Prioritizing user traffic on Meraki ?

SOLVED
KarimB

Dear all,

I have a setup where 2 types of clients are connected to my MX:

- Business critical devices - endpoint of an encrypted VPN (directly connected to MX)
- Non business critical devices & normal users - unencrypted (connected via MS & MR devices)

Business critical devices are physically separated from the rest of the devices.

How can I provide strict priority for internet access to the business critical devices & prevent non business critical devices from impacting the business critical devices' internet access?

I so far only found the option to create a group policy with non business critical clients and limit per client bandwidth. May help, but does not ensure some BW is prioritized to business critical devices.

Thanks in advance! Karim.

1 ACCEPTED SOLUTION
PhilipDAth

Have a look at using QoS, and assign your business critical traffic a higher priority. Look under "Security & SD-WAN/SD-WAN & Traffic Shaping/Traffic Shaping Rules".

Also make sure you have correctly configured your WAN uplink speeds. It is on the same page under "Uplink Configuration" at the top.


Hi Philip,

Thanks for your response.

The challenge here is that the mission critical servers are terminating VPNs from the internet. So from the standpoint of the MX to which they are connected, those clients just have 99% UDP traffic (encrypted traffic) - and the MX has no visibility into the traffic actually inside.

What I'd ideally be looking for is a QoS setting like

- Give VLAN 2 or address range 192.168.2.x/24 or set of clients a,b,c "guaranteed 10mbps"
- or "Give other VLANs, address ranges or set of clients a maximum aggregated 40 mbps during work hours"

Looked around and the only option I see is to tag VLAN 2 (mission critical servers) with DSCP tags and high priority.

Is there any way to provide clients of a VLAN guaranteed BW?

Thanks!

CptnCrnch

Would Group Policies applied to the specific VLANs be useful in your environment?

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

PhilipDAth

You can't control traffic coming into your site - only traffic leaving (not an MX issue - a general one - you can't control what everyone else on the Internet sends towards you).

I can tell you an approach I have used before - two Internet circuits. Devote one circuit to the critical traffic, and use the other for everything else.

Thanks All. I have for now moved the mission critical servers into separate VLANs, and used SD-WAN traffic shaping to assign a high priority ratio; and limited during working hours the BW for normal users with group policies. I'll give it a go, and consider a 2nd uplink if the current setup isn't good enough in the future.

Thanks, Karim.
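The thread turns on the difference between a "high priority ratio" and a guaranteed bandwidth. The sketch below is an added example, not part of the original thread or Meraki's code: it models the configured uplink as weighted max-min sharing between priority classes, which also shows why the uplink speed setting matters. The 4:2:1 weights, the function name and the scenario figures are assumptions to check against Meraki's documentation.

```python
# Added illustration: weighted max-min sharing of one uplink between
# priority classes. WEIGHTS (4:2:1) is an assumption, not taken from the thread.
WEIGHTS = {"high": 4, "normal": 2, "low": 1}

def share_uplink(uplink_mbps, demand_mbps, weights=WEIGHTS):
    """Return {class: Mbps} granted on an uplink of uplink_mbps.

    A class never gets more than it asks for; bandwidth it leaves unused
    is handed to the still-congested classes in proportion to their weight.
    """
    alloc = {c: 0.0 for c in demand_mbps}
    active = {c for c, d in demand_mbps.items() if d > 0}
    remaining = float(uplink_mbps)
    while active and remaining > 1e-9:
        total_w = sum(weights[c] for c in active)
        # Classes whose outstanding demand fits inside their weighted share
        satisfied = {c for c in active
                     if demand_mbps[c] - alloc[c]
                     <= remaining * weights[c] / total_w + 1e-9}
        if not satisfied:
            # Every class is congested: split what is left strictly by weight
            for c in active:
                alloc[c] += remaining * weights[c] / total_w
            break
        for c in satisfied:
            remaining -= demand_mbps[c] - alloc[c]
            alloc[c] = float(demand_mbps[c])
        active -= satisfied
    return {c: round(v, 2) for c, v in alloc.items()}

if __name__ == "__main__":
    # Constructed scenarios for a 50 Mbps uplink (figures are illustrative)
    scenarios = {
        "VPN servers need 10, users want 100": {"high": 10, "normal": 100},
        "VPN servers need 60, users want 100": {"high": 60, "normal": 100},
    }
    for name, demand in scenarios.items():
        print(name, "->", share_uplink(50, demand))
```

In the first scenario the high class gets its full 10 Mbps; in the second it is held to its weighted share while normal traffic still takes a third of the link, which is the gap between a ratio and a strict guarantee.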
