Home > Security and SD-WAN > Networks and Routing > Source Based Default Routing

Source Based Default Routing

Source-Based Default Routing allows the MX Appliance to fit within more complex and demanding network topologies while giving administrators the simplicity of the dashboard.


Source-Based Default Routing is a per-VLAN default route feature. It is supported on the MX security appliance when running MX 15.4 firmware or higher. This feature enables an administrator to create a source-based default route and specify a next-hop as a security appliance over AutoVPN or on a device on the LAN.


There are two types of source based default routes. The only difference between a LAN and VPN source-based default routes is the next hop.

i. LAN based default route

ii. VPN based default route


LAN source based default route - The next hop of a LAN source-based default route is on the LAN side of the MX security appliance. The next-hop IP is known to the security appliance on the LAN side either by a VLAN or a static route.


VPN source based default route - The next-hop of a VPN source-based default route is an MX security appliance on another network with the same dashboard Organization. This option if the source subnet is participating in AutoVPN.


Please note the key word default route, this means that a source-based default route, will not force all traffic to a configured next hop. It will only forward traffic for destinations that are unknown in its routing table.

Use Case

A simple use case is segmentation. With Source-based default routing, a default route per VLAN can be configured, (for example, Guest VLAN) with a next-hop as another MX security appliance over Meraki AutoVPN or a gateway device on the LAN.


This feature requires running MX 15.4 firmware or higher.


To configure Source-based default routes, navigate to Dashboard > Security & SD-WAN > Addressing & VLANs



Click on add source-based route


Example I - LAN source based routing



In the example above a LAN source-based default route was added for VLAN 1 with next hop set as 


The MX security appliance will make the new default route for VLAN 1. If the next hop ( stops responding to pings the MX security appliance will default to the global default route.


Example II - VPN sourced-based default routing



In the example above a VPN source-based default route is being created for VLAN 1 with next hop set to the Boston’s network security appliance. This MX security appliance will use the Boston security appliance as the new default route for traffic sourced from VLAN 1.


Note: You can only add VPN based default routes for subnets that are participating in Meraki AutoVPN. 



Take packet captures to verify traffic flow. Verify the MX security appliance has an ARP entry for the next-hop. If you are tracking your source based default route, ensure the next-hop responds to pings else the route will not be active.

Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 8682

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community