Centralized routing for specific destinations

Solved
JpAlvesCroce22
Just browsing

Hello everyone!
I'd like to comment on a problem that we need to resolve in our organization.
Currently, the internet is resolved locally in each of our Spokes.
The requirement we have is that we need to resolve some URLs centrally through one of our central sites (HUB).
The problem is that the site to be resolved does not have a fixed IP address, since we resolve it through Cloudflare Workers and the address rotates.
Can you think of how I could resolve this point?


Thanks!

1 Accepted Solution
PhilipDAth
Kind of a big deal

There are no simple easy solutions.

If you get an SDWAN Plus licence, you could use a full tunnel back to your main site, and then use the Local Internet Breakout option to override the full tunnel for major traffic types.

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

You could consider deploying a proxy at your main site (I like using HAProxy for this), and create an internal DNS entry for the domain pointing to the HAProxy.

Another option would be to consider going SASE with Cisco SecureConnect Plus. This will send your Internet traffic via Cisco Umbrella (for all sites), and you have the Umbrella IP address ranges whitelisted.

https://documentation.meraki.com/CiscoPlusSecureConnect
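As an added illustration of the HAProxy option above (this is example configuration written for this page, not the poster's or the thread's own), here is a hub-side HAProxy config that keeps re-resolving the Worker hostname so the rotating address is followed, and passes TLS through untouched so the spokes still validate the real certificate. The name app.example.com, the resolver 10.0.0.53 and the spoke range 10.0.0.0/8 are placeholders.

```haproxy
# Added example, not from the thread. Placeholders: app.example.com (the
# Worker-hosted name), 10.0.0.53 (the hub's internal resolver), 10.0.0.0/8
# (spoke LAN ranges). Spokes get an internal DNS record for
# app.example.com that points at this HAProxy host.
global
    log stdout format raw local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Runtime DNS: the backend address is re-resolved on the hold interval, so a
# rotating Cloudflare Workers IP is picked up without editing this file.
resolvers hubdns
    nameserver dns1 10.0.0.53:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      30s

frontend worker_in
    bind *:443
    # Only accept connections arriving over the AutoVPN from spoke LANs.
    acl from_spokes src 10.0.0.0/8
    tcp-request connection reject if !from_spokes
    default_backend worker_out

backend worker_out
    # TCP passthrough: TLS is not terminated here, so clients still verify the
    # certificate for app.example.com and the SNI they send is preserved.
    server worker app.example.com:443 resolvers hubdns resolve-prefer ipv4 init-addr none check
```

Only the names whose internal DNS record points at the proxy take this path; everything else keeps breaking out locally at the spoke, which is the "breakout in reverse" the question asks for.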

4 Replies
KH
Meraki Employee

Hey @JpAlvesCroce22 

 

Do you know if the URL at least uses the same subnet for its IP address? Assuming it uses something like 50.0.0.0/28 you could set that subnet as a local network on the hub and then traffic destined to that IP range will always flow through the hub instead of out of the WAN. This is also assuming the hub is in VPN Concentrator mode.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it

It is possible to obtain the Cloudflare Worker segment; the problem is that these same Workers resolve many URLs, which we do not want to be consumed in a centralized way.
It would have to be a solution like the internet breakout in reverse, since we do not have Full-tunnel in our Auto-VPNs.
Would it be possible to route through FQDN?

Hey @PhilipDAth 
Thanks for the reply.
It is clear that I am not going to get a simple solution.

From what I have been looking at, the SD-WAN Plus license is not a requirement, only for exclusions based on applications.
Likewise, taking this path would imply making a design change to the Networking architecture and we have to evaluate that with more time.

The other alternatives would have to be seen together with our cybersecurity team, since we are using Umbrella (Roaming-Client).

Ultimately, I understand that there is no current capability in the MX devices that can solve this problem.

Thanks!
