New to Meraki, so looking for some help with routing question

Norman3
Conversationalist

New to Meraki, so looking for some help with routing question

Good Day, I hope I can find some help with a routing issue. First I'll layout the scenario:

 

We are a primarily Cisco WLC shop but we also use Meraki MX64 and Z3 teleworker gateways for most of our remote users. With that in mind, we normally route all traffic through the Meraki including Internet traffic. This is for a variety of reasons that include Security logging, as well as some of the sites we connect to require us to be added to whitelists in order to connect. That being said, there are several sites that run super slow for our Meraki users when they are international. One of those sites (lets call it https://company.thissite.com) can be reached publicly through the internet and does not require the traffic to come from our networks. Unfortunately the site is hosted in AWS which sees the traffic coming from our Denver location, and routes into the AWS network from there. Users in the UK that connect to this site regularly have complained about how slow it is. When I do my investigations, it shows the traffic is basically crossing the Atlantic twice (there and back) to get to the site and process data inputs. When I tested on a user's personal PC connected to their home network the site is super responsive and functions perfectly with very little delay. Doing the same investigations, I find the traffic going out of the user's local internet connects into the AWS cloud from a regionally local point rather than traversing the world and exiting our network in the states before hitting the AWS network.

Now with that in mind what I would like to figure out a way to configure a template like this:

Rather than offloading all internet traffic out the user's local internet, I'd like to create a template that will have all the traffic going through our network as it currently is, but create a rule that allows certain Addresses (preferably by name rather than IP) to be routed out the user's local internet. Ideally this would be a rule for a group, so that as we go along and find other sites with performance issue we can just add them to that group rather than having to add a new rule every time.

 

Is this possible in the Meraki configurations? Please understand, I am new to Meraki and still learning the ins and outs of everything.

12 REPLIES 12
alemabrahao
Kind of a big deal

Isn't it easier to publish the service to the internet? and then users can access the site by exiting the MX or Z3 local internet link.

And also, can you provide a simple topology for better understanding?

Meraki Teleworker -- S2S VPN --> Meraki MX250(x2 one in Denver and one in Chicago) --> Directly connected to Denver/Chicago Routers --> Routed to Corp Network or Our Internet connection

 

Currently we have 2 base templates, One uses the Chicago connection as primary and Denver as backup while the other is Reversed. In both cases the MX250 is connected directly to our router in each location and traffic is routed accordingly. In every case though all traffic, including internet traffic is routed through the S2S connection with the MX250.

The site is published to the Internet. The caveat to that is we route all of our Meraki users' internet traffic through the Meraki VPN  through our network and out our company internet pipe. What I'm looking to do is create a rule to offload traffic to certain sites out the User's local internet pipe while keeping the rest of the internet traffic going through the regular route through our network.

alemabrahao
Kind of a big deal

Maybe you can achieve It using VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)

 

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

 

Available with the Secure SD-WAN Plus MX license running MX 15.X firmware.

Thank You for your help, I found the settings in the article but I am confused by one thing, When I'm doing the Local breakout rule, it asks for a CIDR/Hostname, but it won't accept a hostname. I have to use an IP address. For the issue I'm currently trying to solve, this should be okay, but I'd like to use an actual hostname rather than CIDR entry. Am I missing something?

alemabrahao
Kind of a big deal

Are you getting any error while configuring? Remember that it must be configured as a URL (example.local)

I configure it as a url, it just tells me it needs to be an IP address.

Norman3_0-1674501125558.png

 

alemabrahao
Kind of a big deal

The host field doesn't appear for you when you add the destination?

 

 

alemabrahao_0-1674501693938.png

 

nope. Just the IP field

alemabrahao
Kind of a big deal

Do you have a  Secure SD-WAN Plus MX license?

cmr
Kind of a big deal
Kind of a big deal

I think if you replace the Z3 with an MX and use the SD-WAN + license, then you can do this selective routing.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels