Meraki

Community

Content filtering on HUB for VPN sites

Solved
Smail
Conversationalist
‎Feb 22 2018 2:21 AM
‎Feb 22 2018 2:21 AM

Content filtering on HUB for VPN sites

Hi,

 

I am new here and for some time I am learning what Meraki can do. I am doing my best to sell Meraki products to our clients.

 

I have a question regarding SD-WAN and Content filter, AV etc on HUB. Idea is that all sites reach the internet over the hub site, for better control and visibility.

Here I am reading that the exit Hub cannot do content filtering. 

"In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic."

 

Maybe because Meraki does want to sell SEC license for every site?

So, can I add an additional MX with SEC license just for internet access on the main site? Traffic flow would be SiteA AutoVPN ---> MX84 Edge ---> MX84 VPN Hub (decrypt traffic) ---> MX84 Edge (regular traffic) ---> Internet

A simple drawing is attached.

Meraki SD WAN.jpg

0 Kudos
1 Accepted Solution
In response to Smail
Markus
Here to help
‎Feb 22 2018 5:41 AM
‎Feb 22 2018 5:41 AM

Yes, thats what I said. It is the same license level across an organization.

So in your case you need two organizations.

 

If the tunnel ends on a different MX then the one that does the filtering, your setup should work from my point of view.

The edge MX treats all traffic coming from the LAN side as internal. It does not make a difference if this traffic comes from a VPN concentrator or not.

 

It does not work if you do filtering on the MX that terminates the VPN tunnels.

 

I have never built this design so far, so best would be if you have the chance to verify it. But from my point of view it works if you create a dedicated organization for the edge MX.

View solution in original post

8 Replies 8
Markus
Here to help
‎Feb 22 2018 3:30 AM
‎Feb 22 2018 3:30 AM

Hi,

as far as I understand the license model of Meraki, all MX within an organization have the same level.

You cannot upgrade single MX within your organization. Either all of them are with the basic license or all of them are advanded.

 

Regards,

Markus

0 Kudos
In response to Markus
Smail
Conversationalist
‎Feb 22 2018 3:35 AM
‎Feb 22 2018 3:35 AM

Even when there are different models? That's unfortunate.
0 Kudos
In response to Smail
Markus
Here to help
‎Feb 22 2018 3:38 AM
‎Feb 22 2018 3:38 AM

yes, I dont like it as well.

But have a look at following link:

https://documentation.meraki.com/zGeneral_Administration/Licensing/Cisco_Meraki_Licensing_Guidelines...

 

This statement is from the referenced page:

Please note that the MX licensing edition is uniform across the Organization. For example, you can have all 25 appliances using Enterprise Edition or Advanced Security Edition, but you cannot have 20 appliances using one edition and 5 using the other edition. If you wish to use Enterprise Edition for some appliances and Advanced Security Edition for other appliances, you need to create two Organizations, one for your appliances with the Enterprise Edition, and another for the appliances with the Advanced Security Edition.

0 Kudos
In response to Markus
Smail
Conversationalist
‎Feb 22 2018 3:49 AM
‎Feb 22 2018 3:49 AM

Well, it says that I need to create two organizations. That will work for me.

Can you please tell me if my setup would work?
0 Kudos
In response to Smail
Markus
Here to help
‎Feb 22 2018 5:41 AM
‎Feb 22 2018 5:41 AM

Yes, thats what I said. It is the same license level across an organization.

So in your case you need two organizations.

 

If the tunnel ends on a different MX then the one that does the filtering, your setup should work from my point of view.

The edge MX treats all traffic coming from the LAN side as internal. It does not make a difference if this traffic comes from a VPN concentrator or not.

 

It does not work if you do filtering on the MX that terminates the VPN tunnels.

 

I have never built this design so far, so best would be if you have the chance to verify it. But from my point of view it works if you create a dedicated organization for the edge MX.

In response to Markus
Smail
Conversationalist
‎Feb 22 2018 5:45 AM
‎Feb 22 2018 5:45 AM

Thanks!

I could also use OpenDNS for basic filtering. This would be cheaper and more simple.
0 Kudos
In response to Smail
jdsilva
Kind of a big deal
‎Feb 22 2018 7:41 AM
‎Feb 22 2018 7:41 AM

Just a thought: You can't use AutoVPN between organizations... If you do two Orgs then you have to use non-meraki VPN, and you lose your SD-WAN functionality.

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
Smail
Conversationalist
‎Feb 22 2018 8:09 AM
‎Feb 22 2018 8:09 AM

AutoVPN will be between sites and hub with same license (Enterprise). Only the Edge MX that will be a regular FW and gateway will have the SEC license. In this case it should not be a problem with AutoVPN.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.