What's the best way to block traffic between site-to-site tunnels

bill_berry32
Conversationalist

We have an MX-250 at corporate configured as a hub. Remote locations connect with MX-67Cs. What's the best way to restrict traffic from each remote location to only the corporate office? Basically, deny traffic from one VPN to another?

4 Replies
Nash
Kind of a big deal

So you're using AutoVPN, and you want to grant remote sites access to home base, but you don't want Remote-A to talk to Remote-B? Just to confirm?

PhilipDAth
Kind of a big deal

The best way is to have all the remote AutoVPN spokes in a single supernet. Then just create a VPN firewall rule at the top that is a "deny" to and from this supernet.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

For example, if all the sites can be placed in the supernet 192.168.8.0/21, then create a rule to deny all traffic from 192.168.8.0/21 to 192.168.8.0/21.

BrechtSchamp
Kind of a big deal

What @PhilipDAth said. Also don't forget that you have to use the site-to-site firewall for that and not the regular firewall.
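An added worked example (my code, not part of any post in this thread) that models PhilipDAth's supernet deny rule and BrechtSchamp's reminder that it belongs in the site-to-site VPN firewall. It computes the smallest supernet covering a set of constructed spoke subnets, checks the caveat a practitioner would want (the hub's own subnet must not fall inside that supernet, otherwise the rule also cuts spokes off from corporate), builds the rule in the shape the Meraki Dashboard API uses for the site-to-site VPN firewall rule list, and evaluates sample flows against it with first-match semantics and an implicit final allow. The subnets, the hub prefix and the `evaluate` function are assumptions for illustration; nothing here calls the Dashboard API.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the thread): each
# MX-67C spoke gets a /24 inside 192.168.8.0/21; the hub's LAN sits outside it.
HUB_SUBNET = ipaddress.ip_network("10.0.0.0/16")
SPOKE_SUBNETS = [
    ipaddress.ip_network("192.168.8.0/24"),
    ipaddress.ip_network("192.168.9.0/24"),
    ipaddress.ip_network("192.168.15.0/24"),
]


def spoke_supernet(spokes):
    """Smallest single prefix that contains every spoke subnet."""
    net = spokes[0]
    while not all(s.subnet_of(net) for s in spokes):
        net = net.supernet()  # widen by one bit until everything fits
    return net


def hub_outside_supernet(supernet, hub):
    """The deny covers supernet<->supernet, so the hub must not overlap it,
    or the rule would also block spoke-to-hub traffic."""
    return not hub.overlaps(supernet)


def build_vpn_firewall_rules(supernet):
    """Rule list in the shape used by the Dashboard API endpoint
    PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules
    (assumption: field names as documented for that endpoint). This is the
    site-to-site VPN firewall, not the per-network L3 firewall. The deny is
    the first rule so it matches before the implicit allow at the end."""
    return [
        {
            "comment": "Block spoke-to-spoke traffic over AutoVPN",
            "policy": "deny",
            "protocol": "any",
            "srcPort": "Any",
            "srcCidr": str(supernet),
            "destPort": "Any",
            "destCidr": str(supernet),
            "syslogEnabled": True,
        }
    ]


def _cidr(value):
    # "Any" in a Meraki rule means all addresses (assumption: IPv4 only here).
    return ipaddress.ip_network("0.0.0.0/0" if value == "Any" else value)


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of the rule list; unmatched traffic is allowed,
    modelling the implicit final allow of the site-to-site VPN firewall."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in _cidr(rule["srcCidr"]) and dst in _cidr(rule["destCidr"]):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    supernet = spoke_supernet(SPOKE_SUBNETS)
    assert hub_outside_supernet(supernet, HUB_SUBNET), "hub overlaps spoke supernet"
    rules = build_vpn_firewall_rules(supernet)
    print("supernet:", supernet)
    print("spoke->spoke:", evaluate(rules, "192.168.8.10", "192.168.9.10"))
    print("spoke->hub:  ", evaluate(rules, "192.168.8.10", "10.0.5.20"))
    print("hub->spoke:  ", evaluate(rules, "10.0.5.20", "192.168.15.3"))
```

If the hub's LAN cannot be kept out of the supernet, split the deny into per-spoke rules (each spoke prefix to each other spoke prefix) instead of one supernet-to-supernet rule; the overlap check above is what tells you which case you are in.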

MarcP
Kind of a big deal

@BrechtSchamp wrote:

What @PhilipDAth said. Also don't forget that you have to use the site-to-site firewall for that and not the regular firewall.

Very good point 😉
