cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Route Specific Traffic over VPN

SOLVED
Highlighted
Here to help

Route Specific Traffic over VPN

Hello, I have 2 sites connected to each other currently using the auto-vpn functionality. The Hub is running an MX84 and the Spoke an MX68. Due to the nature of the internet usage some traffic has to be routed to the hub site while the rest is normal internet usage. Currently I have it set up at the spoke site to use the hub as a default route as I cannot seem to route traffic destined for specific IP addresses only through the VPN. The issue with this is that all internet traffic is sent over the VPN and it has cut download speeds in half. Ideally I want to set up routes for traffic that is only trying to reach specific IP addresses to be sent to the hub site. I understand that this might not be possible with the auto-vpn and that I may have to set up a site to site vpn manually. I am happy to do this if it solves my issue but I need to know how to set up the static routes once the non-meraki site-to-site vpn is in place.

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Conversationalist

Re: Route Specific Traffic over VPN

Hey Phil,

 

yes, you need to create the routings on the destination Router (for LAN Addresses).

Since you want to reach WAN-Addresses you would need Policy Based routes, which the Meraki is not capable of 😞

So unfortunately I don't think that this is possible with Meraki atm 😕

Sorry I couldn't help more

 

Greetiungs

Sascha

View solution in original post

17 REPLIES 17
Highlighted
Head in the Cloud

Re: Route Specific Traffic over VPN

Highlighted
Here to help

Re: Route Specific Traffic over VPN

Hi MarcP,

 

Thanks for your reply.

 

Flow preferences seem to only allow you to select wan 1 or wan 2 as the route for the traffic. I can't see a way to say specific traffic only uses the VPN. Unless I am missing something. The screen shot below shows that the preferred uplink is only wan1 or wan2. If there was an option there for vpn then I think it would work. flow preferences.png

Highlighted
Conversationalist

Re: Route Specific Traffic over VPN

Hi Phil,

 

normaly you should be able to achive this, by adding the desired networks into the Security Assosiations (SA) of the MX84. So you need to have a route for these networks under Addressing and VLAN in the MX84. This way you can set them in you SAs on MX84 site so they are published to the MX68.

 

Steps:

- Add networks you want to reach on MX84 under Addressing and VLANs

- set the in VPN marker

Then you should be able to remove the "default GW" and be able to have the local internet breakout and reach your servers

Highlighted
Here to help

Re: Route Specific Traffic over VPN

Hi el_pajaro_bobo,

 

This sounds promising, I shall give this a go and report back. Could you clarify what you mean by "VPN marker"?

 

Many thanks,

 

Phil

Highlighted
Here to help

Re: Route Specific Traffic over VPN

Also, I assume I am adding the subnets from the spoke site (MX68) to the subnets section under addressing and vlans?

Highlighted
Here to help

Re: Route Specific Traffic over VPN

I think I worked out what you mean by "VPN marker". When I try to add a vlan for the destination network it wants me to add an ip for the mx, the router doesn't have an ip on this range so I am unsure what I should add.

 

Thanks for your time.

Highlighted
Conversationalist

Re: Route Specific Traffic over VPN

I mean the "in VPN" Checkbox which you can mark by adding a route.VPN.png

So by adding the route you say the meraki over which router it can reach this specific network. For example you got a router A and router B, router A has a route to B and knows which subnets are behind this specific router. Let's suppose your Meraki is behind router A. You need to let the Meraki know which subnets can be reached through router A, otherwise it only knows about the directly connected ones. I've made a little drawing to hopefully clear things up a little 🙂

 

If you take my drawing your routing table would look like this (with static routing):

Meraki:

192.168.10.128/25 -> Router A

192.168.0.0/24 -> Router A

172.16.0.0/16 -> Router A

10.0.0.0/8 -> Router A

192.168.20.128/25 -> directly connected

 

Router A (the left one):

192.168.10.128/25 -> directly connected

192.168.0.0/24 -> Router B

172.16.0.0/16 -> Router B

10.0.0.0/8 -> Router B

192.168.20.128/25 ->Meraki

 

