Bypassing a few hosts going through IPsec tunnel with vendor.

noman
Comes here often


Can someone advise if there is a possibility on Cisco Meraki to bypass certain hosts' traffic going to the IPsec tunnel, so that it goes directly to the internet instead?

RaphaelL
Kind of a big deal

Hi,

Yes, there are a couple of solutions depending on your needs.


Exclude ALL traffic for a specific VLAN: https://documentation.meraki.com/MX/Networks_and_Routing/Source_Based_Default_Routing


Exclude ALL traffic for a specific destination: https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)

noman
Comes here often

Thanks for your quick response RaphaelL. In terms of AutoVPN, yes, this option works, but my issue is that I want to bypass on the IPsec tunnel with Zscaler.


For example, I have some MFP printers on the same VLAN as users. Since by default all traffic is going through Zscaler via the IPsec tunnel, I would like to move the MFP printers to go out to the internet directly.

GreenMan
Meraki Employee

Are you talking about clients or servers as the 'certain hosts'?

If you're talking about some clients, behind the MX, having a different default path to other clients, I think you will need to put those hosts in a specific VLAN - and set the VLAN as VPN disabled.

If you're talking about some off-site servers, being accessed by all clients on a site, you need to think about how the route(s) to those servers are being advertised; remember that, if the VPN has no matching route for a destination, then the traffic will automatically be forwarded out of an MX WAN port, outside any tunnel and usually NATed to that interface's IP address.

If you have an MX Hub advertising a default route, then you will need to use the VPN full-tunnel exclusion capability. If the traffic in question is on the supported list (commonly O365, for example), this can be done using smart application-based rules, but you will need the SD-WAN+ license for the MXs in your Organization: https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)
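As an added illustration, not code from Meraki or from anyone in this thread: a small Python model of the path decision described above (VPN-disabled VLAN, full-tunnel exclusion by destination, then the VPN route lookup, otherwise out the WAN port with NAT), run against the printer scenario from the question. The subnets and the 203.0.113.10 destination are constructed sample values, and the rule ordering is an assumption made for the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

Net = ipaddress.IPv4Network


@dataclass
class MxVpnPolicy:
    """Constructed model of the MX forwarding rules as described in the thread (not Meraki code)."""
    vpn_disabled_vlans: List[Net] = field(default_factory=list)  # VLANs set to "VPN disabled"
    vpn_routes: List[Net] = field(default_factory=list)          # prefixes advertised over the VPN
    exclusions: List[Net] = field(default_factory=list)          # full-tunnel exclusions by destination


def decide_path(policy: MxVpnPolicy, src_ip: str, dst_ip: str) -> str:
    """Return 'vpn' or 'wan-nat' for one flow, applying the rules in the assumed order."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # 1. A host in a VPN-disabled VLAN never enters the tunnel.
    if any(src in vlan for vlan in policy.vpn_disabled_vlans):
        return "wan-nat"
    # 2. A destination covered by a full-tunnel exclusion leaves via the WAN port.
    if any(dst in ex for ex in policy.exclusions):
        return "wan-nat"
    # 3. Otherwise the tunnel is used only when an advertised VPN route matches the destination.
    if any(dst in route for route in policy.vpn_routes):
        return "vpn"
    # 4. No matching VPN route: forwarded out the WAN port, NATed to the WAN interface IP.
    return "wan-nat"


def printer_scenario() -> dict:
    """Printers share 10.1.0.0/24 with users; moving them to a VPN-disabled 10.1.9.0/24 splits the path."""
    full_tunnel = [Net("0.0.0.0/0")]  # hub advertises a default route: everything is tunnelled
    shared = MxVpnPolicy(vpn_routes=full_tunnel)
    split = MxVpnPolicy(vpn_routes=full_tunnel, vpn_disabled_vlans=[Net("10.1.9.0/24")])
    return {
        "printer_before": decide_path(shared, "10.1.0.50", "203.0.113.10"),
        "printer_after": decide_path(split, "10.1.9.50", "203.0.113.10"),
        "user_after": decide_path(split, "10.1.0.20", "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, path in printer_scenario().items():
        print(f"{name}: {path}")
```

The same function shows the destination-based alternative: adding a destination prefix to `exclusions` sends only that traffic straight out the WAN while users and printers stay in one VLAN.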
