Meraki

Community

Switching to local Internet breakout advice

Rodan65
New here
‎Jan 8 2024 7:56 AM
‎Jan 8 2024 7:56 AM

Switching to local Internet breakout advice

Hi,

 

Apologies if this has been asked before, I expect it has, but if I explain our situation perhaps someone would be able to advise me.

 

We have a main local college, which has a pair of Meraki MX250's which provide auto VPN through to our other sites nationally. The college in question also has a couple of local, but remote sites situated in the same town. Currently these sites each have an MX84 installed which acts as the gateway for the remote site subnets. The MX84's are configured at the 'IPv4 default route' and each subnet is in VPN enabled mode. This is because we need to provide a safe connection for our students and need all traffic to go through the web filter at the main college site. However, this of course means that some speed / responsiveness is lost due to going through a VPN and then the web filter at the main college which is of course dealing with traffic from the main site as well.

 

It has been suggested that we could install a smaller version of our main site firewall/web filter at the remote site, and then do local Internet breakout through that, while any traffic for internal resources would still go down the Auto VPN to the main site. OK, but looking at the dashboard SD-WAN section for the MX84 it looks like I can only exclude traffic from the VPN, rather than Include traffic, which would be easier.. since then we'd only be including private IP address ranges in the VPN. I'm wondering however if I unchecked the box for IPv4 default route, if I could then just specify which subnets would be included in the VPN and any that are disabled for VPN would just be sent out out the WAN interface alongside the VPN?

 

I'm not sure if I'm explaining that correctly.. TL:DR

 

We want to have all traffic destined for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 going down the Auto VPN and everything else (0.0.0.0/0) breaking out locally to a firewall/web filter. Currently IPv4 Default Route is enabled as this is setup as a spoke site. 

 

Any advice on how to achieve this easily would be appreciated.

 

Thanks

 

Labels:
0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 8 2024 8:06 AM
‎Jan 8 2024 8:06 AM

You can use the VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout).

 

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

 

Requirements:

The following are the requirements to utilize this feature in a network:

  • Meraki AutoVPN support: This feature requires the Meraki MX on MX 15+ series firmware

  • Non-Meraki VPN support: This feature requires the Meraki MX on MX 18.1+ series firmware 

  • Minimum License Type: Secure SD-WAN Plus or Advance Teleworker

  • All other requirements listed for IP/URL based Local Internet Breakout

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 8 2024 12:41 PM
‎Jan 8 2024 12:41 PM

I'm with @alemabrahao - I would look into changing over to the SD-WAN licence, and then you can send specific types of traffic directly to the Internet (such as Office 365, Google Suite, etc).

0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Jan 8 2024 8:16 AM
‎Jan 8 2024 8:16 AM

Yes, You can uncheck the default route option on the spoke.

Only vpn destinations/routes will use the vpn in that case. You dont need to specify those, they should be learned automatically using the autovpn. Just check your spoke routing table to make sure

 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 8 2024 12:46 PM
‎Jan 8 2024 12:46 PM

Actually, going in a different direction, you could also consider Cisco Meraki Secure Connect (a SASE play).

https://documentation.meraki.com/CiscoPlusSecureConnect 

 

With this solution you throw away your existing web filter and you use Cisco Umbrella instead (a cloud-based solution).  This is a comprehensive filtering, auditing and logging platform.

 

You add two new "virtual MXs" (which are actually Umbrella data centres), and your default route points to them instead.  All your Internet traffic then flows directly from each site to Cisco Umbrella (in the cloud) for filtering.

 

As a bonus, you can also install an agent on machines, mobile devices, etc, that provides this same level of protection, auditing and filtering, no matter where they are (for example, it continues to work when they are home).

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.