Are you talking about clients or servers as the 'certain hosts'?

If you're talking about some clients, behind the MX, having a different default path to other clients, I think you will need to put those hosts in a specific VLAN - and set the VLAN as VPN disabled.

If you're talking about some off-site servers, being accessed by all clients on a site, you need to think about how the route(s) to those servers is being advertised; remember that, if the VPN has no matching route for a destination, then the traffic will automatically be forwarded out of an MX WAN port, outside any tunnel and usually NATed to that interface's IP address.

If you have an MX Hub advertising a default route, then you will need to use the VPN full-tunnel exclusion capability. If the traffic in question is on the supported list (commonly O365, e.g.), this can be done using smart application-based rules - but you will need the SD-WAN+ license for the MXs in your Organization: https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2F%2FURL_Based_Local_Internet_Breakout)