
Meraki local break out for office 365

Just browsing


Hi all,

 

We are planning to deploy a Meraki SD-WAN solution, and each branch will have two links: one is an MPLS link and one is an Internet link.

 

The requirement is to have direct Internet access for Office365 traffic only at branches, and the rest of the traffic should be sent back to hub sites via VPN tunnels. 

 

Meraki has a pre-defined application called office365 in the traffic shaping page for VPN traffic only, but it looks like it is not available for the traffic that is not sent via the tunnels. Just wondering how to achieve this?

 

Many thanks in advance.

 

Cheers

Charles

9 REPLIES
Kind of a big deal

Re: Meraki local break out for office 365

This would be painful but not impossible.  You would need to load all the Office 365 subnets in, and configure the flow preferences to send just these subnets out the local Internet.

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

Just browsing

Re: Meraki local break out for office 365

Thanks Philip,

 

The default route in the VPN page gets ticked because we want to route the rest of the traffic back to hub sites.

 

[Attached screenshot: 1.PNG]

 

In this case, I think the Internet traffic option in the Flow preferences setting would not work?

 

Cheers

Charles

 

 

Kind of a big deal

Re: Meraki local break out for office 365

So you are running AutoVPN over MPLS?

Just browsing

Re: Meraki local break out for office 365

Yes.

 

VPN tunnels via MPLS and VPN tunnels via Internet. The hub works in one-arm concentrator mode.

Kind of a big deal

Re: Meraki local break out for office 365

You won't be able to make this work if you are pushing a default route.

Just browsing

Re: Meraki local break out for office 365

OK. If the default route option is not ticked, is it possible to block all the Internet traffic except Office 365?

Kind of a big deal

Re: Meraki local break out for office 365

Yes, you have to get the list of all the IP subnets used by Microsoft for the service.  Allow those, allow access to your MPLS subnets, and block everything else.

Just browsing

Re: Meraki local break out for office 365

Thanks for your reply, Philip. Much appreciated.

 

I had a quick look at the page below:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

 

It looks like the IP ranges and URLs are dynamic. Maybe an API would be helpful here for the IP addresses. But how to handle the URLs?

 

Take this one for example:

[Attached screenshot: 2.PNG]

 

There is no IP address. If the two URLs are whitelisted in URL filtering, how to configure the layer 3 firewall rules to allow the traffic? permit tcp any any 443/80?

 

We are using a proxy for all the traffic except Office 365, and proxy traffic will be tunneled back to the hub site. In this case, how to define URL filtering to whitelist Office 365 traffic? It looks like Meraki would inspect proxy traffic with the URL filtering policy as well. If blacklisting everything except Office 365, will it impact all the website browsing?

 

Cheers

Charles

 

Kind of a big deal

Re: Meraki local break out for office 365

I did say it would be painful.  You'll need to load in all the IP address ranges, and then periodically check if they have changed.
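
The periodic check suggested above can be scripted against the JSON returned by Microsoft's Office 365 IP Address and URL web service (endpoints.office.com). The following is an added example, not part of the thread and not Meraki or Microsoft code: it collapses the published prefixes, diffs them against what is already configured, and lists the endpoints published with URLs only. Assumptions: the sample data is constructed from documentation ranges, only IPv4 is kept, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the shape returned by
# https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>
# Addresses and hostnames are documentation values, not real Microsoft ones.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
   "urls": ["mail.example.com"], "tcpPorts": "80,443",
   "ips": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/32"]},
  {"id": 2, "serviceArea": "Common", "category": "Default",
   "urls": ["*.cdn.example.net", "static.example.org"], "tcpPorts": "443"},
  {"id": 3, "serviceArea": "SharePoint", "category": "Allow",
   "urls": ["*.files.example.com"], "tcpPorts": "443",
   "ips": ["198.51.100.0/24"]}
]
""")


def split_endpoints(endpoints):
    """Return (collapsed IPv4 networks, FQDNs published without any IP range)."""
    nets, url_only = [], []
    for entry in endpoints:
        ips = entry.get("ips", [])
        if not ips:
            # URL-only entry: nothing here can go into a subnet-based rule.
            url_only.extend(entry.get("urls", []))
            continue
        for prefix in ips:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 4:  # assumption: IPv4-only rule set
                nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), sorted(url_only)


def diff_prefixes(deployed, current):
    """Compare CIDR strings already configured with freshly published networks."""
    deployed_set = {ipaddress.ip_network(p) for p in deployed}
    added = sorted(set(current) - deployed_set)
    removed = sorted(deployed_set - set(current))
    return [str(n) for n in added], [str(n) for n in removed]


if __name__ == "__main__":
    networks, fqdns = split_endpoints(SAMPLE_ENDPOINTS)
    added, removed = diff_prefixes(["192.0.2.0/24", "203.0.113.0/24"], networks)
    print("add to rules:", added)
    print("remove from rules:", removed)
    print("URL-only endpoints:", fqdns)
```

The URL-only list is the part the question about the second screenshot is concerned with: those hostnames have no published range to load as a subnet.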
