I'll give you a couple of options.  I'm assuming you are using the Microsoft client VPN.   Configure a split tunnel connection on the clients.  For each client, only include their subnet.  You can do this using this tool to deploy the client VPN connection on the machines using powershell. https://ifm.net.nz/cookbooks/meraki-client-vpn.html    Another option is to use group policy (one for each client).  Create a firewall rule only allowing them access to their respective VLAN.  Wait for them to VPN in one, and then apply the group policy to their connection.  It will stick after that.     Another option is using RADIUS (such as Windows NPS).  You can return the Filter-Id attribute to automatically select the correct group policy. https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RADIUS_Filter-ID  ... View more