Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki Auto-VPN Split Tunnelling

MarkiP
Getting noticed
‎May 20 2020 5:45 AM
‎May 20 2020 5:45 AM

Meraki Auto-VPN Split Tunnelling

Hi all,

 

We have a branch site that is currently set up as a spoke with a default route to our hub main site, as that spoke site needs to send certain traffic to external/public IP addresses which are only accessible via a physical WAN connection at our hub site. Ideally however, we would like to have a split tunnel, whereby traffic to the hub subnets advertised over the Auto-VPN, as well as specific external IP address ranges are sent over the VPN, and all other traffic is sent out to the internet via the spoke site's own WAN link. The aim being to reduce load on the hub site and increase speed at the spoke site when accessing IP ranges that do not require the hub site's WAN connection, whereas currently it is either all or no traffic that can be sent over the VPN.

 

We had resigned ourselves to this fact, however I stumbled across the following (https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/MR_Teleworker_VPN), and it seems that this functionality is available on the MR devices, whereby you can specify the IP ranges & ports to send over the tunnel, with other traffic exiting from the local WAN link. However, it doesn't seem this is possible on the MX/Z series devices?

 

Could someone please confirm if this is the case or if there is any way to achieve what I state above? It does seem somewhat odd that this can be implemented on an access point, but not on a full security appliance.

 

Many thanks,

 

Mark

0 Kudos
4 Replies 4
ww
Kind of a big deal
Kind of a big deal
‎May 20 2020 6:23 AM
‎May 20 2020 6:23 AM

you can remove the default route and advertise the specific external IP address ranges at the hub into the autovpn

In response to ww
MarkiP
Getting noticed
‎May 20 2020 7:19 AM
‎May 20 2020 7:19 AM

Thanks for your reply.

 

Would this be configured with a static route under Addressing & VLANs? And for a static route to a public IP range, does it matter which subnet Gateway IP it uses? 

 

Also, do you happen to know if traffic that matches those routes and is sent over the VPN from spoke to hub will still conform to the hub site traffic shaping rules, it must use Uplink 2 in our scenario.

0 Kudos
In response to MarkiP
merakichamp
Building a reputation
‎May 20 2020 7:56 AM
‎May 20 2020 7:56 AM

@MarkiP  did you try to see the explanation on this document?

 

Best Practice Design - MX Security and SD-WAN > Meraki SD-WAN

In response to merakichamp
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 20 2020 8:42 AM
‎May 20 2020 8:42 AM

 I think if you raise a support ticket they can configure the full tunnel "exceptions" on the MX.

 

Otherwise you need an additional MX (in a separate network) at your HQ.  You configure one MX in normal routed mode (not configured for AutoVPN), and the second MX as an AutoVPN concentrator (running on a single interface).

 

Then on the AutoVPN concentrator add static routes pointing to the other MX, and then select the option to redistribute these into AutoVPN.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.