cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

New Hall of Fame Member-Peter PAluch

Dynamic Split Tunneling in AnyConnect VPN

382
Views
0
Helpful
0
Comments

 

  • The dynamic split tunneling exclusions address scenarios when traffic pertaining to a certain service needs to be excluded from the VPN tunnel dynamically, at run time
    • Use case when you have a public cloud service with wide range of public IPs which needs to be excluded from VPN connection such as O365 in run time and dynamically.
  • Depending on split tunneling policy configured, dynamic split tunneling exclusion is applied as follow:
    • Tunnel All Networks—All exclusions from the VPN tunnel are dynamic.
    • Exclude Specific Networks—Dynamic exclusions are added to preconfigured static ones.
    • Include Specific Networks—Dynamic exclusions are only relevant if at least one IP address of the excluded host names overlaps with a split include network. Otherwise, the traffic is already excluded from the VPN tunnel, and no dynamic exclusion is performed.

 

  • Configuration steps

 

Step 1

Define the custom attribute type in the WebVPN context with the following command: anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains

Step 2

Define the custom attribute names for each cloud/web service that needs access by the client outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. The attribute value contains the list of domain names to exclude from the VPN tunnel and must be in comma-separated-values (CSV) format using the following as an example:anyconnect-custom-data dynamic-split-exclude-domains webex_service_domains webex.com, webexconnect.com, tags.tiqcdn.com

Step 3

Attach the previously defined custom attribute to a certain policy group with the following command, executed in the group-policy attributes context:anyconnect-custom dynamic-split-exclude-domains value webex_service_domains

CreatePlease to create content
Content for Community-Ad

Blog-Cisco Community Designated VIP Class of 2019