Site-to-site VPN rules - Best Practices (Need to restrict a VLAN from accessing org assets on SDWAN)

arslan
Here to help


I'd like to block SD-WAN traffic from about 700 sites (a specific VLAN) from accessing organization assets, and allow access to monitoring and logging systems only.


I have got about 700 subnets. What could be the best way to formulate site-to-site VPN rules to accommodate this requirement?


L3 firewall rules are already in place to block/isolate that specific VLAN from the other sites' internal networks.

GreenMan
Meraki Employee

Do those 700 subnets lie inside a unique supernet, which you can use to simplify your ruleset?

Are you using templates?

arslan
Here to help

Not a unique supernet.

Using templates, and yeah, blocking the internet and inter-VLAN traffic in L3 firewall rules.

PhilipDAth
Kind of a big deal

Like @GreenMan, I pray that they are all in a supernet. Even if only 80% of them are, you could still use the supernet and create exceptions.


Otherwise, I would create a policy object group and add everything. I've never made a group that big. I'm unsure about the scalability (including what processing load this might place on smaller MX devices).

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Configuration_Guide... 

arslan
Here to help

These are the supernets for all of the sites.

Brand A
10.5.0.0/16

Brand B
10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
10.31.0.0/16

Brand C
10.4.0.0/16
10.15.0.0/16

Brand D
10.27.0.0/16
10.28.0.0/16


MX67s are being used on remote sites and MX450s as Hubs.
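Added example, not code from any poster in this thread: it collapses many site VLAN subnets into the fewest covering prefixes (GreenMan's supernet idea), carves exceptions out of a supernet (PhilipDAth's "supernet with exceptions"), and emits an ordered allow-monitoring-then-deny-assets rule list. The rule dictionary field names assume the Meraki Dashboard API site-to-site VPN firewall rule format and comma-separated CIDR lists; the sample subnets are constructed.

```python
import ipaddress
from typing import Iterable


def summarise(subnets: Iterable[str]) -> list[ipaddress.IPv4Network]:
    """Collapse adjacent/overlapping site subnets into the fewest covering prefixes."""
    nets = (ipaddress.ip_network(s, strict=False) for s in subnets)
    return list(ipaddress.collapse_addresses(nets))


def carve_out(supernet: str, exceptions: Iterable[str]) -> list[ipaddress.IPv4Network]:
    """Return 'supernet minus exceptions' as an explicit prefix list, for sites
    inside a supernet that must NOT be restricted."""
    remaining = [ipaddress.ip_network(supernet)]
    for exc in map(ipaddress.ip_network, exceptions):
        kept = []
        for net in remaining:
            if net.subnet_of(exc):        # exception swallows this whole prefix
                continue
            if exc.subnet_of(net):        # punch the hole, keep the remainder
                kept.extend(net.address_exclude(exc))
            else:
                kept.append(net)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def build_vpn_rules(site_subnets, org_assets, monitoring):
    """Ordered rule list: allow VLAN -> monitoring first, then deny VLAN -> org assets.
    MX VPN rules are evaluated top-down with an implicit final allow, so the
    allow exception must sit above the deny. Field names assumed from the
    Dashboard API vpnFirewallRules format; deny hits are syslogged for visibility."""
    src = ",".join(str(n) for n in summarise(site_subnets))

    def rule(policy, dst, comment):
        return {"comment": comment, "policy": policy, "protocol": "any",
                "srcCidr": src, "srcPort": "Any", "destCidr": dst,
                "destPort": "Any", "syslogEnabled": policy == "deny"}

    return [rule("allow", ",".join(monitoring), "restricted VLAN -> monitoring/logging"),
            rule("deny", ",".join(org_assets), "restricted VLAN -> org assets")]


if __name__ == "__main__":
    # Constructed sample: restricted-VLAN /24s drawn from the supernets listed above.
    sites = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
             "10.5.10.0/24", "10.5.11.0/24", "10.27.7.0/24"]
    for r in build_vpn_rules(sites, ["10.100.0.0/24"], ["10.100.0.10/32"]):
        print(r)
```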
