Meraki

Community

Route ALL Tunneled Traffic to the Hub and Then Internally

BusterDude
Comes here often
‎Oct 14 2024 6:42 AM
‎Oct 14 2024 6:42 AM

Route ALL Tunneled Traffic to the Hub and Then Internally

Hello all.  Brand new to Meraki.  I've set up a lab at this point and I can tunnel traffic from my spoke to the hub.  When I check the box for "IPv4 default route" I get the expected "All" traffic tunnels to the hub.  However, the internet traffic then hairpins directly outbound from the hub.  I don't want that.  I want all traffic to tunnel to the Hub and then that traffic to be forwarded to a separate firewall to then go outbound.  

 

Maybe this is the incorrect deployment for what we're trying to do.  Overall, I'd say the Meraki will be utilized as mostly a VPN concentrator for all our small remote sites.  We might allow some remote sites to "split tunnel" and allow those select remote sites to go directly from the internet and not tunnel that traffic.  

 

Thanks for any help.

0 Kudos
5 Replies 5
ww
Kind of a big deal
Kind of a big deal
‎Oct 14 2024 6:57 AM
‎Oct 14 2024 6:57 AM

You can create a static 0.0.0.0 to your firewall at the hub. And enable that route to advertise in your autovpn.  

But all your local hub traffic also follows that route

0 Kudos
BusterDude
Comes here often
‎Oct 14 2024 7:32 AM
‎Oct 14 2024 7:32 AM

So if I do this, how does this impact the Hub's ability to manage the VPN tunnels over the Meraki cloud network?  Does that traffic continue to traverse the MX wan port outbound?

0 Kudos
GreenMan
Meraki Employee
Meraki Employee
‎Oct 14 2024 7:44 AM
‎Oct 14 2024 7:44 AM

It sounds to me like you have your Hub set up in Routed mode.   Is there a reason why you avoided VPN Concentrator mode?    That would have more readily dealt with your scenario and would generally be the recommended mode for an MX in a Data Centre.

In response to GreenMan
BusterDude
Comes here often
‎Oct 14 2024 8:16 AM
‎Oct 14 2024 8:16 AM

Thanks.  I'm going to attach a rough diagram of how we normally deploy these types of technologies.  Please let me know your thoughts.  Looks like VPN Concentrator mode is probably the better option, but could you tell us if this proposed implementation is even possible.

 

Thanks

 

Meraki Deployment.jpg

0 Kudos
In response to GreenMan
BusterDude
Comes here often
2 weeks ago
2 weeks ago

I suppose we could set up as one-arm concentrator mode.  If we did this, could we utilize both WAN ports on our MX250 in some sort of layer 2 redundant mode?  We would want to directly connect 1 WAN port to one firewall and the other WAN port to the other firewall.  The firewalls are in HA and Active/Passive.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.