MX advanced features - Do they only work if the traffic passes through the WAN interface???

Solved
DevOps_RC
Getting noticed


So this might sound a little odd, but I'm trying to understand whether the advanced features included in the advanced license will work if traffic is not going down the WAN link of an MX appliance... We will be tunnelling wireless clients back to an MX450 onto a specific VLAN; however, the default route for the clients will actually be another non-Meraki appliance on that VLAN, so clients accessing resources on the internet will not be leaving through the WAN interface; instead they will leave on a VLAN attached to the MX... So will clients get any benefit from the advanced license? Will content filtering kick in, or does the traffic have to pass through the WAN interface for it to apply filtering?

No point asking why we are passing traffic this way, we just are and it's not going to change for the time being, but I need to know whether purchasing an advanced license will have any benefit when no traffic will technically be traversing the WAN interface. All feedback is appreciated, unless it's "Why are you doing it that way?"

1 Accepted Solution: PhilipDAth (the reply appears in the thread below)

alemabrahao
Kind of a big deal

In this case, it makes no sense to use an advanced license.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
DevOps_RC
Getting noticed

Thanks for your reply, but I was hoping that I could use the features as it would add to the protections applied to the network and attached devices, security in depth and all.

Madhan_kumar_G
Getting noticed

Hi,

The Advanced Security License gives the below benefits.

  • URL Content Filtering
  • Google SafeSearch enforcement
  • YouTube EDU enforcement
  • Intrusion Prevention
  • Advanced Malware Protection (AMP) with Threat Grid support
  • Layer 7 Geo-IP Firewall Rules

As you see, if you are not using at least URL filtering, then there is no need to go to an advanced license now.

DevOps_RC
Getting noticed

I would like to use all of these features, but I don't know which of these only work if traffic leaves on the WAN or cross-VLAN. Can you advise please?

PhilipDAth
Kind of a big deal

Content filtering only applies to traffic going through the WAN interface.

However, IPS also applies to inter-VLAN traffic. I'm not sure if this use case goes through IPS or not.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrus... 

DevOps_RC
Getting noticed

Thank you for your reply. When you state content filtering, do you just mean URL filtering including safe search enforcement and AMP?

I assume that since the traffic won't technically cross VLANs as such (i.e. the client will leave on the VLAN that they logically exist on but not through the MX, but the traffic will since the tunnel from the AP comes in on a different VLAN), then IPS won't even be applied?

I would like to use as many of the advanced features to add to the security of the network and the devices attached to it, but don't want to go spend a significant amount of money without knowing what will and won't work in my scenario.

PhilipDAth
Kind of a big deal

> When you state Content filtering do you just mean URL filtering

Yes.

> including safe search enforcement and AMP?

I don't know about these two.
