
Content Filtering and Threat Protection over Full-tunnel Site-to-site VPN


In full-tunnel site-to-site VPN scenarios, all Internet traffic from the remote sites passes through the full-tunnel concentrator before being sent out to the Internet. This article describes how content filtering and threat protection are applied to Internet traffic in full-tunnel VPN scenarios.

The image below shows an MX60 and Z1 configured for full-tunnel Site-to-site VPN, terminating at the MX100:

 

The full-tunnel concentrator does not apply content filtering rules to VPN clients from remote subnets. Instead, content filtering in full-tunnel scenarios is done locally at the source MX, before the traffic is encrypted and encapsulated for the VPN.

In the above example, the MX60 and Z1 are full-tunneling to the MX100. The MX60 applies any configured content filtering rules before sending the traffic across the VPN tunnel to the MX100. However, the MX100 does not apply its local content filtering rules to inbound VPN traffic from the MX60. Since the Z1 does not support content filtering, traffic from the Z1's local subnet will not be filtered.

Note: Security reporting (IDS) will occur at the hub site, so traffic sent from the Z1 or MX60 will be scanned on the MX100. Other security features will only be applied by the spoke appliances.
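
An added example, not part of the original article or of any Meraki tooling: a small Python audit that applies the rules above to a hand-built inventory and lists which spokes send Internet traffic through the hub without content filtering or IDS coverage. The Appliance fields, the extra "MX60-new-site" spoke and the rule counts are constructed for illustration, and nothing here calls a Meraki API.

```python
from dataclasses import dataclass

@dataclass
class Appliance:
    # Hypothetical inventory record; fill these in from your own config review.
    name: str
    supports_content_filtering: bool  # per the article, the Z1 does not
    content_filter_rules: int         # rules configured locally on this appliance
    ids_enabled: bool = False         # only meaningful for the hub in this audit

def audit_full_tunnel(hub, spokes):
    """Map each spoke to the coverage gaps for its full-tunneled Internet traffic."""
    report = {}
    for spoke in spokes:
        gaps = []
        # Content filtering is applied at the source spoke before encapsulation;
        # the hub's own rules are never applied to inbound VPN traffic.
        if not spoke.supports_content_filtering:
            gaps.append("content-filtering: unsupported on spoke")
        elif spoke.content_filter_rules == 0:
            gaps.append("content-filtering: no local rules")
        # IDS scanning of spoke traffic happens at the hub.
        if not hub.ids_enabled:
            gaps.append("ids: disabled on hub")
        report[spoke.name] = gaps
    return report

def hub_rules_give_false_assurance(hub, report):
    """True when the hub has filtering rules while some spoke has a filtering gap."""
    spoke_gap = any(g.startswith("content-filtering")
                    for gaps in report.values() for g in gaps)
    return hub.content_filter_rules > 0 and spoke_gap

# Constructed sample inventory mirroring the article's topology.
HUB = Appliance("MX100-hub", True, content_filter_rules=12, ids_enabled=True)
SPOKES = [
    Appliance("MX60-branch", True, content_filter_rules=8),
    Appliance("MX60-new-site", True, content_filter_rules=0),
    Appliance("Z1-teleworker", False, content_filter_rules=0),
]

if __name__ == "__main__":
    report = audit_full_tunnel(HUB, SPOKES)
    for name, gaps in report.items():
        print(f"{name}: {', '.join(gaps) if gaps else 'covered'}")
    if hub_rules_give_false_assurance(HUB, report):
        print("note: hub content filtering rules do not cover spoke traffic")
```

A spoke flagged as "unsupported" needs a different control for its users, since adding rules on the hub will not change the result.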

Last modified
11:16, 1 Jun 2016


Article ID

ID: 1458
