Skip to main content

 

Cisco Meraki Documentation

SD-WAN and Traffic Shaping

The MX appliance and Z-series gateway include an integrated Layer 7 packet inspection engine, enabling you to set QoS policies, load balancing, and prioritization based on traffic types and applications.

Uplink configuration

This section allows you to configure bandwidth settings, uplink statistics, and list update interval.

Uplink bandwidth settings

This option allows you to configure the upload and download bandwidth of the uplinks. This information is needed for traffic load balancing between the active WAN / Internet ports as well as for limiting upload and download traffic through the WAN ports. You can configure WAN 1, WAN 2, and the cellular uplink individually. To configure specific upload and download bandwidths for a particular uplink, click the details button next to that uplink's bandwidth slider. The maximum value for each WAN interface is based on the rating of the specific model MX, when this value is chosen there is no enforcement on a bandwidth limit for the WAN interface.

 

Uplink Statistics

Clicking the Add Your Destination option allows you to add a custom destination for the MX to continually test ICMP connectivity for monitoring latency and packet loss. These destinations cannot be private addresses across VPN tunnels and must be reachable through the WAN interface of the MX. Also, they must respond to ICMP traffic. It is good practice to include the MX's default gateway for monitoring the directly connected link. The results for these tests will be visible at Security & SD-WAN > Monitor > Appliance status > Uplink > Historical data. Hostnames/FQDNs are not supported for uplink statistics monitoring.

MXs and Zs with integrated cellular will not send ICMP Uplink Statistic tests through their cellular interface. This is designed to help reduce the amount of traffic that is sent out of these uplinks. If there is a requirement to send ICMP tests for Uplink Statistics please reach out to Meraki Support to have this functionality enabled. Please note only tests to Google DNS (8.8.8.8) will be sent and not to any other Uplink Statistic destinations.

List update interval

This setting determines how often the MX should check for updates to security lists. You can specify an Hourly, Daily, or Weekly update interval. To specify different intervals depending on which uplink is being used to download lists, click "details". This can be useful if you want to control bandwidth usage due to security list downloads on a low-bandwidth WAN link or cellular uplink.

Features affected by this setting include IDS/IPS, Top Sites Content Filtering, and Malware Scanning.

Uplink selection

This option determines which uplink should be the primary connection. VPN traffic and management traffic to the Meraki Dashboard use the primary uplink. If load balancing is disabled, all traffic will use the primary uplink unless an uplink preference is configured specifying otherwise.

Load balancing

When enabled, Load balancing spreads Internet traffic across both uplinks proportional to the Internet1 and Internet2 bandwidths specified above.

Example: If WAN 1's bandwidth is 9 Mbps and WAN 2's bandwidth is 1 Mbps, the load-balancing algorithm sends 90% of the traffic through the WAN 1 uplink and 10% of the traffic through the WAN 2 uplink.

Active-Active AutoVPN

This option is used to determine if AutoVPN tunnels should be formed over only the primary uplink or over both the primary and secondary uplinks simultaneously. There are two options that can be configured:

  • Enabled: Create VPN tunnels over all of the available uplinks (primary and secondary).
  • Disabled: Do not create VPN tunnels over the secondary uplink unless the primary uplink fails.

Flow preferences

Use this option to direct traffic matching a layer 3 definition out a particular uplink. Some common use cases involve sending traffic from different VLANs through different Internet uplinks, sending a particular type of traffic such as FTP traffic out a particular uplink based on the destination port, or sending traffic that is located over the secondary WAN such as a local management page.

Note: ICMP traffic is not subject to traffic shaping rules. As a result, Flow Preference will have no impact on ICMP traffic.

SD-WAN policies

SD-WAN policies can be configured to control and modify the flows for specific VPN traffic. With multiple WAN uplinks, the WAN appliance will proactively build multiple tunnels with each available WAN interface.  In the case where there are redundant WAN connections on the WAN appliance, traffic flows based on the type of traffic traversing the VPN connections can also be configured to allow for best performance. Custom policies set to desired preferences can be set to ensure traffic flows take the appropriate path based on your environment.  If a WAN connection that normally handles traffic such as file transfers begins to have performance issues, the Cisco Meraki WAN appliance can dynamically change the VPN connection to an alternative WAN uplink. This is done with custom policies or predetermined policies on the dashboard. It is encouraged to configure said policies in your deployment to best fit the needs based on the nature of the traffic and the capabilities of the WAN connections available on the WAN appliance

This option appears after Active-Active Auto VPN is enabled.

Once configured, these custom VPN policies are enforced on all VPN traffic that matches the specifications you select. Example configurations can be found in the Meraki SD-WAN configuration guide.

If you do have questions about what policies are best for your deployment, you can always reach out to either a Meraki Sales Engineer or your Meraki partner for a consultation on what best fits your needs.

On MX18.2 firmware while using MultiWAN MXs SD-WAN policies and load balancing policies do not apply to WAN3. You can reference MultiWAN_Backup_Uplink 


SDWAN policies.png

 

Global bandwidth limits

This setting allows you to put limits on each client device's total network traffic (incoming / outgoing). The minimum limit on the throughput is 20 Kb/s. Click details or simple to switch between two possible modes.

  • simple: Single setting that applies to both upload and download traffic throughput. Move the slider control right or left to set the limits.
  • details: Allows you to set different limits on upload and download throughput. Enter the limits manually in Kb/s. You can also use this mode to create more precise per-client limits than in simple mode.

