High Usage - UDP + P2P - Blocked at layer 7 but traffic still coming through

WhitwickWindmil
Conversationalist


Hi guys, hope you can help. 

 

I still have a number of clients that have high usage on our network for UDP apps and high usage in P2P (random ports).

 

I have created layer 7 rules and tried to block all P2P applications, but traffic still seems to be getting through. 

 

Can anyone advise me on what I'm doing wrong here? I must be doing something stupid. Any help is appreciated guys 🙂

 

alemabrahao
Kind of a big deal

File sharing programs, such as BitTorrent, are now able to be configured to encrypt traffic as secure HTTPS, potentially bypassing P2P traffic shaping rules that have been configured. Cisco Meraki MX Security Appliances and Wireless APs are capable of detecting some of the encrypted P2P traffic on the network. When encrypted P2P traffic is detected, it will be matched to any configured P2P traffic shaping rules, and honor the limitations that have been configured.  However, if the traffic is encrypted, it may not be possible to accurately classify all of the offending traffic.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
WhitwickWindmil
Conversationalist

Hi alemabrahao, thanks for responding. I can also see a lot of usage on application UDP, I have no idea what this is. Is there any way of finding out exactly what this application is via the Meraki dashboard?

alemabrahao
Kind of a big deal

There are a lot of applications that use UDP ports. You can try to perform a packet capture, but it seems to me to be a relatively small volume of traffic. You can also send the logs to a syslog server, but I think that a packet capture is enough.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Mapping_Layer_7_Firew...

alemabrahao
Kind of a big deal

You can also check Network-wide > Monitor > Traffic analytics.

ww
Kind of a big deal

@WhitwickWindmil you could try turning on traffic analytics to get used port details/IPs, like @alemabrahao suggests.

 

https://documentation.meraki.com/MS/Monitoring_and_Reporting/Switch_Traffic_Analytics

WhitwickWindmil
Conversationalist

Thanks so much. I've started a packet capture, so hopefully that'll highlight the usage. This AP is running off a 4G SIM card, so I need to keep the usage to a minimum as it's very expensive once you go over your limit.
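As an added illustration of the packet-capture suggestion in this thread (not code from any poster or from Meraki): a standard-library Python script that ranks the UDP conversations in a saved capture by bytes, so the heaviest remote IP and port stand out. It assumes a classic little-endian .pcap file with Ethernet framing and IPv4; the function names and the sample packets (documentation-range addresses) are constructed for the example.

```python
import struct
from collections import Counter

def udp_conversations(pcap: bytes, top: int = 5):
    """Top UDP/IPv4 conversations by on-wire bytes, both directions merged."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("expected Ethernet link type (1)")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (VLAN tags are not handled here)
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 4:
            continue                      # not UDP, or ports cut off by the snaplen
        if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
            continue                      # later IP fragment: carries no UDP header
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        # Sort the endpoints so A->B and B->A count as one conversation.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        totals[key] += orig               # orig = frame size before snaplen truncation
    return totals.most_common(top)

def make_frame(src, dst, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/UDP frame with a zero-filled payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + udp

def build_sample_pcap():
    """Constructed capture: one client, two remote UDP peers (documentation IPs)."""
    packets = [("192.0.2.10", "198.51.100.7", 50000, 443, 1200),
               ("198.51.100.7", "192.0.2.10", 443, 50000, 1200),
               ("192.0.2.10", "203.0.113.5", 50001, 3478, 100)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        f = make_frame(*p)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (a, b), nbytes in udp_conversations(build_sample_pcap()):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {nbytes} bytes")
```

To run it on a real capture, pass the file contents instead of the sample, for example `udp_conversations(open("capture.pcap", "rb").read())`, where `capture.pcap` is a placeholder file name.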

WhitwickWindmil
Conversationalist

Thanks guys, I tried all the things you suggested, really, really helpful. It turns out they were just accessing Microsoft services, our warehouse system relies on this and is quite heavy in terms of traffic passing through it, nothing suspicious to report here 😁
