Meraki

Community

Local breakout from autovpn

DarrenOC
Kind of a big deal
Kind of a big deal
โ€ŽJul 9 2020 2:02 AM
โ€ŽJul 9 2020 2:02 AM

Local breakout from autovpn

Taken from my LinkedIn feed from Gary Daly


[๐Œ๐— ๐”๐ฉ๐๐š๐ญ๐ž] ๐‹๐จ๐œ๐š๐ฅ ๐ˆ๐ง๐ญ๐ž๐ซ๐ง๐ž๐ญ ๐๐ซ๐ž๐š๐ค๐จ๐ฎ๐ญ (๐ˆ๐ ๐๐š๐ฌ๐ž๐) ๐Ž๐ฎ๐ญ ๐๐จ๐ฐ

One of the most popular ask from our customers is to locally breakout certain destination traffic.

We are pleased to announce that Local Internet Breakout for Meraki AutoVPN is officially released for all of our customers.

4939B1CD-55AD-468D-9615-779DB9096CDF.jpeg

โ€ƒ

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
4 Replies 4
Johann
Getting noticed
โ€ŽJul 9 2020 5:13 AM
โ€ŽJul 9 2020 5:13 AM

what version firmware does the device need to be on to see this change?

0 Kudos
Aaron_Wilson
A model citizen
โ€ŽAug 3 2020 1:36 PM
โ€ŽAug 3 2020 1:36 PM

Has anyone tested this? It's not working for me.

 

I have a spoke site with the default route box checked, so all traffic goes back to the main head-end. I also have a 0.0.0.0/0 route advertised from the hub to the spoke sites.

 

I added ANY 1.1.1.1/32. If I try to ping from the spoke site Meraki (vlan, default, or internet) it does not work. Doing a trace from a device connected to the Meraki shows it's still following default route.

 

Do we know if routes advertised from the main hub have a higher priority than the VPN exclusion?

 

Aaron_Wilson_2-1596486832424.png

 

Aaron_Wilson_0-1596486733465.png

 

Aaron_Wilson_1-1596486783585.png

 

 

Now, if I use trace route on the Meraki this uses ONLY the WAN interface rule and bypasses all settings/rules/routes. Works just fine, but this is expected.

 

Aaron_Wilson_3-1596486981688.png

 

0 Kudos
In response to Aaron_Wilson
Aaron_Wilson
A model citizen
โ€ŽAug 20 2020 10:17 AM
โ€ŽAug 20 2020 10:17 AM

An update, if anyone cares.

 

Support is saying the VPN exclusion is meant to override the default route checkbox, but not routes learned via VPN. Which in my mind is pointless.

 

If a certain route is learned from a hub, but you need to exclude that route at a branch so it goes via the NAT interface, that is what the option should (also) allow.

0 Kudos
In response to Aaron_Wilson
jlkeys
New here
โ€ŽSep 14 2020 5:08 AM
โ€ŽSep 14 2020 5:08 AM

We have been trying to get this feature to work with a Z1 (running 15.35 firmware) and have not had any success.  We have followed this document (https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(IP%2F%2FURL_Based_Lo...) to split out ipchicken.com, but it does not appear to exclude the traffic.  We are not advertising a conflicting default route either.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
ยฉ 2025 Cisco Systems, Inc.