Split Tunneling & Flex Connect Configuration for Branch Office

gaskincharles
Level 1

I have a 5508 WLC controller, version 8.1, back at the Central Office and 4 3702 APs at a branch office that connect back to the WLC via a centrally switched config, where all data is tunneled through CAPWAP over a VPN connection back to the Central Office and then routed through the WLC.

This seems to be killing my wireless performance for Internet, so I want the APs to be able to route all local traffic not destined for 192.168.0.0 255.255.0.0 out locally through the Branch Office's Internet. Is it possible to tell my APs at the Branch Office to only route 192.168.0.0/16 traffic through CAPWAP via the WLC and send everything else out locally? If not, is it possible to tell all traffic to switch locally and then just allow the Branch Office's routing and switching to control traffic?

I believe I should be able to do this by placing the AP in FlexConnect mode and then applying a permit any any FlexConnect ACL to the AP. But I want to know if this would be the right solution.

The 2 diagrams should help paint the picture of what I am trying to accomplish. In the scenario below, the 172.16.100.0/24 network is back at the corporate office, but the Client device still gets a 172.16.100.0 IP address. The Client should not have to go through the CAPWAP tunnel to get to 192.168.1.100 since it's a part of the local network at the Client's actual location, and the same goes for the Internet. The Client should be able to go out its own Internet without having to route via CAPWAP through the WLC back at the Central Office.

 

2 Accepted Solutions

Yes, if you configure FlexConnect local switching, you can achieve what you want. Once you convert to FlexConnect, the AP simply terminates user traffic in a VLAN destined to the gateway defined on a local switch (so the AP-connected switchports need to be trunk ports and AP management should be on the native VLAN of that trunk link).

Convert one AP to FlexConnect mode and test everything first. Once you have tested it successfully and are happy with the performance, then convert all other APs to FlexConnect. Keep this design guide as a reference.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/ch7_HREA.html

HTH

Rasika

*** Pls rate all useful responses ***


Split tunneling is used for a central switching WLAN.

If there is a need to access a resource that is available at the branch side, then an ACL needs to be defined to specify which destination IP should be switched locally.

Please note that NAT of the source IP of the client would be done with the AP IP.

A good example would be a printer which is available at the branch, so on a central switching WLAN specify the IP of the local printer to be switched locally in the ACL.


3 Replies


Rasika,

Could you tell me a little more about the FlexConnect ACL that needs to be applied? Do I need to deny any traffic to send it locally vs. over CAPWAP? Do I need to permit all traffic to allow it to be forced locally only?

____________________________________________________________

FlexConnect and Split Tunnel info from article

FlexConnect ACL can be created with rules in order to permit all of the devices present at the local site/network. When packets from a wireless client on the Corporate SSID match the rules in the FlexConnect ACL configured on OEAP, that traffic is switched locally and the rest of the traffic (that is, implicit deny traffic) will switch centrally over CAPWAP.

The Split Tunneling solution assumes that the subnet/VLAN associated with a client in the central site is not present in the local site (that is, traffic for clients that receive an IP address from the subnet present on the central site will not be able to switch locally).

The Split Tunneling functionality is designed to switch traffic locally for subnets that belong to the local site in order to avoid WAN bandwidth consumption. Traffic that matches the FlexConnect ACL rules is switched locally, and a NAT operation is performed changing the client's source IP address to the FlexConnect AP's interface IP address that is routable at the local site/network.

FlexConnect ACL Summary

  • Create the FlexConnect ACL on the controller.
  • Apply the same on a VLAN present on the FlexConnect AP under AP-level VLAN ACL mapping.
  • Can be applied on a VLAN present in a FlexConnect Group under VLAN-ACL mapping (generally done for AAA-overridden VLANs).
  • While applying the ACL on a VLAN, select the direction to be applied: ingress, egress, or ingress and egress.

Split Tunnel Summary

  • The Split Tunneling functionality is supported on WLANs configured for central switching advertised by FlexConnect APs only.
  • DHCP Required should be enabled on WLANs configured for Split Tunneling.
  • The Split Tunneling configuration is applied per WLAN configured for central switching on a per-FlexConnect-AP basis or for all of the FlexConnect APs in a FlexConnect Group.

Split Tunnel Limitations

  • FlexConnect ACL rules should not be configured with a permit/deny statement with the same subnet as source and destination.
  • Traffic on a centrally switched WLAN configured for Split Tunneling can be switched locally only when a wireless client initiates traffic for a host present on the local site. If traffic is initiated by clients/hosts on the local site for wireless clients on these configured WLANs, the traffic will not be able to reach the destination.
  • Split Tunneling is not supported for Multicast/Broadcast traffic. Multicast/Broadcast traffic will switch centrally even if it matches the FlexConnect ACL.
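To make the ACL semantics in the quoted article concrete, here is an added Python model of the split-tunnel forwarding decision (not Cisco code and not from this thread): first-match FlexConnect ACL, implicit deny to central, permitted traffic switched locally with the source NATed to the AP IP, multicast/broadcast always central, only client-initiated flows eligible, and the same-subnet rule check. All IP addresses and subnets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values, not taken from the thread.
AP_IP = ipaddress.ip_address("10.20.0.5")  # FlexConnect AP's own address at the branch
BROADCAST = ipaddress.ip_address("255.255.255.255")

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "permit" = switch locally, "deny" = send centrally over CAPWAP

def make_rule(src, dst, action):
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)

def validate_acl(rules):
    """Enforce the documented limitation: no rule with the same subnet as source and
    destination. Read literally, this also flags 'permit any any' (0.0.0.0/0 both ways)."""
    for r in rules:
        if r.src == r.dst:
            raise ValueError(f"rule {r.src} -> {r.dst} uses the same subnet as source and destination")
    return True

def decide(rules, src, dst, client_initiated=True):
    """Model the split-tunnel decision for one packet on a centrally switched WLAN.
    Returns (path, source_ip_on_the_wire): 'local' traffic is NATed to the AP IP,
    'central' traffic keeps the client IP and rides CAPWAP to the WLC."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not client_initiated:
        # Only client-initiated flows are switched locally; a local host trying to
        # reach the wireless client first cannot get there, per the quoted limitation.
        return ("unreachable", None)
    if dst.is_multicast or dst == BROADCAST:
        return ("central", str(src))  # multicast/broadcast never split-tunnels
    for r in rules:  # first match wins
        if src in r.src and dst in r.dst:
            return ("local", str(AP_IP)) if r.action == "permit" else ("central", str(src))
    return ("central", str(src))  # implicit deny: everything else goes to the WLC

# Constructed split-tunnel ACL: only the branch LAN (10.20.0.0/24) is switched locally.
SPLIT_ACL = [make_rule("0.0.0.0/0", "10.20.0.0/24", "permit")]
validate_acl(SPLIT_ACL)
```

Traffic for the corporate 192.168.0.0/16 range (or anything else not permitted) falls through to the implicit deny and is still carried over CAPWAP, which is the behaviour the original poster asked about.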

