Z3 Remote s2s lockdown to spoke VPN

Here to help

Z3 Remote s2s lockdown to spoke VPN

Hello hope  all is well. we are now at a point to deploy the Z3 to remote workers for vpn phone (Avaya's).we want  to restrict everything as much as possible.


So here's what I'm goanna do make sure if anyone plugs into the  z3 besides our equipment to help it

  • Remote end user to plug in from whatever soho device  they use at home to the wan/internet port of the Z3 gets uplink
  • Z3 then has its own network segregated form the home they're  in.( I tested this at my house so I know this works)
  • Build the z3 local vlan as xxx.xxx.xxx.xxx / 30 to try keep down from anyone plugging extra in and not work by limiting IP's.
  • Have remote user plug into port 5 as POE Power phone
  • reserve the avaya phone ip it gets via dashboard
  • setup tunnel in z3 network to spoke/hub where call server is

All the above works and call talk call server etc. Now here's where I'm stuck

I want to limit if possible the one ip the Avaya phone has at the remote site on the tunnel to the vpn site where call server resides.in s2s scenario with asa's. I had no issue just assigning one host.  I don't want anything else  from the remote user  to ever  pass  traffic just incase by some miracle they plugged a  pc in same network on z3. 

Is there a way to do that with out breaking all other  other S2S corporate vpns we have setup? Should this be on the s2s firewall rules? I'm worried this will affect other S2S rules as i read it applies tot all mx s2s.

any input would highly be appreciated. thanks for all the help.




Kind of a big deal
Kind of a big deal

ok do i do this on the z3 grouup  policiy side or  the corporate side.

Kind of a big deal
Kind of a big deal

You could create a group policy on the z3 vlan with a deny any any.


Then you can add the mac of the avaya phone to a whitelist/allow list.




Or assign a second group policy to that client without or with restricted firewall rules. https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_Gr...





Other option is using port authentication



Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.