Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Site-to-site VPN rules - Best Practices (Need to restrict a VLAN from accessing org assets on SDWAN)

arslan
Here to help
‎Aug 23 2023 9:19 PM
‎Aug 23 2023 9:19 PM

Site-to-site VPN rules - Best Practices (Need to restrict a VLAN from accessing org assets on SDWAN)

I'd like to block SD-WAN traffic from about 700 sites (specific vlan) to access organization assets and allow monitoring and logging systems only.

 

I have got about 700 subnets, what could be the best way to formulate site-to-site vpn rules to accommodate this requirement.

 

L3 Firewall rules are already in place to blocking/Isolating that specific vlan from other site internal network.

 

 

Site-to-site outbound firewall 

Labels:
0 Kudos
Subscribe
4 Replies 4
GreenMan
Meraki Employee
Meraki Employee
‎Aug 24 2023 2:13 AM
‎Aug 24 2023 2:13 AM

Do those 700 subnets lie inside a unique supernet, which you can use to simplify your ruleset?

Are you using templates?

Subscribe
In response to GreenMan
arslan
Here to help
‎Aug 24 2023 9:42 PM
‎Aug 24 2023 9:42 PM

Not unique supernet.

Using templates and yeah, blocking the internet and inter vlan traffic in L3 firewall rules.

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 24 2023 2:23 PM
‎Aug 24 2023 2:23 PM

Like @GreenMan , I pray that they are all in a supernet.  Even if only 80% of them are, you could still user the supernet and create exceptions.

 

Otherwise, I would create a policy object group and add everything.  I've never made a group that big.  I'm unsure about the scalability (including what processing load this might place on smaller MX devices).

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Configuration_Guide... 

Subscribe
In response to PhilipDAth
arslan
Here to help
‎Aug 25 2023 12:22 AM
‎Aug 25 2023 12:22 AM

These are the supernets for all of the sites.

Brand A
10.5.0.0./16

Brand B
10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
10.31.0.0/16

Brand C
10.4.0.0./16
10.15.0.0/16

Brand D
10.27.0.0/16
10.28.0.0/16

 

MX67s are being used on remote sites and MX450s as Hubs.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.