Meraki

Dom2003 · ‎Aug 13 2025

I have the following requirement:

I have multiple stores and branch offices connected via SD-WAN, with the hubs located in my Data Center. I need to block traffic between branch offices and only allow traffic from the stores to the Data Center.

Does Meraki have any feature that allows this directly, or would I need to configure it using a traditional firewall by creating inbound rules on the hub?

ww · ‎Aug 13 2025

You have to use the meraki vpn statefull firewall

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Or the group policy stateless rules

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

Brash · ‎Aug 13 2025

As said above, there's a separate section for site-to-site vpn rules that can be used to block spoke to spoke communication.

Suar_Mustafa · ‎Aug 13 2025

Yes you can do this directly in Meraki without an external firewall.
Go to Security & SD-WAN → Site-to-site VPN in Dashboard. In the VPN settings section, look at the VPN firewall rules (sometimes labeled “VPN firewall” or “Custom rules” under “Site-to-site VPN”).

These rules control traffic that traverses the AutoVPN fabric. You can explicitly deny branch-to-branch subnets while allowing branch-to-DC traffic. For example:

Deny: Source = Branch subnet(s), Destination = other Branch subnet(s)

Allow: Source = Branch subnet(s), Destination = DC subnet(s)

Since these rules are enforced in the VPN overlay, the block happens before traffic can pass between branches, and you don’t need to touch the traditional firewall at the hub.