Split tunneling was introduced for FlexConnect APs in the WLC 7.3.x releases. It allows certain traffic to be locally switched at a FlexConnect AP while all other traffic is centrally switched.
In this post we will see how this feature can be enabled and used in an Office Extend (home user) scenario. The feature works a little differently with the OEAP 600 series AP; we will look at that in a separate post. Here I have used a 3502 AP converted into Office Extend mode.
The diagram below shows a typical home user's network connectivity. There won't be an OEAP in a normal set-up; I have added it here since it is the primary focus of this post.
Once you change the AP mode to FlexConnect and prime it for your corporate WLC (typically in a DMZ), it is ready to hand to the end user to plug into his home network. It will then make the corporate SSID available at his home. If you want to give the end user the ability to create their own personal SSID, you can enable the “office extend” feature on the AP itself. Refer to this post to see how you could do that.
Prior to 7.3.x, all traffic from corporate user devices went back to the wireless controller in the corporate office. In other words, once a user connected to the corporate SSID, he could not access his local network devices (printer, home PC, etc.). Sometimes a user wants to print to his home printer while connected to the corporate SSID, and this is what led to the “Split Tunnel” feature in the WLC software.
This is how it works. Let's say you have set up your home personal network on 192.168.x.x (a private range). You have a completely different network at your corporate office (let's say 131.172.x.x/16). Therefore, when you connect to your office SSID while at home, you get an IP in the 131.172.x.x range. If you try to reach 192.168.x.x from that IP, the traffic goes back to the WLC and is then dropped, since those private addresses are not routable across the internet.
Once you enable the split tunneling feature and define an ACL to classify which traffic needs to be locally switched, you can reach your home network devices while connected to the office SSID.
Here are the steps you need to follow. My wireless controller is running version 7.5.102.0, and you may see slightly different screens in your controller if the version is different.
First you have to define a FlexConnect ACL to classify your local traffic. You can do this in the GUI via “Security -> Access Control List -> FlexConnect ACL -> New“. I have defined an ACL called “Flex-Split-Tunnel” as below, specifying that any traffic destined to 192.168.x.x is to be treated as local traffic.
Then you need to create a FlexConnect Group and map this ACL to the WLAN you intend to advertise via the OEAP. You can do this in the GUI via the “Wireless -> FlexConnect Groups -> ACL Mapping -> WLAN ACL-mapping -> Local Split ACL Mapping” section. In my case I have created a group called “LTU-OEAP600” and mapped the “Flex-Split-Tunnel” ACL to two corporate WLANs named “eduroam” and “LTUWireless2”.
This is how you configure it in the CLI:
(WLC) >config flexconnect group ?
<groupName>    flexconnect group name
(WLC) >config flexconnect group LTU-OEAP600
(WLC) >config ap flexconnect ?
central-dhcp   Configures central-dhcp on AP per Wlan
local-split    Configures local-split on Wlan
policy         Add/Deletes policy flexconnect ACL on AP.
radius         Config flexconnect backup Radius Server in standalone mode
vlan           Enables/Disables VLAN on the flexconnect.
web-auth       Maps Web-Auth/Web Passthrough ACL to WLAN for an AP.
wlan           Configure wlan and vlan mapping
(WLC) >config ap flexconnect local-split ?
<Wlan-Id>      Wlan Id
(WLC) >config ap flexconnect local-split 1 ?
<Cisco AP>     Enter the name of the Cisco AP.
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN ?
enable         Enable disables local-split tunnel on WLAN
disable        Enable disables local-split tunnel on WLAN
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable ?
acl            ACL configurations
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl ?
<acl-name>     ACL Nam
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl Flex-Split-Tunnel
(WLC) >config ap flexconnect local-split 2 OE-AP013-RasikaN enable acl Flex-Split-Tunnel
Then you can add the FlexConnect AP to this group. If you tick the “Select AP from current controller” option it lists all the FlexConnect APs on that controller, and you can choose from them. In my case I have put my home OEAP into this group.
Here is the CLI way of doing this:
(WLC) >config flexconnect ?
acl            Configures Access Control Lists.
group          Configure flexconnect group tables.
join           Enables or disables the latency base join mode for an OfficeExtend AP
office-extend  Enables or disables the OfficeExtend AP mode for a flexconnect AP
(WLC) >config flexconnect group ?
<groupName>    flexconnect group name
(WLC) >config flexconnect group LTU-OEAP600 ?
add            Adds flexconnect group
ap             Configure flexconnect group AP information.
central-dhcp   Configures central-dhcp on Flexconnect group per Wlan
delete         Deletes flexconnect group
local-split    Config local-split acl on Flexconnect Group.
multicast      Sets Multicast/Broadcast across L2 Broadcast Domain on Overridden interface for locally switched clients
policy         Config policy acl on Flexconnect Group.
predownload    Sets Efficient Upgrade for group
radius         RADIUS server for client authentication in standalone mode
vlan           Config Vlan on Flexconnect Group.
web-auth       Config web-auth acl on Flexconnect Group.
wlan-vlan      Configure Wlan-Vlan mapping on flexconnect group.
(WLC) >config flexconnect group LTU-OEAP600 ap ?
add            Add AP <MacAddress> to flexconnect group table.
delete         Delete AP <MacAddress> from flexconnect group table.
(WLC) >config flexconnect group LTU-OEAP600 ap add ?
<MacAddress>   AP Mac Address.
(WLC) >config flexconnect group LTU-OEAP600 ap add 70:81:05:03:7c:ef
You can verify your configuration with the following CLI commands:
(WLC) >show flexconnect ?
acl            Display system Access Control Lists.
group          Display flexconnect group information.
office-extend  Display flexconnect OfficeExtend AP information.
(WLC) >show flexconnect acl ?
summary        Display a summary of the Access Control Lists.
detailed       Display detailed Access Control List information.
(WLC) >show flexconnect acl summary
ACL Name                         Status
-------------------------------- -------
Flex-Split-Tunnel                Applied
(BUN-PW00-WC01) >show flexconnect acl detailed Flex-Split-Tunnel
       Source                          Destination                          Source Port Dest Port
Index  IP Address/Netmask              IP Address/Netmask              Prot Range       Range       DSCP  Action
------ ------------------------------- ------------------------------- ---- ----------- ----------- ----- -------
     1 0.0.0.0/0.0.0.0                 192.168.0.0/255.255.0.0         Any  0-65535     0-65535     Any   Permit
     2 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Deny
(WLC) >show flexconnect group ?
detail         Display detail for a specific flexconnect group.
summary        Display list of flexconnect groups.
(WLC) >show flexconnect group summary
FlexConnect Group Summary: Count: 1
Group Name                # Aps
LTU-OEAP600               1
(WLC) >show flexconnect group detail LTU-OEAP600
Number of AP's in Group: 1
70:81:05:03:7c:ef   OE-AP013-RasikaN   Joined
Efficient AP Image Upgrade ..... Disabled
Master-AP-Mac   Master-AP-Name   Model   Manual
Group Radius Servers Settings:
Type           Server Address    Port
-------------  ----------------  -------
Primary        Unconfigured      Unconfigured
Secondary      Unconfigured      Unconfigured
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key.................. <hidden>
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
Multicast on Overridden interface config: Disabled
Number of User's in Group: 0
Group-Specific FlexConnect Local-Split ACLs :
WLAN ID  SSID                  ACL
-------- -------------------- -----
1        eduroam              Flex-Split-Tunnel
2        LTUWireless2         Flex-Split-Tunnel
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID  Vlan ID
-------- --------------------
WLAN ID  SSID                 Central-Dhcp  Dns-Override  Nat-Pat
Once you have done this you are ready to test the feature. As you can see, my client gets a 131.x.x.14 IP, but I can still reach my local 192.168.20.x network at home.
It works fine. How can you see what changes this feature makes to the AP configuration once it is enabled? “show derived-config” is the CLI command to run on the AP console to see the configuration pushed by the WLC to the AP. Here is the relevant section of that output (not all of it). As you can see, it creates a NAT configuration using the ACL defined for split tunneling (similar to the configuration you would use on an IOS device for split tunneling).
OE-AP013-RasikaN#show derived-config
dot11 ssid LTUWireless2 1      <-- Corporate SSID 1
dot11 ssid eduroam 2           <- Corporate SSID 2
dot11 ssid mrn-cciew 16        <- Personal SSID
!
interface Dot11Radio1
 antenna gain 0
 traffic-metrics aggregate-report
 peakdetect
 beamform ofdm
 mbssid
 speed basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 packet retries 64 drop-packet
 no cdp enable
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 18
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 bridge-group 18
!
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 bridge-group 1
!
interface Dot11Radio1.18
 encapsulation dot1Q 18
 bridge-group 18
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface BVI1
 ip address dhcp client-id BVI1
 ip nat outside
!
interface BVI18
 ip address 149.x.x.x 255.255.248.0 secondary   <- gateway address of dynamic interface for WLAN1
 ip address 131.x.x.x 255.255.248.0             <- gateway address of dynamic interface for WLAN2
 ip nat inside
!
ip nat inside source list reap_local_central_acl interface BVI1 overload
!
ip access-list extended Flex-Split-Tunnel
 permit ip any 192.168.0.0 0.0.255.255
 deny   ip any any
ip access-list extended reap_local_central_acl
 permit ip 131.x.x.0 0.0.7.255 any   <- WLAN1 dynamic interface subnet
 permit ip 149.x.x.0 0.0.7.255 any   <- WLAN1 dynamic interface subnet
!
arp 149.x.x.18 04f7.e4ea.5b66 ARPA   <- Client1 IP Address
arp 131.x.x.14 a088.b435.c2f0 ARPA   <- Client2 IP Address
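As an added example (my own code, not from the post or from Cisco), the following Python evaluates IOS-style extended ACL lines such as the Flex-Split-Tunnel ACL the WLC pushed to the AP above, with first-match semantics and wildcard masks, and reports whether a client flow is switched locally (and NATed out of BVI1) or tunnelled to the WLC. The second ACL is a constructed variant, using the post's 131.172.x.x/16 corporate example range and a constructed client address, ordered so that only corporate traffic is tunnelled; the post's comments note that sending internet traffic out the local link in this way is supported only from WLC 8.0.x.

```python
import ipaddress

# The local-split ACL exactly as it appears in the AP's derived config in the post.
FLEX_SPLIT_TUNNEL_ACL = """
permit ip any 192.168.0.0 0.0.255.255
deny ip any any
"""

# Constructed variant (not from the post): the corporate range is denied first so
# only that traffic is tunnelled, while home and internet traffic is switched locally.
HOME_AND_INTERNET_ACL = """
deny ip any 131.172.0.0 0.0.255.255
permit ip any any
"""

def _parse_target(tokens):
    """Consume one IOS address spec: 'any' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # An IOS wildcard is the inverse of a netmask: 0.0.255.255 -> 255.255.0.0 (/16).
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False)

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src_net, dst_net) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACL line: " + line)
        rules.append((action, _parse_target(tokens), _parse_target(tokens)))
    return rules

def acl_action(rules, src_ip, dst_ip):
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def classify_flow(acl_text, src_ip, dst_ip):
    """'permit' in the local-split ACL means locally switched (NAT out of BVI1),
    anything else stays in the CAPWAP tunnel to the WLC."""
    return "local" if acl_action(parse_acl(acl_text), src_ip, dst_ip) == "permit" else "central"
```

With the post's ACL, a client on 131.172.1.14 reaches 192.168.20.1 locally while everything else, including internet destinations, is tunnelled; with the variant ACL only the 131.172.0.0/16 destinations are tunnelled.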
In the next post we will see how this feature works on the OEAP 600 series.
Hi Rasika,
Would it be possible to have this type of scenario:
1. WLAN is central auth and centrally switched.
2. Internet traffic routed to branch internet only and will not pass through HQ where WLC is located.
The reason for the scenario is to enable local client profiling from the WLC because if WLAN is locally switched, local client profiling does not work.
If this is possible, may I have a guideline on how to do this?
Thank you in advance!
Jogh
Did you ever figure out a solution for this scenario? I am faced with the exact same issue.
Hi,
I just tried to deny corporate subnets in the Flex ACL before allowing any destination (branch and internet) traffic. That worked for me.
Regards, Daniel.
Hi Rasika,
Can you answer on question?
Is this possible?
Best regards, Max.
Sorry for being late 🙂
Yes, this is possible only from WLC 8.0.x onwards, where you can route internet traffic from the branch internet link instead of the tunnel to HQ. Only interesting traffic can be tunnelled back to HQ.
HTH
Rasika
Can you give an example of the configuration you would need in order to split tunnel the local network and internet traffic? We don’t want to back haul our officeextend users internet traffic back to HQ. Thanks!
Hi Jay,
All of my blog posts are specific to AireOS 7.0.x code.
This feature is available on later versions (7.6 or 8.0). If I get a chance, I will do it; otherwise please refer to the respective configuration guides.
HTH
Rasika
Can you point me in the direction of that configuration guide? I am having trouble finding it.
Hi Rasika,
In a WLC, I could see APs are in flexconnect mode, on WLAN – local switching is enabled, VLAN mapping is also done. perhaps as the APs are in AP groups where one of the dynamic interfaces from WLC is mapped. Users are getting IP addresses from this interface subnet.
So can we say AP group is overriding local switching in this case?
No. If the AP is in FlexConnect mode (connected to a trunk port in the BR-Switch) and the WLAN is enabled for Local Switching, it should get a local subnet IP (irrespective of the dynamic interface the WLAN is mapped to).
Make sure those locally switched VLANs are there in the switch and an SVI is defined in the branch switch to get an IP.
HTH
Rasika
Thanks
Running 8.2 on my WLC, trying to get this working for the new 1810 OEAP. I’ve followed the steps above through the GUI, checked the settings in the CLI, and it looks fine. However, I’m getting my office IP and cannot ping my home network. Thoughts?
Hi Frank,
Haven't worked with this AP model to see if the feature works as expected.
Try reaching TAC and see if they can help here.
Rasika
Hi Rasika,
Sorry, my comment is off track. Do you have any document on FlexConnect group RADIUS servers? I have a setup where I have an ISE PSN in the branch and I want my branch wireless corporate users to be authenticated with the local ISE PSN. We have a centralized WLC and a single corporate SSID. I am unable to make it work... branch users always get authenticated through the global RADIUS server which is mapped under the SSID.
Hi Rasika, we are facing an issue with our wireless network. We have Cisco 5508 controllers in HA mode with 200 APs in FlexConnect mode. The issue is that whenever we perform any change on any WLAN, all our wireless clients get disassociated for a few seconds and join back... we can feel the disconnection if we are working on remote desktop connections. As far as I know, only those users connected to the SSID on which I am making changes should get disassociated, not all SSID users.
Please let me know if you have seen this kind of issue.