Routing vpn web traffic back through LAN

tedwards
Conversationalist

Scenario—I have an MX100 at my main site and an MX67 at a branch site. I need to be able to force all internet traffic for the branch site through a third-party web content filter which sits inline (between the router and the firewall) on the LAN side at my main site.

Is this possible and if so, what is the best way to go about this?

Thank you

[attachment: net.JPG]

Network-dad
A model citizen

I don't think this is possible, but it really depends on how your network and Site to Site VPN is set up... Here is a good article about all the different configurations on the MX for your site to site VPN: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

You would definitely need to configure Full tunnel (default route) but routing beyond that I'm not sure... hopefully this was helpful...

Dakota Snow | Network-dad LinkedIn
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad
jdsilva
Kind of a big deal

You won't be able to do this given your current topology. The best way to do this would be to use an MX in concentrator mode that's behind the content filter. You would then use a S2S VPN, full tunnelled as @Network-dad mentioned, from the remote site to the concentrator before it heads out to the Internet.

[attachment: image.png]

Network-dad
A model citizen

@jdsilva That's what I was thinking, but that would require a 3rd MX... I wasn't sure if there was a way using static route statements to route the traffic through the CF, then depending on the CF have a statement to route it back to the MX... It would be very messy and I think the idea of a 3rd MX in concentrator mode would be the cleanest.

Aaron_Wilson
A model citizen

You can do this, but as noted it depends on your current LAN. I actually just implemented this a few months ago on my setup. Previously, my remote sites using "tunnel all" hairpinned at the Meraki to hit the internet. What I did was add 0.0.0.0/0 to the data center MX, gave it the next hop of the core router, then told it to advertise that route to the spoke sites.

What happens is when the data center receives traffic from the spoke sites, it sends all that traffic to the core. The core sees the routes as being internet and then sends it to our egress VRF. It works flawlessly and we did it for similar reasons.

My basic topology is just like yours; I run the Meraki in the data center as dual-arm. Here is a picture showing the basic before/after.

[attachment: defaultroute.png]

Network-dad
A model citizen

Yes @Aaron_Wilson, this is exactly what I was thinking.

jdsilva
Kind of a big deal

@Aaron_Wilson that actually works? How do you not end up with this:

[attachment: image.png]

Network-dad
A model citizen

@jdsilva you would need 2 different interfaces on different subnets with static routes to make it work, i.e. having the core router perform the routing.

jdsilva
Kind of a big deal

How do you make one static route apply to one interface and not another interface? MX can't do VRFs... I'm confused how the 0.0.0.0/0 pointing to the core doesn't create a routing loop with traffic the core sends to the MX.

Aaron_Wilson
A model citizen

Our Meraki is not our core or edge router. Our Meraki is strictly for spoke sites which are not MPLS. I mistakenly drew the egress flow as going through the Meraki rather than the edge routers/FWs.
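A small forwarding simulator, added here as an example and not code from the thread or from Meraki, that models Aaron_Wilson's design (hub MX default route pointing at the core, core egressing through the inline filter) next to the loop jdsilva drew (core default route pointing back at the MX). Node names, prefixes and addresses are constructed for illustration; it shows how longest-prefix match keeps spoke traffic on the right path and how a misconfigured core default turns into a routing loop.

```python
import ipaddress

# Constructed routing tables for the thread's hub-and-spoke topology.
# Each table is a list of (prefix, next_hop); "LOCAL" means delivered here.
TABLES = {
    "mx67_spoke": [("10.20.0.0/16", "LOCAL"),          # branch LAN
                   ("0.0.0.0/0", "mx100_hub")],        # full-tunnel S2S VPN
    "mx100_hub": [("10.20.0.0/16", "mx67_spoke"),      # VPN route to branch
                  ("0.0.0.0/0", "core")],              # static default -> core
    "core": [("10.0.0.0/8", "mx100_hub"),              # internal / VPN prefixes
             ("0.0.0.0/0", "filter")],                 # egress via inline filter
    "filter": [("0.0.0.0/0", "edge_fw")],
    "edge_fw": [("0.0.0.0/0", "LOCAL")],               # reaches the internet
}

# jdsilva's concern: the core's default route points back at the MX.
LOOPED = dict(TABLES)
LOOPED["core"] = [("10.0.0.0/8", "mx100_hub"), ("0.0.0.0/0", "mx100_hub")]

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, src_node, dst, max_hops=16):
    """Walk dst hop by hop from src_node.
    Returns (path, status) with status 'delivered', 'loop' or 'no_route'."""
    path, node = [src_node], src_node
    while len(path) <= max_hops:
        nh = lookup(tables[node], dst)
        if nh is None:
            return path, "no_route"
        if nh == "LOCAL":
            return path, "delivered"
        if nh in path:                      # revisiting a node = routing loop
            return path + [nh], "loop"
        path.append(nh)
        node = nh
    return path, "loop"

def passes_filter(tables, src_node, dst):
    """True only if traffic is delivered AND traversed the content filter."""
    path, status = trace(tables, src_node, dst)
    return status == "delivered" and "filter" in path

if __name__ == "__main__":
    print(trace(TABLES, "mx67_spoke", "198.51.100.7"))   # via core and filter
    print(trace(LOOPED, "mx67_spoke", "198.51.100.7"))   # hub <-> core loop
```

`passes_filter` is the check worth keeping: a default route that reaches the internet but bypasses the filter node is a policy failure even though forwarding succeeds.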
jdsilva
Kind of a big deal

Gotcha. That makes a lot more sense. Thanks for clarifying.

Aaron_Wilson
A model citizen

I did find the blue circles comical...lol. The best drawing I have seen showing a network loop.