Meraki

Community

MX Templates for with VPN firewall rules

Solved
Bobcheese
Conversationalist
‎Nov 27 2023 7:53 AM
‎Nov 27 2023 7:53 AM

MX Templates for with VPN firewall rules

Hi All, I’m planning a deployment of multiple MXs where I need to apply a common set of firewall rules to the auto-vpn. Can this be achieved via templates?

0 Kudos
1 Accepted Solution
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:38 AM
‎Nov 27 2023 8:38 AM

Hi , yes I'm 99% sure. 

 

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).

 

Also if you scroll a bit higher on the S2S page you will see  :

 

RaphaelL_0-1701103060987.png

 

 

I'm assuming OP wants to modify VPN Site-to-Site rules

View solution in original post

13 Replies 13
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:07 AM
‎Nov 27 2023 8:07 AM

Definitely yes. See this link.

 

https://documentation.meraki.com/General_Administration/Templates_and_Config_Sync/Managing_Multiple_...

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:25 AM
‎Nov 27 2023 8:25 AM

Hi , 

 

No  Yes but since VPN firewall rules are org-wide. https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

See example below

0 Kudos
In response to RaphaelL
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:34 AM
‎Nov 27 2023 8:34 AM

Are you sure about this? It's a template example?

 

 

alemabrahao_0-1701102823676.png

 

And the documentation you sent does not explicitly say what you are stating.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:38 AM
‎Nov 27 2023 8:38 AM

Hi , yes I'm 99% sure. 

 

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).

 

Also if you scroll a bit higher on the S2S page you will see  :

 

RaphaelL_0-1701103060987.png

 

 

I'm assuming OP wants to modify VPN Site-to-Site rules

In response to RaphaelL
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:40 AM
‎Nov 27 2023 8:40 AM

Yes, but that doesn't mean I can't apply it via template, right? that's actually the way we do it today and it works very well.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:44 AM
‎Nov 27 2023 8:44 AM

Yes probably , but  the goal from templates is to have unified configurations between all child networks binded to that template. 

 

Template A and B can't have different Site-to-Site VPN rules is what I tried to explain (which wasn't very clear I have to admit haha )

Sorry bout the confusion.

 

0 Kudos
In response to RaphaelL
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:46 AM
‎Nov 27 2023 8:46 AM

No no no, everything is fine, it's just to try to make everything clearer. 😊

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Ryan_Miles
Meraki Employee
Meraki Employee
‎Nov 27 2023 8:48 AM
‎Nov 27 2023 8:48 AM

@RaphaelL is correct, VPN S2S rules are not set in a template. Yes, you can see and edit the S2S rules when in a template network, but that's still simply an org wide section visible in any network or template.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 27 2023 8:50 AM
‎Nov 27 2023 8:50 AM

Yes, I know, there was just a little confusion, which we have now resolved. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Bobcheese
Conversationalist
‎Nov 27 2023 9:04 AM
‎Nov 27 2023 9:04 AM

Ok this escalated 🤣.

So Site-to-Site VPN firewall rules are org wide? What if I want to implement the opposite where I want one site to have additional rules, is that possible?

0 Kudos
In response to Bobcheese
Ryan_Miles
Meraki Employee
Meraki Employee
‎Nov 27 2023 9:15 AM
‎Nov 27 2023 9:15 AM

Create a rule(s) that only have source or destinations of the specific site you want additional rules applied to. The ruleset still lives in the org wide section.

 

Example, if you wanted to deny traffic from Spoke 1 to Spoke 2, but allow Spoke 1 to Spokes 3 and beyond just create a rule that denies Spoke 1 to Spoke 2. Traffic to anything besides Spoke 2 would still be permitted.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Ryan_Miles
Bobcheese
Conversationalist
‎Nov 27 2023 9:19 AM
‎Nov 27 2023 9:19 AM

Gotcha, so it’s just one big table of rules that’s org wide.

0 Kudos
Bobcheese
Conversationalist
‎Nov 27 2023 9:06 AM
‎Nov 27 2023 9:06 AM

Thanks for all the input so far BTW guys most helpful.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.