Meraki

Community

What's the best way to block traffic between site-to-site tunnels

bill_berry32
Conversationalist
‎Aug 21 2019 11:36 AM
‎Aug 21 2019 11:36 AM

What's the best way to block traffic between site-to-site tunnels

We have an MX-250 at corporate configured as a hub.  Remote locations connect with MX-67c's.  What's the best way to restrict traffic from each remote location to only the corporate office?  Basically, deny traffic from one vpn to another?

0 Kudos
4 Replies 4
Nash
Kind of a big deal
‎Aug 21 2019 11:52 AM
‎Aug 21 2019 11:52 AM

So you're using AutoVPN, and you want to grant remote sites access to home base, but you don't want Remote-A to talk to Remote-B? Just to confirm?

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 21 2019 2:06 PM
‎Aug 21 2019 2:06 PM

The best way is to have all the remote AutoVPN spokes in a single supernet.  Then just create a VPN firewall rule at the top that is a "deny" to and from this supernet.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

 

For example, if all the sites can be placed in the supernet 192.168.8.0/21, then create a rule to deny all traffic from 192.168.8.0/21 to 192.168.8.0/21.

In response to PhilipDAth
BrechtSchamp
Kind of a big deal
‎Aug 21 2019 2:22 PM
‎Aug 21 2019 2:22 PM

What @PhilipDAth said. Also don't forget that you have to use the site to site firewall for that and not the regular firewall.

In response to BrechtSchamp
MarcP
Kind of a big deal
‎Aug 21 2019 11:55 PM
‎Aug 21 2019 11:55 PM

@BrechtSchamp wrote:

What @PhilipDAth said. Also don't forget that you have to use the site to site firewall for that and not the regular firewall.

Very good point 😉 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.