Meraki

Grasshopper · ‎Aug 2 2022

Good Morning -

I have multiple Meraki AutoVPN spoke sites which interconnect via a Hub concentrator.

Hub

Spoke A (Provisioning VLAN 50)

Spoke B

Spoke C

etc

I need to configure traffic from spoke site to bypass the VPN concentrator and communicate directly to Spoke A, to reduce hops and latency for imaging. However I only want this to affect traffic destined for the Provisioning VLAN 50 located at Spoke A, with all other traffic still routing through the S2S VPN as normal.

It seems there may be a few different ways to do this, I'm just researching and trying to determine the best and most secure option. I've configured a local internet breakout L3 rule on Spoke B to test, which should be excluding any protocol and port destined for the Provisioning VLAN 50 from the AutoVPN tunnel, however tracing to the VLAN 50 gateway IP, it appears that my traffic is still going through the concentrator Hub.

Any input or ideas would be very appreciated! Thank you!

ww · ‎Aug 2 2022

Dont think this is possible.

But fyi, Spokes always go to hubs. So spoke A needs to be a hub. And b needs to set that as primary hub

Grasshopper · ‎Aug 2 2022

But shouldn't excluding the destination subnet from the VPN tunnel at Spoke B force traffic bound to that subnet through the local default gateway? In the same way that other traffic bound for the internet can be excluded from the VPN.

ww · ‎Aug 3 2022

I misunderstood your question.

I guess that should work... , if spoke A subnet/vlan 50 is reachable at your underlay.

Best call meraki support to check why it would be not using local breakout.

Meraki

Community

Best method to exclude traffic destined for a specific VLAN between two spokes from S2S tunnel?

Best method to exclude traffic destined for a specific VLAN between two spokes from S2S tunnel?