Hello,
We currently have one HQ network with multiple branch networks with site-to-site VPN. I'm in the process of setting up content filtering and I was wondering:
1. If the HQ network is set as an exit hub NOT default route, will I need to set up content filtering for each network or will it mirror the HQ network since it is set up as the exit hub? If no, will it mirror the HQ network if it is set up as a default route for the spokes?
2. We have to have all of our networks set up as a hub at the moment because of our phones not working in hub/spoke mode. Will this significantly decrease performance in the network as Meraki stated?
Thank you.
>If the HQ network is set as an exit hub NOT default route, will I need to set up content filtering for each network
Yes you will.
>Will this significantly decrease performance in the network as Meraki stated?
Not enough information to answer that one. How many sites and what model MXs are you using?
Well, to your second question, I am not sure, but I found this below. So if you have a mesh topology, it is stated that performance is degraded.
When you selected an exit hub at another hub, then you already learn a default route in the VPN?
But in that case it will still not use the content filter, only the firewall from the routed mode exit hub.
So the exit hub network Firewall Rules will be applied to other networks??
Only if they use the internet of that exit hub will the FW rules of that hub also be applied (at that exit hub). It doesn't copy it somehow to other locations.
But it's best practice to cut down traffic as close to the source as possible, not tunnel it first to a hub and then block it.
In response to the second part...
>Will this significantly decrease performance in the network as Meraki stated?
The decrease in performance is due to the additional VPN tunnels that the MX has to maintain. In a hub and spoke each spoke will have between 1 and 4 VPN tunnels depending on the design. When running in hub mode the MX is having to maintain 1 to 4 VPN tunnels to all other hubs in the organisation... a significant increase, which is what creates the load on the MX. You need to check the MX Sizing Guide to see how many VPN tunnels your devices will support.