How can I bypass a 3rd Party VPN that is advertising the default route.

Comes here often

I have a scenario where ALL traffic from the MX is to traverse a VPN to the internet via a centralised cloud security service.

The 3rd party VPN advertises the 0.0.0.0/0 so that the VPN is used as the default gateway.

It's working fine.

However, there will be exceptions where some LAN traffic will be required to use the WAN 0.0.0.0/0, to retain the local site's source IP in the UK for web site / VPN authentication purposes, and not the VPN 0.0.0.0/0.

The MX has the ability to add static routes; however, they only apply to LAN interfaces and do not override the 0.0.0.0/0 behavior.

I tried adding a static route to Google 8.8.8.8/32 and passing it to a LAN port VLAN that was not in the 'use VPN' list; however, the traffic got terminated by the MX, which returns pings <1ms, so it's staying local.

I guess I could add a static route to a 3rd-party device on a VLAN in my attempt to get the traffic to 8.8.8.8 to use a different path to the internet, but that means adding additional LAN hardware.

Can anyone think how the MX could be configured to route specific traffic via the WAN 0.0.0.0/0 and override the VPN-learned 0.0.0.0/0?

This is so frustrating, as all we need is a static routing capability that works with WAN interfaces and not just LAN, so we can override the default path.
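The behaviour described in the post above (a more specific static route wins over the default, but its next hop is a LAN VLAN, so nothing ever selects the WAN default while the VPN-learned 0.0.0.0/0 is present) can be reproduced with a small longest-prefix-match simulation. This is an added example, not code from the thread or from Meraki; the routing table, interface names ("wan1", "vpn-cloud", "vlan20-nexthop") and preference values are constructed, and modelling MX route selection as plain longest-prefix match with a preference tie-break is an assumption.

```python
import ipaddress

# Constructed routing table approximating the scenario in the post above.
# Assumption: route selection is modelled as plain longest-prefix match with a
# preference tie-break; the real MX selection logic is not documented here.
ROUTES = [
    # the MX's own default route out of its WAN uplink
    {"prefix": "0.0.0.0/0", "via": "wan1", "source": "wan-default", "pref": 20},
    # the 0.0.0.0/0 learned from the third-party cloud security VPN
    {"prefix": "0.0.0.0/0", "via": "vpn-cloud", "source": "vpn-learned", "pref": 10},
    # the LAN static route the poster tried: 8.8.8.8/32 towards a VLAN next hop
    {"prefix": "8.8.8.8/32", "via": "vlan20-nexthop", "source": "lan-static", "pref": 5},
]


def lookup(dst, routes=ROUTES):
    """Return the winning route for dst: longest prefix first, then lowest pref."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, r["pref"]),
    )


def egress_map(destinations, routes=ROUTES):
    """Map each destination to the interface its traffic leaves on."""
    return {d: (lookup(d, routes) or {}).get("via") for d in destinations}


def keeps_local_source_ip(dst, routes=ROUTES):
    """True only if the traffic egresses directly via the WAN uplink."""
    r = lookup(dst, routes)
    return r is not None and r["via"] == "wan1"


def without(routes, source):
    """Copy of the table with routes from one source removed (e.g. VPN down)."""
    return [r for r in routes if r["source"] != source]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "1.1.1.1"):
        r = lookup(dst)
        print(dst, "->", r["via"], "| keeps local IP:", keeps_local_source_ip(dst))
    # Only withdrawing the VPN-learned default makes the WAN default win.
    print("VPN withdrawn:", egress_map(["1.1.1.1"], without(ROUTES, "vpn-learned")))
```

Running it shows the two outcomes the poster observed: 8.8.8.8 is captured by the /32 and handed to the LAN VLAN, everything else follows the VPN default, and the WAN default is only ever selected once the VPN route disappears, which is why a LAN-only static route cannot provide the "keep the local source IP" exception.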


5 REPLIES
Kind of a big deal

Re: How can I bypass a 3rd Party VPN that is advertising the default route.

That is a tricky one.

You might be able to add a second Internet circuit and use traffic shaping to force the traffic out the second WAN port. 

Comes here often

Re: How can I bypass a 3rd Party VPN that is advertising the default route.

Yep, I agree Phil, I think that should work 🙂 and it is possibly the cheapest alternative, being the cost of maybe a cheap cct.

Getting noticed

Re: How can I bypass a 3rd Party VPN that is advertising the default route.

Hi MickeyDawson,


Have you contacted someone at support? They seem to have a few tricks up their sleeves that are not publicly shared. Perhaps run your scenario with them and see if they can build you a solution.


Comes here often

Re: How can I bypass a 3rd Party VPN that is advertising the default route.

I have spoken with our Meraki SE, and he thinks that bypassing a Meraki-to-Meraki VPN is something they do support for SD-WAN features, but we're not sure if this also works for 3rd parties. Well, at least I cannot find a way to do it 🙂

Just wondered if this has ever come up before.

New here

Re: How can I bypass a 3rd Party VPN that is advertising the default route.

> @MickeyDawson wrote:
>
> I have spoken with our Meraki SE and he thinks that bypassing a Meraki - Meraki VPN is something they do support for SDWAN features

Hi,


I am interested in this solution in a full Meraki VPN environment.
How do we route traffic from a local VLAN X to the local Internet breakout, and traffic from a VLAN Y to a centralized Internet through the VPN?
