Client Isolation on Client VPN


Happy Monday Everyone,


Is there a way we can implement client isolation on VPN clients so one VPN client can't reach/see another VPN client?

Hi,


Unfortunately I don't think that is possible for the moment. Even with Group Policy I don't see how you could achieve this.


Check this out on the AnyConnect documentation page (emphasis mine):

AnyConnect on the MX does not support multiple VLANs or address pools for Client VPN users. However, the MX supports the application and enforcement of policies to AnyConnect users on authentication. It is also important to note that, from a Client VPN standpoint on the MX, having users on the same subnet does not mean they are in the same VLAN. Users are assigned a /32 address (one address) from the pool configured on Dashboard. Group Policies can then be used to limit users on the same AnyConnect subnet from talking to each other or other resources on the network.

AnyConnect on the MX Appliance - Cisco Meraki

Group policies are not an AnyConnect-only feature, so it may be possible to achieve with vanilla Client VPN
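The group-policy approach from the documentation quoted above, sketched as an added example that is not part of the original post or of Meraki's documentation: it builds a group policy body whose first L3 rule denies the client VPN pool, then checks the rule order with a first-match evaluation. The pool `192.168.50.0/24`, the policy name, and the assumption that the payload follows the Dashboard API group policy layout (`firewallAndTrafficShaping.l3FirewallRules`) should be verified against your own network and the current API reference.

```python
import ipaddress
import json

# Constructed sample value (assumption): the client VPN subnet set on Dashboard.
VPN_POOL = "192.168.50.0/24"

def isolation_policy(vpn_pool, name="VPN-Client-Isolation"):
    """Build a group policy body that blocks traffic destined to the VPN pool."""
    pool = ipaddress.ip_network(vpn_pool)  # ValueError on a malformed CIDR
    return {
        "name": name,  # hypothetical policy name
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": [
                # Order matters: the deny must come before the catch-all allow.
                {"comment": "Block VPN client to VPN client", "policy": "deny",
                 "protocol": "any", "destPort": "Any", "destCidr": str(pool)},
                {"comment": "Everything else", "policy": "allow",
                 "protocol": "any", "destPort": "Any", "destCidr": "Any"},
            ],
        },
    }

def verdict(policy, dest_ip):
    """First-match evaluation of the policy's L3 rules for one destination."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in policy["firewallAndTrafficShaping"]["l3FirewallRules"]:
        cidr = rule["destCidr"]
        if cidr.lower() == "any" or dest in ipaddress.ip_network(cidr):
            return rule["policy"]
    return "allow"  # assumption: traffic matching no rule is allowed

def isolates_clients(policy, vpn_pool):
    """True if every host address in the pool is denied as a destination."""
    return all(verdict(policy, str(h)) == "deny"
               for h in ipaddress.ip_network(vpn_pool).hosts())

if __name__ == "__main__":
    policy = isolation_policy(VPN_POOL)
    print(json.dumps(policy, indent=2))
    print("clients isolated:", isolates_clients(policy, VPN_POOL))
```

Because each VPN user gets a /32 from the pool, a single deny on the pool CIDR covers every peer; the policy still has to be applied to the VPN users for it to take effect.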

@JamesC_AB Interesting. I will give group policy a try. Thanks.


It will be easier to do with AnyConnect, as you can assign a default group policy to be used for all AnyConnect users.

With the Windows client VPN, you have to log in each user one at a time, and then assign the group policy, and then it will stick. OK for a small number of users. A nightmare for lots of users.

Unfortunately we don't use AnyConnect, but thanks for the tip @PhilipDAth


AnyConnect is relatively cheap and so much better ...

@PhilipDAth Agree with you, it is much better than normal client VPN.
