Correct, but what I want to know is if I create an object and assign it an IP address or range specific to one network, and want to re-use that name in another network, I cannot use a different IP address or range?

The Meraki examples that explain how all this works shows an object name, Support, which is 192.168.1.0/24.  Suppose we have support in two buildings with a site-to-site VPN, and the second building also has Support, but with a different subnet.  Does that mean if I want to use an object called Support for that other network, I would have to call it Support 2?  

I have never managed any ASA firewalls and had an object whose name could not be assigned a different IP address on another ASA.  Why would I want my object names to be unique organization-wide?  For 50 sites, this will turn into Wireless01, Wireless02, ... WirelessN, and repeat it for every other object I want to create with unique IPs or subnets.  

I have not yet flipped the switch on this due to internal policy with betas in a production environment, so I don't have a way to navigate and test.

It seems like there should be both Network > Policy Objects and Organization > Policy Objects, and when applying objects to rules, some sort of notation could be displayed so an admin can differentiate them.

---

@cmr wrote:

@Brian_Scheele they are org wide, there is only Organization - Policy Objects.  I think the use is more aimed at say access to central servers where multiple networks are traffic to servers x,y and z is allowed, with policy objects you can define the server group once and re-use.

 

Are you managing multiple ASAs on different sites through one console?

---

Yes and No.  I use ASDM, which just has multiple saved connections to multiple ASAs, or SSH, but never to more than one ASA at a time, and there is no central repository of objects.  If they have/had a central object repository, it would make life nice, sort of like what Meraki is doing with Policy Objects.  It seems like they missed an opportunity here, but it is still helpful. 

From what everyone has responded, it seems like I can make it work, but I would just need to be careful not to accidentally give some random vendor, service, etc. access to multiple sites.  If Users can talk to Printers in one network, then it is quite likely then can talk to printers in any network, and a group object of Printers covering multiple sites is fine.  If a vendor needs access to something in Management, then I get more granular, not just grant access to Management itself, but instead to the exact resources needed.

The more I think of it, this probably a good way to go the way it is designed.  Create my objects, assign them to groups, apply rules, policies, etc. - whatever Meraki has enabled so far - to those groups. Not much different than with an ASA...

I always prefix  the object wit a network-identifier and if there are multiple networks with similar objects I put them in a group. But yes, for templated networks, an override-feature would be nice.

>Correct, but what I want to know is if I create an object and assign it an IP address or range specific to one network, and want to re-use that name in another network, I cannot use a different IP address or range?

You can not do that.

You can create a group called Management and add all the management subnets to it.