Route ALL Tunneled Traffic to the Hub and Then Internally

BusterDude
Comes here often

Hello all. Brand new to Meraki. I've set up a lab at this point and I can tunnel traffic from my spoke to the hub. When I check the box for "IPv4 default route" I get the expected "All" traffic tunnels to the hub. However, the internet traffic then hairpins directly outbound from the hub. I don't want that. I want all traffic to tunnel to the Hub and then that traffic to be forwarded to a separate firewall to then go outbound.

Maybe this is the incorrect deployment for what we're trying to do. Overall, I'd say the Meraki will be utilized as mostly a VPN concentrator for all our small remote sites. We might allow some remote sites to "split tunnel" and allow those select remote sites to go directly from the internet and not tunnel that traffic.

Thanks for any help.

5 Replies
ww
Kind of a big deal

You can create a static 0.0.0.0 to your firewall at the hub. And enable that route to advertise in your autovpn.  

But all your local hub traffic also follows that route.
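To make the routing consequence of this suggestion concrete, here is an added example (not code from the thread or from Meraki): a small longest-prefix-match model of the spoke and hub route tables. It assumes constructed addresses (a spoke LAN of 192.168.1.0/24, a hub LAN of 10.10.10.0/24 and a hypothetical inside firewall at 10.10.10.254) and uses plain longest-prefix match only; the real MX also applies a route-type precedence, which this model leaves out. It traces where internet-bound traffic exits before and after the static 0.0.0.0/0 to the firewall is added on the hub, and shows that hub-LAN hosts follow the same default route once it exists.

```python
"""Simplified route-lookup model for an AutoVPN spoke that tunnels 0.0.0.0/0
to a hub, with and without a static default route on the hub that points at
an internal firewall. Addresses and next-hop labels are constructed for the
example; route selection is plain longest-prefix match (an assumption, not
the MX's exact precedence rules)."""
import ipaddress

# Constructed addressing (hypothetical, not from the thread).
FIREWALL = "10.10.10.254"      # inside interface of the separate firewall
SPOKE_LAN = "192.168.1.0/24"
HUB_LAN = "10.10.10.0/24"

# Spoke MX with "IPv4 default route" ticked: anything not local goes over AutoVPN.
SPOKE_ROUTES = [
    {"prefix": SPOKE_LAN, "via": "connected"},
    {"prefix": "0.0.0.0/0", "via": "autovpn:hub"},
]

# Hub with no extra static route: unmatched traffic leaves the hub's own WAN (the hairpin).
HUB_ROUTES_DEFAULT = [
    {"prefix": HUB_LAN, "via": "connected"},
    {"prefix": SPOKE_LAN, "via": "autovpn:spoke"},
    {"prefix": "0.0.0.0/0", "via": "wan"},
]

# Hub with a static 0.0.0.0/0 whose next hop is the internal firewall.
HUB_ROUTES_STATIC = [
    {"prefix": HUB_LAN, "via": "connected"},
    {"prefix": SPOKE_LAN, "via": "autovpn:spoke"},
    {"prefix": "0.0.0.0/0", "via": f"static:{FIREWALL}"},
]


def longest_prefix_match(routes, dst):
    """Return the most specific route whose prefix contains dst, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["prefix"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None


def trace(dst, start, spoke_routes=SPOKE_ROUTES, hub_routes=HUB_ROUTES_DEFAULT):
    """Follow traffic to dst from 'spoke' or 'hub' until it leaves the two
    Meraki devices. Returns a list of (device, next_hop) hops."""
    routes_for = {"spoke": spoke_routes, "hub": hub_routes}
    device, hops = start, []
    for _ in range(4):                 # bounded walk; hitting the bound means a routing loop
        route = longest_prefix_match(routes_for[device], dst)
        if route is None:
            hops.append((device, "drop"))
            break
        via = route["via"]
        hops.append((device, via))
        if via == "autovpn:hub":
            device = "hub"             # re-enters the route lookup on the hub
        elif via == "autovpn:spoke":
            device = "spoke"
        else:
            break                      # connected, WAN or static next hop: exits the model
    return hops


if __name__ == "__main__":
    for label, hub in (("hub default via WAN", HUB_ROUTES_DEFAULT),
                       ("hub static 0.0.0.0/0 -> firewall", HUB_ROUTES_STATIC)):
        print(label)
        print("  spoke   -> internet:", trace("8.8.8.8", "spoke", hub_routes=hub))
        print("  spoke   -> hub LAN :", trace("10.10.10.20", "spoke", hub_routes=hub))
        print("  hub LAN -> internet:", trace("8.8.8.8", "hub", hub_routes=hub))
        print("  hub LAN -> spoke   :", trace("192.168.1.5", "hub", hub_routes=hub))
```

The third trace is the point of the caveat: with the static default in place, a hub-LAN host bound for the internet is sent to the firewall too, because the hub has only one 0.0.0.0/0 and it no longer points at the WAN. The more specific spoke and hub LAN prefixes still win over the default, so spoke-to-hub and return traffic are unaffected.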

BusterDude
Comes here often

So if I do this, how does this impact the Hub's ability to manage the VPN tunnels over the Meraki cloud network? Does that traffic continue to traverse the MX WAN port outbound?

GreenMan
Meraki Employee

It sounds to me like you have your Hub set up in Routed mode. Is there a reason why you avoided VPN Concentrator mode? That would have more readily dealt with your scenario and would generally be the recommended mode for an MX in a Data Centre.

BusterDude
Comes here often

Thanks. I'm going to attach a rough diagram of how we normally deploy these types of technologies. Please let me know your thoughts. Looks like VPN Concentrator mode is probably the better option, but could you tell us if this proposed implementation is even possible.

Thanks

Attachment: Meraki Deployment.jpg

BusterDude
Comes here often

I suppose we could set up as one-arm concentrator mode. If we did this, could we utilize both WAN ports on our MX250 in some sort of layer 2 redundant mode? We would want to directly connect 1 WAN port to one firewall and the other WAN port to the other firewall. The firewalls are in HA and Active/Passive.
