Lock down Z3 site 2 site

New here

Is it possible with the Z3 to lock down which IP address it will establish its VPN connection from? For example it can connect to the corp office from my house, but I can't take it over to someone else's house and establish the tunnel? Or similarly is there a way to restrict, by MAC address or similar, which devices are allowed to communicate over the tunnel? 


Thanks in advance,


2 Replies
Building a reputation

Probably not the most secure approach, but I suspect you could, under "Site-to-site VPN" then, at the bottom, "site-to-site Firewall" set an allow rule for only the computer/client you want to be able to access the VPN resources then block everything else. 

Kind of a big deal

No, there is no way to block which IP address the Z3 can establish its tunnel from - that is the ease of the Meraki solution, you don’t need a static IP address. You’ll have to lock the Z3 on the LAN side so that if it is moved somewhere else it is useless unless the right credentials are used on the LAN side - e.g. look at using 802.1x on both wired and wireless.


Obviously, if you know the device has moved you can shut down the VPN tunnel manually. Using this principle you could write a script to monitor the WAN IP address of the Z3 using the API, and if it changes then drop the VPN. (Although I don’t think there is an API endpoint to drop the VPN, but you can remove the subnet from the site-to-site VPN which should have the same effect).
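The monitoring script described in the reply above, as an added example that is not from the thread or from Meraki: it polls the Dashboard API v1 uplink status for the Z3's public WAN IP and, if that IP differs from the one recorded for the home site, sets every local subnet to useVpn=false in the network's site-to-site VPN config. The endpoints, the MERAKI_API_KEY environment variable, the serial and the sample API payloads are assumptions or constructed values, not from the page.

```python
"""Added example: watch a Z3's WAN public IP via the Meraki Dashboard API and
withdraw its subnets from AutoVPN when the IP changes (device moved)."""
import json
import os
import urllib.request

BASE = "https://api.meraki.com/api/v1"  # Dashboard API v1 base URL (assumed)

# Constructed sample of GET /organizations/{orgId}/uplinks/statuses output.
SAMPLE_STATUS = [{"serial": "QXXX-XXXX-XXXX",  # placeholder serial
                  "uplinks": [{"interface": "wan1", "status": "active",
                               "publicIp": "203.0.113.10"}]}]


def api(method, path, body=None):
    """Call the Dashboard API; the key is read from MERAKI_API_KEY (assumption)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method)
    req.add_header("X-Cisco-Meraki-API-Key", os.environ["MERAKI_API_KEY"])
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def wan_public_ip(uplink_statuses, serial):
    """Public IP of the active WAN uplink for one serial; None if the device
    is offline or absent, so an outage is not mistaken for a move."""
    for dev in uplink_statuses:
        if dev.get("serial") != serial:
            continue
        for up in dev.get("uplinks", []):
            if up.get("status") == "active" and up.get("publicIp"):
                return up["publicIp"]
    return None


def withdraw_subnets(vpn_cfg):
    """Copy of the siteToSiteVpn config with every local subnet set to
    useVpn=false, which removes them from the tunnel as the reply suggests."""
    new_cfg = dict(vpn_cfg)
    new_cfg["subnets"] = [dict(s, useVpn=False) for s in vpn_cfg.get("subnets", [])]
    return new_cfg


def check_and_remediate(org_id, network_id, serial, expected_ip):
    """One polling pass: returns (moved, current_ip) and withdraws the subnets
    from AutoVPN when the WAN IP no longer matches the recorded home IP."""
    ip = wan_public_ip(api("GET", f"/organizations/{org_id}/uplinks/statuses"), serial)
    moved = ip is not None and ip != expected_ip
    if moved:
        path = f"/networks/{network_id}/appliance/vpn/siteToSiteVpn"
        api("PUT", path, withdraw_subnets(api("GET", path)))
    return moved, ip
```

Run check_and_remediate from cron or a loop with the home WAN IP recorded beforehand; restoring the subnets afterwards is a manual dashboard step, which is intended.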
