Restricted VPN traffic when MX use it Cellular Interface

Solved
WaterBack
Conversationalist


Hi all,

Is there a way to deny identified traffic going through the VPN tunnel when the MX uses its cellular interface (USB), even though this traffic is normally allowed in the VPN tunnel when the MX uses its primary WAN1 circuit? This is to manage the data package on the LTE service so that only business-critical services are allowed.


7 Replies
NolanHerring
Kind of a big deal

You would have to use the firewall rules, specifically the cellular ones, to allow only what you want and then deny any any at the end.
Nolan Herring | nolanwifi.com


@NolanHerring wrote:
You would have to use the firewall rules, specifically the cellular ones, to allow only what you want and then deny any any at the end.

I think I tested this and the cellular FW rules were enforced AFTER traffic was IPsec encrypted, meaning you can't block specific flows inside the tunnel, only the tunnel itself. 


I haven't checked this in a while, and my memory might be off... Can anyone confirm or deny?

You are right if the traffic is not part of a VPN tunnel.

But based on the documentation:

When traffic passing through the MX matches a site-to-site VPN route, VPN firewall rules are applied in descending order. VPN traffic is only subject to the site-to-site firewall rules and is never subject to Layer 3 firewall rules.

Then, I do not think this is the way to go, but I may be in error since I have never done that on an MX before.
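To make the difference between the two rule sets concrete, here is a small model (added here as an example, not code from the thread or from Meraki) of what each rule set can actually see: cellular Layer 3 rules run after IPsec encryption and only see the outer tunnel packet, while site-to-site VPN rules see the inner flow but apply org-wide with no uplink condition. The tunnel UDP port, the "business critical" policy and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder: the page does not state the UDP port the encapsulated
# tunnel uses on the wire, so any single value serves the model.
TUNNEL_UDP_PORT = 0

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "any", "tcp" or "udp"
    dst_port: Optional[int]   # None matches any destination port

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int

def first_match(rules: List[Rule], flow: Flow) -> str:
    """Evaluate rules top-down; the first match wins. A flow matching nothing
    falls through to 'allow' (the default-allow behaviour assumed here)."""
    for r in rules:
        if r.proto in ("any", flow.proto) and r.dst_port in (None, flow.dst_port):
            return r.action
    return "allow"

def cellular_verdict(cellular_rules: List[Rule], inner: Flow) -> str:
    """Cellular L3 rules are applied after encryption: every inner flow collapses
    to the same outer UDP packet, so the verdict is per tunnel, not per flow."""
    outer = Flow("udp", TUNNEL_UDP_PORT)   # the inner flow is not consulted
    return first_match(cellular_rules, outer)

def vpn_verdict(vpn_rules: List[Rule], inner: Flow) -> str:
    """Site-to-site VPN rules see the cleartext inner flow, but carry no uplink
    condition: the same verdict applies whether the MX is on WAN1 or cellular."""
    return first_match(vpn_rules, inner)

# Constructed sample policy: only HTTPS counts as business critical.
BUSINESS_CRITICAL = [Rule("allow", "tcp", 443), Rule("deny", "any", None)]
# Constructed policy that keeps the whole tunnel up on cellular.
TUNNEL_ONLY = [Rule("allow", "udp", TUNNEL_UDP_PORT), Rule("deny", "any", None)]
RDP = Flow("tcp", 3389)
HTTPS = Flow("tcp", 443)
```

Applied to the cellular rule set, the business-critical policy denies the tunnel as a whole (HTTPS included), which is the limitation the thread describes; applied as VPN rules it filters RDP from HTTPS correctly but on every uplink.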

jdsilva (Accepted Solution)
Kind of a big deal

@WaterBack Right! That was what I recall finding too. I was never able to find a way to enforce ACLs inside a VPN tunnel while the MX is using its cellular interface only.

Well disregard then 😃

Where can you edit the VPN firewall rules? The only thing I see are the ORG WIDE settings
Nolan Herring | nolanwifi.com

The Org wide setting in the site-to-site config page is the only place I know of. 

PhilipDAth
Kind of a big deal

No.