Enable SpeedBurst: To provide a better user experience in bandwidth-limited environments, an administrator can enable SpeedBurst by selecting the Enable Speedburst checkbox. SpeedBurst allows users to exceed their assigned limit in a "burst" for a short period of time, providing a more satisfying Internet browsing experience while still preventing any one user from using more than his or her fair share of bandwidth over the longer term. Users are allowed up to four times their allotted bandwidth limit for a period of up to five seconds.

Traffic shaping rules

To optimize your network, you can create shaping policies to apply per-user controls on a per-application basis. This allows you to reduce bandwidth for recreational applications such as peer-to-peer file sharing programs, and to prioritize bandwidth for your business-critical enterprise applications.

Traffic shaping rules will apply to traffic sent over an AutoVPN tunnel between Meraki devices. Please note that traffic shaping rules do not apply to traffic that passes over a non-Meraki VPN tunnel.

The use of NBAR will add categories to the traffic shaping section that were not available before. More information about NBAR can be found on the Next-gen Traffic Analytics - Network-Based Application Recognition (NBAR) Integration article. 

Security & SD-WAN > Configure > SD-WAN & traffic shaping > Traffic shaping rules > Enforce L7 traffic shaping policy
Wireless > Configure > Firewall and traffic shaping > Enforce L7 traffic shaping policy 

Traffic shaping rules without vs with NBAR.

Creating Shaping Rules

Click Create a new rule to add a traffic shaping rule. Traffic shaping policies consist of a series of rules that are performed in the order in which they appear in the policy, similar to custom firewall rules. There are two main components to each rule: the type of traffic to be limited or shaped (rule definition), and how that traffic should be limited or shaped (rule actions).

 

Note:

Traffic shaping rules are applied per client flow, so setting a limit of 5 Mbps to three different traffic shaping rules will allow 5 Mbps to each client flow matching the different rules. 

Custom traffic shaping rules may be configured on a per-destination basis. Source based configurations are not supported at this time. 

Rule Definition

Rules can be defined in two ways:

  • You can select from various predefined application categories such as Video & Music, Peer-to-Peer, or Email.
  • You can create rules by specifying HTTP hostnames (for example, salesforce.com), port numbers (such as 80), IP ranges (such as 192.168.0.0/16), or IP address range and port combinations (such as 192.168.0.0/16:80). 

The rule action is enforced on all traffic that matches the specifications you select. By clicking Add expression, you can create additional specifications for traffic that is shaped according to the same rule action. 

Note that the rule for HTTP hostname does not require a catch-all "*" (asterisk) to be prefixed to include subdomains. For example, hostname 'google.com' should include its subdomains as well.

Rule Actions

Traffic-matching-specified rule sets can be shaped or prioritized.

  • Bandwidth limits can be specified to ignore any limits specified for the whole network, to obey the specified limits, or to apply more-restrictive limits than the network limits. Use the bandwidth slider control to choose the appropriate limit for each type of traffic. To specify asymmetric limits on uploads and downloads, click details next to the bandwidth slider control.

  • Priority can be set to High, Normal, or Low, allowing the MX series to prioritize a given network flow relative to the rest of the network traffic. Note that realtime is reserved for traffic tagged with a DSCP bit value mapping to EF46 only. 

    • Firmware 18.2 and above: Class Based Weighted Fair Queueing with Deficit Round Robin is enforced on token bucket allocations. Allocation ratios are as follows:

      • Realtime: 8

      • High: 4

      • Medium: 2

      • Low: 1

With deficit round robin, queues which do not actively have traffic to send will see their tokens allocated to the next queue in line. This prevents of starvation for lower priority queues, while continuing to prioritize VoIP traffic and other manually defined high priority traffic. 

    • Firmware 18.1 and lower:  Strict Priority Queueing is enforced with the following ratios enforced on token bucket allocations

      • High: 4/7

      • Normal: 2/7

      • Low: 1/7

  • Quality of Service (QoS) prioritization can be applied to Layer 3 traffic. To prioritize traffic at Layer 3, select a value for the DSCP tag in the IP header on all incoming and outgoing IP packets. This also affects the Wi-Fi Multimedia (WMM) priority of the traffic.

For the Priority feature to work as desired, ensure that uplink throughput settings are accurate.

For QoS prioritization to work as desired, ensure that upstream networking equipment supports QoS prioritization as well.

Creating a Sample Traffic-Shaping Rule

Here is an example of how to set up a traffic shaping policy with multiple traffic-shaping rules. For additional examples, refer to our Simple Traffic Shaping Strategy article.
To prioritize VoIP and minimize peer-to-peer traffic and gaming, create a new traffic-shaping policy by following the steps below:

  1. In the Rule #1 Definition pull-down menu, choose VoIP & video conferencing.
  2. Under Bandwidth limit, choose Ignore network limit.
  3. In the Priority pull-down menu, choose High.
  4. Under DSCP tagging, choose 7 (WMM Voice).
  5. Click Add a new shaping rule.
  6. In the Rule #2 Definition pull-down menu, choose Peer-to-peer (P2P).
  7. Click Add an expression.
  8. In the new pull-down menu, choose Gaming.
  9. In the Bandwidth limit section, click Choose a limit and use the slider to choose a low throughput (the minimum is 20 kb/s).
  10. Save your changes by clicking Save Changes at the bottom of the page.

Web cache

This option is not available on the MX60, MX60W, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, Z1, Z3, Z3C, Z4, Z4C devices.

 

When HTTP content caching is enabled, the MX will cache web content on its solid-state drive (SSD). This can improve end-user experience by reducing page load times and file download times for frequently accessed web content. Web caching only works for static HTTP content, so it will not be able to cache sites such as YouTube.

 

This feature is recommended only for sites with limited bandwidth. Locations with over 20 Mbps bandwidth will likely not benefit from content caching.

  • Was this article helpful?