-IP-Space
  network *.*.0.0

2. The next step is the magic behind Split Tunneling:

ip access-list session RAP-Split-Tunneling
  any any svc-dhcp  permit
  any   alias Org-IP-Space any  permit
  any any any  route src-nat

This access list will allow a client to receive DHCP, will tunnel all traffic destined for the organization's IP space, and locally NAT the remaining traffic.

3. Create a user role for Split Tunnel port connections:

user-role RAP5-Split-Tunnel-Port
 access-list session RAP-Split-Tunneling
 access-list session allowall

4. Create a new AAA profile that references the above user role:

aaa profile "RAP5-Split-Tunnel-AAA"
   initial-role "RAP5-Split-Tunnel-Port"

5. Next, the "wired-ap-profile" will reference the VLAN that is currently attached to the Aruba controller. For instance:

ap wired-ap-profile "RAP5-AP-Profile-Local-Split-Tunnel-Port"
   forward-mode split-tunnel
   switchport access vlan 122

6. The "wired-ap-profile" will be referenced in a new "wired-port-profile" that will combine the above three steps.

ap wired-port-profile "RAP5-Local-Split-Tunnel-Port"
   wired-ap-profile "RAP5-AP-Profile-Local-Split-Tunnel-Port"
   no rap-backup
   aaa-profile "RAP5-Split-Tunnel-AAA"

7. Finally, the last step is to tie the port profile to the appropriate RAP5 AP group. The following is the stanza to apply under your specific RAP5 AP group:

enet1-port-profile "RAP5-Local-Split-Tunnel-Port"


Here's the controller CLI output that shows the above working as expected:

(Test-Controller) #show user-table | include split
*.*.20.24   00:80:a3:1d:f0:5b   RAP5-Split-Tunnel-Port   07:02:53   RAP5WN-Dorm2-Basement   Wired(Remote)   RAP5-Split-Tunnel-AAA   split tunnel


Then do some reading in this post:

Also, other good guides for you to use to get the idea behind split tunnel:

Let us know if you have further questions, and if everything works for you.




*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Occasional Contributor I

Re: Split tunnel for RAP's

Hi KDisc, thanks for that. I've found some of that information and read it already, but I guess I'm just having a few issues getting my head around it.


Can I just confirm the following points:

1) Users will always get an IP from the controller, so DHCP always needs to be allowed to the controller rather than src-nat'd?


2) I can't simply create a split tunnel with: "any any any route src-nat" to force all traffic to be local?




EDIT: It's just occurred to me that perhaps what I am looking for is Bridged mode rather than Split Tunnelling.

New Contributor

Re: Split tunnel for RAP's

Can we permit all the traffic (including DHCP) using:

any any any permit

and split only some traffic destined for a server in the LAN:

any alias(server ip) any route src-nat

Please advise?
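As an added example (not from any poster in this thread), here is a toy evaluator for the ACL semantics KDisc describes, run over the guide's RAP-Split-Tunneling ACL, the original poster's "any any any route src-nat" proposal, and the rule order written in the last post. It assumes ArubaOS session ACLs are evaluated top-down, first match, and it constructs the alias ranges (Org-IP-Space, LAN-Server) because the real ones are redacted or unspecified.

```python
"""Toy evaluator for ArubaOS-style session ACLs in split-tunnel forward mode.

Added example, not from the thread. Assumes top-down first-match evaluation and
the semantics the reply describes: 'permit' tunnels the flow to the controller,
'route src-nat' bridges it locally. Source field is simplified to 'any'."""
import ipaddress

# Constructed stand-ins: Org-IP-Space is redacted in the guide, LAN-Server is
# the "alias(server ip)" of the last post.
ALIASES = {"Org-IP-Space": ipaddress.ip_network("10.0.0.0/8"),
           "LAN-Server": ipaddress.ip_network("10.1.1.5/32")}
DHCP_PORTS = {67, 68}

def _dst_match(dst_spec, flow):
    """Destination field is either 'any' or 'alias <netdestination-name>'."""
    if dst_spec == "any":
        return True
    name = dst_spec.split()[1]
    return ipaddress.ip_address(flow["dst"]) in ALIASES[name]

def _svc_match(svc_spec, flow):
    """Service field: 'any' or the built-in 'svc-dhcp' (UDP 67/68)."""
    if svc_spec == "any":
        return True
    if svc_spec == "svc-dhcp":
        return flow["proto"] == "udp" and flow["dport"] in DHCP_PORTS
    raise ValueError(f"unsupported service {svc_spec}")

def evaluate(acl, flow):
    """Return 'tunnel', 'local' or 'deny' (implicit deny if nothing matches)."""
    for src, dst, svc, action in acl:
        if src == "any" and _dst_match(dst, flow) and _svc_match(svc, flow):
            return {"permit": "tunnel", "route src-nat": "local"}[action]
    return "deny"

# The guide's ACL: DHCP and org traffic tunneled, the rest bridged locally.
GUIDE_ACL = [("any", "any", "svc-dhcp", "permit"),
             ("any", "alias Org-IP-Space", "any", "permit"),
             ("any", "any", "any", "route src-nat")]
# Original poster's proposal: everything local, DHCP included.
ALL_LOCAL_ACL = [("any", "any", "any", "route src-nat")]
# Last post, in the order written: the catch-all permit comes first.
PERMIT_FIRST_ACL = [("any", "any", "any", "permit"),
                    ("any", "alias LAN-Server", "any", "route src-nat")]

# Constructed sample flows (destination, protocol, destination port).
DHCP = {"dst": "255.255.255.255", "proto": "udp", "dport": 67}
HQ_SMB = {"dst": "10.20.0.7", "proto": "tcp", "dport": 445}
INTERNET = {"dst": "93.184.216.34", "proto": "tcp", "dport": 443}
LAN_SERVER = {"dst": "10.1.1.5", "proto": "tcp", "dport": 443}
```

With the catch-all permit first, the more specific route src-nat line is never reached, so the server traffic is tunneled anyway; reversing the two lines gives the intended result.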
