Assign layer 7 rules to WAN2

SOLVED
Cain

Hi All,

 

Just throwing this out to the community.

 

I have a client that has a large network with branches having MX67W and an attached MG21. The second WAN port (MG21) is primarily used for failover but some sites do use it for load balancing.

 

Question:

 

Is there a way I can apply layer 7 firewall rules to the WAN2 port, thereby limiting the type of traffic across the 4G modem? For example, I want to block all gaming sites when using the MG21 link.

 

Thanks,

PhilipDAth

I can't quite remember, but I think if you open up a support ticket they can configure WAN2 to act like cellular backup and then it uses the cellular firewall rules.

Hey mate,

 

Yes, I did read that on a previous post, but regardless, from what I can see the cellular rules are only layer 3. I really need to apply different layer 7 rules.

KarstenI

I also have no easy solution and having separate rules per WAN-interface would be really great for this use-case.

But how are your Python skills? Based on the availability of the primary link, you could change the L7 firewall rules with the Dashboard-API.

Indeed this is my current workaround. I have a webhook that fires off a Python script that modifies the layer 7 rules when the WAN link changes.

 

It's a bit of a hack but it works.

 

There is a beta feature for cellular firewall rules but it seems limited to layer 3 rules. I may be able to manually group some layer 7 rules into an "Object" and use the new beta object rules filtering.
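
The workaround described in this thread (a webhook receiver that rewrites the L7 rules through the Dashboard API when the uplink changes), as an added example; it is not the poster's script or Meraki's code. The alert field names, the uplink numbering and the category id placeholder are assumptions to check against your own webhook payloads and the network's applicationCategories list.

```python
import hmac
import json
import urllib.request

API = "https://api.meraki.com/api/v1"
CELLULAR_UPLINK = "1"  # assumption: alertData.uplink value that means WAN2/MG21
# Placeholder id: read the real one from the network's
# .../l7FirewallRules/applicationCategories endpoint before use.
GAMING = {"policy": "deny", "type": "applicationCategory",
          "value": {"id": "meraki:layer7/category/<ID>", "name": "Gaming"}}


def secret_ok(payload, expected):
    """Constant-time check of the shared secret carried in the alert body."""
    got = str(payload.get("sharedSecret", ""))
    return hmac.compare_digest(got.encode(), expected.encode())


def desired_rules(current, on_cellular):
    """Existing rules, with the gaming block present only while on WAN2."""
    base = [r for r in current if r != GAMING]
    return base + [GAMING] if on_cellular else base


def plan_update(payload, expected_secret, allowed_networks, current):
    """Validate an alert; return (network_id, rules), or None to ignore it."""
    if not secret_ok(payload, expected_secret):
        return None  # unauthenticated caller must never change firewall policy
    net = payload.get("networkId")
    if net not in allowed_networks:
        return None  # only touch networks this receiver is responsible for
    if payload.get("alertTypeId") != "failover_event":  # assumed alert type id
        return None
    uplink = str((payload.get("alertData") or {}).get("uplink"))
    rules = desired_rules(current, uplink == CELLULAR_UPLINK)
    return None if rules == current else (net, rules)


def push_rules(api_key, net, rules):
    """PUT the complete list; the call replaces whatever rules exist."""
    req = urllib.request.Request(
        f"{API}/networks/{net}/appliance/firewall/l7FirewallRules",
        data=json.dumps({"rules": rules}).encode(), method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Because the PUT replaces the whole list, fetch the network's current rules first and pass them in as `current`, so rules that are unrelated to the failover policy survive each switch.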

KarstenI
@Cain wrote:

Indeed this is my current workaround. I have a webhook that fires off a Python script that modifies the layer 7 rules when the WAN link changes.


Do you have a blog? Would be worth publishing your solution.

I don't but I probably should...

 

I work for a large telco here in AUS so I need to be careful with regards to IP etc.
