Meraki

Community

Cisco Meraki SD-WAN Traffic design

Linus_S
Conversationalist
yesterday
yesterday

Cisco Meraki SD-WAN Traffic design

Hi Folks,

 

We want to design the SD-WAN in Hub-Spoke mode.

1. For traffic between Hubs, VLAN1 some traffic forwarded to the Internet from Local WAN(e.g. , Microsoft 365 traffic).

But VLAN1, some traffic needs to be forwarded to other Hub A sites(e.g., Youtube traffic).

 

2. For traffic between Hub and Spoke, VLAN 1 some traffic from the Spoke site needs to be forwarded to the Internet from the Local WAN(e.g., Microsoft 365 traffic).

But VLAN1 some traffic needs to be forwarded to the Hub A MX site(e.g., Youtube traffic), and VLAN1 some traffic needs to be forwarded to The Hub B site(e.g., Github traffic).

 

This requirement can be met in Cisco Viptela SD-WAN, but how can it be configured and implemented in Meraki?

 

Meraki SD-WAN.jpg

Labels:
0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
yesterday
yesterday

You create a VPN Full tunnel exclusions.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...

 

More specifically, you want to use the Smart Breakout.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...

 

Note that this needs the "SD-WAN+" licence.

Linus_S
Conversationalist
4 hours ago
4 hours ago

Hi Philip,

 

Thanks for your quick reply.

After checking the document.

The solution shared in this document cannot fully meet our needs.

This is because it relies on setting other sites as exit points and excluding certain applications.

For Hub nodes, setting the exit point to another Hub will cause all applications not excluded to be forwarded through the Tunnel.

We only want to send a small portion of traffic from specific applications through the Tunnel to other Hubs.

0 Kudos
In response to Linus_S
Mloraditch
Kind of a big deal
Kind of a big deal
3 hours ago
3 hours ago

You can technically do that if your Hubs are concentrators (or have another firewall to send traffic to) AND you can define the services via static routes. I.e. if you want to reach X.X.X.X/Y via Hub 1 you can advertise that from that Hub. 

Unless the services in question have fixed IPs, you would not be able to do this.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
2 hours ago
2 hours ago

The options are:
Full tunnel to a primary Hub with secondary Hubs.
Full tunnel like above but with exclusions (based on a few applications or domain names or IP's) that then do DIA.  (this is what @PhilipDAth suggested).
Split tunnel where you only send private traffic to the primary HUB with failover HUB options.  And then use the SD-WAN to choose which uplink.

You can't decide which hub to take based on application or to have most of the traffic DIA and then choose specifics to go over the SD-WAN.  You can choose which uplink is used for Youtube by using SD-Internet but that will also be a DIA.

I'm not too familiar with the Viptela based SD-WAN from Cisco but I'm sure you'll find more granular options there.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.