Cisco Meraki Documentation

Adaptive Policy Telemetry

Overview:

The tools discussed on this page give users the telemetry and visibility needed to verify an Adaptive Policy-enabled network.

 

Adaptive Policy Hit Counters Live Tool

Available on MS390 and C9300-M platforms.

The Adaptive Policy hit counters live tool shows SGACL rule hit counts over a 30-second time span. It pulls the live counters and then polls again 30 seconds later. Search filters let the user quickly find the SGTs they are looking for in the hit counters table.

 

NOTE: Counters only increment on the EGRESS switch, because Adaptive Policy is an egress enforcement methodology.

To use the Adaptive Policy hit counters live tool:

  • Go to Switches->Select your switch->Tools Tab

  • Click Run under Adaptive Policy Counters

  • (Optional): You can filter based on source or destination SGT value

In the above example we are showing the hit counter table filtered on all SGACLs that match source group tag 7.
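The two-poll comparison described above can also be worked through offline. The following is an added example, not Meraki code: the snapshot layout, the rule text, the counter values and the function names are all constructed for illustration, and it assumes the counters are cumulative between polls.

```python
from typing import Dict, List, Optional, Tuple

# Key: (source SGT, destination SGT, SGACL rule text). Value: cumulative hits.
Snapshot = Dict[Tuple[int, int, str], int]
Row = Tuple[int, int, str, int]

# Constructed sample data: two polls of one egress switch, 30 seconds apart.
POLL_1: Snapshot = {
    (7, 10, "permit tcp dst eq 443"): 1200,
    (7, 10, "deny ip"): 40,
    (7, 20, "deny ip"): 900,
    (5, 10, "permit ip"): 300,
}
POLL_2: Snapshot = {
    (7, 10, "permit tcp dst eq 443"): 1260,
    (7, 10, "deny ip"): 40,
    (7, 20, "deny ip"): 15,   # lower than before: counter was cleared between polls
    (5, 10, "permit ip"): 310,
    (7, 30, "deny ip"): 8,    # rule first seen in the second poll
}

def hits_in_window(first: Snapshot, second: Snapshot,
                   src_sgt: Optional[int] = None,
                   dst_sgt: Optional[int] = None) -> List[Row]:
    """Return (src, dst, rule, hits) for the interval between two polls."""
    rows = []
    for (src, dst, rule), now in second.items():
        if src_sgt is not None and src != src_sgt:
            continue
        if dst_sgt is not None and dst != dst_sgt:
            continue
        before = first.get((src, dst, rule), 0)
        # A counter that went backwards was reset; count only hits since then.
        delta = now - before if now >= before else now
        rows.append((src, dst, rule, delta))
    # Busiest rules first, then stable ordering by SGT pair and rule text.
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1], r[2]))

def active_denies(rows: List[Row]) -> List[Row]:
    """Deny rules that actually dropped traffic during the window."""
    return [r for r in rows if r[2].startswith("deny") and r[3] > 0]

if __name__ == "__main__":
    # Same filter as the dashboard example: source group tag 7.
    for row in hits_in_window(POLL_1, POLL_2, src_sgt=7):
        print("SGT %d -> SGT %d  %-24s %d hits" % row)
```

A window of all zeros is only meaningful when the snapshots come from the egress switch for the flow, since that is where the counters increment.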

Adaptive Policy Custom ACL (SGACL) Logging

This feature allows users to configure specific rules in their Adaptive Policy to log events to the switch and network-wide event log pages. This is particularly useful for troubleshooting traffic flows and for security compliance where permits or denies of packets need to be logged.

Configuration:

  • Navigate to Organization->Adaptive Policy

  • Click Custom ACLs tab

  • Click the button Add custom ACL

    • Enter a name for the ACL

    • Enter a description for the rule

    • Select the IP Version (any/IPv4/IPv6)

    • Click the button to add ACL Rule

      • Select Policy (Deny or Allow)

      • Select protocol (TCP, UDP, ICMP, or Any)

      • Enter Source port or Leave ANY

      • Enter Destination port or Leave ANY

      • Check the box for LOG

      • Click the done button

    • Add any additional ACL rules following the steps above

    • Click the button Create

 

In this example we have created an ACL to Deny ALL traffic and log it to the dashboard.

 

To view logs from the enforcing/egress switch:

  • Navigate to switch->select your switch->click the event log tab

 

To view logs from the network-wide event log:

  • Navigate to Network-wide->Event log

 

 

Adaptive Policy Custom ACL (SGACL) TCP Established

Adaptive Policy TCP established is an option on policy ACLs that, when enabled, requires a full TCP connection to be set up before information can be transmitted between two endpoints. Enabling this feature eliminates the need for bidirectional ACL policies between two SGTs.

Configuration:

  • Navigate to Organization->Adaptive Policy

  • Click Custom ACLs tab

  • Click the button Add custom ACL

    • Enter a name for the ACL

    • Enter a description for the rule

    • Select the IP Version (any/IPv4/IPv6)

    • Click the button to add ACL Rule

      • Select Policy (Deny or Allow)

      • Select protocol TCP

      • Enter Source port or Leave ANY

      • Enter Destination port or Leave ANY

      • (optional) Check the box for LOG 

      • Check the box for TCP Established

      • Click the done button

    • Add any additional ACL rules following the steps above

    • Click the button Create/Update