Router B (the right one):

192.168.10.128/25 -> Router A

192.168.0.0/24 -> directly connected

172.16.0.0/16 -> directly connected

10.0.0.0/8 -> directly connected

192.168.20.128/25 -> Router A

routing.PNG

And then you should be able to reach the Server 🙂

Have you already tried to ping the Server from the Meraki connected to the network of it?
If the ping is possible you can add the Network to the Site-2-Site Firewall rules and this will create the route described above 🙂Firewall-rules.PNG

Also your daily dose of kb and routing https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Route_Priority

Highlighted
Here to help

Re: Route Specific Traffic over VPN

Hi el_pajaro_bobo,

 

Thank you so much for all your help. This really helping to clear things up. In my case the addresses that the spoke site (mx68) is trying to reach are internet addresses not local networks. The hub site has an NHS broadband connection and the addresses are only available via this. On the mx84 there are traffic shaping rules to make sure that clients trying to access the NHS services use the NHS broadband (wan2 in this case). I would assume from your instructions that I could create a static route on the spoke (mx68) saying NHS traffic go to the mx84. However if I enter an internal IP address of the mx84 into the static route on the spoke router then it says the next hop address is invalid. Can I create static routes to the other MXs inside the auto vpn, or does this need to be done from the destination router so the mx84 in this case?

 

Thanks again,

 

Phil

Conversationalist

Re: Route Specific Traffic over VPN

Hey Phil,

 

yes, you need to create the routings on the destination Router (for LAN Addresses).

Since you want to reach WAN-Addresses you would need Policy Based routes, which the Meraki is not capable of 😞

So unfortunately I don't think that this is possible with Meraki atm 😕

Sorry I couldn't help more

 

Greetiungs

Sascha

View solution in original post

Highlighted
Here to help

Re: Route Specific Traffic over VPN

Hi Sascha,

 

Thanks for trying, I did see the same conclusion on a different forum but your explanation is much clearer, thank you for taking the time.

 

Phil

Highlighted
Getting noticed

Re: Route Specific Traffic over VPN

@Phil_SCDS Ran across this post and was wondering if you ever came up with a solution.  Your example is exactly what I ran into and people have tried to direct me to the flow preferences.  I want it to give me the option to identify my internal traffic and then split-tunnel that network into my auto-vpn tunnel and anything that falls outside of that out to the local ISP to the internet.  Just wanted to see if you found a solution. 

Highlighted
Here to help

Re: Route Specific Traffic over VPN

@Charlie Unfortunately the short answer is no. I believe it would be possible with another layer 3 device which you could use to essentially split the traffic into what you wanted to go over the auto VPN and what don't want to. I haven't tested this yet but it is something we are considering doing. I have also used the "make a wish" button to hopefully make Meraki aware that this would be a useful function. If you and others can do that too then maybe it will be available in a future firmware update. Currently we have left it as all traffic going over the auto VPN which of course slows down the remote site but in my case not enough for it to be a huge issue.

Highlighted
Getting noticed

Re: Route Specific Traffic over VPN

@Phil_SCDS  Yeah I was toying with the idea of additional hardware as well.  I had previously used the make a wish as this need comes and goes in our organization (we end up not using Meraki in places that need a split the way we want it) but I will reinforce my previous "wish" with another today.  🙂    Thanks!

Highlighted
Conversationalist

Re: Route Specific Traffic over VPN

The solution I had posted in November 2019 has been working.  The short of it is that you create a static route on the hub MX for the internet addresses you'd like to through the VPN tunnel.  For next hop, you put the hub MX IP.

 

 
 

Static Route 1.png

 

This would create a routing loop.  So, you want to uncheck the Enabled box. 

 

Static Route 2.png

 

This will cause the route to be advertised through the VPN tunnel by the hub MX.  The spoke MX will see the route advertised by the hub MX and send the traffic through the VPN tunnel.  Then when it arrives, the hub MX will send it out the WAN interface.  One would expect the hub MX to stop advertising routes that have been disabled, but that hasn't happened in the 3 months since I set this up.

