Is it possible to do split tunneling for a secure connect spoke?
Is it possible to do split tunneling so only RFC1918 is tunneled to Secure Connect via auto-vpn?
I am guessing it is only possible for hub sites as spokes will always receive the 0.0.0.0/0 route from the secure connect hubs.
Hope this will help you
https://www.reddit.com/r/meraki/comments/z1v77o/meraki_autovpn_hubs_split_tunnel_pri_hub_and_full/
If you have fewer than 50 sites you could consider running more of the sites as hubs to work around the issue.
I'd be interested to understand your use case as, for MX-protected branches, Secure Connect is used primarily to provide secure Internet Access (hence the default route). If you provide your Spoke MX with any more specific route though, that will be preferred over the SC default route. So if you have a tunnel to a Hub in a traditional DC, which is advertising some routes for the services they host (typically from within RFC1918), that traffic would use the direct tunnel, not go via SC - but your Internet traffic would still flow via SC.
You can also perform local breakout at the MX (full-tunnel exclusion), if you wish: https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)
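
The route preference described in the reply above, as an added example that is not part of the thread or Meraki's own code: a longest-prefix-match lookup over a spoke's routes, with a full-tunnel exclusion list applied to default-route traffic. The prefixes, next-hop labels and exclusion entry are constructed, and the rule that exclusions only affect traffic that would otherwise follow the default route is an assumption of this sketch.

```python
import ipaddress

# Constructed spoke view: labels and prefixes are illustrative, not from the thread.
ROUTES = [
    ("0.0.0.0/0", "secure-connect"),   # default route received from the Secure Connect hubs
    ("10.0.0.0/8", "dc-hub"),          # RFC1918 prefixes advertised by a traditional DC hub
    ("172.16.0.0/12", "dc-hub"),
    ("192.168.0.0/16", "dc-hub"),
]

# Constructed full-tunnel exclusion list (local breakout at the MX).
EXCLUSIONS = ["203.0.113.0/24"]


def next_hop(dst, routes=ROUTES, exclusions=EXCLUSIONS):
    """Return the label of the path a packet to `dst` would take."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, hop))
    if not matches:
        # No VPN route covers the destination: it leaves via the local uplink.
        return "local-breakout"
    # Longest prefix wins, so any RFC1918 route beats the 0.0.0.0/0 default.
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    # Assumption: exclusions are only consulted for default-route traffic.
    if net.prefixlen == 0:
        for excluded in exclusions:
            if addr in ipaddress.ip_network(excluded):
                return "local-breakout"
    return hop


if __name__ == "__main__":
    for dst in ("10.1.2.3", "172.32.0.1", "8.8.8.8", "203.0.113.10"):
        print(f"{dst:15} -> {next_hop(dst)}")
```

Note that 172.32.0.1 falls outside 172.16.0.0/12, so it follows the default route to Secure Connect rather than the DC hub tunnel.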
I am just trying to fully understand SC and what options there are.
The use case here would mostly be to utilize remote access and ztna without tunneling everything.
It would also be nice to force split tunneling temporarily or in troubleshooting scenarios in case full tunneling broke something.
Traffic exclusion is cool for that though 🙂
