MS425-16 support CMD encapsulation

Solved
Rayw
Here to help

Will an MS425-16 support CMD encapsulation? Will an MS425-16 preserve and propagate the CMD header if the MS425-16 is used only as a layer 2 switch for aggregate level? No client endpoints will terminate on the MS425-16. This is for Adaptive Policy and SGT tags.

1 Accepted Solution
alemabrahao
Kind of a big deal

No

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


3 Replies
alemabrahao
Kind of a big deal

For micro-segmentation policies, each hop must support preserving and propagating the CMD header. Switches that do not support CMD encapsulation may be able to still forward the tagged packets if the switch is operating in an L2 only capacity. This however means that any client / endpoints connected directly to the non-CMD capable switch will not be classified correctly with an Adaptive Policy Group (SGT) and micro-segmentation policy enforcement will not be performed.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt...

 

Adaptive Policy Requirements

Adaptive Policy has a few requirements for the feature to be enabled on a network including specific hardware and software revisions. On top of hardware and software there are a few licensing requirements to meet including: 

  • Advanced licensing on all MX/Z3+ (Advanced or SD-WAN), MR, and MS in a network when in a Per-Device Licensing organization

  • Advanced licensing organization-wide on MX/Z3+ (Advanced or SD-WAN), MR, and MS390/C9300-M when in a Co-Termination licensed organization

For more information on Per-device licensing please refer to the following documentation: Meraki Per-Device Licensing Overview

Hardware Requirements:
  • MS390 / C9300-M: all models

  • MR: all Wifi5 wave 2, Wifi6, and Wifi6E MR and CW access points. 

  • MX/Z3+: all models capable of running MX18+ firmware (MX84 is not supported due to hardware limitations)

Software Requirements:
  • MS390: 14 + (latest stable release is recommended)

  • C9300-M: CS15-21-1+  (latest stable release is recommended)

  • MR: 27 +  (latest stable release is recommended)

  • MX/Z3+: 18.1 + 

Note: If the network is a combined network please ensure both MR and MS are on their respective required firmware versions as mentioned above.

MX version 18.1 only supports preserving and propagating SGTs over AutoVPN on NAT mode MXs. Support for VPN concentrator mode MXs will come at a later release. Classification of untagged traffic and policy enforcement on MX will also come at a later release. Please see this article for more information: MX Adaptive Policy Configuration Guide

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
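
One way to check the hop-by-hop behaviour described in the reply above, using frames captured on either side of a switch. This is an added example, not part of the thread or of Meraki documentation; the CMD layout (EtherType 0x8909, then version, length, option and SGT) and the names `parse_sgt`, `build_frame` and `check_hop` are assumptions, and the sample frames are constructed.

```python
import struct

ETH_8021Q = 0x8100  # 802.1Q VLAN tag
ETH_CMD = 0x8909    # Cisco MetaData EtherType (assumption, not stated in the thread)

def parse_sgt(frame: bytes):
    """Return (sgt, inner_ethertype); sgt is None if the frame has no CMD header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    while etype == ETH_8021Q:  # step over VLAN tags on trunk links
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        _tci, etype = struct.unpack_from("!HH", frame, off)
        off += 4
    if etype != ETH_CMD:
        return None, etype
    if len(frame) < off + 8:
        raise ValueError("truncated CMD header")
    # Assumed layout: version, length, option (len:3 | type:13), SGT, inner EtherType
    version, _length, option, sgt, inner = struct.unpack_from("!BBHHH", frame, off)
    if version != 1 or (option & 0x1FFF) != 1:
        raise ValueError("unsupported CMD version or option type")
    return sgt, inner

def build_frame(sgt=None, vlan=10, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample frame: MACs, 802.1Q tag, optional CMD header, IPv4 payload."""
    frame = bytes.fromhex("020000000002" "020000000001")
    frame += struct.pack("!HH", ETH_8021Q, vlan)
    if sgt is not None:
        frame += struct.pack("!HBBHH", ETH_CMD, 1, 1, 1, sgt)
    return frame + struct.pack("!H", 0x0800) + payload

def check_hop(ingress, egress):
    """Pair frames captured before and after a hop; list those whose SGT changed or was lost."""
    findings = []
    for i, (f_in, f_out) in enumerate(zip(ingress, egress)):
        sgt_in, sgt_out = parse_sgt(f_in)[0], parse_sgt(f_out)[0]
        if sgt_in != sgt_out:
            findings.append((i, sgt_in, sgt_out))
    return findings

if __name__ == "__main__":
    before = [build_frame(sgt=100), build_frame(sgt=200)]  # constructed capture, upstream side
    after = [build_frame(sgt=100), build_frame(sgt=None)]  # constructed capture, downstream side
    for idx, sgt_in, sgt_out in check_hop(before, after):
        print(f"frame {idx}: SGT {sgt_in} entered the hop, {sgt_out} left it")
```
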

Yes, I have read that in the documentation, but it doesn't answer my question. Can an MS425-16 in layer 2 forward a CMD header? Yes or No?

Thanks

alemabrahao
Kind of a big deal

No

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.