Hi fellow community members, I am in the middle of an implementation of a new branch office using MX firewalls, Cat9300X and MS250 switches. The plan is to have all layer 3 VLANs of the customer site on the Cat9300X Meraki-managed switches. So basically they will host all the layer 3 VLANs of the site and there will be a default route pointing to the MX security appliances.
Now I was looking for a way to do East-West segmentation, or in other words inter-VLAN segmentation, using group policies. But to my surprise, group policies are only available as an option for Security appliances and Wireless. So you need to have your layer 3 VLANs on the MX, otherwise you cannot apply them.
What options do I have for East-West segmentation in my current design? I am sure this is a common scenario out there.
You have the ACL options.
I would consider having the tightly controlled networks on the MX while keeping networks of the same security regiment on the switch for example.
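To make the ACL option concrete, here is an added example (not code from the thread or from Cisco Meraki) that models a switch IPv4 ACL for east-west segmentation when the layer 3 VLAN interfaces stay on the Cat9300/MS stack. The addressing (VLAN 10 users, VLAN 20 servers, VLAN 30 IoT under a 10.10.0.0/16 site summary) is constructed, and two things are assumed rather than taken from the page: rules are evaluated top-down with the first match winning, and the dashboard ends the list with an implicit "allow any". The rule field names in `to_dashboard_rules` mirror the Dashboard API switch ACL rule objects as I remember them; treat them as an assumption and check the current API reference before pushing anything.

```python
"""Offline model of a Meraki switch (MS / Catalyst in CS mode) IPv4 ACL used for
east-west segmentation when the L3 VLAN interfaces live on the switch stack.

Added example; not code from the thread or from Cisco Meraki. Assumptions beyond
the constructed addressing: top-down first-match evaluation and an implicit
"allow any" appended by the dashboard. Dashboard API field names are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    comment: str
    policy: str            # "allow" | "deny"
    protocol: str          # "any" | "tcp" | "udp" | "icmp"
    src_cidr: str          # "any" or CIDR
    dst_cidr: str          # "any" or CIDR
    dst_port: str = "any"  # "any" or a single port number as a string
    vlan: str = "any"      # "any" or an ingress VLAN id as a string


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None
    vlan: Optional[int] = None


# Constructed site addressing: VLAN 10 users, VLAN 20 servers, VLAN 30 IoT, all
# inside a 10.10.0.0/16 summary. Anything outside it follows the default route
# to the MX and is left to the MX firewall rules.
SITE = "10.10.0.0/16"
USERS, SERVERS, IOT = "10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"

RULES = [
    Rule("users to web tier", "allow", "tcp", USERS, SERVERS, "443"),
    Rule("site DNS", "allow", "udp", SITE, "10.10.20.53/32", "53"),
    # Intra-VLAN allows are listed explicitly so the site-wide deny below cannot
    # catch bridged traffic if the platform applies the ACL to it (assumption).
    Rule("intra-VLAN users", "allow", "any", USERS, USERS),
    Rule("intra-VLAN servers", "allow", "any", SERVERS, SERVERS),
    Rule("intra-VLAN IoT", "allow", "any", IOT, IOT),
    # Everything else that stays inside the site is east-west and gets denied;
    # traffic leaving the site falls through to the implicit allow.
    Rule("block other inter-VLAN", "deny", "any", SITE, SITE),
]


def _cidr_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if rule.dst_port != "any" and flow.dst_port != int(rule.dst_port):
        return False
    if rule.vlan != "any" and flow.vlan != int(rule.vlan):
        return False
    return _cidr_match(rule.src_cidr, flow.src_ip) and _cidr_match(rule.dst_cidr, flow.dst_ip)


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First matching rule decides; otherwise the dashboard's implicit allow."""
    for rule in rules:
        if matches(rule, flow):
            return rule.policy, rule.comment
    return "allow", "implicit allow"


def _covers(outer: str, inner: str) -> bool:
    """Does the 'any'/CIDR value `outer` cover every address of `inner`?"""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed(rules: list[Rule]) -> list[str]:
    """Comments of rules that can never match because an earlier rule already
    matches a superset of their traffic: the classic first-match ordering bug."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.protocol in ("any", later.protocol)
                    and earlier.dst_port in ("any", later.dst_port)
                    and earlier.vlan in ("any", later.vlan)
                    and _covers(earlier.src_cidr, later.src_cidr)
                    and _covers(earlier.dst_cidr, later.dst_cidr)):
                out.append(later.comment)
                break
    return out


def to_dashboard_rules(rules: list[Rule]) -> list[dict]:
    """Rule objects in the shape the Dashboard API switch ACL endpoint takes
    (assumed field names; verify against the current API reference)."""
    return [{"comment": r.comment, "policy": r.policy, "ipVersion": "ipv4",
             "protocol": r.protocol, "srcCidr": r.src_cidr, "srcPort": "any",
             "dstCidr": r.dst_cidr, "dstPort": r.dst_port, "vlan": r.vlan}
            for r in rules]


if __name__ == "__main__":
    for f in (Flow("10.10.10.5", "10.10.20.10", "tcp", 443, 10),
              Flow("10.10.10.5", "10.10.20.10", "tcp", 22, 10),
              Flow("10.10.30.7", "10.10.10.5", "tcp", 445, 30),
              Flow("10.10.10.5", "8.8.8.8", "tcp", 443, 10)):
        print(f, "->", evaluate(RULES, f))
    print("shadowed:", shadowed(RULES))
```

Run it with a few flows before committing the ruleset in the dashboard: the users-to-web flow and an outbound flow should come back allowed, SSH from users to servers and SMB from IoT to users should be denied, and `shadowed` should return an empty list. Put the site-wide deny above the specific allows and `shadowed` flags every allow as dead, which is exactly the mistake that silently turns a segmentation ACL into a blanket block.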
Are you native IOSXE on the Cat 9300s or did you put them into Meraki with CS software?
I have a couple of Cat 9300s stacked and wedged between my MX pair and MS switches, but I'm using extended access lists on the Cat9300s because they are native. I would think going with Meraki CS on the Catalyst switches would allow you to use Group Policy on them, but don't know for sure.
They are in Meraki CS software, not native. And strangely no Group Policies available for the switches. This is disappointing!
This might help answer your question:
All this points to MX, nothing for the switches.
Correct, and the full implementation of Adaptive Policy is referenced in the link shared.
Adaptive Policy with Security Group Tags simplifies network segmentation and boosts security without sacrificing agility or flexibility.
Additional Adaptive Policy Resources
Adaptive Policy Overview
Adaptive Policy Configuration Guide
Adaptive Policy MS Configuration Guide
Adaptive Policy MR Configuration Guide
Adaptive Policy Telemetry
As mentioned by @MartinLL , I’d move my L3 up to the MX
If you buy an MS Advanced Licence, you can use Adaptive Policy on your C9300.