Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SD-WAN Uplink Selection Policy when not actually using VPN?

Solved
etb
Getting noticed
‎Jan 12 2024 12:46 PM
‎Jan 12 2024 12:46 PM

SD-WAN Uplink Selection Policy when not actually using VPN?

Should it be possible to use the [SD-WAN & traffic shaping -> SD-WAN policies -> VPN traffic -> Uplink selection policy] to pin certain traffic by destination domain to a certain "WAN" link - even if I actually have no VPN's (just 2 regular internet connections)?

 

This may or may not be a dumb question.  I have read through documentation and forum posts (some links below), and I'm just not 100% confident. 

 

I also set up a little test using my MX68 running 18.107.5, and it's not working to pin traffic by domain when using VPN traffic Uplink selection.  So I'm not sure if I have just proven that it doesn't work the way I'm hoping it could, or if I'm just doing something incorrectly with my test configuration.  (I can share screenshots of the config if anyone wants, but just didn't to make this post that much longer.)  I did read that ICMP doesn't respect the configuration no matter what, so I'm simulating real outbound traffic and running PCAP on each "WAN" interface.  I can see that the traffic continues to use the primary link, even though I set an Uplink selection policy to send it out the secondary link.  

 

At the heart of the matter, my scenario is that I will have 2 regular internet connections (no VPN) in a new office, and I'd ideally like to load balance traffic between them (whether automatically or hard-configured for certain traffic groups) just to take advantage of the combined bandwidth.  But there is outbound traffic to a few domains which I really need to pin to the primary internet connection (unless the primary internet connection goes down), and so the plain round-robin load balancing wouldn't work reliably for that (I can't trust the automatic 60-minute flow pinning to work 100%).  I assume that the [SD-WAN & traffic shaping -> Uplink selection -> Flow preferences -> Internet traffic] would theoretically work, but that only seems to allow for IP addresses (not domains).  My domains in question use many different blocks of IP addresses, and they could change at any time, so I don't think trying to configure by IP address is feasible. 

 

Any other feasible solution is welcome.  And apologies if I'm being dense.

 

 

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping

 

https://community.meraki.com/t5/Security-SD-WAN/Load-balancing-question/m-p/101903#M25616

 

 

0 Kudos
Subscribe
1 Accepted Solution
In response to etb
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 12 2024 4:28 PM
‎Jan 12 2024 4:28 PM

SD-Internet adds NBAR based application dynamic path selection. But it still doesn't support a custom destination domain like the VPN policy does. So I suppose it depends on what the destination is in your example and if it's something covered by NBAR.

View solution in original post

Subscribe
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 12 2024 12:50 PM
‎Jan 12 2024 12:50 PM

If you are talking about Based Local Internet Breakout, you need the Secure SD-WAN Plus or Advance Teleworker license.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
etb
Getting noticed
‎Jan 12 2024 12:55 PM
‎Jan 12 2024 12:55 PM

Hi and thanks for your response.  That seems at least sort of related to what I'm doing, but again I am not actually using any VPN's at all - just 2 plain internet connections.

 

To try to make an easier illustration:  let's say that I want to round-robin load balance all regular internet traffic (no VPN's involved at all), except that I always want outbound traffic to meraki.com to use the Primary uplink.  Should I be able to pin traffic by domain like that when not using any VPN's?

0 Kudos
Subscribe
In response to etb
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 12 2024 12:59 PM
‎Jan 12 2024 12:59 PM

SD-WAN policies > VPN traffic is used when you are talking about communication within SD-WAN. For the internet, you must use Flow preferences > Internet traffic as I mentioned previously.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
etb
Getting noticed
‎Jan 12 2024 2:57 PM
‎Jan 12 2024 2:57 PM

Okay.  That sucks because what I'd like to do won't work, but also because it seems so tantalizingly close to being possible.

 

Since this capability already exists for SD-WAN, does it seem like it would be a halfway-reasonable feature request to make the capability available for internet as well?  I don't even really need the ability to monitor the "health" of the link - I just need/want to pin traffic to an interface based on domain (or other traffic classification beyond just IP address and port).

 

EDIT - I think my wish might be getting granted in MX18.2 before I even wished it?  But still only with an SD-WAN Plus license.

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/... 

0 Kudos
Subscribe
In response to etb
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 12 2024 4:28 PM
‎Jan 12 2024 4:28 PM

SD-Internet adds NBAR based application dynamic path selection. But it still doesn't support a custom destination domain like the VPN policy does. So I suppose it depends on what the destination is in your example and if it's something covered by NBAR.

Subscribe
In response to Ryan_Miles
etb
Getting noticed
‎Jan 12 2024 4:44 PM
‎Jan 12 2024 4:44 PM

Thanks, Ryan.  Yeah, I can be flexible as to exactly how to accomplish things.  Automatic load balancing with pinning based on domain would be most ideal, but I could also just pick various NBAR-supported applications and manually assign them to the secondary link (without enabling the automatic round-robin load balancing).

 

My particular application happens to be LogMeIn, and NBAR does list that as supported.  But my experience since the "statistical peer-to-peer" stuff (Meraki community thread) has been that the majority of LogMeIn traffic seems to be getting classified as "unknown".

 

So I'll see what I can work out with MX 18.2xx.  But if I could get SD-Internet, with support for destination domain, and all included in the Advanced license - well that would be perfect 🙂

0 Kudos
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 12 2024 12:56 PM
‎Jan 12 2024 12:56 PM

Otherwise, the correct resource is Flow preferences > Internet traffic, which does not accept domains, only IP or subnet and port.

 

alemabrahao_0-1705092973693.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jan 13 2024 7:45 AM
‎Jan 13 2024 7:45 AM

At this time as @alemabrahao said you can only use flow preferences.
In the future releases SD-Internet will be available to use the actual NBAR application recognition to select the uplink and that is the actual feature you are looking for. I'm also hoping they will make it possible to add matching based on IP ranges or FQDN's.

0 Kudos
Subscribe
In response to GIdenJoe
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 13 2024 10:03 AM
‎Jan 13 2024 10:03 AM

To be clear SD-Internet with NBAR is available now if running 18.207 on a supported MX model and SD-WAN licensing.

Subscribe
In response to Ryan_Miles
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jan 13 2024 10:10 AM
‎Jan 13 2024 10:10 AM

Thanks for that update. We don't have any MX on that firmware yet so it's good to know thanks!

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.