Specify which clients can use site to site vpn?



Is it possible to specify which clients can / cannot traverse a site-to-site VPN?


I have a site-to-site vpn setup between a MX 84 and a Z3.  I'd like to specifically allow certain hosts attached to the Z3 to use the VPN, and deny access to the VPN to other hosts.


@ShawnL: Check this out



@ShawnL, that’s a bit of a tricky one to achieve, but can be done. There are a couple of ways I can think of doing it. Probably the most appropriate is to have two VLANs, one VLAN is included in the VPN, the other isn’t. Then you just have to make sure that clients are added to the correct VLAN - easiest way is static port assignments (or one SSID per VLAN if using wireless).


The other way you could do it is using the Site-to-site VPN inbound firewall to limit the local IP addresses that can access the IP addresses across the VPN - but note that this will drop traffic rather than divert it to the local internet. This obviously relies on having known (likely static) IP addresses.
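An added illustration of the difference the reply above draws between the two approaches; this is not code from the thread or from Meraki. It models the Z3's VLAN subnets with a constructed list shaped like the Dashboard API's site-to-site VPN settings (`localSubnet` / `useVpn`) and a constructed first-match VPN firewall rule list, then reports whether a flow from a given Z3 host is sent over the VPN, dropped by the VPN firewall, or left to the local default route.

```python
import ipaddress

# Constructed sample: the Z3's local VLANs and whether each is advertised into
# the VPN (mirrors the "two VLANs, one in the VPN, one not" approach).
Z3_VPN_SUBNETS = [
    {"localSubnet": "192.168.10.0/24", "useVpn": True},   # VLAN 10: may use the VPN
    {"localSubnet": "192.168.20.0/24", "useVpn": False},  # VLAN 20: local internet only
]

# Constructed VPN firewall rules (the reply's second approach). First match wins;
# anything unmatched is allowed. A deny here DROPS the flow, it does not redirect it.
VPN_FW_RULES = [
    {"policy": "deny", "srcCidr": "192.168.10.50/32", "destCidr": "10.0.0.0/24"},
]

# Constructed subnet on the MX 84 side, reachable only across the VPN.
MX_REMOTE_SUBNET = "10.0.0.0/24"


def vpn_subnet_for(host):
    """Return the VLAN entry whose subnet contains host, or None if unknown."""
    ip = ipaddress.ip_address(host)
    for entry in Z3_VPN_SUBNETS:
        if ip in ipaddress.ip_network(entry["localSubnet"]):
            return entry
    return None


def vpn_firewall_verdict(src, dst):
    """Evaluate the VPN firewall rules top-down; implicit allow at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in VPN_FW_RULES:
        if s in ipaddress.ip_network(rule["srcCidr"]) and d in ipaddress.ip_network(rule["destCidr"]):
            return rule["policy"]
    return "allow"


def path_for(src, dst):
    """Return 'vpn', 'dropped' or 'local' for a flow from a Z3 host to dst."""
    entry = vpn_subnet_for(src)
    remote = ipaddress.ip_address(dst) in ipaddress.ip_network(MX_REMOTE_SUBNET)
    # Not a VPN destination, or the host's VLAN is not in the VPN: the flow
    # simply follows the Z3's local default route.
    if not remote or entry is None or not entry["useVpn"]:
        return "local"
    # VLAN is in the VPN, so the VPN firewall decides: deny means the packet is lost.
    if vpn_firewall_verdict(src, dst) == "deny":
        return "dropped"
    return "vpn"
```

Moving a host to VLAN 20 yields "local" for the same destination, while the firewall rule on 192.168.10.50 yields "dropped", which is the behaviour difference the reply warns about.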