 

I opened a support case to get clarification, since the setup seems a bit suspect.  The support rep communicated with the development team and relayed the following:

 

1. This is not intended behavior.  While the team doesn't have any plans to actively change how it is working, a future fix for an unrelated issue could have the side effect of closing up the loophole.  So, it's use at your own risk.

 

2. The team does plan to implement a supported way to accomplish selective routing of internet traffic through VPN tunnels.

 

My plan is to ride out the work-around until the supported solution is available.  The worst that can happen is that the work-around stops working before the official solution is available and I'm back to where I started. But right now things are working exactly as I wanted, and I didn't have to buy any extra equipment.

 

If you are doing pre-purchase research, don't base your decision on this work-around, because it is unsupported and can disappear.  But if you've already got Meraki gear running, you don't have much to lose by trying it out.

Highlighted
Conversationalist

Re: Route Specific Traffic over VPN

nice!
thanks alot
you get a beer in mannheim if you travel to. 😄
Highlighted
Conversationalist

Re: Route Specific Traffic over VPN

I've been struggling with this for the past few days.  The company has VOIP telephone service.  Each branch has two WAN uplinks.  If an uplink goes down, then the phone calls will drop when the branch MX switches to the second uplink.  If I can route the VOIP traffic to the MX at the data center, then the branch uplinks can switch without the VOIP service seeing a change in the IP address.  I can also simplify IP whitelisting with 3rd party services if I can backhaul all of the traffic to those services through the hub WAN IP address.  But I can't send all of the branch internet traffic to the hub because that would kill the hub's uplink bandwidth.

 

I opened a support case and the rep responded it is not possible to set this up.  I called in and the second rep told me if I can get the hub MX to advertise the route, the branch MX will send the traffic over the VPN tunnel.  When I asked how to do that, he told me to put a static route into the hub MX with the IP of interest as a /32 subnet and the MX IP as the next hop.  I tried that, but the traffic got into a routing loop.  One would expect this to happen, but I have seen the Meraki dashboard have special support to "do what I mean" with some things like this. 

 

To resolve the routing loop, I disabled the static route.  Then something amazing happened.  Things started operating exactly as I wanted.  The hub MX continued to advertise the route to the branch MX, and the branch MX happily sent it the traffic, but when the traffic got to the hub, the hub MX sent it out the WAN link.  Perfect!

 

So, this is great.  But I am worried that this behavior would be considered a bug that will eventually be "fixed".  If I were a programmer of the MX firmware, I would not advertise static routes that are disabled.  The point of disabling something is to completely remove it from use without losing the information of what used be active. 

Highlighted
Conversationalist

Re: Route Specific Traffic over VPN

This has been working great.  I used this technique to configure VOIP traffic to go through the VPN tunnel out a reliable data center fiber connection.  A colleague and I tested a phone call between a VOIP phone and a cell phone.  I unplugged the WAN1 link and the call continued.  I reconnected WAN1 and unplugged WAN2, and the call continued.  This is something I did not think was possible with Meraki.  We did notice brief interruptions due to lost packets.  But it was much better than expected.

 

I think the Meraki team is missing out on an opportunity here.  The Velo Cloud sales reps kept telling us how VOIP calls don't drop with Velo Cloud, but they do with Meraki. I was on a call with Meraki sales reps telling them I didn't think Meraki was "real SD-WAN", and they had no response.  And that's the sentiment I got from third party sales reps that sell both.  They told me if I wanted true SD-WAN, to get VeloCloud.  If I wanted a more reasonably-priced solution, get Meraki.  One VeloCloud sales rep used the phrase "you get what you pay for".

 

However, it is possible with Meraki to do a spoke failover without VOIP calls dropping.  If they wanted to, the Meraki team could implement packet duplication and jitter protection, and compete with the VeloCloud VOIP feature set.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.