
Occasional Contributor II

aruba controller difference between SSID tunnel and split tunnel

Dear Community,


Need the workflow of SSID tunnel and split tunnel, how it works and what the challenges are between them.

MVP Guru

Re: aruba controller difference between SSID tunnel and split tunnel

Hey, this is explained further in the User Guide for each respective release. I have taken an excerpt for you:


Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the controller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.


Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the controller, and Internet access remains local). A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.


In short, one sends the packets back to the controller; the other sends only selected packets to the controller and the rest remain local.

If my post addresses your query, give kudos :)

Guru Elite

Re: aruba controller difference between SSID tunnel and split tunnel

The main use for split tunnel is for users at remote sites with limited bandwidth to tunnel traffic that needs to be back to the datacenter TO the datacenter and send traffic locally that needs to stay local.  This is the reason why a Remote AP can only be configured to have a Split Tunnel SSID.  On campus networks, it is assumed that there is enough bandwidth and little latency, so everything can be tunneled back to the controller in the datacenter.


At a remote site, if you want the user to authenticate via captive portal, you can have that authentication occur to the headend, and then have the rest of the traffic be sent locally.  You can also have users authenticate via 802.1x (the 802.1x traffic is not subject to split tunneling rules--it always goes back to the headend), send traffic to the headend that resides in the headend, like email, and then send the rest of the traffic out of the local ISP.


These are just examples of why split tunneling was invented in the first place, and how it should be used.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
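
The forwarding behaviour described in the replies above, modelled as an added example (not code from the thread, the User Guide or Aruba): it shows which flows reach the controller in each mode and which leave through the local ISP without the headend seeing them. The corporate prefixes, sample flows and function names are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed corporate prefixes (assumption); a real deployment lists its own.
CORP_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]

TUNNEL, LOCAL = "gre-to-controller", "local-bridge"

def enforcement_point(mode: str) -> str:
    """Where 802.11 decryption/encryption and firewall rules run, per the excerpt."""
    return {"tunnel": "controller", "split-tunnel": "remote-ap"}[mode]

def forward_path(mode: str, kind: str, dst: Optional[str] = None) -> str:
    """kind is "eapol" (802.1X) or "data"; dst is the destination IP of a data frame."""
    if mode == "tunnel":
        return TUNNEL                      # data, action and EAPOL frames all go over GRE
    if mode != "split-tunnel":
        raise ValueError(f"unknown forwarding mode: {mode}")
    if kind == "eapol":
        return TUNNEL                      # 802.1X is not subject to the split rules
    if dst is None:
        raise ValueError("data frames need a destination address")
    addr = ipaddress.ip_address(dst)
    return TUNNEL if any(addr in net for net in CORP_NETS) else LOCAL

def local_breakout(mode: str, flows):
    """Return the flows that never reach the controller, i.e. leave via the local ISP."""
    return [f for f in flows if forward_path(mode, *f) == LOCAL]

# Constructed sample flows: (kind, destination)
FLOWS = [("eapol", None), ("data", "10.20.30.40"), ("data", "172.20.1.5"),
         ("data", "93.184.216.34"), ("data", "192.168.1.10")]

if __name__ == "__main__":
    for mode in ("tunnel", "split-tunnel"):
        print(mode, "enforced at", enforcement_point(mode))
        for kind, dst in FLOWS:
            print(f"  {kind:5} {dst or '-':15} -> {forward_path(mode, kind, dst)}")
        print("  bypasses controller:", local_breakout(mode, FLOWS))
```

The flows returned by `local_breakout` are the ones a headend firewall or logging pipeline will not observe, so any inspection of them has to happen at the remote AP or at the site itself.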