Site-to-site VPN firewall

Solved
harmankardon
Building a reputation

Site-to-site VPN firewall

Hi all, two questions regarding site-to-site VPN firewall:

 

Question 1:

I have 30 networks in the same dashboard organization with site-to-site VPN (Auto VPN) enabled in hub (mesh) mode at all locations. One location is "headquarters" and the other 29 are smaller remote locations.

 

We'd like to change things so the remote locations cannot talk to each other and only talk with headquarters. To do that, I believe I have to change all the remote locations to Spoke mode instead of hub, and then implement outbound firewall rules to block traffic between the remote sites. 

 

Is there someway to write the rules so that hundreds of rules aren't required? Some sites are 192.168.x.x/24 and others are 10.x.x.x/24.

 

Question 2:

If IPv4 translation is enabled under VPN settings, should the above mentioned firewall rules be written using the translated subnets?

 

Thanks!

 

 

1 Accepted Solution
Bruce
Kind of a big deal

@harmankardon you’re on the right track. Hub and spoke is the way to go, as everyone else has said, and yes, the spokes can still communicate via the hub.

 

The site-to-site VPN rules are organisation-wide - so you only create and apply one set of rules and they appear on all sites. They are also applied in the outbound direction only (I.e. as the traffic leaves the site over the AutoVPN).

 

I’d create rules that allow connections from the HQ subnets to all the other site subnets and from the site subnets to the HQ subnets, and then after them a series of deny rules that prevent traffic between the site subnets.

View solution in original post

5 Replies 5
ww
Kind of a big deal
Kind of a big deal

If you only need to talk to hq then the others are best set to spoke mode.

You can make some rules from "any to hq subnets"  and after that a " deny  any any"

RaphaelL
Kind of a big deal
Kind of a big deal

That rule needs to be a Site-To-Site VPN rule and not a L3 firewall rule . Correct me if I'm wrong

Brash
Kind of a big deal
Kind of a big deal

@ww  Beat me to it 😉

 

Exactly as said above, hub-spoke is the best design for what you're looking to achieve.

For rules, depending on what you want to send over the site-to-site vpn, it may be easier to add allow rules and an explicit deny any any rule at the end.

harmankardon
Building a reputation

I should have added: In addition to the spokes only being allowed to communicate with the hub, we also want the hub to be able to communicate with the spokes. 

 

And my understanding of the hub-spoke model with Meraki is that even though the spokes don't create tunnels directly to each other, by default they can still communicate with each other via the hub. 

 

So it sounds like an allow "any to hq" rule is needed, as well as allow "hq to any" rule, and then a deny all which will block the spoke-to-spoke traffic?

Bruce
Kind of a big deal

@harmankardon you’re on the right track. Hub and spoke is the way to go, as everyone else has said, and yes, the spokes can still communicate via the hub.

 

The site-to-site VPN rules are organisation-wide - so you only create and apply one set of rules and they appear on all sites. They are also applied in the outbound direction only (I.e. as the traffic leaves the site over the AutoVPN).

 

I’d create rules that allow connections from the HQ subnets to all the other site subnets and from the site subnets to the HQ subnets, and then after them a series of deny rules that prevent traffic between the site subnets.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels