Local breakout from autovpn

DarrenOC
Kind of a big deal


Taken from my LinkedIn feed from Gary Daly


[MX Update] Local Internet Breakout (IP Based) Out Now

One of the most popular asks from our customers is to locally break out certain destination traffic.

We are pleased to announce that Local Internet Breakout for Meraki AutoVPN is officially released for all of our customers.


Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Johann
Getting noticed

What firmware version does the device need to be on to see this change?

Aaron_Wilson
A model citizen

Has anyone tested this? It's not working for me.

I have a spoke site with the default route box checked, so all traffic goes back to the main head-end. I also have a 0.0.0.0/0 route advertised from the hub to the spoke sites.

I added ANY 1.1.1.1/32. If I try to ping from the spoke site Meraki (VLAN, default, or internet) it does not work. Doing a trace from a device connected to the Meraki shows it's still following the default route.

Do we know if routes advertised from the main hub have a higher priority than the VPN exclusion?

Now, if I use traceroute on the Meraki, this uses ONLY the WAN interface rule and bypasses all settings/rules/routes. Works just fine, but this is expected.

An update, if anyone cares.

Support is saying the VPN exclusion is meant to override the default route checkbox, but not routes learned via VPN, which in my mind is pointless.

If a certain route is learned from a hub, but you need to exclude that route at a branch so it goes via the NAT interface, that is what the option should (also) allow.

We have been trying to get this feature to work with a Z1 (running 15.35 firmware) and have not had any success. We have followed this document (https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(IP%2F%2FURL_Based_Lo...) to split out ipchicken.com, but it does not appear to exclude the traffic. We are not advertising a conflicting default route either.
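The precedence rule that support gave in the reply above (an IP-based exclusion overrides the spoke's "default route" checkbox, but never a prefix learned from a hub over AutoVPN) is easy to get wrong when checking a spoke config by eye. The following model is an added example, not Meraki code and not from any poster in this thread; it encodes only that stated rule plus ordinary longest-prefix matching among hub-advertised prefixes, so a reader can plug in their own spoke settings and see whether a destination should break out locally, and which advertised prefix is blocking it if not. `SpokeConfig`, `egress_for` and `conflicting_routes` are names chosen here, and the sample configurations are constructed to mirror the two cases discussed in the thread.

```python
"""Model of MX AutoVPN full-tunnel exclusion precedence, as described in this thread.

Assumed rule (from the support answer quoted above, not from Meraki documentation):
  1. a prefix learned from a hub over AutoVPN always wins (exclusions cannot override it);
  2. otherwise an IP-based exclusion sends the traffic out the local WAN/NAT interface;
  3. otherwise the "default route" checkbox decides between VPN and local WAN.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SpokeConfig:
    default_route_via_vpn: bool                      # the "default route" checkbox on the spoke
    vpn_learned: list = field(default_factory=list)  # prefixes advertised from hub(s), as strings
    exclusions: list = field(default_factory=list)   # IP-based full-tunnel exclusion rules


def conflicting_routes(cfg, dst):
    """Hub-advertised prefixes that cover dst; any of these will keep dst in the tunnel."""
    ip = ipaddress.ip_address(dst)
    return [p for p in cfg.vpn_learned if ip in ipaddress.ip_network(p, strict=False)]


def egress_for(cfg, dst):
    """Return ('vpn' | 'wan', reason) for a destination IP under the assumed rule."""
    ip = ipaddress.ip_address(dst)

    # Rule 1: VPN-learned routes take precedence over any exclusion. An advertised
    # 0.0.0.0/0 is just a very short learned prefix, so it covers every destination.
    learned = [ipaddress.ip_network(p, strict=False) for p in cfg.vpn_learned]
    matches = [n for n in learned if ip in n]
    if matches:
        best = max(matches, key=lambda n: n.prefixlen)   # longest-prefix match
        return "vpn", f"covered by VPN-learned route {best}"

    # Rule 2: exclusions only get a say once no learned route covers the destination.
    if any(ip in ipaddress.ip_network(p, strict=False) for p in cfg.exclusions):
        return "wan", "matched full-tunnel exclusion"

    # Rule 3: the checkbox is the last resort.
    if cfg.default_route_via_vpn:
        return "vpn", "default route checkbox"
    return "wan", "no VPN route; local WAN"


if __name__ == "__main__":
    # Constructed to mirror the spoke described above: checkbox on, hub advertises
    # 0.0.0.0/0, exclusion for 1.1.1.1/32. The exclusion loses to the learned default.
    aaron = SpokeConfig(default_route_via_vpn=True,
                        vpn_learned=["0.0.0.0/0"], exclusions=["1.1.1.1/32"])
    print("1.1.1.1 ->", egress_for(aaron, "1.1.1.1"),
          "blocked by", conflicting_routes(aaron, "1.1.1.1"))

    # Same spoke once the hub stops advertising 0.0.0.0/0: now the exclusion applies.
    fixed = SpokeConfig(default_route_via_vpn=True,
                        vpn_learned=["10.0.0.0/8"], exclusions=["1.1.1.1/32"])
    print("1.1.1.1 ->", egress_for(fixed, "1.1.1.1"))
    print("8.8.8.8 ->", egress_for(fixed, "8.8.8.8"))
```

Running it shows the two outcomes the thread argues about: with 0.0.0.0/0 advertised from the hub, `conflicting_routes` names that prefix as the reason 1.1.1.1 stays in the tunnel; with only a 10.0.0.0/8 advertisement, 1.1.1.1 breaks out locally while 8.8.8.8 still follows the checkbox into the VPN. The model deliberately cannot explain the Z1 case in the last reply (no conflicting advertisement, exclusion still not honoured), because nothing on this page states a rule that would.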
