Local Internet Exit (VPN Exclusion) without using Exit Hub (Using source based default route)

Luggage

We have an architecture where each spoke is configured not to use an Exit Hub (configured at template level) to allow us to use source-based default routes per VLAN, as there are some VLANs we are required to have using local Internet exit for all devices on said VLAN, where VPN exclusions / local breakout via IP prefix or FQDN is not possible / too dynamic to maintain the exclusion list.

I've noticed you can't do VPN exclusions if you don't have an Exit Hub configured; you can only have some VLANs not use a source-based default route. We now have a requirement to do this for a secure web gateway proxy we want to have locally exit via IP prefix.

Is there a way we can configure an MX to have both a source-based default route for some VLANs, but with a local exit / VPN exclusion prefix applied on top of these? I feel like it's either one way or the other with the config options I can see, which is only going to address one of our requirements at a time.

Diagram: [image attached to the original post, not reproduced here]

alemabrahao

Unfortunately, the current configuration options in the Meraki Dashboard do not support having both source-based default routes and VPN Exclusions simultaneously without an Exit Hub.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.