Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

'split tunneling' vs. 'allow local lan access'

Hi, I'm confused about the difference between "allowing split tunneling" option from a VPN server side, and the "allow local LAN access" option from the VPN client side. Don't they do the same thing? If so, which one should be configured...

Thanks, Lisa


Re: 'split tunneling' vs. 'allow local lan access'

Hi Lisa,

It is a small difference.

The "allow split tunneling" is a flexible tool to allow users to have the tunnel to the corporate office, and still browse the internet unencrypted and to access local LAN services like printing and servers. This flexibility comes with a security concern, as the user becomes a getway between Internet threats and corporate network.

Therefore, some companies prohibits the use of split tunneling.

Having this in mind, think of "allow local LAN access" as a compromise between both. User cannot access Internet unless traffic passes through the tunnel (all traffic encapsulated), BUT acccess to it's LAN (printers, mail server) are allowed unecnrypted, but only that (destination traffic the same subnet as the user).

This is a dynamic process, the VPN machine detects the local LAN of the client and allows the traffic within that.

You cannot manually specify this in "allow split tunneling" since the user might be at home (192.168.x.x) or on airport (public subnet) or Internet cafe with printers on LAN.

"Allow local LAN access" automatically detecs and permits the local LAN.

Please rate if this helped.



New Member

Re: 'split tunneling' vs. 'allow local lan access'

Thanks, Daniel, for your response. That was very helpful. Please let me make sure I get this straight...

"allow local lan" can be used regardless of whether the split tunneling option was checked.


The subnets chosen under split tunneling are the protected ones; not the ones that do not need to be encapsulated.


if split tunneling is chosen, the traffic from the remote hub can either be encrypted if the destination subnet is in the protected list, or sent through the same interface as the vpn interface if the destination subnet is not in the protected list.

The VPN router is always the default gateway of the client regardless of whether split tunneling was checked.

The third scenario if split tunneling is enabled is that the renote

VPN router will send an ICMP redirect to the originating host if necessary.

I thank you so much for your answer and assistance! I'm just at the stage where I'm putting it all together and so I really appreciate your input.

Lisa G

New Member

Re: 'split tunneling' vs. 'allow local lan access'

Hello All,

Regarding "allow local LAN access"

Can anyone confirm that Internet traffic will go through the tunnel even if there is a gateway on the local LAN that the user could point their browser to?.

Also is there anyway of further refining this facility so that only print traffic is allowed to the local LAN.

Many thanks for any advice.


CreatePlease to create content