CISCO Catalyst 9800 Series Wireless Controller Network Management Device
Cisco OEAP Split Tunneling
- Feature History for Cisco OEAP Split Tunneling
- Information About Cisco OEAP Split Tunneling
- Prerequisites for Cisco OEAP Split Tunneling
- Restrictions for Cisco OEAP Split Tunneling
- Use Cases for Cisco OEAP Split Tunneling
- Workflow to Configure Cisco OEAP Split Tunneling
- Create an IP Address ACL (CLI)
- Create a URL ACL (CLI)
- Add an ACL to a Flex Connect Profile
- Enable Split Tunneling in a Policy Profile
- Verifying the Cisco OEAP Split Tunnel Configuration
Feature History for Cisco OEAP Split Tunneling
This table provides release and related information for the feature explained in this module.
This feature is available in all releases subsequent to the one in which it was introduced, unless noted otherwise.
Table 1: Feature History for Cisco OEAP Split Tunneling
Release | Feature | Feature Information
Cisco IOS XE Cupertino 17.7.1 | Cisco OEAP Split Tunneling | The Split Tunneling feature in Cisco Office Extend Access Point (OEAP) provides a mechanism to classify client traffic, based on packet content, using access control lists (ACLs).
Information About Cisco OEAP Split Tunneling
The global pandemic has redefined the way people interact and work. The workplace has shifted from office cubicles to home desks, which requires applications that enable seamless collaboration among the workforce. For home-based workers, access to business services must be reliable, consistent, and secure. It should provide an experience that is similar to the office facility. Routing all of the traffic through the corporate network using traditional VPNs increases the traffic volume, slows down access to resources, and negatively impacts the remote user experience.
Cisco OEAP provides secure communications from a controller to an access point (AP) at a remote location, seamlessly extending the corporate WLAN over the internet to an employee’s residence. Cisco OEAP provides segmentation of home and corporate traffic using the Split Tunneling feature, which allows for home device connectivity without security risks to corporate policy.
Split tunneling classifies the traffic sent by a client, based on packet content, using ACLs. Matching packets are switched locally from Cisco OEAP, and other packets are centrally switched over CAPWAP. Clients on a corporate SSID can talk to devices on the local network (printers, wireless devices on a personal SSID, and so on) directly, without consuming the WAN bandwidth that sending those packets over CAPWAP would require.
With the Split Tunneling feature, traffic to Software as a Service (SaaS) applications that are part of the work routine, such as Cisco WebEx, Microsoft SharePoint, Microsoft Office365, Box, and Dropbox, need not go through the corporate network.
The Cisco OEAP advertises two SSIDs, one corporate and one personal. Corporate SSID clients obtain their IP address from the central DHCP server in the corporate network. If split tunneling is enabled and a client wants to access a device in the home network, the AP performs NAT (PAT) translation between the wireless client corporate network subnet and the home network where the AP is located.
The personal SSID is configurable by a Cisco OEAP user. Clients will either get their IP address from the home router (when the AP personal SSID firewall is disabled) or from the internal AP DHCP server (when the AP personal SSID firewall is enabled). In the latter scenario, if the clients want to reach the home network devices, the AP performs NAT (PAT) translation between the wireless client’s internal network and the home network where the AP is located.
Prerequisites for Cisco OEAP Split Tunneling
- Cisco Wave 2 APs or Cisco Catalyst 9100AX Series Access Points
- URL filter list that matches the ACL name configured in split tunneling
Restrictions for Cisco OEAP Split Tunneling
- Cisco OEAPs are not supported when Cisco Embedded Wireless Controller on Catalyst Access Points (EWC) is used as a controller.
- Mesh topology is not supported.
- Clients connected on personal SSID or on home network (AP native VLAN) cannot discover devices on the corporate network.
- Split tunneling is not supported in standalone mode.
- URL split tunneling supports only up to 512 URLs.
- Action (deny or permit) can be specified only on the URL filter list, not for each individual entry.
- If URL-based ACL contains wild-card URLs, a maximum of 10 URLs are supported.
- The number of snooped DNS IP addresses is limited as follows:
  - An AP can snoop 4095 IP addresses per DNS response if the snooped IP address count is less than 150,000.
  - An AP can snoop 10 IP addresses per DNS response if the snooped IP address count is between 150,000 and 200,000.
  - An AP can snoop five IP addresses per DNS response if the snooped IP address count is between 200,000 and 250,000.
  - An AP can snoop one IP address per DNS response if the snooped IP address count is greater than 250,000.
- A maximum of 128 IP address ACEs (rules) can be used in the IP ACL for split tunneling.
- URL-based split tunneling only works with IPv4 addresses.
Use Cases for Cisco OEAP Split Tunneling
Before Release 17.7.1, split tunneling used IP ACLs. This meant that for cloud services such as Cisco WebEx to be accessed directly without going through the corporate network, the network administrator had to maintain the list of IP addresses that Cisco WebEx used, which was a daunting task. From Release 17.7.1, using the Cisco OEAP Split Tunneling feature, the network administrator needs to provide only the DNS names that Cisco WebEx uses. The AP ensures that traffic to these DNS names is routed directly to the internet without using the corporate network.
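The following Python model is an illustration added here; it is not Cisco's AP software and not part of this guide. It shows the classification described above: DNS answers for names on the URL filter list are snooped (IPv4 only, capped per response by the tiers listed under Restrictions), a packet whose destination was learned that way takes the list's action, and anything else falls through to the IP ACL, where permit means locally switched and deny means switched centrally over CAPWAP. The IP ACL mirrors the example in the IP ACL procedure (deny 10.10.0.0 0.0.255.255, permit any any); the URL names, the DNS answers, the implicit deny at the end of the IP ACL and the precedence of the URL ACL over the IP ACL are assumptions.

```python
"""Model of OEAP split-tunnel traffic classification (added illustration,
not Cisco code). Assumptions: snooped IPv4 answers for URL-list names are
checked first, then the IP ACL in sequence order with an implicit deny;
'permit' = locally switched at the AP, 'deny' = centrally switched (CAPWAP).
"""
import fnmatch
import ipaddress


def snoop_cap(total_snooped: int) -> int:
    """Addresses the AP may learn from one DNS response, per the tiered limits
    in the Restrictions section (exact tier boundaries are an assumption)."""
    if total_snooped < 150_000:
        return 4095
    if total_snooped < 200_000:
        return 10
    if total_snooped < 250_000:
        return 5
    return 1


def ace(seq, action, dst, wildcard="0.0.0.0"):
    """Build one IP ACE from the IOS 'destination wildcard' form."""
    net = (ipaddress.ip_network("0.0.0.0/0") if dst == "any"
           else ipaddress.ip_network(f"{dst}/{wildcard}"))  # hostmask notation
    return (seq, action, net)


class SplitTunnelAP:
    def __init__(self, url_list, url_action, ip_acl):
        self.url_patterns = [p.lower() for p in url_list]  # may contain '*' wildcards
        self.url_action = url_action                        # one action for the whole list
        self.ip_acl = sorted(ip_acl)                        # [(seq, action, IPv4Network)]
        self.snooped = {}                                   # IPv4Address -> matched name

    def url_match(self, name):
        return any(fnmatch.fnmatchcase(name.lower(), p) for p in self.url_patterns)

    def snoop_dns_response(self, name, answers):
        """Learn up to snoop_cap() IPv4 answers for a name on the URL list.
        Returns the number learned; IPv6 answers are skipped because URL-based
        split tunneling works only with IPv4 addresses."""
        if not self.url_match(name):
            return 0
        learned, cap = 0, snoop_cap(len(self.snooped))
        for answer in answers:
            if learned >= cap:
                break
            ip = ipaddress.ip_address(answer)
            if ip.version != 4:
                continue
            self.snooped[ip] = name
            learned += 1
        return learned

    @staticmethod
    def _path(action):
        return "local" if action == "permit" else "capwap"

    def classify(self, dst):
        """Return (path, reason) for a packet to dst: 'local' or 'capwap'."""
        ip = ipaddress.ip_address(dst)
        if ip in self.snooped:
            return self._path(self.url_action), f"url-acl:{self.snooped[ip]}"
        for seq, action, net in self.ip_acl:
            if ip in net:
                return self._path(action), f"ip-acl:seq{seq}"
        return "capwap", "implicit-deny"


def demo_ap():
    """AP set up like the procedures: corporate 10.10.0.0/16 stays central,
    everything else local, plus a permit URL list for constructed SaaS names."""
    ap = SplitTunnelAP(
        url_list=["*.webex.com", "wiki.cisco.com"],
        url_action="permit",
        ip_acl=[ace(10, "deny", "10.10.0.0", "0.0.255.255"), ace(20, "permit", "any")],
    )
    # Constructed DNS answers (documentation address space); the IPv6 one is skipped.
    ap.snoop_dns_response("meet.webex.com", ["203.0.113.10", "2001:db8::1"])
    return ap


if __name__ == "__main__":
    ap = demo_ap()
    for dst in ("10.10.5.7", "192.168.1.20", "203.0.113.10"):
        print(dst, *ap.classify(dst))
```

Running the block prints the path and the rule that decided it for a corporate destination (central), a home-network printer (local via the IP ACL) and a snooped SaaS address (local via the URL ACL); the reason string is the kind of per-client detail the `show split-tunnel client ... access-list` output in the verification section lets you cross-check on a real AP.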
Workflow to Configure Cisco OEAP Split Tunneling
- Create an IP address ACL or URL ACL
- Add ACL to Flex Connect Profile
- Enable Split Tunneling on Policy Profile
- Verify the Configuration
Create an IP Address ACL (CLI)
Procedure
Command or Action | Purpose
Step 1: configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 2: ip access-list extended name. Example: Device(config)# ip access-list extended vlan_oeap | Defines an extended IPv4 access list using a name. Note: The IP ACL can be used to define the default action when there is no match in the URL ACL.
Step 3: seq-num deny ip any {host address | address wildcard}. Example: Device(config-ext-nacl)# 10 deny ip any 10.10.0.0 0.0.255.255 | Denies IP traffic from any source to the specified destination (in the example, the 10.10.0.0/16 subnet, written as address and wildcard mask). Denied traffic is switched centrally.
Step 4: seq-num permit ip any any. Example: Device(config-ext-nacl)# 20 permit ip any any | Permits IP traffic from any source to any destination. Permitted traffic is switched locally.
Step 5: end. Example: Device(config-ext-nacl)# end | Exits configuration mode and returns to privileged EXEC mode.
Create a URL ACL (CLI)
Procedure
Command or Action | Purpose
Step 1: configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 2: urlfilter list list-name. Example: Device(config)# urlfilter list vlan_oeap | Configures the URL filter list. The list name must not exceed 32 alphanumeric characters.
Step 3: action {permit | deny}. Example: Device(config-urlfilter-params)# action permit | Configures the action: permit (traffic is allowed directly on the home network) or deny (traffic is directed to the corporate network).
Step 4: filter-type post-authentication. Example: Device(config-urlfilter-params)# filter-type post-authentication | Configures the URL list as a post-authentication filter.
Step 5: url url-name. Example: Device(config-urlfilter-params)# url wiki.cisco.com | Configures a URL.
Step 6: url url-name. Example: Device(config-urlfilter-params)# url example.com | (Optional) Configures an additional URL. Repeat this step for each URL you want to add.
Step 7: end. Example: Device(config-urlfilter-params)# end | Exits configuration mode and returns to privileged EXEC mode.
Add an ACL to a Flex Connect Profile
Procedure
Command or Action | Purpose
Step 1: configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 2: wireless profile flex flex-profile-name. Example: Device(config)# wireless profile flex default-flex-profile | Configures a FlexConnect profile.
Step 3: acl-policy acl-policy-name. Example: Device(config-wireless-flex-profile)# acl-policy vlan_oeap | Configures an ACL policy. Use the same name as the IP ACL and the split MAC ACL.
Step 4: urlfilter list url-filter-list-name. Example: Device(config-wireless-flex-profile-acl)# urlfilter list vlan_oeap | Attaches a URL filter list to the ACL policy.
Step 5: exit. Example: Device(config-wireless-flex-profile-acl)# exit | Returns to FlexConnect profile configuration mode.
Step 6: office-extend. Example: Device(config-wireless-flex-profile)# office-extend | Enables OEAP mode for a FlexConnect AP.
Step 7: end. Example: Device(config-wireless-flex-profile)# end | Exits configuration mode and returns to privileged EXEC mode.
Enable Split Tunneling in a Policy Profile
Procedure
Command or Action | Purpose
Step 1: configure terminal. Example: Device# configure terminal | Enters global configuration mode.
Step 2: wireless profile flex flex-profile-name. Example: Device(config)# wireless profile flex default-flex-profile | Configures a FlexConnect profile.
Step 3: no central association. Example: Device(config-wireless-flex-profile)# no central association | Disables central association and enables local association for locally switched clients.
Step 4: flex split-mac-acl split-mac-acl-name. Example: Device(config-wireless-flex-profile)# flex split-mac-acl vlan_oeap | Configures a split MAC ACL name. Note: Ensure that you use the same acl-policy-name as in the FlexConnect profile.
Step 5: end. Example: Device(config-wireless-flex-profile)# end | Exits configuration mode and returns to privileged EXEC mode.
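As an added example (not Cisco tooling and not part of this guide), the following Python script puts the output of the four procedures above into one constructed configuration text and checks it before deployment against the documented restrictions and the same-name requirement: list name length, URL and wildcard counts, ACE count, action and filter type, office-extend and central association settings, and that the split MAC ACL, ACL policy, IP ACL and URL filter list all share one name. SAMPLE_CONFIG is constructed; its layout (all commands under the flex profile, the indentation of the acl-policy submode) follows the steps as printed here and is an assumption about how a running configuration renders.

```python
"""Pre-deployment check of an OEAP split-tunnel configuration (added example,
not Cisco tooling). Parses running-config style text holding the pieces the
procedures build (IP ACL, urlfilter list, FlexConnect profile) and checks them
against the documented restrictions and the same-name requirement."""
import re

MAX_URLS, MAX_URLS_WITH_WILDCARD, MAX_ACES, MAX_LIST_NAME = 512, 10, 128, 32

# Constructed sample; layout follows the steps as printed on this page.
SAMPLE_CONFIG = """\
ip access-list extended vlan_oeap
 10 deny ip any 10.10.0.0 0.0.255.255
 20 permit ip any any
!
urlfilter list vlan_oeap
 action permit
 filter-type post-authentication
 url wiki.cisco.com
 url example.com
!
wireless profile flex default-flex-profile
 acl-policy vlan_oeap
  urlfilter list vlan_oeap
 office-extend
 no central association
 flex split-mac-acl vlan_oeap
"""


def parse_config(text):
    """Return dicts of IP ACLs, urlfilter lists and flex profiles found in text."""
    cfg = {"ip_acls": {}, "url_lists": {}, "flex_profiles": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command opens a new section
            if m := re.fullmatch(r"ip access-list extended (\S+)", line):
                section = cfg["ip_acls"].setdefault(m[1], [])
            elif m := re.fullmatch(r"urlfilter list (\S+)", line):
                section = cfg["url_lists"].setdefault(
                    m[1], {"action": None, "filter_type": None, "urls": []})
            elif m := re.fullmatch(r"wireless profile flex (\S+)", line):
                section = cfg["flex_profiles"].setdefault(m[1], {
                    "acl_policies": {}, "current_acl": None, "office_extend": False,
                    "central_association": True, "split_mac_acl": None})
            else:
                section = None
            continue
        if isinstance(section, list):  # inside an IP ACL: one ACE per line
            if m := re.match(r"(\d+) (permit|deny) ", line):
                section.append((int(m[1]), m[2], line))
        elif isinstance(section, dict) and "urls" in section:  # inside a urlfilter list
            key, _, value = line.partition(" ")
            if key == "action":
                section["action"] = value
            elif key == "filter-type":
                section["filter_type"] = value
            elif key == "url":
                section["urls"].append(value)
        elif isinstance(section, dict):  # inside a flex profile
            if m := re.fullmatch(r"acl-policy (\S+)", line):
                section["current_acl"] = m[1]
                section["acl_policies"].setdefault(m[1], None)
            elif (m := re.fullmatch(r"urlfilter list (\S+)", line)) and section["current_acl"]:
                section["acl_policies"][section["current_acl"]] = m[1]
            elif line == "office-extend":
                section["office_extend"] = True
            elif line == "no central association":
                section["central_association"] = False
            elif m := re.fullmatch(r"flex split-mac-acl (\S+)", line):
                section["split_mac_acl"] = m[1]
    return cfg


def validate(cfg):
    """Return a list of problems; an empty list means the configuration passes."""
    bad = []
    for name, lst in cfg["url_lists"].items():
        urls = lst["urls"]
        if len(name) > MAX_LIST_NAME:
            bad.append(f"urlfilter list {name}: name longer than {MAX_LIST_NAME} characters")
        if len(urls) > MAX_URLS:
            bad.append(f"urlfilter list {name}: more than {MAX_URLS} URLs")
        # Read as: once any wildcard URL is present, the whole list is capped at 10 entries.
        if any("*" in u for u in urls) and len(urls) > MAX_URLS_WITH_WILDCARD:
            bad.append(f"urlfilter list {name}: wildcard present, more than {MAX_URLS_WITH_WILDCARD} URLs")
        if lst["action"] not in ("permit", "deny") or lst["filter_type"] != "post-authentication":
            bad.append(f"urlfilter list {name}: action or filter-type post-authentication missing")
    for name, aces in cfg["ip_acls"].items():
        if len(aces) > MAX_ACES:
            bad.append(f"ip access-list {name}: more than {MAX_ACES} ACEs")
    for pname, prof in cfg["flex_profiles"].items():
        if not prof["office_extend"] or prof["central_association"]:
            bad.append(f"flex profile {pname}: needs office-extend and no central association")
        acl = prof["split_mac_acl"]
        if acl is None:
            bad.append(f"flex profile {pname}: flex split-mac-acl not set")
        elif acl not in cfg["ip_acls"] or acl not in prof["acl_policies"]:
            bad.append(f"flex profile {pname}: split-mac-acl {acl} needs an IP ACL and acl-policy of the same name")
        elif prof["acl_policies"][acl] not in cfg["url_lists"]:
            bad.append(f"flex profile {pname}: acl-policy {acl} has no defined urlfilter list attached")
    return bad


if __name__ == "__main__":
    print(validate(parse_config(SAMPLE_CONFIG)) or "configuration passes all checks")
```

Feed the script the relevant sections of a `show running-config` capture instead of SAMPLE_CONFIG to lint a real controller; the parser keys on the commands, so lines it does not recognise are ignored rather than rejected. A list with more than ten entries that also contains a wildcard URL is reported as a problem because the restriction is read here as capping the whole list, which is the conservative interpretation of the sentence above.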
Verifying the Cisco OEAP Split Tunnel Configuration
To verify the split tunneling DNS ACLs per wireless client on the AP side, use the following command:
Device# show split-tunnel client 00:11:22:33:44:55 access-list
Split tunnel ACLs for Client: 00:11:22:33:44:55
IP ACL: Split Tunnel ACL
To verify the current binding between a WLAN and an ACL, use the following command:
To verify the content of the current URL ACL, use the following command: