Adaptive policy question


1. Trying to block a DNS IP (which is outside the AdP domain) from a device in IoT. IoT has tag 268; for DNS I created an adaptive policy object with the DNS IP, then tied the policy object to an SGT (10) in a group, then created a policy to block traffic between 268 and 10. But I can still ping it.

My understanding was that when the traffic hits the switch, the switch will look at the destination IP, then figure out the destination SGT from the IP-SGT mapping, evaluate the policy and drop the traffic, but it's still pinging. Am I not understanding this correctly?

2. For east-west traffic it's working fine, but I can still ping infrastructure SGT traffic. For instance, if I block IoT from Staff, then IoT will not ping Staff, but IoT can still ping the Staff SVI IP, which is tagged with the infrastructure SGT, and IoT to infra SGT is blocked.

Appreciate any help and meaningful insight.

2 Replies

Ensure that your policy to block traffic between SGT 268 and 10 is not being overridden by a higher-priority policy that allows this traffic. Also verify that the IP-SGT mapping is correctly configured, and check your SGACL configuration to make sure the SGACL associated with your policy is correctly configured to deny the desired traffic. The SGACL defines what traffic is permitted or denied between different SGTs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

So it's RADIUS-assigned, then port-based, then manual IP-SGT map, then manual VLAN-SGT map; that's the order of priority.
DNS is of course not getting a tag any other way than IP-SGT mapping, so it's not overwritten. Policy is deny, I checked again.
It's a Meraki switch, how do I do SGACL? It's all AdP policy based.
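A small model, added here and not taken from the thread or from Meraki, of the lookup the original poster describes: classify each endpoint into an SGT using the precedence stated above, then look the (source, destination) pair up in the policy matrix. Comparing its verdict with what the switch actually does narrows a "still pings" case down to either the mapping step or the policy entry. SGTs 268 and 10 are from the post; the addresses, VLANs, port, the Staff and infrastructure tags and the policy entries are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed values. 268 (IoT) and 10 (DNS policy object) come from the post;
# addresses, VLANs, the port and the Staff/infrastructure tags are assumed.
INFRA_SGT = 2                                    # assumed tag for SVIs
IP_SGT_MAP = {
    ip_network("10.50.0.53/32"): 10,             # DNS server policy object -> SGT 10
    ip_network("10.20.0.0/24"): 300,             # Staff subnet -> SGT 300 (assumed)
    ip_network("10.20.0.1/32"): INFRA_SGT,       # Staff SVI, modelled as a /32 mapping
    ip_network("10.30.0.1/32"): INFRA_SGT,       # IoT SVI
}
VLAN_SGT_MAP = {20: 300, 30: 268}                # VLAN 20 Staff, VLAN 30 IoT (assumed)
PORT_SGT_MAP = {"gi1/0/8": 268}                  # port-based tag (assumed)

# Policy matrix keyed by (source SGT, destination SGT); unlisted pairs are permitted.
POLICY = {(268, 10): "deny", (268, 300): "deny", (268, INFRA_SGT): "deny"}

def classify(ip, radius_sgt=None, port=None, vlan=None):
    """Return the SGT for an endpoint using the precedence stated in the thread:
    RADIUS-assigned > port-based > manual IP-SGT map > manual VLAN-SGT map."""
    if radius_sgt is not None:
        return radius_sgt
    if port in PORT_SGT_MAP:
        return PORT_SGT_MAP[port]
    addr = ip_address(ip)
    # Longest-prefix match over the manual IP-SGT mappings (a /32 beats its /24).
    matches = [net for net in IP_SGT_MAP if addr in net]
    if matches:
        return IP_SGT_MAP[max(matches, key=lambda net: net.prefixlen)]
    if vlan in VLAN_SGT_MAP:
        return VLAN_SGT_MAP[vlan]
    return None  # untagged endpoint: no SGT pair to evaluate

def verdict(src_sgt, dst_sgt):
    """Look the pair up in the matrix; an untagged end or a missing entry permits."""
    if src_sgt is None or dst_sgt is None:
        return "permit"
    return POLICY.get((src_sgt, dst_sgt), "permit")

def expected_verdict(src_ip, dst_ip, src_port=None, src_vlan=None):
    """Classify both ends the way the poster expects the switch to, then evaluate."""
    src = classify(src_ip, port=src_port, vlan=src_vlan)
    dst = classify(dst_ip)
    return verdict(src, dst)

if __name__ == "__main__":
    # IoT host (VLAN 30) to the DNS object: the model says deny.
    print(expected_verdict("10.30.0.77", "10.50.0.53", src_vlan=30))
    # IoT host to the Staff SVI: the /32 infra mapping wins, so deny as well.
    print(expected_verdict("10.30.0.77", "10.20.0.1", src_vlan=30))
```

If the switch permits a flow the model denies, the place to look is whichever step the model took for that flow: the tag each end actually received, or the matrix entry for that exact pair.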
