Cisco Meraki Documentation

Adaptive Policy Configuration Guide

Overview 

This document explains how to configure Adaptive Policy in a Dashboard Organization.

 

In addition to configuring Adaptive Policy at the Organization level, some deployments may need device-specific configurations. For more information on how Adaptive Policy works in a Meraki Dashboard Organization, please refer to the Adaptive Policy Overview document. For details on how to apply Adaptive Policy to client devices on your MR and MS devices, please refer to the Additional Reading section of this document.

Prerequisites, Guidelines & Limitations

Hardware, licensing, and software requirements

Platform | Minimum License | Minimum Firmware Version | Recommended Version

Switches
MS390 | Advanced | MS14.33.1 | Latest MS release
C9300-M | Advanced | CS15.21.1 | Latest MS release
C9300\L\X-M | Advanced | CS16.7 (15 new models) | Latest MS release
MS130X/R | Advanced | MS17 | Latest MS release

Access Points
Meraki MR and CW Access Points** | Advanced | MR27 | Latest MR release

MX Next Generation Firewalls
MX64/67/68/75/85/95/100/105/250/450 & Z3, Adaptive Policy (SGT Transport) | Advanced | MX18.1 | Latest MX release
MX64/67/68/75/85/95/100/105/250/450 & Z3, Adaptive Policy (SGT Assignment) | Secure SD-WAN Plus | MX18.2 | Latest MX release

Note: It is recommended that a network only contain Adaptive Policy capable MRs in order to ensure policy is consistently applied across all devices.

** Meraki MR pre-802.11ac Wave 2 are not supported with Adaptive Policy

 

Licensing Requirements

In an Organization using Co-Term Licensing all MS390 and Catalyst switches in the Organization must have the Advanced license.

 

For Organizations with Per-Device Licensing, all MS390 and Catalyst switches in a network must have Advanced licensing in order to enable Adaptive Policy on that network.

 

MR access points will require Advanced licensing after the end of the BETA. For BETA testing, please reach out to your Cisco Meraki sales rep or to Cisco Meraki Support to have an Adaptive Policy MR beta license exemption set up for your Organization.

 

Before you begin

This section provides an outline of the configuration process and a summary of the terms and concepts you should be aware of while configuring Adaptive Policy on your Cisco Meraki Dashboard Organization.

 

Group is an identity class for users or devices in your Dashboard Organization which require access to the same set of services over the network. Within the scope of Adaptive Policy configuration the Group would be the reference name for this class of users across your Dashboard Organization.

 

SGT tag (or SGT value) is a unique number associated with a Group in your Organization. The SGT value is what Adaptive Policy capable devices in your network use to refer to an Adaptive Policy Group at the hardware level. Traffic from a device belonging to an Adaptive Policy Group is tagged with the SGT value. For more details on how SGT tags work, please refer to Adaptive Policy Overview document. Some other values of note, with regards to SGTs, are as follows.

Infrastructure Group is the value used to tag Meraki Cloud traffic on networks and the networking device's originating traffic. The default value is 2 and unless necessary to integrate with other deployments, it is not suggested to modify this value. If it is necessary to change the Infrastructure group, be careful if modifying in production as a mistake can isolate the network device's originated traffic if an upstream device does not permit the traffic due to policy. Pick a number between 2 and 65519.

Policy is the set of rules which define what kind of traffic is permitted to flow from one group to another. A policy can also be applied to define the traffic permission from one group to many groups or from many groups to one group. The permission between two groups can be one of Allow [all], Deny [all], or a more detailed Custom Policy.

Custom Policy is a list of user-defined ACL rules

Custom ACL is a list of user-defined Layer 4 access-control entries. They allow the user to allow or deny a traffic flow based on its IP version, Layer 4 protocol, and Layer 4 source and destination ports.

Policy Object is a label associated with an IP or CIDR address. Adaptive Policy does not allow use of groups, and instead requires each network object to be specified in the Network Object binding field as an Adaptive Policy Object configured in the Policy Objects Org-Wide menu.

Adaptive Policy Object creation: Name and FQDN/IP/CIDR

Setting up Adaptive Policy on your Dashboard

 

The Adaptive Policy configuration on your Cisco Meraki Dashboard can be largely broken into the 3 key steps explained below.

  1. Creating the user groups
  2. Defining traffic policies between groups.
  3. Applying Adaptive Policy to your Dashboard Networks.

Creating or editing user groups

To create an Adaptive Policy user group,

  1.  

If you DELETE a tag, it will be removed from mapping on every network device and every configuration including static port mappings and SSID configurations. DO NOT delete a tag unless that is the desired outcome.

Defining the traffic policies between groups

  1. Click on the Policies tab on the Adaptive policy page. Here you should see a list of all the groups in your Organization.
  2. Select the source and destination groups you want to modify the traffic policy for. The policy permission options are displayed once at least one source and one destination group have been selected. The options are explained in the table below.
     Allow: Permits all traffic between the selected groups
     Deny: Drops all traffic between the selected groups
     Default: Removes any existing policies between the selected groups and applies the default permission (permit all)
     Custom: Applies a set of user-defined Custom ACL rules to the traffic between the selected groups. Steps for creating these ACL rules can be found in the Creating Custom ACLs section.
  3. If you choose Allow, Deny or Default, you will be prompted to confirm the change. Selecting Custom policy will bring up the following options.
     Custom adaptive policy configuration

 

Custom ACL policies allow multiple ACLs to be appended ahead of a final default rule of either allow or deny. These ACLs are processed from the top down: the first rule that matches a flow takes precedence over any rules below it, and the final default rule applies only if no rule matches.
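As an added example (not Meraki code or the Dashboard's own logic), the following Python model evaluates a flow against a Custom policy the way this section describes it: ACLs appended in order, entries processed top-down, first match wins, and the final default rule applies otherwise. It also enforces the 7-ACL and 16-ACE limits quoted under Scaling Considerations; the ACL names, ports and flows are constructed for illustration.

```python
# Added example, not Meraki code: an offline model of a Custom policy between two groups.
from dataclasses import dataclass
from typing import Optional
MAX_ACLS_PER_POLICY, MAX_ACES_PER_ACL = 7, 16   # limits quoted under Scaling Considerations

@dataclass
class Ace:                            # one access-control entry in a Custom ACL
    action: str                       # "allow" or "deny"
    protocol: str = "any"             # "tcp", "udp", "icmp" or "any"
    src_port: Optional[int] = None    # None means any port
    dst_port: Optional[int] = None

@dataclass
class CustomAcl:
    name: str
    rules: tuple                      # ordered Ace entries, at most 16
    ip_version: str = "any"           # "ipv4", "ipv6" or "any" (agnostic)
    def __post_init__(self):
        if len(self.rules) > MAX_ACES_PER_ACL:
            raise ValueError(f"{self.name}: more than {MAX_ACES_PER_ACL} ACEs")

@dataclass
class CustomPolicy:
    acls: tuple                       # ordered CustomAcl entries, at most 7
    default_action: str               # final rule applied when nothing matches
    def __post_init__(self):
        if len(self.acls) > MAX_ACLS_PER_POLICY:
            raise ValueError(f"more than {MAX_ACLS_PER_POLICY} ACLs in one policy")

def ace_matches(ace: Ace, flow: dict) -> bool:
    return (ace.protocol in ("any", flow["protocol"])
            and ace.src_port in (None, flow["src_port"])
            and ace.dst_port in (None, flow["dst_port"]))

def evaluate(policy: CustomPolicy, flow: dict) -> str:
    """Top-down: the first ACE that matches the flow decides, else the default.
    flow is a dict with ip_version, protocol, src_port and dst_port."""
    for acl in policy.acls:
        if acl.ip_version not in ("any", flow["ip_version"]):
            continue                  # ACL is scoped to the other IP version
        for ace in acl.rules:
            if ace_matches(ace, flow):
                return ace.action
    return policy.default_action

# Constructed sample: DNS and HTTPS allowed, IPv6 ping dropped, everything else denied.
DNS = CustomAcl("dns", (Ace("allow", "udp", dst_port=53), Ace("allow", "tcp", dst_port=53)))
WEB = CustomAcl("web", (Ace("allow", "tcp", dst_port=443),))
NO_V6_PING = CustomAcl("no-v6-ping", (Ace("deny", "icmp"),), ip_version="ipv6")
POLICY = CustomPolicy((NO_V6_PING, DNS, WEB), default_action="deny")
```

Swapping the order of two ACLs that both match a flow changes the outcome, which is why the guide recommends small, purpose-built ACLs compounded in a deliberate order.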

Creating Custom ACLs

Custom ACLs are used to apply custom permissions between SGTs. It is best to configure smaller, purpose-built ACLs for individual services and compound them in the custom permissions configuration.

  1. Go to the Custom ACLs tab on the Adaptive Policy page.
  2. Click on Add Custom ACL
  3. Configure the ACL Name and Description, and choose whether the IP Version these ACL rules apply to is IPv4, IPv6 or both (Agnostic).
  4. Click Add ACL Rule to add an entry to Allow or Deny a traffic flow based on:
     1. IP protocol: TCP, UDP, ICMP or Any
     2. Source Port
     3. Destination Port
     Custom ACL creation, including Name, Description, IP version and rules to be specified
  5. Click Update to save the changes.

Applying user groups to client devices

Enabling or disabling Adaptive Policy in a Network

Adaptive Policy can be enabled in Switch or Wireless networks that meet the hardware and software qualifications. Please refer to the Prerequisites, Guidelines & Limitations for details.

 

To enable or disable Adaptive Policy in a network,

  1. Navigate to Organization > Configure > Adaptive Policy and click on the Networks tab.
     Adaptive Policy enablement in Organization settings
  2. Select the networks to be modified.
  3. Enable or Disable to apply or remove Adaptive Policy from the selected networks.

Removing Adaptive Policy from a network will affect all Adaptive Policy capable devices in that network.

Scaling Considerations

Adaptive policy scaling numbers are based on number of SGTs and policies configured.

Maximum number of Adaptive Policy Groups: 60

Maximum number of policies configured: 3600

NOTE: This figure assumes 60 groups are configured and a policy is defined between each group (60 x 60 = 3600).

Maximum Custom ACLs per (Group > Group) policy: 7

Maximum number of ACE entries per Custom ACL: 16

NOTE: The above means that up to 112 (7 x 16) ACE entries can be configured per source-group-to-destination-group policy.

Maximum IP to SGT mappings:  8000

NOTE: a mapping is an object. For example an object can be 10.10.10.10/32 or 10.10.10.0/24. Either definition takes up a mapping entry.
