We have a setup where all our remote sites' Internet access breaks out locally through Zscaler tunnels. If a remote site's Internet link goes down, we would like to route the entire site's Internet traffic to the DC and get access from the DC Internet links. Is this achievable automatically? I know we can achieve this by manually adding a default route from Site-to-Site VPN --> Hubs --> tick on IPv4 default route.
Any thoughts or advice on how we can achieve this?
Note: Each remote site has 2 links - Primary - Internet and Backup - MPLS
I'm absolutely not into API, but maybe code a script which checks if the primary uplink is working and, if not, automatically changes routes?
On the other hand, shouldn't this work with SD-WAN & traffic shaping on your MX?
@MarcP thanks for your reply. Maybe we need to try through the API, but I tried to find the required information in the Meraki documentation and was not able to find it 😞
Regarding your screenshot: this prioritises the Internet traffic. By default it always takes the WAN, and we can forcefully move some traffic to the other link, but this will not help us fail over automatically.
"Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down."
@ww thanks for your reply. This is not for a non-Meraki VPN peer. What I am looking for is: if my Internet link (local breakout for Internet, and ready to take traffic for MPLS) goes down at one of my remote sites, that site should take the Internet from my DC (HUB1). Is this achievable?
I was assuming you had some 3rd party VPN tunnel with a default route to Zscaler.
Where does your default route at the mpls provider go? Because if you use a default route provided at your dc then traffic always would flow that way. Like this design: https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
@ww at the moment the default route is local Internet. If local Internet goes down, we want to route Internet traffic to the DC Internet link via the MPLS link by clicking the default route from Site-to-Site VPN --> Hubs --> tick on IPv4 default route. We are doing this manually, but we want to make it automatic.
So that's not possible unless you make something work with the API.
But local breakout at mpls, default route from the dc, as described in above url should be possible
Not with Zscaler.
Should be possible with Umbrella using the SD-WAN integration. In this configuration, the tunnels are not "static" but dynamically built. If the tunnel over the primary fails it will rebuild over the backup.
@PhilipDAth thanks for your reply, sorry for the confusion. I am talking about Meraki-to-Meraki tunnels, one through MPLS and the other through DIA. The same DIA link will be used for local breakout for the same sites. If the DIA link goes down, the site should be able to access the Internet through HUB1. How is this achievable automatically?
You can't achieve this with Zscaler. You have a non-Meraki site-to-site VPN to Zscaler to the primary interface of the MX. Sure, the MX can fail over; it will try and build the VPN from the MPLS interface, but the VPN to Zscaler won't come up as Zscaler will only be expecting it to come from the IP address of the primary interface.
You need something like Cisco Umbrella SIG which has failover support.
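
Added example, not part of the thread and not Meraki's own code: the API approach suggested above (poll the primary uplink, then toggle the hub's IPv4 default route), reduced to its decision logic with no network calls. It assumes WAN 1 is the DIA link, and the sample data is constructed in the shape of the Dashboard API v1 responses from `GET /organizations/{organizationId}/appliance/uplink/statuses` and `GET /networks/{networkId}/appliance/vpn/siteToSiteVpn`; the network and hub IDs are placeholders.

```python
import copy

DIA_INTERFACE = "wan1"  # assumption: the DIA/Internet uplink is WAN 1
FAIL_THRESHOLD = 3      # assumption: consecutive bad polls before failing over

# Constructed sample data (placeholder IDs, not from a real organization)
SAMPLE_DOWN = {"networkId": "N_SPOKE", "uplinks": [
    {"interface": "wan1", "status": "failed"},
    {"interface": "wan2", "status": "active"}]}
SAMPLE_VPN = {"mode": "spoke",
              "hubs": [{"hubId": "N_HUB1", "useDefaultRoute": False}],
              "subnets": [{"localSubnet": "10.1.0.0/24", "useVpn": True}]}

def dia_is_up(device_status):
    """True if the DIA uplink in one uplink-statuses entry is usable."""
    for uplink in device_status.get("uplinks", []):
        if uplink.get("interface") == DIA_INTERFACE:
            return uplink.get("status") in ("active", "ready")
    return False  # interface missing from the report: treat as down

def next_state(bad_polls, device_status):
    """Return (new_bad_poll_count, want_default_route_via_hub).
    Fails over after FAIL_THRESHOLD bad polls, fails back on the first good one."""
    bad_polls = 0 if dia_is_up(device_status) else bad_polls + 1
    return bad_polls, bad_polls >= FAIL_THRESHOLD

def plan_vpn_update(current_vpn, hub_id, want_default_route):
    """Return the body for PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn,
    or None when the hub already has the wanted useDefaultRoute value."""
    if current_vpn.get("mode") != "spoke":
        raise ValueError("network is not a VPN spoke")
    body = copy.deepcopy(current_vpn)  # never mutate the fetched config
    for hub in body.get("hubs", []):
        if hub.get("hubId") == hub_id:
            if hub.get("useDefaultRoute") == want_default_route:
                return None  # no change needed, skip the API write
            hub["useDefaultRoute"] = want_default_route
            return body
    raise ValueError("hub %s is not configured on this spoke" % hub_id)
```

Sending the full fetched settings back with only `useDefaultRoute` changed keeps the spoke's other hubs and subnets intact, and the threshold keeps a single missed poll from moving the whole site's Internet traffic onto the MPLS path.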