VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)
Click 日本語 for Japanese
Overview
VPN full-tunnel exclusion is a feature on the MX and some Z Series devices whereby the administrator can configure layer-3 (and some layer-7) rules to determine exceptions to a full-tunnel VPN configuration. This feature is also known as Local Internet Breakout in the industry. The feature applies to both AutoVPN and Non-Meraki VPN (NMVPN) connections.
When configuring a VPN spoke, the administrator can choose what client traffic is sent to the hub: either only traffic destined for subnets that are part of the VPN or all traffic that does not have a more specific route than the default route. This choice is made in Dashboard by checking the Default Route box for the desired hub on the Site-to-site VPN configuration page or by having a NMVPN VPN with a default route associated. On the MX-Z, this changes the default route from pointing to the uplink to pointing to the VPN hub or NMVPN peer.
In certain situations, an administrator may want most non-local traffic to exit to the Internet via the VPN hub, but there is specific traffic that is desired to exit locally, perhaps because the services being accessed are available locally much faster. VPN full-tunnel exclusion is meant to allow this. The configuration model is that one would configure rules to match the traffic that should exit locally.
Meraki AutoVPN support: This feature requires the Meraki MX and Z devices on MX 15+ series firmware. Z1, MX60, MX60W, MX80, and MX90 devices are not supported as they cannot upgrade to MX 15 firmware.
Non-Meraki VPN support: This feature requires the Meraki MX and Z devices on MX 18.1+ series firmware. Z1, MX50, MX60, MX60W, MX70, MX80, MX90, MX400, MX600 devices are not supported as they cannot upgrade to MX 18.1 firmware.
Traffic sourced from the MX itself will not adhere to VPN exclusion rules.
Configuring VPN Exclusion Rules (IP/Port)
The L3 VPN Exclusion configuration is available under Security & SD-WAN > SD-WAN and Traffic Shaping or Teleworker Gateway > Traffic Shaping.
The option is available in networks where at least one of the following configurations is present:
- The network is a spoke and has at least one default route configured for a hub.
- A hub the spoke in question is connected to is configured with at least one eBGP peer.
- The network is a hub with at least one exit hub configured.
- The network has a Non-Meraki VPN tunnel with a default (0.0.0.0/0) route configured, and the MX is in Routed/NAT mode, and the MX is running firmware 18.1 or newer.
By clicking on the Add+ button, the configuration wizard will pop up as shown below:
This wizard will allow for the configuration of IP based rules. The protocol can be selected as TCP / UDP / ICMP or All. The destination can be a single IP address or CIDR/subnet. A destination port can also be defined or it can be set as any.
Once the rules are configured they will appear in the dashboard as shown below:
The above image shows configured rules which means that all the traffic is sent to the hub by default except for the above-mentioned destination IPs for all the ports.
Configuring VPN Exclusion Rules (DNS Hostname)
To configure the DNS hostname, simply click on the Add+ button and select the protocol as DNS. This will match DNS queries sent over UDP port 53 and will give the option to configure the URL that will be excluded as shown below:
Encrypted DNS (eDNS) or TCP DNS query responses will not generate tunnel exclusions. If an MX does not observe an unencrypted UDP DNS query response matching the FQDN, then an exclusion for the IP address(es) in the DNS query response will not be generated.
Any other DNS query response gets added to the VPN exclusion. Keep in mind that the DNS hostname will be in exclusion for as long as the DNS query response TTL; i.e.: the exclusion will be valid for the duration of the DNS TTL, after that, it expires and further traffic will be diverted over the tunnel instead of its WAN interface.
Configuring Application Based VPN Exclusion Rules
Meraki MX/Z supports L7 Application based Local Internet Breakout for the top SD-WAN Applications. The following is the list of applications that can be excluded from the full tunnel VPN.
-
Office 365 Suite
-
Office 365 Sharepoint
-
Skype & Teams
-
Webex
-
Zoom
-
Box
-
SalesForce
-
SAP
-
Oracle
-
AWS
Requirements:
The following are the requirements to utilize this feature in a network:
-
Meraki AutoVPN support: This feature requires the Meraki MX on MX 15+ series firmware
-
Non-Meraki VPN support: This feature requires the Meraki MX on MX 18.1+ series firmware
-
Minimum License Type: Secure SD-WAN Plus or Advance Teleworker
-
All other requirements listed for IP/URL based Local Internet Breakout
Note: Application-based VPN exclusion rules are only supported on MX devices with Secure SD-WAN Plus or Z Series devices with Secure Teleworker License.
For additional info on MX/Z family features and license options, please refer to our Meraki MX Security and SD-WAN Licensing article.
If you intend to use Application Based VPN Exclusions on templates, you must be using both MX SD-WAN+ as well as Z Secure Teleworker Licenses.
Configuration options:
Once a network qualifies the requirements, the option will be available under Security & SD-WAN > SD-WAN & Traffic Shaping > Local Internet Breakout or Teleworker Gateway > Traffic Shaping > Local Internet Breakout as shown in the image below:
How does the update of the application endpoints work?
The providers who update their endpoints on a regular basis are monitored via the Meraki Dashboard. We periodically check the updates in the backend. If there is new information found, the Meraki dashboard will automatically update its configurations and push those changes to all the customers without their intervention.
Scenario Considerations:
-
A service (any of the applications listed above) is hosted on a private datacenter: If the application hosted in private DC can also be accessed via Public Internet, simply selecting the application to exclude will not work.
-
A service that is hosted privately on public cloud infrastructure such as an email server hosted in Azure: Simply selecting an application will not exclude traffic if the hosted email server is also reachable via the public internet.
VPN Exclusion API
VPN Exclusions can be configured via API. The GET API can be used to retrieve all VPN Exclusions configured within an Organization. The PUT APIs can be used to configure VPN Exclusions. See API docs for more information.