Content filtering on HUB for VPN sites

SOLVED
Smail
Conversationalist

Content filtering on HUB for VPN sites

Hi,

 

I am new here and for some time I am learning what Meraki can do. I am doing my best to sell Meraki products to our clients.

 

I have a question regarding SD-WAN and Content filter, AV etc on HUB. Idea is that all sites reach the internet over the hub site, for better control and visibility.

Here I am reading that the exit Hub cannot do content filtering. 

"In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic."

 

Maybe because Meraki does want to sell SEC license for every site?

So, can I add an additional MX with SEC license just for internet access on the main site? Traffic flow would be SiteA AutoVPN ---> MX84 Edge ---> MX84 VPN Hub (decrypt traffic) ---> MX84 Edge (regular traffic) ---> Internet

A simple drawing is attached.

Meraki SD WAN.jpg

1 ACCEPTED SOLUTION

Yes, thats what I said. It is the same license level across an organization.

So in your case you need two organizations.

 

If the tunnel ends on a different MX then the one that does the filtering, your setup should work from my point of view.

The edge MX treats all traffic coming from the LAN side as internal. It does not make a difference if this traffic comes from a VPN concentrator or not.

 

It does not work if you do filtering on the MX that terminates the VPN tunnels.

 

I have never built this design so far, so best would be if you have the chance to verify it. But from my point of view it works if you create a dedicated organization for the edge MX.

View solution in original post

8 REPLIES 8
Markus
Here to help

Hi,

as far as I understand the license model of Meraki, all MX within an organization have the same level.

You cannot upgrade single MX within your organization. Either all of them are with the basic license or all of them are advanded.

 

Regards,

Markus

Smail
Conversationalist

Even when there are different models? That's unfortunate.

yes, I dont like it as well.

But have a look at following link:

https://documentation.meraki.com/zGeneral_Administration/Licensing/Cisco_Meraki_Licensing_Guidelines...

 

This statement is from the referenced page:

Please note that the MX licensing edition is uniform across the Organization. For example, you can have all 25 appliances using Enterprise Edition or Advanced Security Edition, but you cannot have 20 appliances using one edition and 5 using the other edition. If you wish to use Enterprise Edition for some appliances and Advanced Security Edition for other appliances, you need to create two Organizations, one for your appliances with the Enterprise Edition, and another for the appliances with the Advanced Security Edition.

Smail
Conversationalist

Well, it says that I need to create two organizations. That will work for me.

Can you please tell me if my setup would work?

Yes, thats what I said. It is the same license level across an organization.

So in your case you need two organizations.

 

If the tunnel ends on a different MX then the one that does the filtering, your setup should work from my point of view.

The edge MX treats all traffic coming from the LAN side as internal. It does not make a difference if this traffic comes from a VPN concentrator or not.

 

It does not work if you do filtering on the MX that terminates the VPN tunnels.

 

I have never built this design so far, so best would be if you have the chance to verify it. But from my point of view it works if you create a dedicated organization for the edge MX.

Smail
Conversationalist

Thanks!

I could also use OpenDNS for basic filtering. This would be cheaper and more simple.
jdsilva
Kind of a big deal

Just a thought: You can't use AutoVPN between organizations... If you do two Orgs then you have to use non-meraki VPN, and you lose your SD-WAN functionality.

Smail
Conversationalist

AutoVPN will be between sites and hub with same license (Enterprise). Only the Edge MX that will be a regular FW and gateway will have the SEC license. In this case it should not be a problem with AutoVPN.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels