Changelog: New ISE Guide, Content Categories, and Network Usage Alerts

2017 Updated Integrating Meraki Networks with ISE Guide

Hot off the press! New updates to the Integrating Meraki Networks with Cisco Identity Services Engine guide.


MR ISE support has been strong for a while now and most of the enhancements over the past year have been on the MS side. I’m seeing more and more enterprise networks adopting wired auth policies, so this should be great news for many Identity Services Engine and Meraki switching customers.

Template Overrides for Port Forwarding Rules

At a basic level, port forwarding takes internet traffic destined to the public IP address of a firewall interface and forwards it to specific internal IPs (usually servers hosting web services or the like). This allows multiple servers behind an MX appliance to be securely accessible from the same public IP address by listening on different UDP or TCP ports.

Port forwarding has been supported in MX template networks and a recently added enhancement allows for local port forwarding overrides if different rules are required at some MX sites.

If port forwarding rules are configured on a template network, all bound networks will automatically inherit and open the same rules. Note that this is only possible for MX template subnets using “same” IP addressing.


The enhancement enables an administrator to override rules configured on the template network, if any. Keep in mind that a local override effectively replaces all port forwarding rules the child network would inherit from the template. It does not simply append the locally created rules.

Content Filtering Category Lookups

MX just added a small but useful tool on the Content Filtering configuration page. The new URL Category Lookup tool enables an administrator to perform a quick content filtering category lookup for a particular domain before configuring new rules.

This can be especially helpful when trying to determine why a web request might be blocked by the MX’s content filtering engine.

Meraki MX uses Webroot Brightcloud’s authoritative index for URL categorization. The new addition provides a better experience by making the lookups available natively in the configuration workflow, using the Brightcloud API on the backend.


New Network Usage Alerts

A new and very interesting alert was silently pushed to the network-wide Alerts page.


If the specified usage threshold is exceeded in the specified timespan, an email alert will be sent to the recipient(s).

Two use cases immediately come to mind. First, this could be exceedingly useful for cellular-connected MX networks to keep tabs on excess 3G/4G data consumption. Second, if you lower the timespan threshold, this could be an interesting sensor for traffic anomalies, which could be caused by malware infections or botnet behavior.
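To illustrate the second use case, here is an added example (not Meraki code and not from the original post) that applies a "usage exceeds threshold within timespan" check to constructed 5-minute usage buckets. The function names, bucket size, thresholds and sample data are all assumptions chosen for the illustration; it shows why a short timespan surfaces a burst that a daily threshold never sees.

```python
from collections import deque
from datetime import datetime, timedelta


def build_samples():
    """Constructed data: 24 h of 5-minute usage buckets for one network.

    Baseline is 2 MB per bucket, with a 30-minute burst of 150 MB per bucket
    starting at 12:30. This is not an export from any real dashboard.
    """
    start = datetime(2017, 6, 1, 0, 0)
    samples = []
    for i in range(288):
        usage = 150_000_000 if 150 <= i < 156 else 2_000_000
        samples.append((start + timedelta(minutes=5 * i), usage))
    return samples


def usage_alerts(samples, threshold_bytes, timespan):
    """Return timestamps where trailing-window usage first crosses the threshold.

    One alert is emitted per excursion: the alert re-arms only after the
    trailing total has dropped back to or below the threshold.
    """
    window = deque()
    total = 0
    alerting = False
    alerts = []
    for ts, usage in samples:
        window.append((ts, usage))
        total += usage
        # Drop buckets that have aged out of the trailing timespan.
        while window[0][0] <= ts - timespan:
            total -= window.popleft()[1]
        if total > threshold_bytes:
            if not alerting:
                alerts.append(ts)
            alerting = True
        else:
            alerting = False
    return alerts


if __name__ == "__main__":
    data = build_samples()
    # Daily total is about 1.46 GB, so a 2 GB/day threshold stays silent.
    print("2 GB / 1 day   :", usage_alerts(data, 2_000_000_000, timedelta(days=1)))
    # The same burst trips a 200 MB / 20 min threshold within ten minutes.
    print("200 MB / 20 min:", usage_alerts(data, 200_000_000, timedelta(minutes=20)))
```

The short window fires once at 12:35, while the daily threshold produces no alert for the same traffic.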