CISCO Catalyst 9800 Series Wireless Controller Network Management Device User Guide
- June 14, 2024
- Cisco
Table of Contents
- Cisco OEAP Split Tunneling
- Feature History for Cisco OEAP Split Tunneling
- Information About Cisco OEAP Split Tunneling
- Prerequisites for Cisco OEAP Split Tunneling
- Restrictions for Cisco OEAP Split Tunneling
- Use Cases for Cisco OEAP Split Tunneling
- Workflow to Configure Cisco OEAP Split Tunneling
- Create an IP Address ACL (CLI)
- Create a URL ACL (CLI)
- Add an ACL to a Flex Connect Profile
- Enable Split Tunneling in a Policy Profile
- Verifying the Cisco OEAP Split Tunnel Configuration
Cisco OEAP Split Tunneling
Feature History for Cisco OEAP Split Tunneling
This table provides release and related information for the feature explained
in this module.
This feature is available in all releases subsequent to the one in which it is
introduced, unless noted otherwise.
Table 1: Feature History for Cisco OEAP Split Tunneling
| Release | Feature | Feature Information |
|---|---|---|
| Cisco IOS XE Cupertino 17.7.1 | Cisco OEAP Split Tunneling | The Split Tunneling feature in Cisco Office Extend Access Point (OEAP) provides a mechanism to classify client traffic, based on packet content, using access control lists (ACLs). |
Information About Cisco OEAP Split Tunneling
The global pandemic has redefined the way people interact and work. The
workplace has shifted from office cubicles to home desks, which requires
applications that enable seamless collaboration among the workforce. For home-
based workers, access to business services must be reliable, consistent, and
secure. It should provide an experience that is similar to the office
facility. Routing all of the traffic through the corporate network using
traditional VPNs increases the traffic volume, slows down access to
resources, and negatively impacts the remote user experience.
Cisco OEAP provides secure communications from a controller to an access point
(AP) at a remote location, seamlessly extending the corporate WLAN over the
internet to an employee’s residence. Cisco OEAP provides segmentation of home
and corporate traffic using the Split Tunneling feature, which allows for home
device connectivity without security risks to corporate policy.
Split tunneling classifies the traffic sent by a client, based on packet
content, using ACLs. Matching packets are switched locally by the Cisco OEAP,
and all other packets are centrally switched over CAPWAP. Clients on a
corporate SSID can talk to devices on the local network (printers, wireless
devices on a personal SSID, and so on) directly, instead of consuming WAN
bandwidth by sending those packets over CAPWAP.
With the Split Tunneling feature, traffic to Software as a Service (SaaS)
applications that are required as part of the work routine, such as Cisco
WebEx, Microsoft SharePoint, Microsoft Office365, Box, and Dropbox, need not go
through the corporate network.
The Cisco OEAP advertises two SSIDs, one corporate and one personal. Corporate
SSID clients obtain their IP address from the central DHCP server in the
corporate network. If split tunneling is enabled and a client wants to access
a device in the home network, the AP performs NAT (PAT) translation between
the wireless client corporate network subnet and the home network where the AP
is located.
The personal SSID is configurable by a Cisco OEAP user. Clients will either
get their IP address from the home router (when the AP personal SSID firewall
is disabled) or from the internal AP DHCP server (when the AP personal SSID
firewall is enabled). In the latter scenario, if the clients want to reach the
home network devices, the AP performs NAT (PAT) translation between the
wireless client’s internal network and the home network where the AP is
located.
Prerequisites for Cisco OEAP Split Tunneling
- Cisco Wave 2 APs or Cisco Catalyst 9100AX Series Access Points
- URL filter list that matches the ACL name configured in split tunneling
Restrictions for Cisco OEAP Split Tunneling
- Cisco OEAPs are not supported when Cisco Embedded Wireless Controller on Catalyst Access Points (EWC) is used as a controller.
- Mesh topology is not supported.
- Clients connected on personal SSID or on home network (AP native VLAN) cannot discover devices on the corporate network.
- Split tunneling is not supported in standalone mode.
- URL split tunneling supports only up to 512 URLs.
- Action (deny or permit) can be specified only on the URL filter list, not for each individual entry.
- If URL-based ACL contains wild-card URLs, a maximum of 10 URLs are supported.
- The number of IP addresses that an AP snoops from DNS responses is limited as follows:
  - An AP can snoop 4095 IP addresses per DNS response if the snooped IP address count is less than 150,000.
  - An AP can snoop 10 IP addresses per DNS response if the snooped IP address count is between 150,000 and 200,000.
  - An AP can snoop five IP addresses per DNS response if the snooped IP address count is between 200,000 and 250,000.
  - An AP can snoop one IP address per DNS response if the snooped IP address count is greater than 250,000.
- A maximum of 128 IP address ACEs (rules) can be used in the IP ACL for split tunneling.
- URL-based split tunneling only works with IPv4 addresses.
Use Cases for Cisco OEAP Split Tunneling
Before Release 17.7.1, split tunneling used only IP ACLs. Cloud services such as Cisco WebEx could be accessed directly without going through the corporate network, but the network administrator had to maintain the list of IP addresses that Cisco WebEx used, which was a daunting task. From Release 17.7.1, using the Cisco OEAP Split Tunneling feature, the network administrator needs to provide only the DNS names that Cisco WebEx uses. The AP ensures that traffic to these DNS names is routed directly to the internet without using the corporate network.
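The classification described in the Information and Use Cases sections, combined with the limits listed under Restrictions, as an added Python model written for this page (it is not Cisco software or configuration). The model assumes what the guide implies but does not spell out: the URL filter list is applied to destination addresses that the AP snooped from DNS answers for listed names, a hit applies the list's single action (permit switches locally at the OEAP, deny tunnels over CAPWAP), and everything else falls through to the IP ACL, where the first matching ACE decides and an unmatched packet stays on the corporate path (implicit deny). The per-response DNS snooping caps and the 512-URL, 10-wildcard and 128-ACE limits are taken from the Restrictions list; the DNS answers and destination addresses in `demo()` are constructed documentation values.

```python
"""Explanatory model of Cisco OEAP split-tunnel classification (added for this
page; not Cisco code). Assumptions beyond the guide: URL-list hits are decided
via addresses snooped from DNS answers, the IP ACL is the fallback with first
matching ACE winning, unmatched traffic goes central. IPv4 only, as the guide
states for URL-based split tunneling."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

MAX_URLS = 512          # guide: URL split tunneling supports up to 512 URLs
MAX_WILDCARD_URLS = 10  # guide: at most 10 wildcard URLs in a URL-based ACL
MAX_IP_ACES = 128       # guide: at most 128 ACEs in the split-tunnel IP ACL


def dns_snoop_budget(total_snooped: int) -> int:
    """Addresses snooped from one DNS response, per the guide's thresholds."""
    if total_snooped < 150_000:
        return 4095
    if total_snooped <= 200_000:
        return 10
    if total_snooped <= 250_000:
        return 5
    return 1


@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    dst: IPv4Network   # destination; the source is always "any" in this model


def parse_ace(line: str) -> Ace:
    """Parse an IOS-style extended ACE such as '10 deny ip any 10.10.0.0 0.0.255.255'
    or '20 permit ip any any'. Only 'ip any <dst>' forms with contiguous wildcards."""
    parts = line.split()
    seq, action, proto, src, rest = int(parts[0]), parts[1], parts[2], parts[3], parts[4:]
    if proto != "ip" or src != "any" or action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    if rest == ["any"]:
        dst = IPv4Network("0.0.0.0/0")
    elif rest[0] == "host":
        dst = IPv4Network(f"{rest[1]}/32")
    else:
        # In a wildcard mask, set bits are "don't care" bits, so the prefix
        # length is 32 minus the width of the wildcard.
        prefix = 32 - int(IPv4Address(rest[1])).bit_length()
        dst = IPv4Network((rest[0], prefix), strict=False)
    return Ace(seq, action, dst)


@dataclass
class SplitTunnelPolicy:
    url_action: str                  # one action for the whole URL filter list
    urls: List[str]                  # list entries; '*' marks a wildcard URL
    ip_acl: List[Ace]                # default decision when no URL entry matched
    snooped: Dict[IPv4Address, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Enforce the Restrictions limits before accepting the policy.
        if len(self.urls) > MAX_URLS:
            raise ValueError("URL filter list exceeds 512 entries")
        if sum("*" in u for u in self.urls) > MAX_WILDCARD_URLS:
            raise ValueError("more than 10 wildcard URLs in the URL ACL")
        if len(self.ip_acl) > MAX_IP_ACES:
            raise ValueError("IP ACL exceeds 128 ACEs")
        self.ip_acl.sort(key=lambda a: a.seq)

    def url_matches(self, name: str) -> bool:
        return any(fnmatch(name.lower(), u.lower()) for u in self.urls)

    def snoop_dns_response(self, name: str, addresses: List[str]) -> int:
        """Record answers for a listed name, honouring the per-response cap."""
        if not self.url_matches(name):
            return 0
        kept = addresses[: dns_snoop_budget(len(self.snooped))]
        for addr in kept:
            self.snooped[IPv4Address(addr)] = name
        return len(kept)

    def classify(self, dst: str) -> str:
        """Return 'local' (switched at the OEAP) or 'central' (over CAPWAP)."""
        ip = IPv4Address(dst)
        if ip in self.snooped:
            return "local" if self.url_action == "permit" else "central"
        for ace in self.ip_acl:
            if ip in ace.dst:
                return "local" if ace.action == "permit" else "central"
        return "central"  # implicit deny keeps unmatched traffic on the corporate path


def demo() -> Dict[str, str]:
    """Run the guide's example ACL against three constructed destinations."""
    policy = SplitTunnelPolicy(
        url_action="permit",
        urls=["wiki.cisco.com", "*.webex.com"],
        ip_acl=[parse_ace("10 deny ip any 10.10.0.0 0.0.255.255"),
                parse_ace("20 permit ip any any")],
    )
    # Constructed DNS answers (documentation addresses), not real resolutions.
    policy.snoop_dns_response("meet.webex.com", ["203.0.113.10", "203.0.113.11"])
    policy.snoop_dns_response("intranet.corp.example", ["10.10.5.5"])  # unlisted: ignored
    return {
        "saas": policy.classify("203.0.113.10"),    # URL list hit, permit -> local
        "corporate": policy.classify("10.10.5.5"),  # ACE 10 deny -> central (CAPWAP)
        "home": policy.classify("192.168.1.20"),    # ACE 20 permit -> local
    }
```

Running `demo()` returns `{'saas': 'local', 'corporate': 'central', 'home': 'local'}`: the SaaS address is switched locally because it was snooped for a listed name, the 10.10.0.0/16 corporate destination is tunnelled because ACE 10 denies it, and the home-network address falls to ACE 20. The constructor rejecting an over-limit list is the check an operator would otherwise only discover on the controller.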
Workflow to Configure Cisco OEAP Split Tunneling
- Create an IP address ACL or URL ACL
- Add ACL to Flex Connect Profile
- Enable Split Tunneling on Policy Profile
- Verify the Configuration
Create an IP Address ACL (CLI)
Procedure
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | configure terminal. Example: Device# configure terminal | Enters global configuration mode. |
| Step 2 | ip access-list extended name. Example: Device(config)# ip access-list extended vlan_oeap | Defines an extended IPv4 access list using a name. Note: The IP ACL can be used to define a default action if there is no match in the URL ACL. |
| Step 3 | seq-num deny ip any host hostname. Example: Device(config-ext-nacl)# 10 deny ip any 10.10.0.0 0.0.255.255 | Denies IP traffic from any host. |
| Step 4 | seq-num permit ip any any hostname. Example: Device(config-ext-nacl)# 20 permit ip any any | Permits IP traffic from any source or destination host. |
| Step 5 | end. Example: Device(config-ext-nacl)# end | Exits configuration mode and returns to privileged EXEC mode. |
Create a URL ACL (CLI)
Procedure
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | configure terminal. Example: Device# configure terminal | Enters global configuration mode. |
| Step 2 | urlfilter list list-name. Example: Device(config)# urlfilter list vlan_oeap | Configures the URL filter list. The list name must not exceed 32 alphanumeric characters. |
| Step 3 | action permit. Example: Device(config-urlfilter-params)# action permit | Configures the action: permit (traffic is allowed directly on the home network) or deny (traffic is directed to the corporate network). |
| Step 4 | filter-type post-authentication. Example: Device(config-urlfilter-params)# filter-type post-authentication | Configures the URL list as a post-authentication filter. |
| Step 5 | url url-name. Example: Device(config-urlfilter-params)# url wiki.cisco.com | Configures a URL. |
| Step 6 | url url-name. Example: Device(config-urlfilter-params)# url example.com | (Optional) Configures an additional URL. Use this option when you want to add multiple URLs. |
| Step 7 | end. Example: Device(config-urlfilter-params)# end | Exits configuration mode and returns to privileged EXEC mode. |
Add an ACL to a Flex Connect Profile
Procedure
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | configure terminal. Example: Device# configure terminal | Enters global configuration mode. |
| Step 2 | wireless profile flex flex-profile. Example: Device(config)# wireless profile flex default-flex-profile | Configures a FlexConnect profile. |
| Step 3 | acl-policy acl-policy-name. Example: Device(config-wireless-flex-profile)# acl-policy vlan_oeap | Configures an ACL policy. |
| Step 4 | urlfilter list url-filter. Example: Device(config-wireless-flex-profile-acl)# urlfilter list vlan_oeap | Configures a URL filter list. |
| Step 5 | exit. Example: Device(config-wireless-flex-profile-acl)# exit | Returns to FlexConnect profile configuration mode. |
| Step 6 | office-extend. Example: Device(config-wireless-flex-profile)# office-extend | Enables OEAP mode for a FlexConnect AP. |
| Step 7 | end. Example: Device(config-wireless-flex-profile)# end | Exits configuration mode and returns to privileged EXEC mode. |
Enable Split Tunneling in a Policy Profile
Procedure
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | configure terminal. Example: Device# configure terminal | Enters global configuration mode. |
| Step 2 | wireless profile flex flex-profile. Example: Device(config)# wireless profile flex default-flex-profile | Configures a FlexConnect profile. |
| Step 3 | no central association. Example: Device(config-wireless-flex-profile)# no central association | Disables central association and enables local association for locally switched clients. |
| Step 4 | flex split-mac-acl split-mac-acl-name. Example: Device(config-wireless-flex-profile)# flex split-mac-acl vlan_oeap | Configures a split MAC ACL name. Note: Use the same acl-policy-name that you configured in the FlexConnect profile. |
| Step 5 | end. Example: Device(config-wireless-flex-profile)# end | Exits configuration mode and returns to privileged EXEC mode. |
Verifying the Cisco OEAP Split Tunnel Configuration
To verify the split tunneling DNS ACLs per wireless client on the AP side, use
the following command:
Device# show split-tunnel client 00:11:22:33:44:55 access-list
Split tunnel ACLs for Client: 00:11:22:33:44:55
IP ACL: Split Tunnel ACL
To verify the current binding between a WLAN and an ACL, use the following command:
To verify the content of the current URL ACL, use the following command: