How can I bypass a 3rd Party VPN that is advertising the default route.

MickeyDawson
Comes here often

How can I bypass a 3rd Party VPN that is advertising the default route.

I have a scenario where ALL traffic from the MX is to traverse a VPN to the internet via a centralised cloud security service.

The 3rd party VPN advertises the 0.0.0.0/0 so that the VPN is used as the default gateway.

Its working fine.

However there will be exceptions where some LAN traffic will be required to use the WAN 0.0.0.0/0 to retain the local sites source IP in the UK for web site / vpn authentication purposes and not the VPN 0.0.0.0/0.

The MX has the ability to add static routes however they only apply to LAN interfaces and do not override the 0.0.0.0/0 behavior.

I tried adding a static to Google 8.8.8.8/32 and passing it to a LAN port VLAN that was not in the 'use VPN' list however the traffic got terminated by the MX which returns pings <1ms so its staying local.

I guess I could add a static to a 3rd party device on a VLAN in my attempt to get the traffic to 8.8.8.8 to use a different path to the internet but that means adding additional LAN hardware.

Can anyone think how the MX could be configured to route specific traffic via the WAN 0.0.0.0/0 and override the VPN learned 0.0.0.0/0 ?

This is so frustrating as all we need is a static routing capability that works with WAN interfaces and not just LAN so we can override the default path.

 

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal

That is a tricky one.

You might be able to add a second Internet circuit and use traffic shaping to force the traffic out the second WAN port. 

MickeyDawson
Comes here often

Yep I agree Phil I think that should work 🙂 and is possibly the cheapest alternative being the cost of maybe a cheap cct.
benny
Getting noticed

Hi MickeyDawson,

 

Have you contacted someone at support? They seem to have a few tricks up their sleeves that are not publicly shared. Perhaps run your scenario with them and see if they can build you a solution.

 

 

MickeyDawson
Comes here often

I have spoken with our Meraki SE and he thinks that bypassing a Meraki - Meraki VPN is something they do support for SDWAN features but we're not sure if this also works for 3rd parties well, at least I cannot find a way to do it 🙂

Just wondered if this has ever come up before.

Lapinou
New here


@MickeyDawson wrote:

I have spoken with our Meraki SE and he thinks that bypassing a Meraki - Meraki VPN is something they do support for SDWAN features


 

Hi,

 

I am interested in this solution in a full Meraki VPN environment.
How do we route traffic from a local vlan X to the local Internet Breakout, and traffic from a vlan Y to a centralized Internet through the VPN?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels