Meraki

Community

How can I bypass a 3rd Party VPN that is advertising the default route.

MickeyDawson
Comes here often
‎Jun 16 2018 3:56 AM
‎Jun 16 2018 3:56 AM

How can I bypass a 3rd Party VPN that is advertising the default route.

I have a scenario where ALL traffic from the MX is to traverse a VPN to the internet via a centralised cloud security service.

The 3rd party VPN advertises the 0.0.0.0/0 so that the VPN is used as the default gateway.

Its working fine.

However there will be exceptions where some LAN traffic will be required to use the WAN 0.0.0.0/0 to retain the local sites source IP in the UK for web site / vpn authentication purposes and not the VPN 0.0.0.0/0.

The MX has the ability to add static routes however they only apply to LAN interfaces and do not override the 0.0.0.0/0 behavior.

I tried adding a static to Google 8.8.8.8/32 and passing it to a LAN port VLAN that was not in the 'use VPN' list however the traffic got terminated by the MX which returns pings <1ms so its staying local.

I guess I could add a static to a 3rd party device on a VLAN in my attempt to get the traffic to 8.8.8.8 to use a different path to the internet but that means adding additional LAN hardware.

Can anyone think how the MX could be configured to route specific traffic via the WAN 0.0.0.0/0 and override the VPN learned 0.0.0.0/0 ?

This is so frustrating as all we need is a static routing capability that works with WAN interfaces and not just LAN so we can override the default path.

 

0 Kudos
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 16 2018 11:43 AM
‎Jun 16 2018 11:43 AM

That is a tricky one.

You might be able to add a second Internet circuit and use traffic shaping to force the traffic out the second WAN port. 

0 Kudos
In response to PhilipDAth
MickeyDawson
Comes here often
‎Jun 16 2018 11:47 AM
‎Jun 16 2018 11:47 AM

Yep I agree Phil I think that should work 🙂 and is possibly the cheapest alternative being the cost of maybe a cheap cct.
0 Kudos
In response to MickeyDawson
benny
Getting noticed
‎Jun 24 2018 8:43 PM
‎Jun 24 2018 8:43 PM

Hi MickeyDawson,

 

Have you contacted someone at support? They seem to have a few tricks up their sleeves that are not publicly shared. Perhaps run your scenario with them and see if they can build you a solution.

 

 

0 Kudos
In response to benny
MickeyDawson
Comes here often
‎Jun 25 2018 11:35 AM
‎Jun 25 2018 11:35 AM

I have spoken with our Meraki SE and he thinks that bypassing a Meraki - Meraki VPN is something they do support for SDWAN features but we're not sure if this also works for 3rd parties well, at least I cannot find a way to do it 🙂

Just wondered if this has ever come up before.

0 Kudos
In response to MickeyDawson
Lapinou
New here
‎Jan 18 2019 6:30 AM
‎Jan 18 2019 6:30 AM

@MickeyDawson wrote:

I have spoken with our Meraki SE and he thinks that bypassing a Meraki - Meraki VPN is something they do support for SDWAN features

 

Hi,

 

I am interested in this solution in a full Meraki VPN environment.
How do we route traffic from a local vlan X to the local Internet Breakout, and traffic from a vlan Y to a centralized Internet through the VPN?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.