Meraki MS and SGT (Adaptive Policy)

RaphaelL
Kind of a big deal


Hi,

After hearing a couple of sessions about SGT and TrustSec at Cisco Live, we are now interested in trying SGT/Adaptive Policy in our Meraki environment. We already have tons of MS350s and a working Cisco ISE.

1- Do you really need an MS390 to make SGT work? I don't get that part: "Without this configured on Peer to Peer links, the SGT value will not be propagated on packets. This configuration is ONLY for inline SGT capable devices and will not work with MS switches previous to the MS390" https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt...

We obviously don't want to do static assignment to ports. All dynamic via ISE.

Has anyone tried that yet? What was your experience and setup?

EDIT: I then found the more detailed doc: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt... which explained some of my questions. Silly me.

Thanks 🙂

DarrenOC
Kind of a big deal

My understanding is that you would require MS390s throughout for SGT and Adaptive Policy, which of course is a big shame for all.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
GIdenJoe
Kind of a big deal

The explanation is simple: the hardware forwarding ASICs on Classic MS switches simply do not support the extra tag in the layer 2 header. The actual disadvantage of switches is that they are constrained to what the ASICs support. We're in the same boat when it comes to NBAR on MS switches.
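
The "extra tag in the layer 2 header" is the Cisco MetaData (CMD) header that inline SGT propagation inserts between the MAC addresses and the original EtherType. The following is an added example, not code from this thread or from Cisco/Meraki: it builds an inline-tagged Ethernet frame, parses it once as a tag-unaware forwarding engine would (it sees EtherType 0x8909 and nothing else, which is why the tag is not propagated by non-capable hardware) and once as an SGT-capable device would, and strips the tag again. The field layout (EtherType 0x8909, version, length, SGT option type 0x0001, 16-bit SGT, inner EtherType) is my reading of the CMD format and the version/length values are assumptions; confirm the offsets against a packet capture before relying on them. The frame contents are constructed for the demo.

```python
import struct

# Cisco MetaData (CMD) inline SGT header constants.
# Layout assumed here (after the 12 bytes of MAC addresses):
#   EtherType 0x8909 | version | length | SGT option type | SGT | inner EtherType | payload
CMD_ETHERTYPE = 0x8909      # EtherType announcing a CMD header
CMD_VERSION = 1             # assumed version value
CMD_LENGTH = 1              # assumed length value for a single SGT option
SGT_OPTION_TYPE = 0x0001    # option type carrying the Security Group Tag
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14            # dst MAC + src MAC + first EtherType
CMD_BODY_LEN = 8            # version + length + option type + SGT + inner EtherType


def build_inline_sgt_frame(dst_mac: bytes, src_mac: bytes, sgt: int,
                           inner_ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame whose L2 header carries an inline SGT."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    cmd = struct.pack("!HBBHHH", CMD_ETHERTYPE, CMD_VERSION, CMD_LENGTH,
                      SGT_OPTION_TYPE, sgt, inner_ethertype)
    return dst_mac + src_mac + cmd + payload


def parse_tag_unaware(frame: bytes) -> dict:
    """What a forwarding engine with no CMD support makes of the frame:
    it reads the first EtherType (0x8909) and has no notion of a tag."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"ethertype": ethertype, "sgt": None, "payload": frame[ETH_HDR_LEN:]}


def parse_tag_aware(frame: bytes) -> dict:
    """Parse like an inline-SGT-capable device: peel the CMD header and
    recover the SGT and inner EtherType; untagged frames pass through."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != CMD_ETHERTYPE:
        return {"ethertype": ethertype, "sgt": None, "payload": frame[ETH_HDR_LEN:]}
    if len(frame) < ETH_HDR_LEN + CMD_BODY_LEN:
        raise ValueError("truncated CMD header")
    version, _length, opt_type, sgt, inner = struct.unpack(
        "!BBHHH", frame[ETH_HDR_LEN:ETH_HDR_LEN + CMD_BODY_LEN])
    if version != CMD_VERSION or opt_type != SGT_OPTION_TYPE:
        raise ValueError(f"unsupported CMD header: version={version} option={opt_type:#06x}")
    return {"ethertype": inner, "sgt": sgt, "payload": frame[ETH_HDR_LEN + CMD_BODY_LEN:]}


def strip_inline_sgt(frame: bytes) -> bytes:
    """Remove the CMD header, as a capable device must before sending the
    frame towards a peer that cannot parse it. The SGT is lost at this point."""
    parsed = parse_tag_aware(frame)
    return frame[:12] + struct.pack("!H", parsed["ethertype"]) + parsed["payload"]


if __name__ == "__main__":
    # Constructed sample frame: broadcast dst, arbitrary src, SGT 10, IPv4 stub payload.
    frame = build_inline_sgt_frame(bytes.fromhex("ffffffffffff"),
                                   bytes.fromhex("001122334455"),
                                   sgt=10, inner_ethertype=ETHERTYPE_IPV4,
                                   payload=bytes.fromhex("4500"))
    print("tag-unaware view:", parse_tag_unaware(frame))
    print("tag-aware view:  ", parse_tag_aware(frame))
    print("after stripping: ", parse_tag_aware(strip_inline_sgt(frame)))
```

The tag-unaware view is the interesting one: the ASIC sees an EtherType it does not recognise and, at best, punts or drops the frame; it cannot read the SGT, so policy keyed on the tag cannot be enforced or carried further.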

RaphaelL
Kind of a big deal

Let's say our branches look like this: (Branch A) MS390 -> MX250 (Internet) -> MX450 (HUB) -> (Internet) -> MX250 -> MS390 (Branch B)

Does the MX need to support SGT? Or only the access layer?

So you don't think that SGTs are coming to existing models, and they will need to release new models to support it?

PhilipDAth
Kind of a big deal

Also note you need the "SDWAN Plus" licence for the SGT tags to travel over AutoVPN.

Check out the SGT overview. I think it might answer quite a few of your questions, plus some you haven't thought about asking yet.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt...

Maybe take a read over the Meraki ISE SGT deployment guide. It might fill in a few more gaps.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy/Adapt...

PhilipDAth
Kind of a big deal

> So you don't think that the SGT are coming to existing models

It's not possible, the hardware doesn't support it.

PhilipDAth
Kind of a big deal

Also note you'll need the "MR Advanced" licence if you want SGT tags for WiFi as well.

RaphaelL
Kind of a big deal

Thanks Phil! Lots of bedtime reading 🙂
