Configuring Split Tunneling
The procedure to configure split tunneling requires the following steps. Each step is described in detail later in this chapter.
The split tunneling feature requires the PEFNG license. If you do not have the PEFNG license on your Managed Device, you must install it before you configure split tunneling. For details on installing licenses, refer to the Aruba Managed Device Licensing Guide.
1. Define a session ACL (Access Control List) that forwards only corporate traffic to the Managed Device.
a. Configure a net destination for the corporate subnets.
b. Create rules to permit DHCP (Dynamic Host Configuration Protocol) and corporate traffic to the corporate Managed Device.
c. Apply the session ACL to a user role.
2. (Optional) Configure an ACL that restricts remote AP users from accessing the remote AP local debugging homepage.
3. Configure the remote AP's AAA profile.
a. Specify the authentication method ( or ) and the default user role for authenticated users. The user role specified in the AAA profile must contain the session ACL defined in the previous step.
b. (Optional) Use the remote AP's AAA profile to enable RADIUS accounting.
4. Configure the virtual AP profile:
a. Specify the AP group or AP to which the virtual AP profile applies.
b. Set the VLAN (Virtual Local Area Network) used for split tunneling. Only one VLAN can be configured for split tunneling; VLAN pooling is not allowed.
c. When specifying the use of a split tunnel configuration, use "split-tunnel" forward mode.
d. Create and apply the applicable SSID (Service Set Identifier) profile.
When creating a new virtual AP profile in the WebUI, you can also configure the SSID at the same time. For information about AP profiles, see AP Configuration Profiles.
5. (Optional) Create a list of network names resolved by corporate DNS (Domain Name System) servers.
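The following is an added example that walks steps 1, 3 and 4 above as an ArubaOS CLI configuration; it is not taken from this page or from Aruba's own documentation. The corporate subnet 10.10.0.0/16, VLAN 100, 802.1X as the authentication method, and every profile and object name are placeholders, and the command syntax follows ArubaOS CLI conventions as understood by the editor; lines beginning with "!" are comments.

```text
! Step 1a: net destination for the corporate subnets (placeholder range)
netdestination corpnet
  network 10.10.0.0 255.255.0.0
!
! Step 1b: session ACL. Rule order matters because the ACL ends in an
! implicit deny: DHCP is permitted first so clients can obtain an address,
! corporate traffic is permitted next (it is tunneled to the Managed Device),
! and the final rule routes all remaining traffic out the remote AP's local
! uplink with source NAT instead of dropping it.
ip access-list session split-tunnel-acl
  any any svc-dhcp permit
  any alias corpnet any permit
  user any any route src-nat
!
! Step 1c: attach the session ACL to the user role the AAA profile assigns
user-role split-tunnel-role
  access-list session split-tunnel-acl
!
! Step 3: AAA profile for the remote APs. The default role must be the role
! that carries the session ACL above, otherwise clients get no split tunnel.
! 802.1X is assumed here; the authentication method is a placeholder choice.
aaa profile split-tunnel-aaa
  initial-role split-tunnel-role
  authentication-dot1x default
  dot1x-default-role split-tunnel-role
!
! Step 4: virtual AP profile. Exactly one VLAN (no VLAN pool) and
! forward mode split-tunnel, then bind it to the remote AP group.
wlan virtual-ap split-tunnel-vap
  aaa-profile split-tunnel-aaa
  ssid-profile corp-ssid
  vlan 100
  forward-mode split-tunnel
!
ap-group remote-aps
  virtual-ap split-tunnel-vap
```

After applying, confirm that a test client on the split-tunnel SSID reaches a corporate address through the tunnel and a non-corporate address through the local uplink, and that no rule in the session ACL matches more broadly than the corporate net destination.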