MX65W layer 7 firewall rules only to apply when on cellular?

Solved
FrancisDorta
Conversationalist

We have a USB dongle cellular connected to the MX65W as a failover, and that works well, but we need to limit its data usage only when on cellular to avoid being charged too much when the line fails and the cellular takes over. Is there a way to do it?

6 Replies
jdsilva
Kind of a big deal

There's two ways.

You can rate limit the cellular in the Security > Traffic shaping page.

And you can write ACLs to restrict traffic on the cellular link under Security appliance > Firewall.

FrancisDorta
Conversationalist

Is there a way to get L7 FW rules to apply only when failing over to cellular? I need to get L7 rules but only when on cellular. Is there a way? The issue is that once it goes on cellular I can block, for example, software updates, social media, etc. that already exist on L7.

jdsilva
Kind of a big deal

Oh, sorry @FrancisDorta, I'm not reading your question properly.

No, you are limited to L3/4 rules only for cellular failover. There's no option to do L7 rules.

FrancisDorta
Conversationalist

One last question: do those rules on cellular failover apply to VPN traffic?

jdsilva
Kind of a big deal

Hah! That's the big question isn't it!

 

Unfortunately, in my testing the answer is No. The cellular failover rules seem to apply to the egress direction of the WAN interface, meaning by the time all traffic hits the rules it's already IPsec encrypted and you can no longer distinguish what it is. You can filter Internet bound traffic, but not traffic inside an IPsec tunnel.

 

😞

FrancisDorta
Conversationalist

Good stuff