Skip to main content
Cisco Meraki Documentation

SD-WAN Internet Policies (SD-Internet)

By Steve Harrison


This document covers the configuration, operation, and support of the SD-Internet feature in the MX16.X code.  The function of this feature is to steer customer traffic to SaaS or public cloud-based applications over the best-performing WAN connection at the time the traffic is forwarded.  Whilst this feature shares a lot of functionality with Meraki SD-WAN the nature of it being outside of any transport tunnel does yield some key differences in behavior.  


Currently, Meraki supports features like dynamic path selection, performance-based routing, etc on the overlay (Meraki AutoVPN) traffic as SD-WAN. This works great for the customers who have their resources located in private data centers or in the cloud infrastructure (Amazon AWS and Microsoft Azure in particular). However, many customers are moving their resources more towards cloud-based applications, some examples are Office 365, SalesForce, Oracle DB, Google Cloud, etc. Many resources like Voice and Video conferencing solutions are also mainly cloud-based for instance our own Cisco WebEx, RingCentral, Zoom, etc. These resource providers are recommending to access them over a direct internet link (Internet broadband) for better performance. 

To accommodate the needs of our customers and make our solution even more effective, we have implemented a traffic steering mechanism on the direct internet links. This feature builds upon and works with the VPN exclusion feature but does not require it, to allow customers to direct new flows matching internet traffic SD-WAN policies to the best available WAN connection. 

As SD-WAN over the internet suggests, this feature will be providing the similar functionality that we have on the SD-WAN overlay deployments such as Performance-based steering. 

  1. Customers will have the ability to set a policy for the applications that are excluded from VPN and routed over direct internet access.

  2. Customers will be able to define their custom performance class for the applications that are accessed over direct internet access (DIA).

  3. The feature will steer traffic based on the best performing available uplinks given the configured policy.  E.g. if 'Best for VoIP' is configured the uplink with the best MOS will be used.

SD-Internet policies are not as fully featured as SD-WAN policies right now and at this time they only support the definition of Layer 3 & 4 source and destination-based rules whilst allowing you to define a preferred uplink policy and a ‘failover if’ condition in the same way that you can for VPN traffic policies.  

The expected behavior is that the feature will failover between uplinks within 30 seconds of ‘route change needed’ detection for all new flows. 

Enabling SD-Internet

SD-Internet is still in active development hence there are certain requirements that must be met in order for the feature to be used:

Supported MX models - MX64, MX65, MX67, MX68, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX450

Unsupported MX models - MX50, MX60, MX70, MX80, MX90, MX400, MX600, vMX (all)

The SD-Internet feature is exclusively included in the SD-WAN Plus license tier, for more details on the license tiers look here.

A firmware version (16-X) is required.

Once this has been done you will be in a position to test the feature, it is recommended that testing is done in a manner that allows for the flexible control of latency, jitter, loss, and WAN availability for both primary and secondary WAN connections.  An example of such a testing setup is below:

SD WAN topology including WAN 1, WAN 2, switches and another location.

In the above example, each WAN service is connected to an inline VM that allows for the manipulation of the required criteria.  If you are interested in replicating such a setup please take a look here.

SD-WAN Plus licensed customers will see the “SD-WAN policies for Internet traffic” option while Enterprise and Advanced Security licensed customers will see “Internet flow preferences”

SD-WAN Plus licensed Dashboard

SD-WAN plus license policies.

Enterprise and Advanced Security licensed Dashboard

Enterprise and Advanced Security flow preferences for traffic shaping.

Custom performance classes shared between VPN traffic and Internet traffic SD-WAN policies.  

SD-WAN Internet policies configuration

The following policies can be configured:

  • Application categories/Major application policies

  • Custom expression policies

For some UI features that you see in the sections below, MX18.2+ is required. MX devices on firmware versions below MX18.2 can still use the feature in the same manner but the UI view is slightly different. 

Application Policy Configuration

In order to configure a custom expression policy, we simply click on the 'Add Policy' at the top right corner of the Internet policies table. This will launch the configuration element shown below:

Configuring traffic shaping policies per application.

