I am setting up a staff, guest and executive wi-fi network, all on different VLANs.
I'm interested to know if group policies are best assigned at SSID level (wi-fi bandwidth limit), in the addressing and VLANs section within the security appliance, or network-wide?
Many thanks in advance,
This KB article provides a good overview of the limitations of group policies based on product and how you can apply them: https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Po...
Generally it comes down to what you want to do with the policies. If you're only assigning a VLAN through the policy that matters for WiFi users, you could apply them via MR SSIDs and leave wired users going through the MX unaffected.
If you just want to limit per-client or per-SSID bandwidth, you can do that on the SSID without a policy. Policies would be for more customized things like different content filters, etc., or possibly bandwidth restrictions for a specific client.
I'm with @Adam. If you just want to limit WiFi client speed then don't bother using group policies - do it on the SSID.
When I do use group policies I tend to apply them on the VLAN on the MX. This is because the MX can apply many more types of restrictions.