Google Meet & AnyConnect Split Tunnelling
Cisco AnyConnect has some sophisticated Split Tunnelling capability, together with great non-tunnel site protection via Cisco Umbrella. Some great articles have been written showing config examples to split media traffic out of the tunnel, particularly for Webex and Office 365 media, keeping this bandwidth away from the tunnels in order to (a) not overburden the headend termination units (typically Cisco ASA Firewalls), (b) not use up valuable VPN bandwidth unnecessarily and (c) provide a better UX to the participants in audio/video/content meetings.
Typically, these articles cover Webex or Microsoft media handling. However, not much has been put together to help our friends and customers using Google Meet.
Luckily, our friends at Google have provided some great info on how to identify the Google services that need to be split out. This is available via:
This article, by my colleague Aaron Woland, provides a good level of detail on how to implement Dynamic Split Tunnelling within AnyConnect and can be used as an excellent template for the Google Meet services:
Within the Google doc we can see that the following URIs can be used to identify the required Google services, as well as the required IP addresses (and UDP ports) for the associated media servers:
Here, we can see (importantly) that the IPv4 range 74.125.250.0/24 is used for the media, within the UDP port range 19302-19309 (this could be handy if you wish to apply QoS to some of this traffic, for shaping or prioritisation before it heads out to the wild Internet).
Therefore, excluding these 'trusted' services (especially the media services) from the associated VPN tunnels can be achieved simply and easily. AnyConnect, for example, can be configured with these individual exclusions and a subsequent default route 'catch all': in essence, the creation of a whitelist for Split Tunnelling.
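As an added example (not taken from the article or from Aaron's post), the following Cisco ASA configuration combines a static exclusion of the media range quoted above with a dynamic domain exclusion; the group-policy name, ACL name, custom-data name and domain list are placeholders, and the authoritative domain list should come from Google's published doc.

```cisco
! Added example, not the article's own config: AnyConnect split-exclude for Google Meet.
! Assumptions: GP_ANYCONNECT, GOOGLE_MEET_MEDIA and google_meet are placeholder names;
! the domains listed are illustrative only.

! 1. Static exclusion of the Meet media range the article quotes (74.125.250.0/24).
!    A prefix exclusion bypasses the tunnel for ALL protocols and ports to that /24,
!    not only UDP 19302-19309; the port range is useful for QoS marking, not for the exclusion.
access-list GOOGLE_MEET_MEDIA standard permit 74.125.250.0 255.255.255.0

! 2. Dynamic exclusion by domain: the client resolves the names and installs routes
!    outside the tunnel for the returned addresses. Matching is by domain suffix, so
!    excluding a broad suffix such as google.com also excludes non-Meet Google traffic.
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Google Meet services
anyconnect-custom-data dynamic-split-exclude-domains google_meet meet.google.com

! 3. Apply both to the group policy. 'excludespecified' keeps the default route inside
!    the tunnel (the 'catch all'); only the listed network and domains break out locally.
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value GOOGLE_MEET_MEDIA
 anyconnect-custom dynamic-split-exclude-domains value google_meet
```

On the client, the AnyConnect Statistics > Route Details view lists the non-secured routes and dynamic tunnel exclusions, which is the quickest way to confirm that only the intended Meet destinations are bypassing the tunnel.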
Hopefully this is useful to some, as I'm conscious our friends at Google can sometimes be left out when we discuss capabilities such as this. A word of caution: always make sure you are using Umbrella to protect non-tunnelled traffic, and ensure you have great endpoint protection and visibility in the way of AMP for Endpoints... 'til next time.
Hi Steve, I have a question. When we exclude this domain, https://*google.com./*, is all Google traffic being excluded, or only Meet traffic?
Sometimes a good old-fashioned phone call works too....
Just done this for Webex and some other media streaming apps. Useful post Steve.
Thanks Steve
Really useful article, Steve 👍