MX Templates for with VPN firewall rules

Solved
Bobcheese
Conversationalist

MX Templates for with VPN firewall rules

Hi All, I’m planning a deployment of multiple MXs where I need to apply a common set of firewall rules to the auto-vpn. Can this be achieved via templates?

1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal

Hi , yes I'm 99% sure. 

 

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).

 

Also if you scroll a bit higher on the S2S page you will see  :

 

RaphaelL_0-1701103060987.png

 

 

I'm assuming OP wants to modify VPN Site-to-Site rules

View solution in original post

13 Replies 13
alemabrahao
Kind of a big deal
Kind of a big deal

Definitely yes. See this link.

 

https://documentation.meraki.com/General_Administration/Templates_and_Config_Sync/Managing_Multiple_...

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal

Hi , 

 

No  Yes but since VPN firewall rules are org-wide. https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

See example below

alemabrahao
Kind of a big deal
Kind of a big deal

Are you sure about this? It's a template example?

 

 

alemabrahao_0-1701102823676.png

 

And the documentation you sent does not explicitly say what you are stating.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal

Hi , yes I'm 99% sure. 

 

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).

 

Also if you scroll a bit higher on the S2S page you will see  :

 

RaphaelL_0-1701103060987.png

 

 

I'm assuming OP wants to modify VPN Site-to-Site rules

alemabrahao
Kind of a big deal
Kind of a big deal

Yes, but that doesn't mean I can't apply it via template, right? that's actually the way we do it today and it works very well.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal

Yes probably , but  the goal from templates is to have unified configurations between all child networks binded to that template. 

 

Template A and B can't have different Site-to-Site VPN rules is what I tried to explain (which wasn't very clear I have to admit haha )

Sorry bout the confusion.

 

alemabrahao
Kind of a big deal
Kind of a big deal

No no no, everything is fine, it's just to try to make everything clearer. 😊

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Ryan_Miles
Meraki Employee
Meraki Employee

@RaphaelL is correct, VPN S2S rules are not set in a template. Yes, you can see and edit the S2S rules when in a template network, but that's still simply an org wide section visible in any network or template.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
alemabrahao
Kind of a big deal
Kind of a big deal

Yes, I know, there was just a little confusion, which we have now resolved. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Bobcheese
Conversationalist

Ok this escalated 🤣.

So Site-to-Site VPN firewall rules are org wide? What if I want to implement the opposite where I want one site to have additional rules, is that possible?

Ryan_Miles
Meraki Employee
Meraki Employee

Create a rule(s) that only have source or destinations of the specific site you want additional rules applied to. The ruleset still lives in the org wide section.

 

Example, if you wanted to deny traffic from Spoke 1 to Spoke 2, but allow Spoke 1 to Spokes 3 and beyond just create a rule that denies Spoke 1 to Spoke 2. Traffic to anything besides Spoke 2 would still be permitted.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Bobcheese
Conversationalist

Gotcha, so it’s just one big table of rules that’s org wide.

Bobcheese
Conversationalist

Thanks for all the input so far BTW guys most helpful.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels