Is it possible to do split tunneling for a Secure Connect spoke?

Bucket
Getting noticed


Is it possible to do split tunneling so only RFC1918 is tunneled to Secure Connect via AutoVPN?


I am guessing it is only possible for hub sites as spokes will always receive the 0.0.0.0/0 route from the secure connect hubs.

4 Replies
Inderdeep
Kind of a big deal

Hope this will help you 

https://www.reddit.com/r/meraki/comments/z1v77o/meraki_autovpn_hubs_split_tunnel_pri_hub_and_full/

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal

If you have fewer than 50 sites you could consider running more of the sites as hubs to work around the issue.

GreenMan
Meraki Employee

I'd be interested to understand your use case as, for MX-protected branches, Secure Connect is used primarily to provide secure Internet Access (hence the default route). If you provide your Spoke MX with any more specific route though, that will be preferred over the SC default route. So if you have a tunnel to a Hub in a traditional DC, which is advertising some routes for the services they host (typically from within RFC1918), that traffic would use the direct tunnel, not go via SC - but your Internet traffic would still flow via SC.

You can also perform local breakout at the MX (full-tunnel exclusion), if you wish: https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)
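The route-selection behaviour described in this reply, as an added illustration that is not Meraki's code or part of the original thread: a constructed spoke routing table with the Secure Connect default route, more specific RFC1918 routes learned from a DC hub, and a full-tunnel exclusion list, resolved by longest-prefix match. All prefixes, next-hop names and the exclusion range are made-up placeholders.

```python
import ipaddress

# Constructed spoke MX routing table (illustrative only, not Meraki's implementation).
# The Secure Connect hub advertises 0.0.0.0/0; a traditional DC hub advertises the
# RFC1918 prefixes for the services it hosts.
SPOKE_ROUTES = [
    ("0.0.0.0/0", "secure-connect-hub"),
    ("10.0.0.0/8", "dc-hub-tunnel"),
    ("172.16.0.0/12", "dc-hub-tunnel"),
    ("192.168.0.0/16", "dc-hub-tunnel"),
]

# Full-tunnel exclusion (local breakout): destinations that bypass every AutoVPN
# tunnel and leave via the branch's own Internet uplink. Placeholder range.
LOCAL_BREAKOUT = ["203.0.113.0/24"]


def next_hop(dst, routes=SPOKE_ROUTES, exclusions=LOCAL_BREAKOUT):
    """Return where traffic to dst egresses: 'local-internet' if the destination is
    excluded from the tunnel, otherwise the next hop of the longest matching prefix."""
    ip = ipaddress.ip_address(dst)
    if any(ip in ipaddress.ip_network(x) for x in exclusions):
        return "local-internet"
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        # Longest prefix wins, so a /8 from the DC hub beats the SC /0 default route.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unreachable"


def without_dc_hub(routes=SPOKE_ROUTES):
    """Routing table after the DC hub tunnel (and its specific routes) is lost:
    everything left falls back to the Secure Connect default route."""
    return [r for r in routes if r[1] != "dc-hub-tunnel"]


if __name__ == "__main__":
    for dst in ("10.1.2.3", "192.168.50.9", "8.8.8.8", "203.0.113.5"):
        print(dst, "->", next_hop(dst))
    print("10.1.2.3 with DC hub down ->", next_hop("10.1.2.3", routes=without_dc_hub()))
```

The last line shows the failure mode worth watching for: if the DC hub's specific routes disappear, RFC1918 traffic silently follows the default route into Secure Connect instead of being dropped.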

Bucket

I am just trying to fully understand SC and what options there are.

The use case here would mostly be to utilize remote access and ztna without tunneling everything.


It would also be nice to force split tunneling temporarily or in troubleshooting scenarios in case full tunneling broke something.

Traffic exclusion is cool for that though 🙂
