Hi,
After attending a couple of sessions about SGT and TrustSec at Cisco Live, we are now interested in trying SGT/Adaptive Policy in our Meraki environment. We already have tons of MS350s and a working Cisco ISE.
1- Do you really need an MS390 to make SGT work? I don't get this part: "Without this configured on Peer to Peer links, the SGT value will not be propagated on packets. This configuration is ONLY for inline SGT capable devices and will not work with MS switches previous to the MS390" https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt...
We obviously don't want to do static assignment to ports. All dynamic via ISE.
Has anyone tried that yet? What was your experience and setup?
EDIT: I then found the more detailed doc: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt... which explained some of my questions. Silly me.
Thanks 🙂
My understanding is that you would require MS390s throughout for SGT and adaptive policy, which of course is a big shame for all.
The explanation is simple: the hardware forwarding ASICs on classic MS switches simply do not support the extra tag in the layer 2 header. This is the real disadvantage of switches: they are constrained by what the ASICs support. We're in the same boat when it comes to NBAR on MS switches.
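To make the "extra tag in the layer 2 header" concrete, here is an added illustration (my own example, not Meraki or Cisco code) that builds an Ethernet frame carrying an inline SGT in a Cisco MetaData (CMD) header and parses it twice: once as an SGT-aware ASIC would, and once as a classic switch that only knows the usual EtherTypes. The CMD layout used (EtherType 0x8909, version, length, SGT option type 0x0001, 16-bit SGT, then the inner EtherType) is my understanding of the header as common dissectors decode it, and the set of "classic" EtherTypes is an assumption.

```python
import struct

ETH_CMD = 0x8909       # Cisco MetaData (CMD) EtherType that carries the inline SGT
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ETH_IPV6 = 0x86DD
ETH_8021Q = 0x8100
CMD_OPT_SGT = 0x0001   # CMD option type for an SGT value (assumed)

# EtherTypes a classic, non-SGT forwarding path understands (assumed set for illustration).
CLASSIC_KNOWN = {ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_8021Q}


def build_sgt_frame(dst_mac: bytes, src_mac: bytes, sgt: int,
                    inner_ethertype: int, payload: bytes) -> bytes:
    """Build an untagged Ethernet frame with an inline CMD header carrying `sgt`.

    Assumed CMD layout: 0x8909 | version=1 | length=1 | opt type 0x0001 | SGT (2 bytes)
    | inner EtherType, followed by the original payload.
    """
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    cmd = struct.pack("!HBBHHH", ETH_CMD, 1, 1, CMD_OPT_SGT, sgt, inner_ethertype)
    return dst_mac + src_mac + cmd + payload


def parse_sgt_aware(frame: bytes) -> dict:
    """What an SGT-capable forwarding path sees: strip the CMD header, recover SGT and inner EtherType."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETH_CMD:
        return {"sgt": None, "ethertype": ethertype, "payload": frame[14:], "known": True}
    version, _length, opt_type, sgt, inner = struct.unpack_from("!BBHHH", frame, 14)
    if version != 1 or opt_type != CMD_OPT_SGT:
        raise ValueError("unsupported CMD header")
    return {"sgt": sgt, "ethertype": inner, "payload": frame[22:], "known": True}


def parse_classic(frame: bytes) -> dict:
    """What a non-SGT ASIC sees: 0x8909 is an unknown EtherType, so no SGT and no IP lookup."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype not in CLASSIC_KNOWN:
        return {"sgt": None, "ethertype": ethertype, "payload": None, "known": False}
    return {"sgt": None, "ethertype": ethertype, "payload": frame[14:], "known": True}


if __name__ == "__main__":
    # Constructed sample: SGT 10 on an IPv4 frame with a placeholder payload.
    frame = build_sgt_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                            10, ETH_IPV4, b"constructed IPv4 payload")
    print("SGT-aware view:", parse_sgt_aware(frame))
    print("Classic view:  ", parse_classic(frame))
```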
Let's say our branch looks like this: (Branch A) MS390 -> MX250 (Internet) -> MX450 (HUB) -> (Internet) -> MX250 -> MS390 (Branch B)
Does the MX need to support SGT? Or only the access layer?
So you don't think that SGT is coming to existing models; they will need to release new models to support it?
Also note you need the "SDWAN Plus" licence for the SGT tags to travel over AutoVPN.
Check out the SGT overview. I think it might answer quite a few of your questions, plus some you haven't thought about asking yet.
Maybe take a read over the Meraki ISE SGT deployment guide. It might fill in a few more gaps.
>So you don't think that the SGT are coming to existing models
It's not possible; the hardware doesn't support it.
Also note you'll need the "MR Advanced" licence if you want SGT tags for WiFi as well.
Thanks Phil! Lots of bedtime reading 🙂