AutoVPN and applications

SOLVED
Here to help

Hello, I am looking at purchasing the Meraki SD-WAN solution and so far it looks like it can work for my company. However, I would like to know if I can direct certain applications, like video, to go directly out to the internet and have other, internal applications use AutoVPN and be tunneled back to the hub?

7 REPLIES
Kind of a big deal

Re: AutoVPN and applications

Not applications themselves. But it depends on whether the destination IP (the IP of your application) is learned from one of your VPN sites.

If not, it uses the local internet (default route).

Kind of a big deal

Re: AutoVPN and applications

Hey @newengineerhere,

 

Yes, you can, but within certain constraints. The methods available to specify whether traffic is tunneled back to a hub or not are IP destination based for the most part. When you set up AutoVPN you would configure your hub to advertise known networks to your spokes. If a host at the spoke sends a packet and the destination matches a network the hub is advertising then it's tunneled back. If it doesn't match it'll head direct to the Internet. 

 

And with AutoVPN you can do split tunnelling, which is what I describe above, or full tunnelling, which is where a default route is advertised from the hub which in turn matches all traffic.

 

The other technique available is on the spoke itself. In the AutoVPN config you specify which networks are "In VPN", which is what I said above about specifying which networks are advertised (in this case which networks the spoke advertises to the hub), but this has a dual purpose in that it also specifies which LAN subnets are allowed to send traffic into the VPN at all. If a network is not "In VPN" then any traffic sourced from that VLAN will never be sent through the VPN (which makes sense since the hub would not have a route back and therefore could never forward return traffic anyway).

 

So, that's a bit of a long-winded way of saying that yes, you can specify which traffic is in the tunnel or direct to the Internet, as long as you can do it based on known subnets. What you can't do is set up a spoke such that all traffic is tunneled back to the hub except for, e.g., O365, and send that direct to the Internet.

 

Hope that helps!

 

 

Here to help

Re: AutoVPN and applications

Thank you for your detailed response.

 

 

[attached screenshots: sdwan.JPG, sd-wan2.JPG]

 

 

I'm confused because in our demo unit I can set traffic filters based on applications and have the traffic prefer WAN1 or WAN2 (let's say I choose WAN2). Then if I disable active-active AutoVPN, the tunnel to the hub will only be formed over the primary uplink (WAN1).

 

1. Wouldn't that allow me to split tunnel traffic based on application type? 

2. Is there a way to decide whether the traffic can use the DIA link even with the tunnel enabled over an uplink?

3. Why would Meraki send traffic from remote sites to well-known web apps through the hub by default? Aren't the MX devices capable of layer 3/7 as well as other vendors?

Kind of a big deal

Re: AutoVPN and applications

Haha! Those are two different screen shots! They looked like one and you had me wondering if there's a new feature that was in beta I was missing. Too bad 😞

 

No, so you have the dialogue from the VPN traffic flow preferences shown first, and then you have the Uplink selection configuration shown second.

 

The VPN flow preferences only apply to traffic that is being routed into the AutoVPN overlay. The decision whether or not it goes into the VPN has already been made at that point. All those settings let you do is control which VPN tunnel is used to forward that traffic (the SD-WAN config, if you will). You'll notice in the available options you have there that there isn't any "in VPN" or "out of VPN" option that could be used to policy route direct to Internet.

 

So again, in the Flow Preferences section, Internet flow preferences apply only to Internet-bound traffic, and VPN flow preferences apply only to traffic being forwarded through a VPN tunnel. These settings apply AFTER the decision point of which forwarding option will be used and can't override that.
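To make the two-stage behaviour described in this thread concrete (the subnet-based "in VPN or direct" decision from the earlier reply, followed by the flow preferences that only pick an uplink within the class already chosen), here is an added, self-contained model. It is example code written for this page, not Meraki's own implementation or API: the `SpokeConfig` fields, the flow records and the sample prefixes are all constructed assumptions, and the "no active-active means the tunnel only exists on the primary uplink" rule is taken from the poster's description above, not from product documentation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A flow is a constructed record: src/dst IP, destination port, and an application label.
Flow = Dict[str, object]
# A flow preference is (match predicate, preferred uplink). Hypothetical shape, not a Meraki object.
FlowPref = Tuple[Callable[[Flow], bool], str]


@dataclass
class SpokeConfig:
    """Hypothetical model of one spoke's AutoVPN and flow-preference settings (assumption, not a real API)."""
    hub_routes: List[str]                       # networks the hub advertises to this spoke
    in_vpn_subnets: List[str]                   # local subnets marked "In VPN" on the Site-to-site VPN page
    full_tunnel: bool = False                   # hub additionally advertises a default route
    primary_uplink: str = "WAN1"
    active_active: bool = False                 # per the thread: when off, the tunnel only forms on the primary uplink
    vpn_flow_prefs: List[FlowPref] = field(default_factory=list)
    internet_flow_prefs: List[FlowPref] = field(default_factory=list)


def _in_any(addr: str, prefixes: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def choose_path(cfg: SpokeConfig, flow: Flow) -> str:
    """Stage 1: 'vpn' or 'direct'.

    Only the source VLAN's "In VPN" status and a destination route match count;
    the application label and port are deliberately never consulted here.
    """
    if not _in_any(str(flow["src"]), cfg.in_vpn_subnets):
        return "direct"          # VLAN not "In VPN": never tunneled, the hub has no return route
    if cfg.full_tunnel or _in_any(str(flow["dst"]), cfg.hub_routes):
        return "vpn"
    return "direct"              # no hub route for this destination: follow the local default route


def choose_uplink(cfg: SpokeConfig, path: str, flow: Flow) -> str:
    """Stage 2: flow preferences select an uplink within the class chosen in stage 1.

    VPN preferences are consulted only for 'vpn' flows and Internet preferences
    only for 'direct' flows, so a preference can never move a flow between classes.
    """
    prefs = cfg.vpn_flow_prefs if path == "vpn" else cfg.internet_flow_prefs
    for matches, uplink in prefs:
        if matches(flow):
            if path == "vpn" and not cfg.active_active:
                return cfg.primary_uplink   # only one tunnel exists, so the preference has nothing to steer to
            return uplink
    return cfg.primary_uplink


def forward(cfg: SpokeConfig, flow: Flow) -> Tuple[str, str]:
    """Return (path, uplink) for a flow, applying stage 1 then stage 2."""
    path = choose_path(cfg, flow)
    return path, choose_uplink(cfg, path, flow)


# Constructed example spoke: hub advertises 10.0.0.0/8, one local VLAN is "In VPN",
# voice is preferred on WAN1 inside the VPN, video is preferred on WAN2 for Internet traffic.
EXAMPLE_SPOKE = SpokeConfig(
    hub_routes=["10.0.0.0/8"],
    in_vpn_subnets=["192.168.10.0/24"],
    vpn_flow_prefs=[(lambda f: f["app"] == "voice", "WAN1")],
    internet_flow_prefs=[(lambda f: f["app"] == "video", "WAN2")],
)

# Constructed sample flows (203.0.113.0/24 is documentation space standing in for an Internet host).
SAMPLE_FLOWS: List[Flow] = [
    {"src": "192.168.10.5", "dst": "10.1.1.1", "dport": 443, "app": "video"},     # video to a hub network
    {"src": "192.168.10.5", "dst": "203.0.113.7", "dport": 443, "app": "video"},  # video to the Internet
    {"src": "192.168.20.5", "dst": "10.1.1.1", "dport": 5060, "app": "voice"},    # VLAN not "In VPN"
]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        path, uplink = forward(EXAMPLE_SPOKE, flow)
        print(f"{flow['src']} -> {flow['dst']} ({flow['app']}): {path} via {uplink}")
```

The first sample flow is the case the thread keeps coming back to: it is video, and there is an Internet flow preference sending video to WAN2, but because its destination is a hub-advertised network it is classified as VPN traffic in stage 1, so that preference is never consulted and it stays on the tunnel. Only the second flow, whose destination has no hub route, reaches the Internet preferences and lands on WAN2.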


Here to help

Re: AutoVPN and applications

Haha sorry to confuse you for a moment there and thank you for the explanation!

 

I think it's starting to clear everything up. But for 100% clarity, when you say "the decision point of which forwarding option will be used and can't override that," is there any way to influence that decision based on the type of traffic (i.e. identify traffic for specific applications), or is it entirely route-based (i.e. identified by IP address only)?

Kind of a big deal

Re: AutoVPN and applications

All good! 🙂

 

As far as the split tunneling goes, there's no way to specify traffic in or out of VPN based on application. It's based purely on the "local networks" section of the Site-to-site VPN page.

 

[attached screenshot: image.png]

Here to help

Re: AutoVPN and applications

Last question!

 

Wouldn't I be able to use Flow preferences to control which application is split tunneled if I have the ports/IP information?

[attached screenshot: sdwan3.JPG]

 

For example - I have active-active disabled and WAN 1 is the tunnel. I could create a flow preference with an application's destination port/IP and have it take WAN 2, which would go straight to the internet. Do I understand that correctly?
