Best method to exclude traffic destined for a specific VLAN between two spokes from S2S tunnel?

Grasshopper
Comes here often

Good Morning,

I have multiple Meraki AutoVPN spoke sites which interconnect via a Hub concentrator.


Hub

Spoke A (Provisioning VLAN 50)

Spoke B

Spoke C

etc

I need to configure traffic from the spoke sites to bypass the VPN concentrator and communicate directly with Spoke A, to reduce hops and latency for imaging. However, I only want this to affect traffic destined for the Provisioning VLAN 50 located at Spoke A, with all other traffic still routing through the S2S VPN as normal.

It seems there may be a few different ways to do this; I'm just researching and trying to determine the best and most secure option. I've configured a local internet breakout L3 rule on Spoke B to test, which should be excluding any protocol and port destined for the Provisioning VLAN 50 from the AutoVPN tunnel; however, tracing to the VLAN 50 gateway IP, it appears that my traffic is still going through the concentrator Hub.


Any input or ideas would be very appreciated! Thank you!
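As an added example (not code from the thread or from Meraki), a small Python model of the local breakout test described above: it builds the VPN exclusion body that the Dashboard API v1 accepts for such a rule and then checks, for a given flow, whether it would leave the AutoVPN tunnel and whether the underlay can actually carry it, which is the reachability caveat raised later in the thread. The VLAN 50 subnet and the underlay route table are constructed placeholders, since the post gives no addresses.

```python
import ipaddress

# Constructed sample values: the thread names "Provisioning VLAN 50" at Spoke A
# but gives no prefixes, so these are placeholders for illustration only.
SPOKE_A_VLAN50 = ipaddress.ip_network("10.50.0.0/24")
# Prefixes Spoke B can reach outside the tunnel (e.g. via its WAN / MPLS underlay).
UNDERLAY_ROUTES = [ipaddress.ip_network("10.50.0.0/24")]


def vpn_exclusion_payload(destination):
    """Request body for the Dashboard API v1 call
    PUT /networks/{networkId}/appliance/trafficShaping/vpnExclusions
    (updateNetworkApplianceTrafficShapingVpnExclusions): one custom L3 rule
    excluding any protocol and any port towards `destination` from AutoVPN."""
    return {
        "custom": [{"protocol": "any", "destination": str(destination), "port": "any"}],
        "majorApplications": [],
    }


def matches_rule(rule, dst_ip, protocol, port):
    """Local model of how one custom exclusion rule matches a flow."""
    if rule["protocol"] != "any" and rule["protocol"] != protocol:
        return False
    if rule["port"] != "any" and int(rule["port"]) != port:
        return False
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["destination"])


def path_for_flow(payload, dst_ip, protocol="tcp", port=445, underlay=UNDERLAY_ROUTES):
    """Return 'autovpn' (not excluded, goes via the hub), 'underlay' (excluded and
    routable locally) or 'no_underlay_route' (excluded, but the local default
    gateway has no path to the subnet, so imaging traffic would be lost)."""
    excluded = any(matches_rule(r, dst_ip, protocol, port) for r in payload["custom"])
    if not excluded:
        return "autovpn"
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in underlay):
        return "underlay"
    return "no_underlay_route"


if __name__ == "__main__":
    rules = vpn_exclusion_payload(SPOKE_A_VLAN50)
    print(path_for_flow(rules, "10.50.0.20"))            # underlay
    print(path_for_flow(rules, "10.60.0.5"))             # autovpn
    print(path_for_flow(rules, "10.50.0.20", underlay=[]))  # no_underlay_route
```

A traceroute that still shows the hub for a destination the model reports as "underlay" points at the rule not being applied as expected, whereas "no_underlay_route" means the exclusion alone cannot work until the subnet is reachable outside the tunnel.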

3 Replies

ww
Kind of a big deal

Don't think this is possible.

But FYI, spokes always go to hubs. So Spoke A needs to be a hub, and B needs to set that as its primary hub.

Grasshopper
Comes here often

But shouldn't excluding the destination subnet from the VPN tunnel at Spoke B force traffic bound to that subnet through the local default gateway? In the same way that other traffic bound for the internet can be excluded from the VPN. 

ww
Kind of a big deal

I misunderstood your question.

I guess that should work, if Spoke A's subnet/VLAN 50 is reachable via your underlay.

Best to call Meraki support to check why it would not be using local breakout.
