Routing vpn web traffic back through LAN

New here

Routing vpn web traffic back through LAN

Scenario: I have an MX100 at my main site and an MX67 at a branch site. I need to be able to force all internet traffic for the branch site through a 3rd party web content filter which sits inline (between the router and the firewall) on the LAN side at my main site.

Is this possible and if so, what is the best way to go about this?

Thank You

[attachment: net.JPG]

11 REPLIES
Building a reputation

Re: Routing vpn web traffic back through LAN

I don't think this is possible but it really depends on how your network and Site to Site VPN is set up... Here is a good article about all the different configurations on the MX for your site to site VPN... https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

You would definitely need to configure Full tunnel (default route) but routing beyond that I'm not sure... hopefully this was helpful...

Dakota Snow | Network-dad LinkedIn
CMNO | A+ | ECMS2
Check out IT Career Skills
Kind of a big deal

Re: Routing vpn web traffic back through LAN

You won't be able to do this given your current topology. The best way to do this would be to use an MX in concentrator mode that's behind the content filter. You would then use a S2S VPN, full tunnelled as @Network-dad mentioned, from the remote site to the concentrator before it heads out to the Internet.

[attachment: image.png]

Building a reputation

Re: Routing vpn web traffic back through LAN

@jdsilva That's what I was thinking but that would require a 3rd MX... I wasn't sure if there was a way using static route statements to route the traffic through the CF then depending on the CF have a statement to route it back to the MX... It would be very messy and I think the idea of a 3rd MX in concentrator mode would be the cleanest.

Building a reputation

Re: Routing vpn web traffic back through LAN

You can do this, but as noted it depends on your current LAN. I actually just implemented this a few months ago on my setup. Previously, my remote sites using "tunnel all" hairpinned at the Meraki to hit the internet. What I did was add 0.0.0.0/0 to the data center MX, gave it the next hop of the core router, then told it to advertise that route to the spoke sites.

What happens is when the data center receives traffic from the spoke sites, it sends all that traffic to the core. The core sees the routes as being internet and then sends it to our egress VRF. It works flawlessly and we did it for similar reasons.

My basic topology is just like yours, I run the Meraki in the data center as dual-arm. Here is a picture showing the basic before/after.

[attachment: defaultroute.png]

Building a reputation

Re: Routing vpn web traffic back through LAN

Yes @Aaron_Wilson This is exactly what I was thinking.

Kind of a big deal

Re: Routing vpn web traffic back through LAN

@Aaron_Wilson that actually works? How do you not end up with this:

[attachment: image.png]

Building a reputation

Re: Routing vpn web traffic back through LAN

@jdsilva you would need 2 different interfaces on different subnets with static routes to make it work, i.e. having the core router perform the routing.

Kind of a big deal

Re: Routing vpn web traffic back through LAN

How do you make one static route apply to one interface and not another interface? MX can't do VRFs... I'm confused how the 0.0.0.0/0 pointing to the core doesn't create a routing loop with traffic the core sends to the MX.

Building a reputation

Re: Routing vpn web traffic back through LAN

Our Meraki is not our core or edge router. Our Meraki is strictly for spoke sites which are not MPLS. I mistakenly drew the egress flow as going through the Meraki rather than the edge routers/FWs.
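To make the loop question in this exchange concrete, here is an added example (not from the thread or from Meraki) that models both topologies as static routing tables and traces a spoke's internet-bound packet through each: the one Aaron_Wilson describes, where the core egresses through the edge firewall, and the one jdsilva feared, where the core's default points back at the hub MX. All device names and subnets are constructed.

```python
import ipaddress

# Constructed topology: names stand for the branch (spoke) MX, the hub MX at the
# data centre, the core router and the edge firewall.  A next hop is either a
# device name, "LOCAL" (deliver on this device's LAN) or "INTERNET" (upstream).
# The inline web filter is transparent, so it is not a routed hop here.
SPOKE_LAN = "10.20.0.0/16"   # constructed branch subnet
DC_LAN = "10.10.0.0/16"      # constructed data-centre subnet

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(devices, start, dst, ttl=8):
    """Follow a packet hop by hop; the last element is where it ended up."""
    path, hop, seen = [start], start, {start}
    for _ in range(ttl):
        nh = lookup(devices[hop], dst)
        if nh is None:
            return path + ["DROP"]
        if nh in ("LOCAL", "INTERNET"):
            return path + [nh]
        if nh in seen:                 # already visited: a routing loop
            return path + [nh, "LOOP"]
        seen.add(nh)
        path.append(nh)
        hop = nh
    return path + ["TTL_EXCEEDED"]

def working_topology():
    """Hub MX defaults to the core; the core egresses via the edge FW, not the MX."""
    return {
        "spoke-mx": [(SPOKE_LAN, "LOCAL"), ("0.0.0.0/0", "hub-mx")],          # full tunnel
        "hub-mx":   [(DC_LAN, "core"), ("0.0.0.0/0", "core")],                # 0.0.0.0/0 -> core
        "core":     [(SPOKE_LAN, "hub-mx"), (DC_LAN, "LOCAL"), ("0.0.0.0/0", "edge-fw")],
        "edge-fw":  [("0.0.0.0/0", "INTERNET")],
    }

def looping_topology():
    """Same, but the core's default points back at the hub MX (the feared loop)."""
    t = working_topology()
    t["core"] = [(SPOKE_LAN, "hub-mx"), (DC_LAN, "LOCAL"), ("0.0.0.0/0", "hub-mx")]
    return t
```

Running `trace(working_topology(), "spoke-mx", "198.51.100.10")` walks spoke-mx, hub-mx, core, edge-fw, INTERNET; the same call against `looping_topology()` bounces between hub-mx and core and ends in LOOP.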
Kind of a big deal

Re: Routing vpn web traffic back through LAN

Gotcha. That makes a lot more sense. Thanks for clarifying.

Building a reputation

Re: Routing vpn web traffic back through LAN

I did find the blue circles comical...lol. The best drawing I have seen showing a network loop.