Spoke and Hub Firewall wall.

SOLVED
TLO3346


"Please note that in a Hub-Spoke topology where the spoke is using the Hub as its default route, internet-bound traffic from the Spoke will be subjected to the outbound Layer 3 firewall rules configured on the Hub. For information on Hub-Spoke topology please refer to Configuring Hub-and-spoke VPN Connections on the MX Security Appliance."


Does this mean I don't have to set up layer 3 firewall rules on my VPN spoke sites that use the hub as default route?

1 ACCEPTED SOLUTION
Bruce

Yep, it means that. If you are doing a full tunnel (i.e. the hub is the default route) then no traffic will exit the spoke directly to the internet; it will all go into the tunnel and exit via the hub. However, I’d suggest that more often than not the spoke MX would be configured as split tunnel so internet traffic gets routed directly from the spoke MX, so that the hub doesn’t become a bottleneck.

Configuring the firewall rules on an MX isn’t generally too hard anyway. By default they allow all outbound initiated connections, and deny all inbound initiated connections.
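The following is an added illustration, not code from Meraki or from anyone in this thread. It models the two points in the accepted answer: in a full tunnel the hub's outbound L3 rules are what internet-bound spoke traffic hits, in a split tunnel the spoke's own rules are, and an MX with no explicit rules falls back to "allow outbound-initiated". All names (`MX`, `Spoke`, `rules_lost_on_split`), the first-match evaluation order and the sample topology are assumptions for the example; only internet-bound traffic is modelled, not site-to-site VPN traffic.

```python
"""Hypothetical model (not Meraki code) of which MX's outbound L3 rules
govern a spoke's internet-bound traffic in full-tunnel vs split-tunnel."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "0.0.0.0/0"


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str = ANY        # CIDR; "any" is accepted as shorthand
    dst: str = ANY
    comment: str = ""


@dataclass
class MX:
    name: str
    lan: str                                  # LAN prefix behind this appliance
    outbound_rules: List[Rule] = field(default_factory=list)


@dataclass
class Spoke:
    mx: MX
    hub: MX
    full_tunnel: bool     # True: hub is the spoke's default route


def _net(cidr: str):
    return ip_network(ANY if cidr.lower() == "any" else cidr, strict=False)


def evaluate_outbound(mx: MX, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First-match evaluation of an MX's outbound L3 rules (assumed order).
    With no match the MX default applies: outbound-initiated is allowed."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for i, r in enumerate(mx.outbound_rules, 1):
        if src in _net(r.src) and dst in _net(r.dst):
            return r.action, f"{mx.name} rule {i}: {r.comment or r.action}"
    return "allow", f"{mx.name} default: allow outbound-initiated"


def egress_mx(spoke: Spoke) -> MX:
    """Internet-bound traffic leaves wherever the default route points."""
    return spoke.hub if spoke.full_tunnel else spoke.mx


def internet_bound_verdict(spoke: Spoke, src_ip: str, dst_ip: str):
    """(evaluating MX, action, reason) for one internet-bound flow."""
    mx = egress_mx(spoke)
    action, reason = evaluate_outbound(mx, src_ip, dst_ip)
    return mx.name, action, reason


def rules_lost_on_split(spoke: Spoke, src_ip: str, dst_ip: str) -> bool:
    """True when the hub denies a flow that the spoke alone would allow,
    i.e. the flow becomes reachable if this spoke is moved to split tunnel."""
    hub_action, _ = evaluate_outbound(spoke.hub, src_ip, dst_ip)
    spoke_action, _ = evaluate_outbound(spoke.mx, src_ip, dst_ip)
    return hub_action == "deny" and spoke_action == "allow"


# Constructed sample topology; addresses are RFC 5737 documentation ranges.
HUB = MX("hub-mx", "10.0.0.0/16", [
    Rule("deny", "any", "203.0.113.0/24", "block known-bad range"),
    Rule("deny", "any", "198.51.100.0/24", "block unsanctioned service"),
])
SPOKE_MX = MX("branch-mx", "10.20.0.0/24")   # no explicit rules: default allow
FULL = Spoke(SPOKE_MX, HUB, full_tunnel=True)
SPLIT = Spoke(SPOKE_MX, HUB, full_tunnel=False)

if __name__ == "__main__":
    for label, spoke in (("full tunnel", FULL), ("split tunnel", SPLIT)):
        print(label, internet_bound_verdict(spoke, "10.20.0.5", "203.0.113.10"))
    print("hub-only protection lost on split?",
          rules_lost_on_split(FULL, "10.20.0.5", "203.0.113.10"))
```

Running it shows the same destination denied by `hub-mx` under full tunnel and allowed by `branch-mx` under split tunnel; `rules_lost_on_split` is the check worth running before moving a spoke to split tunnel, since any deny that exists only on the hub stops applying to that spoke's internet traffic.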

