MX Local Breakout Validation

Solved
padgettmv
Here to help


I've been digging through the Meraki documentation and searched the forums and couldn't find a definitive answer (or didn't interpret one from what I read).

I'm looking for a way to validate the routing direction for traffic. If there is a specific screen that can be used to confirm configured breakout traffic is indeed routing locally versus over the VPN to the Hub.

I know VPN Status shows traffic that flows over the VPN, but the destination only reflects the destination IP, not the App ID (with smart breakout). Makes it difficult to confirm for sure by evaluating what is or is not there.

Does something like that exist and maybe I just overlooked it?

1 Accepted Solution
Mloraditch
Kind of a big deal

I can't think of any way to do this except via packet captures. Support may have deeper access to the full routing table on the MX; whether they can share any of the proof you need, I'm not sure.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.


padgettmv
Here to help

Thanks for the reply, was kind of my hunch. I'll reach out to support, see what they may also suggest. Worst case, I'll put in a feature request and hope for maybe someday a more robust "view traffic decision" page or live-tool.

Edit: I did think of a way to confirm the feature works, though it's not universal. It seems obvious after the fact, but I used the "Speedtest" application match, then when going to speedtest.net, confirmed the IP was the local MX WAN IP, not the IP of the cloud firewall. Then of course removing the rule, speedtest.net would then reflect the cloud firewall IP. So, any site that will reflect your IP should at least confirm it, but it would still be nice to validate any path decision within the dashboard for all traffic, like an enhanced flow or session table.

Brash
Kind of a big deal

I can't think of anything easy.

The only way to confirm would be to know the destination IP address of an app you're validating and confirm via packet capture that packets with that destination are broken out correctly.
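
The packet-capture check suggested in the replies above can be scripted. This is an added example, not code from any poster in the thread and not Meraki tooling: it parses a classic pcap taken on the MX's Internet uplink and counts packets addressed directly to the application's IP range versus to the VPN hub. The function names, the documentation-range addresses, and the premise that tunnelled traffic shows only the hub as its outer destination are assumptions.

```python
import ipaddress
import struct

def _frame(src, dst):
    """Constructed Ethernet + IPv4 frame: zeroed MACs, bare 20-byte IP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet), built in memory."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def classify_wan_capture(pcap, app_nets, hub_ip):
    """Count uplink packets addressed to the app itself vs. to the VPN hub."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if (endian is None or len(pcap) < 24
            or struct.unpack(endian + "I", pcap[20:24])[0] != 1):
        raise ValueError("expected a classic Ethernet pcap")
    nets = [ipaddress.ip_network(n) for n in app_nets]
    hub = ipaddress.ip_address(hub_ip)
    counts = {"direct_to_app": 0, "to_hub": 0, "other": 0}
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (or VLAN-tagged / truncated): ignored here
        dst = ipaddress.ip_address(frame[30:34])
        if any(dst in n for n in nets):
            counts["direct_to_app"] += 1   # left the uplink unencapsulated
        elif dst == hub:
            counts["to_hub"] += 1          # tunnel traffic; inner flow not visible
        else:
            counts["other"] += 1
    return counts

# Constructed sample (RFC 5737 documentation addresses, all assumptions):
# MX WAN IP 192.0.2.10, app range 203.0.113.0/24, hub 198.51.100.1.
SAMPLE = build_pcap([_frame("192.0.2.10", "203.0.113.5"),
                     _frame("192.0.2.10", "203.0.113.80"),
                     _frame("192.0.2.10", "198.51.100.1"),
                     _frame("192.0.2.10", "192.0.2.99")])
```

A non-zero `direct_to_app` count with the breakout rule enabled, and zero with it removed, is the capture-based equivalent of the Speedtest check described earlier in the thread.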
