Meraki

Community

New to Meraki, so looking for some help with routing question

Norman3
Conversationalist
‎Jan 20 2023 10:46 AM
‎Jan 20 2023 10:46 AM

New to Meraki, so looking for some help with routing question

Good Day, I hope I can find some help with a routing issue. First I'll layout the scenario:

 

We are a primarily Cisco WLC shop but we also use Meraki MX64 and Z3 teleworker gateways for most of our remote users. With that in mind, we normally route all traffic through the Meraki including Internet traffic. This is for a variety of reasons that include Security logging, as well as some of the sites we connect to require us to be added to whitelists in order to connect. That being said, there are several sites that run super slow for our Meraki users when they are international. One of those sites (lets call it https://company.thissite.com) can be reached publicly through the internet and does not require the traffic to come from our networks. Unfortunately the site is hosted in AWS which sees the traffic coming from our Denver location, and routes into the AWS network from there. Users in the UK that connect to this site regularly have complained about how slow it is. When I do my investigations, it shows the traffic is basically crossing the Atlantic twice (there and back) to get to the site and process data inputs. When I tested on a user's personal PC connected to their home network the site is super responsive and functions perfectly with very little delay. Doing the same investigations, I find the traffic going out of the user's local internet connects into the AWS cloud from a regionally local point rather than traversing the world and exiting our network in the states before hitting the AWS network.

Now with that in mind what I would like to figure out a way to configure a template like this:

Rather than offloading all internet traffic out the user's local internet, I'd like to create a template that will have all the traffic going through our network as it currently is, but create a rule that allows certain Addresses (preferably by name rather than IP) to be routed out the user's local internet. Ideally this would be a rule for a group, so that as we go along and find other sites with performance issue we can just add them to that group rather than having to add a new rule every time.

 

Is this possible in the Meraki configurations? Please understand, I am new to Meraki and still learning the ins and outs of everything.

0 Kudos
12 Replies 12
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 20 2023 11:01 AM
‎Jan 20 2023 11:01 AM

Isn't it easier to publish the service to the internet? and then users can access the site by exiting the MX or Z3 local internet link.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 20 2023 11:07 AM
‎Jan 20 2023 11:07 AM

And also, can you provide a simple topology for better understanding?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Norman3
Conversationalist
‎Jan 20 2023 11:11 AM
‎Jan 20 2023 11:11 AM

Meraki Teleworker -- S2S VPN --> Meraki MX250(x2 one in Denver and one in Chicago) --> Directly connected to Denver/Chicago Routers --> Routed to Corp Network or Our Internet connection

 

Currently we have 2 base templates, One uses the Chicago connection as primary and Denver as backup while the other is Reversed. In both cases the MX250 is connected directly to our router in each location and traffic is routed accordingly. In every case though all traffic, including internet traffic is routed through the S2S connection with the MX250.

0 Kudos
In response to alemabrahao
Norman3
Conversationalist
‎Jan 20 2023 11:07 AM
‎Jan 20 2023 11:07 AM

The site is published to the Internet. The caveat to that is we route all of our Meraki users' internet traffic through the Meraki VPN  through our network and out our company internet pipe. What I'm looking to do is create a rule to offload traffic to certain sites out the User's local internet pipe while keeping the rest of the internet traffic going through the regular route through our network.

0 Kudos
In response to Norman3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 20 2023 2:15 PM
‎Jan 20 2023 2:15 PM

Maybe you can achieve It using VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)

 

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

 

Available with the Secure SD-WAN Plus MX license running MX 15.X firmware.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Norman3
Conversationalist
‎Jan 23 2023 8:01 AM
‎Jan 23 2023 8:01 AM

Thank You for your help, I found the settings in the article but I am confused by one thing, When I'm doing the Local breakout rule, it asks for a CIDR/Hostname, but it won't accept a hostname. I have to use an IP address. For the issue I'm currently trying to solve, this should be okay, but I'd like to use an actual hostname rather than CIDR entry. Am I missing something?

0 Kudos
In response to Norman3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 23 2023 8:15 AM
‎Jan 23 2023 8:15 AM

Are you getting any error while configuring? Remember that it must be configured as a URL (example.local)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Norman3
Conversationalist
‎Jan 23 2023 11:12 AM
‎Jan 23 2023 11:12 AM

I configure it as a url, it just tells me it needs to be an IP address.

Norman3_0-1674501125558.png

 

0 Kudos
In response to Norman3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 23 2023 11:22 AM
‎Jan 23 2023 11:22 AM

The host field doesn't appear for you when you add the destination?

 

 

alemabrahao_0-1674501693938.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Norman3
Conversationalist
‎Jan 23 2023 11:25 AM
‎Jan 23 2023 11:25 AM

nope. Just the IP field

0 Kudos
In response to Norman3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 28 2023 4:02 AM
‎Jan 28 2023 4:02 AM

Do you have a  Secure SD-WAN Plus MX license?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Jan 20 2023 12:05 PM
‎Jan 20 2023 12:05 PM

I think if you replace the Z3 with an MX and use the SD-WAN + license, then you can do this selective routing.

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.