Meraki

Community

East-West segmentation on Meraki SWs

Solved
nwstud
New here
‎Oct 23 2024 8:56 AM
‎Oct 23 2024 8:56 AM

East-West segmentation on Meraki SWs

Hi fellow community members, I am in the middle of an implementation of a new branch office using MX firewalls, Cat9300x and MS250 switches.  The plan is to have all layer3 vlans of the customer site on the Cat9300x meraki managed switches. So basically they will host all the layer3 vlans of the site and there will be a default route pointing to the MX security appliances. 

Now I was looking for a way to do East-West segmentation or in other words inter-vlan segmentation using group policies. But to my surprise, group policies are only available as an option for Security appliances and Wireless. So you need to have your Layer3 vlans on the MX otherwise you cannot apply them. 

 

What options do I have for East-West segmentation in my current design? I am sure this is a common scenario outthere. 

Labels:
0 Kudos
1 Accepted Solution
MartinLL
Building a reputation
‎Oct 23 2024 9:15 AM
‎Oct 23 2024 9:15 AM

You have the ACL options.

Check here and here.

I would consider having the tightly controlled networks on the MX while keeping networks of the same security regiment on the switch for example.

MLL

View solution in original post

8 Replies 8
dcatiller
Getting noticed
‎Oct 23 2024 9:12 AM
‎Oct 23 2024 9:12 AM

Are you native IOSXE on the Cat 9300s or did you put them into Meraki with CS software? 

I have a couple of Cat 9300s stacked and wedged between my MX pair and MS switches, but I'm using extended access lists on the Cat9300s because they are native. I would think going with Meraki CS on the Catalyst switches would allow you to use Group Policy on them, but don't know for sure. 

0 Kudos
In response to dcatiller
nwstud
New here
‎Oct 23 2024 10:03 AM
‎Oct 23 2024 10:03 AM

They are in Meraki CS software, not native. And strangely no Group Policies available for the switches. This is disappointing!

0 Kudos
RWelch
A model citizen
‎Oct 23 2024 9:15 AM
‎Oct 23 2024 9:15 AM

This might help answer your question:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy_for_M...

0 Kudos
In response to RWelch
nwstud
New here
‎Oct 23 2024 11:01 AM
‎Oct 23 2024 11:01 AM

All this points to MX, nothing for the switches. 

0 Kudos
In response to nwstud
RWelch
A model citizen
‎Oct 23 2024 11:11 AM
‎Oct 23 2024 11:11 AM

Correct and for full implementation of Adaptive Policy is referenced in the link shared.

Adaptive Policy with Security Group Tags simplifies network segmentation and boosts security without sacrificing agility or flexibility.

Additional Adaptive Policy Resources 

Adaptive Policy Overview
Adaptive Policy Configuration Guide
Adaptive Policy MS Configuration Guide
Adaptive Policy MR Configuration Guide
Adaptive Policy Telemetry

0 Kudos
MartinLL
Building a reputation
‎Oct 23 2024 9:15 AM
‎Oct 23 2024 9:15 AM

You have the ACL options.

Check here and here.

I would consider having the tightly controlled networks on the MX while keeping networks of the same security regiment on the switch for example.

MLL
In response to MartinLL
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 23 2024 10:25 AM
‎Oct 23 2024 10:25 AM

As mentioned by @MartinLL , I’d move my L3 up to the MX

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 23 2024 12:59 PM
‎Oct 23 2024 12:59 PM

If you buy an MS Advanced Licence, you can use Adaptive Policy on your C9300.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy_Overv...

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.