So this might sound a little odd, but I'm trying to understand whether the advanced features included in the advanced license will work if traffic is not going down the WAN link of an MX appliance...We will be tunnelling wireless clients back to a MX450 onto a specific vlan, however, the default route for the clients will actually be another non-meraki appliance on that vlan, so clients accessing resources on the internet will not be leaving through the WAN interface, instead they will leave on a vlan attached to the MX...so will clients get any benefit from the advanced license? Will content filtering kick in, or does the traffic have to pass through the WAN interface for it to apply filtering?
No point asking why we are passing traffic this way, we just are and it's not going to change for the time being, but I need to know whether purchasing an advanced license will have any benefit when no traffic will technically be traversing the WAN interface. All feedback is appreciated, unless it's Why are you doing it that way....
Solved! Go to solution.
Content filtering only applies to traffic going through the WAN interface.
However IPS also applies to inter-vlan traffic. I'm not sure if this use case goes through IPS or not.
In this case, it makes no sense to use an advanced license.
Thanks for your reply, but I was hoping that I could use the features as it would add to the protections applied to the network and attached devices, security in depth and all.
Hi,
Advance Security License gives below benefits.
As you see, if you are not using URL filtering also at the least, then there is no need to go to an advanced license now.
I would like to use all of these features, but I don't know which of these only work if traffic leaves on the WAN or cross-vlan. Can you advise please.
Content filtering only applies to traffic going through the WAN interface.
However IPS also applies to inter-vlan traffic. I'm not sure if this use case goes through IPS or not.
Thank you for your reply. When you state Content filtering do you just mean URL filtering including safe search enforcement and AMP?
I assume that since the traffic won't technically cross vlans as such (i.e. the client will leave on the vlan that they logicially exist on but not through the MX, but the traffic will since the tunnel from the AP comes in on a different vlan), then IPS won't even be applied?
I would like to use as many of the advanced features to add to the security of the network and the devices attached to it, but don't want to go spend a significant amount of money without knowing what will and won't work in my scenario.
> When you state Content filtering do you just mean URL filtering
Yes.
>including safe search enforcement and AMP?
I don't know about these two.