Hub and Spoke Configuration with local breakout of Office 365 traffic

VAdmin
Here to help


Team,

 

We have two sites, with the HO having a Meraki one-arm configured as VPN concentrator. The branch location has a Meraki configured in routed mode. We have Auto VPN configured between these, and the HO Meraki is the hub for the branch location. Hence all the traffic, including Internet, flows through the HO location. We have a requirement to have Office 365 traffic break out locally from the branch office rather than getting backhauled from the HO location. Please let us know how we can configure this.

 

Thanks

 

RaphaelL
Kind of a big deal

I think this could simply be done with a split tunnel. 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

 

Sections: Default Route / Tunneling

VAdmin
Here to help

Thank you for your response. Unfortunately I have an MX100, not an MX-Z. I do not get this option of split tunnel.

RaphaelL
Kind of a big deal

On your MX that is configured in routed mode you should be able to see those options : 

 

Security & SD-WAN -> Site-to-site VPN

 

[Screenshot: splittunnel.png]

 

 

Those options are not available on the MX that is configured as one-arm VPN concentrator

VAdmin
Here to help

Thank you. Yes, I can see these options on my branch Meraki. We have it configured as hub (mesh) on my branch. Where can I see the split tunnel option?

BrechtSchamp
Kind of a big deal


@VAdmin wrote:

Thank you for your response. Unfortunately I have an MX100, not an MX-Z. I do not get this option of split tunnel.


Don't panic, there's no such thing as an MX-Z; that's just Meraki speak for "any MX or Z device", Z being the teleworker devices.

VAdmin
Here to help

Okay got it thanks 

Uberseehandel
Kind of a big deal

Why not let the Office users communicate directly with Office365/Azure cloud? It's encrypted. Local directories may be synch'ed with OneDrive.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
VAdmin
Here to help

Yes, right, I want the office users to communicate directly without going through the tunnel. Hence I am looking for that configuration.

PhilipDAth
Kind of a big deal

I'm a bit hazy on this, but I'm pretty sure support can enable the bypassing of full tunnel for specific IP addresses/ranges.  You have to open a support case.  I would do this and ask about those capabilities.

 

Your problem will be that Office 365 will have lots and lots of IP address ranges.

 

 

I would investigate re-engineering the network so you don't use a centralised Internet access and instead use local break out for everything.

Uberseehandel
Kind of a big deal

I would investigate re-engineering the network so you don't use a centralised Internet access and instead use local break out for everything.

 

I absolutely endorse this suggestion from @PhilipDAth . We have moved to having all servers/storage in the Cloud and being very SAASy.

It works, and it is very cost effective.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
VAdmin
Here to help

Thank you.

Uberseehandel
Kind of a big deal

Quote - 

 

Your problem will be that Office 365 will have lots and lots of IP address ranges.

 

Conveniently, MS has a new service to supply the required IP addresses - Office 365 URLs and IP address ranges 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
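
The "lots and lots of IP address ranges" problem raised in this thread can be handled by filtering and collapsing the published endpoint list before it becomes a set of tunnel-bypass prefixes. This is an added example, not code from any poster, Meraki or Microsoft; the records below are constructed (documentation prefixes), and the field names `category`, `required` and `ips` are assumed to match the JSON returned by the Office 365 endpoint service.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the endpoint service's JSON.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not real Office 365 ranges.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "ips": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/48"], "tcpPorts": "80,443"},
  {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "ips": ["198.51.100.0/24"], "tcpPorts": "443"},
  {"id": 3, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["*.cdn.example.test"], "tcpPorts": "443"},
  {"id": 4, "serviceArea": "Skype", "category": "Allow", "required": true,
   "ips": ["203.0.113.0/24", "198.51.100.0/25"], "tcpPorts": "443"}
]
""")


def breakout_prefixes(endpoints, categories=("Optimize",), ipv4_only=True):
    """Return the minimal list of CIDR prefixes to exclude from the full tunnel.

    Only required entries in the chosen categories are kept, so everything
    else continues to flow through the hub. URL-only entries (no "ips" key)
    cannot be expressed as prefixes and are skipped.
    """
    nets = []
    for entry in endpoints:
        if entry.get("category") not in categories:
            continue
        if not entry.get("required", False):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if ipv4_only and net.version != 4:
                continue
            nets.append(net)
    # collapse_addresses() rejects mixed IPv4/IPv6 input, so collapse per family.
    collapsed = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same_family))
    return [str(n) for n in collapsed]


if __name__ == "__main__":
    for prefix in breakout_prefixes(SAMPLE_ENDPOINTS):
        print(prefix)
```

Keeping the list to the Optimize category limits how much branch traffic leaves without passing through the hub; how the resulting prefixes are applied on the MX is outside this example.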