
VPN Full-Tunnel Exclusion


This is currently a beta feature available in 15.4+ firmware, and there is presently no UI option for it (coming soon). If the firmware is not available in your Meraki dashboard's firmware manager, please contact Meraki support to upgrade firmware and enable this feature.


VPN full-tunnel exclusion is a feature on the MX whereby the administrator can configure layer-3 (and some layer-7) rules to determine exceptions to a full-tunnel VPN configuration.


When configuring a VPN spoke, the administrator can choose which client traffic is sent to the hub: either only traffic destined for subnets that are part of the VPN, or all traffic that does not have a more specific route than the default route. This choice is made in Dashboard by checking the Default Route box for the desired hub on the Site-to-site VPN configuration page. On the MX-Z, this changes the default route from pointing through the uplink to pointing to the VPN hub.

In certain situations, an administrator wants most non-local traffic to exit to the Internet via the VPN hub, but wants specific traffic to exit locally, perhaps because the services being accessed are available locally much faster. VPN full-tunnel exclusion is meant to allow this. The configuration model is that the administrator configures rules that match the traffic that should exit locally.
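The egress decision described above can be modelled to check which flows a planned rule set would let exit locally instead of through the hub. This is an added example, not Meraki code or configuration syntax: the `ExclusionRule` fields, the `egress` function, the next-hop labels and the sample routes and rules are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ExclusionRule:
    """Hypothetical layer-3 rule: traffic matching it exits locally."""
    dest: str                    # destination CIDR
    protocol: str = "any"        # "tcp", "udp" or "any"
    port: Optional[int] = None   # None matches any port

    def matches(self, dst_ip, protocol, port):
        return (dst_ip in ipaddress.ip_network(self.dest)
                and self.protocol in ("any", protocol)
                and self.port in (None, port))

def egress(dst, protocol, port, specific_routes, exclusions):
    """Return where a spoke client flow leaves in a full-tunnel setup.

    specific_routes maps CIDR -> next-hop label for every route that is
    more specific than the default route (local VLANs, VPN subnets).
    """
    dst_ip = ipaddress.ip_address(dst)
    # 1. Longest-prefix match over routes more specific than the default.
    hits = [(ipaddress.ip_network(cidr), hop)
            for cidr, hop in specific_routes.items()
            if dst_ip in ipaddress.ip_network(cidr)]
    if hits:
        return max(hits, key=lambda h: h[0].prefixlen)[1]
    # 2. Only the default route is left: exclusion rules carve out the
    #    flows that should break out through the local uplink.
    if any(r.matches(dst_ip, protocol, port) for r in exclusions):
        return "local-uplink"
    # 3. Everything else follows the default route to the VPN hub.
    return "vpn-hub"

# Constructed sample data (private and documentation address ranges).
ROUTES = {"10.0.10.0/24": "local-vlan", "10.0.0.0/8": "vpn-hub"}
RULES = [ExclusionRule("203.0.113.0/24", "tcp", 443),
         ExclusionRule("198.51.100.53/32", "udp", 53)]

if __name__ == "__main__":
    for flow in [("10.0.10.5", "tcp", 445), ("10.20.1.1", "tcp", 22),
                 ("203.0.113.10", "tcp", 443), ("203.0.113.10", "tcp", 80)]:
        print(flow, "->", egress(*flow, ROUTES, RULES))
```

Running candidate flows through a model like this before requesting the change shows exactly which destinations, protocols and ports would leave through the local uplink rather than the hub.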



Article ID

ID: 6955
