SDWAN Site to site Outbound firewall rules

hmc250000
Getting noticed

SDWAN Site to site Outbound firewall rules

Assume you add these new rules for site to site VPNs: 

allow source 192.168.1.x destination 192.168.2.x

allow source 192.168.2.x destination 192.168.1.x

 

there are no explicit rules defined other than the allow Default rule (Any, Any, Any, Any)

 

Will other sites in the SDWAN be able to communicate with sites 192.168.1.x and/or 192.168.2.x?

4 Replies 4
Ryan_Miles
Meraki Employee
Meraki Employee

The default is allow between autovpn spokes. So, you wouldn't need allow rules unless you had a deny rule in place.

 

What's your intended outcome here?

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
hmc250000
Getting noticed

My goal is to deny access from all other Meraki SDWAN sites (192.168.0.0/16) to sites 192.168.1.x and 192.168.2.x. 

 

So I guess I would have to create a explicit deny rule from source 192.168.x.x/16 to 192.168.1.x and 192.168.2.x?

Ryan_Miles
Meraki Employee
Meraki Employee

Yeah, create the allow rules then throw a broader deny at the bottom

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Iridium79
Getting noticed

Fix the LLDP on the MX250/450 issue.  2 years left on advanced security on 24 MX250/450.  2 Years on an open case and no result.   Clock is ticking.  Gotta start looking for a new solution!

Get notified when there are additional replies to this discussion.