Customers who run multiple Cisco Meraki MX Security Appliances in their networks already enjoy effortless site-to-site VPN between them. But often, remote sites using non-Meraki VPN peers need to be assimilated into these VPN networks. We were thrilled to announce a new feature that gives IT administrators more flexibility in configuring Phase 1 and Phase 2 parameters of these third-party connections. Now, we’ve extended that flexibility to allow Meraki customers control over which Meraki MX or Z1 networks connect to specific third-party peers.

For example, suppose a large, distributed medical organization manages hundreds of hospitals that are securely connected via meshed Meraki site-to-site VPN, all sharing resources. Let’s say that this medical organization must securely connect with an external firm—which does not use Meraki MX Security Appliances—to back up electronic medical records from specific hospitals. With MX VPN tagging, only the specific hospital networks needing backups would be made available to the external firm.

How it works

If customers have tagged their Meraki networks, they can make third-party VPN peer connections available based on these tags. Before (and by default), these third-party peer connections were available organization-wide. To restrict VPN availability, simply select the Meraki network tags that should have access to remote, third-party VPN sites; any Meraki network not suitably tagged will not have VPN access to these sites.

Configuring non-Meraki peer VPN settings and allowing this connection based on tag.

To tag a Meraki network, simply navigate to Organization > Overview in the Meraki dashboard and select one or more networks to tag. Then click the “Tag” button at the top left corner of the network listing table, and add, remove, or create a new tag.

This feature greatly enhances flexibility and control in managing non-Meraki VPN peers in a hybrid VPN network. We’d be excited to hear what you think, so please don’t hesitate to drop us a line or make a wish!