Meraki

Community

Z3 - change routes

FlyingDutchman
Here to help
‎Jun 12 2021 9:37 PM
‎Jun 12 2021 9:37 PM

Z3 - change routes

Hi,

 

I have a challenge with the following setup:

 

  • Z3 to MX250 - default DNS server = corporate
  • The default route on the S2S VPN settings for the hub is disabled (=local internet breakout on the Z3)
  • Telefon service for Cisco Webex connects to voipserver.company.com
  • Corporate DNS server has an internal IP for voipserver.company.com that routes the VoIP-traffic internally via MPLS to the VoIP-provider
  • Public DNS also has an IP for voipserver.company.com that points to the public Expressway of the VoIP-provider for external clients

How do I setup the Z3/ network so that all Z3's connect to the public instead of the corporate IP of the VoIP-Provider?

 

Thanks in advance!

 

0 Kudos
6 Replies 6
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jun 12 2021 11:30 PM
‎Jun 12 2021 11:30 PM

Are you over thinking this?  Can’t you create a new vlan and dhcp pool that assigns a public dns IP address?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
cmr
Kind of a big deal
Kind of a big deal
‎Jun 13 2021 1:04 AM
‎Jun 13 2021 1:04 AM

@DarrenOC I think @FlyingDutchman wants to use their internal DNS for internal servers, but not for the VoIP server.  However they have a DNS entry for the VoIP server on their internal servers that points to a suboptimal IP address.

 

Therefore the only options I can think of are:

 

  • Remove internal entry for VoIP server and use public expressway for all connections
  • Allow remote users to connect to VoIP server via existing MPLS route
  • Maintain a second internal DNS server with only a subset of internal entries (not including the VoIP server) and point the VPN clients to that
  • Somehow filter the responses the DNS server gives, so only internal hosts get the private VoIP server entry, but VPN hosts get the public entry <--- can this be done?

Unless of course I am overthinking this!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jun 13 2021 1:31 AM
‎Jun 13 2021 1:31 AM

@cmr  😆

 

I think you’re right.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Jun 13 2021 2:57 AM
‎Jun 13 2021 2:57 AM

The forth option that @cmr mentioned would work well, this feature is named "DNS views" and is supported in BIND, but sadly not on Windows Server DNS.

So the best long-term solution would be not to use the same domain for internal and external resources. The internal resources should be better migrated to a different domain or a subdomain of company.com.

 

EDIT: Wait ... just the moment I pressed "Post" I remembered there was a new feature that does exactly what DNS views in BIND are doing, the DNS policies:

https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview

These can be used for this, but are not that easy to configure.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
FlyingDutchman
Here to help
‎Jun 13 2021 4:50 AM
‎Jun 13 2021 4:50 AM

Hi @KarstenI & @cmr ,

this is certainly an interesting approach that I will gonna test. 
I'll get back as soon as possible, thanks!

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 13 2021 12:46 PM
‎Jun 13 2021 12:46 PM

You could configure Windows 10 NRPT - DNS resolution policy.

 

Configure the policy to send voipserver.company.com to public DNS servers (like 8.8.8.8) and let everything use the default configured DNS servers.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.