For what seems like a pretty basic SD-WAN feature on other platforms that I can't figure out here: I have a Hub and Spoke AutoVPN with the Site-to-Site VPN setting for Spokes configured to obtain the IPv4 default route via the Hub appliance.

VPN-enabled VLANs at the spokes obtain this as expected, plus the DC prefixes I specify on the hub. That's all fine.

I have a VPN-disabled VLAN that I want for local internet access only (guest). That's fine too.

I have another VLAN that I want to be VPN-enabled, so devices on it can be in-band managed from across the WAN (AutoVPN), but that I require to *not* obtain the default IPv4 route from the Hub appliance. I want the default route to NAT out via the local internet, the same as if it were VPN-disabled, or to have the entire spoke not receive the default route from the Hub appliance.

I can use VPN exclusions for specific prefixes and FQDNs and do local breakout. Sometimes this works, but it's high maintenance, prone to breaking, and is a mammoth config for the requirements of the devices on this VLAN.

I don't want to have to deploy a separate gateway device and add a static default route to it... for 120 spokes.

Source-based routes... it would be nice if they would let you route + NAT out your local WAN interface.

Anyone been able to accomplish this in a way I've missed?