Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to block a port from WAN 2 on Failover

Mikeathorseshoe
Just browsing
‎Feb 14 2020 8:28 AM
‎Feb 14 2020 8:28 AM

How to block a port from WAN 2 on Failover

Hey

 

I have a MX68 (no built in cellular)  new install with two Netgear switches each on a different lan.  Voice on one switch and data on the other.  I have fibre link coming into WAN 1 and is primary.  WAN 2 is a cellular router and is set to failover from WAN1.  

 

Data LAN (switch V1 ) carries the data for all users and connects to port 3 on the MX

 

Voice LAN (switch v2) carries the VOIP for all phones and connects to port 4 on the MX.

 

What I would like to do is if there is a failover to only allow data from V2 out WAN 2 until WAN 1 comes back on.  

 

Is this accomplished by putting a firewall a rule in the firewall that block all traffic from port 3 going to port 2?

 

Will this have any adverse affects ?

 

would it look like this: 

 

Policy           Protocol                    Source                     Src port              Destination                         Dst port Comment

DENY              ANY.                       192.168.11.0/24       3                       0.0.0.0/24                             2 

 

 

Do I need to add anything to the route table?

 

THanks 

0 Kudos
Subscribe
8 Replies 8
Mikeathorseshoe
Just browsing
‎Feb 14 2020 8:31 AM
‎Feb 14 2020 8:31 AM

Sorry about the poor typing. Wrote this without my glasses...
0 Kudos
Subscribe
Johnfnadez
Building a reputation
‎Feb 14 2020 9:08 AM
‎Feb 14 2020 9:08 AM

Hi,

The best option for U is using the SD-WAN on your MX. 

You can set different firewall rules defining by subnet or service.

 

Security & SDWAN --> SD-WAN & Trafic Shaping

Johnfnadez_0-1581700065749.png

 

Regards

 

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
Subscribe
In response to Johnfnadez
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 14 2020 6:03 PM
‎Feb 14 2020 6:03 PM

If you open a support ticket you can ask them to make WAN2 act like the cellular circuit.

 

Then you can use the cellular firewall rules.

https://documentation.meraki.com/MX/Cellular/3G%2F%2F4G_Cellular_Failover_with_USB_Modems#Cellular_F... 

 

Note after doing this the cellular modem can strictly only be used for failover.

Subscribe
In response to PhilipDAth
CCIE-Adam
Getting noticed
‎Mar 26 2020 5:45 PM
‎Mar 26 2020 5:45 PM

@PhilipDAth   This is what we do. Works well. You can also apply it at the template level and it will propagate to all networks on that template.

Subscribe
In response to CCIE-Adam
Reppel
Conversationalist
‎Oct 29 2021 2:37 AM
‎Oct 29 2021 2:37 AM

Hi,
 
I was really happy to find this feature here in the community and immediately opened a support case to activate it.
Unfortunately I was told that this feature is for internal testing only because after a firmware upgrade it would be gone.
 
What are your experiences? I urgently need the possibility configure such FW rules.
0 Kudos
Subscribe
In response to Reppel
CCIE-Adam
Getting noticed
‎Oct 29 2021 4:41 AM
‎Oct 29 2021 4:41 AM

I have done several firmware upgrades and the feature is still there.  

Subscribe
In response to PhilipDAth
Crocker
Building a reputation
‎Nov 24 2021 2:40 PM
‎Nov 24 2021 2:40 PM

One thing to note here. If this traffic is flowing over a Site-to-Site/Meraki AutoVPN, the cellular FW rules will not have any effect.

0 Kudos
Subscribe
In response to Crocker
CCIE-Adam
Getting noticed
‎Nov 27 2021 11:56 AM
‎Nov 27 2021 11:56 AM

That's not how it works for us.  The rules are applied to all traffic coming through the firewall.   Even traffic between VLANs where the default gateway resides on the MX is subject to the firewall rules configured.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.