We are planning to deploy Meraki SD-WAN solution and each branches will have two links, one is a MPLS link and one is a Internet link.
The requirement is to have direct Internet access for Office365 traffic only at branches, and the rest of the traffic should be sent back to hub sites via VPN tunnels.
Meraki has an pre-defined application called office365 in the traffic shaping page for VPN traffic only, but it looks like it is not available for the traffic that is not sent the tunnels. Just wondering how to achieve this?
Many thanks in advance.
This would be painful but not impossible. You would need to load all the Office 365 subnets in, and configure the flow preferences to send just these subnets out the local Internet.
The default route in VPN page gets ticked because we want to route the rest of the traffic back to hub sites.
In this case, I think internet traffic option in Flow preferences setting would not work?
Yes, you have to get the list of all the IP subnets used by Microsoft for the service. Allow those, allow access to your MPLS subnets, and block everything else.
Thanks for your reply, Philip. Much appreciated.
I have a quick look on the below page:
It looks like IP ranges and URLs are dynamic. Might API would be helpful here for IP addresses. But how to handle the URLs?
Take this one for example:
There is no IP address. If the two URLs are whitelisted in URL filtering, how to configure the layer 3 firewall rules to allow the traffic? permit tcp any any 443/80?
We are using proxy for all the traffic except office 365 and proxy traffic will be tunneled back to the hub site. In this case, how to define URL filtering to whitelist office 365 traffic? it looks like Meraki would inspect proxy traffic with URL filtering policy as well. If blacklisting everything except office 365, it will impact all the website browsing?
I did say it would be painful. You'll need to load in all the IP address ranges, and then periodically check if they have changed.
Found this thread whilst looking for something else. This feature is now available with SD-WAN+ license. Note the other pre-req's in the documentation: https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...
What if you wanted it the other way around ?
I would like to only send fx. office 365 traffic through the VPN.
Does anyone know of a way to do this ?
I really miss an update to the "flow preference" so that you could input URL's instead of just IPs.
Fx. if I had a connection I would like to be used for Office 365 and all other traffic on the other connection, then there does not seem to be an easy way of doing it.
Or did I miss something ?
So - you want to split tunnel all of your Internet-bound traffic EXCEPT O365? I'm rather surprised by that - it's the opposite of what most people ask for.
The only way to achieve this is to leave the default route box unchecked, when you choose your spokes, then make your O365 traffic VPN, rather than Internet traffic - by advertising the relevant IPs and subnets for O365, from your hub site, towards your dependent spokes. As @PhilipDAth has said previously in this thread, it's painful, but possible. Bear in mind you would manually need to keep the advertisements in sync with any changes made at the Microsoft end. It's this 'automatically keeping up with MS' functionality which is key to the smart exceptions feature we created.
Bascially yes. Even though in my scenario, we do not use VPN, but have a dedicated WAN for Office 365.
The BEST thing I would like is this 🙂 (I hope my rough drawing conveys the idea 🙂 )
If I could have a WAN link selector for Traffic shaping rules.
Or If I could have all the options /definitions of traffic shaping rules , under "Flow preference", instead of just IPs and ports, those are a little "old fashioned" 🙂
Or here is another idea.
Use "Insight" to automatically select the best WAN connection for a specific service at that specific time.
That would be a "flipping awesome" feature, and would sell some more "Insight" licenses Im sure 🙂