VPN full-tunnel exclusion is a feature on the MX whereby the administrator can configure layer-3 (and some layer-7) rules to determine exceptions to a full-tunnel VPN configuration. This feature is also known as Local Internet Breakout in the industry. The feature applies to both AutoVPN and Non-Meraki VPN (NMVPN) connections.
When configuring a VPN spoke, the administrator chooses which client traffic is sent to the hub: either only traffic destined for subnets that participate in the VPN, or all traffic that has no route more specific than the default route. This choice is made in Dashboard by checking the Default Route box for the desired hub on the Site-to-site VPN configuration page, or by associating a default route with an NMVPN peer. On the MX or Z-series appliance, this changes the default route from pointing at the uplink to pointing at the VPN hub or NMVPN peer.
In some situations an administrator wants most non-local traffic to exit to the Internet via the VPN hub, but specific traffic to exit locally, perhaps because the services being accessed respond much faster from the local uplink. VPN full-tunnel exclusion exists for this. The configuration model is exception-based: rules match the traffic that should exit locally, and everything that matches no rule continues to follow the default route into the VPN.
Meraki AutoVPN support: This feature requires MX or Z3 devices running MX 15 or later firmware. Z1, MX60, MX60W, MX80, and MX90 devices are not supported because they cannot be upgraded to MX 15 firmware.
Non-Meraki VPN support: This feature requires MX or Z3 devices running MX 18.1 or later firmware. Z1, MX50, MX60, MX60W, MX70, MX80, MX90, MX400, and MX600 devices are not supported because they cannot be upgraded to MX 18.1 firmware.
Configuring VPN Exclusion Rules (IP/Port)
The L3 VPN Exclusion configuration is available under Security & SD-WAN > SD-WAN and Traffic Shaping.
The configuration option appears only if at least one of the following is true:
- The appliance is a spoke with at least one default route configured toward a hub, or
- The appliance is a hub that receives a default route from another hub via an advanced routing protocol, or
- The appliance is a hub with at least one exit hub configured.
By clicking on the Add+ button, the configuration wizard will pop up as shown below:
This wizard allows the configuration of IP-based rules. The protocol can be TCP, UDP, ICMP, or All. The destination can be a single IP address or a CIDR subnet. A destination port can be specified, or left as any.
Once the rules are configured, they appear in the Dashboard as shown below:
In the configuration shown above, all traffic is sent to the hub by default, except traffic to the listed destination IPs, on any port, which exits locally.
Configuring VPN Exclusion Rules (DNS Hostname)
To configure a DNS hostname rule, click the Add+ button and select DNS as the protocol. A field for the hostname then appears, as shown below:
Note: To create a wildcard that covers all subdomains of a domain (for example, every subdomain of 'google.com'), enter 'google.com' in the DNS hostname box. This creates a wildcard entry in the MX configuration for all subdomains of that domain. To exclude only specific subdomains, enter just those subdomains, for example 'mail.google.com'.
Note: If a flow to a domain that matches a DNS exclusion rule is active when the DNS record's TTL expires, the MX diverts that flow into the VPN instead of sending it out the WAN interface. Expect long-lived sessions to domains with short TTLs to move between paths; where the destination addresses are stable, an IP or CIDR rule avoids this behaviour.
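The matching model from the two sections above (IP/port rules, DNS hostname rules with wildcard subdomain matching, and the fall-back to the VPN when a DNS record's TTL expires), as an added example; this is constructed illustration code, not Meraki's implementation. Two things are assumptions rather than statements from this page: that the MX learns hostname-to-IP bindings from DNS answers it observes and expires them on TTL (modelled by `DnsCache`), and that the Dashboard API accepts these rules as the `custom` list of `PUT /networks/{networkId}/appliance/trafficShaping/vpnExclusions` (`to_dashboard_payload`). All names, addresses and TTLs below are constructed.

```python
# Offline model of MX full-tunnel exclusion matching (constructed example,
# not Meraki code). Rules are exceptions: a flow that matches a rule exits
# the local WAN, anything else follows the default route into the VPN.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

PROTOCOLS = {"tcp", "udp", "icmp", "any", "dns"}


@dataclass
class ExclusionRule:
    protocol: str        # tcp | udp | icmp | any, or dns for a hostname rule
    destination: str     # IP address or CIDR; a hostname when protocol is dns
    port: str = "any"    # "any" or a port number as a string (Dashboard style)

    def __post_init__(self) -> None:
        self.protocol = self.protocol.lower()
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if self.protocol == "dns":
            # Entering 'example.com' covers the domain and every subdomain.
            self.destination = self.destination.lower().rstrip(".")
        else:
            ipaddress.ip_network(self.destination, strict=False)  # validates
        if self.port != "any" and not 0 < int(self.port) < 65536:
            raise ValueError(f"bad port {self.port!r}")


def hostname_matches(rule_host: str, name: str) -> bool:
    """'example.com' matches itself and any subdomain; 'mail.example.com'
    matches only that host, because 'example.com' is not under it."""
    name = name.lower().rstrip(".")
    return name == rule_host or name.endswith("." + rule_host)


class DnsCache:
    """Assumption: the MX learns hostname-to-IP bindings from DNS answers it
    sees and honours the record TTL. Once the TTL expires the binding is
    forgotten, so an active flow to that IP no longer matches the DNS rule
    and falls back to the VPN. Times are seconds supplied by the caller."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, Tuple[str, float]] = {}

    def learn(self, hostname: str, ip: str, ttl: int, now: float) -> None:
        self._by_ip[ip] = (hostname.lower().rstrip("."), now + ttl)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self._by_ip.get(ip)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


@dataclass
class Flow:
    dst_ip: str
    protocol: str                  # tcp | udp | icmp
    dst_port: Optional[int] = None


def exit_path(flow: Flow, rules: List[ExclusionRule], cache: DnsCache,
              now: float) -> str:
    """Return 'local' if any exclusion rule matches the flow, else 'vpn'."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in rules:
        if rule.protocol == "dns":
            name = cache.lookup(flow.dst_ip, now)
            if name is not None and hostname_matches(rule.destination, name):
                return "local"
            continue
        if rule.protocol != "any" and rule.protocol != flow.protocol.lower():
            continue
        if dst not in ipaddress.ip_network(rule.destination, strict=False):
            continue
        if rule.port != "any" and int(rule.port) != flow.dst_port:
            continue
        return "local"
    return "vpn"


def to_dashboard_payload(rules: List[ExclusionRule]) -> dict:
    """Body shape assumed for the Dashboard API call
    PUT /networks/{networkId}/appliance/trafficShaping/vpnExclusions
    (an assumption from the public API reference, not stated on this page)."""
    return {"custom": [{"protocol": r.protocol, "destination": r.destination,
                        "port": r.port} for r in rules]}


if __name__ == "__main__":
    # Constructed rule set: a CIDR on any port, one TCP service, one domain.
    rules = [ExclusionRule("any", "203.0.113.0/24"),
             ExclusionRule("tcp", "198.51.100.10", "443"),
             ExclusionRule("dns", "example.com")]
    cache = DnsCache()
    cache.learn("www.example.com", "192.0.2.5", ttl=60, now=0)
    for t in (10, 61):   # before and after the 60 s TTL expires
        print(t, exit_path(Flow("192.0.2.5", "tcp", 443), rules, cache, t))
```

Running the block shows the same TCP 443 flow to 192.0.2.5 reported as `local` at t=10 and `vpn` at t=61, which is the TTL edge case from the note above; the IP/port rules are evaluated with protocol, prefix and port all required to match, and a rule with `port="any"` also covers ICMP flows that carry no port.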
Configuring Application Based VPN Exclusion Rules
Meraki MX supports L7 application-based Local Internet Breakout for the top SD-WAN applications. The following applications can be excluded from the full-tunnel VPN:
- Office 365 Suite
- Office 365 Sharepoint
- Skype & Teams
The requirements to use this feature in a network are:
- Meraki AutoVPN support: MX devices running MX 15 or later firmware
- Non-Meraki VPN support: MX devices running MX 18.1 or later firmware
- Minimum license type: Secure SD-WAN Plus
- All other requirements listed above for IP/hostname-based Local Internet Breakout
Note: Application based VPN exclusion rules are not supported on Z-Series units as they are not compatible with the Secure SD-WAN Plus license. For additional info on MX family features and license options, please refer to our Meraki MX Security and SD-WAN Licensing article.
Once a network meets these requirements, the option is available under Security & SD-WAN > SD-WAN and Traffic Shaping > Local Internet Breakout, as shown in the image below:
How does the update of the application endpoints work?
Meraki monitors the endpoint lists that these providers publish and update regularly, checking for changes periodically in the backend. When new endpoint information is found, the Meraki Dashboard updates its configuration automatically and pushes the change to all customer networks without administrator intervention. Because the excluded destinations are therefore maintained by the provider and change without a configuration action on your side, traffic matched by an application rule bypasses whatever inspection is performed at the hub; include networks with application exclusions enabled in routine configuration review.
Application rules do not cover the following cases:
A service (any of the applications listed above) hosted in a private datacenter: application rules match the provider's published public endpoints, so selecting the application does not exclude traffic to the privately hosted instance, even if that instance is also reachable from the public Internet. An IP/port or DNS hostname rule for the private instance is needed instead.
A service hosted privately on public cloud infrastructure, such as an email server running in Azure: selecting the application likewise does not exclude traffic to the hosted email server, even if the server is also reachable via the public Internet.