uniope shanna darvyn


Cloris Sopha

Aug 2, 2024, 9:25:33 AM8/2/24
to visomina

So still working on becoming skilled on our MX400. So we filtered Netflix so it would be blocked. Is there a way then to add clients (devices) to a group to then allow Netflix for them, but continue to block everyone else? Looking for any advice.

No need for apologies, @CaseyBrown. I'm working with a combined network for simplicity of policy enforcement and probably don't have a network the size of yours. Since you have your MX and MR in two separate dashboard networks, I think your best bet would be to allow Netflix in your default policy on your MX or within a group policy tied to the VLAN for your MR and MR Clients. Then have two different policies on your MR network. One that blocks Netflix and one that allows.

@CaseyBrown, you have the option to "Clone" existing group policies that you can in turn mold to fit another use. You can also apply group policies to entire VLANs which may benefit depending on your network structure. You could copy your campus wide policy and remove the Netflix restriction and apply that to the clients that need it. Make sure to remember the order in which the policies are applied, as well.

Sorry for the confusion..... So through the Appliance/Content Filtering/URL Blocking we have Netflix.com blocked. I have created a wireless group policy called Netflix that I will add clients to. The new policy copies what we have for campus wide. So with the new Netflix Policy how do you then circumvent the content filtering?

If the MX and MR are in the same (combined) network, then you have the option of altering settings in the Group Policy that affect just wired/wireless filters. You'll see "Wireless Only" and "Security Appliance only" in the group policy settings page. Here, you can "use network default" (follows the network-wide rules), "append" (adds to the existing list of rules), or "override" (creates a completely new list of rules and disregards the network's).

In this instance, you would create a group policy that overrides the network-wide list (make sure to include anything that should still stay), then apply that policy in the Network-wide > Clients list.

It sounds like your "Campus Wide" filtering is the Default Network Policy, rather than a separate Group Policy. In your case, I would create a copy of your Default Network settings in a Group Policy to use as a template going forward. You will have to recreate these settings in a Group Policy manually the first time. You might name it Default Template, Campus Wide Template, or something along those lines. This will give you a group policy that mirrors your default network policy and one you can Clone to create different variations as needed. (I would also include a note to manually update the template policy as changes network wide are made in the future.) Now you can clone the newly created Group Policy and change its settings to allow Netflix. When you apply a group policy to a client, it overrides the Network Default (or your Campus Wide). Apply it to your clients that need Netflix and you should be good to go and decently set up for changes in the future.

So I go into Network/Wireless group policy and copy the policy that we are using currently. I call it Netflix. Nowhere in there can I see to override the blacklist. What am I missing here? Sorry for being a noob.

Thank you Wade for the continual follow up. Your last reply is the lost in translation feeling I am having. So the screen shot you sent is from the Group Policy for our Appliance. So we have three Networks..... Appliance, Wireless, and Switches. Per our Meraki rep's advice. So on the Appliance network that screen shot is available, but those Group Policies are not available to the Wireless Network. This is the "network" I need to create the Group Policy on. When I create a group policy for Netflix on the Wireless Network the only screen I get is this one. So not sure how to create a Group Policy on the Wireless Network, and have different Firewall options for Netflix. Again sorry about my lack of knowledge.

So we are built just like you suggested. The MX (appliance) has the firewall and some group policies. The policies allow for Netflix, but we turned it off at the content filter. The Wireless Network, which 99% of all devices use, has one group policy that they use. So we block Netflix via the content filter. Should we block via the filter or somehow in the actual group policy? Because the problem we are having is I create a new group policy, on the Wireless Network, that is allowing Netflix, but it gets blocked at the content filter.

Thank you all for your help. Per your advice, just gave the original group policy a Layer 7 Deny for Netflix. Then made a new Netflix Policy without the Deny. Added clients and all is working as it should.

A request that comes with the territory of Wi-Fi is the request to provide guest Wi-Fi. For some, this is a very dreaded request and usually met with angst and hand wringing. Guests are notorious for having wonky devices that are out of date, and for being unwilling to admit that they need to pony up and purchase a new device that is up to some type of current standard. A great write up about that came from Lee Badman over at @wirednot and, if you are so inclined, he offers a decent insight into the thinking of the Wi-Fi administrator who is met with this request.

This seems like a pretty simple step, so I boiled my question down to this. Can having Netflix users on your guest Wi-Fi negatively affect the WLAN environment and, in turn, congest the system to the point that mission critical and/or life saving devices can no longer function, leading to loss of life and/or revenue?

Most of this is anecdotal at best, this I will admit. A quick search for Netflix and Wi-Fi will turn up numerous hits about how important these two items are, especially in the world of hospitality. My best suggestion for proving this yourself is to get a couple of Wi-Fi architects, engineers, and administrators in a room and just ask the question of how Netflix impacts the corporate WLAN. You had better pack a lunch because you are going to be a while.

While heavy downloading can and will have a negative impact on a WLAN environment, my belief is that operators of guest Wi-Fi networks greatly exaggerate the amount of this heavy downloading and, in turn, make changes and insert devices or mechanisms to throttle this activity in an attempt to prevent the negative impact from happening.

My hypothesis is that this very act of trying to limit the impact of these devices is instead creating a greater impact on the overall health of the network, sometimes to the detriment of the corporate wired and wireless network.

The stated purpose of these tests is to discover the impact a single user has on both the wired and wireless sides of a WLAN system. As such, I set up a test to measure what would happen as rate limits were applied in different increments. My testing setup is as follows:

All of the graphs you are going to see were pulled from a pfSense firewall that acted as my firewall and handled all Layer 3 functions on my private VLAN. These graphs update about every 1 or 2 seconds, so they could update as fast as I wanted them to. Unfortunately, none of my other tools updated that often, so their resolution was much lower. This does call into question what these graphs are showing, so let me walk you through it before we continue.

The X axis of the graph shows minutes and seconds pulled from the firewall system clock. What you are seeing is not hours and minutes, but minutes and seconds of the day. The time of this test was actually 06:13:39, not 1:39 PM. This also means that each graph only shows 2 minutes of time. If you see a graph that starts, peaks, and then falls off all within the display, that event took 2 minutes or less of actual clock time.

Speaking of the table on the right, this shows the current LAN traffic and the client IP involved. Depending on the direction of the traffic, upload or download, it shows the current speed of that traffic. This table is not historical; it only shows active traffic. If there is no traffic, the table will be blank, and in some of those cases I have removed the table so the graph can display bigger.

As you can see, the Y axis has adjusted to match the rate limit and the time to download the file is now longer. As proof of the Y axis bug I mentioned earlier, the actual rate the client is getting at that second is shown on the right side, not the smaller number on the Y axis. However, we still get to see the spikes in throughput that we like to see in a well performing network. This is critical later, so remember it.

As you can see, the graph gets really flat, and the length of time to download movies gets longer. Due to the linear path of the testing, I felt like this was a waste of my time, and my graph of the data backs me up. At least I think it backs me up:

For the download testing, the premise was end users were going to ask their device to pull a full video file from a remote server to store on their device so they could view that content at a later date. You remember, the underground cave scenario.

As you look through the three graphs, you can see the time move as I watched the movie. The other thing I found interesting, which I will point out on the first graph, is what I call the setup period. This is where the device pulls the first bit of content down to buffer. The setup data and then the first pull of data were interesting, and then it settled down to a routine pattern. Every 20 seconds or so, as the buffer on the device was depleted by playing the video on the screen, the device would go back to the well, so to speak, to top off.
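The Meraki thread earlier in this message turns on how a client's group policy layers on top of the network-wide rules ("use network default", "append", "override") and why an MX content filter in a separate dashboard network kept blocking a wireless client whose group policy allowed Netflix. The following Python model is an added illustration, not Meraki's code or anything from the original posts; the `Rule`/`GroupPolicy` types, the rule names and the client scenarios are constructed for the example. It reproduces both the failing setup (block at the MX URL filter) and the fix the poster settled on (Layer 7 deny in the policy everyone gets, cloned without the deny for the exempt clients).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """A single Layer 7 firewall rule (constructed model, not Meraki's schema)."""
    action: str  # "deny" or "allow"
    app: str     # application the rule matches, e.g. "netflix"


@dataclass
class GroupPolicy:
    """A group policy and how its firewall list relates to the network default."""
    name: str
    mode: str                      # "network_default", "append" or "override"
    rules: List[Rule] = field(default_factory=list)


def effective_rules(policy: Optional[GroupPolicy], network_default: List[Rule]) -> List[Rule]:
    """Resolve the rule list a client is evaluated against, following the three
    choices on the group-policy page: follow the network, add to it, or replace it."""
    if policy is None or policy.mode == "network_default":
        return list(network_default)
    if policy.mode == "append":
        return list(network_default) + list(policy.rules)
    if policy.mode == "override":
        return list(policy.rules)
    raise ValueError(f"unknown group policy mode {policy.mode!r}")


def l7_blocks(app: str, rules: List[Rule]) -> bool:
    """First matching rule wins; no matching rule means the traffic is allowed."""
    for rule in rules:
        if rule.app == app:
            return rule.action == "deny"
    return False


def client_blocked(app: str, policy: Optional[GroupPolicy],
                   network_default: List[Rule], mx_url_blocklist: List[str]) -> bool:
    """The MX content filter lives in a different dashboard network than the MR
    group policy in the thread, so it is applied regardless of the group policy
    result (assumption drawn from the poster's description of their split setup)."""
    if app in mx_url_blocklist:
        return True
    return l7_blocks(app, effective_rules(policy, network_default))


def scenario_content_filter() -> Tuple[bool, bool, bool]:
    """The original problem: Netflix blocked at Appliance > Content Filtering.
    Neither an 'append' nor an 'override' wireless policy can lift that block."""
    network_default: List[Rule] = []
    mx_block = ["netflix"]
    campus = GroupPolicy("Campus Wide", "network_default")
    appended = GroupPolicy("Netflix (append)", "append", rules=[Rule("allow", "netflix")])
    overridden = GroupPolicy("Netflix (override)", "override", rules=[])
    return (
        client_blocked("netflix", campus, network_default, mx_block),
        client_blocked("netflix", appended, network_default, mx_block),
        client_blocked("netflix", overridden, network_default, mx_block),
    )


def scenario_l7_deny() -> Tuple[bool, bool, bool]:
    """The fix from the thread: take the block out of the content filter, put a
    Layer 7 deny in the policy everyone uses, and clone it without the deny
    for the clients that need Netflix."""
    network_default: List[Rule] = []
    mx_block: List[str] = []
    campus = GroupPolicy("Campus Wide", "override", rules=[Rule("deny", "netflix")])
    netflix_ok = GroupPolicy("Netflix", "override", rules=[])   # clone minus the deny
    # 'append' on top of a network default that denies still denies: the deny
    # matches first, which is why appending an allow is not a way around a block.
    network_default_with_deny = [Rule("deny", "netflix")]
    appended = GroupPolicy("Append allow", "append", rules=[Rule("allow", "netflix")])
    return (
        client_blocked("netflix", campus, network_default, mx_block),
        client_blocked("netflix", netflix_ok, network_default, mx_block),
        client_blocked("netflix", appended, network_default_with_deny, mx_block),
    )


if __name__ == "__main__":
    print("content filter scenario (campus, append, override):", scenario_content_filter())
    print("L7 deny scenario (campus, netflix policy, append over deny):", scenario_l7_deny())
```

The point the model makes is the one the thread arrives at: a group policy can only rewrite the rule lists it actually owns, so a block that lives in a layer the policy cannot reach (here the MX URL filter in another network) has to be moved into the policy layer before an exempt policy can omit it. When the MX and MR share a combined network the "Security Appliance only" override in the group policy covers that layer too, which is the other route the replies describe.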
