We‘re also eagerly waiting for that feature. It‘s something that other vendors handle since „ages“ and is a showstopper at least in many RFPs regarding SD-WAN. 😞

Yes, it works like a local breakout.

Now you can have traffic controlled based on L3/L4 destination information.

Smart Breakout should be able to let you control traffic based on L7 information.

>Smart Breakout should be able to let you control traffic based on L7 information.

Thank you kn-kimura for your reply. Let me pls ask some more questions.

- Can Smart Breakout function as true Application Based Routing which watchs HTTP GET and RESPONSE packets?

- Or mere DPI (Deep Packet Inspection) which watchs only 1 packet's L7 header?

- If the former, Can Smart Breakout deal with the 1st packet identification?

Application based breakout is out now  gentlemen:

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

I guessed that this was a feature that allows you to exclude certain applications from the VPN traffic.

I would appreciate the ability to sort out WAN ports (WAN1 or WAN2) from the traffic accessing the Internet directly from my station.

Hi,

I am wondering if the VPN tunnels between SPOKE and HUB are passing over IP MPLS VRF setup (no internet)

And the HUB provides default route (exit-HUB).

So if I want some local traffic to exit directly to internet, I would assume to have at least a second WAN directly connected to the internet, correct?

Let's say I create a static default route over a LAN port... Will this static default route be used by SMART breakout?

This is no where to be found in the Meraki documentation, which according to me is rather limited for such a desired and impacting feature.

Thanks

P.

I’m not entirely sure what you are asking, but it seems to be made up of two parts. First, static routes can only point to LAN ports, but these will always override Auto-VPN routes, thus they will create a ‘breakout’. Routing precedence on the MX can be found here, https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior.

If you’re looking for Full-Tunnel Exclusion (Breakout), which appears to cover your MPLS question, then that is covered in this document, https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2.... My assumption would be that if traffic hits the exclusion it would then be routed as normal internet traffic. So if you had a direct internet connection configured as your primary link, no load-balancing (or other internet flow preferences) then it should use that.

Hope this helps with your scenario.

Hi Bruce,

My concern is the following:

I have a primary WAN link and it is an IP MPLS connection (with an internet breakout on an exit HUB) and all VPN tunnels pass over it

A secondary WAN link is a direct internet connection and active-active VPN is off and no load balancing.

I suppose using SMART breakout should exclude VPN tunnel traffic (even avoiding the default route, learned from the exit HUB) and pass the excluded traffic over the secondary WAN link.

Another scenario:

You have a single public internet WAN link and all traffic (VPN tunnel) and non-VPN tunnel pass over the same connection.

This case is obvious and  excluded VPN traffic will pass in underlay to the public internet over the same WAN link.

Last scenario:

single WAN link only MPLS and default route via exit hub for overlay VPN traffic.

Static default route to LAN, where a CPE router or modem allows a breakout to the internet.

Assumption: all internet oriented traffic should pass over the static default route, both excluded VPN traffic as local traffic which normally would take the default route, announced by the exit HUB.

In this scenario, the exclusion of VPN traffic has no added value, only when the static default route is not working properly (ping next hop...).

But then the excluded VPN traffic should drop, as it is not allowed to pass over the VPN tunnel.

Correct?

Thanks

P.

Let’s start at the beginning: there are two ways that the Auto-VPN can work, either Full Tunnel or Split Tunnel. In Split Tunnel mode traffic is only encrypted into the VPN tunnel if it’s destined for a subnet advertised by another node on the Auto-VPN. In Full Tunnel mode all traffic leaving the site is encrypted into the VPN tunnel and sent to the hub site, where it is then decrypted and forwarded on. The VPN Full Tunnel Exclusion (breakout) applies only to the Full Tunnel mode and allows you to exclude specific destinations from the full tunnel.

For your scenarios:

In the initial one you could use Split Tunnel mode so that only traffic destined for an internal subnet is sent over the VPN on the MPLS link, and then use an Internet Flow Preference to send all internet traffic over the direct internet link on the second WAN link. There is no need to use the Full Tunnel Exclusion (breakout). If you do use a Full Tunnel and an Exclusion the internet traffic would be sent based on the Internet Flow Preferences. Incidentally you could also send the internet traffic unencrypted across the MPLS link so it is sent via the hub, and you could also use a VPN Tunnel over the direct internet link, these could be for failover of flow/performance based - this is the essence of a SD-WAN solution.

The the second scenario, as you say, is straightforward. You can use Split Tunnel or Full Tunnel, and if you do Full Tunnel you could use the Full Tunnel Exclusion (breakout) feature.

For the third scenario to work (which also applies to the MPLS link in the initial scenario) there must be a path to the internet from the MPLS underlay, not just the overlay. This scenario is pretty much as you describe, all traffic goes to the exit hub, the difference will be whether it is encrypted or not which has an impact on the CPU/utilisation of the MX device. Internet traffic will still be passed over the MPLS link in Split Tunnel mode or with a Full Tunnel Exclusion (breakout), it will just be unencrypted, it would not be dropped. Although if you wanted to you could configure the underlay to drop this traffic, so long as there is still access to the Meraki cloud.

Hope this explains it a bit more.