Traffic shaping on Meraki Client VPN

SOLVED
JoshC1
Conversationalist

Hey guys, I have been looking over some documentation and don't seem to find how to do traffic shaping on our client VPN. What I am trying to reduce is users watching Netflix over VPN, which it seems like some of them are. Is this possible with the MX100? Or is there another method to do this?

12 REPLIES
BlakeRichardson
Kind of a big deal

@JoshC1 This is mentioned in the Meraki documentation for security appliances.

"Traffic shaping rules will apply to traffic sent over an AutoVPN tunnel between Meraki devices. Please note that traffic shaping rules do not apply to traffic that passes over a non-Meraki VPN tunnel."

Full link here:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping

Based on that wording I am not sure if that only refers to site to site or includes client VPN.

ConnorL
Meraki Employee

Hey Josh,

I'd focus on trying to configure split tunnel on Client VPN rather than traffic shaping their traffic for stuff like Netflix. We've got a doc about this: https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN

This would allow employees to access internal resources, and all other traffic wouldn't be routed over the VPN tunnel. It'll save you a lot of bandwidth as all non-internal stuff won't be routed over the Client VPN tunnel and instead use the client's standard internet connection. This means they could still watch Netflix for example, but it won't impact the Hub MX's bandwidth at all.

Kind regards,

--

Connor Loughlin
Network Support Engineer

.:|:.:|:. Cisco Meraki EMEAR 🇬🇧

For reference, many questions can be easily answered by searching our online documentation: http://documentation.meraki.com

Also from the same doc:

"Cisco Meraki Client VPN only establishes full-tunnel connections, which will direct all client traffic through the VPN to the configured MX. As such, any content filtering, firewall or traffic shaping rules will apply to the VPN client's outbound traffic."

JoshC1
Conversationalist

I think this is the way to go! Thanks!
CharlesIsWorkin
Building a reputation

Hey ConnorL,

I like the idea of the split tunnel deal, but what about employees using their personal comps to connect? We don't have access to those...

So I kind of go back to the OP's question on this....

PhilipDAth
Kind of a big deal

Why not use a split VPN so only traffic for your company goes over the VPN?

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

That's an awesome tool! One I've now bookmarked - thanks for sharing!
PhilipDAth
Kind of a big deal

>That's an awesome tool! One I've now bookmarked - thanks for sharing!

Now if I could just get Meraki to feature it on their blog I could save a lot of companies grief while we wait for AnyConnect.

I'll see what I can do, can't promise anything though! 🙂
PhilipDAth
Kind of a big deal

>I'll see what I can do, can't promise anything though!

I can see you don't work in sales.

JoshC1
Conversationalist

Yeah split tunnel is the way to go and great tool btw! 

PhilipDAth
Kind of a big deal

Or you could exclude all 155 of their ranges from the VPN (split VPN better ...):

https://ipinfo.io/AS2906
