Secure Connect topology

Messy
Getting noticed

Hello,

Looking to use Secure Connect for the cloud firewall and have a few design questions.

Currently we have about 60 sites around the world in a hub-and-spoke setup using Meraki AutoVPN with MX devices.

The easiest setup seems to be to just connect every site to a Secure Connect hub: internet traffic goes to SC and internal routes go through SD-WAN.

1. However, I read in the Meraki docs that Secure Connect adds latency that would impact sensitive traffic like VoIP etc.
2. How do we define traffic that should go straight out to the internet rather than use SC?

Also, regarding existing hubs: when you join them they don't receive a default route from a Secure Connect hub by default.
Is this the recommended setup? Why is this the default? Is there some significant downside to a hub site having its internet traffic go through Secure Connect?

What does this mean for their internet traffic? Presumably the default behavior is that it goes out to the internet directly as it did before? In which case what is the point in connecting it to Secure Connect?

Thanks!


Accepted Solution
ChristopherR
Here to help

Hi,

Once you've connected a site to Secure Connect, you can configure which traffic goes direct to the Internet under Security & SD-WAN > SD-WAN & Traffic Shaping > Local Internet Breakout. Here you can define VPN Exclusion rules for which traffic bypasses the tunnel. With the SD-WAN Plus license, there is also an option to exclude traffic at the application level for a handful of popular, well-known applications.

As to your note on the hubs joining Secure Connect not receiving a default route by default, I believe when this was originally designed it was to help prevent customers from unknowingly having all their traffic sent through Secure Connect. Let's say you had a default security policy for HTTPS inspection in Umbrella but didn't have the cert deployed to all the endpoints connected to the hub: this could lead to an unpleasant experience for users trying to access HTTPS pages without the cert loaded. This configuration is definitely supported, and I'd recommend reaching out to the Secure Connect support team (just use any support link from a Secure Connect page in the dashboard). I thought it was just a matter of ensuring that the Secure Connect hub was listed as a higher priority under Security & SD-WAN > Site-to-site VPN at the site in question.

The value of having the Internet traffic going through Secure Connect would be the additional security functionality like HTTPS inspection, tenant controls, DLP functionality, sandboxing, web app controls, etc.

5 Replies
alemabrahao
Kind of a big deal

Using Secure Connect to configure your cloud firewall can be beneficial, but it does require some consideration.

I think it would be a good idea to consult a Meraki SE to help you define the best design for your environment.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Messy
Getting noticed

Yeah, that was my first port of call, but they aren't very helpful. We have had several "introduction" meetings, you know, "just to say hello"... Every time I try to get an actual technical meeting with a technical person, the best I can manage is a sales guy who thought the meeting was just an introduction and says he will pass on questions to the engineers - only to never hear from anyone again.

Messy
Getting noticed

brill, thanks very much!

SahandC
Meraki Employee

To add to Chris' comments regarding the configuration of the default route for Meraki appliances operating as VPN Type: Hub.

  • The configuration is done on the Secure Connect > Sites page.
  • From the list of connected sites at the bottom of the page, click somewhere in the whitespace of the Hub you want to configure the default route for, and a slider window should appear.
  • Under the Remote Routes section, you'll find Default Route: Disabled (by default); select the 'Disabled' hyperlink.
  • From the pop-up window, select the radio button to Enable Default Route, and then Confirm.

Documentation: Meraki SD-WAN Hub Integration with Secure Connect

Within the same documentation, have a review of the section titled Platform Optimization for Hub Integration. This has been applied by default for all newly provisioned Secure Connect customers for a little while, but depending on when you provisioned the solution it may be worth reviewing and confirming with support that it has been enabled.

The final comment I'll make is connected to Chris' statements about scenarios where the default route could negatively impact clients. It is a good idea to enable this during a scheduled maintenance window, as the UI elements in the Dashboard to configure Local Internet Breakout / VPN Exclusion rules won't appear until the appliance's configuration meets certain criteria (i.e. it has a default route from Secure Connect).

Depending on the number of VPN Exclusion rules, you may do this directly in the Dashboard, or utilize the API endpoint to make this a programmatic workflow.

Documentation: 
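Following on from the note above about driving VPN Exclusion rules through the API, here is an added example (my own code, not Meraki's or any poster's) that builds a rule set for a VoIP provider, refuses rules so broad they would send all traffic around Secure Connect inspection, and pushes it with the Dashboard API v1 endpoint PUT /networks/{networkId}/appliance/trafficShaping/vpnExclusions. The endpoint path, field names and protocol values are from my reading of the API reference and should be confirmed against the current reference; the destination range, FQDN and network id are constructed placeholders.

```python
"""Added example: build, sanity-check and push Meraki VPN Exclusion rules.
Assumes Dashboard API v1: PUT /networks/{networkId}/appliance/trafficShaping/vpnExclusions
with body {"custom": [{"protocol","destination","port"}], "majorApplications": [...]}."""
import json
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"
VALID_PROTOCOLS = {"any", "tcp", "udp", "dns", "icmp"}  # as listed in the API reference (assumed)


def custom_rule(protocol, destination, port="any"):
    """One custom exclusion: matching traffic leaves the site directly, uninspected."""
    return {"protocol": protocol, "destination": destination, "port": port}


def validate_exclusions(rules):
    """Return a list of problems (empty means acceptable). Every exclusion is a hole
    in Secure Connect inspection, so a rule matching any destination on any port is
    refused rather than pushed by accident."""
    problems = []
    for i, r in enumerate(rules):
        if r["protocol"] not in VALID_PROTOCOLS:
            problems.append(f"rule {i}: unknown protocol {r['protocol']!r}")
        if r["destination"] == "any" and r["port"] == "any":
            problems.append(f"rule {i}: matches all traffic; scope it down")
    return problems


def build_payload(rules, major_applications=()):
    """Assemble the PUT body, raising if validation found anything."""
    problems = validate_exclusions(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {"custom": list(rules), "majorApplications": list(major_applications)}


def push_exclusions(api_key, network_id, payload):
    """PUT the rule set to one network; only runs when called with real credentials."""
    url = f"{BASE_URL}/networks/{network_id}/appliance/trafficShaping/vpnExclusions"
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: the VoIP provider's SIP signalling and RTP media go straight
# out (latency-sensitive); everything else stays behind Secure Connect inspection.
VOIP_RULES = [
    custom_rule("udp", "203.0.113.0/24", "5060"),         # SIP, RFC 5737 doc range
    custom_rule("udp", "203.0.113.0/24", "10000-20000"),  # RTP media ports
    custom_rule("any", "sip.example-voip.invalid"),       # FQDN match, any port
]
```

Call `push_exclusions(api_key, "N_placeholder", build_payload(VOIP_RULES))` with a real key and network id to apply the set; the validation step runs before anything leaves the machine.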
