How to policy on site-to-site VPN to select which sites can connect to the Hub

Here to help

We are working in an environment where all Meraki devices (MX, MS & MRs) are in the same organization. Now, while establishing site-to-site VPN, any spoke can connect to any hub they want to. We want to put a policy on the hubs, so that only allowed spokes should be allowed to connect to the Hub. Can someone tell me if that's possible? If yes, how?

3 REPLIES
Kind of a big deal

Re: How to policy on site-to-site VPN to select which sites can connect to the Hub

A spoke can only connect to a hub if you have configured it to.

If you are instead wanting to limit which subnets can talk to other subnets, then you need VPN firewall rules, which apply globally to all sites.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior 

Here to help

Re: How to policy on site-to-site VPN to select which sites can connect to the Hub

Dear @PhilipDAth 

Thanks for your reply.

What I am actually looking for is a way to control which spoke should be able to connect to the Hub, from the Hub end, and not from the spoke end.

Secondly, regarding the VPN firewall rules you are referring to: can I control which site should be able to connect to the Hub and which not, basically by first adding a "deny any" rule and then adding the specific subnets (of the spokes) which I want to be able to connect to the hub? Is that so?

Kind of a big deal

Re: How to policy on site-to-site VPN to select which sites can connect to the Hub

You are thinking in an old school device-centric manner, not a modern cloud orchestrated manner.

The device does not decide who connects to it via AutoVPN. The cloud does. So if you have configured one spoke to connect to a hub and another that cannot, the cloud will control it and make sure that is what happens.

If you are instead referring to what traffic can flow from one subnet to another over AutoVPN, then that is done using the VPN firewall rules. Once again, this is not device-centric. You specify it globally, the cloud applies those policies to all devices, and the network as a whole ensures the security policy is met.
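The two points made in this thread (the spoke's own hub list is what decides which hubs it can reach, and the organization-wide VPN firewall rules are what decide which subnets may talk over the tunnels) can be modelled offline. The following is an added example, not code from the thread or from Cisco Meraki: it takes constructed per-network site-to-site VPN settings in the shape of the Dashboard API's `GET /networks/{networkId}/appliance/vpn/siteToSiteVpn` response (the `mode`, `hubs` and `subnets` keys are an assumption about that shape), derives the "hub-side" view the asker wanted, builds an ordered VPN firewall rule list in the shape of `PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules` (also an assumption), and evaluates sample flows against it top-down, first match wins.

```python
"""Added example (not from the Meraki Community thread or from Cisco Meraki):
model AutoVPN spoke-to-hub reachability and the organization-wide VPN
firewall rules with constructed data shaped like Dashboard API payloads."""
from ipaddress import ip_address, ip_network

# Constructed sample data. Key names follow the assumed shape of the
# Dashboard API's site-to-site VPN settings; network ids are placeholders.
NETWORK_VPN_SETTINGS = {
    "N_hub": {"mode": "hub", "hubs": [],
              "subnets": [{"localSubnet": "10.0.0.0/24", "useVpn": True}]},
    "N_spoke_a": {"mode": "spoke",
                  "hubs": [{"hubId": "N_hub", "useDefaultRoute": False}],
                  "subnets": [{"localSubnet": "10.1.0.0/24", "useVpn": True}]},
    "N_spoke_b": {"mode": "spoke",
                  "hubs": [{"hubId": "N_hub", "useDefaultRoute": False}],
                  "subnets": [{"localSubnet": "10.2.0.0/24", "useVpn": True}]},
    # This spoke lists no hubs, so the cloud never brings up a tunnel for it.
    "N_spoke_c": {"mode": "spoke", "hubs": [],
                  "subnets": [{"localSubnet": "10.3.0.0/24", "useVpn": True}]},
}


def spokes_for_hub(settings, hub_id):
    """Hub-side view: which spokes are configured (on the spoke side) to reach
    this hub. There is no hub-side allow list; this is derived from the spokes."""
    return sorted(nid for nid, s in settings.items()
                  if s["mode"] == "spoke"
                  and any(h["hubId"] == hub_id for h in s["hubs"]))


def _vpn_subnets(settings, network_id):
    """Comma-joined list of the subnets a network advertises into AutoVPN."""
    return ",".join(s["localSubnet"] for s in settings[network_id]["subnets"]
                    if s["useVpn"])


def build_vpn_firewall_rules(settings, hub_id, allowed_spokes):
    """Ordered, organization-wide rule list: allow each permitted spoke's
    subnets to the hub's subnets, then deny everything else over VPN.
    Rule field names follow the assumed vpnFirewallRules payload shape."""
    hub_subnets = _vpn_subnets(settings, hub_id)
    rules = []
    for spoke in allowed_spokes:
        rules.append({"comment": f"allow {spoke} to hub", "policy": "allow",
                      "protocol": "any", "srcCidr": _vpn_subnets(settings, spoke),
                      "srcPort": "Any", "destCidr": hub_subnets, "destPort": "Any",
                      "syslogEnabled": False})
    # Final catch-all: logged so blocked VPN flows show up in syslog.
    rules.append({"comment": "deny everything else over VPN", "policy": "deny",
                  "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
                  "destCidr": "Any", "destPort": "Any", "syslogEnabled": True})
    return rules


def _cidr_match(cidr_field, addr):
    """True if addr falls in any CIDR of a comma-separated field, or field is Any."""
    if cidr_field == "Any":
        return True
    return any(ip_address(addr) in ip_network(c) for c in cidr_field.split(","))


def evaluate(rules, src_ip, dst_ip):
    """Top-down, first-match evaluation; returns the policy of the matching rule.
    Returns None only if no rule matched (impossible when the list ends in deny any)."""
    for rule in rules:
        if _cidr_match(rule["srcCidr"], src_ip) and _cidr_match(rule["destCidr"], dst_ip):
            return rule["policy"]
    return None


if __name__ == "__main__":
    print("spokes configured for N_hub:", spokes_for_hub(NETWORK_VPN_SETTINGS, "N_hub"))
    rules = build_vpn_firewall_rules(NETWORK_VPN_SETTINGS, "N_hub", ["N_spoke_a"])
    for src, dst in [("10.1.0.5", "10.0.0.10"), ("10.2.0.5", "10.0.0.10"), ("10.1.0.5", "10.2.0.10")]:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
```

Because evaluation is first match, the order the second poster proposed (a "deny any" rule first, then the allows) would match every flow on the first rule and block all VPN traffic; the allows have to come before the catch-all deny, as `build_vpn_firewall_rules` emits them. Note also that the rule list is organization-wide, so this restricts spoke-to-spoke traffic as well as spoke-to-hub.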
