deny one vlan in a site to reach other sites via VPN site to site

Abechara

Is there any way to deny one VLAN inside a site from reaching the network in other sites via site-to-site VPN? The Auto VPN is always on.

Accepted solution
jimmyt234

Yes - use the site-to-site outbound firewall to create a deny policy matching the subnets.

Site-to-site VPN Firewall Rule Behavior - Cisco Meraki Documentation


Abechara

In the site-to-site outbound firewall, if I choose the subnet and deny all, can it still connect inside the network and to the internet, and only stop connecting to other sites?

jimmyt234

That's right, it only affects VPN traffic. You'd have to create Layer 3 outbound rules (on the Firewall page) if you wanted to restrict traffic to another on-site VLAN or the internet.

Abechara

Thank you. What I want is to deny access to other sites, so I choose my subnet and deny all.

jimmyt234

If the VLAN requires absolutely no site-to-site traffic at all, then the easier solution would be to just stop advertising it to other sites by setting VPN Mode to Disabled...

Abechara

I would like to reach this VLAN from an outside site, but I don't want this VLAN to reach other sites.

Brash

As @jimmyt234 said, if you don't want the VLAN to communicate with any sites across the AutoVPN, it's easiest to disable it for that VLAN under SD-WAN -> Site-to-site VPN settings.

Otherwise, if it's just specific sites, the site-to-site outbound firewall rules need to be used.

Abechara

I would like to reach this VLAN from an outside site, but I don't want this VLAN to reach other sites, so I think: deny source = this VLAN, destination = all.
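What that final design (deny source = this VLAN, destination = any, placed above any broad allow in the org-wide site-to-site outbound firewall) looks like when built and dry-run against the Dashboard API, as an added example that is not part of the thread and not Cisco Meraki's own code. It also covers Brash's "just specific sites" variant by narrowing destCidr to a list of remote subnets. The VLAN subnet 10.20.30.0/24, the remote subnets 10.40.0.0/16 and 10.50.0.0/16, the ORG_ID/API_KEY placeholders and the sample existing rule are all assumptions made for illustration; the endpoint used is PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules.

```python
"""Added example (not from the thread or from Cisco Meraki): build, dry-run
and push the org-wide site-to-site VPN outbound firewall rule the thread
describes, plus the per-site variant.

Assumed for illustration only: VLAN subnet 10.20.30.0/24, remote-site
subnets 10.40.0.0/16 and 10.50.0.0/16, ORG_ID / API_KEY placeholders.
"""
import ipaddress
import json
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"

# Constructed sample of an existing rule set: one broad allow, as dry-run input.
SAMPLE_EXISTING_RULES = [{
    "comment": "allow all", "policy": "allow", "protocol": "any",
    "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "Any",
    "syslogEnabled": False,
}]


def deny_vlan_rule(vlan_cidr, dest_cidrs=("Any",), comment=""):
    """Rule in the API's vpnFirewallRules shape: deny traffic this VLAN
    originates toward dest_cidrs (default: every VPN destination). Pass a
    list of remote-site subnets for the 'just specific sites' case."""
    ipaddress.ip_network(vlan_cidr)  # ValueError on a malformed/non-network CIDR
    for c in dest_cidrs:
        if c != "Any":
            ipaddress.ip_network(c)
    return {
        "comment": comment or f"Block {vlan_cidr} from reaching other sites",
        "policy": "deny",
        "protocol": "any",
        "srcPort": "Any",
        "srcCidr": vlan_cidr,
        "destPort": "Any",
        "destCidr": ",".join(dest_cidrs),  # API accepts comma-separated CIDRs
        "syslogEnabled": True,             # log hits so blocked attempts show up
    }


def prepend_rule(rule, existing):
    """Rules are evaluated top-down, first match wins, so the deny must sit
    above any broad allow. Returns a new list and drops an identical rule."""
    return [rule] + [r for r in existing if r != rule]


def _cidr_matches(cidr, ip):
    if cidr == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip()) for c in cidr.split(","))


def evaluate(rules, src_ip, dst_ip):
    """Dry-run of the first-match lookup the MX performs on traffic it sends
    over AutoVPN; the implicit final rule is allow. Stateless: it does not
    model how reply packets of remote-initiated sessions are handled."""
    for r in rules:
        if _cidr_matches(r["srcCidr"], src_ip) and _cidr_matches(r["destCidr"], dst_ip):
            return r["policy"]
    return "allow"


def push_rules(org_id, api_key, rules):
    """PUT replaces the whole org-wide list, so GET, merge, then PUT.
    Not exercised offline; needs a real org ID and API key."""
    body = json.dumps({"rules": rules, "syslogDefaultRule": False}).encode()
    req = urllib.request.Request(
        f"{API_BASE}/organizations/{org_id}/appliance/vpn/vpnFirewallRules",
        data=body, method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = prepend_rule(deny_vlan_rule("10.20.30.0/24"), SAMPLE_EXISTING_RULES)
    # VLAN host -> remote site: denied. Remote host -> VLAN: source is not the
    # VLAN, so the deny never matches and the traffic is allowed.
    print(evaluate(rules, "10.20.30.5", "10.40.0.10"))
    print(evaluate(rules, "10.40.0.10", "10.20.30.5"))
    # push_rules("ORG_ID", "API_KEY", rules)  # uncomment with real credentials
```

Because the rule set is organization-wide and the source CIDR is the VLAN's own subnet, the deny only ever matches on the MX that hosts that VLAN, which is what makes a single rule enough. The dry-run evaluator is deliberately stateless: it shows that remote-initiated traffic toward the VLAN is not matched by the deny, but whether the MX then lets the replies of that session back out is a statefulness question to confirm against the linked Meraki firewall-behaviour document before relying on it.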