How to policy on site-to-site VPN to select which sites can connect to the Hub


We are working in an environment where all Meraki devices (MX, MS & MRs) are in the same organization. Now, while establishing site-to-site VPN, any spoke can connect to any hub they want to. We want to put a policy on the hubs so that only allowed spokes can connect to the hub. Can someone tell me if that's possible? If yes, how?


A spoke can only connect to a hub if you have configured it to.


If you are instead wanting to limit what subnets can talk to other subnets then you need VPN firewall rules - which apply globally to all sites. 

Dear @PhilipDAth 

Thanks for your reply.

What I am actually looking for is a way to control which spoke should be able to connect to the hub, from the hub end, and not from the spoke end.

Secondly, with the VPN firewall rules you are referring to, can I control which site should be able to connect to the hub and which not, basically by first adding a "deny any" rule and then adding the specific subnets (of the spokes) which I want to be able to connect to the hub? Is that so?

You are thinking in an old school device-centric manner, not a modern cloud orchestrated manner.


The device does not decide who connects to it via AutoVPN. The cloud does. So if you have configured one spoke to connect to a hub and another that cannot, the cloud will control it and make sure that is what happens.


If you are instead referring to what traffic can flow from one subnet to another over AutoVPN, then that is done using the VPN firewall rules. Once again, this is not device-centric. You specify it globally, and the cloud applies those policies to all devices, and the network as a whole ensures the security policy is met.
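As an added example (not from the thread or from Meraki), the two points above can be checked from the cloud-side configuration: the per-network site-to-site VPN settings decide which spokes reference a hub, and the organization-wide VPN firewall rules decide what traffic is allowed over the tunnels. The input shapes mirror the Dashboard API responses for `GET /networks/{networkId}/appliance/vpn/siteToSiteVpn` and `GET /organizations/{organizationId}/appliance/vpn/vpnFirewallRules`; the network IDs and subnets are constructed sample values. The rule builder puts the explicit allows above the final deny because the rules are evaluated top-down, so a "deny any" placed first would block every spoke.

```python
"""Audit AutoVPN hub/spoke assignments and build ordered VPN firewall rules (example code)."""
import ipaddress

# Constructed sample: per-network site-to-site VPN settings, keyed by network ID.
SAMPLE_SETTINGS = {
    "N_hub": {"mode": "hub", "hubs": [], "subnets": [{"localSubnet": "10.0.0.0/24", "useVpn": True}]},
    "N_spoke_a": {"mode": "spoke", "hubs": [{"hubId": "N_hub", "useDefaultRoute": False}],
                  "subnets": [{"localSubnet": "10.1.0.0/24", "useVpn": True}]},
    "N_spoke_b": {"mode": "spoke", "hubs": [{"hubId": "N_other_hub", "useDefaultRoute": False}],
                  "subnets": [{"localSubnet": "10.2.0.0/24", "useVpn": True}]},
    "N_off": {"mode": "none", "hubs": [], "subnets": []},
}


def spokes_for_hub(settings_by_network, hub_id):
    """Network IDs whose spoke config lists hub_id: only these are orchestrated to build a tunnel to it."""
    return sorted(nid for nid, s in settings_by_network.items()
                  if s["mode"] == "spoke" and any(h["hubId"] == hub_id for h in s["hubs"]))


def build_vpn_firewall_rules(allowed_src_cidrs, hub_subnet):
    """Org-wide rule list: one allow per permitted spoke subnet, then a final deny towards the hub."""
    rules = [{"comment": f"allow {src} to hub", "policy": "allow", "protocol": "any",
              "srcCidr": src, "srcPort": "Any", "destCidr": hub_subnet, "destPort": "Any",
              "syslogEnabled": True} for src in allowed_src_cidrs]
    rules.append({"comment": "deny everything else to hub", "policy": "deny", "protocol": "any",
                  "srcCidr": "Any", "srcPort": "Any", "destCidr": hub_subnet, "destPort": "Any",
                  "syslogEnabled": True})
    return rules


def _matches(cidr, ip):
    return cidr == "Any" or ip in ipaddress.ip_network(cidr, strict=False)


def first_match(rules, src_ip, dst_ip):
    """Simulate top-down evaluation; the implicit last rule in the dashboard allows anything unmatched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule["srcCidr"], src) and _matches(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    print("spokes pointed at N_hub:", spokes_for_hub(SAMPLE_SETTINGS, "N_hub"))
    rules = build_vpn_firewall_rules(["10.1.0.0/24"], "10.0.0.0/24")
    print(first_match(rules, "10.1.0.5", "10.0.0.9"), first_match(rules, "10.2.0.5", "10.0.0.9"))
```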

