As described in the previous post, the split tunneling feature has been available on FlexConnect APs since WLC 7.3.x. Cisco introduced this feature for the OEAP 600 series AP model in WLC 7.5.x onwards. For the OEAP 600 series it is limited to printing services: traffic on the well-known printer ports shown below is forwarded back to the local subnet behind the OEAP.
– IPP (port :631)
– PDL (port :9100)
– MFP (port :9303)
– LPD, LPR (port :515)
– PSUS4 (port :34443)
– Generic printer server (port :35)
In this post we will see how to configure this for the 600 series AP. Before going into the split tunnel configuration, you should know a few important points about this 600 series AP model.
1. It has 4 LAN ports (like a home-grade wireless internet router).
2. Port 4 is called Remote-LAN, where you can extend one of your office wired VLANs.
3. A maximum of 15 client devices can connect via wireless to the advertised corporate SSID (not including the personal SSID).
4. A maximum of 4 wired clients is supported.
5. The WAN port has to connect to your home internet router (or any port where public internet access is available).
6. This AP needs to be configured for local DHCP for the personal SSID you create or for local wired clients connecting via ports 1-3 (the WAN port and the local LAN ports cannot be in the same network).
When you connect this to your home network, connectivity looks like this.
As you can see above, when you plug an OEAP600 series AP into your home network and plan to use the personal SSID or local LAN ports, those devices will get an IP defined by the AP itself. It won't be the same home network you already have (the WAN port of the OEAP will be in the same network, 192.168.20.x/24).
Therefore, with this AP model, if you enable split tunneling you will be able to reach the local network 10.30.83.0/24 (sitting on the OEAP itself) while connected to the corporate SSID. You won't be able to access your home network 192.168.20.0/24 while connected to the corporate SSID.
Here is how you configure this feature on a WLC running 7.5.102.0 onwards for OEAP600 series APs. First of all you need to enable split tunneling globally. By default it is disabled (as shown) and you have to un-tick that check box.
Here is the CLI command to enable this:
(WLC) >config network oeap-600 ?
dual-rlan-ports Allows the use of OEAP-600 port 3 to function as a RLAN port in addition to port 4
local-network Configures Local Network Access for OEAP-600 connecting to this controller
split-tunnel Configures Split Tunnel (Printers) State for OEAP-600 connecting to this controller
(WLC) >config network oeap-600 split-tunnel ?
disable Disables Split Tunnel State (Printers) for OEAP-600 connecting to this controller
enable Enables Split Tunnel State (Printers) for OEAP-600 connecting to this controller
(WLC) >config network oeap-600 split-tunnel enable
Then you need to go to the WLAN Advanced settings, where you can enable this feature for a specific WLAN.
Here is the CLI command to do the above:
(WLC) >config wlan split-tunnel ?
<wlan id> Enter WLAN Identifier between 1 and 512.
(WLC) >config wlan split-tunnel 1 ?
enable Enable Split Tunnel (Printers).
disable Disable Split Tunnel (Printers).
(WLC) >config wlan split-tunnel 1 enable
(WLC) >config wlan split-tunnel 2 enable
You can verify your config in the CLI like this:
(WLC) >show network summary
RF-Network Name............................. test
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Enable
.
.
.
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Enable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Enable
WebPortal Online Client .................... 0
mDNS snooping............................... Enabled
mDNS Query Interval......................... 15 minutes
(WLC) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... eduroam
Network Name (SSID).............................. eduroam
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
.
.
AVC Visibilty.................................... Enabled
AVC Profile Name................................. LTU-AVC-POLICY
Flow Monitor Name................................ Scrutinizer
Split Tunnel (Printers).......................... Enabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Now split tunneling is active on your OEAP600 series AP. Once you connect to the corporate SSID (which has split tunnel enabled) you can reach any device connected to your OEAP personal SSID or local LAN ports.
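As an added example (not from the original post or from Cisco), here is a small Python check that parses the dotted-leader output of the two show commands above to confirm split tunneling is enabled both globally and on the WLAN, plus a simplified model of the forwarding decision using the printer port list from the top of the post. The sample show output and the subnets are constructed to match the post; the forwarding model is an assumption that simplifies the feature's behaviour.

```python
import ipaddress
import re

# Printer ports the OEAP-600 split tunnel bridges to the local subnet (list from the post).
SPLIT_TUNNEL_PRINTER_PORTS = {631, 9100, 9303, 515, 34443, 35}

# Constructed sample "show" output in the WLC dotted-leader format; not captured
# from a real controller, values mirror the ones quoted in the post.
NETWORK_SUMMARY = """\
oeap-600 dual-rlan-ports ................... Enable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Enable
"""
WLAN_SHOW = """\
WLAN Identifier.................................. 1
Network Name (SSID).............................. eduroam
Split Tunnel (Printers).......................... Enabled
"""

_LEADER_LINE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<val>.*)$")


def parse_show(output):
    """Turn 'key .... value' lines from a WLC show command into a dict."""
    fields = {}
    for line in output.splitlines():
        m = _LEADER_LINE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def split_tunnel_effective(network_summary, wlan_show):
    """Split tunnel only works when it is enabled globally AND on the WLAN."""
    glob = parse_show(network_summary).get("oeap-600 Split Tunneling (Printers)", "")
    wlan = parse_show(wlan_show).get("Split Tunnel (Printers)", "")
    return glob.lower().startswith("enable") and wlan.lower().startswith("enable")


def bridged_locally(dst_ip, dst_port, oeap_local_net="10.30.83.0/24"):
    """Simplified (assumed) model of the forwarding decision for a corporate-SSID
    client: only printer-port traffic to the OEAP's own local subnet is bridged
    locally; everything else (including the 192.168.20.0/24 home LAN) is tunnelled."""
    in_local_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(oeap_local_net)
    return in_local_net and dst_port in SPLIT_TUNNEL_PRINTER_PORTS


if __name__ == "__main__":
    print("split tunnel effective:", split_tunnel_effective(NETWORK_SUMMARY, WLAN_SHOW))
    print("10.30.83.10:9100 bridged locally:", bridged_locally("10.30.83.10", 9100))
    print("192.168.20.5:9100 bridged locally:", bridged_locally("192.168.20.5", 9100))
```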
So if you want to print, you have to move your printer back to an OEAP local port. Then what about your other local devices in 192.168.20.x communicating back to the printer (or any device in the 10.30.83.0/24 range)? Since your home internet router does not know about the existence of such a network within your home, that won't work.
What are the solutions to get it working?
1. You can add a static route entry in your home internet router pointing to the OEAP for 10.30.83.0/24.
2. Use your OEAP as your home network, with all wired connections behind the OEAP (this works only if you have 2-3 devices, as it has a limited wired MAC address limit).
3. Turn off your home internet router's wireless and only use the OEAP personal SSID.
But if you are giving this solution to your corporate office staff to use at home, do you want to get involved in their home network configuration? Most probably the answer would be NO, since it will add administrative overhead.
That's why I prefer using a FlexConnect AP as the OEAP instead of giving out an OEAP600 to meet this requirement (local printing while connected to the corporate SSID). But commercially, OEAP would be a viable option if you are planning to give these out in volume to your staff.