Scenario—I have an MX100 at my main site and an MX67 at a branch site. I need to be able to force all internet traffic for the branch site through a 3rd party web content filter which sits inline (between the router and the firewall) on the LAN side at my main site.
Is this possible and if so, what is the best way to go about this?
Thank You
I don't think this is possible but it really depends on how your network and Site to Site VPN is set up... Here is a good article about all the different configurations on the MX for your site to site VPN... https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings
You would definitely need to configure Full tunnel (default route) but routing beyond that I'm not sure... hopefully this was helpful...
You won't be able to do this given your current topology. The best way to do this would be to use an MX in concentrator mode that's behind the content filter. You would then use a S2S VPN, full tunnelled as @Network-dad mentioned, from the remote site to the concentrator before it heads out to the Internet.
@jdsilva That's what I was thinking but that would require a 3rd MX... I wasn't sure if there was a way using static route statements to route the traffic through the CF then depending on the CF have a statement to route it back to the MX... It would be very messy and I think the idea of a 3rd MX in concentrator mode would be the cleanest.
You can do this, but as noted it depends on your current LAN. I actually just implemented this a few months ago on my setup. Previously, my remote sites using "tunnel all" hairpinned at the Meraki to hit the internet. What I did was add 0.0.0.0/0 to the data center MX, gave the next hop of the core router, then told it to advertise that route to the spoke sites.
What happens is when the data center receives traffic from the spoke sites, it sends all that traffic to the core. The core sees the routes as being internet and then sends it to our egress vrf. It works flawlessly and we did it for similar reasons.
My basic topology is just like yours, I run the Meraki in the data center as dual-arm. Here is a picture showing the basic before/after.
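An added illustration of the routing the post above describes, not code from the thread or from Meraki: a longest-prefix-match trace over a constructed hub/spoke/core topology. All addresses and device names are assumptions; it shows branch web traffic reaching the egress path via the core, data-centre-to-branch traffic staying in the tunnel because the /24 beats the default, and the loop that would appear only if the core's own default pointed back at the hub MX.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology (assumptions, not the poster's real addressing):
#   mx67-spoke : branch MX, full-tunnel default over AutoVPN to the hub
#   mx100-hub  : data-centre MX, static 0.0.0.0/0 -> core router, advertised to spokes
#   core-router: LAN-side core whose own default leads to the egress path (filter, firewall)
N = ipaddress.ip_network
Route = Tuple[ipaddress.IPv4Network, str]       # (prefix, next-hop label)
LOCAL, EGRESS = "local LAN", "egress-filter"    # terminal labels, not devices

TABLES: Dict[str, List[Route]] = {
    "mx67-spoke": [(N("10.20.0.0/24"), LOCAL),
                   (N("0.0.0.0/0"), "mx100-hub")],
    "mx100-hub": [(N("10.0.0.0/24"), LOCAL),
                  (N("10.20.0.0/24"), "mx67-spoke"),   # branch prefix learned over AutoVPN
                  (N("0.0.0.0/0"), "core-router")],    # the static default from the post
    "core-router": [(N("10.0.0.0/24"), LOCAL),
                    (N("10.20.0.0/24"), "mx100-hub"),  # branch only reachable via the hub MX
                    (N("0.0.0.0/0"), EGRESS)],
}

def lookup(tables: Dict[str, List[Route]], device: str, dst: str) -> str:
    """Longest-prefix match: the most specific route wins; the default is a last resort."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in tables[device] if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def trace(tables: Dict[str, List[Route]], start: str, dst: str) -> List[str]:
    """Follow next hops from `start`; ends with a terminal label, or 'LOOP' if a device repeats."""
    path, device = [start], start
    while True:
        nxt = lookup(tables, device, dst)
        if nxt not in tables:          # delivered locally or handed to the egress path
            return path + [nxt]
        if nxt in path:                # same router seen twice: a routing loop
            return path + ["LOOP"]
        path.append(nxt)
        device = nxt

def with_core_default(next_hop: str) -> Dict[str, List[Route]]:
    """Copy of TABLES with the core router's default route repointed (what-if check)."""
    t = {name: list(routes) for name, routes in TABLES.items()}
    t["core-router"][-1] = (N("0.0.0.0/0"), next_hop)
    return t

if __name__ == "__main__":
    print(trace(TABLES, "mx67-spoke", "8.8.8.8"))     # branch -> hub -> core -> egress-filter
    print(trace(with_core_default("mx100-hub"), "mx67-spoke", "8.8.8.8"))  # misconfig: LOOP
```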
@jdsilva you would need 2 different interfaces on different subnets with static routes to make it work, i.e. having the core router perform the routing.
How do you make one static route apply to one interface and not another interface? MX can't do VRFs... I'm confused how the 0.0.0.0/0 pointing to the core doesn't create a routing loop with traffic the core sends to the MX.
Gotcha. That makes a lot more sense. Thanks for clarifying.