Meraki

Community

PBR on MX-100

SymphonyOps
New here
‎Jun 24 2019 12:00 AM
‎Jun 24 2019 12:00 AM

PBR on MX-100

Hi Guys,

 

We are using Aryaka as a WAN optimizer in our network. Hence we have created a static route in MX and given Aryaka Gateway IP as next hop. Thus, all VLAN traffic from office A to Office B is going through Aryaka.

 

We have total 4 VLAN's in our network and out of them, we want 2 VLAN's traffic to go through S2S VPN over the Internet between Office A and Office B. Can you please help us in setting up this as we don't know how PBR works in Meraki?

 

Thanks 

0 Kudos
4 Replies 4
Ben
A model citizen
‎Jun 24 2019 1:14 AM
‎Jun 24 2019 1:14 AM

Perhaps this can help you a bit. 

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

 

If you configure your VPN tunnel in Meraki your MX will route traffic to to the other MX via autovpn.

Subnets that are configured to participate in the VPN network will traverse over the tunnel. All others won't. 

 

If you still have some traffic within that VLAN that is destined to go to internet you can configure a split tunnel. 

 

Send only site-to-site traffic, meaning that if a subnet is at a remote site, the traffic destined for that subnet is sent over the VPN. However, if traffic is destined for a network that is not in the VPN mesh (for example, traffic going to a public web service such as www.google.com), the traffic is not sent over the VPN. Instead this traffic is routed using another available route, most commonly being sent directly to the Internet from the local MX device. 
source: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Tunneling

 

Cheers,

Ben

In response to Ben
SymphonyOps
New here
‎Jun 24 2019 4:57 AM
‎Jun 24 2019 4:57 AM

Thanks for the suggestion, Ben!

But the problem here is that we have configured a static route to Office B from Office A. Now whatever the traffic we are sending to Office B is going through Aryaka only as the next hop for that static route is Aryaka Gateway IP.

And we do not want to send a couple of VLAN'S through Aryaka but over the Internet. Please note that Office A is having Meraki but Office B is having ASA so AutoVPN's won't come in the picture.

Is there any way that we can send few VLAN's through Aryaka and other through the Internet. Please note that the main issue is the static route configured for Office B and we can't remove it.

Thanks

0 Kudos
In response to SymphonyOps
BrechtSchamp
Kind of a big deal
‎Jun 25 2019 3:46 AM
‎Jun 25 2019 3:46 AM

I'm afraid that won't be possible. There's some basic PBR functionality in the MX, but it requires an SD-WAN setup, so AutoVPN. Even if you have an SD-WAN setup the PBR would choose between the VPN tunnels present on the two uplinks.

 

See here:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

0 Kudos
Vinod_Dongdi
New here
‎Jun 27 2019 7:46 AM
‎Jun 27 2019 7:46 AM

Uncheck “In VPN” option on the VLAN’s which you want to go over Aryaka Routing Use VLANs

 

You can configure a single LAN or enable VLANs under the Routing section of the Addressing & VLANs page. To enable VLANs, check the Use VLANs box.

 

Subnets

VLANs allow you to partition your network into different subnets such that downstream hosts are separated into different broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control. The appliance has multiple LAN IPs, each of which is the default gateway address on its particular VLAN.

To add a new VLAN, click Add VLAN at the top right of the Subnets table. To modify an existing VLAN, click on that VLAN in the Subnets table. The following fields can be set for a local VLAN:

  • Name: The name of the VLAN.
  • Subnet: Use this option to enter the IP subnet for the VLAN. Note that as with Single LAN mode, you need to provide this information in CIDR notation.
  • MX IP: The IP address of the MX appliance in this particular VLAN/subnet. This is the default gateway IP address on that VLAN.
  • VLAN ID: The numerical identifier that is assigned to the VLAN.
  • Group Policy: The Group Policy you wish to apply to this VLAN, if any (see Group policies).
  • In VPN: Determines whether the MX advertises this VLAN to site-to-site VPN peers.

To delete a VLAN, click the check the box next to the VLAN and click the Delete button, then click Save

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.