Which of the following descriptions most accurately describes split tunneling? (Select the best answer.)
- It enables traffic to exit the same interface through which it entered.
- It enables traffic to flow between interfaces that share the same security level.
- It enables a VPN tunnel to form through a firewall or NAT device.
- It enables a VPN tunnel to determine which traffic flows should be encrypted.
Split tunneling enables a virtual private network (VPN) tunnel to determine which traffic flows should be encrypted. Without split tunneling, all traffic that passes through a remote VPN router is encrypted and forwarded through a tunnel to the VPN server, which is an inefficient use of the bandwidth and processing power of the VPN server and the remote VPN router. Traffic that is destined for the Internet or another unprotected network does not need to be encrypted or forwarded to the VPN server. Split tunneling uses an access control list (ACL) to determine which traffic flows are permitted to pass through the encrypted tunnel. Traffic destined for a protected network at the VPN server site is encrypted and allowed to pass through the tunnel, whereas all other traffic is processed normally. This method reduces both the processing load on the router and the amount of traffic that passes through the encrypted tunnel. Split tunneling can also be applied to traffic from remote access VPN clients.
Transparent tunneling, not split tunneling, enables a VPN tunnel to form through a firewall or Network Address Translation (NAT) device. When transparent tunneling is enabled on a VPN client, encrypted packets are encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through the firewall or NAT device.
The same-security-traffic permit intra-interface command enables traffic on a Cisco Adaptive Security Appliance (ASA) to exit the same interface through which it entered, which is also known as hairpinning. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario in which you would need to use the same-security-traffic permit intra-interface command is if multiple users need to connect via VPN through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode.
Likewise, the same-security-traffic permit inter-interface command enables traffic to flow between interfaces that share the same security level. Typically, interfaces with the same security level are not allowed to communicate.
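As an added configuration example, not taken from the question text or from Cisco documentation, the following ASA fragment shows the split-tunnel ACL and remote-access group policy described above, next to the two same-security-traffic commands. The ACL name, group-policy name and network addresses are assumed placeholder values.

```text
! Constructed ASA example. Names and addresses are placeholders.
!
! 1. Split tunneling: only traffic whose destination matches the ACL
!    is encrypted and sent through the tunnel; everything else leaves
!    the client's local interface unencrypted and is processed normally.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.20.0.0 255.255.0.0
!
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Without split tunneling the policy is "tunnelall": every client
! packet, Internet-bound or not, is encrypted and sent to the ASA.
!  split-tunnel-policy tunnelall
!
! 2. Hairpinning: permit traffic to enter and leave the same interface,
!    so that two remote-access clients terminating on the same physical
!    interface can reach each other.
same-security-traffic permit intra-interface
!
! 3. Permit traffic between interfaces that share a security level.
same-security-traffic permit inter-interface
```

The trade-off to weigh when choosing tunnelspecified over tunnelall: the client's Internet traffic no longer passes the VPN site's inspection while the client simultaneously holds a route into the protected network, so the bandwidth and processing savings come with a wider client-side exposure.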