MX Hub block from talking to other MX Hubs

MrFun7177
Comes here often


Hello,


We have multiple sites and multiple sites with MX Hubs configured. In a perfect world, meshing sounds good. Think about each site having their own servers and sister sites connecting to that site. 


I have 1 site that I do not want to mesh with the other hubs. By default ALL hubs mesh with each other. I would like to keep that for the most part. I just do not want this one hub to mesh with any of the other hubs.


I tried Layer 3 firewall and that did not seem to work. Has anyone tried to do this?

5 Replies
Mloraditch
Kind of a big deal

Your options are turn VPN off for that hub, make it a spoke, or you can use the Site to Site Firewall Rules: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior


What is the goal here besides make it not mesh? If you don't want it to talk to other sites and other sites to it, turning off VPN is the easiest.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
MrFun7177
Comes here often

I want other sites to connect to it. We have another hub that has a default route that is being broadcast as 0.0.0.0/0 so that means everything. I want to keep that from leaking to this other hub if I had spokes connecting only to it. 

Mloraditch
Kind of a big deal

I'm not sure what you want is possible. I'm guessing you are using BGP somewhere along the way, as that's the only way I can think that a 0.0.0.0/0 route could be injected into the AutoVPN routes. I'm also not sure that your concern is actually possible, and nothing may need to be done.

You may want to contact support, although someone else may chime in with slightly more knowledge. I don't use any dynamic routing in my setups, so I have limited familiarity.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
alemabrahao
Kind of a big deal

I can think of two possibilities. Instead of turning this site into a full AutoVPN hub, you could either convert it to a spoke or set up a non-Meraki VPN peer.

That way, it won't be part of the hub-to-hub mesh, but it can still connect to specific targets (like partner networks or isolated branches).

Or, you could set it up as a spoke, selecting only the hubs you want it to connect to. This breaks the mesh laterally, but keeps the rest of the hubs in the mesh.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
JonoM
Meraki Employee

Just to add to this, the non-Meraki VPN method will only work if you separate this site into a different dashboard organization, since enabling VPN will automatically create an AutoVPN connection. You can manage multiple organizations from your dashboard account, so this could be a potential solution to your particular design needs.

As mentioned by everyone else though, preventing a single hub from speaking to other hubs is not possible. 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
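The spoke-with-selected-hubs approach suggested above can be expressed against the Meraki Dashboard API as well. The following is an added example, not code from the thread or from Meraki; it builds the body for the site-to-site VPN settings endpoint, selecting only the hubs you want and refusing their default route (the 0.0.0.0/0 leak concern raised earlier), and audits the result. The network and hub IDs are constructed placeholders; the API key is assumed to come from the environment.

```python
import json
import os
import urllib.request

# Constructed placeholder IDs, not real Meraki network IDs.
SPOKE_NETWORK_ID = "N_SPOKE_PLACEHOLDER"
ALLOWED_HUBS = ["N_HUB_A_PLACEHOLDER"]


def build_spoke_vpn_settings(hub_ids, local_subnets, accept_default_route=False):
    """Body for PUT /networks/{id}/appliance/vpn/siteToSiteVpn.

    mode "spoke" removes the network from the hub-to-hub mesh; it only
    forms AutoVPN tunnels to the hubs listed here. useDefaultRoute=False
    keeps a hub's advertised 0.0.0.0/0 from being installed on this site.
    """
    if not hub_ids:
        raise ValueError("a spoke needs at least one hub")
    if len(set(hub_ids)) != len(hub_ids):
        raise ValueError("duplicate hub id in list")
    return {
        "mode": "spoke",
        "hubs": [{"hubId": h, "useDefaultRoute": accept_default_route} for h in hub_ids],
        "subnets": [{"localSubnet": s, "useVpn": True} for s in local_subnets],
    }


def check_no_default_route(settings):
    """Audit: True only if the site is a spoke and no hub pushes 0.0.0.0/0 to it."""
    return settings["mode"] == "spoke" and not any(
        h["useDefaultRoute"] for h in settings["hubs"]
    )


def apply_settings(api_key, network_id, settings, base_url="https://api.meraki.com/api/v1"):
    """Send the settings to the dashboard; returns the API's JSON response."""
    req = urllib.request.Request(
        f"{base_url}/networks/{network_id}/appliance/vpn/siteToSiteVpn",
        data=json.dumps(settings).encode(),
        method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_spoke_vpn_settings(ALLOWED_HUBS, ["10.10.0.0/24"])
    assert check_no_default_route(body)
    print(json.dumps(body, indent=2))
    if os.environ.get("MERAKI_API_KEY"):
        print(apply_settings(os.environ["MERAKI_API_KEY"], SPOKE_NETWORK_ID, body))
```

Run it without MERAKI_API_KEY set to only print the payload; check the output in the dashboard's Site-to-site VPN page after applying.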