Cisco+ Secure Connect - Remote Access Traffic Selection
Traffic steering is a VPN feature that divides users' traffic, sending some of it through an encrypted virtual private network (VPN) tunnel and routing the rest to the open network. This allows you to choose which apps to secure and which can connect normally. It is useful when you need to keep some of your traffic private while still maintaining access to local network devices, so you can access foreign networks and local networks at the same time. It also helps save some bandwidth.
There are two main methods of traffic steering:
Local LAN Access
Figure 2: Local LAN Access Example
When you enable local LAN access for VPN clients, those clients are permitted to communicate unencrypted only with devices on the network on which they are located. For example, a client that is allowed local LAN access while connected can print to its own printer, but it cannot reach the private applications without first sending the private traffic through the tunnel. The client’s default network of 0.0.0.0/255.255.255.255 is understood to mean the local LAN.
Here's how to configure local LAN access:
Figure 3: Local LAN Configuration Example
Route details:
Figure 4: VPN client route details
Split Tunneling
Figure 5: Traffic Steering Example: “Only securely route traffic destined to private applications”
Split tunneling has been in existence for a long time and is based on static statements using a standard access-list to either include or exclude IP networks from the VPN tunnel. Figure 3 illustrates the most common case, where the tunnel is used only to access private applications (also known as split include). All other traffic remains outside the tunnel and is therefore unencrypted.
Here’s how to configure this case:
Figure 6: Split Tunnel Configuration Example
Figure 7: VPN client route details
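The two steering methods above can be checked before rollout with a small model of the include/exclude decision. This is an added example, not Cisco code or output from the product: it reports which private application addresses would leave the client unencrypted under a split-include list or under local LAN access. The function names, the "include"/"exclude" mode labels, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Placeholder that the page says is "understood to mean the local LAN".
LOCAL_LAN = ipaddress.ip_network("0.0.0.0/255.255.255.255")

def resolve(entries, client_lan):
    """Parse policy entries, swapping the placeholder for the client's actual LAN."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [ipaddress.ip_network(client_lan) if n == LOCAL_LAN else n for n in nets]

def path_for(dest, mode, entries, client_lan):
    """Return 'tunnel' or 'direct' for one destination address."""
    addr = ipaddress.ip_address(dest)
    listed = any(addr in net for net in resolve(entries, client_lan))
    if mode == "include":   # split include: only listed networks are tunneled
        return "tunnel" if listed else "direct"
    if mode == "exclude":   # local LAN access: all tunneled except listed networks
        return "direct" if listed else "tunnel"
    raise ValueError(f"unknown mode: {mode}")

def unprotected(private_apps, mode, entries, client_lan):
    """Private application addresses that would leave the client unencrypted."""
    return [a for a in private_apps
            if path_for(a, mode, entries, client_lan) == "direct"]

# Constructed sample data (not taken from the page's figures).
PRIVATE_APPS = ["10.10.20.5", "10.10.30.8"]
SPLIT_INCLUDE = ["10.10.20.0/24"]                 # 10.10.30.0/24 was forgotten
LOCAL_LAN_ACCESS = ["0.0.0.0/255.255.255.255"]
HOME_LAN = "192.168.1.0/24"
OVERLAPPING_LAN = "10.10.20.0/24"                 # client LAN reuses an app subnet

if __name__ == "__main__":
    # Split include: the app outside the listed network bypasses the tunnel.
    print(unprotected(PRIVATE_APPS, "include", SPLIT_INCLUDE, HOME_LAN))
    # Local LAN access: printer stays local, private apps stay in the tunnel.
    print(path_for("192.168.1.50", "exclude", LOCAL_LAN_ACCESS, HOME_LAN))
    print(unprotected(PRIVATE_APPS, "exclude", LOCAL_LAN_ACCESS, HOME_LAN))
    # Overlap: the app address is treated as local and never enters the tunnel.
    print(unprotected(PRIVATE_APPS, "exclude", LOCAL_LAN_ACCESS, OVERLAPPING_LAN))
```

The last case is the one to watch with local LAN access: when a client's own subnet overlaps a private application subnet, that application's traffic is treated as local and is sent unencrypted.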