We are working in an environment where all Meraki devices (MX, MS & MRs) are in same organization. Now while establishing site-to-site VPN, any spoke can connect to the any hub they want to. We want to put policy on the hubs, that only allowed spokes should be allowed to connect to the Hub. Can someone tell me if thats possible? If yes, how?
A spoke can only connect to a hub if you have configured it to.
If you are instead wanting to limit what subnets can talk to other subnets then you need VPN firewall rules - which apply globally to all sites.
Thanks for your reply.
What I am actually looking is a way to control which spoke should be able to connect to the Hub, from the Hub end, and not from the spoke end.
2ndly the VPN firewall rules you are referring, can I control which site should be able to connect to Hub and which not, basically by first adding "deny any" rule and then add specific subnets (of the spokes) which I want to able to connect to the hub. Is that so?
You are thinking in an old school device-centric manner, not a modern cloud orchestrated manner.
The device does not decide who connects to it via AutoVPN. The cloud does. So if you have configured one spoke to connect to a hub and another that can not, the cloud will control it and make sure that is what happens.
If you are instead referring to what traffic can flow from one subnet to another over AutoVPN - then that is done using the VPN firewall rules. Once again, this is not device-centric. You specify it globally, and the cloud applies those policies to all devices and the network as a whole ensures the security policy is met.