Which of the following descriptions most accurately describes split tunneling? (Select the best answer.)

A.
It enables traffic to exit the same interface through which it entered.

B.
It enables traffic to flow between interfaces that share the same security level.

C.
It enables a VPN tunnel to form through a firewall or NAT device.

D.
It enables a VPN tunnel to determine which traffic flows should be encrypted.

Explanation:
Split tunneling enables a virtual private network (VPN) tunnel to determine which traffic flows should be
encrypted. Without split tunneling, all traffic that passes through a remote VPN router is encrypted and
forwarded through a tunnel to the VPN server, which is an inefficient use of the bandwidth and processing
power of the VPN server and the remote VPN router. Traffic that is destined for the Internet or another
unprotected network does not need to be encrypted or forwarded to the VPN server. Split tunneling uses an
access control list (ACL) to determine which traffic flows are permitted to pass through the encrypted tunnel.
Traffic destined for a protected network at the VPN server site is encrypted and allowed to pass through the
tunnel, whereas all other traffic is processed normally. This method reduces both the processing load on the
router and the amount of traffic that passes through the encrypted tunnel. Split tunneling can also be applied to
traffic from remote access VPN clients.
Transparent tunneling, not split tunneling, enables a VPN tunnel to form through a firewall or Network Address
Translation (NAT) device. When transparent tunneling is enabled on a VPN client, encrypted packets are
encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to
transmission through the firewall or NAT device.
The samesecuritytraffic permit intrainterface command enables traffic on a Cisco Adaptive Security Appliance
(ASA) to exit the same interface through which it entered, which is also known as hairpinning. By default, an
ASA does not allow packets to enter and exit through the same physical interface. However, because multiple
logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow
a packet to enter and exit through the same interface. The samesecuritytraffic permit intrainterface command
allows packets to be sent and received from the same interface even if the traffic is protected by IP Security
(IPSec) security policies. Another scenario for which you would need to use the samesecuritytraffic permit
intrainterface command is if multiple users need to connect via VPN through the same physical interface.
These users will not be able communicate with one another unless the samesecuritytraffic permit intrainterface
command has been issued from global configuration mode.
Likewise, the samesecuritytraffic permit interinterface command enables traffic to flow between interfaces that
share the same security level. Typically, interfaces with the same security level are not allowed to
communicate.

CCNA Security 210-260 Official Cert Guide, Chapter 8, Split Tunneling, pp. 227-228