> Is there no way to configure MX as spoke that they'll have VPN session only to ASAs in primary/secondary DC?

No. You can configure firewall rules to block spoke-to-spoke traffic. https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

You're experiencing this dilemma because your network design is not appropriate for the solution being deployed.