Source Based Default Routing
Source-Based Default Routing allows the MX Appliance to fit within more complex and demanding network topologies while giving administrators the simplicity of the dashboard.
Feature
Source-Based Default Routing is a per-VLAN default route feature. It is supported on the MX security appliance when running MX 15.4 firmware or higher. It lets an administrator create a source-based default route and specify as its next hop either another security appliance reachable over AutoVPN or a device on the LAN.
There are two types of source-based default routes. The only difference between a LAN and a VPN source-based default route is the next hop:
i. LAN source-based default route
ii. VPN source-based default route
LAN source-based default route - The next hop of a LAN source-based default route is on the LAN side of the MX security appliance. The next-hop IP must already be known to the security appliance on the LAN side, either through a configured VLAN or through a static route.
VPN source-based default route - The next hop of a VPN source-based default route is an MX security appliance on another network within the same dashboard Organization. Use this option if the source subnet is participating in AutoVPN.
Note: The term "default route" means that a source-based default route does not force all traffic to the configured next hop. It forwards only traffic whose destination is not already known in the appliance's routing table.
Note: This option cannot be configured if the appliance is using a single VLAN.
Note: Pings sourced from the VLAN specified in the source-based default routing configuration do not follow the source-based route. To properly test source-based default routing, source the ping from an internal client on that VLAN.
Use Case
A simple use case is segmentation. With source-based default routing, a default route can be configured per VLAN (for example, for a Guest VLAN) with the next hop set to another MX security appliance over Meraki AutoVPN or to a gateway device on the LAN.
Prerequisites
This feature requires running MX 15.4 firmware or higher.
Configuration
To configure source-based default routes, navigate to Security & SD-WAN > Configure > Addressing & VLANs.
Click on Add source-based route.
Example I - LAN source-based default routing
In the example above, a LAN source-based default route was added for VLAN 1 with the next hop set to 192.168.1.250.
The MX security appliance will make 192.168.1.250 the new default route for traffic sourced from VLAN 1. If the next hop (192.168.1.250) stops responding to pings, the MX security appliance falls back to the global default route for that traffic.
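The forwarding decision described in the Feature section and in this example (a known route always wins, the source VLAN's default route is used only for unknown destinations, and a tracked LAN next hop that stops answering pings drops back to the global default) is easy to get wrong when reasoning about a design. The model below is an added example, not Meraki code and not an MX configuration export: it uses constructed VLANs, a constructed static route and hypothetical next-hop labels to show the precedence order.

```python
import ipaddress

# Constructed example topology (hypothetical addresses, not the page's own network):
# two VLANs on one MX, one static route, and one source-based default route per VLAN.
# Next hops are plain labels so the model runs offline.
GLOBAL_DEFAULT = "global default route (WAN uplink)"

VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    10: ipaddress.ip_network("192.168.10.0/24"),
}

# Routes the appliance already knows: the directly connected VLANs plus a static route.
KNOWN_ROUTES = [(net, f"VLAN {vid} (connected)") for vid, net in VLAN_SUBNETS.items()]
KNOWN_ROUTES.append((ipaddress.ip_network("10.50.0.0/16"), "static route via 192.168.10.1"))

# Source-based default routes keyed by source VLAN id.
# LAN type: the next hop is a gateway IP on the LAN side, tracked with pings.
# VPN type: the next hop is a peer MX reached over AutoVPN.
SOURCE_DEFAULT_ROUTES = {
    1: {"type": "LAN", "next_hop": "192.168.1.250"},
    10: {"type": "VPN", "next_hop": "Boston MX (AutoVPN peer)"},
}


def vlan_for_source(src_ip):
    """Return the VLAN id whose subnet contains src_ip, or None if no VLAN matches."""
    addr = ipaddress.ip_address(src_ip)
    for vid, net in VLAN_SUBNETS.items():
        if addr in net:
            return vid
    return None


def lookup_known_route(dst_ip):
    """Longest-prefix match against the routes the appliance already knows."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, next_hop in KNOWN_ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def select_next_hop(src_ip, dst_ip, ping_ok):
    """Decide where a packet from src_ip to dst_ip is forwarded.

    ping_ok is the set of LAN next-hop IPs currently answering the tracker pings.
    Precedence, as the page describes it:
      1. a known route (connected or static) always wins; the source-based default
         route only handles destinations the routing table does not know;
      2. the source VLAN's default route, if one is configured and (for the LAN type)
         its next hop is still answering pings;
      3. otherwise the global default route.
    The page describes ping tracking only for a LAN next hop, so the VPN peer is
    treated as reachable in this model (an assumption of the example).
    """
    known = lookup_known_route(dst_ip)
    if known is not None:
        return known
    route = SOURCE_DEFAULT_ROUTES.get(vlan_for_source(src_ip))
    if route is None:
        return GLOBAL_DEFAULT
    if route["type"] == "LAN" and route["next_hop"] not in ping_ok:
        # Tracked LAN next hop stopped responding: fall back to the global default.
        return GLOBAL_DEFAULT
    return route["next_hop"]


if __name__ == "__main__":
    up = {"192.168.1.250"}
    print(select_next_hop("192.168.1.20", "203.0.113.7", up))     # 192.168.1.250
    print(select_next_hop("192.168.1.20", "203.0.113.7", set()))  # global default route (WAN uplink)
    print(select_next_hop("192.168.1.20", "10.50.3.4", up))       # static route via 192.168.10.1
    print(select_next_hop("192.168.10.5", "203.0.113.7", up))     # Boston MX (AutoVPN peer)
```

The third call is the case the "default route" note warns about: a destination covered by a static route is sent to that route's gateway even though VLAN 1 has its own default next hop. The second call shows the tracker fallback from Example I, which is why the Troubleshooting section insists that the next hop keep answering pings.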
Example II - VPN source-based default routing
In the example above, a VPN source-based default route is created for VLAN 1 with the next hop set to the security appliance in the Boston network. This MX security appliance will use the Boston security appliance as the new default route for traffic sourced from VLAN 1.
Note: You can only add VPN based default routes for subnets that are participating in Meraki AutoVPN.
Troubleshooting
Take packet captures to verify the traffic flow. Verify that the MX security appliance has an ARP entry for the next hop. If you are tracking your source-based default route, ensure the next hop responds to pings; otherwise the route will not be active.