Custom Expression Policy Configuration 

In order to configure a custom expression policy, we simply click on the 'Add Policy' at the top right corner of the Internet policies table. This will launch the configuration element shown below:

Customer traffic shaping expressions and policy configuration.

With a source and destination defined;

  1. A preferred uplink can be selected

  2. The 'failover if' policy can can be selected. Failover behavior can be performance-based or WAN state-based

  3. Finally a custom performance class can be chosen for the policy

Path Quality Data

In addition to configuring a policy to define how packets will be routed, with SD-WAN over the internet we can also configure the endpoint that we connect to in order to judge the quality of the internet connection being used.  This is possible because the SD-WAN over Internet feature uses the IP addresses that the network has configured to use for uplink statistics, this can also be found on the SD-WAN & traffic shaping page of dashboard. 

The IP address chosen as the default endpoint is pinged (ICMP echo request) by the MX and the time take to respond (latency), the number of packets not returned (loss) and the variability in the linearity of the received packets (jitter) is calculated and this is used as the performance score for the entire WAN connection.  In future releases of this feature, the endpoints used will be both application-specific and automatically chosen to be the most appropriate for each network.

In order to change the default Google DNS ( endpoint to something more appropriate, e.g. a known perimeter IP address to a peering point for your local ISP, or a known SaaS or IaaS endpoint simply configure the IP as per the below example (that shows the use of Cisco Umbrella's primary DNS resolver):

Uplink statistics destination IPs configuration.

This will result in routing decisions for the available internet connections being made by the availability of this endpoint.

In order for the MX to be able to utilize an endpoint, it needs to respond to ICMP echo requests (ping) otherwise the functionality of SD-WAN-over-Internet will be negatively impacted.

Expected Behavior

When we think about expected behavior for SD-Internet there are 2 key factors we need to consider:

  1. Due to the stateful nature of the MX when the performance threshold of for example  WAN1 connection changes such that it is no longer considered the ‘Best for VoIP’, then all new flows matching the rule for which ‘Best for VoIP’ is the preferred uplink will route via WAN2.  All existing flows that are already in the MXs flow table will remain on WAN1, this is because any such existing flow would have to be reset or terminated which could lead to unwanted behavior of the application in question.

  2. Due to the fact that SD-Internet decisions are based on the generic state of the WAN connection as measured by the MX and not of the specific path between 2 VPN endpoints, as it is for VPN traffic SD-WAN policies.  Then the MX cannot confidently re-route flows as quickly as we can with VPN traffic SD-WAN policies.  Such re-routing of new flows is expected to be completed within 30 seconds



1. How can I get this feature enabled?

Please raise a ticket with Meraki support who can make and request the necessary changes to enable this feature.

2. How will SD-Internet be licensed?

The SD-Internet feature requires the MX SD-WAN plus license, if you would like to test it please reach out to your Meraki sales representative or systems engineer or check here.

3. Does my MX support SD-Internet?

The SD-Internet feature is supported on all MXs except the following - MX50, MX60, MX70, MX80, MX90, MX400, MX600, vMX (all).

4. Will SD-Internet include L7 applications?

In the future, we plan to support L7 applications.

5. Why isn’t my traffic failing over when my WAN performance changes?

Changes in SD-Internet policies only apply to new flows, not existing flows.  This is due to the stateful nature of the MX, to change such existing flows we would have to disconnect or reset the flow.  This could lead to unwanted application behavior.

6. Where does SD-Internet get its data about the performance of the WAN connections?

SD-Internet currently uses ICMP gathered statistics from the IP address defined by the administrator in the uplink statistics section of the ‘SD-WAN & traffic shaping’ page.

7. How can I see which of my WAN connections is being used?

Currently, the only way to see which WAN connection is being used in the UI is via the ‘Live data -> Uplink traffic’ section on the ‘Uplink’ tab of the ‘Appliance status’ page.


  • Was this article helpful?