Skip to main content

 

Cisco Meraki Documentation

Trusted Traffic Exclusions

The article discusses Trusted Traffic Exclusions in Meraki MX, allowing users to bypass threat protection features for specified traffic, balancing network security and performance.

Introduction

Trusted Traffic Exclusions are available to help strike a balance between security and performance. To achieve this, Network Administrators can identify trusted traffic and fast-path the traffic through the Security Appliance without going through the resource-intensive and time-consuming deep inspection process. This allows the Security Appliance to focus resources on analyzing and inspecting untrusted traffic.

Note: This feature is available on MX’s with 18.2 and newer firmware.

Learn more with these free online training courses on the Meraki Learning Hub:

Sign in with your Cisco SSO or create a free account to start training.

How does it work?

Applications and IPs configured for Trusted Traffic Exclusions will take an accelerated forwarding path. This means that packets will be expedited through the processing and filtering of the following features:

  • Intrusion Prevention/Detection (IPS/IDS)

  • Advanced Malware Protection (AMP)

  • Secure Malware Analytics (formally Threat Grid)

Trusted traffic exclusions main page showing all available configuration options like applications and subnets

Quick Start Guide

Note: Configuration changes for Trusted Traffic Exclusions are organization-wide, so changes will affect all networks within your organization.

  1. Navigate to Security & SD-WAN > Threat Protection

  2. Scroll down to the ‘Trusted Traffic Exclusions’ Section

  3. Select any Trusted Traffic categories and/or configure an IP/subnet using CIDR notation

  4. Save

Configuration

Traffic that matches the configured parameters will be exempt from inspection. You can choose from a curated list of traffic categories, and/or identify IP/subnet using CIDR notation. The Cisco Meraki Cloud and Umbrella Cloud communications are trusted by default.  

Traffic Applications

Trusted Applications allows you to choose from a curated list of well-known applications. Applications are identified using Cisco’s next-gen traffic analytics engine, NBAR. To learn more about the different types of software included in each category, simply click on the "Show All" button within the respective category or view the list below.  Keep in mind that both the applications and categories may be updated in the future to enhance the selection of trusted applications. 

Trusted traffic exclusions showing trusted application categories: streaming&entertainment, software updates, online storage, collaboration and business critical

How are my applications identified?

Network-Based Application Recognition (NBAR) is an advanced application recognition engine developed by Cisco that utilizes several classification techniques and has the ability to easily update its classification rules. It supports 1,500+ applications and sub-classifications with less than 1% unknown and less than 1% unclassified encrypted traffic.  Meraki platforms with the NBAR engine provide granular and enhanced capabilities in regards to client tracking and application enforcement. For detailed information on NBAR please see this knowledge base article.

Trusted Application Category List

Category Included Applications
Streaming & entertainment

Amazon Video, Google Services, Hulu, Netflix, Pandora Radio, Playstation, Spotify, Xbox, YouTube, iTunes

Software Updates Adobe Updates, Apple Updates, Google Updates, Microsoft Updates
Collaboration Cisco Collaboration, MS Teams, RTP, SCCP, SIP, Skinny Call Control Protocol, Skype, Slack, Zoom Meetings
Online storage Box, Dropbox, Google Workspace, Microsoft OneDrive, iCloud
Business-critical applications AWS, Atlassian, Azure, Concur, Google Workspace, Jira, LogMeIn, Microsoft Live, Microsoft Office, Microsoft Windows, MindTouch, Outlook, RDP, Salesforce, SharePoint, Splunk, TeamViewer, VMware

Trusted IP Addresses/Subnets

Trusted IP Addresses/Subnets allows you to identify specific IPv4 or IPv6 addresses that should be fast-pathed. Each entry should only contain one IP address or Subnet. Fully Qualified Domain Names (FQDN) are not supported for Trusted Traffic Exclusions.

 

Trusted traffic exclusions showing an example subnets configuration with both IPv4 and IPv6 subnets, including comments

  • Was this article helpful?