Policy Based Routing on MS250 or MX250

B_Tyler
Here to help


Network consists of a pair of MX250 security appliances in HA for Internet access with a stack of (4) MS250 switches as a core, with multiple user VLANs configured. We are bringing up a pair of routers to a remote data center; one router is a 20MB WAN and the other router is a 200MB WAN. The routers will connect to the core switch, each with their own /30 layer 3 subnet. Local clients on VLAN A and VLAN B will be accessing Host C in the remote data center. There is a requirement that users in VLAN A access Host C via the 20MB circuit and users in VLAN B access Host C via the 200Mb circuit.

I believe I need to do policy-based routing to accomplish this. Can the MS250 or the MX250 do policy-based routing, or is there another trick to accomplish this?

jdsilva
Kind of a big deal

You can policy route traffic on the MX under Security appliance > Traffic shaping. I'm assuming you're using AutoVPN to connect to the DC? If so you'd use the VPN Flow Preferences section to define your policy routes. 


https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...


Thanks for the response; however, I am not using the MX WAN connections, they are for redundant Internet connections. I am accessing the data center via private MPLS circuits terminated on 2 routers. I will have static routes pointing to Host A with a next hop of the router interface.

jdsilva
Kind of a big deal

Then no. You cannot policy route over LAN interfaces on the MX, nor can you do any policy routing at all on the MS. 

PhilipDAth
Kind of a big deal

You can't do this on Meraki switches.


What you can do is put a point-to-point /30 link between the routers, and let the routers handle the policy routing.
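One way to implement the suggestion above, as an added example that is not from the thread: a Cisco IOS-style configuration for the router on the 20MB circuit. The thread does not say what the Verizon routers run, so the vendor, interface names and every address below are assumptions, as is the premise that the core stack's single static route for Host C points at this router, which then policy-routes VLAN B across the /30 to the 200MB router.

```ios
! Added illustration, not from the thread. All addresses are constructed placeholders.
! R1 terminates the 20MB circuit, R2 the 200MB circuit. They share a point-to-point
! /30 (10.0.0.1 on R1, 10.0.0.2 on R2). The MS250 core reaches R1 on 10.1.1.1/30.
! VLAN A = 192.168.10.0/24, VLAN B = 192.168.20.0/24, Host C = 172.16.50.10.

! Match only VLAN B traffic bound for Host C; everything else stays on the
! normal routing table, which on R1 sends Host C out the 20MB circuit.
ip access-list extended VLAN-B-TO-HOSTC
 permit ip 192.168.20.0 0.0.0.255 host 172.16.50.10
!
! Probe R2's side of the /30 so the policy is withdrawn if R2 or the link is
! down; VLAN B then falls back to the 20MB path instead of being black-holed.
ip sla 1
 icmp-echo 10.0.0.2 source-ip 10.0.0.1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map PBR-FROM-CORE permit 10
 match ip address VLAN-B-TO-HOSTC
 set ip next-hop verify-availability 10.0.0.2 10 track 1
!
! Apply the policy on the interface facing the core stack (inbound direction).
interface GigabitEthernet0/0
 description Link to MS250 core stack
 ip address 10.1.1.2 255.255.255.252
 ip policy route-map PBR-FROM-CORE
!
interface GigabitEthernet0/1
 description Point-to-point /30 to R2 (200MB router)
 ip address 10.0.0.1 255.255.255.252
```

Return traffic from Host C is routed by the data center side, so it may come back over either circuit; check with `show route-map PBR-FROM-CORE` that the policy counters increment for VLAN B only.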

The routers belong to Verizon; I'll check and see if they could do PBR for us. We currently have (2) MXs in the network for failover. Could I add a 3rd MX to the network, terminate the MPLS on the 2 WAN interfaces, and route based on source address to WAN1 or WAN2?

PhilipDAth
Kind of a big deal

You can, although note as traffic passes from a VLAN interface to a WAN interface it will be NATed to the IP address of the WAN interface.

What about if I have an MX with non-Meraki / non-AutoVPN peers? Can I policy-based route traffic destined to that VPN (instead of a default route 0.0.0.0/0, aka Internet route)?


@PhilipDAth, and specifically in this instance, I don't want any SNAT to occur, even though it's bound out a WAN interface, but technically to a non-Meraki VPN peer destination.


Will that work?

jdsilva
Kind of a big deal

@mpgioia You have even less control on Non-Meraki VPN. So no, you can't policy-based route anything in that scenario.


An MX won't NAT VPN traffic, be it AutoVPN or Non-Meraki VPN. In the new beta v15.x firmware there's also some new knobs for controlling NAT on the MX. 

Yeah, wow... ok.

Any roadmap to include PBF/source-based routing that we know of?

RichG
Getting noticed

Source-based routing is now in beta with the 15.23 firmware. It will require a support ticket to turn on the UI in the dashboard.
