Secure Connect topology

Solved
Messy
Getting noticed


Hello,

Looking to use Secure Connect for the cloud firewall and have a few design questions.

Currently we have about 60 sites around the world in a hub and spoke setup using Meraki Auto VPN with MX devices.

The easiest setup seems to be to just connect every site to a Secure Connect hub: internet traffic goes to SC and internal routes go through SD-WAN.


1. However, I read in the Meraki docs that Secure Connect adds latency that would impact sensitive traffic like VoIP etc.
2. How do we define traffic that should go straight out to the internet rather than use SC?


Also, regarding existing hubs: when you join them they don't receive a default route from a Secure Connect hub by default.
Is this the recommended setup? Why is this the default? Is there some significant downside to a hub site having its internet traffic go through Secure Connect?

 

What does this mean for their internet traffic? Presumably the default behaviour is that it goes out to the internet directly as it did before? In which case, what is the point in connecting it to Secure Connect?


Thanks!


1 Accepted Solution
ChristopherR
Here to help

Hi,

Once you've connected a site to Secure Connect, you can configure which traffic goes direct to the Internet under Security & SD-WAN > SD-WAN & Traffic Shaping > Local Internet Breakout. Here you can define VPN Exclusion rules for traffic that should bypass the tunnel. With the SDWAN+ license, there is also an option to exclude traffic at the application level for a handful of popular, well-known applications.

 

As to your note on the hubs joining Secure Connect not receiving a default route by default, I believe when this was originally designed it was to help prevent customers from unknowingly having all their traffic sent through Secure Connect. Let's say you had a default security policy for HTTPS inspection in Umbrella but didn't have the cert deployed to all the endpoints connected to the hub: this could lead to an unpleasant experience for users trying to access HTTPS pages without the cert loaded. This configuration is definitely supported and I'd recommend reaching out to the Secure Connect support team (just use any support link from a Secure Connect page in the dashboard). I thought it was just a matter of ensuring that the Secure Connect hub was listed as a higher priority under Security & SD-WAN > Site-to-site VPN at the site in question.

 

The value of having the Internet traffic going through Secure Connect would be for additional security functionality like HTTPS inspection, tenant controls, DLP functionality, sandboxing, web app controls, etc.

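As an added example (not code from this thread, from the posters, or from Meraki), the script below builds the two spoke-side settings the accepted answer points at: the Site-to-site VPN hub list with the Secure Connect hub in first (highest-priority) position and flagged as the default-route hub, and a set of Local Internet Breakout / VPN exclusion rules so VoIP traffic to a provider goes straight out rather than through the tunnel. It uses the Meraki Dashboard API v1 (https://developer.cisco.com/meraki/api-v1/); the endpoint paths and body field names are my reading of the public API reference and should be checked against it before `dry_run` is turned off. Network and hub IDs, the local subnet and the VoIP provider ranges are placeholders I made up (TEST-NET addresses), and the port semantics of the exclusion rules (`"5060"` for SIP, `"any"` for RTP) are an assumption. Existing hub networks run in `"hub"` mode and have no `hubs` list, so this covers the spoke sites only. Hub-site behaviour should be confirmed with Secure Connect support as the answer suggests.

```python
"""Push a Secure-Connect-first Auto VPN hub order plus VoIP VPN-exclusion rules
to a Meraki MX spoke network.  Added example; paths/fields are assumptions
taken from the Dashboard API v1 reference, verify before running for real."""
import ipaddress
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

# Constructed placeholders: real network/hub IDs look like "N_1234567890".
SECURE_CONNECT_HUB = "N_SC_HUB_PLACEHOLDER"
EXISTING_HUBS = ["N_DC_HUB_PLACEHOLDER"]
VOIP_PROVIDER_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]  # TEST-NET ranges


def build_site_to_site_vpn(sc_hub_id, existing_hub_ids, local_subnets):
    """Spoke config: the hubs list is in priority order, so the Secure Connect
    hub goes first and is the only one flagged to push a default route; the
    existing hubs stay in the list to carry internal (SD-WAN) routes."""
    hubs = [{"hubId": sc_hub_id, "useDefaultRoute": True}]
    hubs += [{"hubId": h, "useDefaultRoute": False}
             for h in existing_hub_ids if h != sc_hub_id]
    subnets = []
    for cidr in local_subnets:
        ipaddress.ip_network(cidr)  # reject typos before they reach the dashboard
        subnets.append({"localSubnet": cidr, "useVpn": True})
    return {"mode": "spoke", "hubs": hubs, "subnets": subnets}


def build_vpn_exclusions(voip_cidrs, sip_port="5060"):
    """Local Internet Breakout rules (assumed body shape): SIP signalling and
    all other UDP (RTP media) to the VoIP provider bypass the tunnel."""
    custom = []
    for cidr in voip_cidrs:
        ipaddress.ip_network(cidr)
        custom.append({"protocol": "udp", "destination": cidr, "port": sip_port})
        custom.append({"protocol": "udp", "destination": cidr, "port": "any"})
    return {"custom": custom, "majorApplications": []}


def default_route_hub(site_to_site_cfg):
    """Audit helper for a GET of the same endpoint: hubId of the highest
    priority default-route hub, or None when no hub pushes one (the
    'joined but no default route' state described in the question)."""
    for hub in site_to_site_cfg.get("hubs", []):
        if hub.get("useDefaultRoute"):
            return hub["hubId"]
    return None


def plan_changes(network_id, sc_hub_id, existing_hub_ids, local_subnets, voip_cidrs):
    """Return the PUT calls as (path, body) pairs so they can be reviewed first."""
    return [
        (f"/networks/{network_id}/appliance/vpn/siteToSiteVpn",
         build_site_to_site_vpn(sc_hub_id, existing_hub_ids, local_subnets)),
        (f"/networks/{network_id}/appliance/trafficShaping/vpnExclusions",
         build_vpn_exclusions(voip_cidrs)),
    ]


def apply_changes(plan, api_key, dry_run=True):
    """PUT each body to the dashboard; with dry_run the calls are only printed."""
    results = []
    for path, body in plan:
        if dry_run:
            print("PUT", BASE_URL + path, json.dumps(body))
            results.append(None)
            continue
        req = urllib.request.Request(
            BASE_URL + path, data=json.dumps(body).encode(), method="PUT",
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    changes = plan_changes("N_SPOKE_PLACEHOLDER", SECURE_CONNECT_HUB, EXISTING_HUBS,
                           ["10.42.0.0/24"], VOIP_PROVIDER_CIDRS)
    apply_changes(changes, os.environ.get("MERAKI_API_KEY", ""), dry_run=True)
```

Run it once with `dry_run=True` per site and diff the printed bodies against what the dashboard shows under Security & SD-WAN > Site-to-site VPN; `default_route_hub()` applied to the GET response of the same endpoint is a quick way to find which of the 60 sites still send internet traffic direct.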

4 Replies
alemabrahao
Kind of a big deal

Using Secure Connect to configure your cloud firewall can be beneficial, but it does require some consideration.

I think it would be a good idea to consult a Meraki SE to help you define the best design for your environment.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Messy
Getting noticed

Yeah, that was my first port of call, but they aren't very helpful. We have had several "introduction" meetings, you know, "just to say hello". Every time I try to get an actual technical meeting with a technical person, the best I can manage is a sales guy who thought the meeting was just an introduction and will pass on questions to the engineers, only for me to never hear from anyone again.


Messy
Getting noticed

Brill, thanks very much!
