Content Filtering need to be configured for every network?

SOLVED
TLO3346
Getting noticed

Content Filtering need to be configured for every network?

Hello, 

We currently have one HQ network with multiple branch networks with site to site vpn. I'm in the process of setting up content filtering and I was wondering:

 

1. If the HQ network is set as an exit hub NOT default route, will I need to set up content filtering for each network or will it mirror the HQ network since it is set up as the exit hub? If no, will it mirror the HQ network if it is set up as a default route for the spokes?

 

2. We have to have all of our networks setup as a hub at the moment because of our phones not working in hub/spoke mode. Will this significantly decrease performance in the network as Meraki stated?   

 

Thank you. 

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

>If the HQ network is set as an exit hub NOT default route, will I need to set up content filtering for each network

 

Yes you will.

 

>Will this significantly decrease performance in the network as Meraki stated?   

 

Not enough information to answer that one.  How many sites and what model MXs are you using?

View solution in original post

6 REPLIES 6
PhilipDAth
Kind of a big deal

>If the HQ network is set as an exit hub NOT default route, will I need to set up content filtering for each network

 

Yes you will.

 

>Will this significantly decrease performance in the network as Meraki stated?   

 

Not enough information to answer that one.  How many sites and what model MXs are you using?

View solution in original post

Inderdeep
Kind of a big deal

Well to your second question, i am not sure but i found this below. So if you have mesh topology stated as performance degraded.

Inderdeep_0-1619036433932.png

 

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)
ww
Kind of a big deal
Kind of a big deal

When you selected a exit hub at another hub then you already learn a default route in the vpn? 

But in that case it wil still not use the content filter only the firewall from the routed mode exit hub

TLO3346
Getting noticed

So the exit hub network Firewall Rules will be applied to other networks??

ww
Kind of a big deal
Kind of a big deal

Only if they use the internet of that exit hub that fw rules of that hub will also be applied (at that exit hub). It doesnt copy it somehow to other locations.

 

But its best practice to cut down traffic as close to the source. Not tunnel it first to a hub and then block it

Bruce
Kind of a big deal

In response to the second part...

 

>Will this significantly decrease performance in the network as Meraki stated?

 

The decrease in performance is due to the additional VPN tunnels that the MX has to maintain. In a hub and spoke each spoke will have between 1 and 4 VPN tunnels depending on the design. When running in hub mode the MX is having to maintain 1 to 4 VPN tunnels to all other hubs in the organisation... a significant increase, which is what creates the load on the MX. You need to check the MX Sizing Guide to see how many VPN tunnels your devices will support.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels