Meraki Auto-VPN Split Tunnelling

MarkiP
Getting noticed

Meraki Auto-VPN Split Tunnelling

Hi all,

 

We have a branch site that is currently set up as a spoke with a default route to our hub main site, as that spoke site needs to send certain traffic to external/public IP addresses which are only accessible via a physical WAN connection at our hub site. Ideally however, we would like to have a split tunnel, whereby traffic to the hub subnets advertised over the Auto-VPN, as well as specific external IP address ranges are sent over the VPN, and all other traffic is sent out to the internet via the spoke site's own WAN link. The aim being to reduce load on the hub site and increase speed at the spoke site when accessing IP ranges that do not require the hub site's WAN connection, whereas currently it is either all or no traffic that can be sent over the VPN.

 

We had resigned ourselves to this fact, however I stumbled across the following (https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/MR_Teleworker_VPN), and it seems that this functionality is available on the MR devices, whereby you can specify the IP ranges & ports to send over the tunnel, with other traffic exiting from the local WAN link. However, it doesn't seem this is possible on the MX/Z series devices?

 

Could someone please confirm if this is the case or if there is any way to achieve what I state above? It does seem somewhat odd that this can be implemented on an access point, but not on a full security appliance.

 

Many thanks,

 

Mark

4 REPLIES 4
ww
Kind of a big deal
Kind of a big deal

you can remove the default route and advertise the specific external IP address ranges at the hub into the autovpn

MarkiP
Getting noticed

Thanks for your reply.

 

Would this be configured with a static route under Addressing & VLANs? And for a static route to a public IP range, does it matter which subnet Gateway IP it uses? 

 

Also, do you happen to know if traffic that matches those routes and is sent over the VPN from spoke to hub will still conform to the hub site traffic shaping rules, it must use Uplink 2 in our scenario.

merakichamp
Building a reputation

@MarkiP  did you try to see the explanation on this document?

 

Best Practice Design - MX Security and SD-WAN > Meraki SD-WAN

 I think if you raise a support ticket they can configure the full tunnel "exceptions" on the MX.

 

Otherwise you need an additional MX (in a separate network) at your HQ.  You configure one MX in normal routed mode (not configured for AutoVPN), and the second MX as an AutoVPN concentrator (running on a single interface).

 

Then on the AutoVPN concentrator add static routes pointing to the other MX, and then select the option to redistribute these into AutoVPN.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels