Local breakout but Source Based

Solved
beta-389-user

Hi All,

Client ask is to add a new VLAN which should have direct internet breakout with no access to DC services. Currently site has default routes coming from DC hence all internet + VPN traffic goes to DC from site. Restriction to DC services can be set up using group policies but how to allow local breakout for particular VLAN?

In order to manage the request, I need to:

1. Remove IPv4 Default Route checkbox from Hubs under Site-to-Site VPN
2. Select the VLANs that I want to follow the DC path and select the appropriate DC as the next hop for them.

Doing this, the VLANs not selected in step 2 will automatically have local breakout as a by-product of the first two steps.

However, I only see that one DC can be selected as a next hop. What if the primary DC fails, will that route automatically send the traffic to the next available DC hop without explicitly configuring that, or not? What happens when the next hop fails?

Also, is there any other workaround available?

1 Accepted Solution
ww
Kind of a big deal

You can just add a vlan.

Do not select it to be part of vpn.


8 Replies
ww
Kind of a big deal

You can just add a vlan.

Do not select it to be part of vpn.

But given that IPv4 default route is always checked, even if I do not declare that VLAN on VPN, it will still flow via DC, right?

ww
Kind of a big deal

A VLAN that does not participate in VPN will always use local breakout. (Downside is it won't be able to communicate with other VPN locations, if that's a requirement.)

PhilipDAth
Kind of a big deal

Are you sure about this?

PhilipDAth
Kind of a big deal

I am not sure ... but I think what happens is if a VLAN not included in VPN is used on a site configured to full tunnel it NATs that vlan into a 6.X.X.X address, and that can be used to access other sites.

PhilipDAth
Kind of a big deal

Buy an SD-WAN Plus licence for just this one site, and then use the local Internet break out feature.

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2... 

AMP
Meraki Employee

Using the default route option in Auto VPN will send all traffic over to the hub if the source subnet/vlan is set to be included in VPN. This can be seen here: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Default_Route. If the default route option is selected you can use vpn breakout which breaks out traffic from the default route auto vpn based on destination. *SD-WAN rules will not override this default route. So breaking out traffic from the default route based on source is not possible at this time, if that vlan is participating in VPN. You would first need to uncheck the default route option and then you can steer traffic based on source.
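The path-selection rules stated across this thread (a VLAN not in VPN always breaks out locally; a VPN-included VLAN with the default route checked goes to the hub unless the destination matches a full-tunnel exclusion; with the default route unchecked, only traffic to VPN subnets crosses the tunnel) can be modelled so a change like the one the original poster describes is checked before it is applied. The following Python is an added example, not Meraki code and not an API the MX exposes; the `SiteVpnConfig` fields, the `egress_path` function and all subnet values are constructed for illustration, and the model encodes only the behaviour described in the replies above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class SiteVpnConfig:
    """Simplified model of one spoke's Auto VPN settings (constructed, not Meraki's schema)."""
    default_route_to_hub: bool                              # the "IPv4 Default Route" checkbox
    vpn_vlans: dict[str, IPv4Network]                       # VLANs included in VPN
    local_vlans: dict[str, IPv4Network]                     # VLANs not included in VPN
    remote_vpn_subnets: list[IPv4Network]                   # subnets reachable via hubs/other spokes
    exclusions: list[IPv4Network] = field(default_factory=list)  # full-tunnel exclusions (by destination)


def egress_path(cfg: SiteVpnConfig, vlan: str, dst: str) -> str:
    """Return 'local' or 'vpn' for a flow sourced from `vlan` toward `dst`.

    Rules, as described in the thread:
      * a VLAN that does not participate in VPN always breaks out locally;
      * a VPN VLAN reaches advertised VPN subnets over the tunnel;
      * with the default route enabled, everything else from a VPN VLAN also goes
        to the hub, except destinations matching a full-tunnel exclusion;
      * with the default route disabled, non-VPN destinations break out locally.
    """
    target = ip_address(dst)
    if vlan in cfg.local_vlans:
        return "local"
    if vlan not in cfg.vpn_vlans:
        raise KeyError(f"unknown VLAN {vlan!r}")
    if any(target in net for net in cfg.remote_vpn_subnets):
        return "vpn"
    if cfg.default_route_to_hub:
        if any(target in net for net in cfg.exclusions):
            return "local"
        return "vpn"
    return "local"


def vlans_reaching_hub(cfg: SiteVpnConfig, dst: str) -> list[str]:
    """List every VLAN whose traffic to `dst` would transit the hub (useful as a policy check)."""
    return sorted(v for v in list(cfg.vpn_vlans) + list(cfg.local_vlans)
                  if egress_path(cfg, v, dst) == "vpn")


# Constructed sample site: full tunnel to the DC, plus a new guest VLAN kept out of VPN.
SITE = SiteVpnConfig(
    default_route_to_hub=True,
    vpn_vlans={"corp": ip_network("10.10.10.0/24")},
    local_vlans={"guest": ip_network("192.168.50.0/24")},
    remote_vpn_subnets=[ip_network("10.0.0.0/16")],      # DC services
    exclusions=[ip_network("203.0.113.0/24")],           # example SaaS range excluded from full tunnel
)

if __name__ == "__main__":
    for vlan, dst in [("guest", "10.0.1.5"), ("guest", "198.51.100.9"),
                      ("corp", "10.0.1.5"), ("corp", "198.51.100.9"), ("corp", "203.0.113.7")]:
        print(f"{vlan:5s} -> {dst:14s} : {egress_path(SITE, vlan, dst)}")
    print("VLANs sending Internet traffic via hub:", vlans_reaching_hub(SITE, "198.51.100.9"))
```

The point of the check is the last line: with the default route still enabled, only the VPN-included VLAN is listed, which confirms the new VLAN breaks out locally without touching the default-route setting for the rest of the site. Whether the non-VPN VLAN can still reach DC services through some other means is not covered by this model and is what the group-policy restriction mentioned in the question is for.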
