Cisco Meraki Documentation

VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)


Overview

VPN full-tunnel exclusion is a feature on the MX and some Z Series devices whereby the administrator can configure layer-3 (and some layer-7) rules to determine exceptions to a full-tunnel VPN configuration. This feature is also known as Local Internet Breakout in the industry. The feature applies to both AutoVPN and Non-Meraki VPN (NMVPN) connections.

When configuring a VPN spoke, the administrator chooses which client traffic is sent to the hub: either only traffic destined for subnets that are part of the VPN, or all traffic that has no route more specific than the default route. This choice is made in Dashboard by checking the Default Route box for the desired hub on the Site-to-site VPN configuration page, or by associating a default route with a Non-Meraki VPN peer. On the MX or Z device, this changes the default route from pointing at the uplink to pointing at the VPN hub or NMVPN peer.

Related articles: Site-to-site VPN overview; Non-Meraki VPN configuration

In certain situations, an administrator may want most non-local traffic to exit to the Internet via the VPN hub, while specific traffic exits locally, for example because the services being accessed respond much faster from the local uplink. VPN full-tunnel exclusion is meant to allow this. The configuration model is to define rules that match the traffic that should exit locally; everything else continues to follow the default route over the VPN.

Meraki AutoVPN support: This feature requires the Meraki MX and Z devices on MX 15+ series firmware. Z1, MX60, MX60W, MX80, and MX90 devices are not supported as they cannot upgrade to MX 15 firmware.

Non-Meraki VPN support: This feature requires the Meraki MX and Z devices on MX 18.1+ series firmware. Z1, MX50, MX60, MX60W, MX70, MX80, MX90, MX400, MX600 devices are not supported as they cannot upgrade to MX 18.1 firmware.

Traffic sourced from the MX itself will not adhere to VPN exclusion rules.

Configuring VPN Exclusion Rules (IP/Port)

The L3 VPN Exclusion configuration is available under Security & SD-WAN > SD-WAN and Traffic Shaping or Teleworker Gateway > Traffic Shaping.

The configuration option will appear only if the MX is in Routed/NAT mode and at least one of the following is true:

  • The spoke has at least one default route configured for a hub
  • A hub the spoke is connected to is configured with at least one eBGP peer
  • A hub has at least one exit hub configured

Local Internet Breakout

Clicking the Add+ button opens the configuration wizard, shown below:

VPN exclusion rules TCP

This wizard allows IP-based rules to be configured. The protocol can be TCP, UDP, ICMP or All. The destination can be a single IP address or a CIDR subnet. A destination port can also be defined, or it can be left as any.

Once the rules are configured they will appear in the dashboard as shown below:

VPN exclusion rules local breakout                 

The image above shows a set of configured rules: all traffic is sent to the hub by default, except traffic to the listed destination IPs, which exits locally on all ports.

Configuring VPN Exclusion Rules (DNS Hostname)

To configure a DNS hostname rule, click the Add+ button and select DNS as the protocol. Such a rule matches DNS queries sent over UDP port 53 and offers a field for the hostname (FQDN), as shown below:

Configuring VPN Exclusion DNS Hostname

If the MX does not observe an unencrypted UDP DNS response matching the FQDN, no exclusion is generated for the address(es) in that response. Responses carried over TCP, or over encrypted DNS (for example DNS over HTTPS or DNS over TLS), are not inspected and generate no tunnel exclusions; clients that resolve names that way continue to reach the service over the tunnel.

The exclusion is added for the duration of the DNS TTL in the response. When it expires, further traffic to that address is diverted over the tunnel again instead of exiting via the WAN interface, until another matching unencrypted DNS response is observed.

Note: To match a domain and all of its subdomains (for example, every subdomain of 'google.com'), simply enter 'google.com' in the DNS hostname field; this creates a wildcard entry in the MX configuration for all subdomains of that domain. To exclude only specific subdomains, enter those names instead, for example 'mail.google.com'.
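To make the matching behaviour of the IP/port rules and the DNS hostname rules concrete, here is an added Python model, written for this page and not Meraki code, of how a spoke decides between local breakout and the tunnel. The rule fields mirror the wizard (protocol, destination IP or CIDR, port; a hostname for DNS rules). The ExclusionTable class, its table of learned addresses and the "local"/"tunnel" labels are illustrative assumptions, and the sample policy and DNS answers are constructed. It shows the three behaviours the text describes: a learned exclusion lasts only for the answer's TTL, a wildcard hostname covers subdomains but not look-alike names, and TCP or encrypted DNS answers create nothing, so those clients stay on the tunnel. Note that learned exclusions are created from whatever addresses appear in a matching answer, which is one reason to keep hostname rules as specific as the traffic requires.

```python
"""Model of how an MX chooses a path for a flow under VPN exclusion rules.

Added example written for this page, not Meraki code. It models the behaviour
the page describes: static L3 rules (protocol, destination IP/CIDR, port) and
DNS-hostname rules whose exclusions are learned only from plaintext UDP/53
responses and live for the answer's TTL. Rule and packet shapes, and the
'local' / 'tunnel' labels, are illustrative assumptions.
"""
from dataclasses import dataclass, field
import ipaddress
import time


@dataclass
class L3Rule:
    protocol: str           # "tcp", "udp", "icmp" or "any"
    destination: str        # single IP or CIDR, e.g. "203.0.113.0/24"
    port: str = "any"       # "any" or a port number as a string

    def matches(self, proto, dst_ip, dst_port):
        if self.protocol != "any" and self.protocol != proto:
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination, strict=False):
            return False
        return self.port == "any" or (dst_port is not None and int(self.port) == dst_port)


@dataclass
class DnsRule:
    hostname: str           # "example.com" also covers every subdomain

    def matches(self, qname):
        q, h = qname.lower().rstrip("."), self.hostname.lower().rstrip(".")
        return q == h or q.endswith("." + h)


@dataclass
class ExclusionTable:
    l3_rules: list
    dns_rules: list
    learned: dict = field(default_factory=dict)   # dst IP -> expiry (epoch seconds)

    def observe_dns_response(self, qname, answers, ttl, transport="udp",
                             encrypted=False, now=None):
        """Learn exclusions from a DNS response passing through the MX.

        Only a plaintext UDP/53 response creates entries; TCP or encrypted
        (DoH/DoT) answers are invisible to the rule and create nothing, so
        such clients keep using the tunnel. Returns the IPs excluded."""
        now = time.time() if now is None else now
        if transport != "udp" or encrypted:
            return []
        if not any(r.matches(qname) for r in self.dns_rules):
            return []
        for ip in answers:
            self.learned[ip] = now + ttl
        return list(answers)

    def path_for(self, proto, dst_ip, dst_port=None, now=None):
        """Return "local" (breakout via WAN) or "tunnel" (default route to hub)."""
        now = time.time() if now is None else now
        if any(r.matches(proto, dst_ip, dst_port) for r in self.l3_rules):
            return "local"
        expiry = self.learned.get(dst_ip)
        if expiry is not None:
            if now < expiry:
                return "local"
            del self.learned[dst_ip]          # TTL expired: back over the tunnel
        return "tunnel"


if __name__ == "__main__":
    # Constructed sample policy: break out a local /24, one TCP/443 host,
    # and anything resolved under example.com.
    table = ExclusionTable(
        l3_rules=[L3Rule("any", "203.0.113.0/24"), L3Rule("tcp", "198.51.100.7", "443")],
        dns_rules=[DnsRule("example.com")],
    )
    print(table.path_for("tcp", "198.51.100.7", 443))          # local
    print(table.path_for("tcp", "198.51.100.7", 80))           # tunnel (port mismatch)
    table.observe_dns_response("www.example.com", ["192.0.2.10"], ttl=60, now=1000)
    print(table.path_for("tcp", "192.0.2.10", 443, now=1030))  # local (within TTL)
    print(table.path_for("tcp", "192.0.2.10", 443, now=1061))  # tunnel (TTL expired)
```

The model keeps static rules and learned addresses separate because they behave differently: a static rule is permanent and matches on protocol and port, while a learned address is a bare IP with an expiry, so a host that stops resolving an excluded name simply falls back to the tunnel when the TTL runs out.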

Configuring Application Based VPN Exclusion Rules 

Meraki MX/Z supports L7 Application based Local Internet Breakout for the top SD-WAN Applications. The following is the list of applications that can be excluded from the full tunnel VPN.

  • Office 365 Suite

  • Office 365 Sharepoint

  • Skype & Teams

  • Webex

  • Zoom

  • Box

  • SalesForce

  • SAP

  • Oracle

  • AWS

Requirements:

The following are the requirements to utilize this feature in a network:

  • Meraki AutoVPN support: This feature requires the Meraki MX on MX 15+ series firmware

  • Non-Meraki VPN support: This feature requires the Meraki MX on MX 18.1+ series firmware 

  • Minimum License Type: Secure SD-WAN Plus or Advance Teleworker

  • All other requirements listed for IP/URL based Local Internet Breakout

Note: Application-based VPN exclusion rules are only supported on MX devices with a Secure SD-WAN Plus license or Z Series devices with a Secure Teleworker license.

For additional info on MX/Z family features and license options, please refer to our Meraki MX Security and SD-WAN Licensing article.

Configuration options:

Once a network qualifies the requirements, the option will be available under Security & SD-WAN  > SD-WAN & Traffic Shaping > Local Internet Breakout or Teleworker Gateway > Traffic Shaping > Local Internet Breakout as shown in the image below:

Local internet breakout exclusion rules

 

How does the update of the application endpoints work?

Providers that publish and regularly update their endpoint lists are monitored by Meraki in the backend. When new endpoint information is found, Dashboard updates the application definitions automatically and pushes the change to all customers' configurations without administrator intervention.

Scenario Considerations:

  1. A service (any of the applications listed above) hosted in a private data center: the application definitions cover the provider's public endpoints, so selecting the application alone will not exclude traffic to the privately hosted instance, even if that instance is also reachable from the public Internet. Use an IP/port or DNS hostname exclusion rule for its addresses instead.

  2. A service hosted privately on public cloud infrastructure, such as an email server in Azure: selecting an application will likewise not exclude traffic to the hosted server, even if it is also reachable via the public Internet, because its addresses are not part of the provider's published endpoint list.

VPN Exclusion API

VPN exclusions can also be configured via the Dashboard API. The GET endpoint retrieves the VPN exclusions configured for every network in an organization, and the PUT endpoint configures the exclusions for a network. See the API documentation for details.
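The API workflow, as an added example that is not part of this page or of Meraki's SDK: it builds and validates a custom exclusion list, diffs it against a network's current exclusions so the change can be reviewed, and prepares the PUT. The endpoint path (PUT /networks/{networkId}/appliance/trafficShaping/vpnExclusions), the protocol values (any, tcp, udp, icmp, dns) and the payload fields custom[].protocol/destination/port and majorApplications[].id/name follow the public Meraki API reference but are treated as assumptions here; confirm them against the API docs for your release. The network ID, application ID and rules in the usage are constructed.

```python
"""Build, validate and review a VPN exclusion payload for the Meraki Dashboard API.

Added example, not Meraki's SDK. Endpoint path, protocol values and payload field
names follow the public API reference but are assumptions here; confirm them
against the current API docs. Nothing is sent unless api_key is supplied.
"""
import ipaddress
import json
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"        # assumption: API v1 base URL
PROTOCOLS = ("any", "tcp", "udp", "icmp", "dns")  # assumption: values from API docs


def custom_rule(protocol, destination, port="any"):
    """Return one validated custom rule (L3 IP/port or DNS hostname)."""
    protocol = protocol.lower()
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if protocol == "dns":
        # DNS rules take an FQDN; 'example.com' also covers all its subdomains,
        # so prefer the most specific name the traffic needs.
        labels = destination.rstrip(".").split(".")
        if len(labels) < 2 or not all(l and l.replace("-", "").isalnum() for l in labels):
            raise ValueError(f"not a hostname: {destination!r}")
        return {"protocol": "dns", "destination": destination, "port": "any"}
    # Strict parsing: '203.0.113.5/24' is rejected rather than silently widened
    # to the whole /24, which would exclude more traffic than intended.
    ipaddress.ip_network(destination)
    if protocol == "icmp" and port != "any":
        raise ValueError("ICMP rules have no port")
    if port != "any" and not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    return {"protocol": protocol, "destination": destination, "port": str(port)}


def build_payload(custom_rules, major_applications=()):
    """Assemble the PUT body; duplicate custom rules are dropped, order kept."""
    seen, custom = set(), []
    for rule in custom_rules:
        key = (rule["protocol"], rule["destination"], rule["port"])
        if key not in seen:
            seen.add(key)
            custom.append(rule)
    apps = [{"id": app_id, "name": name} for app_id, name in major_applications]
    return {"custom": custom, "majorApplications": apps}


def diff_exclusions(current, desired):
    """Return (added, removed) custom rules between the live config and the new payload.

    Review both lists before pushing: a removed rule sends that traffic back
    through the hub, an added rule sends it around whatever inspection the hub does."""
    key = lambda r: (r["protocol"], r["destination"], r["port"])
    cur = {key(r): r for r in current.get("custom", [])}
    new = {key(r): r for r in desired.get("custom", [])}
    return ([new[k] for k in new if k not in cur],
            [cur[k] for k in cur if k not in new])


def push_vpn_exclusions(network_id, payload, api_key=None):
    """PUT the payload for one network; with api_key=None the prepared request is returned."""
    url = f"{BASE_URL}/networks/{network_id}/appliance/trafficShaping/vpnExclusions"
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    if api_key is None:
        return req                                   # dry run for review
    req.add_header("Authorization", f"Bearer {api_key}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed example: the live config has one rule; the desired config adds a
    # DNS rule and an application. The app ID format is an assumption from the docs.
    live = {"custom": [custom_rule("tcp", "198.51.100.7", 443)]}
    wanted = build_payload(
        [custom_rule("tcp", "198.51.100.7", 443), custom_rule("dns", "mail.example.com")],
        [("meraki:vpnExclusion/application/2", "Office 365 Sharepoint")])
    added, removed = diff_exclusions(live, wanted)
    print("added:", added, "removed:", removed)
    req = push_vpn_exclusions("N_123456", wanted)      # dry run, nothing sent
    print(req.get_method(), req.full_url)
```

Because the PUT replaces the whole exclusion list for the network, the diff step matters: fetch the current exclusions first, compute what the new payload adds and removes, and have the removals reviewed with the same care as the additions before the request is sent.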