MX categorizing switch DNS traffic as BitTorrent

newengineerhere
Here to help

MX categorizing switch DNS traffic as BitTorrent

Over the last few months, we've had instances where the MX would categorize our switch's statically set DNS IP addresses (they're set to use Cisco Umbrella) as BitTorrent traffic, and would block it due to our layer7 firewall rules which block BitTorrent.

 

To be more specific, our Meraki switches are statically set to Cisco Umbrella IP addresses, so once they get categorized and blocked, our entire office goes down. I confirmed this through the event log. MX appliance is using 16.16 firmware.

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal

Request for reclassification:

 

https://www.brightcloud.com/tools/change-request.php

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ww
Kind of a big deal
Kind of a big deal

Thats for content filtering. L7 firewall uses nbar.

 

alemabrahao
Kind of a big deal
Kind of a big deal

Yes I know, but It's just a test, because It does not make any sense. I use Umbrella too, and It has been working well. He can try to put the switches on the allow list.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
newengineerhere
Here to help

What's even weirder is I have other networks with MX 16.16 using Cisco Umbrella as DNS and they weren't affected

ww
Kind of a big deal
Kind of a big deal

There are some nbar fixes  in 16.16.4. Are you running 16.16 or 16.16.6?

 

The network should keep working even if the management tunnel is down

newengineerhere
Here to help

Running 16.16. Entire network went down. My assumption was that data plane would still function, but that was not the case. Switches all had "Bad DNS" errors.

ww
Kind of a big deal
Kind of a big deal

I would try 16.16.6 or contact support to check if the nbar update in 16.16.4+ has a fix for this

alemabrahao
Kind of a big deal
Kind of a big deal

https://community.meraki.com/t5/Security-SD-WAN/NBAR-blocking-traffic-to-Umbrella-DNS/m-p/159047#M39...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
BlakeRichardson
Kind of a big deal
Kind of a big deal

Owch thats not a good problem to have, odd its taking everything offline though you should only lose management access with your dashboard reporting an issue with the device. 

 

The other option would be do you need to use Umbrella with your switches or could you use something else like Google. I know that doesn't resolve why thats happening but at least its a work around. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels