Meraki site-to-site vpn with two isolated networks, is it possible?

Solved
Atkguru
Here to help

Meraki site-to-site vpn with two isolated networks, is it possible?

I have scenario and I'm not sure if this can be done with meraki site-to-site vpn.

10 sites, each has two different networks that we don't want to see each other, let's say production network and house automation network.

We want all sites' house automation to see each other. We want all sites' production network to see other sites' production network. But we don't want house automation to have any access to the production network. Can this be done with a single (for example MX68CW) device per site, or is the only solution to build two separate networks per site for this purpose?

5 Replies
Brash
Kind of a big deal

It's technically possible to achieve this with L3 firewall rules. Both networks will be in the same AutoVPN but they will be restricted from communication by firewall rules. It will be a little painful to manage but it's achievable.

Atkguru
Here to help

Is it necessary to configure an L3 firewall rule at all sites to prevent these two different networks accessing each other? Sounds like a lot of work.

djgrothe
Conversationalist

No, you can add firewall rules to the site-to-site VPN itself that will apply to all connected sites.

Security & SDWAN > Site-to-site VPN > Site-to-site outbound firewall section at the bottom

Atkguru
Here to help

Oh, just found it. I tried to check the site-to-site VPN settings and couldn't find it, but it was so low at the bottom of the page that I didn't scroll enough. This makes it much easier. 👍

rhbirkelund
Kind of a big deal

This ought to be possible using a combination of local L3 rules on the MX and S2S VPN FW rules.

On each site you'd have to separate the networks into VLANs on the MX. Then you'll have to create a FW rule per MX that denies traffic between the two VLANs within each site.

E.g. if site A uses 10.10.1.0/24 for prod and 10.20.1.0/24 for HA, then you'd define a FW rule that denies traffic from 10.10.1.0/24 to 10.20.1.0/24 and vice versa.

Then you'll have to create a rule in the Site-to-Site VPN firewall rules which denies all traffic between 10.10.0.0/16 and 10.20.0.0/16, and one vice versa.

The rules per MX allow separation between the VLANs per site, and the S2S rules should allow for separation between the Prod and HA supernets.
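As an added example (not code from this thread, and not Cisco Meraki's own tooling): a Python script that generates the two rule sets rhbirkelund describes, checks them with a first-match evaluator before anything is pushed, and can write them through the Meraki Dashboard API. The addressing plan (10.10.N.0/24 for production and 10.20.N.0/24 for home automation at site N), the organisation ID, network IDs and API key are all assumptions. The evaluator assumes inter-VLAN traffic is judged by the MX's own L3 rules and VPN-bound traffic by the site-to-site outbound rules, which are applied at the sending MX as the dashboard section name in the thread indicates.

```python
"""Generate and sanity-check the two Meraki rule sets described in the thread:
per-site MX L3 rules separating the local prod and HA VLANs, plus one
organisation-wide site-to-site VPN outbound rule set separating the supernets.
Added example; addressing plan, IDs and key are assumptions, not from the post."""
import ipaddress
import json
import urllib.request
from typing import Dict, List

# Constructed addressing plan (assumption): site N uses 10.10.N.0/24 for
# production and 10.20.N.0/24 for home automation (HA).
PROD_SUPERNET = "10.10.0.0/16"
HA_SUPERNET = "10.20.0.0/16"
DASHBOARD = "https://api.meraki.com/api/v1"


def site_subnets(site: int) -> Dict[str, str]:
    return {"prod": f"10.10.{site}.0/24", "ha": f"10.20.{site}.0/24"}


def deny_rule(comment: str, src: str, dst: str) -> dict:
    # Rule object in the shape the Dashboard API accepts for both the
    # l3FirewallRules and vpnFirewallRules endpoints; syslog on so denies are visible.
    return {"comment": comment, "policy": "deny", "protocol": "any",
            "srcCidr": src, "srcPort": "Any",
            "destCidr": dst, "destPort": "Any", "syslogEnabled": True}


def local_l3_rules(site: int) -> List[dict]:
    """Per-MX rules: block the two local VLANs from reaching each other."""
    s = site_subnets(site)
    return [deny_rule(f"site {site}: HA -> prod", s["ha"], s["prod"]),
            deny_rule(f"site {site}: prod -> HA", s["prod"], s["ha"])]


def vpn_firewall_rules() -> List[dict]:
    """One org-wide set: block the two supernets across AutoVPN in both directions."""
    return [deny_rule("S2S: HA supernet -> prod supernet", HA_SUPERNET, PROD_SUPERNET),
            deny_rule("S2S: prod supernet -> HA supernet", PROD_SUPERNET, HA_SUPERNET)]


def first_match(rules: List[dict], src_ip: str, dst_ip: str) -> str:
    """Meraki rule semantics: evaluated top-down, first match wins, implicit allow last."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in ipaddress.ip_network(r["srcCidr"]) and dst in ipaddress.ip_network(r["destCidr"]):
            return r["policy"]
    return "allow"


def verdict(site: int, src_ip: str, dst_ip: str) -> str:
    """Policy for a flow leaving `site`. Assumption: a destination inside the site's
    own VLANs is judged by the MX L3 rules, anything else by the S2S outbound rules."""
    dst = ipaddress.ip_address(dst_ip)
    local_nets = [ipaddress.ip_network(c) for c in site_subnets(site).values()]
    if any(dst in n for n in local_nets):
        return first_match(local_l3_rules(site), src_ip, dst_ip)
    return first_match(vpn_firewall_rules(), src_ip, dst_ip)


def push_rules(api_key: str, org_id: str, network_by_site: Dict[int, str]) -> None:
    """Write both rule sets via the Dashboard API. PUT replaces the whole list on
    each endpoint, so merge with rules already on the MX before calling this."""
    def put(path: str, rules: List[dict]) -> None:
        req = urllib.request.Request(
            f"{DASHBOARD}{path}", method="PUT",
            data=json.dumps({"rules": rules}).encode(),
            headers={"X-Cisco-Meraki-API-Key": api_key,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()
    put(f"/organizations/{org_id}/appliance/vpn/vpnFirewallRules", vpn_firewall_rules())
    for site, network_id in network_by_site.items():
        put(f"/networks/{network_id}/appliance/firewall/l3FirewallRules", local_l3_rules(site))


if __name__ == "__main__":
    # Constructed flows from site 1: same-site HA->prod, cross-site HA->prod,
    # cross-site HA->HA and cross-site prod->prod.
    for site, src, dst in [(1, "10.20.1.50", "10.10.1.20"),
                           (1, "10.20.1.50", "10.10.3.20"),
                           (1, "10.20.1.50", "10.20.3.20"),
                           (1, "10.10.1.50", "10.10.3.20")]:
        print(f"site {site}: {src} -> {dst}: {verdict(site, src, dst)}")
```

Both rule sets end in an implicit allow, so the two deny lines must sit above any broad allow rule; running verdict() over a handful of representative flows before push_rules() catches an ordering mistake that would otherwise silently open HA to production across the VPN.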
