
Cisco Meraki Documentation

Adaptive Policy for MX/Z Platforms

Overview 

This document will cover only the WAN Appliance aspects of the feature enablement process. For more details on the Adaptive Policy feature and its supportability with other platforms, please review this documentation article.

Organizations want more granular security and control over segmentation across their network infrastructure. The hardest part of network administration and compliance management is monitoring, scaling and correctly applying the security policy of a user or device regardless of where and how that device connects. An organization that has to manage many different security policies, built on inconsistent policy constructs and controls, is more exposed to a breach.

Traditional segmentation is based on subnets, VLANs and ACL rules. A rule set is bound to the network it resides in and is not meant to scale globally. Maintaining ACL-based rules also becomes an operational burden in sizable deployments with thousands of rules: modifying a rule set means removing, adding and resequencing entries, which adds administrative overhead and complexity. Faced with this, administrators often add more rules instead of optimizing the existing ones.

Cisco's answer to this problem is Cisco TrustSec (CTS). CTS simplifies policy management by grouping endpoint traffic. Each group is assigned a Security Group Tag (SGT); all traffic from members of the group carries the tag and inherits the group's enforcement policy, which is enforced in a decentralized way on the network devices. The policy applies locally and across infrastructures for consistent security and administration. When a user connects to the network, the tag assigned to that user becomes its identity, and networking devices use the tag to enforce policies and make forwarding decisions regardless of where and how the endpoint connects. Policies can be managed centrally with Cisco ISE and are provisioned dynamically on demand.

Adaptive Policy Architecture 

Adaptive Policy has three key components: 

  • Identity classification and propagation 

    •  A tag that is applied to frames from a source device and acts as an identity or grouping for a user/device

  • Security policy definition 

    • A policy comprised of a source tag, destination tag, and the permissions between them

  • Policy deployment and orchestration

    • An engine that implements the policy on supported network devices 

    • Enforcement is done on the destination networking device for scalability

    • Destination networking device will deny or allow the flow on the egress based on the policy rules

Functionality Breakdown

To enable Adaptive Policy on an MX/Z network the following conditions must be met:

Supported models include all models that can upgrade to firmware MX 18.1, except the MX84.

Type | SGT Functionality | Minimum Firmware | Minimum License
SGT Transport | Intra-VLAN transport | TBD | Advanced Security
SGT Transport | Inter-VLAN transport | MX 18.1 | Advanced Security
SGT Transport | WLAN transport | TBD | Advanced Security
SGT Transport | WAN transport for VPN concentrator mode | MX 18.2 | Advanced Security
SGT Transport | AutoVPN transport | MX 18.1 | Advanced Security
SGT Assignment and Transport | Per-port assignment and transport | MX 18.2 | Secure SD-WAN Plus
SGT Assignment and Transport | VLAN assignment and Inter-VLAN transport | MX 18.2 | Secure SD-WAN Plus
SGT Assignment and Transport | VLAN assignment and Intra-VLAN transport | TBD | Secure SD-WAN Plus
SGT Assignment and Transport | Per-SSID assignment (obtained from the VLAN assignment) | TBD | Secure SD-WAN Plus
SGT Assignment and Transport | IP-to-SGT assignment and transport (includes AutoVPN) | TBD | Secure SD-WAN Plus
SGT Assignment and Transport | Client VPN assignment and transport (AnyConnect support required) | TBD | Secure SD-WAN Plus
SGT Assignment and Transport | WAN assignment and transport for VPN concentrator mode (includes vMX) | TBD | Secure SD-WAN Plus
SGT Assignment and Transport | RADIUS/NAC assignment and transport | TBD | Secure SD-WAN Plus
SGT Assignment and Transport | Group Policy assignment and transport | TBD | Secure SD-WAN Plus
SGT Enforcement, Assignment, and Transport | Enforcement | TBD | Secure SD-WAN Plus

Prerequisites  

  1. Verify the MX/Z is running MX 18.1 or later firmware (some functions require MX 18.2; see the table above)
  2. Verify the minimum license support
    • SGT Transport requires an Advanced Security license
    • SGT Assignment and Transport requires the Secure SD-WAN Plus license
    • SGT Enforcement, Assignment, and Transport requires the Secure SD-WAN Plus license
    • For license details, please refer to the MX licensing page

Configuration

Inter-VLAN transport

  1. Verify and confirm all the prerequisites are met
  2. Enable adaptive policy for the network
    • Navigate to Organization > Configure > Adaptive policy. Select the Networks tab, then select the desired network and Enable adaptive policy for the network

Organization > Configure > menu option for navigating to Adaptive policy.

Adaptive policy network menu option.

  • Note: Ensure you have a combined network with SGT compatible devices. For more details, refer to this documentation.

3. Go to the adaptive policy enabled network and select Routed mode in deployment settings

  • Under Security & SD-WAN > Configure > Addressing & VLANs, select Routed mode at Deployment Settings

Addressing & VLANs menu option to change between routed and passthrough mode.

4. Incoming SGTs can be trusted only on trunk ports, so the LAN must be configured with VLANs rather than a single LAN. From MX 18.2 onward, SGT assignment can be configured on trunk or access ports.

  • Under Security & SD-WAN > Configure > Addressing & VLANs,  enable VLANs under Routing > LAN settings section

Menu option to change between VLANs and Single LAN on the MX appliance.

5. Peer SGT capable can only be enabled on a trunk port. When it is enabled, the WAN appliance trusts the SGT carried in frames arriving from the directly connected peer and does not override the incoming SGT value. Because the tag is accepted as sent, enable this only on ports that face an SGT-capable infrastructure device you trust (for example a switch that classifies and tags its own clients); any device on such a port could otherwise present whatever tag it chooses. When trunk mode is selected, the option to configure peer SGT capable appears for that LAN port.

  • Under Security & SD-WAN > Configure > Addressing & VLANs page, select Routing > Per-port VLAN settings > Trunk > Peer SGT capable, then select Enable

MX LAN port menu option to enable Peer SGT capable.

  • With the introduction of peer SGT capable configuration, you will now see an additional column in the Per-port VLAN Settings table:

Table view of ports displaying the new Peer SGT capable column.

Note: Template, API, and logging support are TBD. SGT Assignment and Policy enforcement is currently done by MS and MR.

Static VLAN Assignment

  1. Navigate to Security & SD-WAN > Configure > Addressing & VLANs

  2. Select the VLAN you would like to statically tag

  3. Set the “Adaptive policy” to the desired group. This will tag the traffic with the SGT identified for the group. 

  4. Click “Next”

  5. Click “Preview”

  6. Click “Update”

  7. Save

Modify VLAN menu option to change the adaptive policy group.

Static LAN Port Assignment 

  1. Navigate to Security & SD-WAN > Configure > Addressing & VLANs

  2. Select the port(s) you would like to statically tag

  3. Set the “Adaptive policy” to the desired group. This will tag the traffic with the SGT identified for the group. 

  4. Save

Menu option to configure adaptative policy on MX LAN ports.

Enable SGT Peer on WAN interface (Concentrator Only)

  1. Navigate to Security & SD-WAN > Monitor > Appliance Status. Click on the “Uplink” tab.

  2. Click the pencil next to “Adaptive Policy”

  3. Set Peer SGT Capable to “Enabled”

  4. Click “Update” to save

Configure WAN for Peer SGT capable option.

Expected Behavior 

Test conditions are broken down into East-West and North-South traffic. The difference between the two is:

Network diagram showing east to west and north to south traffic flow.

  • East-West traffic usually refers to traffic enclosed within the same network. North-South traffic, on the other hand, refers to traffic traversing different networks.
  • For Inter-VLAN functionality, our test conditions are restricted to East-West traffic as shown below:

Port_1 Peer SGT Capable | Ingress packet type | Ingress behavior | Port_2 Peer SGT Capable | Egress packet type | Egress behavior
Enable | SGT packet | Preserve and forward the SGT packet | Enable | SGT packet | Forward the SGT packet
Disable | SGT packet | Strip the SGT tag and forward the non-SGT packet | Enable | SGT packet (SGT tag=0 added) | Forward the SGT packet
Enable | Non-SGT packet | Add SGT tag=0 and forward the SGT packet | Enable | SGT packet | Forward the SGT packet
Disable | Non-SGT packet | Forward the non-SGT packet | Enable | SGT packet (SGT tag=0 added) | Forward the SGT packet
Enable | SGT packet | Preserve and forward the SGT packet | Disable | Non-SGT packet (SGT tag stripped) | Forward the non-SGT packet
Disable | SGT packet | Strip the SGT tag and forward the non-SGT packet | Disable | Non-SGT packet | Forward the non-SGT packet
Enable | Non-SGT packet | Add SGT tag=0 and forward the SGT packet | Disable | Non-SGT packet (SGT tag stripped) | Forward the non-SGT packet
Disable | Non-SGT packet | Forward the non-SGT packet | Disable | Non-SGT packet | Forward the non-SGT packet

API

https://developer.cisco.com/meraki/a...appliance-port

“peerSgtCapable”: false/true
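The following Python script is an example added for this article, not Meraki code. It encodes the Inter-VLAN expected-behavior table above as one rule applied at each port, composes that rule across an ingress and an egress port so you can see what tag leaves Port_2, and audits a port list for the peerSgtCapable setting. The port list is constructed to resemble a GET /networks/{networkId}/appliance/ports response; the keys other than peerSgtCapable (number, enabled, type), the API base URL and the PUT path are assumptions to verify against the appliance port API page linked above. Nothing is sent to the dashboard: the script only builds the request that requests.request(**req) would send.

```python
from typing import Optional

# Added example for this article (not Meraki code). Models inter-VLAN SGT
# transport on an MX and audits the peerSgtCapable port setting.

UNKNOWN_SGT = 0  # value the MX inserts when a trusted port receives an untagged frame
MERAKI_API = "https://api.meraki.com/api/v1"  # assumed base URL; confirm against the API docs


def port_sgt(peer_sgt_capable: bool, sgt: Optional[int]) -> Optional[int]:
    """SGT on a frame after it crosses one MX LAN port (ingress or egress).

    sgt is the tag on the wire, None for a non-SGT packet. The table above
    gives the same rule in both directions: a peer SGT capable port keeps the
    peer's tag as sent (any value, unverified) and tags untagged frames with
    0; a non-capable port strips the tag.
    """
    if not peer_sgt_capable:
        return None
    return UNKNOWN_SGT if sgt is None else sgt


def forward_east_west(sgt: Optional[int], port1_capable: bool, port2_capable: bool) -> Optional[int]:
    """Tag that leaves Port_2 for a frame that entered Port_1 carrying sgt."""
    return port_sgt(port2_capable, port_sgt(port1_capable, sgt))


# Constructed sample (not captured from a live dashboard), shaped like a
# GET /networks/{networkId}/appliance/ports response; keys are assumptions.
SAMPLE_PORTS = [
    {"number": 3, "enabled": True, "type": "trunk", "allowedVlans": "all", "peerSgtCapable": True},
    {"number": 4, "enabled": True, "type": "access", "vlan": 10, "peerSgtCapable": False},
    {"number": 5, "enabled": True, "type": "access", "vlan": 20, "peerSgtCapable": True},
]


def audit_ports(ports: list) -> list:
    """Return (port number, finding) for each port whose SGT trust needs review.

    A capable port accepts whatever tag the attached device sends, so every
    such port is a trust boundary worth confirming; a capable access port
    contradicts the trunk-only requirement and is flagged as a config error.
    """
    findings = []
    for port in ports:
        if not port.get("peerSgtCapable"):
            continue
        if port.get("type") != "trunk":
            findings.append((port["number"], "peerSgtCapable on a non-trunk port; the MX requires trunk mode"))
        elif port.get("enabled", True):
            findings.append((port["number"], "trusts peer-supplied SGT unchanged; confirm an SGT-capable "
                                             "infrastructure device is attached"))
    return findings


def port_update_request(network_id: str, port_number: int, peer_sgt_capable: bool, api_key: str) -> dict:
    """Build (but do not send) the PUT that sets peerSgtCapable on one port.

    Pass the result to requests.request(**req). The path is assumed from the
    appliance port API page linked above; the header name is Meraki's API key header.
    """
    return {
        "method": "PUT",
        "url": f"{MERAKI_API}/networks/{network_id}/appliance/ports/{port_number}",
        "headers": {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
        "json": {"peerSgtCapable": peer_sgt_capable},
    }


if __name__ == "__main__":
    for sgt, p1, p2 in [(10, True, True), (10, False, True), (10, True, False), (None, True, True)]:
        print(f"SGT {sgt} in, Port_1 capable={p1}, Port_2 capable={p2} -> SGT {forward_east_west(sgt, p1, p2)} out")
    for number, finding in audit_ports(SAMPLE_PORTS):
        print(f"port {number}: {finding}")
```

Two results are worth noticing when you run it: a tagged frame entering a non-capable port and leaving a capable one exits with SGT 0, not its original tag, so enforcement downstream will treat it as "unknown" rather than as its real group; and an untagged frame between two capable ports is also tagged 0, so a downstream policy that permits SGT 0 effectively permits anything the MX could not classify.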

AutoVPN transport   

  1. Verify and confirm all the prerequisites are met
  2. Enable adaptive policy for the network
    • Navigate to Organization > Configure > Adaptive policy, click on the Networks tab, then select the desired network and click Enable adaptive policy for the network

Organization > Configure > menu option for navigating to Adaptive policy.

Adaptive policy network menu option.

  3. Navigate to VPN settings to enable SGT transport for AutoVPN peering.

  • Navigate to Security & SD-WAN > Configure >Site-to-site VPN, under VPN settings > Peer SGT Capable > Select Enable
  • Enable for both WAN Appliance peers to preserve and transport SGT packets across the AutoVPN fabric.

VPN settings menu to enable peer SGT capable.

Keep in mind that you must enable "Peer SGT Capable" on both peers to preserve and carry SGT packets across the AutoVPN fabric. If either WAN appliance peer has "Peer SGT Capable" disabled, SGT packets will not be preserved and transported across the AutoVPN network: the tag is stripped in transit rather than rejected, so a mismatch shows up only as traffic arriving untagged at the remote site.

Note: Template, API, and logging support are TBD. SGT Assignment and Policy enforcement is currently done by MS and MR.

Expected Behavior 

  • For AutoVPN transport functionality, our test conditions are restricted to North-South traffic as shown below:

Local MX: VPN Peer SGT Capable | Ingress packet type | Ingress behavior entering AutoVPN | Remote MX: VPN Peer SGT Capable | Egress packet type exiting AutoVPN | Egress behavior
Enable | SGT packet | Preserve and forward the SGT packet | Enable | SGT packet | Forward the SGT packet
Disable | SGT packet | Strip the SGT tag and forward the non-SGT packet | Enable | Non-SGT packet | Forward the non-SGT packet
Enable | Non-SGT packet | Add SGT tag=0 and forward the SGT packet | Enable | SGT packet | Forward the SGT packet
Disable | Non-SGT packet | Forward the non-SGT packet | Enable | Non-SGT packet | Forward the non-SGT packet
Enable | SGT packet | Strip the SGT tag and forward the non-SGT packet | Disable | Non-SGT packet | Forward the non-SGT packet
Disable | SGT packet | Strip the SGT tag and forward the non-SGT packet | Disable | Non-SGT packet | Forward the non-SGT packet
Enable | Non-SGT packet | Forward the non-SGT packet | Disable | Non-SGT packet | Forward the non-SGT packet
Disable | Non-SGT packet | Forward the non-SGT packet | Disable | Non-SGT packet | Forward the non-SGT packet

API

https://developer.cisco.com/meraki/a...te-to-site-vpn

“peerSgtCapable”: false/true
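The following Python script is an example added for this article, not Meraki code. Where a pair of LAN ports apply their rules independently, the AutoVPN table above shows that the tunnel behaves as one unit: a tag survives only when both peers are enabled, and with either side disabled the local MX already strips it on ingress. The script models that rule, audits a constructed set of site-to-site VPN settings for spoke-to-hub tunnels where one end is enabled and the other is not (the silent-strip case the note above warns about), and builds a read-modify-write PUT to fix a network. The per-network settings are constructed to resemble GET /networks/{networkId}/appliance/vpn/siteToSiteVpn responses; the keys mode and hubs[].hubId, the API base URL and the PUT path are assumptions to verify against the site-to-site VPN API page linked above, and peerSgtCapable is the field named there. No request is sent.

```python
from typing import Optional

# Added example for this article (not Meraki code). Models SGT transport over
# an AutoVPN tunnel and audits an organization's site-to-site VPN settings.

UNKNOWN_SGT = 0  # tag given to untagged traffic entering a tunnel with both ends SGT capable
MERAKI_API = "https://api.meraki.com/api/v1"  # assumed base URL; confirm against the API docs


def autovpn_sgt(local_capable: bool, remote_capable: bool, sgt: Optional[int]) -> Optional[int]:
    """Tag on a packet after it exits AutoVPN at the remote MX.

    The tunnel is one unit: the tag is carried only when BOTH peers have Peer
    SGT Capable enabled. With either side disabled a tagged packet leaves
    untagged; untagged traffic between two capable peers leaves with SGT 0.
    """
    if not (local_capable and remote_capable):
        return None
    return UNKNOWN_SGT if sgt is None else sgt


# Constructed sample keyed by network id (not captured from a live dashboard).
# Each value is shaped like a GET .../appliance/vpn/siteToSiteVpn response;
# the keys mode and hubs[].hubId are assumptions.
SAMPLE_VPN = {
    "N_hub":    {"mode": "hub",   "hubs": [], "peerSgtCapable": True},
    "N_spokeA": {"mode": "spoke", "hubs": [{"hubId": "N_hub", "useDefaultRoute": False}], "peerSgtCapable": True},
    "N_spokeB": {"mode": "spoke", "hubs": [{"hubId": "N_hub", "useDefaultRoute": False}], "peerSgtCapable": False},
    "N_none":   {"mode": "none",  "hubs": [], "peerSgtCapable": False},
}


def audit_autovpn_sgt(vpn_settings: dict) -> list:
    """Return (spoke, hub, verdict) for every spoke-to-hub tunnel.

    ok        both ends enabled, SGT carried end to end
    stripped  exactly one end enabled: tags are silently dropped in transit
    no-sgt    neither end enabled
    """
    results = []
    for net_id, cfg in vpn_settings.items():
        if cfg.get("mode") != "spoke":
            continue
        local = bool(cfg.get("peerSgtCapable"))
        for hub in cfg.get("hubs", []):
            remote = bool(vpn_settings.get(hub["hubId"], {}).get("peerSgtCapable"))
            if local and remote:
                verdict = "ok"
            elif local or remote:
                verdict = "stripped"
            else:
                verdict = "no-sgt"
            results.append((net_id, hub["hubId"], verdict))
    return results


def vpn_update_request(network_id: str, current: dict, peer_sgt_capable: bool, api_key: str) -> dict:
    """Build (but do not send) the PUT that changes peerSgtCapable for a network.

    The body is the current config with only peerSgtCapable changed, so mode
    and hubs are preserved (read-modify-write). Path assumed from the
    site-to-site VPN API page linked above; pass to requests.request(**req).
    """
    return {
        "method": "PUT",
        "url": f"{MERAKI_API}/networks/{network_id}/appliance/vpn/siteToSiteVpn",
        "headers": {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
        "json": {**current, "peerSgtCapable": peer_sgt_capable},
    }


if __name__ == "__main__":
    for spoke, hub, verdict in audit_autovpn_sgt(SAMPLE_VPN):
        print(f"{spoke} -> {hub}: {verdict}")
    for sgt, loc, rem in [(10, True, True), (None, True, True), (10, True, False)]:
        print(f"SGT {sgt}, local={loc}, remote={rem} -> SGT {autovpn_sgt(loc, rem, sgt)} at remote")
```

On the sample, N_spokeB is reported as "stripped": its hub carries SGT but the spoke does not, so traffic that was tagged at the hub side reaches the spoke untagged without any error being raised. Re-running the audit after applying the built PUT to every "stripped" spoke is the check to add before relying on SGT-based policy at remote sites.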

Compatibility With Other Cisco Technologies 

Because Adaptive Policy uses Cisco's inline SGT functionality, the feature is compatible with a number of solutions, including but not limited to:

  • Catalyst switching and routing (3k, 4k, 6k, 9k, ISR)

  • ASR and CSR

  • Sourcefire Next Generation Firewalls (FTD)

  • Adaptive Security Appliances (ASA)

  • Application Centric Infrastructure (ACI)

  • Datacenter switching (Nexus)

  • Software Defined Access (SD-Access)

For more information on which Cisco platforms support inline SGTs please see: Cisco Trustsec Compatibility Matrix

For Documentation on interoperability with Catalyst please see: Adaptive Policy and Catalyst Interoperability

For Documentation on interoperability with Cisco Identity Services Engine please see: Adaptive Policy and Cisco ISE

Additional Adaptive Policy Resources 

For additional information on Adaptive Policy, refer to the following links:

Adaptive Policy Overview
Adaptive Policy Configuration Guide
Adaptive Policy MS Configuration Guide
Adaptive Policy MR Configuration Guide
Adaptive Policy Telemetry
