East-West segmentation on Meraki SWs

Solved
nwstud
New here

Hi fellow community members, I am in the middle of an implementation of a new branch office using MX firewalls, Cat9300x and MS250 switches. The plan is to have all layer 3 VLANs of the customer site on the Cat9300x Meraki-managed switches. So basically they will host all the layer 3 VLANs of the site and there will be a default route pointing to the MX security appliances.

Now I was looking for a way to do East-West segmentation, or in other words inter-VLAN segmentation, using group policies. But to my surprise, group policies are only available as an option for Security appliances and Wireless. So you need to have your layer 3 VLANs on the MX, otherwise you cannot apply them.

What options do I have for East-West segmentation in my current design? I am sure this is a common scenario out there.

1 Accepted Solution
MartinLL
Building a reputation

You have the ACL options.

Check here and here.

I would consider having the tightly controlled networks on the MX while keeping networks of the same security regiment on the switch for example.

MLL

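The accepted answer points at switch ACLs as the East-West control when the L3 VLANs stay on the switch. The script below is an added example (not from the thread, and not Cisco Meraki's code) that shows what such an ACL looks like and the two things that bite people: MS switch ACLs are stateless and first-match with a default "allow any" at the bottom, so every allowed flow needs an explicit return-traffic rule, and a rule placed after a broader one never fires. The VLAN names and subnets are invented for the example; the rule fields mirror the Dashboard API switch ACL rule shape (comment, policy, ipVersion, protocol, srcCidr, srcPort, dstCidr, dstPort, vlan), but no API call is made here, so it runs offline.

```python
"""Build and sanity-check a stateless East-West ACL for a Meraki MS switch.

Added example. The addressing below is constructed, not the poster's site,
and nothing here talks to the Dashboard API; it only produces the rule list
you would push with the switch ACL endpoint.
"""
from ipaddress import ip_address, ip_network

# Constructed site plan (invented subnets).
VLANS = {
    "users":    "10.10.10.0/24",
    "printers": "10.10.20.0/24",
    "servers":  "10.10.30.0/24",
    "iot":      "10.10.40.0/24",
}

# Intent: (src_vlan, dst_vlan, protocol, dst_port). All other East-West traffic is denied.
ALLOWED_FLOWS = [
    ("users", "servers", "tcp", "443"),
    ("users", "printers", "tcp", "9100"),
    ("iot", "servers", "tcp", "8883"),
]


def _rule(comment, policy, proto, src, sport, dst, dport):
    """One ACL entry in the Dashboard API field layout (IPv4 only, any VLAN tag)."""
    return {"comment": comment, "policy": policy, "ipVersion": "ipv4",
            "protocol": proto, "srcCidr": src, "srcPort": sport,
            "dstCidr": dst, "dstPort": dport, "vlan": "any"}


def build_acl(vlans, allowed_flows):
    """Allowed flows (both legs) first, then pairwise inter-VLAN denies, then allow north."""
    rules = []
    for src, dst, proto, dport in allowed_flows:
        rules.append(_rule(f"{src}->{dst} {proto}/{dport}", "allow", proto,
                           vlans[src], "any", vlans[dst], dport))
        # MS ACLs are stateless: without this reply rule the server's SYN/ACK
        # hits the inter-VLAN deny and the handshake never completes.
        rules.append(_rule(f"reply {dst}->{src} {proto}/{dport}", "allow", proto,
                           vlans[dst], dport, vlans[src], "any"))
    for a, sa in vlans.items():
        for b, sb in vlans.items():
            if a != b:
                rules.append(_rule(f"deny {a}->{b}", "deny", "any", sa, "any", sb, "any"))
    # Traffic towards the MX default route is left alone. The switch ACL ends in
    # an implicit allow anyway; the explicit rule just makes the intent visible.
    rules.append(_rule("allow to MX/Internet", "allow", "any", "any", "any", "any", "any"))
    return rules


def _cidr_ok(cidr, ip):
    return cidr.lower() == "any" or ip_address(ip) in ip_network(cidr)


def _eq_or_any(rule_value, value):
    return rule_value.lower() == "any" or rule_value == str(value)


def first_match(rules, proto, src, sport, dst, dport):
    """First-match evaluation of a 5-tuple, falling through to the implicit allow."""
    for r in rules:
        if (_eq_or_any(r["protocol"], proto) and _cidr_ok(r["srcCidr"], src)
                and _eq_or_any(r["srcPort"], sport) and _cidr_ok(r["dstCidr"], dst)
                and _eq_or_any(r["dstPort"], dport)):
            return r
    return {"comment": "implicit allow", "policy": "allow"}


def _covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    def cidr(o, i):
        return o.lower() == "any" or (i.lower() != "any"
                                      and ip_network(i).subnet_of(ip_network(o)))
    return (_eq_or_any(outer["protocol"], inner["protocol"])
            and cidr(outer["srcCidr"], inner["srcCidr"])
            and _eq_or_any(outer["srcPort"], inner["srcPort"])
            and cidr(outer["dstCidr"], inner["dstCidr"])
            and _eq_or_any(outer["dstPort"], inner["dstPort"]))


def shadowed_rules(rules):
    """Comments of rules that can never fire because an earlier rule covers them."""
    return [r["comment"] for i, r in enumerate(rules)
            if any(_covers(p, r) for p in rules[:i])]


if __name__ == "__main__":
    acl = build_acl(VLANS, ALLOWED_FLOWS)
    for r in acl:
        print(f'{r["policy"]:5} {r["protocol"]:4} {r["srcCidr"]}:{r["srcPort"]} -> '
              f'{r["dstCidr"]}:{r["dstPort"]}  # {r["comment"]}')
    print("shadowed:", shadowed_rules(acl))
```

Run it once with `shadowed_rules()` before pushing any change: a common mistake is to append a new allow below the pairwise denies, which this check reports immediately, while the dashboard accepts the rule silently.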

8 Replies
dcatiller
Getting noticed

Are you native IOSXE on the Cat 9300s or did you put them into Meraki with CS software? 

I have a couple of Cat 9300s stacked and wedged between my MX pair and MS switches, but I'm using extended access lists on the Cat9300s because they are native. I would think going with Meraki CS on the Catalyst switches would allow you to use Group Policy on them, but don't know for sure. 

nwstud
New here

They are in Meraki CS software, not native. And strangely no Group Policies available for the switches. This is disappointing!

RWelch
A model citizen
nwstud
New here

All this points to MX, nothing for the switches. 

RWelch
A model citizen

Correct, and the full implementation of Adaptive Policy is referenced in the link shared.

Adaptive Policy with Security Group Tags simplifies network segmentation and boosts security without sacrificing agility or flexibility.

Additional Adaptive Policy Resources 

Adaptive Policy Overview
Adaptive Policy Configuration Guide
Adaptive Policy MS Configuration Guide
Adaptive Policy MR Configuration Guide
Adaptive Policy Telemetry

DarrenOC
Kind of a big deal

As mentioned by @MartinLL , I’d move my L3 up to the MX

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
PhilipDAth
Kind of a big deal

If you buy an MS Advanced Licence, you can use Adaptive Policy on your C9300.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy_Overv...
