Firewall and traffic shaping rules available on the AP - if SSID is tunneled

SOLVED
Aneeshram

Can the "Firewall and traffic shaping rules" be applied to tunneled traffic, as in if an SSID is tunneled to the concentrator?

(talking about the Firewall capabilities on the AP)

Trying to work out if the traffic has to be inline (bridged) for any filtering to work at an AP level?


Brash
Kind of a big deal

If I understand correctly, you're asking whether the AP firewall rules are applicable to site-to-site VPN traffic?


The firewall rules present under the wireless configuration are specific to a given SSID.

These rules are applied when traffic hits the AP prior to being sent over a site-to-site VPN.

MR Firewall Rules - Cisco Meraki

So all network traffic on that SSID will have the rules applied to them, regardless of whether it will end up traversing the site-to-site VPN or going directly to the Internet.


The AP doesn't need to be in bridged mode for the rules to be applied. For example, the NAT mode configuration suggests adding additional L3 firewall rules.

NAT Mode with Meraki DHCP - Cisco Meraki


As a point of difference, firewall rules configured under "Security and SD-WAN" are enforced on the MX device and are where you need to look at traffic destined for the Internet vs. site-to-site VPN.

Hi Brash

The design I am working on will have an MX operating in "One Arm Concentrator Mode" in the Data Centre. The tunnels I was referring to are between the APs and the MX in VPN concentrator mode.

So yes, as you stated in your response, I am trying to understand if the AP firewall rules are applicable to an SSID that will have its traffic tunneled to the VPN concentrator.

Guess I am trying to get my head around how the VPN traffic will be subject to the stateful firewall when the MR Access Points have no visibility inside this tunnel.

But as per your response:

"These rules are applied when traffic hits the AP prior to being sent over a site-to-site VPN."

Then I suppose that's how the rules are applicable.

Thanks for your response.

Brash
Kind of a big deal

I think there's a little bit of confusion regarding the site-to-site VPN.


The VPN tunnel itself begins and terminates at the MX device, not the APs.

Network traffic originating from the APs will need to be routed (via Meraki or non-Meraki devices) to the MX, at which point it will be encapsulated and passed to the MX at the other site. This is the same for both VPN concentrator and routed modes.


Therefore, the AP doesn't discriminate between network traffic that will end up on a VPN tunnel and traffic that won't. It simply enforces the per-SSID firewall rules configured.


Also, a quick note in regards to:
"Guess I am trying to get my head around how the VPN traffic will be subject to the stateful firewall when the MR Access Points have no visibility inside this tunnel."
 - Firewall rules on the AP are stateless

Hi Brash

I'm not talking about a Site-to-Site VPN.

The scenario I am referring to will have the tunnels between the AP and the Data Centre MX (one arm concentrator mode)

(SSID tunneling) 

The SSID will be configured with "Layer 3 roaming with a concentrator" 

Will the L3/7 rules still function?

Brash
Kind of a big deal

Right!

Sorry, I guess I'm the one who was confused!

I haven't used SSID tunneling myself so I'm not sure whether the MR's L3 firewall rules are applied. 

My hunch is that they are still applicable but I'll let someone more knowledgeable comment with the correct answer 🙂

Bruce
Kind of a big deal

@Aneeshram, yes the firewall and traffic shaping rules apply to the traffic on the SSID no matter which client IP assignment mode (e.g. NAT mode, bridge mode, or Layer 3 roaming with a concentrator) is chosen for the SSID. The traffic shaping rules are applied to the traffic as it ingresses/egresses the access point.

Bear in mind, you should only really use Layer-3 roaming when you're deploying a large network, with contiguous wifi coverage, where the clients would normally need to be dropped into different VLANs in different places, to aid with scaling. In my experience there are very few sites that necessitate this. Most wifi networks work just fine (actually better, as it's simpler) using Layer-2 roaming; you ensure that the client is always dropped into the same VLAN when moving between APs.
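Added example, not code from this thread and not Cisco Meraki's own: the point of the accepted answer is that the per-SSID L3 firewall rules are matched on the client's traffic at the AP and do not care whether the SSID is in NAT mode, bridge mode, or Layer 3 roaming with a concentrator. The script below builds a rule set in the body shape the Dashboard API takes at `PUT /networks/{networkId}/wireless/ssids/{number}/firewall/l3FirewallRules` and evaluates it offline against constructed client flows, one per client IP assignment mode, so the mode-independence is visible. Assumptions not confirmed by the thread: top-down, first-match evaluation with a trailing default "allow any" rule; the rule set, flows, network ID, SSID number, and API key are all made up; the `allowLanAccess` field and the header name are from the public API documentation and should be checked against your API version.

```python
"""
Added example (not from the thread, not Meraki code).
Builds a per-SSID L3 firewall rule body for the Meraki Dashboard API and
evaluates it offline against constructed wireless-client flows.
Assumed semantics: rules are matched top-down, first match wins, and the
implicit final rule is "allow any".  The client IP assignment mode is
carried on each flow only to show that it is never consulted.
"""
import ipaddress
import json

# Constructed rule set in the shape the Dashboard API accepts (assumption:
# field names as documented for the v1 API; verify for your API version).
L3_RULES_BODY = {
    "rules": [
        {"comment": "Block clients from the DC management VLAN",
         "policy": "deny", "protocol": "any",
         "destCidr": "10.10.0.0/24", "destPort": "any"},
        {"comment": "Allow DNS to the DC resolver",
         "policy": "allow", "protocol": "udp",
         "destCidr": "10.20.0.53/32", "destPort": "53"},
        {"comment": "Block SMB to anything",
         "policy": "deny", "protocol": "tcp",
         "destCidr": "any", "destPort": "445"},
    ],
    "allowLanAccess": True,  # assumption: API field, see lead-in
}

# Constructed flows: same destinations under each client IP assignment mode.
SAMPLE_FLOWS = [
    {"mode": "nat", "protocol": "tcp", "dst": "10.10.0.5", "dport": 22},
    {"mode": "bridge", "protocol": "tcp", "dst": "10.10.0.5", "dport": 22},
    {"mode": "l3_roaming_concentrator", "protocol": "tcp",
     "dst": "10.10.0.5", "dport": 22},
    {"mode": "l3_roaming_concentrator", "protocol": "udp",
     "dst": "10.20.0.53", "dport": 53},
    {"mode": "bridge", "protocol": "tcp", "dst": "192.168.1.10", "dport": 445},
    {"mode": "nat", "protocol": "tcp", "dst": "203.0.113.7", "dport": 443},
]


def _port_matches(rule_port, port):
    """destPort is 'any', a number, a range 'a-b', or a comma list of those."""
    if rule_port == "any":
        return True
    for part in rule_port.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _cidr_matches(rule_cidr, dst):
    """destCidr is 'any' or a comma list of CIDRs."""
    if rule_cidr.lower() == "any":
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in rule_cidr.split(","))


def evaluate(body, flow):
    """Return (policy, comment) of the first matching rule, else default allow.
    Note that flow['mode'] is deliberately never read: the AP applies the
    SSID rules regardless of NAT / bridge / concentrator tunneling."""
    for rule in body["rules"]:
        if rule["protocol"] != "any" and rule["protocol"] != flow["protocol"]:
            continue
        if not _cidr_matches(rule["destCidr"], flow["dst"]):
            continue
        if not _port_matches(rule["destPort"], flow["dport"]):
            continue
        return rule["policy"], rule["comment"]
    return "allow", "Default rule (allow any)"


def evaluate_all(flows=SAMPLE_FLOWS, body=L3_RULES_BODY):
    """Evaluate every constructed flow; returns [(mode, policy, comment), ...]."""
    return [(f["mode"],) + evaluate(body, f) for f in flows]


def build_put_request(network_id, ssid_number, api_key, body=L3_RULES_BODY):
    """Assemble (url, headers, json_body) for the Dashboard API call.
    Nothing is sent here; hand the tuple to requests.put(...) yourself."""
    url = (f"https://api.meraki.com/api/v1/networks/{network_id}"
           f"/wireless/ssids/{ssid_number}/firewall/l3FirewallRules")
    headers = {"X-Cisco-Meraki-API-Key": api_key,  # placeholder key at call site
               "Content-Type": "application/json"}
    return url, headers, json.dumps(body)


if __name__ == "__main__":
    for mode, policy, why in evaluate_all():
        print(f"{mode:26s} {policy:5s} {why}")
    url, _, _ = build_put_request("N_123456", 0, "REPLACE_ME")
    print(url)
```

The first three flows target the same host on the same port and get the same verdict whether the client sits behind NAT, on a bridged VLAN, or inside the concentrator tunnel; only the destination, protocol and port were consulted. If you do push the body with `requests.put(url, headers=headers, data=json_body)`, diff the returned rule list against `L3_RULES_BODY["rules"]` to confirm ordering survived.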

Hi GreenMan

I'll keep that in mind.

Thanks for the advice.
