Cisco Meraki Documentation

Source Based Default Routing

Source-Based Default Routing allows the MX Appliance to fit within more complex and demanding network topologies while giving administrators the simplicity of the dashboard.

Feature

Source-Based Default Routing is a per-VLAN default route feature. It is supported on the MX security appliance when running MX 15.4 firmware or higher. This feature enables an administrator to create a source-based default route and specify as its next hop either a security appliance reachable over AutoVPN or a device on the LAN.

There are two types of source-based default routes. The only difference between LAN and VPN source-based default routes is the next hop.

i. LAN based default route

ii. VPN based default route

LAN source-based default route - The next hop of a LAN source-based default route is on the LAN side of the MX security appliance. The next-hop IP is known to the security appliance on the LAN side either through a configured VLAN or a static route.

VPN source-based default route - The next hop of a VPN source-based default route is an MX security appliance on another network within the same dashboard Organization. Use this option if the source subnet is participating in AutoVPN.

Note: The keyword "default route" means that a source-based default route will not force all traffic to the configured next hop. It only forwards traffic for destinations that are unknown in the routing table.

Note: This option cannot be configured when the appliance is using a single VLAN.

Note: Pings sourced from the VLAN specified within the source-based default routing configuration do not adhere to routing policies. In order to properly test source-based default routing, the ping must be sourced from an internal client.

Use Case

A simple use case is segmentation. With source-based default routing, a default route can be configured per VLAN (for example, a Guest VLAN) with a next hop of another MX security appliance over Meraki AutoVPN or a gateway device on the LAN.

Prerequisites

This feature requires running MX 15.4 firmware or higher.

Configuration

To configure source-based default routes, navigate to Security & SD-WAN > Configure > Addressing & VLANs.

Click on Add source-based route.

Example I - LAN source-based routing

Screenshot of a dashboard configuration for a LAN source-based default route. A next hop IP is specified and Active is set to While next hop responds to ping.

In the example above, a LAN source-based default route was added for VLAN 1 with the next hop set to 192.168.1.250.

The MX security appliance will make 192.168.1.250 the new default route for VLAN 1. If the next hop (192.168.1.250) stops responding to pings, the MX security appliance will fall back to the global default route.
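The lookup order the notes above and this example describe (known routes first, then the source VLAN's tracked default, then the global default; appliance-originated pings ignore the policy) is easy to misread, so here is an added model of it in Python. This is illustration code written for this article, not Meraki firmware or API code; the routing table, VLAN numbers, next-hop values and the "reachable" tracking state are all constructed.

```python
"""Model of per-VLAN (source-based) default routing with next-hop tracking.

Constructed illustration: the routes, VLANs and tracking results below are
made up to show the lookup order described in the article.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SourceBasedDefault:
    vlan_id: int
    next_hop: str            # LAN gateway IP (or, for VPN routes, the peer MX)
    tracked: bool = True     # "Active: While next hop responds to ping"
    reachable: bool = True   # last tracking (ping) result, constructed state


@dataclass
class Router:
    # Known routes: connected VLAN subnets and static routes (constructed)
    routes: dict = field(default_factory=dict)
    global_default: str = "WAN uplink"
    source_defaults: dict = field(default_factory=dict)

    def lookup(self, src_vlan: Optional[int], dst: str) -> str:
        """Next hop for a packet from src_vlan; None = originated by the appliance."""
        dst_ip = ip_address(dst)
        # 1. Longest-prefix match on known routes always wins: a source-based
        #    default never overrides a destination already in the table.
        matches = [(net, nh) for net, nh in self.routes.items() if dst_ip in net]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        # 2. Unknown destination: use the source VLAN's default route if its
        #    next hop is untracked or currently reachable. Appliance-sourced
        #    traffic (src_vlan None) does not follow the policy, which is why
        #    a test ping must come from an internal client.
        sbr = self.source_defaults.get(src_vlan) if src_vlan is not None else None
        if sbr is not None and (not sbr.tracked or sbr.reachable):
            return sbr.next_hop
        # 3. Otherwise fall back to the global default route.
        return self.global_default


def build_example() -> Router:
    """Constructed topology mirroring Example I: VLAN 1 defaults to 192.168.1.250."""
    return Router(
        routes={
            ip_network("192.168.1.0/24"): "connected VLAN 1",
            ip_network("192.168.10.0/24"): "connected VLAN 10",
            ip_network("10.50.0.0/16"): "static route via 192.168.10.254",
        },
        global_default="WAN uplink",
        source_defaults={1: SourceBasedDefault(vlan_id=1, next_hop="192.168.1.250")},
    )


def demo() -> dict:
    """Run representative lookups and return the chosen next hops."""
    r = build_example()
    out = {
        "vlan1_to_internet": r.lookup(1, "203.0.113.10"),      # 192.168.1.250
        "vlan1_to_vlan10": r.lookup(1, "192.168.10.5"),        # connected VLAN 10
        "vlan1_to_static": r.lookup(1, "10.50.1.1"),           # static route
        "vlan10_to_internet": r.lookup(10, "203.0.113.10"),    # WAN uplink
        "appliance_to_internet": r.lookup(None, "203.0.113.10"),  # WAN uplink
    }
    r.source_defaults[1].reachable = False  # tracked next hop stops answering
    out["vlan1_to_internet_nexthop_down"] = r.lookup(1, "203.0.113.10")  # WAN uplink
    return out


if __name__ == "__main__":
    for name, nh in demo().items():
        print(f"{name:34s} -> {nh}")
```

The point to take from the run: inter-VLAN and static-route destinations from VLAN 1 are unaffected by the source-based default, only truly unknown destinations go to 192.168.1.250, and once tracking marks that next hop down the same flows silently revert to the WAN uplink, so a failed tracking ping is the first thing to check when the route appears to be ignored.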

Example II - VPN source-based default routing

Screenshot of a dashboard configuration for a VPN source-based default route. A next hop VPN peer is specified and Active is set to While next hop responds to ping.

In the example above, a VPN source-based default route is being created for VLAN 1 with the next hop set to the Boston network's security appliance. This MX security appliance will use the Boston security appliance as the new default route for traffic sourced from VLAN 1.

Note: You can only add VPN based default routes for subnets that are participating in Meraki AutoVPN.

Troubleshooting

Take packet captures to verify traffic flow. Verify that the MX security appliance has an ARP entry for the next hop. If you are tracking your source-based default route, ensure the next hop responds to pings; otherwise the route will not be active.