Meraki local break out for office 365

CharlesYang
Here to help

Meraki local break out for office 365

Hi all,

 

We are planning to deploy Meraki SD-WAN solution and each branches will have two links, one is a MPLS link and one is a Internet link.

 

The requirement is to have direct Internet access for Office365 traffic only at branches, and the rest of the traffic should be sent back to hub sites via VPN tunnels. 

 

Meraki has an pre-defined application called office365 in the traffic shaping page for VPN traffic only, but it looks like it is not available for the traffic that is not sent the tunnels. Just wondering how to achieve this?

 

Many thanks in advance.

 

Cheers

Charles

14 REPLIES 14
PhilipDAth
Kind of a big deal

Re: Meraki local break out for office 365

This would be painful but not impossible.  You would need to load all the Office 365 subnets in, and configure the flow preferences to send just these subnets out the local Internet.

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

CharlesYang
Here to help

Re: Meraki local break out for office 365

Thanks Philip,

 

The default route in VPN page gets ticked because we want to route the rest of the traffic back to hub sites.

 

1.PNG

 

In this case, I think internet traffic option in Flow preferences setting would not work?

 

Cheers

Charles

 

 

PhilipDAth
Kind of a big deal

Re: Meraki local break out for office 365

So you are running AutoVPN over MPLS?

CharlesYang
Here to help

Re: Meraki local break out for office 365

Yes.

 

VPN tunnels via MPLS and VPN tunnels via Internet. The Hub works in one-arm concentrate mode.

PhilipDAth
Kind of a big deal

Re: Meraki local break out for office 365

You wont be able to make this work if you are pushing a default route.

CharlesYang
Here to help

Re: Meraki local break out for office 365

OK. If the default route option is not ticked, is it possible to block all the Internet traffic except Office 365?

PhilipDAth
Kind of a big deal

Re: Meraki local break out for office 365

Yes, you have to get the list of all the IP subnets used by Microsoft for the service.  Allow those, allow access to your MPLS subnets, and block everything else.

CharlesYang
Here to help

Re: Meraki local break out for office 365

Thanks for your reply, Philip. Much appreciated.

 

I have a quick look on the below page:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

 

It looks like IP ranges and URLs are dynamic. Might API would be helpful here for IP addresses. But how to handle the URLs? 

 

Take this one for example:

2.PNG

 

There is no IP address. If the two URLs are whitelisted in URL filtering, how to configure the layer 3 firewall rules to allow the traffic? permit tcp any any 443/80?

 

We are using proxy for all the traffic except office 365 and proxy traffic will be tunneled back to the hub site. In this case, how to define URL filtering to whitelist office 365 traffic? it looks like Meraki would inspect proxy traffic with URL filtering policy as well. If blacklisting everything except office 365, it will impact all the website browsing? 

 

Cheers

Charles

 

PhilipDAth
Kind of a big deal

Re: Meraki local break out for office 365

I did say it would be painful.  You'll need to load in all the IP address ranges, and then periodically check if they have changed.

GreenMan
Meraki Employee

Re: Meraki local break out for office 365

Found this thread whilst looking for something else.   This feature is now available with SD-WAN+ license.   Note the other pre-req's in the documentation:   https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

 

thomasthomsen
Getting noticed

Re: Meraki local break out for office 365

What if you wanted it the other way around ?

I would like to only send fx. office 365 traffic through the VPN.

 

Does anyone know of a way to do this ?

 

I really miss an update to the "flow preference" so that you could input URL's instead of just IPs.

Fx. if I had a connection I would like to be used for Office 365 and all other traffic on the other connection, then there does not seem to be an easy way of doing it.

 

Or did I miss something ?

 

/Thomas

GreenMan
Meraki Employee

Re: Meraki local break out for office 365

So - you want to split tunnel all of your Internet-bound traffic EXCEPT O365?    I'm rather surprised by that - it's the opposite of what most people ask for.

The only way to achieve this is to leave the default route box unchecked, when you choose your spokes, then make your O365 traffic VPN, rather than Internet traffic - by advertising the relevant IPs and subnets for O365, from your hub site, towards your dependent spokes.    As @PhilipDAth has said previously in this thread, it's painful, but possible.   Bear in mind you would manually need to keep the advertisements in sync with any changes made at the Microsoft end.  It's this 'automatically keeping up with MS' functionality which is key to the smart exceptions feature we created.

thomasthomsen
Getting noticed

Re: Meraki local break out for office 365

Bascially yes. Even though in my scenario, we do not use VPN, but have a dedicated WAN for Office 365.

 

The BEST thing I would like is this 🙂 (I hope my rough drawing conveys the idea 🙂 )

 

thomasthomsen_0-1615990511807.png

If I could have a WAN link selector for Traffic shaping rules.

Or If I could have all the options /definitions of traffic shaping rules , under "Flow preference", instead of just IPs and ports, those are a little "old fashioned" 🙂

 

/Thomas

 

thomasthomsen
Getting noticed

Re: Meraki local break out for office 365

Or here is another idea.

Use "Insight" to automatically select the best WAN connection for a specific service at that specific time.

That would be a "flipping awesome" feature, and would sell some more "Insight" licenses Im sure 🙂

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.