SD-WAN Uplink Selection Policy when not actually using VPN?

Solved
etb
Getting noticed

SD-WAN Uplink Selection Policy when not actually using VPN?

Should it be possible to use the [SD-WAN & traffic shaping -> SD-WAN policies -> VPN traffic -> Uplink selection policy] to pin certain traffic by destination domain to a certain "WAN" link - even if I actually have no VPN's (just 2 regular internet connections)?

 

This may or may not be a dumb question.  I have read through documentation and forum posts (some links below), and I'm just not 100% confident. 

 

I also set up a little test using my MX68 running 18.107.5, and it's not working to pin traffic by domain when using VPN traffic Uplink selection.  So I'm not sure if I have just proven that it doesn't work the way I'm hoping it could, or if I'm just doing something incorrectly with my test configuration.  (I can share screenshots of the config if anyone wants, but just didn't to make this post that much longer.)  I did read that ICMP doesn't respect the configuration no matter what, so I'm simulating real outbound traffic and running PCAP on each "WAN" interface.  I can see that the traffic continues to use the primary link, even though I set an Uplink selection policy to send it out the secondary link.  

 

At the heart of the matter, my scenario is that I will have 2 regular internet connections (no VPN) in a new office, and I'd ideally like to load balance traffic between them (whether automatically or hard-configured for certain traffic groups) just to take advantage of the combined bandwidth.  But there is outbound traffic to a few domains which I really need to pin to the primary internet connection (unless the primary internet connection goes down), and so the plain round-robin load balancing wouldn't work reliably for that (I can't trust the automatic 60-minute flow pinning to work 100%).  I assume that the [SD-WAN & traffic shaping -> Uplink selection -> Flow preferences -> Internet traffic] would theoretically work, but that only seems to allow for IP addresses (not domains).  My domains in question use many different blocks of IP addresses, and they could change at any time, so I don't think trying to configure by IP address is feasible. 

 

Any other feasible solution is welcome.  And apologies if I'm being dense.

 

 

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping

 

https://community.meraki.com/t5/Security-SD-WAN/Load-balancing-question/m-p/101903#M25616

 

 

1 Accepted Solution
Ryan_Miles
Meraki Employee
Meraki Employee

SD-Internet adds NBAR based application dynamic path selection. But it still doesn't support a custom destination domain like the VPN policy does. So I suppose it depends on what the destination is in your example and if it's something covered by NBAR.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal

If you are talking about Based Local Internet Breakout, you need the Secure SD-WAN Plus or Advance Teleworker license.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
etb
Getting noticed

Hi and thanks for your response.  That seems at least sort of related to what I'm doing, but again I am not actually using any VPN's at all - just 2 plain internet connections.

 

To try to make an easier illustration:  let's say that I want to round-robin load balance all regular internet traffic (no VPN's involved at all), except that I always want outbound traffic to meraki.com to use the Primary uplink.  Should I be able to pin traffic by domain like that when not using any VPN's?

alemabrahao
Kind of a big deal
Kind of a big deal

SD-WAN policies > VPN traffic is used when you are talking about communication within SD-WAN. For the internet, you must use Flow preferences > Internet traffic as I mentioned previously.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
etb
Getting noticed

Okay.  That sucks because what I'd like to do won't work, but also because it seems so tantalizingly close to being possible.

 

Since this capability already exists for SD-WAN, does it seem like it would be a halfway-reasonable feature request to make the capability available for internet as well?  I don't even really need the ability to monitor the "health" of the link - I just need/want to pin traffic to an interface based on domain (or other traffic classification beyond just IP address and port).

 

EDIT - I think my wish might be getting granted in MX18.2 before I even wished it?  But still only with an SD-WAN Plus license.

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/... 

Ryan_Miles
Meraki Employee
Meraki Employee

SD-Internet adds NBAR based application dynamic path selection. But it still doesn't support a custom destination domain like the VPN policy does. So I suppose it depends on what the destination is in your example and if it's something covered by NBAR.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
etb
Getting noticed

Thanks, Ryan.  Yeah, I can be flexible as to exactly how to accomplish things.  Automatic load balancing with pinning based on domain would be most ideal, but I could also just pick various NBAR-supported applications and manually assign them to the secondary link (without enabling the automatic round-robin load balancing).

 

My particular application happens to be LogMeIn, and NBAR does list that as supported.  But my experience since the "statistical peer-to-peer" stuff (Meraki community thread) has been that the majority of LogMeIn traffic seems to be getting classified as "unknown".

 

So I'll see what I can work out with MX 18.2xx.  But if I could get SD-Internet, with support for destination domain, and all included in the Advanced license - well that would be perfect 🙂

alemabrahao
Kind of a big deal
Kind of a big deal

Otherwise, the correct resource is Flow preferences > Internet traffic, which does not accept domains, only IP or subnet and port.

 

alemabrahao_0-1705092973693.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GIdenJoe
Kind of a big deal
Kind of a big deal

At this time as @alemabrahao said you can only use flow preferences.
In the future releases SD-Internet will be available to use the actual NBAR application recognition to select the uplink and that is the actual feature you are looking for. I'm also hoping they will make it possible to add matching based on IP ranges or FQDN's.

Ryan_Miles
Meraki Employee
Meraki Employee

To be clear SD-Internet with NBAR is available now if running 18.207 on a supported MX model and SD-WAN licensing.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
GIdenJoe
Kind of a big deal
Kind of a big deal

Thanks for that update. We don't have any MX on that firmware yet so it's good to know thanks!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels