SDWAN Site to site Outbound firewall rules

hmc250000
Getting noticed


Assume you add these new rules for site to site VPNs: 

allow source 192.168.1.x destination 192.168.2.x

allow source 192.168.2.x destination 192.168.1.x

 

There are no explicit rules defined other than the default allow rule (Any, Any, Any, Any).

 

Will other sites in the SDWAN be able to communicate with sites 192.168.1.x and/or 192.168.2.x?

Ryan_Miles
Meraki Employee

The default is allow between autovpn spokes. So, you wouldn't need allow rules unless you had a deny rule in place.

 

What's your intended outcome here?

My goal is to deny access from all other Meraki SDWAN sites (192.168.0.0/16) to sites 192.168.1.x and 192.168.2.x. 

 

So I guess I would have to create an explicit deny rule from source 192.168.x.x/16 to 192.168.1.x and 192.168.2.x?

Yeah, create the allow rules, then throw a broader deny at the bottom.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior
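To make the ordering point concrete, here is a small first-match rule evaluator (an added example, not Meraki code and not from anyone in this thread). It assumes the "192.168.1.x" and "192.168.2.x" notation means /24 networks, that the ruleset is evaluated top to bottom with the first matching rule deciding, and that an implicit "Any, Any, Any, Any" allow sits at the bottom. It checks both rulesets discussed above: the allow rules alone (where every other spoke still reaches the two sites) and the allow rules followed by a broader deny (where only the two sites reach each other).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One site-to-site outbound firewall rule (source/destination only)."""
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    comment: str = ""


def net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False lets us write host-style prefixes such as 192.168.1.0/24
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, src_ip: str, dst_ip: str, default: str = "allow"):
    """First-match evaluation: the first rule whose src and dst contain the
    packet decides; otherwise the implicit default (allow) applies.
    Returns (action, comment) so callers can see which rule fired."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.comment
    return default, "implicit default rule (Any, Any, Any, Any)"


# Ruleset 1: only the two allow rules from the question (assumed /24 networks).
ALLOW_ONLY = [
    Rule("allow", net("192.168.1.0/24"), net("192.168.2.0/24"), "site1 -> site2"),
    Rule("allow", net("192.168.2.0/24"), net("192.168.1.0/24"), "site2 -> site1"),
]

# Ruleset 2: same allows, then the broader deny at the bottom, as suggested
# in the reply.  Order matters: the specific allows must come first.
WITH_DENY = ALLOW_ONLY + [
    Rule("deny", net("192.168.0.0/16"), net("192.168.1.0/24"), "block all other spokes -> site1"),
    Rule("deny", net("192.168.0.0/16"), net("192.168.2.0/24"), "block all other spokes -> site2"),
]

# Deliberately wrong order: deny placed above the allows shadows them.
DENY_FIRST = WITH_DENY[2:] + ALLOW_ONLY


def other_spoke_reaches_site1(rules) -> bool:
    """Can a constructed third spoke (192.168.3.5) reach a host in site 1?"""
    action, _ = evaluate(rules, "192.168.3.5", "192.168.1.10")
    return action == "allow"


def site2_reaches_site1(rules) -> bool:
    action, _ = evaluate(rules, "192.168.2.5", "192.168.1.10")
    return action == "allow"


def unrelated_spokes_still_talk(rules) -> bool:
    """Traffic between two spokes not named in any rule falls to the default."""
    action, _ = evaluate(rules, "192.168.3.5", "192.168.4.1")
    return action == "allow"


if __name__ == "__main__":
    for name, rules in (("allow only", ALLOW_ONLY), ("allow + deny", WITH_DENY), ("deny first", DENY_FIRST)):
        print(f"{name:13s} other spoke -> site1: {other_spoke_reaches_site1(rules)}, "
              f"site2 -> site1: {site2_reaches_site1(rules)}, "
              f"spoke3 -> spoke4: {unrelated_spokes_still_talk(rules)}")
```

The third ruleset shows the classic mistake the reply warns against: if the /16 deny is placed above the allows it shadows them, and the two sites can no longer reach each other either. When auditing a ruleset, trace a few representative flows through it like this rather than reading the rules in isolation.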

Iridium79
Getting noticed

Fix the LLDP on the MX250/450 issue. 2 years left on advanced security on 24 MX250/450. 2 years on an open case and no result. Clock is ticking. Gotta start looking for a new solution!
