Meraki

Community

2 different Gateway Tunnels for different purpose at same MX

MauroJK
Here to help
‎Oct 30 2024 10:38 AM
‎Oct 30 2024 10:38 AM

2 different Gateway Tunnels for different purpose at same MX

We currently aim for the following layout:

  • The SDWAN Gateway establishes HUB/Spoke SDWAN tunnels and routes only RFC1918 traffic through these tunnels.
  • establishes a Non-Meraki peer tunnel with zScaler, which becomes the network gateway, and routes all internet traffic (0.0.0.0/0) through this tunnel.
  • Additionally,  establishes another tunnel with Cloudify (zScaler), which also becomes the network gateway and routes all internet-bound traffic (0.0.0.0/0) through this tunnel, but only for the GUEST VLAN.

I am researching the MX and non-Meraki VPN peer documentation but cannot find a way to configure the MX in order to use Cloudify Tunnel as the gateway for traffic originating from the GUEST VLAN, while the zScaler Tunnel as the gateway for traffic originating from other VLANs.

Labels:
0 Kudos
5 Replies 5
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Oct 30 2024 12:02 PM
‎Oct 30 2024 12:02 PM

Using non-Meraki VPN's to tunnel all traffic will most probably not work.  You need to define specific local and remote networks for this.

AutoVPN is a different beast.  If you set a default route on a spoke to a hub you can tunnel all local traffic over that for local networks that are subjected to the VPN tunnel.  In that case you would have to tunnel to a Meraki hub that then has a default route to the internet where you can allow or deny traffic using those other technologies.

In response to GIdenJoe
MauroJK
Here to help
‎Oct 31 2024 4:16 AM
‎Oct 31 2024 4:16 AM

Thanks for the Info GIJoe... there is a technical solution to setup this scenario with 2 internal segments with different default gateway?

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 31 2024 3:43 AM
‎Oct 31 2024 3:43 AM

This would be tremendously simpler if you used the Cisco solution - Umbrella (instead of Zscaler).  It has native integration.

 

Or step it up one more and go full SASE with Cisco Secure Connect.

https://meraki.cisco.com/products/cisco-plus-secure-connect/

 

0 Kudos
In response to PhilipDAth
MauroJK
Here to help
‎Oct 31 2024 4:14 AM
‎Oct 31 2024 4:14 AM

Thanks for the Answer but the idea on a Tech Meraki Forum is to find technical solutions on Meraki Plattform. Not Pre-Sales other solutions. rigth? 

Regarding the scenario. 
besides of not being as easy as other vendors....
the question is... ITs Possible?

0 Kudos
In response to MauroJK
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 31 2024 10:58 AM
‎Oct 31 2024 10:58 AM

The reason why you are struggling with this is because of the current design.  If you can correct your system design, you'll have fewer issues.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.