topic Re: Local breakout help in Wireless

Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:41:48 GMT

So maybe I am over thinking this or perhaps its not possible. I am trying to have clients maintain internal network connectivity by means of their VLAN and access internet for any http/https traffic. Similar to split tunneling or split traffic like we do with VPN. One would think I can connect an outside internet line to the WLC and perhaps configure an SVI and allow access to VLAN xxx out to the internet?

We have a network that is fairly simplistic.

The wireless clients are on VLANxxx. They get internal DHCP, and authenticate to RADIUS. We are trying to create a local breakout to the internet for their internet traffic so it does not hit our MPLS line and use precious resource. I know the WLC has Layer capabilities so I wonder if I can somehow setup a direct local breakout from this, or should I do inter VLAN routing, or is there an easier path? Internet ISP can be routable if needed, abut I have an internal IP from its own switch at: 10.x.x.x

Here is a simple diagram:

Outside internet to connect to WLC (10.x.x.x)

Client> AP (flex) > WLC (Has SSID and VLAN SVI)/Switch > Core

Re: Local breakout help

Flavio Miranda — Fri, 29 Apr 2022 14:45:57 GMT

If your SSID is already in flexconnect mode, then the solution is pretty easy. Is basically routing task. Corp traffic you sent do MPLS and internet traffic you send local.

From a Security perspective, we could add a firewall on the topology but from connectivity perspective, no required.

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:42:26 GMT

Our APs are in flexconnect but are local to the facility. The wireless clients are on the VLANxxxx from cores and our APs are on VLANxx for management. The outside internet is also provided here. What would be a configuration to try? There is no route to outside internet.

Re: Local breakout help

Flavio Miranda — Fri, 29 Apr 2022 15:47:18 GMT

The important thing is the WLAN.. Is the option "FlexConnect Local Switching " checked on the WLC? If not, then the traffic is sent to the WLC and then the scenario is different.

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:42:40 GMT

Removed

Re: Local breakout help

MHM Cisco World — Sat, 30 Apr 2022 15:00:51 GMT

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/215928-flexconnect-oeap-with-split-tunneling-co.html

I know this feature but I am not sure it can apply in WLC9800

Re: Local breakout help

Rich R — Sat, 07 May 2022 11:39:43 GMT

Office-extend is a different feature - designed for homeworkers and probably not appropriate for this scenario. Also that guide is for AireOS.

Some things still not clear from your descriptions:

- Is your WLC on the same site as the APs or is the WLC at a different site? (I'm getting the impression the WLC is at a separate central site)

- You want to break out the internet traffic at the local site?

- Your "simple diagram" doesn't show what's between the AP and the WLC - so what is there? Or are you saying your AP is physically connected directly to the WLC?

Might be easier to put your diagram on a drawing showing all the relevant connectivity. It's very difficult to answer your question without knowing all those details.

For general Flexconnect overview: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html

There is a feature called Split Tunneling for FlexConnect that you might be able to use although it's really intended for accessing specific local services eg. printer. But you might be able to use it to break out everything except the traffic going to specific core services.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_flex_connect.html#ID138

Actually looking at their example I think they're doing exactly what you want to - sending a specific IP for central switching and everything else local.

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:44:07 GMT

We tried setting up a VRF on our 9300 switches with network advantage only to realize they are not VRF NAT aware, the 16.12.4 ios at least does not support the vrf statement for ip nat inside. So back to the WLC:

Our WLC and APs are all local to one site. Wireless management on VLAN xx (along with controller IP) and APs. Clients getting IP off VLAN xx, and mobile clients we have setup for VLAN xxx (10.74.x.x). We are trying to give mobile clients direct internet connectivity without the use of another router or FW. Then ACL it off. We saw that the WLC had routing capabilities with NAT, so we figured we will try.

We simply want to give clients access to the internet without going through our local MPLS.

Re: Local breakout help

Rich R — Mon, 09 May 2022 22:39:06 GMT

9800 is not supposed to be used as a router, with or without VRF.

Many router commands functions may still be there and some may even work but wireless BU have been removing them from the WLC IOS-XE so even if they work today they might not work in the next release. If you use them then you do so at your own risk.

Why not do the NAT in global VRF on 9300L? (if it even supports that?) The 9300L range is basic and really only intended as a simple switch so no surprise it doesn't support advanced routing features.

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:44:42 GMT

Makes sense for the WLC. It just makes things easier. The 9300 does not support Nat over VRF, or intra-VRF NAT...yet that is. The statement is missing from when to designate the "ip nat inside....overload". Every direction we turn is a wall.

Re: Local breakout help

Arshad Safrulla — Tue, 10 May 2022 14:20:16 GMT

This is basically Layer 3 routing, I recommend you connect your Internet router to L3 switch directly. I would manipulate routing in order to achieve this, if using static routes I would add more specific routes towards MPLS where the subnets are defined and default route towards Internet in your L3 switch.

For MPLS

ip route 10.0.0.0 255.0.0.0 <MPLS Router IP>

ip route X.X.X.X X.X.X.X <MPLS Router IP>

For Internet

ip route 0.0.0.0 0.0.0.0 <Internet Router IP>

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:45:15 GMT

But I noticed that when doing a traceroute to 8.8.8.8 the route it takes is through is the VLAN of the client or the L3 GW, and out to the MPLS router
IS there anyway to curb this?

Re: Local breakout help

Arshad Safrulla — Tue, 10 May 2022 17:35:54 GMT

You can consider adding a policy route in Core Switch where you define the interesting traffic and and set the next hop to be the Internet router

Re: Local breakout help

frederick.mercado — Tue, 10 May 2022 20:15:54 GMT

Could you provide an example to help given my current configuration?

Re: Local breakout help

Rich R — Tue, 10 May 2022 22:28:17 GMT

It's called policy based routing. Standard routing is based on the packet's destination address. Policy based routing allows you to base the routing decision on source and/or destination address and other characteristics independent of the routing table. In this case you would send everything originating from the mobile client subnet source range to the next hop IP of your internet router.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-17/iri-xe-17-book/m_iri-pbr.html

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:46:20 GMT

Indeed, I attempted this by doing a route-map as well, it seemed the traffic was not phased by this.

If I have a VLAN xxx (10.74.x.x) on the core with the mobile traffic, and I wanted it to reach the ISP or interface with 207.x.x.x (no switchport or L3 int) with a route map what would be a good example?

Re: Local breakout help

Arshad Safrulla — Wed, 11 May 2022 19:45:08 GMT

ip access-list extended Guest_ACL
permit ip 10.74.126.0 0.0.0.255 any
!
route-map Guest_PBR permit 10
match ip address Guest_ACL
set ip next-hop 207.91.252.28
!
interface vlan 126
ip policy route-map Guest_PBR
!

You need this in both switches. This switches must know how to reach 207.91.252.28 (route must be present in both the switches, otherwise still be routed over MPLS as I assume there is a default route recieved over MPLS)

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:47:15 GMT

I have added this exact configuration.

Re: Local breakout help

frederick.mercado — Thu, 19 Oct 2023 19:47:36 GMT

Removed

Re: Local breakout help

Arshad Safrulla — Thu, 12 May 2022 20:20:54 GMT

207.91.252.28 is configured in GigabitEthernet1/0/44 ( in ur switch), so it will not work as this ip is defined as the next hop. You need to define the next hop (set ip next-hop 207.91.252.25)