Routing Specific Internet IPs Across S2S Tunnel

Solved
Brash
Kind of a big deal

I am in the process of doing a deployment where there are existing cloud-based applications that utilize source IP address lists for security. With the current model, all outbound network traffic goes through a single hub location whose IP address is whitelisted within the application.
The plan is to alter this so that each site has direct internet access.


I'm not aware of any way to force specific internet bound traffic across the S2S tunnel.
Has anyone had to implement a workaround for this kind of scenario in the field?

1 Accepted Solution
ww
Kind of a big deal

From a one-armed concentrator you can advertise any route (more specific or unique) you want to exit that concentrator.

In case of a routed hub you need to advertise a static route from the LAN side.


3 Replies

PhilipDAth
Kind of a big deal

Can you get a static IP address for each spoke - that might be the easiest option.


Otherwise, as @ww says, you basically have to use two MX in HQ. One in VPN concentrator mode. On that MX network you can add a static route to your Internet gateway (another MX in a different network) and then say to include that in AutoVPN.
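The design described by ww and PhilipDAth works because the spoke picks the most specific matching route: a /32 (or small prefix) for the SaaS application's IP advertised over AutoVPN wins over the spoke's local default route, so only that traffic egresses from the hub's allowlisted address while everything else breaks out locally. The following is an added example, not code from the thread or from Meraki, that models that longest-prefix-match decision and checks an allowlist for gaps before cutover. All prefixes, the hub and spoke public IPs, and the allowlist targets are constructed sample values (RFC 5737 documentation ranges).

```python
"""Model of a spoke's route selection for specific internet IPs sent over AutoVPN.

Constructed example: the route table, public IPs and SaaS targets below are
placeholders and not taken from any real deployment.
"""
import ipaddress

# Assumed values: the hub's public IP is the one the SaaS app already allowlists;
# the spoke's own public IP is NOT allowlisted, so anything leaving from it is a problem.
HUB_PUBLIC_IP = "198.51.100.1"
SPOKE_PUBLIC_IP = "192.0.2.50"

# Routes as the spoke sees them: (prefix, exit).
#   "autovpn" = carried to the hub concentrator over the S2S tunnel
#   "local"   = direct internet breakout at the branch
SPOKE_ROUTES = [
    ("0.0.0.0/0", "local"),           # default route: branch breaks out locally
    ("10.0.0.0/8", "autovpn"),        # corporate RFC1918 space behind the hub
    ("203.0.113.10/32", "autovpn"),   # single SaaS IP advertised by the concentrator
    ("203.0.113.64/26", "autovpn"),   # a SaaS range advertised by the concentrator
]

# IPs the SaaS vendor says our traffic must come from the allowlisted address for.
SAAS_ALLOWLIST_TARGETS = ["203.0.113.10", "203.0.113.70", "203.0.113.200"]


def select_route(routes, dst):
    """Return (prefix, exit) of the longest-prefix match for dst, or None.

    A more specific prefix always beats a broader one regardless of table order,
    which is why a /32 over AutoVPN overrides the local 0.0.0.0/0 default.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_exit = None, None
    for prefix, exit_ in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_exit = net, exit_
    if best_net is None:
        return None
    return (str(best_net), best_exit)


def egress_source_ip(routes, dst):
    """Public source address the destination will observe for traffic from this spoke."""
    route = select_route(routes, dst)
    if route is None:
        return None
    return HUB_PUBLIC_IP if route[1] == "autovpn" else SPOKE_PUBLIC_IP


def allowlist_gaps(routes, targets):
    """Targets that would egress from the spoke's own (non-allowlisted) IP.

    Any entry returned here means the concentrator is not advertising a prefix
    covering that target, so the app would reject the connection after cutover.
    """
    return [t for t in targets if egress_source_ip(routes, t) != HUB_PUBLIC_IP]


if __name__ == "__main__":
    for target in SAAS_ALLOWLIST_TARGETS:
        print(target, "->", select_route(SPOKE_ROUTES, target),
              "seen as", egress_source_ip(SPOKE_ROUTES, target))
    print("allowlist gaps:", allowlist_gaps(SPOKE_ROUTES, SAAS_ALLOWLIST_TARGETS))
```

Running it shows 203.0.113.10 and 203.0.113.70 egressing from the hub via the advertised /32 and /26, while 203.0.113.200 falls through to the local default route and is reported as a gap; that is the check worth running against the real advertised prefixes before moving a site to direct internet access.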

Brash
Kind of a big deal

"From a one-armed concentrator you can advertise any route (more specific or unique) you want to exit that concentrator."

Spot on.
I completely forgot that you can define networks on a one-armed concentrator without them being local to the MX.
That fits into the design perfectly.

"Can you get a static IP address for each spoke - that might be the easiest option."


I agree this is the cleanest and my preferred option.
However, I'm preparing in case we are not able to go down that route (which seems to be a distinct possibility).


Thanks for the quick responses!
