Home > Security and SD-WAN > Content Filtering and Threat Protection > Content Filtering and Threat Protection over Full-tunnel Site-to-site VPN

Content Filtering and Threat Protection over Full-tunnel Site-to-site VPN

Table of contents
No headers

In full-tunnel site-to-site VPN scenarios, all Internet traffic from the remote sites passes through the full-tunnel concentrator before being sent out to the Internet. This article describes how content filtering and threat protection are applied to Internet traffic in full-tunnel VPN scenarios.

The image below shows a remote MX and Z-series device configured for full-tunnel Site-to-site VPN, terminating at a VPN concentrator:

Full Tunnel VPN.png


The full-tunnel concentrator does not apply content filtering rules to VPN clients from remote subnets. Instead, Content filtering in full-tunnel scenarios is done locally at the source MX before the traffic is encrypted and encapsulated for the VPN.

In the above example, the remote MX and Z-series are full-tunneling to the VPN concentrator. The remote MX applies any configured Content filtering rules before sending the traffic across the VPN tunnel to the VPN concentrator. However, the VPN concentrator does not apply its local Content filtering rules to inbound VPN traffic from the remote MX. Since the Z1 and Z3 do not support content filtering, traffic from both the Z1 or Z3 local subnet will not be filtered.


Similarly, security inspection such as Content Filtering and Threat Protection is done locally on the MX. The hub/concentrator MX will not inspect traffic from the remote VPN subnets.

Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 1458

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community