Hub and Spoke Configuration with local breakout of Office 365 traffic

VAdmin
Here to help

Hub and Spoke Configuration with local breakout of Office 365 traffic

Team,

 

We have two sites with HO having Meraki One arm configured as VPN Concentrator. The branch location is with Meraki configured in routed mode. We have auto vpn configured between these and HO Meraki is hub for the Branch location. Hence all the traffic including Internet flows through HO location. We have a requirement to have Office 365 traffic breakout locally from Branch office rather getting back hauled from HO locations. Please let us know how we can configure this.

 

Thanks

 

12 Replies 12
RaphaelL
Kind of a big deal
Kind of a big deal

I think this could simply be done with a split tunnel. 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

 

Sections : Default Route   / Tunneling

Thank you for your response. Unfortnately I have MX100 not a MX-Z. I do not get this option of split tunnel.

RaphaelL
Kind of a big deal
Kind of a big deal

On your MX that is configured in routed mode you should be able to see those options : 

 

Security & SD-WAN -> Site-to-site VPN

 

splittunnel.png

 

 

Those options are not available on the MX that is configured as one-arm VPN concentrator

Thank you. Yes I can see these options on my branch meraki. We have configured as hub mesh on my branch. Where can I see the split tunnel option?

BrechtSchamp
Kind of a big deal


@VAdmin wrote:

Thank you for your response. Unfortnately I have MX100 not a MX-Z. I do not get this option of split tunnel.


Don't panic there's no such thing as an MX-Z, that's just Meraki speak for "any MX or Z device", Z being the teleworker devices.

Okay got it thanks 

Why not let the Office users communicate directly with Office365/Azure cloud? Its encrypted. Local directories may be synch'ed with OneDrive.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Yes right I want the office users to communicate directly without going through the tunnel. Hence looking for that configuration.

PhilipDAth
Kind of a big deal
Kind of a big deal

I'm a bit hazy on this, but I'm pretty sure support can enable the bypassing of full tunnel for specific IP addresses/ranges.  You have to open a support case.  I would do this and ask about those capabilities.

 

Your problem will be that Office 365 will have lots and lots of IP address ranges.

 

 

I would investiagte re-engineering the network so you don't use a centralised Internet access and instead use local break out for everything.

I would investigate re-engineering the network so you don't use a centralised Internet access and instead use local break out for everything.

 

I absolutely endorse this suggestion from @PhilipDAth . We have moved to having all servers/storage in the Cloud and being very SAASy.

It works, and it is very cost effective.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thank you.

Quote - 

 

Your problem will be that Office 365 will have lots and lots of IP address ranges.

 

Conveniently, MS has a new service to supply the required IP addresses - Office 365 URLs and IP address ranges 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels