AutoVPN and applications

SOLVED
newengineerhere
Here to help


Hello, I am looking at purchasing the Meraki SD-WAN solution and so far it looks like it can work for my company however I would like to know if I can direct certain applications like video to go directly out to the internet and other internal applications to use AutoVPN and be tunneled back to the hub? 


ww
Kind of a big deal

Not applications themselves. But it depends on whether the destination IP (the IP of your application) is learned from one of your VPN sites.

If not, it uses the local internet (default route).

jdsilva
Kind of a big deal

Hey @newengineerhere,

 

Yes, you can, but within certain constraints. The methods available to specify whether traffic is tunneled back to a hub or not are IP destination based for the most part. When you set up AutoVPN you would configure your hub to advertise known networks to your spokes. If a host at the spoke sends a packet and the destination matches a network the hub is advertising then it's tunneled back. If it doesn't match it'll head direct to the Internet. 

 

And with AutoVPN you can do split tunnelling, which is what I describe above, or full tunnelling, which is where a default route is advertised from the hub which in turn matches all traffic.

 

The other technique available is on the spoke itself. In the AutoVPN config you specify which networks are "In VPN", which is what I said above about specifying which networks are advertised (in this case which networks the spoke advertises to the hub), but this has a dual purpose in that it also specifies which LAN subnets are allowed to send traffic into the VPN at all. If a network is not "In VPN" then any traffic sourced from that VLAN will never be sent through the VPN ever (which makes sense since the hub would not have a route back so therefore could never forward return traffic anyway).

 

So, that's a bit of a long-winded way of saying that yes, you can specify which traffic is in the tunnel or direct to the Internet, as long as you can do it based on known subnets. What you can't do is set up a spoke such that all traffic is tunneled back to the hub except for O365 (for example) and send that direct to the Internet.

 

Hope that helps!

 

 

Thank you for your detailed response.

 

 

[Screenshots attached: sdwan.JPG, sd-wan2.JPG]

 

 

I'm confused because in our demo unit I can set traffic filters based on applications and have the traffic prefer WAN1 or WAN2 (let's say I choose WAN2). Then if I disable active-active AutoVPN, the tunnel to the hub will only be formed over the primary uplink (WAN1).

 

1. Wouldn't that allow me to split tunnel traffic based on application type? 

2. Is there a way to decide whether the traffic can use the DIA link even with the tunnel enabled over an uplink?

3. Why would Meraki send traffic from remote sites to well-known web apps through the hub by default? Aren't the MX devices capable of layer 3/7 as well as other vendors?

Haha! Those are two different screen shots! They looked like one and you had me wondering if there's a new feature that was in beta I was missing. Too bad 😞

 

No, so you have the dialogue from the VPN traffic flow preferences shown first, and then you have the Uplink selection configuration shown second.

 

The VPN flow preferences only apply to traffic that is being routed into the AutoVPN overlay. The decision whether or not it goes into the VPN has already been made at that point. All those settings let you do is control which VPN tunnel is used to forward that traffic (the SD-WAN config, if you will). You'll notice in the available options you have there that there isn't any "in vpn" or "out of vpn" option that could be used to policy route direct to Internet.

 

So again, in the Flow Preferences sections, Internet flow preferences apply only to Internet bound traffic, and VPN flow preferences apply only to traffic being forwarded through a VPN tunnel. These settings apply AFTER the decision point of which forwarding option will be used and can't override that.  

Haha sorry to confuse you for a moment there and thank you for the explanation!

 

I think it's starting to clear everything up. But for 100% clarity, when you say "the decision point of which forwarding option will be used and can't override that," is there any way to influence that decision based on the type of traffic (i.e. identifying traffic for specific applications), or is it entirely route-based (i.e. identified by IP address only)?

All good! 🙂

 

As far as the split tunneling goes, there's no way to specify traffic in or out of VPN based on application. It's based purely on the "local networks" section of the Site-to-site VPN page.

 

[Screenshot attached: image.png]

Last question!

 

Wouldn't I be able to use Flow preferences to control which application is split tunneled if I have the ports/IP information?

[Screenshot attached: sdwan3.JPG]

 

For example - I have active-active disabled and WAN 1 is the tunnel. I could create a flow preference with an application's destination port/IP and have it take WAN 2, which would go straight to the internet. Do I understand that correctly?

Yes, I believe you are correct. If your flows are purely internet based you can define the "match filter" and route traffic over your preferred uplink.

Flow Preferences

By default (without load balancing), internet-bound traffic will flow out of the MX's primary uplink. The MX can also be configured to send traffic out of a specific interface based on the traffic type (policy-based routing), or based on the link quality of each uplink (performance-based routing). Flow preferences can be configured to define which uplink a given flow should use. Flow preferences will also supersede load balancing decisions. 
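The thread describes a two-stage decision: first, whether a flow enters AutoVPN at all (destination matched against routes learned from the hub, and only if the source subnet is "In VPN"), and second, which uplink carries it, where Internet flow preferences act only on flows that have already been classified as Internet-bound. The following Python model, written for this thread and not Meraki's own code, puts those rules side by side so the split-tunnel versus full-tunnel outcome of the last question can be seen directly. All subnets, the 203.0.113.0/24 "SaaS" destination, the VLAN names and the WAN1/WAN2 labels are constructed sample values; modelling "active-active disabled" as "the tunnel exists only on the primary uplink" is an assumption taken from the poster's description.

```python
"""Illustrative model (constructed for this thread, not Meraki code) of the
two-stage forwarding decision discussed above: (1) into AutoVPN or direct to
the Internet, decided by destination route and the source subnet being "In
VPN"; (2) uplink selection, where flow preferences only act within the
category already chosen in stage 1."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SpokeConfig:
    # LAN subnets marked "In VPN" on the Site-to-site VPN page (sample values)
    in_vpn_subnets: List[str]
    # Prefixes learned from the hub over AutoVPN; "0.0.0.0/0" models full tunnel
    hub_routes: List[str]
    # Internet flow preferences: (destination network, port or None, uplink)
    internet_prefs: List[Tuple[str, Optional[int], str]]
    # Assumption: with active-active disabled the tunnel forms only over this uplink
    primary_uplink: str = "WAN1"


def forwarding_decision(cfg: SpokeConfig, src_ip: str, dst_ip: str,
                        dst_port: int) -> Tuple[str, str, str]:
    """Return (path, uplink, reason) for one flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)

    # Stage 1a: a source VLAN that is not "In VPN" can never enter the tunnel
    src_in_vpn = any(src in ipaddress.ip_network(n) for n in cfg.in_vpn_subnets)

    # Stage 1b: longest-prefix match of the destination against hub routes
    candidates = [ipaddress.ip_network(r) for r in cfg.hub_routes
                  if dst in ipaddress.ip_network(r)]
    vpn_route = max(candidates, key=lambda n: n.prefixlen) if candidates else None

    if src_in_vpn and vpn_route is not None:
        # VPN-bound: Internet flow preferences are never consulted for this flow.
        # VPN flow preferences could choose among tunnels, but with active-active
        # disabled there is a single tunnel on the primary uplink.
        return ("AutoVPN", cfg.primary_uplink, f"matched hub route {vpn_route}")

    # Stage 2: Internet-bound: policy-based routing via Internet flow preferences
    for net, port, uplink in cfg.internet_prefs:
        if dst in ipaddress.ip_network(net) and (port is None or port == dst_port):
            return ("Internet", uplink, f"flow preference {net} port {port or 'any'}")
    return ("Internet", cfg.primary_uplink, "default route, primary uplink")


# Constructed sample: a SaaS service in 203.0.113.0/24 (documentation range),
# a corporate VLAN that is In VPN and a guest VLAN that is not.
SAAS_PREF = ("203.0.113.0/24", 443, "WAN2")

SPLIT_TUNNEL = SpokeConfig(in_vpn_subnets=["192.168.10.0/24"],
                           hub_routes=["10.0.0.0/8"],
                           internet_prefs=[SAAS_PREF])

FULL_TUNNEL = SpokeConfig(in_vpn_subnets=["192.168.10.0/24"],
                          hub_routes=["10.0.0.0/8", "0.0.0.0/0"],
                          internet_prefs=[SAAS_PREF])


def demo():
    """Run the four cases the thread discusses and return their decisions."""
    cases = {
        "split, corp -> datacenter": (SPLIT_TUNNEL, "192.168.10.5", "10.1.1.1", 445),
        "split, corp -> saas": (SPLIT_TUNNEL, "192.168.10.5", "203.0.113.10", 443),
        "full, corp -> saas": (FULL_TUNNEL, "192.168.10.5", "203.0.113.10", 443),
        "split, guest -> datacenter": (SPLIT_TUNNEL, "192.168.20.5", "10.1.1.1", 445),
    }
    return {name: forwarding_decision(cfg, s, d, p)
            for name, (cfg, s, d, p) in cases.items()}


if __name__ == "__main__":
    for name, (path, uplink, why) in demo().items():
        print(f"{name:28} -> {path:8} via {uplink}  ({why})")
```

The third case is the one that answers the O365-style question: under split tunnel the same flow preference steers the SaaS flow out of WAN2, but once a default route is learned from the hub that flow is VPN-bound before flow preferences are ever evaluated, so it rides the tunnel on WAN1 and the preference has no effect. The fourth case shows the "In VPN" gate on the source side: a guest VLAN that is not In VPN goes direct even when the destination is a hub-advertised subnet.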

 
 