We have a Hub-Spoke scenario (central site = Hub and remote sites = Spokes). From the Spoke side, it's requested to route all traffic through the site-to-site VPN except Office 365 traffic, which should be forwarded to the internet directly/locally.
The normal way to achieve the above setup was to get a list of IP ranges for Office 365 (100+ IPs and subnets) and exclude them from the VPN, but I'm looking for a smarter scenario, which is application-based routing, if supported.
So, I wish to know if anyone can advise: is it supported on MXs to take the routing decision based on URL or application?
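The IP-range approach mentioned in the question, as an added example that is not part of the original thread: it turns an Office 365 endpoint list into an aggregated set of IPv4 prefixes for a VPN exclusion list. The sample data is constructed in the shape of Microsoft's endpoint web service output (an assumption about the format); the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's Office 365 endpoint web service
# output (assumed format: id, serviceArea, category, required, ips, urls); values
# are illustrative, not the live list.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
     "urls": ["outlook.office.com"]},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "ips": ["13.107.6.152/31", "40.96.0.0/13"], "urls": ["*.protection.outlook.com"]},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": True,
     "ips": ["20.190.128.0/18"], "urls": ["*.microsoft.com"]},
    {"id": 4, "serviceArea": "SharePoint", "category": "Optimize", "required": False,
     "ips": ["13.107.136.0/22"], "urls": ["*.sharepoint.com"]},
])

def breakout_prefixes(endpoint_json, categories=("Optimize", "Allow"), required_only=True):
    """Return a de-duplicated, aggregated list of IPv4 prefixes that should bypass the
    site-to-site VPN and break out locally. Only 'Optimize' and 'Allow' endpoints are
    selected by default; 'Default' traffic stays on the normal path (here: the hub proxy)."""
    prefixes = set()
    for entry in json.loads(endpoint_json):
        if entry.get("category") not in categories:
            continue
        if required_only and not entry.get("required", False):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:  # assumption: the exclusion list in this scenario is IPv4 only
                prefixes.add(net)
    # collapse_addresses merges overlapping/adjacent networks so the exclusion list stays short
    return [str(n) for n in ipaddress.collapse_addresses(sorted(prefixes))]

def breakout_fqdns(endpoint_json, categories=("Optimize", "Allow")):
    """Return the FQDN patterns for the same categories, useful for a client-side proxy
    bypass list; as the thread notes, the MX itself does not route on these names."""
    names = set()
    for entry in json.loads(endpoint_json):
        if entry.get("category") in categories:
            names.update(entry.get("urls", []))
    return sorted(names)
```

Re-running this against the current list whenever Microsoft publishes a new version keeps the exclusion set from drifting, which is the main operational cost of the IP-range approach.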
If you are using a full tunnel then I don't think this will be possible.
The MX spoke will look up the routing table first, see the default route via the hub, and use that.
Hello Philip,
Thanks for your feedback. The answer is no, it's not full tunnel mode, because there are site-to-site connections between the spoke and third-party (non-Meraki) sites.
No. Meraki does not have the ability to route applications directly out to the "Internet" rather than over a VPN. You can configure VLANs to not be used in the VPN, so that this traffic is routed directly over the "Internet".
In your example, why are you routing everything bar Office 365 over the site-to-site VPN? Why not let all traffic that's not required to go over the site-to-site VPN go directly out to the Internet? That kind of defeats the purpose of SD-WAN and will also cause higher latency on this traffic.
Hello WANKiller,
Thanks for your feedback, but this is a customer request, where Meraki's role is to replace an existing VPN solution. In the existing solution, all Internet access traffic is inspected by a central proxy located at the central hub. So, he doesn't want to touch the Internet access policies; he only wants to replace the VPN solution with a smarter VPN solution.
In the Sophos XG firewall (Cyberoam or Astaro) you can apply a firewall rule based on FQDN and then select the next hop, so the policy rule is combined with the routing decision. I wonder how such smart handling is not included in Meraki "SDN" yet.
It's amazing to see an SD-WAN solution that doesn't have any option to handle Office 365 traffic.