Split tunneling was introduced for FlexConnect APs in the WLC 7.3.x releases. It allows selected traffic to be locally switched at a FlexConnect AP while all other traffic is centrally switched.
In this post we will see how this feature can be enabled and used in an Office Extend home-user scenario. The feature works a little differently with the OEAP 600 series AP; we will look at that in a separate post. In this post I have used a 3502 AP converted into Office Extend mode.
The diagram below shows a typical home user's network connectivity. There would not be an OEAP in a normal setup; I have added it here since it is the primary focus of this post.
Once you change the AP mode to FlexConnect and prime it for your corporate WLC (typically in a DMZ), it is ready to hand to the end user to plug into his home network; it will then make the corporate SSID available at his home. If you want to give the end user the ability to create their own personal SSID, you can enable the “Office Extend” feature on the AP itself. Refer to this post to see how to do that.
Prior to 7.3.x, all traffic from corporate user devices went back to the wireless controller in the corporate office. In other words, a user connected to the corporate SSID could not access devices on his local network (printer, home PC, etc.). Sometimes a user wants to print to his home printer while connected to the corporate SSID, and this is what led to the “Split Tunnel” feature in the WLC software.
This is how it works. Let’s say your home personal network is 192.168.x.x (a private range) and your corporate office uses a completely different network (say 131.172.x.x/16). When you connect to your office SSID at home you therefore get an IP in the 131.172.x.x range. If you try to reach 192.168.x.x from that IP, the traffic goes back to the WLC and is dropped there, since those private addresses are not routable across the internet.
Once you enable split tunneling and define an ACL classifying which traffic should be locally switched, you can reach your home network devices while connected to the office SSID.
Here are the steps you need to follow. My wireless controller is running version 22.214.171.124, and you may see slightly different screens if your controller version differs.
First you have to define a FlexConnect ACL to classify your local traffic. In the GUI this is under “Security -> Access Control List -> FlexConnect ACL -> New”. I have defined an ACL called “Flex-Split-Tunnel”, as shown below, which treats any traffic destined to 192.168.x.x as local traffic.
Then you need to create a FlexConnect Group and map this ACL to the WLANs you intend to advertise via the OEAP. In the GUI this is under “Wireless -> FlexConnect Groups -> ACL Mapping -> WLAN ACL-mapping -> Local Split ACL Mapping”. In my case I created a group called “LTU-OEAP600” and mapped the “Flex-Split-Tunnel” ACL to two corporate WLANs named “eduroam” and “LTUWireless2”.
```
(WLC) >config flexconnect group ?
<groupName>    flexconnect group name
(WLC) >config flexconnect group LTU-OEAP600
(WLC) >config ap flexconnect ?
central-dhcp   Configures central-dhcp on AP per Wlan
local-split    Configures local-split on Wlan
policy         Add/Deletes policy flexconnect ACL on AP.
radius         Config flexconnect backup Radius Server in standalone mode
vlan           Enables/Disables VLAN on the flexconnect.
web-auth       Maps Web-Auth/Web Passthrough ACL to WLAN for an AP.
wlan           Configure wlan and vlan mapping
(WLC) >config ap flexconnect local-split ?
<Wlan-Id>      Wlan Id
(WLC) >config ap flexconnect local-split 1 ?
<Cisco AP>     Enter the name of the Cisco AP.
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN ?
enable         Enable disables local-split tunnel on WLAN
disable        Enable disables local-split tunnel on WLAN
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable ?
acl            ACL configurations
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl ?
<acl-name>     ACL Nam
(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl Flex-Split-Tunnel
(WLC) >config ap flexconnect local-split 2 OE-AP013-RasikaN enable acl Flex-Split-Tunnel
```
Then you can add the FlexConnect AP to this group. If you tick the “Select AP from current controller” option, it lists all the FlexConnect APs on that controller and you can choose from them. In my case I put my home OEAP into this group.
```
(WLC) >config flexconnect ?
acl            Configures Access Control Lists.
group          Configure flexconnect group tables.
join           Enables or disables the latency base join mode for an OfficeExtend AP
office-extend  Enables or disables the OfficeExtend AP mode for a flexconnect AP
(WLC) >config flexconnect group ?
<groupName>    flexconnect group name
(WLC) >config flexconnect group LTU-OEAP600 ?
add            Adds flexconnect group
ap             Configure flexconnect group AP information.
central-dhcp   Configures central-dhcp on Flexconnect group per Wlan
delete         Deletes flexconnect group
local-split    Config local-split acl on Flexconnect Group.
multicast      Sets Multicast/Broadcast across L2 Broadcast Domain on Overridden interface for locally switched clients
policy         Config policy acl on Flexconnect Group.
predownload    Sets Efficient Upgrade for group
radius         RADIUS server for client authentication in standalone mode
vlan           Config Vlan on Flexconnect Group.
web-auth       Config web-auth acl on Flexconnect Group.
wlan-vlan      Configure Wlan-Vlan mapping on flexconnect group.
(WLC) >config flexconnect group LTU-OEAP600 ap ?
add            Add AP <MacAddress> to flexconnect group table.
delete         Delete AP <MacAddress> from flexconnect group table.
(WLC) >config flexconnect group LTU-OEAP600 ap add ?
<MacAddress>   AP Mac Address.
(WLC) >config flexconnect group LTU-OEAP600 ap add 70:81:05:03:7c:ef
```
You can verify your configuration with the following CLI commands.
```
(WLC) >show flexconnect ?
acl            Display system Access Control Lists.
group          Display flexconnect group information.
office-extend  Display flexconnect OfficeExtend AP information.
(WLC) >show flexconnect acl ?
summary        Display a summary of the Access Control Lists.
detailed       Display detailed Access Control List information.
(WLC) >show flexconnect acl summary
ACL Name                         Status
-------------------------------- -------
Flex-Split-Tunnel                Applied
(BUN-PW00-WC01) >show flexconnect acl detailed Flex-Split-Tunnel
       Source                          Destination                          Source Port Dest Port
Index  IP Address/Netmask              IP Address/Netmask              Prot Range       Range       DSCP  Action
------ ------------------------------- ------------------------------- ---- ----------- ----------- ----- -------
     1 0.0.0.0/0.0.0.0                 192.168.0.0/255.255.0.0         Any  0-65535     0-65535     Any   Permit
     2 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Deny
(WLC) >show flexconnect group ?
detail         Display detail for a specific flexconnect group.
summary        Display list of flexconnect groups.
(WLC) >show flexconnect group summary
FlexConnect Group Summary: Count: 1
Group Name                       # Aps
LTU-OEAP600                      1
(WLC) >show flexconnect group detail LTU-OEAP600
Number of AP's in Group: 1
70:81:05:03:7c:ef    OE-AP013-RasikaN    Joined
Efficient AP Image Upgrade ..... Disabled
Master-AP-Mac        Master-AP-Name        Model        Manual
Group Radius Servers Settings:
Type             Server Address    Port
-------------    ----------------  -------
Primary          Unconfigured      Unconfigured
Secondary        Unconfigured      Unconfigured
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key.................. <hidden>
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
Multicast on Overridden interface config: Disabled
Number of User's in Group: 0
Group-Specific FlexConnect Local-Split ACLs :
WLAN ID   SSID                   ACL
--------  --------------------   -----
1         eduroam                Flex-Split-Tunnel
2         LTUWireless2           Flex-Split-Tunnel
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID   Vlan ID
--------  --------------------
WLAN ID   SSID                   Central-Dhcp   Dns-Override   Nat-Pat
```
Once you have done this you are ready to test the feature. As you can see, my client gets a 131.x.x.14 IP, but I can still reach my local 192.168.20.x network at home.
It works fine. How can you see what changes this feature makes to the AP configuration? “show derived-config” is the command to run on the AP console to see the configuration pushed to the AP by the WLC. Here is the relevant section of that output (not all of it). As you can see, it creates a NAT configuration using the ACL defined for split tunneling (similar to the configuration you would use on an IOS device for split tunneling).
```
OE-AP013-RasikaN#show derived-config
dot11 ssid LTUWireless2 1      <-- Corporate SSID 1
dot11 ssid eduroam 2           <-- Corporate SSID 2
dot11 ssid mrn-cciew 16        <-- Personal SSID
!
interface Dot11Radio1
 antenna gain 0
 traffic-metrics aggregate-report
 peakdetect
 beamform ofdm
 mbssid
 speed basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 packet retries 64 drop-packet
 no cdp enable
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 18
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 bridge-group 18
!
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 bridge-group 1
!
interface Dot11Radio1.18
 encapsulation dot1Q 18
 bridge-group 18
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface BVI1
 ip address dhcp client-id BVI1
 ip nat outside
!
interface BVI18
 ip address 149.x.x.x 255.255.248.0 secondary   <-- gateway address of dynamic interface for WLAN1
 ip address 131.x.x.x 255.255.248.0             <-- gateway address of dynamic interface for WLAN2
 ip nat inside
!
ip nat inside source list reap_local_central_acl interface BVI1 overload
!
ip access-list extended Flex-Split-Tunnel
 permit ip any 192.168.0.0 0.0.255.255
 deny ip any any
ip access-list extended reap_local_central_acl
 permit ip 131.x.x.0 0.0.7.255 any   <-- WLAN1 dynamic interface subnet
 permit ip 149.x.x.0 0.0.7.255 any   <-- WLAN1 dynamic interface subnet
!
arp 149.x.x.18 04f7.e4ea.5b66 ARPA   <-- Client1 IP Address
arp 131.x.x.14 a088.b435.c2f0 ARPA   <-- Client2 IP Address
```
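To make the forwarding decision above concrete, here is an added example (my own model, not Cisco code) that parses the two ACLs the WLC pushed to the AP and reproduces what the AP does with a client packet: the split ACL decides whether a flow is switched locally or goes back over CAPWAP to the WLC, and reap_local_central_acl decides whether a locally switched packet gets its corporate source address NATed to the BVI1 (home network) address. The 131.172.8.0/21 subnet and the BVI1 address 192.168.20.50 are constructed stand-ins for the masked 131.x.x.x values in the output; IOS wildcard-mask semantics (a 0 bit means that bit must match) are used, and an unmatched packet falls to the implicit deny, i.e. it stays in the tunnel.

```python
"""Model of the FlexConnect split-tunnel decision on an OfficeExtend AP.

Added example, not Cisco's code. Reproduces the effect of the two ACLs that
"show derived-config" shows the WLC pushing to the AP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any" or "<network> <wildcard>"
    dst: str


# Constructed config text in the shape of the post's output. 131.172.8.0/21 is a
# made-up stand-in for the masked 131.x.x.0 corporate subnet.
DERIVED_CONFIG = """\
ip access-list extended Flex-Split-Tunnel
 permit ip any 192.168.0.0 0.0.255.255
 deny ip any any
ip access-list extended reap_local_central_acl
 permit ip 131.172.8.0 0.0.7.255 any
"""
# Constructed: the DHCP lease BVI1 got from the home router (the NAT outside address).
BVI1_ADDRESS = "192.168.20.50"


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' (one token) or '<network> <wildcard>' (two tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ios_acls(text: str) -> Dict[str, List[AclEntry]]:
    """Parse 'ip access-list extended' blocks into {name: [AclEntry, ...]}."""
    acls: Dict[str, List[AclEntry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = tok[3]
            acls[current] = []
            continue
        if current is not None and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, rest = _take_addr(tok[2:])
            dst, _ = _take_addr(rest)
            acls[current].append(AclEntry(tok[0], src, dst))
    return acls


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard match: a 0 bit in the wildcard means that bit must match."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; no match at all is the implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action == "permit"
    return False


def switch_packet(acls: Dict[str, List[AclEntry]], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (path, source address as seen on the wire).

    'central': the split ACL did not permit the flow, so it goes over CAPWAP
               to the WLC unchanged (no NAT applies, hence None).
    'local':   the AP bridges the flow onto the home LAN; if the source is a
               corporate client address matched by reap_local_central_acl it
               is overloaded onto BVI1's address, as the 'ip nat inside source
               list ... interface BVI1 overload' line configures.
    """
    if not acl_permits(acls["Flex-Split-Tunnel"], src, dst):
        return "central", None
    if acl_permits(acls["reap_local_central_acl"], src, dst):
        return "local", BVI1_ADDRESS
    return "local", src


if __name__ == "__main__":
    table = parse_ios_acls(DERIVED_CONFIG)
    for destination in ("192.168.20.10", "131.172.9.1", "8.8.8.8"):
        print(destination, switch_packet(table, "131.172.8.14", destination))
```

The point the model makes visible is that the split ACL is a whitelist of what is allowed to leave the tunnel: the first entry sends only 192.168.0.0/16 destinations onto the home LAN, and the trailing deny keeps everything else (including internet-bound traffic) on the corporate path. Widening that ACL widens the set of destinations a corporate-SSID client can reach directly from the home network, so it is worth checking the `show flexconnect acl detailed` output after any change.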
In the next post we will see how this feature works on the OEAP 600 series.