MX65W layer 7 firewall rules only to apply when on cellular ?

SOLVED
Conversationalist

We have a USB dongle cellular connected to the MX65W as a failover, and that works well, but we need to limit its data usage only when on cellular to avoid being charged too much when the line fails and the cellular takes over. Is there a way to do it?

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: MX65W layer 7 firewall rules only to apply when on cellular ?

Oh, sorry @FrancisDorta, I'm not reading your question properly. 

 

No, you are limited to L3/4 rules only for cellular failover. There's no option to do L7 rules.

6 REPLIES 6
Kind of a big deal

Re: MX65W layer 7 firewall rules only to apply when on cellular ?

There are two ways.

 

You can rate limit the cellular in the Security > Traffic shaping page.

 


And you can write ACLs to restrict traffic on the cellular link under Security appliance > Firewall.

 


Conversationalist

Re: MX65W layer 7 firewall rules only to apply when on cellular ?

Is there a way to get L7 FW rules to apply only when failing over to cellular? I need to get L7 rules, but only when on cellular. Is there a way? The issue is that once it goes on cellular I can block, for example, software updates, social media, etc. that already exist on L7.

Kind of a big deal

Re: MX65W layer 7 firewall rules only to apply when on cellular ?

Oh, sorry @FrancisDorta, I'm not reading your question properly. 

 

No, you are limited to L3/4 rules only for cellular failover. There's no option to do L7 rules.

Conversationalist

Re: MX65W layer 7 firewall rules only to apply when on cellular ?

One last question: do those rules on cellular failover apply to VPN traffic?

Kind of a big deal

Re: MX65W layer 7 firewall rules only to apply when on cellular ?

Hah! That's the big question, isn't it!

 

Unfortunately, in my testing the answer is No. The cellular failover rules seem to apply to the egress direction of the WAN interface, meaning by the time all traffic hits the rules it's already IPsec encrypted and you can no longer distinguish what it is. You can filter Internet-bound traffic, but not traffic inside an IPsec tunnel.

 

😞
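
The effect described in the reply above, as an added example (not from the thread and not Meraki code): a simplified first-match L3/L4 filter evaluated on the WAN egress side, with tunneled traffic modelled as ESP to the VPN peer. The rule format, default-allow behaviour, addresses and the ESP encapsulation model are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "esp"
    dst: str
    dport: int = 0    # 0 = no port (ESP has none)

@dataclass(frozen=True)
class Rule:
    policy: str       # "allow" or "deny"
    proto: str        # protocol name or "any"
    dst_cidr: str
    dport: int = 0    # 0 = any port

def evaluate(rules, pkt):
    """First matching rule wins; default allow (assumed) if none match."""
    for r in rules:
        if (r.proto in ("any", pkt.proto)
                and ip_address(pkt.dst) in ip_network(r.dst_cidr)
                and r.dport in (0, pkt.dport)):
            return r.policy
    return "allow"

def encapsulate(inner, peer):
    """What the egress filter sees once `inner` is inside the tunnel:
    an ESP packet to the VPN peer. Inner proto/dst/port are encrypted."""
    return Packet(proto="esp", dst=peer)

# Constructed sample data (documentation address ranges, not real hosts).
VPN_PEER = "203.0.113.10"
UPDATES = Packet("tcp", "198.51.100.25", 443)   # bulk download to block
RULES = [Rule("deny", "tcp", "198.51.100.0/24", 443)]

def demo():
    direct = evaluate(RULES, UPDATES)
    tunneled = evaluate(RULES, encapsulate(UPDATES, VPN_PEER))
    # Only the outer header is matchable, so a deny on the peer drops
    # every flow in the tunnel, not just the update traffic.
    outer_rules = [Rule("deny", "esp", VPN_PEER + "/32")] + RULES
    voip = Packet("udp", "10.20.0.5", 5060)
    whole_tunnel = evaluate(outer_rules, encapsulate(voip, VPN_PEER))
    return direct, tunneled, whole_tunnel

if __name__ == "__main__":
    print(demo())
```

In this model the same deny rule stops the update download when it leaves directly but not when it rides the tunnel, and the only rule that still matches tunneled traffic is one on the outer header, which drops the whole tunnel.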

Conversationalist

Re: MX65W layer 7 firewall rules only to apply when on cellular ?

Good stuff