Source-Based Default Routing allows the MX Appliance to fit within more complex and demanding network topologies while giving administrators the simplicity of the dashboard.
Source-Based Default Routing is a per-VLAN default route feature. It is supported on the MX security appliance when running MX 15.4 firmware or higher. This feature enables an administrator to create a source-based default route and specify a next-hop as a security appliance over AutoVPN or on a device on the LAN.
There are two types of source-based default routes. The only difference between a LAN and a VPN source-based default route is the next hop:
i. LAN source-based default route
ii. VPN source-based default route
LAN source-based default route - The next hop of a LAN source-based default route is on the LAN side of the MX security appliance. The next-hop IP must already be known to the security appliance on the LAN side, either through a VLAN or a static route.
VPN source-based default route - The next hop of a VPN source-based default route is an MX security appliance on another network in the same dashboard Organization. This option is only available if the source subnet is participating in AutoVPN.
Note: The term default route means that a source-based default route will not force all traffic to the configured next hop. It only forwards traffic for destinations that are not otherwise known in the routing table.
Note: This option cannot be configured if only a single VLAN is in use.
A simple use case is segmentation. With source-based default routing, a default route can be configured per VLAN (for example, a Guest VLAN) with the next hop set to another MX security appliance over Meraki AutoVPN or to a gateway device on the LAN.
This feature requires running MX 15.4 firmware or higher.
To configure source-based default routes, navigate to Dashboard > Security & SD-WAN > Addressing & VLANs.
Click Add source-based route.
Example I - LAN source-based default routing
In the example above, a LAN source-based default route was added for VLAN 1 with the next hop set to 192.168.1.250.
The MX security appliance will use 192.168.1.250 as the new default route for traffic sourced from VLAN 1. If the next hop (192.168.1.250) stops responding to pings, the MX security appliance will fall back to the global default route.
Example II - VPN source-based default routing
In the example above, a VPN source-based default route is created for VLAN 1 with the next hop set to the Boston network's security appliance. This MX security appliance will use the Boston security appliance as the new default route for traffic sourced from VLAN 1.
Note: You can only add VPN-based default routes for subnets that are participating in Meraki AutoVPN.
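The following is an added example, not Meraki code or dashboard configuration: a small Python model of the forwarding decision described above (a known destination is never overridden, an unknown destination from a VLAN with a source-based default route goes to that next hop while it is reachable, and everything else falls back to the global default route). It also applies the configuration rules from both examples: a LAN next hop must be known via a VLAN or static route, a VPN next hop requires the source VLAN to participate in AutoVPN, and the feature is rejected with a single VLAN. The class and function names, the "wan:uplink1"/"vlan:"/"lan:"/"vpn:" next-hop labels, the reachability set used to stand in for ping tracking, and the sample VLANs and addresses are all constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    """One entry in the routing table (constructed model, not Meraki's)."""
    prefix: IPv4Network
    next_hop: str  # e.g. "vlan:10" for a connected VLAN, "lan:192.168.10.254" for a static route


@dataclass(frozen=True)
class SourceBasedDefaultRoute:
    vlan_id: int
    kind: str        # "LAN" or "VPN"
    next_hop: str    # LAN: next-hop IP on the LAN; VPN: name of the remote MX's network
    tracked: bool = True  # if tracked, the route is active only while the next hop answers pings


class MxRouter:
    """Constructed model of per-VLAN default routing on an MX (assumed names)."""

    def __init__(self, vlans, global_default="wan:uplink1", autovpn_vlans=()):
        self.vlans = {vid: ip_network(net) for vid, net in vlans.items()}
        self.global_default = global_default          # where unknown traffic goes by default
        self.autovpn_vlans = set(autovpn_vlans)       # VLANs advertised into AutoVPN
        self.routes = [Route(net, f"vlan:{vid}") for vid, net in self.vlans.items()]
        self.sbdr = {}                                # vlan_id -> SourceBasedDefaultRoute
        self.reachable = set()                        # next hops currently answering pings

    def _vlan_of(self, ip):
        for vid, net in self.vlans.items():
            if ip in net:
                return vid
        return None

    def _known_on_lan(self, ip):
        # A LAN next hop must be covered by a VLAN or a static route already in the table.
        return any(ip_address(ip) in r.prefix for r in self.routes)

    def add_static_route(self, prefix, next_hop_ip):
        hop = ip_address(next_hop_ip)
        if self._vlan_of(hop) is None:
            raise ValueError(f"static next hop {hop} is not on a directly connected VLAN")
        self.routes.append(Route(ip_network(prefix), f"lan:{hop}"))

    def add_source_based_default_route(self, r):
        if len(self.vlans) < 2:
            raise ValueError("source-based default routes require more than one VLAN")
        if r.vlan_id not in self.vlans:
            raise ValueError(f"VLAN {r.vlan_id} does not exist")
        if r.kind == "LAN":
            if not self._known_on_lan(r.next_hop):
                raise ValueError(f"LAN next hop {r.next_hop} is not known via a VLAN or static route")
        elif r.kind == "VPN":
            if r.vlan_id not in self.autovpn_vlans:
                raise ValueError(f"VLAN {r.vlan_id} is not participating in AutoVPN")
        else:
            raise ValueError("kind must be 'LAN' or 'VPN'")
        self.sbdr[r.vlan_id] = r

    def set_reachable(self, next_hop, up):
        """Stand-in for next-hop ping tracking: mark a next hop up or down."""
        if up:
            self.reachable.add(next_hop)
        else:
            self.reachable.discard(next_hop)

    def lookup(self, src_ip, dst_ip):
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        # 1. Known destination: longest prefix match wins and is never overridden.
        best = max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        if best is not None:
            return best.next_hop
        # 2. Unknown destination: use the source VLAN's default route if configured and active.
        r = self.sbdr.get(self._vlan_of(src))
        if r is not None and (not r.tracked or r.next_hop in self.reachable):
            return f"{r.kind.lower()}:{r.next_hop}"
        # 3. Otherwise fall back to the global default route.
        return self.global_default
```

Reproducing Example I with this model: VLAN 1 hosts with an unknown destination are sent to lan:192.168.1.250 while that address answers pings, traffic to a subnet reached by a static route still follows the static route, and once 192.168.1.250 is marked down the same flow returns wan:uplink1. Reproducing Example II: a VPN route for VLAN 1 is accepted only because VLAN 1 is in the AutoVPN set, and the same request for a VLAN that is not participating raises an error.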
To verify traffic flow, take packet captures. Verify that the MX security appliance has an ARP entry for the next hop. If you are tracking your source-based default route, ensure the next hop responds to pings; otherwise the route will not be active.