, ,

Split Tunneling introduced to Flexconnect APs in WLC7.3.x releases. This will allow certain traffic to be locally switched & all other traffic to Centrally switch from a Flexconnect AP.

In this post we will see how this feature can be enabled & use it in  Office Extend- Home user scenario. This feature works little bit differently with OEAP 600 series AP & will look at that in a separate post. In this post I have used 3502 AP model converted into Office Extend mode.

Below diagram shows a typical home users network connectivity. There won’t be an OEAP in normal set up, I have added it here since it is the primary focus of this post.

Split-Tunnel-3500-01Once you changed the AP mode to Flexconnect  & priming it  for your corporate WLC (typically in a DMZ) it is ready to give to end user to plug it into his home network. Then it will give him the corporate SSID available at his home. If you are giving end user the capability of creating their own personal SSID then you can enable “office extend” feature on the AP itself. Refer this post to see how you could do that.

Prior to 7.3.x all corporate user devices traffic go back to wireless controller in their corporate office. In other words if that user connected to corporate SSID, he cannot access his local network devices (like printer, home PC, etc). Some times user want to print to his home printer while connecting to corporate SSID. This leads to enable this “Split Tunnel” feature on WLC software.

This is how it works. Let’s say you have setup your home personal network to 192.168.x.x (private network). You have completely different network at your corporate office (let’s say 131.172.x.x/16). Therefore when you connected to your office SSID while you are at home you will get 131.172.x.x range IP. If you are trying to access 192.168.x.x, from those IP, that traffic will go back to WLC & then it will drop since those private IP cannot routable across internet.

Once you enable split tunneling feature with defining ACL to classify what traffic need to locally switched, you can reach your home network devices while you are connecting to office SSID.

Here are the steps you need to follow. My wireless controller running with version & you may see little bit different screens in your controller if version is different.

First you have to define a FlexConnect ACL to classify your local traffic. You can do this  in GUI vial “Security  -> Access Control List -> FlexConnect ACL-> New“. I have defined a ACL called “Flex-Split-Tunnel” like below. I have specified any traffic destined to 192.168.x.x to be treated as local traffic.

Split-Tunnel-3500-02Then you need to create a FlexConnect Group & map this ACL to the WLAN you suppose to advertise via OEAP. You can do this in GUI via “Wireless -> FlexConnect Groups -> ACL Mapping -> WLAN ACL-mapping -> Local Split ACL Mapping” section. In my case I have created a group called “LTU-OEAP600” & map “Flex-Split-Tunnel” ACL to two corporate WLAN named “eduroam” & “LTUWireless2”.

Split-Tunnel-3500-03This is how you want to configure it in CLI

(WLC) >config flexconnect group ?            
<groupName>    flexconnect group name

(WLC) >config flexconnect group LTU-OEAP600

(WLC) >config ap flexconnect ?             
central-dhcp   Configures central-dhcp on AP per Wlan
local-split    Configures local-split on Wlan
policy         Add/Deletes policy flexconnect ACL on AP.
radius         Config flexconnect backup Radius Server in standalone mode
vlan           Enables/Disables VLAN on the flexconnect.
web-auth       Maps Web-Auth/Web Passthrough ACL to WLAN for an AP.
wlan           Configure wlan and vlan mapping

(WLC) >config ap flexconnect local-split ?               
<Wlan-Id>      Wlan Id

(WLC) >config ap flexconnect local-split 1 ?              
<Cisco AP>     Enter the name of the Cisco AP.

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN ?              
enable         Enable disables local-split tunnel on WLAN              
disable        Enable disables local-split tunnel on WLAN

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable ?               
acl            ACL configurations

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl ?              
<acl-name>     ACL Nam

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl Flex-Split-Tunnel            
(WLC) >config ap flexconnect local-split 2 OE-AP013-RasikaN enable acl Flex-Split-Tunnel

Then you can add FlexConnect AP into this group. If you tick the “Select AP from current controller” option it will list down all the FlexConnect AP in that controller where you can choose from. In my case I have put my home OEAP in to this group.

Split-Tunnel-3500-04Here is the CLI way of doing this

(WLC) >config flexconnect ?             
acl            Configures Access Control Lists.
group          Configure flexconnect group tables.
join           Enables or disables the latency base join mode for an OfficeExtend AP
office-extend  Enables or disables the  OfficeExtend AP mode for a flexconnect AP

(WLC) >config flexconnect group ?              
<groupName>    flexconnect group name

(WLC) >config flexconnect group LTU-OEAP600 ?               
add            Adds flexconnect group 
ap             Configure flexconnect group AP information.
central-dhcp   Configures central-dhcp on Flexconnect group per Wlan
delete         Deletes flexconnect group
local-split    Config local-split acl on Flexconnect Group.
multicast      Sets Multicast/Broadcast across L2 Broadcast Domain on Overridden interface for locally switched clients
policy         Config policy acl on Flexconnect Group.
predownload    Sets Efficient Upgrade for group 
radius         RADIUS server for client authentication in standalone mode
vlan           Config Vlan on Flexconnect Group.
web-auth       Config web-auth acl on Flexconnect Group.
wlan-vlan      Configure Wlan-Vlan mapping on flexconnect group.

