cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

High Usage - UDP + P2P - Blocked at layer 7 but staffic still coming through

WhitwickWindmil
Conversationalist
‎01-27-2023 04:03 AM
‎01-27-2023 04:03 AM

High Usage - UDP + P2P - Blocked at layer 7 but staffic still coming through

Hi guys, hope you can help. 

 

I still have annumber of clients that have high usage on our network for UDP apps and high usage in P2P (random ports) 

 

I have created layer 7 rules and tried to block all P2P applications, but traffic still seems to be getting through. 

 

Can anyone advise me on what im doing wrong here? I mus be doing something stupid. Any help is appreciated guys 🙂

 

Cisco.png 

0 Kudos
Subscribe
7 REPLIES 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎01-27-2023 04:18 AM
‎01-27-2023 04:18 AM

File sharing programs, such as BitTorrent, are now able to be configured to encrypt traffic as secure HTTPS, potentially bypassing P2P traffic shaping rules that have been configured. Cisco Meraki MX Security Appliances and Wireless APs are capable of detecting some of the encrypted P2P traffic on the network. When encrypted P2P traffic is detected, it will be matched to any configured P2P traffic shaping rules, and honor the limitations that have been configured.  However, if the traffic is encrypted, it may not be possible to accurately classify all of the offending traffic.

Subscribe
WhitwickWindmil
Conversationalist
‎01-27-2023 04:24 AM
‎01-27-2023 04:24 AM

Hi alemabrahao, thanks for responding. I can also see a lot of usage on application UDP, i have no idea what this is. Is there anyway of finding out exactly what this application is via the meraki dashboard? Cisco2.jpg

0 Kudos
Subscribe
In response to WhitwickWindmil
alemabrahao
Kind of a big deal
Kind of a big deal
‎01-27-2023 04:28 AM
‎01-27-2023 04:28 AM

There are a lot of applications that use UDP ports, you can try to perform a packet capture, but it seems to me a relatively small volume of traffic. You can also send the logs to a syslog server, but I think that packet capture is enough.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Mapping_Layer_7_Firew...

Subscribe
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎01-27-2023 04:47 AM
‎01-27-2023 04:47 AM

you can also check the Network-wide > Monitor > Traffic analytics

Subscribe
In response to alemabrahao
ww
Kind of a big deal
Kind of a big deal
‎01-27-2023 05:12 AM
‎01-27-2023 05:12 AM

@WhitwickWindmil  you could try turning on traffic analytics  to get used port details/ip' like @alemabrahao suggests

 

https://documentation.meraki.com/MS/Monitoring_and_Reporting/Switch_Traffic_Analytics

Subscribe
WhitwickWindmil
Conversationalist
‎01-27-2023 04:58 AM
‎01-27-2023 04:58 AM

Thanks so much. I've started a packet capture, so hopefully that'll highlight the usage. This AP is running of a 4G sim card, so i need to keep the usage to a minimum as its very expensive once you go over your limit. Cisco3.jpg

0 Kudos
Subscribe
WhitwickWindmil
Conversationalist
‎02-06-2023 02:32 AM
‎02-06-2023 02:32 AM

Thanks guys, i tried all the things you suggested, reall really helpful. It turns out they were just accessing microsoft services, our warehouse system relies on this and is quite heavy in terms of traffic passing though it, nothing 

suspicious to report here 😁

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2023 Meraki