As described in the previous post, the split tunneling feature has been available on FlexConnect APs since WLC 7.3.x. Cisco extended this feature to the OEAP600 series AP model from WLC 7.5.x onwards. On the OEAP 600 series it is limited to printing services: only traffic to the well-known printer ports listed below is forwarded to the local subnet behind the OEAP instead of being tunneled back to the WLC.

– IPP (port :631)
– PDL (port :9100)
– MFP (port :9303)
– LPD, LPR (port :515)
– PSUS4 (port :34443)
– Generic printer server (port :35)

In this post we will see how to configure this for the 600 series AP. Before going into the split tunnel configuration, you should know a few important points about this AP model.

1. It has 4 LAN ports (like a home-grade wireless internet router).
2. Port 4 is called the Remote-LAN port, where you can extend one of your office wired VLANs.
3. A maximum of 15 client devices can connect wirelessly to the advertised corporate SSID (clients on the personal SSID are not included in this count).
4. A maximum of 4 wired clients is supported.
5. The WAN port has to be connected to your home internet router (or any port where public internet access is available).
6. The AP needs to be configured with local DHCP for the personal SSID you create and for local wired clients connecting via ports 1-3. The WAN port and the local LAN ports cannot be in the same network.

When you connect this to your home network, connectivity looks like this.

As you can see above, when you plug the OEAP600 into your home network and plan to use the personal SSID or the local LAN ports, those devices get an IP defined by the AP itself. It won't be the home network you already have (only the WAN port of the OEAP sits in that network, 192.168.20.x/24).

Therefore, with this AP model, if you enable split tunneling you will be able to reach the local network 10.30.83.0/24 (on the OEAP itself) while connected to the corporate SSID. You won't be able to access your home network 192.168.20.0/24 while connected to the corporate SSID.

Here is how you configure this feature on a WLC running 7.5.102.0 or later for OEAP600 series APs. First of all you need to enable split tunneling globally. It is disabled by default (the check box is un-ticked, as shown) and you have to tick that check box.

Here is the CLI command to enable this

(WLC) >config network oeap-600 ?
dual-rlan-ports Allows the use of OEAP-600 port 3 to function as a RLAN port in addition to port 4
local-network  Configures Local Network Access for OEAP-600 connecting to this controller
split-tunnel   Configures Split Tunnel (Printers) State for OEAP-600 connecting to this controller

(WLC) >config network oeap-600 split-tunnel ?
disable        Disables Split Tunnel State (Printers) for OEAP-600 connecting to this controller
enable         Enables Split Tunnel State (Printers) for OEAP-600 connecting to this controller

(WLC) >config network oeap-600 split-tunnel enable

Then you need to go to the WLAN Advanced settings, where you can enable this feature for a specific WLAN.

Here is the CLI command to do the above

(WLC) >config wlan split-tunnel ?                               
<wlan id>      Enter WLAN Identifier between 1 and 512.

(WLC) >config wlan split-tunnel 1 ?               
enable         Enable Split Tunnel (Printers).
disable        Disable Split Tunnel (Printers).

(WLC) >config wlan split-tunnel 1 enable
(WLC) >config wlan split-tunnel 2 enable

You can verify your config in the CLI like this:

(WLC) >show network summary 
RF-Network Name............................. test
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Enable
.
.
.
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Enable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Enable
WebPortal Online Client .................... 0
mDNS snooping............................... Enabled
mDNS Query Interval......................... 15 minutes

(WLC) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... eduroam
Network Name (SSID).............................. eduroam
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
.
.
AVC Visibilty.................................... Enabled
AVC Profile Name................................. LTU-AVC-POLICY
Flow Monitor Name................................ Scrutinizer
Split Tunnel (Printers).......................... Enabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
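Split tunneling only takes effect when the global oeap-600 setting and the per-WLAN setting are both on, so it is worth auditing both lines of the show output rather than eyeballing them. The following Python is an added example (not from the post or from Cisco) that parses constructed excerpts in the same dotted-leader format; the WLAN 3 excerpt is made up for contrast.

```python
import re
from typing import Dict

# Constructed excerpts of WLC 'show' output in the dotted-leader format seen on the page
SHOW_NETWORK_SUMMARY = """\
RF-Network Name............................. test
oeap-600 dual-rlan-ports ................... Enable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Enable
mDNS snooping............................... Enabled
mDNS Query Interval......................... 15 minutes
"""

SHOW_WLAN_1 = """\
WLAN Identifier.................................. 1
Profile Name..................................... eduroam
Status........................................... Enabled
Split Tunnel (Printers).......................... Enabled
"""

# Hypothetical WLAN where the per-WLAN knob was never turned on
SHOW_WLAN_3 = """\
WLAN Identifier.................................. 3
Profile Name..................................... guest
Status........................................... Enabled
Split Tunnel (Printers).......................... Disabled
"""

# "Key ..... Value": key is everything before a run of two or more dots
LINE_RE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_show(output: str) -> Dict[str, str]:
    """Turn dotted-leader 'Key......... Value' lines into a dict."""
    fields = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def _enabled(value: str) -> bool:
    # The WLC prints 'Enable' for some fields and 'Enabled' for others
    return value.strip().lower().startswith("enable")


def split_tunnel_effective(network_summary: str, wlan_output: str) -> bool:
    """True only if split tunnel is enabled globally AND on the given WLAN."""
    net = parse_show(network_summary)
    wlan = parse_show(wlan_output)
    return (_enabled(net.get("oeap-600 Split Tunneling (Printers)", ""))
            and _enabled(wlan.get("Split Tunnel (Printers)", "")))
```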

Now split tunneling is active on your OEAP600 series AP. Once you connect to the corporate SSID (with split tunnel enabled) you can reach any device connected to the OEAP personal SSID or local LAN ports. So if you want to print, you have to move your printer to an OEAP local port. I connected my printer to an OEAP LAN port (it got the IP 10.30.83.100); then, while connected to my corporate SSID (131.x.x.9), I can reach the printer. Here is the nmap scan of the printer while I am on the corporate SSID. You can see only a limited set of ports is open.

Split-Tunnel-600-05

If I do a port scan of my PC behind the OEAP (10.30.83.102), here is the result.

Split-Tunnel-600-06

If I put my scanning PC on the same subnet, 10.30.83.0/24, here is the output.

Split-Tunnel-600-07

Based on the above, you can confirm that split tunneling on the OEAP opens only a few printer ports.
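The three scans above can be turned into a repeatable check: model which destinations the OEAP switches locally, then compare what is reachable from the corporate SSID against what is reachable on the local subnet and flag any port the printer list does not explain. This is an added Python example, not the post's own tooling; the port list and the 10.30.83.0/24 subnet are the ones from the post, and the scan result sets are constructed to resemble the post's three nmap runs.

```python
import ipaddress
from typing import Dict, Set

# Printer ports the OEAP600 forwards locally under split tunnel (list from the post)
SPLIT_TUNNEL_PORTS = {631, 9100, 9303, 515, 34443, 35}
# Subnet the OEAP assigns to devices on its personal SSID / LAN ports (from the post)
OEAP_LOCAL_NET = ipaddress.ip_network("10.30.83.0/24")


def path_for(dst_ip: str, dport: int, local_net=OEAP_LOCAL_NET) -> str:
    """Where traffic from a corporate-SSID client goes.

    'local'  : switched at the AP into the subnet behind the OEAP
    'tunnel' : sent back to the WLC (so the home network 192.168.20.x is never reached)
    """
    if ipaddress.ip_address(dst_ip) in local_net and dport in SPLIT_TUNNEL_PORTS:
        return "local"
    return "tunnel"


def split_tunnel_report(open_from_corporate: Set[int], open_from_local: Set[int]) -> Dict[str, Set[int]]:
    """Compare a scan taken from the corporate SSID with one taken on the local subnet.

    'via_split_tunnel' : printer ports the policy allowed through
    'filtered_by_ap'   : ports open locally but hidden from the corporate SSID (expected)
    'unexpected'       : ports open from the corporate SSID that are not printer ports;
                         a non-empty set means the policy is not confining traffic as described
    """
    return {
        "via_split_tunnel": open_from_corporate & SPLIT_TUNNEL_PORTS,
        "filtered_by_ap": open_from_local - open_from_corporate,
        "unexpected": open_from_corporate - SPLIT_TUNNEL_PORTS,
    }


# Constructed scan results (not the post's real nmap output)
PRINTER_FROM_CORPORATE = {515, 631, 9100}
PRINTER_FROM_LOCAL = {80, 443, 515, 631, 9100}
PC_FROM_CORPORATE: Set[int] = set()
PC_FROM_LOCAL = {135, 139, 445, 3389}

if __name__ == "__main__":
    print(path_for("10.30.83.100", 631), path_for("10.30.83.100", 80), path_for("192.168.20.5", 631))
    print(split_tunnel_report(PRINTER_FROM_CORPORATE, PRINTER_FROM_LOCAL))
    print(split_tunnel_report(PC_FROM_CORPORATE, PC_FROM_LOCAL))
```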

What about your other local devices in 192.168.20.x communicating back to the printer (or any device in the 10.30.83.0/24 range)? Since your home internet router does not know that such a network exists within your home, that won't work.

What are the solutions to get it working?
1. Add a static route entry in your home internet router pointing to the OEAP for 10.30.83.0/24 (tested and did not work).
2. Use your OEAP as the home network and put all wired connections behind the OEAP (this works only if you have 2-3 devices, as it has a limited wired MAC address limit).
3. Turn off your home internet router's wireless and only use the OEAP personal SSID.

But if you are giving this solution to your corporate office staff to use at home, do you want to get involved in their home network configuration? Most probably the answer would be no, since it will give you additional administrative overhead.

That's why I prefer using a FlexConnect AP as an OEAP instead of giving out the OEAP600 to meet this requirement (local printing while connected to the corporate SSID). But in commercial terms the OEAP would be a viable option if you are planning to give these out in volume to your staff.
