Routing specific public traffic via spoke WAN

Jsidge92
Comes here often

Hi,

We have an external vendor where they have whitelisted the public IP from one of our SDWAN sites.

We would like to direct all traffic flows from spoke sites via the Auto-VPN tunnels, to egress this spoke site.

I believe this can be best done via a static route at the desired site, advertised into the VPN.

I would then list the next hop as an IP configured on the MX.

My assumption here is I should not use any downstream/external IP interface.

The expectation here is once traffic is routed to the desired site, no local routes will exist for the service, and then it will egress via the public WAN interface (default route is still via WAN).

Can anyone advise if the above is correct, or if there is any best practice around trying to consolidate specific traffic flow via certain sites?

Thanks,

6 Replies

ww
Kind of a big deal

For all traffic: set a default route from spoke to a hub using the default route checkbox

or

using a source-based default route for a VLAN.

For subnet/IP advertisement:

In routed mode, set a static route and advertise that route in VPN (subnet must be reachable on the LAN side)

Or

One-armed mode using WAN1 only, advertise the subnet/IP

Jsidge92
Comes here often

Thanks for the reply!

It would be option 2, but just curious if there are any issues where the next hop is the router IP itself?

Say the local subnet on the router is 10.1.1.0/24, router IP 10.1.1.1.

Then the static route advertised into VPN would be configured as 1.1.1.1 next-hop 10.1.1.1 (router IP and not a downstream device in the subnet).

This then tells other remote sites to send any traffic for 1.1.1.1 via VPN to the spoke site rather than local breakout.

Once traffic is routed to the site, to IP 10.1.1.1, I would then assume, as there is no other route path for the traffic, it would then egress via local WAN breakout?

Thanks again

ww
Kind of a big deal

That does not work.

It will try reaching 1.1.1.1 via 10.1.1.1, and then use its static route for 1.1.1.1 via 10.1.1.1 again and again.
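The loop ww describes can be made concrete with a small model of the forwarding decision. The following is an added example, not code from the thread or from Meraki: it implements longest-prefix match with recursive next-hop resolution over three constructed routing tables, using the addresses the posters used (1.1.1.1 as the whitelisted vendor IP, 10.1.1.0/24 with the MX at 10.1.1.1) plus two assumptions, a WAN address of 203.0.113.2 for the MX and a downstream router at 10.1.1.2. It also includes a pre-deployment check that flags any static route whose next hop is one of the router's own addresses, which is exactly the configuration that never reaches the default route.

```python
import ipaddress

# Constructed example data, not from the thread. 203.0.113.2 (the MX WAN
# address) and 10.1.1.2 (a downstream router on the LAN) are assumptions.
SPOKE_LOCAL_IPS = {"10.1.1.1", "203.0.113.2"}

# Routing table entries are (prefix, next_hop). Next-hop conventions:
#   None          destination is on a connected subnet, deliver directly
#   "WAN"         egress the WAN interface (NAT to the Internet)
#   "VPN:<site>"  send down the AutoVPN tunnel to that site
#   an IP string  forward to that next-hop address
ROUTES_NEXT_HOP_SELF = [
    ("0.0.0.0/0", "WAN"),
    ("10.1.1.0/24", None),
    ("1.1.1.1/32", "10.1.1.1"),   # the static route proposed in the thread
]

ROUTES_NEXT_HOP_DOWNSTREAM = [
    ("0.0.0.0/0", "WAN"),
    ("10.1.1.0/24", None),
    ("1.1.1.1/32", "10.1.1.2"),   # assumption: a second router on the LAN side
]

# What a remote spoke sees once the /32 is advertised into the VPN.
ROUTES_REMOTE_SPOKE = [
    ("0.0.0.0/0", "WAN"),
    ("10.2.2.0/24", None),        # assumption: the remote spoke's own LAN
    ("1.1.1.1/32", "VPN:spoke-a"),
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def resolve(routes, dst, local_ips, max_depth=8):
    """Resolve dst to an egress decision by recursive next-hop lookup.

    Returns one of:
      ("wan", path)            egress via the default route / NAT
      ("vpn", site, path)      send into the AutoVPN tunnel to site
      ("lan", next_hop, path)  hand off to a directly connected device
      ("loop", path)           the table points the packet back at this router
      ("unroutable", path)
    path lists the (prefix, next_hop) entries consulted, in order.
    """
    target = dst
    path = []
    for _ in range(max_depth):
        match = lookup(routes, target)
        if match is None:
            return ("unroutable", path)
        net, next_hop = match
        path.append((str(net), next_hop))
        if next_hop is None:
            # target sits on a connected subnet: deliver to it directly
            return ("lan", target, path)
        if next_hop == "WAN":
            return ("wan", path)
        if next_hop.startswith("VPN:"):
            return ("vpn", next_hop[4:], path)
        if next_hop in local_ips:
            # The next hop is one of our own addresses. The packet is handed
            # back to this same table for dst, matches the same /32 again, and
            # so on. It never falls through to the default route.
            return ("loop", path)
        # The next hop is another device: work out how to reach that device.
        target = next_hop
    return ("loop", path)


def self_referencing_routes(routes, local_ips):
    """Check to run before advertising a route: static routes whose next hop
    is one of this router's own addresses. Every hit will loop, not egress."""
    return [prefix for prefix, next_hop in routes if next_hop in local_ips]


if __name__ == "__main__":
    print("remote spoke:", resolve(ROUTES_REMOTE_SPOKE, "1.1.1.1", set()))
    print("spoke A, next hop = MX itself:",
          resolve(ROUTES_NEXT_HOP_SELF, "1.1.1.1", SPOKE_LOCAL_IPS))
    print("spoke A, next hop = downstream router:",
          resolve(ROUTES_NEXT_HOP_DOWNSTREAM, "1.1.1.1", SPOKE_LOCAL_IPS))
    print("routes that will loop:",
          self_referencing_routes(ROUTES_NEXT_HOP_SELF, SPOKE_LOCAL_IPS))
```

The remote spoke resolves 1.1.1.1 to the tunnel, as the poster expected; at spoke A the same /32 resolves to "loop" when its next hop is the MX's own LAN address, and only hands the packet to a connected device when the next hop is a separate router on the LAN, which is the condition rabusiak reports Meraki support gave.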

Jsidge92
Comes here often

Would it be possible to set up an internal subnet for a public IP as a sort of DMZ/loopback interface, since it will be obscured via NAT? (e.g. 2.1.1.0/32, router IP 2.1.1.1)

This could be the public /30 WAN interface configured on the MX device.

Then the static route advertised into VPN would be configured as 1.1.1.1 next-hop 2.1.1.2 (theoretical next hop at the spoke site).

Traffic would then be routed to the site, and when reaching the site, unable to find a local next hop, should fall to the default route of WAN?

At that point the traffic would then be NAT'd, at which point it would then be privy to public routes to the desired public IP endpoint.

I know this is convoluted, but there doesn't seem to be any sort of documentation to facilitate this.

Thanks again,

rabusiak
Getting noticed

It looks like my example:
Solved: Re: Routing traffic (to internet, for specific subnets) from MX1 over auto-... - The Meraki ...
I had a remote session with Meraki support and unfortunately, it will work only if you have a second MX or another router available on the "LAN side of the spoke". In my situation I just have an old Sophos firewall and a transit network between it and the Meraki implemented. Then I'm advertising a VPN-enabled route from the spoke for the required networks/IPs, pointing to the Sophos IP on the transit network.

GreenMan
Meraki Employee

If all your spokes need to be able to egress from that one site, why not change that site to be a Hub, advertising the particular destination IP address / IP route - with all the Spokes (also) having a tunnel to your new Hub - that way you avoid hairpinning traffic through an existing Hub?
