By default the branches (spokes) will learn the routes for all the other branches (though it doesn't actually use OSPF to achieve that - they would still be able to reach them, even with OSPF disabled). It is possible to have Support configure a back-end setting to prevent spokes from learning about subnets at other spokes, if you so wish - in some large solutions, this saves resources on the 'smaller' MX models. Bear in mind - even with that configured, if you advertised a supernet which included all your branch subnets, from the vMX Hub, each spoke would still be able to reach other spokes.

You can indeed filter the traffic flowing over the AutoVPN tunnels though, even if the routes are available, using VPN firewall rules, configured under Security appliance > Configure > Site-to-site VPN

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Remember too, when using OSPF - it's a one-way street; the Spokes do not automatically learn what subnets you're using for your services, within the cloud DC. You have to configure those as Local networks at the Hub.
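An added example, not part of the original post and not Meraki code: a small offline audit of the supernet caveat above, flagging spoke subnets that fall inside a prefix advertised from the hub and so stay reachable from other spokes even when spoke-to-spoke route learning is disabled. The site names, subnets and the function `covered_spoke_subnets` are constructed for illustration; the script does not query the Dashboard.

```python
import ipaddress

# Constructed sample data: prefixes configured as Local networks at the hub,
# and the subnets in use at each spoke.
HUB_LOCAL_NETWORKS = ["10.50.0.0/16", "10.0.0.0/8"]  # cloud DC range + a supernet
SPOKE_SUBNETS = {
    "branch-a": ["10.1.10.0/24"],
    "branch-b": ["10.2.20.0/24", "192.168.128.0/24"],
}


def covered_spoke_subnets(hub_local_networks, spoke_subnets):
    """Return {site: [(spoke_subnet, covering_hub_prefix), ...]}.

    A spoke subnet that sits inside a hub-advertised prefix is reachable from
    every other spoke via the hub, so it needs a VPN firewall rule if
    spoke-to-spoke traffic is meant to be blocked.
    """
    hub = [ipaddress.ip_network(n) for n in hub_local_networks]
    findings = {}
    for site, subnets in spoke_subnets.items():
        for raw in subnets:
            net = ipaddress.ip_network(raw)
            # Compare only same-family prefixes; subnet_of() raises on a mix.
            covering = [h for h in hub
                        if h.version == net.version and net.subnet_of(h)]
            if covering:
                # Report the most specific covering prefix.
                best = max(covering, key=lambda h: h.prefixlen)
                findings.setdefault(site, []).append((str(net), str(best)))
    return findings


if __name__ == "__main__":
    for site, hits in covered_spoke_subnets(HUB_LOCAL_NETWORKS,
                                            SPOKE_SUBNETS).items():
        for subnet, prefix in hits:
            print(f"{site}: {subnet} is inside hub prefix {prefix}")
```
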