Moving Layer 3 & 7 firewall rules from the MX to MR

rsage_voda
Getting noticed

I have a customer with a HA pair of MX450 that Meraki have advised are running very close to the limit. Anyone have experience of deploying firewall rules on the MRs? Logically to me it makes sense to drop traffic as close to the source as possible.

Any gotchas I need to be aware of?

KarstenI
Kind of a big deal

IMO, it only makes sense if you have separated VLANs for Wireless. If not, you need the Firewall controls on the MR and MX sides, which can be an administrative burden.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
rsage_voda
Getting noticed

I am not proposing to remove the firewall rules from the MX. It just makes sense to me to drop the traffic close to the source if it's going to be dropped on the MX. The plan is to apply the rules on the Guest SSID only as that is the bulk of the traffic.
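The post above describes copying the MX deny rules onto the Guest SSID so that guest traffic is dropped at the access point instead of reaching the appliance. The script below is an added example, not code from this thread or from Meraki: it converts a list of MX Layer 3 outbound rules into the payload shape accepted by the Meraki Dashboard API for per-SSID Layer 3 rules and builds the PUT request for it. The field names follow the documented shapes of `/networks/{networkId}/appliance/firewall/l3FirewallRules` (MX) and `/networks/{networkId}/wireless/ssids/{number}/firewall/l3FirewallRules` (MR); the sample rules, the guest subnet `10.50.0.0/16`, and the network and SSID identifiers are constructed placeholders. The conversion also covers the general case of a mixed MX rule set: SSID rules match only on destination (the source is always the wireless client), so any MX rule keyed on a source other than the guest subnet, or on a source port, cannot move to the MR and is reported as skipped rather than silently weakened.

```python
"""Translate MX L3 outbound firewall rules into Meraki SSID L3 firewall rules.

Added example (not Meraki's code). Assumptions: the MX rule dicts carry the
fields the appliance endpoint returns (comment, policy, protocol, srcCidr,
srcPort, destCidr, destPort, syslogEnabled); the SSID endpoint accepts
{"rules": [{comment, policy, protocol, destCidr, destPort}], "allowLanAccess"}.
All sample data below is constructed for illustration.
"""
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

MERAKI_API = "https://api.meraki.com/api/v1"

# Constructed sample of MX L3 outbound rules; the last entry mirrors the
# implicit "Default rule" the appliance endpoint reports.
MX_RULES: List[Dict] = [
    {"comment": "Block guest to management", "policy": "deny", "protocol": "any",
     "srcCidr": "10.50.0.0/16", "srcPort": "Any", "destCidr": "10.1.0.0/24",
     "destPort": "Any", "syslogEnabled": False},
    {"comment": "Block SMB outbound", "policy": "deny", "protocol": "tcp",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any",
     "destPort": "445", "syslogEnabled": True},
    {"comment": "Block corp servers to guest", "policy": "deny", "protocol": "any",
     "srcCidr": "10.1.0.0/24", "srcPort": "Any", "destCidr": "10.50.0.0/16",
     "destPort": "Any", "syslogEnabled": False},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any",
     "destPort": "Any", "syslogEnabled": False},
]


def _is_any(value: Optional[str]) -> bool:
    """Meraki uses the literal 'Any' (case-insensitive) for wildcard fields."""
    return value is None or value.strip().lower() == "any"


def mx_rules_to_ssid_rules(mx_rules: List[Dict], guest_cidr: str,
                           allow_lan_access: bool = False) -> Tuple[Dict, List[str]]:
    """Return (ssid_payload, skipped_comments).

    A rule moves to the SSID only if its source is 'Any' or exactly the guest
    subnet (the SSID rule has no source field: the client is the source) and
    it does not match on a source port. The MX 'Default rule' is dropped
    because the SSID endpoint manages its own default entry.
    """
    ssid_rules: List[Dict] = []
    skipped: List[str] = []
    for rule in mx_rules:
        comment = rule.get("comment", "")
        src = rule.get("srcCidr", "Any")
        if comment == "Default rule":
            skipped.append(comment)
            continue
        if not _is_any(src) and src != guest_cidr:
            skipped.append(comment)  # keyed on a non-guest source: must stay on MX
            continue
        if not _is_any(rule.get("srcPort")):
            skipped.append(comment)  # SSID rules cannot match source ports
            continue
        ssid_rules.append({
            "comment": comment,
            "policy": rule["policy"].lower(),
            "protocol": rule["protocol"].lower(),
            "destCidr": rule.get("destCidr", "Any"),
            "destPort": rule.get("destPort", "Any"),
        })
    payload = {"rules": ssid_rules, "allowLanAccess": allow_lan_access}
    return payload, skipped


def build_put_request(api_key: str, network_id: str, ssid_number: int,
                      payload: Dict) -> urllib.request.Request:
    """Build (but do not send) the PUT for the SSID L3 firewall rules."""
    url = f"{MERAKI_API}/networks/{network_id}/wireless/ssids/{ssid_number}/firewall/l3FirewallRules"
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Placeholder identifiers; replace with real values before sending.
    payload, skipped = mx_rules_to_ssid_rules(MX_RULES, guest_cidr="10.50.0.0/16")
    req = build_put_request("API_KEY_PLACEHOLDER", "N_PLACEHOLDER", 1, payload)
    print(req.get_method(), req.full_url)
    print(json.dumps(payload, indent=2))
    print("Rules that must stay on the MX:", skipped)
    # urllib.request.urlopen(req) would apply the rules; review the output first.
```

Review the skipped list before applying anything: every rule it names still depends on the MX, so the appliance rule set has to stay in place for those, which is the administrative overlap the first reply warns about. Two further checks are worth keeping: after the PUT, GET the same endpoint and diff it against the payload, and watch that the Guest SSID's client count actually carries the bulk of the dropped sessions, since the relief on the MX is only as large as the share of traffic the MR now drops.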

PhilipDAth
Kind of a big deal

Which limit are you running into?

Session limit?

CPU limit?

rsage_voda
Getting noticed

According to Meraki we are hitting all of them. We have deployed a second pair of MX450 and attempted to alleviate the load by splitting the site in two and crudely load balancing using VLANs. 

This is an attempt to buy time whilst a permanent solution is sought.

PhilipDAth
Kind of a big deal

Wow, ok. Sounds like you need MX650s...

KarstenI
Kind of a big deal

Sadly, up to now, this device is only a VPN-Concentrator and not a regular firewall. 