(WLC) >config flexconnect group LTU-OEAP600 ap ?               
add            Add AP <MacAddress> to flexconnect group table.
delete         Delete AP <MacAddress> from flexconnect group table.

(WLC) >config flexconnect group LTU-OEAP600 ap add ?               
<MacAddress>   AP Mac Address.

(WLC) >config flexconnect group LTU-OEAP600 ap add 70:81:05:03:7c:ef

By using following CLI you can verify your configurations.

(WLC) >show flexconnect ?              
acl            Display system Access Control Lists.
group          Display flexconnect group information.
office-extend  Display flexconnect OfficeExtend AP information.

(WLC) >show flexconnect acl ?               
summary        Display a summary of the Access Control Lists.
detailed       Display detailed Access Control List information.

(WLC) >show flexconnect acl summary  
ACL Name                         Status
-------------------------------- -------
Flex-Split-Tunnel                Applied

(BUN-PW00-WC01) >show flexconnect acl detailed Flex-Split-Tunnel
                   Source                        Destination                Source Port  Dest Port
Index        IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action
------ ------------------------------- ------------------------------- ---- ----------- ----------- ----- -------
     1         Any     0-65535     0-65535  Any Permit
     2                 Any     0-65535     0-65535  Any   Deny

(WLC) >show flexconnect group ?               
detail         Display detail for a specific flexconnect group.
summary        Display list of flexconnect groups.

(WLC) >show flexconnect group summary 
FlexConnect Group Summary: Count: 1
Group Name                # Aps
LTU-OEAP600                        1

(WLC) >show flexconnect group detail LTU-OEAP600 
Number of AP's in Group: 1 
70:81:05:03:7c:ef    OE-AP013-RasikaN     Joined 
Efficient AP Image Upgrade ..... Disabled

Master-AP-Mac     Master-AP-Name                    Model      Manual

Group Radius Servers Settings:
Type           Server Address    Port   
-------------  ----------------  -------
                                         Primary       Unconfigured      Unconfigured
                                                                                      Secondary     Unconfigured      Unconfigured
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key..................     <hidden>    
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
Multicast on Overridden interface config: Disabled
Number of User's in Group: 0
Group-Specific FlexConnect Local-Split ACLs :
WLAN ID     SSID                            ACL 
--------   --------------------            ----- 
1          eduroam                          Flex-Split-Tunnel               
2          LTUWireless2                     Flex-Split-Tunnel               
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID     Vlan ID          
--------   --------------------

WLAN ID   SSID                            Central-Dhcp  Dns-Override  Nat-Pat

Once you do this you are ready to test your feature. As you can see my client get 131.x.x.14 IP, but still I can reach my local network 192.168.20.x at home.

Split-Tunnel-3500-05It is working fine, How can you see what changes it makes on the AP config once you enable this feature. “show derived config” is the CLI command you need to run on AP console to see config changes pushed by WLC to AP. Here is the relevant section of this output (not all). As you can see it will create NAT configuration with ACL defined for Split Tunneling (similar config you use in IOS device to configure split tunneling).

OE-AP013-RasikaN#show derived-config 

dot11 ssid LTUWireless2 1 <--Corporate SSID 1
dot11 ssid eduroam 2  <- Corporate SSID 2
dot11 ssid mrn-cciew 16 <- Personal SSID
interface Dot11Radio1
 antenna gain 0
 traffic-metrics aggregate-report
 beamform ofdm
 speed  basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 packet retries 64 drop-packet
 no cdp enable
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 18
interface Dot11Radio1.2
 encapsulation dot1Q 2
 bridge-group 18
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 bridge-group 1
interface Dot11Radio1.18
 encapsulation dot1Q 18
 bridge-group 18
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface BVI1
 ip address dhcp client-id BVI1
 ip nat outside
interface BVI18
 ip address 149.x.x.x secondary <- gateway address of dyanamic interface for WLAN1
 ip address 131.x.x.x <- gateway address of dyanamic interface for WLAN2
 ip nat inside
ip nat inside source list reap_local_central_acl interface BVI1 overload
ip access-list extended Flex-Split-Tunnel
 permit ip any
 deny   ip any any
ip access-list extended reap_local_central_acl
 permit ip 131.x.x.0 any <- WLAN1 dynamic interface subnet
 permit ip 149.x.x.0 any <- WLAN1 dynamic interface subnet
arp 149.x.x.18 04f7.e4ea.5b66 ARPA <- Client1 IP Address 
arp 131.x.x.14 a088.b435.c2f0 ARPA <- Client2 IP Address 

In next post we will see how this feature works in OEAP 600 series.

1. Configuring FlexConnect – WLC 7.5 Release
2. FlexConnect Split Tunneling – Cisco DOC-27758

Related Posts

1. Split Tunneling in OEAP600