VPN full-tunnel exclusion is a feature on the MX whereby the administrator can configure layer-3 (and some layer-7) rules to determine exceptions to a full-tunnel VPN configuration. This feature is also known as Local Internet Breakout in the industry.
When configuring a VPN spoke, the administrator can choose what client traffic is sent to the hub: either only traffic destined for subnets that are part of the VPN or all traffic that does not have a more specific route than the default route. This choice is made in Dashboard by checking the Default Route box for the desired hub on the Site-to-site VPN configuration page. On the MX-Z, this changes the default route from pointing through the uplink to point to the VPN hub.
In certain situations, an administrator wants most non-local traffic to exit to the Internet via the VPN hub, but specific traffic should exit locally, perhaps because the services being accessed are reachable much faster from the local uplink. VPN full-tunnel exclusion is meant to allow this. The configuration model is that the administrator configures rules matching the traffic that should exit locally; everything that matches no rule continues to follow the default route to the hub.
Note: This feature requires the Meraki MX and Z3 devices on the latest MX 15.X series firmware. Z1, MX60, MX60W, MX80, and MX90 devices are not supported as they cannot upgrade to MX 15.X firmware.
Configuring VPN Exclusion Rules (IP/Port)
The L3 VPN Exclusion configuration is available under Security & SD-WAN > SD-WAN and Traffic Shaping.
It will show up if any of the following is true:
- the spoke has at least one default route configured for a hub, or
- a hub is sharing the default route via an advanced routing protocol, or
- the device is a hub with at least one exit hub configured.
By clicking on the Add+ button, the configuration wizard will pop up as shown below:
This wizard allows configuration of IP-based rules. The protocol can be selected as TCP, UDP, ICMP or All. The destination can be a single IP address or a CIDR subnet. A destination port can also be defined, or it can be set to any.
Once the rules are configured, they appear in the Dashboard as shown below:
The above image shows configured rules: all traffic is sent to the hub by default, except traffic to the listed destination IPs, which exits locally on any port.
Configuring VPN Exclusion Rules (DNS Hostname)
To configure a DNS hostname rule, click the Add+ button and select DNS as the protocol. The wizard will then offer a DNS hostname field, as shown below:
Note: To exclude a domain together with all of its subdomains, for example all subdomains of 'google.com', simply enter 'google.com' in the DNS hostname text box. This creates a wildcard entry in the MX configuration covering every subdomain of the domain entered. If you only want to exclude specific subdomains, enter only those subdomains, for example 'mail.google.com'.
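The matching semantics of the IP/port rules and DNS hostname rules described above, as an added illustration that is not Meraki's code and does not model the MX implementation: a flow that matches any exclusion rule exits the local uplink, everything else follows the default route to the hub. The rule set, flows and class names are constructed for this example.

```python
"""Model of MX full-tunnel exclusion rule matching (added example, not Meraki code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class IpRule:
    protocol: str          # "tcp", "udp", "icmp" or "any" (the wizard's "All")
    destination: str       # single IP address or CIDR subnet
    port: Optional[int]    # None means "any" destination port


@dataclass(frozen=True)
class DnsRule:
    hostname: str          # "google.com" covers all subdomains; "mail.google.com" only that host


@dataclass(frozen=True)
class Flow:
    protocol: str
    dst_ip: str
    dst_port: Optional[int] = None
    dst_host: Optional[str] = None   # hostname the client resolved, when known


def _ip_matches(rule: IpRule, flow: Flow) -> bool:
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if rule.port is not None and rule.port != flow.dst_port:
        return False
    # strict=False lets a bare host address be treated as a /32 (or /128) network
    net = ipaddress.ip_network(rule.destination, strict=False)
    return ipaddress.ip_address(flow.dst_ip) in net


def _dns_matches(rule: DnsRule, flow: Flow) -> bool:
    if not flow.dst_host:
        return False
    host = flow.dst_host.lower().rstrip(".")
    pattern = rule.hostname.lower().rstrip(".")
    # Exact match or a label boundary below it; "notgoogle.com" must not match "google.com"
    return host == pattern or host.endswith("." + pattern)


def exits_locally(flow: Flow, rules: List[Union[IpRule, DnsRule]]) -> bool:
    """True when an exclusion rule matches (local Internet breakout); False means hub."""
    for rule in rules:
        if isinstance(rule, IpRule) and _ip_matches(rule, flow):
            return True
        if isinstance(rule, DnsRule) and _dns_matches(rule, flow):
            return True
    return False
```

Flows that exit locally bypass whatever the hub applies to full-tunnel traffic, so each rule is worth reviewing against that trade-off.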
Configuring Application Based VPN Exclusion Rules
Meraki MX supports L7 application-based Local Internet Breakout for the top SD-WAN applications. The following applications can be excluded from the full-tunnel VPN:
Office 365 Suite
Office 365 Sharepoint
Skype & Teams
The following are the requirements to utilize this feature in a network:
Latest MX 15.X firmware
Secure SD-WAN Plus license
All other requirements listed for IP/URL based Local Internet Breakout
Note: Application based VPN exclusion rules are not supported on Z-Series units as they are not compatible with the Secure SD-WAN Plus license. For additional info on MX family features and license options, please refer to our Meraki MX Security and SD-WAN Licensing article.
Once a network meets these requirements, the option is available under Security & SD-WAN > SD-WAN and Traffic Shaping > Local Internet Breakout, as shown in the image below:
How does the update of the application endpoints work?
The providers who update their endpoints on a regular basis are monitored via the Meraki Dashboard. Meraki periodically checks for updates in the backend. If new endpoint information is found, the Meraki Dashboard automatically updates its configuration and pushes the changes to all customer networks without administrator intervention.
A service (any of the applications listed above) hosted in a private data center: if the application hosted in the private DC can also be reached via the public Internet, simply selecting the application to exclude will not work.
A service hosted privately on public cloud infrastructure, such as an email server hosted in Azure: simply selecting an application will not exclude that traffic if the hosted email server is also reachable via the public Internet.