Meraki

Community

Intrusion detection and prevention

ITDUDE
New here
‎Aug 7 2024 11:26 AM
‎Aug 7 2024 11:26 AM

Intrusion detection and prevention

does VPN to VPN traffice pass though the Intrusion detection and prevention threat proteection  or does it bypass this?

Labels:
0 Kudos
6 Replies 6
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 7 2024 11:49 AM
‎Aug 7 2024 11:49 AM

IPS is done on the MX where the traffic enters the AutoVPN system; not on the Hub if you have Spoke -> Hub -> Spoke traffic.

But if I remember right, IDS would still be done on the Hub.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
Jinbe
Meraki Employee
Meraki Employee
‎Aug 8 2024 10:20 AM
‎Aug 8 2024 10:20 AM

That is correct, security inspection such as Content Filtering and Threat Protection is done locally on the MX. The hub/concentrator MX will not inspect traffic from the remote VPN subnets.

 

You can find this information referenced here: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering_and_Th...

 

 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to Jinbe
pdeleuw
Building a reputation
‎Nov 27 2024 12:11 AM
‎Nov 27 2024 12:11 AM

Sorry for the late reply ... But there is a discrepancy between your answer and Karsten's answer. My understanding is, that Threat Protection includes IPS/IDS and AMP. Karsten mentions, IDS is done on the hub/concentrator. Your answer says, there is no inspection with Content Filtering and Threat Protection on the hub/concentrator. Please, clarify: Is IDS/IDS done on the concentrator for the remote subnets?

0 Kudos
In response to pdeleuw
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 27 2024 5:03 AM
‎Nov 27 2024 5:03 AM

There doesn't have to be a discrepancy. IPS is always done on the ingress MX. The second sentence was about pure IDS. I remember seeing alerts from the hub device when there was no IPS on the Spoke, but I could have remembered this wrong. Most importantly, for real protection, the Hub is not used and the function has to be implemented on the spoke.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to pdeleuw
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 4 2024 10:35 AM
‎Dec 4 2024 10:35 AM

Just found it, it's even documented:

KarstenI_0-1733337292702.jpeg

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
pdeleuw
Building a reputation
‎Dec 4 2024 12:48 PM
‎Dec 4 2024 12:48 PM

Thank you, Karsten. IDS and IPS have different behaviors. Very new finding for me ...

Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.