Adaptive Policy limitations

cmr
Kind of a big deal

I was looking into using adaptive policy and it seems that objects can only be matched on CIDR.  I was wanting to use it in lieu of Smartports not being supported on any of the Catalyst based switches.  This would require matching on MAC or something else that does not seem to be supported.

 

Is there a way of putting IoT devices of a known type into a specific VLAN other than Smartports?  Or is there a plan to roll Smartports out to the C9x00 switches?

7 Replies
RWelch
Kind of a big deal

Unfortunately none of the C9X00 switches offer Smartports (and I doubt they ever will); I believe you'd need to adopt Cisco ISE into this equation to achieve your goal.

 

I am not familiar enough with Cisco DNA to understand if it might offer an alternative solution but it may?

alemabrahao
Kind of a big deal

@cmr wrote:

I was looking into using adaptive policy and it seems that objects can only be matched on CIDR.  I was wanting to use it in lieu of Smartports not being supported on any of the Catalyst based switches.  This would require matching on MAC or something else that does not seem to be supported.

 

Is there a way of putting IoT devices of a known type into a specific VLAN other than Smartports?  Or is there a plan to roll Smartports out to the C9x00 switches?


Yes, using MAB with RADIUS or profiling with ISE on Catalyst C9k. On Meraki MS, also possible via MAB (but less granular, no native profiling).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

cmr
Kind of a big deal
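To make the MAB-versus-CIDR distinction concrete, here is an added example (not code from the thread, from Meraki, or from Cisco) of the authorization decision a RADIUS server such as ISE or Access Manager makes when a switch sends a MAB Access-Request: the MAC arrives as the RADIUS User-Name, the server normalizes it, looks it up, and answers with a VLAN assignment and a security group tag. The device inventory, VLAN numbers, tag values and MAC addresses are constructed; the attribute names follow the standard Tunnel-* RADIUS attributes and the Cisco `cts:security-group-tag=<tag-hex>-<gen-hex>` AV-pair, which is an assumption about the exact encoding your platform expects. The example also shows the caveat a defender wants: an OUI match is weaker evidence than an exact MAC, and anything unknown lands in a quarantine VLAN rather than being rejected outright, so it can still be profiled.

```python
"""Toy MAB (MAC Authentication Bypass) authorization decision.

Models what a RADIUS server does with a MAB request from a Catalyst or
Meraki MS switch: match on the MAC (never on an IP/CIDR, which is only
known after the port is already open) and return VLAN + SGT.
All MACs, VLANs and tag values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept 'AA:BB:CC:DD:EE:FF', 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff' or
    'aabbccddeeff' (switch platforms differ) and return 'aabbccddeeff'."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return mac if _MAC_RE.fullmatch(mac) else None


@dataclass(frozen=True)
class Authz:
    vlan: int
    sgt: int          # security group tag / adaptive policy group (constructed)
    reason: str       # why this decision was taken; goes to the audit log


# Constructed inventory: exact MACs of devices we have actually onboarded.
KNOWN_DEVICES: Dict[str, Authz] = {
    "001122334455": Authz(vlan=110, sgt=10, reason="exact-mac:badge-reader"),
    "0a1b2c3d4e5f": Authz(vlan=120, sgt=20, reason="exact-mac:camera"),
}
# Constructed OUI fallback (first 6 hex digits). Weaker evidence: any device
# claiming that vendor prefix matches, so it gets the same VLAN but is logged
# distinctly so the match quality is visible in SIEM.
KNOWN_OUIS: Dict[str, Authz] = {
    "001122": Authz(vlan=110, sgt=10, reason="oui:badge-reader-vendor"),
}
# Unknown MACs are not rejected; they go to a quarantine VLAN for profiling.
QUARANTINE = Authz(vlan=999, sgt=99, reason="unknown-mac:quarantine")


def authorize_mab(user_name: str) -> Tuple[str, Dict[str, str], str]:
    """Return (RADIUS code, reply attributes, reason) for one MAB request.

    Only the MAC (User-Name) is consulted; a malformed User-Name is a
    protocol error and is rejected rather than quarantined.
    """
    mac = normalize_mac(user_name)
    if mac is None:
        return "Access-Reject", {}, "malformed-user-name"

    authz = KNOWN_DEVICES.get(mac) or KNOWN_OUIS.get(mac[:6]) or QUARANTINE
    attrs = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(authz.vlan),
        # Assumed Cisco AV-pair encoding: 4-hex-digit tag, 2-hex-digit generation.
        "Cisco-AVPair": f"cts:security-group-tag={authz.sgt:04x}-00",
    }
    return "Access-Accept", attrs, authz.reason


if __name__ == "__main__":
    # Constructed requests in the MAC formats different switches send.
    for name in ("00:11:22:33:44:55", "0011.2299.aabb", "ff-ee-dd-cc-bb-aa", "bogus"):
        code, attrs, why = authorize_mab(name)
        print(name, "->", code, attrs.get("Tunnel-Private-Group-Id"), why)
```

The decision order (exact MAC, then OUI, then quarantine) is the part worth keeping even if the attribute encoding differs on your platform: because a MAC is trivially set by the endpoint, MAB alone is an identification mechanism, not authentication, so the reason string is logged with every accept and the unknown bucket is a restricted VLAN rather than an open one.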

Thanks @alemabrahao, using MAB and then selecting Access Manager and picking MAC address might do what I want.  Time to experiment!

PhilipDAth
Kind of a big deal

You could use Meraki Access Manager and the MAB feature to assign SGT tags.

https://documentation.meraki.com/Access_Manager/Access_Manager_Overview/Architecture_and_Example_Use...

GIdenJoe
Kind of a big deal

I always hated Smartports on Cisco small business switches since they would destroy your network just by connecting one type of device to a port.

However I don't really get OP's question.
The application of the correct tag only happens on IP as a last resort.  You're supposed to use a RADIUS solution and profiling to assign the correct tag to the session, because the tag itself is just an identifier that helps with policy enforcement.

cmr
Kind of a big deal

@GIdenJoe are you referring to me as OP?  If so, I wasn't trying to use IP; I wanted to use MAC address, and I don't want the headache of running a RADIUS solution where I have a cloud-managed network.  @alemabrahao's suggestion might be the way forward in the Merakiverse; unfortunately I haven't had a chance to test it yet...

GIdenJoe
Kind of a big deal

I see.  Well, for modern-workplace kinds of customers that don't want to run their own server, you can use Access Manager as the RADIUS solution.  That gives you 802.1X + MAB with an easy tagging method.

However you can just put an adaptive policy tag on a switchport if you want 😉

What I took away from the whole TrustSec/adaptive policy approach is that the solution is meant to do away with VLAN sprawl, which I really get.  Because yes, I have customers with small branch sites that sport 20+ VLANs just to have some policies between them.