Non-Meraki VPN

Holli69
Here to help


Hi all,

We route Subnet 1 (10.0.10.0/24, VLAN 10) over a non-Meraki VPN tunnel to a third-party firewall.

Another Subnet 2 (10.0.20.0/24, VLAN 20) has a local breakout and is not transferred over this VPN tunnel.

Now the question:

A third Subnet 3 (10.0.30.0/24, VLAN 30) should also have a local breakout, except for all DHCP requests from this Subnet 3 (central DHCP server).

Is this scenario possible with the Advanced License, or only with the SD-WAN Plus License?

 

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

 

I've read this document, but I would like to know your experience and opinion.

 

Many thanks in advance for your reply.

 


GreenMan
Meraki Employee

Where is the DHCP server that is serving VLAN 30? I'm guessing that's at the far end of the non-Meraki tunnel?

 

It sounds like you have a default route 0.0.0.0/0 configured as the private subnet in your non-Meraki VPN (for VLAN 10), and that you have VLAN 20 set to VPN mode disabled.

 

I think you will also need to configure VLAN 30 with VPN mode disabled, but provide DHCP for that VLAN locally on the MX.

 

Yes, the DHCP server is at the far end of the non-Meraki tunnel, and you're right about the default route; VLAN 20 VPN mode is disabled.

From VLAN 30, only DHCP should use the VPN tunnel to the DHCP server (VLAN 10 and 30); all other traffic from VLAN 30 should use the local internet breakout.

Yeah - I don't believe that combination is possible. You would like to use source-based default routes, but they can only be defined via another MX (an AutoVPN tunnel) or a LAN port, not a non-Meraki VPN tunnel, as here.

 

Is there a reason why you can't run the DHCP on the MX, as I suggested? It's the closest you will get to the traffic pattern you want right now, I think.


MilesMeraki
Head in the Cloud

Running DHCP on the local MX would be the way to go.


Many thanks for your reply, but at the moment it's not possible, because our DHCP server is located centrally in our DC, not locally.

But I can't route the whole Subnet 30 into the VPN tunnel; the reason is too much traffic over the VPN. Only DHCP traffic should be transferred via the VPN tunnel.
