Local Internet Breakout and Microsoft updates
Hi,
We are in the process of setting up a customer on Meraki SD-WAN and they have the SD-WAN plus licence and will be primarily using full tunnel with some exceptions which was the driver for SD-WAN plus.
One of their requirements is to use a spoke's local internet connection for o365 and Microsoft updates. The o365 seems simple enough, just use the major application that's defined and we should be good to go.
Updates are a bit less clear. Do we need to define some/all of the URLs provided by Microsoft as individual URLs in addition to the major application classes? At best I'd presume that updates for the o365 suite itself would be captured within the Major application but even that's not too clear from what I have seen.
Configuring Application Based VPN Exclusion Rules
Meraki MX supports L7 Application based Local Internet Breakout for the top SD-WAN Applications. The following is the list of applications that can be excluded from the full tunnel VPN.
- Office 365 Suite
- Office 365 Sharepoint
- Skype & Teams
- Webex
- Zoom
- Box
- SalesForce
- SAP
- Oracle
- AWS
Requirements:
The following are the requirements to utilize this feature in a network:
- Meraki AutoVPN support: This feature requires the Meraki MX on MX 15+ series firmware
- Non-Meraki VPN support: This feature requires the Meraki MX on MX 18.1+ series firmware
- Minimum License Type: Secure SD-WAN Plus
- All other requirements listed for IP/URL based Local Internet Breakout
Note: Application-based VPN exclusion rules are only supported on MX/Z devices with the Secure SD-WAN Plus or Secure Teleworker License. For additional info on MX family features and license options, please refer to our Meraki MX Security and SD-WAN Licensing article.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks, I'd seen the documentation pages already. What's not clear from that is if update traffic would be captured as part of this or not?
Could you explain it better?
Please, if this post was useful, leave your kudos and mark it as solved.
If Windows updates and Office updates fall into one of those categories.
Correct, yes. What I'm trying to establish is if some or all updates for Microsoft products/Windows fall under those categories or if we'd need to also manually add the full list of URLs published in addition to the major applications to have updates go direct via the site's local internet.
I think it's possible but not a guarantee that 365 product updates would go direct, but that Windows updates would not, but this is just a hunch. It seems Windows updates would be a common thing to want to have local and not saturate WAN links at the hub.
As far as I know, it's in another category.
- Software & anti-virus updates
Please, if this post was useful, leave your kudos and mark it as solved.
Unfortunately that list isn't available for local internet breakout, only the ones listed above in your first post. Beyond that it seems you need to define by destination CIDR/URL which seems quite cumbersome, especially as you need to define these per network, I don't see an easy way to set this per organisation.
@Finn, were you ever able to figure this out? We are having Windows Update issues now that we activated our Cisco Umbrella SWG. Umbrella is suggesting we use the Local Internet Breakout and use the DNS feature but that has not worked. I added about 6 Microsoft Windows Update domains and updates are still not working. Trying to figure out all the different IP addresses used for Microsoft Updates will be nearly impossible. Meraki and Umbrella support haven't been able to figure out what's going on. Thanks.
