Controllerless Networks

iAP VPN split-tunnel

1. iAP VPN split-tunnel

    Posted Dec 08, 2020 06:07 PM
    You all may already know how to do this, but I had a mental block and had to ask for help and research a bit.
    Here's how I got remote iAP "branches" to split tunnel. If you've got advice or a link to a better write-up, please add it below.

    Starting point:
    We have iAP303H access points set up as "take home and plug in" network extenders for WFH folks (mostly VP and Helpdesk)
    Users do wireless for their laptop and cellphone, and plug an IP phone in to the POE port. The iAP builds a VPN tunnel (IPSEC primary connection to a 7210 controller at our datacenter A, and a backup tunnel to another 7210 at our datacenter B)

    I'm doing "layer-2 extension over the VPN with centralized layer-2 forwarding" per this document: IAP VPN Solutions Guide
    It refers to the fact that you could use a split-tunnel configuration to pass Corporate traffic to Corporate and Cloud traffic source-NAT from the iAP to the Internet (described on page 5, pretty picture on page 6), yet doesn't tell me how to do it.

    Searching Airheads I found this: Split-Tunnel in the Wireless Access topic, for controller-based networks. After a few hit-and-miss stabs at a controllerless configuration, I have come up with this:

    I went in to the role assigned to my SSID and switched from allow any to any all the time to the following:

    I allow any host to access any address in my Enterprise IP space, and everything else is sNATted from the iAP.
    Almost like magic, but it hadn't been obvious to me until I put those two linked documents together.

    I hope this helps someone.

    ------------------------------
    --Matthew

    If I have in some way helped, please click the KUDOS button
    ------------------------------
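The role change in the post is an ordered access-rule list: permit anything destined for the enterprise prefixes (so it rides the IPsec tunnel to the 7210), then source-NAT everything else out of the iAP's own uplink. The block below is an added example, not Matthew's configuration and not Aruba Instant CLI or code: it models that role as a first-match rule list in plain Python so the ordering behaviour can be checked. The enterprise prefixes, destination addresses and the action names `permit-tunnel` and `src-nat` are constructed placeholders; the `shadowed_rules` check is an assumed helper that flags the misordering (catch-all src-nat above the enterprise permit) that would silently push corporate traffic straight to the Internet instead of over the tunnel.

```python
import ipaddress
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[Union[Net, str], str]  # (destination match or "any", action)

# Constructed sample "Enterprise IP space": placeholder RFC 1918 prefixes,
# not the poster's real addressing.
ENTERPRISE_SPACE: List[Net] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def build_split_tunnel_rules(enterprise_nets: List[Net]) -> List[Rule]:
    """Model of the role described in the post: permit (send over the IPsec
    tunnel) anything destined for the enterprise prefixes, then source-NAT
    everything else out of the iAP's local uplink. Order matters."""
    rules: List[Rule] = [(net, "permit-tunnel") for net in enterprise_nets]
    rules.append(("any", "src-nat"))  # catch-all must come last
    return rules


def evaluate(rules: List[Rule], dst_ip: str) -> str:
    """First-match evaluation: return the action of the first rule whose
    destination covers dst_ip, or 'deny' if nothing matches (implicit deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for match, action in rules:
        if match == "any" or ip in match:
            return action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Assumed defender check (not an Aruba feature): list every rule that can
    never match because a catch-all ('any') rule sits above it. A split-tunnel
    role with the src-nat catch-all placed first would NAT corporate traffic
    to the Internet instead of sending it over the tunnel."""
    shadowed: List[Rule] = []
    seen_catch_all = False
    for rule in rules:
        if seen_catch_all:
            shadowed.append(rule)
        elif rule[0] == "any":
            seen_catch_all = True
    return shadowed


def classify(rules: List[Rule], destinations: List[str]) -> dict:
    """Map each destination to the action the role would apply to it."""
    return {dst: evaluate(rules, dst) for dst in destinations}


if __name__ == "__main__":
    good = build_split_tunnel_rules(ENTERPRISE_SPACE)
    bad = list(reversed(good))  # catch-all first: the misordering to avoid
    # Constructed destinations: two inside enterprise space, one Internet host.
    sample = ["10.20.30.40", "192.168.5.9", "203.0.113.7"]
    for name, rules in (("correct order", good), ("catch-all first", bad)):
        print(name, classify(rules, sample), "shadowed:", shadowed_rules(rules))
```

Running it shows the correctly ordered role sending the two enterprise destinations over the tunnel and only the Internet host through src-nat, while the reversed list NATs everything and `shadowed_rules` reports both enterprise permits as unreachable. When checking a real iAP role, the same question applies: is there any rule above the enterprise permit that could match first?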