cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is the best practice for assigning group policies?

JMG
Just browsing

What is the best practice for assigning group policies?

Hi,

 

I am setting up a staff, guest and executive wi-fi network all on different VLAN's.

I'm interested to know if group policies are best assigned at SSID level (wi-fi bandwidth limit), the addressing and VLAN's section within security appliance, or in network-wide?

 

Many thanks in advance,

 

Jake

3 REPLIES 3
Kind of a big deal

Re: What is the best practice for assigning group policies?

This KB article provides a good overview of the limitations of group policies based on product and how you can apply them: https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Po...

 

Generally it comes down to what you want to do with the policies. If you're only assigning a VLAN through the policy that matters for WiFi users, you could apply them via MR SSID's and leave wired users going through the MX unaffected. 

MRCUR | CMNO #12
Kind of a big deal

Re: What is the best practice for assigning group policies?

If you just want to limit per client or per SSID bandwidth you can do that on the SSID without a policy.  Policies would be for more customized things like different content filters etc...  Or possibly bandwidth restrictions for a specific client. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Kind of a big deal

Re: What is the best practice for assigning group policies?

I'm with @Adam.  If you just want to limit WiFi client speed then don't bother using group policies - do it on the SSID.

 

When I do use group policies I tend to apply them on the VLAN on the MX.  This is because the MX can apply many more types of restrictions.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.