Hello,
I am not sure if this is a feature request, but the Meraki site-to-site VPN does not work the way I hoped it would. My architecture is to have several MX appliances acting as hubs across geographic regions. These hubs reside in our datacenters and I do want them to be able to communicate with each other on all VLANs that I configure. However, I have several MX appliances at remote office locations, which I am configuring as spokes. These spoke MXs should only have access to one or two of the VLANs that the hubs have. There doesn't appear to be any way to restrict what VLANs appear in a spoke VPN connection. Currently I am restricting the traffic using deny policies on the firewall, but this doesn't seem clean to me, because the remote offices are getting routes added to their network that will be blocked. I'd prefer the routes not be advertised to them at all.
Here's a depiction of how I would like this to work:
1. Hub 1: VLANs 1,2,3,4,5,6,7,8 in VPN
2. Hub 2: VLANs 1,2,3,4,5,6,7,8 in VPN (hub 1 and 2 can talk to each other on any VLAN)
3. Spoke 1: VLAN 3 only in VPN
4. Spoke 2: VLANs 4 and 5 in VPN
The easiest GUI implementation I can think of for this would be in the 'spoke' configuration page, where I would be able to configure which VLANs from the hubs I would accept. Perhaps a little better would be to have the VLAN delegation on the hub page, perhaps with a text box next to the 'use VPN' toggle where you can choose the devices to share with. The latter would be better if someone wanted to give RO rights to an admin at that remote office.
I'll 'make a wish' with this request, but if someone could point out how I could already do this with the existing MX functionality I'd appreciate it greatly.
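The workaround the post describes (deny rules on the VPN firewall so a spoke can only reach its permitted hub VLANs) is easy to get wrong by hand as the number of spokes grows. The script below is an added example, not code from the post or from Meraki: it takes a hub/spoke VLAN topology like the one listed above, generates the deny rules in both directions, and evaluates sample flows against them so the result can be checked before anything is pushed. The subnets and spoke names are constructed sample data, the rule field names follow what the dashboard VPN firewall shows, and the Dashboard API endpoint in `push_rules` is an assumption to verify against current documentation.

```python
"""
Build site-to-site VPN firewall deny rules from a desired hub/spoke VLAN
topology and evaluate which flows they permit.

All subnets and spoke names below are CONSTRUCTED sample data.
"""
import ipaddress
import json
import urllib.request
from typing import Dict, List

# Constructed: VLAN id -> subnet the hubs advertise over the VPN.
HUB_VLAN_SUBNETS: Dict[int, str] = {v: f"10.0.{v}.0/24" for v in range(1, 9)}

# Constructed: each spoke's own LAN and the hub VLANs it is allowed to reach.
SPOKES = {
    "spoke1": {"lan": "192.168.1.0/24", "allowed_vlans": [3]},
    "spoke2": {"lan": "192.168.2.0/24", "allowed_vlans": [4, 5]},
}


def build_vpn_firewall_rules(hub_vlans: Dict[int, str], spokes: dict) -> List[dict]:
    """Return ordered deny rules so each spoke only reaches its allowed hub VLANs.

    Both directions are denied so hub-side hosts cannot initiate to the spoke
    either. The MX VPN firewall ends with an implicit allow, so only denies are
    emitted; hub-to-hub traffic is never matched and stays open.
    """
    rules = []
    for name, spoke in spokes.items():
        allowed = set(spoke["allowed_vlans"])
        unknown = allowed - set(hub_vlans)
        if unknown:
            raise ValueError(f"{name}: VLANs {sorted(unknown)} are not in the VPN")
        denied = [v for v in sorted(hub_vlans) if v not in allowed]
        if not denied:
            continue
        hub_cidrs = ",".join(hub_vlans[v] for v in denied)
        for src, dst in ((spoke["lan"], hub_cidrs), (hub_cidrs, spoke["lan"])):
            rules.append({
                "comment": f"{name}: deny hub VLANs {denied}",
                "policy": "deny",
                "protocol": "any",
                "srcCidr": src,
                "srcPort": "any",
                "destCidr": dst,
                "destPort": "any",
                "syslogEnabled": True,  # log hits so blocked flows are visible
            })
    return rules


def _matches(cidr_list: str, ip: str) -> bool:
    """True if ip falls inside any comma-separated CIDR (or the list is 'any')."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidr_list.split(","):
        cidr = cidr.strip()
        if cidr.lower() == "any" or addr in ipaddress.ip_network(cidr):
            return True
    return False


def is_allowed(rules: List[dict], src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation with an implicit final allow, as on the MX VPN firewall."""
    for rule in rules:
        if _matches(rule["srcCidr"], src_ip) and _matches(rule["destCidr"], dst_ip):
            return rule["policy"] == "allow"
    return True


def push_rules(org_id: str, api_key: str, rules: List[dict]) -> int:
    """Upload the rules via the Dashboard API.

    ASSUMED endpoint and header names; confirm against the current API docs.
    """
    url = f"https://api.meraki.com/api/v1/organizations/{org_id}/appliance/vpn/vpnFirewallRules"
    body = json.dumps({"rules": rules}).encode()
    req = urllib.request.Request(
        url, data=body, method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    generated = build_vpn_firewall_rules(HUB_VLAN_SUBNETS, SPOKES)
    print(json.dumps(generated, indent=2))
    print("spoke1 -> VLAN 3:", is_allowed(generated, "192.168.1.10", "10.0.3.5"))
    print("spoke1 -> VLAN 4:", is_allowed(generated, "192.168.1.10", "10.0.4.5"))
```

Note that this only filters traffic; as the post says, the spokes still receive the hub routes. Running `is_allowed` over the flows you care about before pushing catches the common mistake of denying only one direction.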