Is it possible: VPN Enabled VLAN but with local default route?

Solved
Luggage

For what seems like a pretty basic SD-WAN feature on other platforms that I can't figure out here: I have a Hub-and-Spoke AutoVPN, with the Site-to-Site VPN setting on the spokes configured to obtain the IPv4 default route via the Hub appliance.

VPN-enabled VLANs at the spokes obtain this as expected, plus the DC prefixes I specify on the hub - that's all fine.

 

I have a VPN-disabled VLAN that I want for local internet access only (guest) - that's fine.

I have another VLAN that I want to be VPN-enabled, so devices on it can be in-band managed from across the WAN (AutoVPN), but which I require to *not* obtain the IPv4 default route from the Hub appliance. I want the default route to NAT out via the local internet, the same as if it were VPN-disabled, or to have the entire spoke not receive the default route from the Hub appliance.

I can use VPN exclusions for specific prefixes and FQDNs and do local breakout... sometimes this works, but it's high maintenance, prone to breaking, and is a mammoth config for the requirements of the devices on this VLAN.

I don't want to have to deploy a separate gateway device and add a static default route to it... for 120 spokes. Source-based routes... it would be nice if they would let you route + NAT out your local WAN interface.

Anyone been able to accomplish this in a way I've missed?

1 Accepted Solution
GreenMan
Meraki Employee

I think the trick here is to NOT advertise the default route as part of the general AutoVPN setup. This would cause your VLAN 254 to break out locally, as you desire. You'd then set your other VPN-enabled VLANs to use source-based default routing over VPN to your chosen Hub.

https://documentation.meraki.com/MX/Networks_and_Routing/Source_Based_Default_Routing

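As an added example (not code from this thread or from Cisco Meraki), the script below covers the first half of the accepted answer across a fleet of spokes: it audits each spoke's site-to-site VPN configuration for a hub that still advertises the default route, clears that flag, and builds the API update, while leaving VPN subnet membership untouched so the management VLAN stays reachable over AutoVPN. It assumes the JSON shape returned by the Meraki Dashboard API endpoint GET/PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn (mode, hubs[].hubId, hubs[].useDefaultRoute, subnets[].localSubnet, subnets[].useVpn); the sample payload and network IDs are constructed for the example. The second half of the answer, the per-VLAN source-based default route, is configured in the dashboard per the linked documentation and is not covered here.

```python
"""Audit and rewrite spoke site-to-site VPN settings so that no hub
advertises 0.0.0.0/0 into the spoke (added example; hypothetical data)."""
import copy
import json

# Assumption: Meraki Dashboard API v1 base URL.
BASE_URL = "https://api.meraki.com/api/v1"

# Constructed sample: one hub pushing the default route, a user VLAN and
# VLAN 254 in the VPN, and a guest VLAN that already breaks out locally.
SAMPLE_SPOKE_VPN = {
    "mode": "spoke",
    "hubs": [{"hubId": "N_000000000000000001", "useDefaultRoute": True}],
    "subnets": [
        {"localSubnet": "10.10.10.0/24", "useVpn": True},    # users
        {"localSubnet": "10.10.20.0/24", "useVpn": False},   # guest
        {"localSubnet": "10.10.254.0/24", "useVpn": True},   # VLAN 254 mgmt
    ],
}


def hubs_advertising_default_route(cfg):
    """Return the hub IDs that push the default route to this spoke."""
    return [h["hubId"] for h in cfg.get("hubs", []) if h.get("useDefaultRoute")]


def disable_hub_default_route(cfg):
    """Return a copy with useDefaultRoute cleared on every hub.

    Subnets are not touched: VPN-enabled VLANs stay reachable over AutoVPN,
    they simply no longer inherit 0.0.0.0/0 from the hub, so their internet
    traffic NATs out the spoke's local WAN until a source-based default
    route is added for the VLANs that should go via the hub."""
    new_cfg = copy.deepcopy(cfg)
    for hub in new_cfg.get("hubs", []):
        hub["useDefaultRoute"] = False
    return new_cfg


def vpn_enabled_subnets(cfg):
    """Subnets that remain in the AutoVPN after the change."""
    return [s["localSubnet"] for s in cfg.get("subnets", []) if s.get("useVpn")]


def build_update(network_id, cfg):
    """Describe the PUT the API expects; nothing is sent from this example."""
    return {
        "network_id": network_id,
        "method": "PUT",
        "url": f"{BASE_URL}/networks/{network_id}/appliance/vpn/siteToSiteVpn",
        "body": json.dumps(cfg),
    }


def plan_changes(spokes):
    """spokes: {network_id: siteToSiteVpn config}. Return updates only for
    spokes that still take the default route from a hub, so a dry run
    across many sites shows exactly which ones will change."""
    updates = []
    for network_id, cfg in spokes.items():
        if cfg.get("mode") == "spoke" and hubs_advertising_default_route(cfg):
            updates.append(build_update(network_id, disable_hub_default_route(cfg)))
    return updates


if __name__ == "__main__":
    for update in plan_changes({"N_example_spoke": SAMPLE_SPOKE_VPN}):
        print(update["method"], update["url"])
        print(update["body"])
```

Run it as a dry run first: `plan_changes` returns the list of PUTs without sending anything, so the list of affected spokes can be reviewed before any request is issued with an API key. Any guest VLAN already marked useVpn false is unaffected either way.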

4 Replies
ww
Kind of a big deal

So you could not use a general VPN default route.

And then use a source-based default route for the VLANs that want to use the MX250 as the default route.

Luggage

Ahh, this is the response I was looking for, and it makes sense to flip that logic around.

One final question: how does next-hop monitoring work with a VPN Hub appliance as the next hop? If I enable this, would an AutoVPN / Hub failure mean traffic routes via the local default route instead?

(Option text from the dashboard route setting:)

While next hop responds to ping
When next hop does not respond to ping, this traffic will go out the WAN appliance's default routes.
Luggage

Thanks both @ww and @GreenMan. That architecture change more or less worked. Maybe a different thread for this, but I noticed that with this method I can no longer do Local Internet Breakout (e.g. for some traffic I want to break out locally on the VLANs where the source-based default route -> Hub has been applied). Any solution to this?
