04-09-2017 09:11 PM - edited 07-05-2021 06:50 AM
I have a 5508 WLC Controller ver 8.1 back at the Central Office and four 3702 APs at a branch office that connect back to the WLC via a centrally switched config, where all data is tunneled through CAPWAP over a VPN connection back to the Central Office and then routed through the WLC.
This seems to be killing my wireless performance for Internet, so I want the APs to be able to route all local traffic not destined for 192.168.0.0 255.255.0.0 out locally through the Branch Office's Internet. Is it possible to tell my APs at the Branch Office to only route 192.168.0.0/16 traffic through CAPWAP via the WLC and send everything else out locally? If not, is it possible to tell all traffic to switch locally and then just allow the Branch Office's routing and switching to control traffic?
I believe I should be able to do this by placing the AP in FlexConnect mode and then applying a permit any any FlexConnect ACL to the AP. But I want to know if this would be the right solution.
The 2 diagrams should help paint the picture of what I am trying to accomplish. In the scenario below, the 172.16.100.0/24 network is back at the corporate office, but the Client device still gets a 172.16.100.0 IP address. The Client should not have to go through the CAPWAP tunnel to get to 192.168.1.100 since it's part of the local network at the Client's actual location, and the same goes for the Internet. The Client should be able to go out its own Internet without having to route via CAPWAP through the WLC back at the Central Office.
04-09-2017 10:11 PM
Yes, if you configure FlexConnect local switching, you can achieve what you want. Once you convert to FlexConnect, the AP simply terminates user traffic in a VLAN, destined to the gateway defined on a local switch (so the AP-connected switchports need to be trunk ports and AP management should be on the native VLAN of that trunk link).
Convert one AP to FlexConnect mode and test everything first. Once you have tested it successfully and are happy with the performance, then convert all the other APs to FlexConnect. Keep this design guide as a reference.
HTH
Rasika
*** Pls rate all useful responses ***
04-10-2017 06:26 AM
Split tunneling is used for a centrally switched WLAN.
If there is a need to access a resource that is available at the branch side, then an ACL needs to be defined to specify which destination IPs should be switched locally.
Please note that the client's source IP is NATed to the AP IP.
A good example would be a printer that is available at the branch, so on a centrally switched WLAN specify the IP of the local printer in the ACL to be switched locally.
04-10-2017 05:11 AM
Rasika,
Could you tell me a little more about the FlexConnect ACL that needs to be applied? Do I need to deny any traffic to send it locally vs. over CAPWAP? Do I need to permit all traffic to allow it to be forced locally only?
FlexConnect and Split Tunnel info from the article:
A FlexConnect ACL can be created with rules in order to permit all of the devices present at the local site/network. When packets from a wireless client on the Corporate SSID match the rules in the FlexConnect ACL configured on the OEAP, that traffic is switched locally and the rest of the traffic (that is, implicit deny traffic) will switch centrally over CAPWAP.
The Split Tunneling solution assumes that the subnet/VLAN associated with a client in the central site is not present in the local site (that is, traffic for clients that receive an IP address from the subnet present on the central site will not be able to switch locally).
The Split Tunneling functionality is designed to switch traffic locally for subnets that belong to the local site in order to avoid WAN bandwidth consumption. Traffic that matches the FlexConnect ACL rules is switched locally, and a NAT operation is performed changing the client's source IP address to the FlexConnect AP's interface IP address that is routable at the local site/network.
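As an added example (not Cisco code and not part of any post above), the following Python models the two forwarding behaviours discussed in this thread: the locally switched WLAN from Rasika's answer, where every client frame is bridged onto the branch VLAN with no ACL and no NAT, and the centrally switched WLAN with split tunneling from the quoted article, where a "permit" match in the FlexConnect ACL is switched locally with the source NATed to the AP's IP and everything else, including the implicit deny at the end of the ACL, goes over CAPWAP to the WLC. All addresses, VLAN numbers, the rule text format and the function names are assumptions constructed for the example; in particular the rule format is not WLC syntax.

```python
"""Added illustration (not Cisco code): how a FlexConnect AP forwards a client
packet under the two designs discussed in this thread.

  * Locally switched WLAN (the accepted answer): every client frame is bridged
    onto the branch VLAN mapped to that WLAN on the AP. No ACL, no NAT.
  * Centrally switched WLAN with split tunneling (the quoted article): the
    destination is checked against the FlexConnect ACL in order; a 'permit'
    match is switched locally with the source NATed to the AP's IP, a 'deny'
    match or the implicit deny at the end goes over CAPWAP to the WLC.

Addresses, VLAN numbers and the rule text format are assumptions made for the
example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    """One FlexConnect ACL rule: destination network and permit/deny action."""
    destination: IPv4Network
    action: str  # "permit" = switch locally, "deny" = send over CAPWAP


@dataclass(frozen=True)
class Forwarding:
    path: str             # "local" (bridged at the branch) or "capwap"
    src: IPv4Address      # source address the destination will see
    vlan: Optional[int]   # branch VLAN for locally bridged traffic
    reason: str           # which rule decided it


def parse_acl(text: str) -> List[AclRule]:
    """Parse the example's own rule format, one rule per line, in match order:
    '<permit|deny> <network> <dotted netmask>'. This is not WLC syntax."""
    rules = []
    for line in text.strip().splitlines():
        action, net, mask = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        rules.append(AclRule(IPv4Network(f"{net}/{mask}"), action))
    return rules


def split_tunnel(acl: List[AclRule], client_ip: str, dst_ip: str,
                 ap_ip: str, local_vlan: int) -> Forwarding:
    """Centrally switched WLAN with split tunneling: first-match ACL, implicit deny."""
    client, dst, ap = (ip_address(a) for a in (client_ip, dst_ip, ap_ip))
    for idx, rule in enumerate(acl, start=1):
        if dst not in rule.destination:
            continue
        if rule.action == "permit":
            # Switched locally. The client's own subnet exists only at the
            # central site, so the AP NATs the source to its own IP to make the
            # flow routable (and returnable) on the branch network.
            return Forwarding("local", ap, local_vlan,
                              f"rule {idx} permit {rule.destination}")
        return Forwarding("capwap", client, None,
                          f"rule {idx} deny {rule.destination}")
    # Nothing matched: the ACL's implicit deny means "not local", i.e. CAPWAP.
    return Forwarding("capwap", client, None, "implicit deny")


def local_switching(client_ip: str, wlan_vlan: int) -> Forwarding:
    """Locally switched WLAN: everything is bridged onto the WLAN's branch VLAN
    with the client's own (branch-assigned) address; the branch router and
    firewall decide where it goes from there."""
    return Forwarding("local", ip_address(client_ip), wlan_vlan,
                      "FlexConnect local switching")


# Constructed addressing, loosely following the thread: the client holds
# 172.16.100.25 from the corporate subnet, the branch AP is 192.168.1.10 on
# VLAN 10, 192.168.1.100 is a branch printer, 192.168.5.20 a corporate server.
AP_IP, BRANCH_VLAN, CLIENT = "192.168.1.10", 10, "172.16.100.25"

# Only the branch LAN is permitted; Internet falls through to the implicit deny.
BRANCH_ONLY = parse_acl("""
permit 192.168.1.0 255.255.255.0
""")

# Internet break-out: central subnets are denied *before* the permit-any rule,
# otherwise they would be NATed out of the branch as well.
BREAKOUT = parse_acl("""
permit 192.168.1.0 255.255.255.0
deny   192.168.0.0 255.255.0.0
deny   172.16.0.0  255.240.0.0
permit 0.0.0.0     0.0.0.0
""")


if __name__ == "__main__":
    for name, acl in (("branch-only", BRANCH_ONLY), ("break-out", BREAKOUT)):
        for dst in ("192.168.1.100", "192.168.5.20", "172.16.100.50", "8.8.8.8"):
            f = split_tunnel(acl, CLIENT, dst, AP_IP, BRANCH_VLAN)
            print(f"{name:11} {dst:15} -> {f.path:6} src={f.src} ({f.reason})")
    print(local_switching("192.168.1.55", BRANCH_VLAN))
```

Two points the model makes concrete. First, rule order matters in the split-tunnel case: a permit-any rule for Internet break-out only does what you want if the central subnets are denied above it, otherwise corporate-bound traffic is NATed out of the branch too. Second, whichever design is chosen, locally switched or locally NATed traffic never reaches the WLC, so any ACL, firewall or logging that lives at the central site no longer sees it; the branch firewall has to carry that policy, and with split tunneling the branch logs will show the AP's address rather than the client's.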