Best way to restrict VPN client access to specific hub servers (hub-and-spoke topology)

athan1234
A model citizen

Hi everyone,

I need some advice on a network design scenario and would like to hear different points of view.

Here’s the situation:

  • We have a hub-and-spoke topology.

  • The servers are located in the hub VLAN.

  • The goal is for a VPN client that connects through a spoke to only reach specific servers at the hub, not the entire network.

When I spoke with the customer, they said they prefer the VPN connection to terminate at the spoke, not at the hub. Their requirement is that users can reach only certain hub servers from that spoke.

My initial idea was to create a group policy where I allow access only to the authorized servers and deny the rest. I was thinking of applying this group policy when the client connects through the VPN, but I see some challenges with dynamic IP addresses, and I’m not sure if this is the best solution.

So, my questions are:

  • Is it possible to configure rules on the MX at the spoke so that VPN clients connected to that spoke can only reach certain hub servers?

  • Is it a better practice to suggest creating IPsec tunnels specifically for this purpose?

  • Are there alternative ways (without using RADIUS or AnyConnect) to apply rules only to traffic from these VPN clients?

I would really appreciate your insights or best practices for implementing this in a clean and scalable way.

Thanks in advance for your feedback

11 Replies
jimmyt234
Head in the Cloud

A little more information required to give a proper answer:

  • Native Meraki Client VPN or the full Cisco Secure Client?
  • Are you referring to a per-user restriction? E.g. User 1 can access Server 1 and User 2 can access Server 2? Or just that all VPN users can only access Server 1?
athan1234
A model citizen

Hi @jimmyt234,

I reply to you:

  • Native Meraki
  • The idea is that this VPN only provides access to the specific servers
jimmyt234
Head in the Cloud

In this case, as it is all VPN users, I believe you could use the VPN site-to-site outbound firewall policies to restrict your Spoke<>Hub traffic by using the appropriate source/destination IPs.

For example, your policy could be: source of VPN subnet, destination of the list of specific servers. You would then need a deny policy below this (if you don't already have a default deny all).

Site-to-site VPN Firewall Rule Behavior - Cisco Meraki Documentation

athan1234
A model citizen

Thanks for the suggestion and the documentation link!

After reviewing the Site-to-Site VPN Firewall Rule documentation, I understand that these rules are organization-wide and apply to all MX networks participating in site-to-site VPN.

To confirm my understanding of your approach:

I would configure the rules under Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings:

  1. Allow rule:
    • Source: VPN client subnet (e.g., 192.168.100.0/24)
    • Destination: Specific hub servers (e.g., 10.0.1.50, 10.0.1.51, 10.0.1.52)
    • Action: Allow
  2. Deny rule (below the allow rule):
    • Source: VPN client subnet (192.168.100.0/24)
    • Destination: Any
    • Action: Deny

My question: Since these are organization-wide rules, will this configuration affect VPN clients from other spokes that might use different subnets? Or as long as I specify the exact VPN client subnet from this particular spoke, other spoke traffic won't be impacted?

Is this the correct implementation of your suggestion? Want to make sure I understand the scope and impact before implementing.

Thanks for pointing me in the right direction!

jimmyt234
Head in the Cloud

Your understanding is exactly what I was thinking.

As you say, client VPNs on other spokes will be different source subnets, so they are not subject to your policies. As with anything, make sure you test after implementation to ensure it is working as desired.
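The rule set agreed above, modelled as an added example that is not part of this thread and not Meraki code. It is a first-match evaluator for the site-to-site VPN outbound rules, so you can check on paper, before touching the org-wide list, that (1) a client-VPN address from this spoke reaches only the listed hub servers and is denied elsewhere, (2) client-VPN addresses of other spokes match neither rule, and (3) the deny has not been placed above the allow, which would make the allow unreachable. The addresses reuse the sample values from the thread (192.168.100.0/24 and 10.0.1.50-52); the second spoke's pool 192.168.101.0/24 is an assumption, as is the dict layout in `to_dashboard_rules`, which is modelled on the Dashboard API `vpnFirewallRules` body and should be checked against the current API reference before use.

```python
"""Added example (not from the thread): first-match model of Meraki-style
site-to-site VPN outbound firewall rules.

Assumptions: the second-spoke pool 192.168.101.0/24 is invented, and the
dict layout in to_dashboard_rules is modelled on the Dashboard API
vpnFirewallRules body, not verified here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    comment: str
    policy: str              # "allow" or "deny"
    src: tuple[str, ...]     # ("Any",) or CIDRs / host addresses
    dst: tuple[str, ...]


def _nets(cidrs):
    """None means 'Any'; otherwise the parsed networks (a bare host becomes /32 or /128)."""
    if any(c.lower() == "any" for c in cidrs):
        return None
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _hit(cidrs, addr):
    nets = _nets(cidrs)
    return nets is None or any(addr.version == n.version and addr in n for n in nets)


def evaluate(rules, src, dst):
    """Walk the list top to bottom; the first rule matching both ends wins.
    The site-to-site outbound list ends in an implicit allow-any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _hit(r.src, s) and _hit(r.dst, d):
            return r.policy, r.comment
    return "allow", "implicit default allow"


def _covers(outer, inner):
    """True if every address that matches `inner` also matches `outer`."""
    o, i = _nets(outer), _nets(inner)
    if o is None:
        return True
    if i is None:
        return False
    return all(any(n.version == m.version and n.subnet_of(m) for m in o) for n in i)


def shadowed(rules):
    """(index, shadowed_by) for every rule an earlier rule makes unreachable.
    The classic mistake is putting the deny above the allow: the allow never
    fires and the VPN users lose the permitted servers as well."""
    found = []
    for j, r in enumerate(rules):
        for i in range(j):
            if _covers(rules[i].src, r.src) and _covers(rules[i].dst, r.dst):
                found.append((j, i))
                break
    return found


def to_dashboard_rules(rules):
    """Assumed API shape; verify before PUT .../appliance/vpn/vpnFirewallRules."""
    return [{"comment": r.comment, "policy": r.policy, "protocol": "any",
             "srcPort": "Any", "srcCidr": ",".join(r.src),
             "destPort": "Any", "destCidr": ",".join(r.dst),
             "syslogEnabled": False} for r in rules]


# Constructed sample: the thread's values plus one assumed second-spoke pool.
SPOKE_A_VPN = ("192.168.100.0/24",)
SPOKE_B_VPN_HOST = "192.168.101.10"   # assumption: a client on another spoke's pool
HUB_SERVERS = ("10.0.1.50/32", "10.0.1.51/32", "10.0.1.52/32")

RULES = [
    Rule("spoke A client VPN -> permitted hub servers", "allow", SPOKE_A_VPN, HUB_SERVERS),
    Rule("spoke A client VPN -> everything else", "deny", SPOKE_A_VPN, ("Any",)),
]

if __name__ == "__main__":
    for src, dst in [("192.168.100.10", "10.0.1.50"), ("192.168.100.10", "10.0.2.5"),
                     (SPOKE_B_VPN_HOST, "10.0.2.5")]:
        print(f"{src} -> {dst}: {evaluate(RULES, src, dst)}")
    print("unreachable rules:", shadowed(RULES))
    print("unreachable if reversed:", shadowed(list(reversed(RULES))))
```

Two caveats on the model: it only describes traffic that enters the AutoVPN tunnel, so the deny-any does not say anything about the client's Internet access, and `shadowed` ignores policy, so it also flags a redundant same-policy rule, which is still worth removing.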

athan1234
A model citizen

Hello, I'm experiencing some strange behavior and I'm not sure if it's normal.

Here's my setup:

  • On the spoke, I created outbound rules.

  • I unchecked the split tunneling option on the network adapter.

When I test the connection:

  • I get Internet access, but I cannot reach the server when the adapter is configured with split tunneling.

  • I cannot ping the servers or the MX hub gateway.

The server VLAN in the hub is enabled, and I can see the route in the spoke's routing table.

On the other hand, when I configure the adapter as full tunnel, I can reach the hub VLAN server and the tracert completes to the Meraki hub gateway, but then I lose Internet access (maybe because I set the DNS server to the customer's DNS).

Is this behavior normal?

jimmyt234
Head in the Cloud

I believe you've created those firewall policies under the Layer 3 section rather than the site-to-site VPN section.

athan1234
A model citizen

Sorry, yes you are right. I created the rules in the Site-to-Site outbound firewall.

Same result, like this:

  • I unchecked the split tunneling option on the network adapter.

When I test the connection:

  • I get Internet access, but I cannot reach the server when the adapter is configured with split tunneling.

  • I cannot ping the servers or the MX hub gateway.

The server VLAN in the hub is enabled, and I can see the route in the spoke's routing table.

On the other hand, when I configure the adapter as full tunnel, I can reach the hub VLAN server and the tracert completes to the Meraki hub gateway, but then I lose Internet access (maybe because I set the DNS server to the customer's DNS).

Is this behavior normal?

jimmyt234
Head in the Cloud

Has the VPN policies created this problem or did you never have connectivity to the Hub servers in the first place?

PhilipDAth
Kind of a big deal

> I was thinking of applying this group policy when the client connects through the VPN

When you apply a group policy to a VPN user it is applied to the machine they VPN in from, and is not related to the public IP addresses that they come from.

If you use RADIUS authentication, you can pass the Filter-Id attribute.

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_...

If using SAML (such as Entra ID), you can also pass a group policy to apply.

athan1234
A model citizen

Hi,

Thanks for the clarification. I believed group policy was applied by IP, but it's actually by machine MAC address, correct?

The problem is that I would need to wait for the customer to connect, then search for them in the Client VPN section and manually assign the group policy to their device. Isn't that right?
