Configuring Local Breakout via script error

JRobinson855
New here

meraki: ERROR > appliance, updateNetworkApplianceTrafficShapingVpnExclusions - 400 Bad Request, {'errors': ['Configuring Major Application VPN exclusion rules requires the SDWAN+ license']}

Local Breakout by application requires this enhanced license. Local breakout by IP does not.

But the function in the library doesn't seem to care much. It seems to try to configure major application rules even when there's no code to do so.

Anyone know of any workarounds?

12 Replies
alemabrahao
Kind of a big deal

Do you have the SD-WAN plus license? If you don't have it, you won't be able to enable it.

Requirements:

The following are the requirements to utilize this feature in a network:

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I'm not trying to enable Application Exclusion; I'm trying to write a script using the Meraki Python library for VPN exclusion by IP, which is a feature I'm already using on several networks.

And can you share the script so I can try to find the error? Just to be clear, the previous question was because you didn't mention that you have the license. 😉

This is an example script.

import requests

# Replace with your own API key and the ID of the network to configure
api_key = "YOUR_API_KEY"
network_id = "YOUR_NETWORK_ID"

# VPN exclusions are configured per network (the endpoint behind
# updateNetworkApplianceTrafficShapingVpnExclusions in the Python library).
# The call is a PUT that replaces the whole exclusion object.
url = f"https://api.meraki.com/api/v1/networks/{network_id}/appliance/trafficShaping/vpnExclusions"

# Example payload for application-based exclusion (needs the SD-WAN+ license).
# Fill in the application id/name pair from the Meraki API docs or dashboard.
# Note: an empty "custom" list removes any existing IP/port rules on the network.
payload = {
    "custom": [],
    "majorApplications": [
        {"id": "YOUR_APPLICATION_ID", "name": "Office 365 Suite"},
    ],
}

# Make the API request
headers = {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"}
response = requests.put(url, json=payload, headers=headers, timeout=30)

if response.ok:
    print("Exclusion rules updated successfully!")
else:
    print(f"Error: {response.status_code} - {response.text}")

I'll see if I can give this a shot.

RaphaelL
Kind of a big deal

What is the payload that you are sending?

I'm using the Python Library and only using the 'custom' payload.

dashboard.appliance.updateNetworkApplianceTrafficShapingVpnExclusions(network_id, custom=[{'protocol': 'tcp', 'destination': '192.168.3.0/24', 'port': '8000'}])

Put this example here for reference.


I understand the Application exclusion requires the SDWAN+ license, but I shouldn't need it to execute code that isn't deploying that feature.

According to the endpoint docs' schema definition, it looks like both "custom" and "majorApplications" are required fields. So I don't think you can use that endpoint without also setting "majorApplications", and since that is an SDWAN+ feature, I guess it would fail for you.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
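As an added example (not code from this thread or from the Meraki library) of how to satisfy the "both fields are required" reading above without wiping rules you did not set: since the update is a PUT that replaces the whole exclusion object, the safe pattern is to read the current configuration first, validate the new IP/port rules locally, and send back the merged "custom" list together with the existing "majorApplications" list untouched. Assumptions, labelled in the code: the endpoint path `/networks/{networkId}/appliance/trafficShaping/vpnExclusions`, the body keys `custom` and `majorApplications` and the rule keys `protocol`, `destination`, `port` are taken from the discussion; the set of accepted protocols and the `"any"` port value are assumed; `EXISTING_CONFIG` is a constructed sample of what a read of the current config might hold, and `FakeSession` stands in for `requests.Session()` so the script runs offline.

```python
"""Build a safe full-replacement body for the Meraki VPN exclusions endpoint.

Added example, not code from the thread or the Meraki library.
Assumed (labelled): endpoint path, body keys, accepted protocol set and the
"any" port value; EXISTING_CONFIG and FakeSession are constructed so the
script runs offline. Pass requests.Session() instead to talk to the real API.
"""
import ipaddress

BASE_URL = "https://api.meraki.com/api/v1"
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "any"}  # assumed accepted set


def _check_port(port: str) -> str:
    """Accept 'any', a single port, or 'lo-hi'; reject anything else."""
    if port.lower() == "any":
        return "any"
    lo, sep, hi = port.partition("-")
    ends = [int(lo)] + ([int(hi)] if sep else [])  # int() raises on junk
    if not all(1 <= p <= 65535 for p in ends) or (sep and ends[0] > ends[1]):
        raise ValueError(f"invalid port spec {port!r}")
    return port


def validate_custom_rule(rule: dict) -> dict:
    """Return a normalised copy of one L3 exclusion rule or raise ValueError.

    The API's 400 only says the request was bad; validating locally gives a
    precise error and keeps malformed rules out of the breakout config.
    """
    protocol = str(rule.get("protocol", "")).lower()
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"unsupported protocol {rule.get('protocol')!r}")
    # strict=False lets a host address through; it is normalised to /32 or /128.
    destination = str(ipaddress.ip_network(str(rule.get("destination", "")), strict=False))
    port = _check_port(str(rule.get("port", "any")))
    return {"protocol": protocol, "destination": destination, "port": port}


def merge_custom(existing: list, wanted: list) -> list:
    """Union of existing and new rules, deduplicated, order preserved."""
    seen, merged = set(), []
    for rule in list(existing) + [validate_custom_rule(r) for r in wanted]:
        key = (rule["protocol"], rule["destination"], rule["port"])
        if key not in seen:
            seen.add(key)
            merged.append(dict(rule))
    return merged


def build_body(existing_config: dict, wanted_custom: list) -> dict:
    """Full replacement body that carries existing majorApplications unchanged.

    A PUT replaces the whole object, so sending only 'custom' (or an empty
    'majorApplications') would silently drop application rules set elsewhere.
    """
    return {
        "custom": merge_custom(existing_config.get("custom", []), wanted_custom),
        "majorApplications": [dict(a) for a in existing_config.get("majorApplications", [])],
    }


def put_vpn_exclusions(session, api_key: str, network_id: str, body: dict):
    """Send the body; `session` is anything with a requests-style put()."""
    url = f"{BASE_URL}/networks/{network_id}/appliance/trafficShaping/vpnExclusions"
    headers = {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"}
    return session.put(url, json=body, headers=headers, timeout=30)


class FakeSession:
    """Offline stand-in for requests.Session that records what was sent."""

    def __init__(self):
        self.calls = []

    def put(self, url, json=None, headers=None, timeout=None):
        self.calls.append({"url": url, "body": json, "headers": headers})
        return {"status_code": 200, "json": json}


# Constructed sample of what a read of the current config might hold.
EXISTING_CONFIG = {
    "networkId": "N_0000",
    "custom": [{"protocol": "udp", "destination": "10.20.0.0/16", "port": "any"}],
    "majorApplications": [{"id": "EXISTING_APP_ID", "name": "Existing app rule"}],
}

if __name__ == "__main__":
    body = build_body(
        EXISTING_CONFIG,
        [{"protocol": "tcp", "destination": "192.168.3.0/24", "port": "8000"}],
    )
    sess = FakeSession()
    print(put_vpn_exclusions(sess, "YOUR_API_KEY", "N_0000", body))
```

The point of `build_body` is that every write carries the full object back: the IP/port rule from the thread is added to whatever `custom` rules already exist, and `majorApplications` is echoed exactly as read, so a script that only cares about local breakout by IP never touches (or deletes) application rules that someone else configured.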

If you pass it with an empty list, does that make a difference? I.e.

response = dashboard.appliance.updateNetworkApplianceTrafficShapingVpnExclusions(network_id,
    custom=[{'protocol': 'tcp', 'destination': '192.168.3.0/24', 'port': '8000'}],
    majorApplications=[]
)

It didn't seem to appreciate an empty list much, lol. Had the same error.

Does your Spoke site have a Default Route configured on the VPN?

Configuring VPN Exclusion Rules (IP/Port)

The L3 VPN Exclusion configuration is available under Security & SD-WAN > SD-WAN and Traffic Shaping or Teleworker Gateway > Traffic Shaping.

The configuration option will appear if:

  • The spoke has at least one default route configured for a hub or
  • A hub is sharing the default route via an advanced routing protocol or
  • A hub with at least one exit hub configured.

There's a default route at one of the hubs, shared out via SD-WAN.
