Cisco Meraki

Adaptive Policy Configuration Guide

Overview 

This document explains how to configure Adaptive Policy in a Dashboard Organization.

 

In addition to configuring Adaptive Policy at the Organization level, some deployments may need device-specific configurations. For more information on how Adaptive Policy works in a Meraki Dashboard Organization, please refer to the Adaptive Policy Overview document. For details on how to apply Adaptive Policy to client devices on your MR and MS devices, please refer to the Additional Reading section of this document.

Prerequisites, Guidelines & Limitations

Hardware and software requirements

  Platform                                                          Minimum Firmware Version
  Switches      - MS390                                             MS14.5
  Access Points - Meraki 802.11ac Wave 2 & Wi-Fi 6 MR Access Points MR27

Note: It is recommended that a network only contain Adaptive Policy capable MRs in order to ensure policy is consistently applied across all devices.

 

Licensing Requirements

In an Organization using Co-Term Licensing, all MS390 switches in the Organization must have the Advanced license.

 

For Organizations with Per-Device Licensing, all MS390 switches in a network must have Advanced licensing in order to enable Adaptive Policy on that network.

 

MR access points will require Advanced licensing after the end of the BETA. For BETA testing, please reach out to your Cisco Meraki sales rep or to Cisco Meraki Support to have an Adaptive Policy MR beta license exemption set up for your Organization.

 

Before you begin

This section provides an outline of the configuration process and a summary of the terms and concepts you should be aware of while configuring Adaptive Policy on your Cisco Meraki Dashboard Organization.

 

Group is an identity class for users or devices in your Dashboard Organization which require access to the same set of services over the network. Within the scope of Adaptive Policy configuration the Group would be the reference name for this class of users across your Dashboard Organization.

 

SGT tag (or SGT value) is a unique number associated with a Group in your Organization. The SGT value is what Adaptive Policy capable devices in your network use to refer to an Adaptive Policy Group at the hardware level. Traffic from a device belonging to an Adaptive Policy Group is tagged with the SGT value. For more details on how SGT tags work, please refer to the Adaptive Policy Overview document. Some other values of note with regard to SGTs are as follows.

Infrastructure Group Value is the value used to tag Meraki Cloud traffic on networks. Default value is 2. It cannot be modified if any user-defined adaptive policy group exists. Pick a number between 2 and 65519.

Minimum User Group Value is the minimum user-defined adaptive policy group SGT value allowed. Pick a number between 2 and 65519.

Maximum User Group Value is the maximum user-defined adaptive policy group SGT value allowed. Pick a number between 2 and 65519.

 

Policy is the set of rules which define what kind of traffic is permitted to flow from one group to another. A policy can also be applied to define the traffic permission from one group to many groups, or from many groups to one group. The permission between two groups can be one of Allow [all], Deny [all], or a more detailed Custom Policy.

Custom Policy is a list of user-defined ACL rules.

 

Custom ACL is a list of user-defined Layer-4 access-control entries. They allow the user to allow or deny a traffic flow based on its IP version, Layer-4 protocol, and Layer-4 source and destination ports.

 

Network Object is a label associated with an IP, FQDN or CIDR address. While multiple network objects can be combined to create a Network Object Group, only one network object can be mapped to an Adaptive Policy group. Also, an Adaptive Policy group can only be mapped to an IP-based network object, i.e., FQDN objects are not supported. Network Objects functionality is not available in the BETA phase.

Setting up Adaptive Policy on your Dashboard

 

The Adaptive Policy configuration on your Cisco Meraki Dashboard can be largely broken into the 3 key steps explained below.

  1. Creating the user groups
  2. Defining traffic policies between groups.
  3. Applying Adaptive Policy to your Dashboard Networks.

Creating or editing user groups

To create an Adaptive Policy user group,

If you DELETE a tag, it will be removed from mapping on every network device and every configuration including static port mappings and SSID configurations. DO NOT delete a tag unless that is the desired outcome.

Defining the traffic policies between groups

  1. Click on the Policies tab on the Adaptive Policy page. Here you should see a list of all the groups in your Organization.
  2. Select the source and destination groups you want to modify the traffic policy for. The policy permission options are displayed once at least one source and one destination group have been selected. The options are explained in the table below.
     Allow   - Permits all traffic between the selected groups
     Deny    - Drops all traffic between the selected groups
     Default - Removes any existing policies between the selected groups and applies the default permission (permit all)
     Custom  - Applies a set of user-defined Custom ACL rules to the traffic between the selected groups. Steps for creating these ACL rules can be found in the Creating Custom ACLs section.
  3. If you choose Allow, Deny or Default, you will be prompted to confirm the change. Selecting Custom policy brings up the following options.

 

Custom ACL policies allow multiple ACLs to be appended, followed by a final default rule of either allow or deny. These ACLs are processed from the top down: the first matching rule takes precedence over any following rules, and the final default rule applies to traffic that no rule matches.
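As an added illustration (not Meraki's code, and not a description of how the Dashboard or the hardware implements it), the following Python models the policy matrix options above, the Custom ACL fields described in the Creating Custom ACLs section, and the top-down, first-match evaluation with a final default rule. The group SGT values (10, 20, 30), ACL names and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass

ANY = None  # wildcard, like "Any" in the Dashboard ACL rule editor

@dataclass
class AclRule:  # one Layer-4 access-control entry of a Custom ACL
    action: str            # "allow" or "deny"
    protocol: str = ANY    # "tcp", "udp", "icmp" or ANY
    src_port: int = ANY
    dst_port: int = ANY

    def matches(self, proto, sport, dport):
        pairs = ((self.protocol, proto), (self.src_port, sport), (self.dst_port, dport))
        return all(want is ANY or want == got for want, got in pairs)

@dataclass
class CustomAcl:
    name: str
    ip_version: str        # "ipv4", "ipv6" or "agnostic"
    rules: list

def validate_user_sgt(value, min_user=2, max_user=65519, infra=2):
    # User-defined SGTs must lie in 2..65519, within the configured user range, and not reuse the infra tag.
    return 2 <= value <= 65519 and min_user <= value <= max_user and value != infra

def evaluate_custom(acls, final_default, ip_version, proto, sport, dport):
    # Appended ACLs are processed top-down; the first matching entry decides, else the final rule applies.
    for acl in acls:
        if acl.ip_version in ("agnostic", ip_version):
            for rule in acl.rules:
                if rule.matches(proto, sport, dport):
                    return rule.action
    return final_default

def decide(policy, src_sgt, dst_sgt, ip_version, proto, sport=ANY, dport=ANY):
    # Policy matrix keyed by (source SGT, destination SGT); no entry means Default (permit all).
    kind, data = policy.get((src_sgt, dst_sgt), ("default", None))
    if kind == "deny":
        return "deny"
    if kind == "custom":
        return evaluate_custom(*data, ip_version, proto, sport, dport)
    return "allow"  # both Allow and Default permit

# Constructed sample: Employees (SGT 10) reach Servers (SGT 20) only over HTTPS or IPv4 DNS.
WEB_ACL = CustomAcl("web-services", "agnostic", [AclRule("allow", "tcp", dst_port=443)])
DNS_ACL = CustomAcl("dns", "ipv4", [AclRule("allow", "udp", dst_port=53)])
POLICY = {
    (10, 20): ("custom", ([WEB_ACL, DNS_ACL], "deny")),
    (30, 20): ("deny", None),  # Guests (SGT 30) are blocked from Servers entirely
}
```

Note that the IPv6 DNS flow is denied only because the "dns" ACL is scoped to IPv4 and the final default is deny, which is the kind of gap a per-service ACL review should catch.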

Creating Custom ACLs

Custom ACLs are used to define custom permissions between SGTs. It is best to configure smaller, purpose-built ACLs per service and then compound them in the custom permissions configuration.

  1. Go to the Custom ACLs tab on the Adaptive Policy page.
  2. Click on Add Custom ACL.
  3. Configure the ACL Name and Description, and choose the IP Version these ACL rules apply to: IPv4, IPv6 or both (Agnostic).
  4. Click Add ACL Rule to add an entry to Allow or Deny a traffic flow based on:
     1. IP protocol: TCP, UDP, ICMP or Any
     2. Source Port
     3. Destination Port
  5. Click Update to save the changes.

Applying user groups to client devices

Enabling or disabling Adaptive Policy in a Network

Adaptive Policy can be enabled in Switch or Wireless networks that meet the hardware and software qualifications. Please refer to the Prerequisites, Guidelines & Limitations for details.

 

To enable or disable Adaptive Policy in a network,

  1. Navigate to Organization > Adaptive Policy and click on the Networks tab.
  2. Select the networks to be modified.
  3. Enable or Disable to apply or remove Adaptive Policy from the selected networks.

Removing Adaptive Policy from a network will affect all Adaptive Policy capable devices in that network.
