Meraki and SGT

Solved
irwin
Conversationalist


Hello everyone,

I have a customer with hybrid Wi-Fi: some remote sites with Meraki MR and other remote sites with another manufacturer.

This customer also has the same hybrid for wired access: some Meraki MS and some other-manufacturer switches.

He also has a RADIUS server: Windows NPS (I don't know the Windows version yet).

I am thinking about this design:

  • replace all "other manufacturer" devices with Meraki (AP and switch)
  • replace Windows NPS with ISE

The goal is, beyond having 100% Cisco devices (which I know is a good start for every network infrastructure 🙂), to provide EAP chaining (with EAP-TEAP as a prerequisite) and microsegmentation. I already did this with DNAC, but I've never done it with Meraki. So my questions are:

  • Am I right in saying that SGACLs configured in ISE will not be synced to the Meraki dashboard?
  • So what I want as SGACLs will have to be configured in Adaptive Policy?
  • Adaptive Policy is organisation-wide, so a rule that denies SGT 2 to SGT 3 will deny it for every network?
  • Is it the NAD that applies the policy, so if it is wireless access the rule will act (allow or deny) on the MR and if it is wired access the rule will act on the MS?
  • Is every MS and MR compatible (no minimum hardware requirement)?

Thanks for any reply.

1 Accepted Solution
CptnCrnch
Kind of a big deal

6 Replies
CptnCrnch
Kind of a big deal
irwin
Conversationalist

Thank you for your links!

Inderdeep
Kind of a big deal

@irwin: Apart from what @CptnCrnch provided on Adaptive Policy, please find the link on how to configure Adaptive Policy Group Tag (SGT) creation in the Meraki Dashboard and have rule-set configurations on Cisco ISE. It will definitely help you answer your queries.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt...

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
Bruce
Kind of a big deal

@irwin, it’s well worth reading all the documentation others have posted. Hopefully that will answer some questions and provide more detail. Specifically with regard to your questions, I’ve made some comments below.

  • Am I right in saying that SGACLs configured in ISE will not be synced to the Meraki dashboard?

Yes, you are right. There is no native sync between ISE and Adaptive Policy in Cisco ISE. Although I believe there is a small applet that has been developed to sync the trust matrix in ISE with the Adaptive Policy matrix; you have to define one as the master. You will need to contact support or your local Meraki SE about this.

  • So what I want as SGACLs will have to be configured in Adaptive Policy?

If you’re going full Meraki then you need Adaptive Policy anyway, it’s just whether you sync it from Cisco ISE or not (see above). I would only be syncing it from Cisco ISE if I was running a hybrid Catalyst/Meraki environment.

  • Adaptive Policy is organisation-wide, so a rule that denies SGT 2 to SGT 3 will deny it for every network?

Yes, that’s the idea of Adaptive Policy. It negates the need to keep writing and re-writing individual ACLs across all your networks. But you need hardware that supports it across your organisation; see your last question.

  • Is it the NAD that applies the policy, so if it is wireless access the rule will act (allow or deny) on the MR and if it is wired access the rule will act on the MS?

Yes, the policy is applied at the edge. Depending on the exact traffic flow it is applied on the ingress/source device or the egress/destination device. To your point, it’s not as clear cut as wireless traffic on the MR, wired traffic on the MS, as often the SGACL is applied at the destination, but it is always processed at the edge. (The reason for processing at the destination is that the frame carries the SGT of the source; the SGT of the destination generally isn’t known until the frame gets to the destination. I know Meraki has a more comprehensive view of the network than the traditional Catalyst world, but I don’t believe there have been any major changes to this approach.)

  • Is every MS and MR compatible (no minimum hardware requirement)?

Unfortunately not. In the MS range it’s only the MS390 that supports Adaptive Policy, and you need to run the MS14 firmware. For the MR devices it needs to be an 802.11ac Wave 2 or later device (excluding MR20 and MR70), with MR27 firmware. If you’re using Meraki SD-WAN between sites then the MX needs a version of MX16 firmware to support the encapsulation of the SGT; I’m not sure if the MX16 version that supports this is available or ‘coming’.

If there are any devices in the network that don’t support SGTs then the tag will just get dropped (best case; worst case with some vendors is the switch believes the frame is corrupt). Unfortunately with Adaptive Policy/Meraki there is currently no implementation of SXP, so once you’ve lost that tag it’s gone, so you need everything to be SGT/Adaptive Policy capable. If you’re not using Meraki SD-WAN this includes the WAN carriage, which almost certainly won’t be.
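To turn the compatibility and tag-loss points in the reply above into a quick design pre-check, here is an added example (it is not code from this thread, from Meraki or from Cisco). The hop-capability rules are the ones stated in that reply; the device models, firmware numbers and paths in the inventory are constructed, and treating each firmware train as "that version or later" is an assumption.

```python
# Added example, not from the thread: walk a traffic path hop by hop and report
# where the SGT would be lost. Rules per Bruce's reply: MS390 on MS14, Wave 2 MR
# (not MR20/MR70) on MR27, MX on MX16 for SD-WAN; anything else drops the tag,
# and with no SXP the tag cannot be recovered once it is gone.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Hop:
    kind: str            # "MR", "MS", "MX", "WAN" or "other"
    model: str = ""
    firmware: int = 0    # major firmware train, e.g. 14 for MS14
    wave2: bool = True   # MR only: 802.11ac Wave 2 or later

def carries_sgt(hop: Hop) -> bool:
    """True if this hop preserves the SGT (assumes 'that train or later')."""
    if hop.kind == "MS":
        return hop.model == "MS390" and hop.firmware >= 14
    if hop.kind == "MR":
        return hop.wave2 and hop.model not in ("MR20", "MR70") and hop.firmware >= 27
    if hop.kind == "MX":
        return hop.firmware >= 16          # SD-WAN encapsulation of the tag
    return False                           # carrier WAN or other vendor

def check_path(path: List[Hop]) -> Tuple[bool, Optional[str]]:
    """Return (tag_survives, first hop that drops it); once dropped it is gone."""
    for hop in path:
        if not carries_sgt(hop):
            return False, f"{hop.kind} {hop.model}".strip()
    return True, None

# Constructed inventories (illustrative models/firmware, not a real deployment):
# SD-WAN between sites, a carrier WAN in the middle, and a legacy AP at the edge.
SDWAN_PATH = [Hop("MR", "MR44", 27), Hop("MS", "MS390", 14), Hop("MX", "MX68", 16),
              Hop("MX", "MX68", 16), Hop("MS", "MS390", 14)]
CARRIER_PATH = [Hop("MR", "MR44", 27), Hop("MS", "MS390", 14), Hop("WAN", "MPLS"),
                Hop("MS", "MS390", 14)]
LEGACY_AP_PATH = [Hop("MR", "MR20", 27), Hop("MS", "MS390", 14)]

if __name__ == "__main__":
    for name, path in [("sdwan", SDWAN_PATH), ("carrier", CARRIER_PATH),
                       ("legacy-ap", LEGACY_AP_PATH)]:
        ok, where = check_path(path)
        print(f"{name}: {'tag survives' if ok else 'tag lost at ' + where}")
```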

PhilipDAth
Kind of a big deal

This is the adaptive policy sync tool that Meraki released (as open-source).

https://github.com/meraki/adaptive-policy-ise-sync

irwin
Conversationalist

Hello Bruce,

Thank you for your detailed answer!
