Adaptive Policy not working?

Solved
ksumann
Getting noticed

Hello everyone,

I'm trying to test Adaptive Policy and I'm wondering why it's not working.

So here is my current setup:

- MX68 with Advanced Security License
- 2 VLANs: A 192.168.0.0/24 (MX IP: 92.168.0.1) and B 192.168.1.0/24 (MX IP: 92.168.1.1)
- Port 3 Access, VLAN A
- Port 4 Access, VLAN B
- 2 Adaptive Policy Objects, matching the VLANs
- 2 Adaptive Policy Groups, each containing one of the policy objects (Policy Object Binding)
- An Adaptive Policy to deny any traffic between those two groups
- Adaptive Policy enabled for the network

Still, a client connected to Port 4 (VLAN B) is able to ping the MX IP in VLAN A.

A packet capture on the MX, LAN side, does not show any tagging.

What did I miss?

Is the MX capable of tagging the packets? Policy Object Binding sounds like it.

Greetings

1 Accepted Solution
RWelch
Kind of a big deal

What did I miss? The scenario you describe above would likely work IF you had a TrustSec-capable switch in the equation and your client devices were connected to the switch ports vs. the MX itself.

As mentioned by @alemabrahao: The MX can tag packets with Security Group Tags (SGTs) for Adaptive Policy, but enforcement is always done at the destination device - not at the MX itself.

SGT tagging is only visible and enforced when the destination device supports SGT and Adaptive Policy. If your MX is the only device in the path, it will tag traffic, but there is no enforcement unless another device (like a Meraki switch with Adaptive Policy enabled) is the destination.

SGTs are not visible in standard IP packet captures as they are part of Cisco's proprietary CMD encapsulation.

In an Adaptive Policy network, the policy is enforced at the destination network device. This creates a highly scalable policy framework, as the network device only needs to worry about the tags of the clients that are directly attached to it and not about IP prefixes. This does, however, come with some fairly rigid requirements for micro-segmentation, including end-to-end support of the CMD encapsulation.

Adaptive Policy Overview

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

4 Replies
alemabrahao
Kind of a big deal

If you're only using the MX68 without any Meraki MS switches, then Adaptive Policy won't be enforced between VLANs. The MX can define policies, but enforcement happens on MS switches that support TrustSec.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy_Overv...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ksumann
Getting noticed

Thanks for answering. I thought it would work if the MX is the destination device.

So to make it work, there must always be a switch between the MX and a client; it's not possible to have a client directly connected to the MX.

RWelch
Kind of a big deal

The MX tags traffic, but does not enforce Adaptive Policy rules for traffic between directly connected clients on its own LAN ports. Enforcement is designed for scenarios where the destination is another network device (such as a Meraki switch) that supports Adaptive Policy.
