SD-WAN and local breakout for O365 and Microsoft Updates

Nikolai_Borhart
Here to help

SD-WAN and local breakout for O365 and Microsoft Updates

Hello community,

 

I received the following scenario from our customers:

 

MX (Spoke) have one DSL Internet WAN Port 1 and one MPLS WAN Port 2, the MPLS have a local internet breakout. This gives us the opportunity to set up a VPN to the MX (hub) on both WAN ports.

 

Now the voice communication should go over the MPLS VPN and the rest of the internal communication and the internet communication over the VPN at WAN port 1.In addition, the customer wants the Office 365 and Microsoft updates to go out via the local breakout, i.e. directly on the MX via the DSL connection.

 

I can configure voice traffic via VPN TrafficShaping.
And I can configure internal traffic and Internet traffic with the default route in the VPN Site2Site.

 

But how do you configure the routes to push the Office 365 and Microsoft upgrade locally via the DSL connection?

 

Can someone help me here?

 

thank you

8 Replies 8
Uberseehandel
Kind of a big deal

Nikolai_Borhart
Here to help

Hello Uberseehandel,

 

if I now understand the articles correctly, then the VPN settings are on the Windows desktop. But I want to configure the routing on the MX.

 

besrt regards

Nikolai

Uberseehandel
Kind of a big deal
cmr
Kind of a big deal
Kind of a big deal

@Uberseehandel @Nikolai_Borhart is talking about site to site VPNs, not client VPNs

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Uberseehandel
Kind of a big deal

@cmr 

Please see - https://docs.microsoft.com/en-us/Office365/Enterprise/office-365-vpn-split-tunnel 

 

This explains how to identify the O365 traffic, which is why I posted it as "helpful" rather than the solution . . . 

 

MS explains how to select the relevant traffic, specifically "to mitigate the risk of VPN infrastructure saturation", it makes sense to use the same logic to route the O365 traffic to a specific WAN port.🤓😷

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Dave_
Here to help

Support provided me with this link today.

 

VPN Full-Tunnel Exclusion (IP Based Local Internet Breakout) 

VPN full-tunnel exclusion is a feature on the MX whereby the administrator can configure layer-3 (and some layer-7) rules to determine exceptions to a full-tunnel VPN configuration. This feature is also known as Local Internet Breakout in the industry. 

Nikolai_Borhart
Here to help

Hello Dave,


Thank you for your answer, that's what I was looking for.

 

Unfortunately I only see a Layer 3 configuration in the documentation, although there should also be a Layer 7 configuration.

""" the administrator can configure layer-3 (and some layer-7) rules ''''''

Have you ever configured and tested the Local Internet Breakout on an MX?

Greetings

 

Dave_
Here to help

I have not configured this, but if you ask again in a week or two the answer may be different.  For now I'm just gathering info in response to a request.

 

If you look at the LIB (Local Internet Breakout) dialog there are options there for doing specific ports.  The dialog was under the template, BTW.  It took a minute for me to find it.

 

L7 on the Local Internet Breakout dialogL7 on the Local Internet Breakout dialog

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels