As of Oct 2023, on Meraki Launchpad🚀 , we extended the existing Adaptive Policy demonstration from the MS390 switching platform to include MX and MR products. This update lets demo users showcase an end-to-end adaptive policy and secure group tag solution across the Meraki Secure & SD-WAN, switching, and wireless platforms.
Demo org: Meraki Launchpad🚀
Networks: San Francisco - Adaptive Policy and Sydney
Meraki Launchpad is covering the following scenarios:
- Dynamic SGT assignment on the MS390 platform based on RADIUS attributes (Adaptive Policy clients)
- Per-port SGT assignment on the MX (Port 6 > 18: employees-sales)
- SGT transport over AutoVPN (VPN settings > Peer SGT capable)
- Static SGT assignment based on the MR SSID (mCLOUD-RETAIL-SYD-Sales SSID)
Verification
As illustrated, ICMP traffic was initiated between clients. To verify the Adaptive Policy solution in this demonstration, two packet captures were done on points A and B (see the locations in the above topology).
- Point A: port#1 of the MS390-24UX, uplink of both MS390 switches
- Point B: port#2 of the MS390-24UX, the interconnection between two MS390s
Conclusion: As illustrated in the Wireshark screenshot above, both the wired and wireless interfaces of the client, Billy Merchant, from the Sydney network were sending ICMP Echo requests to the client Sam Colt (172.26.10.17) in the SFO-ADP network. The SGT 18 was successfully transmitted over the AutoVPN. However, due to the presence of a deny policy between SGT 17 and 18, the client Sam Colt did not receive these Echo requests, resulting in the absence of captured Echo replies.
Conclusion: As depicted in the Wireshark screenshot above, the client Mary Anderson (172.26.10.19) was able to communicate with the client Sam Colt (172.26.10.17) despite the encapsulation of different SGTs(17 vs 19). Conversely, the client Elijah McCoy (172.26.10.18) was prevented from sending traffic to Sam Colt, even though they are within the same local LAN. This restriction arises from the presence of a traffic denial adaptive policy between SGT 17 and 18.
For more information about this feature and configuration guides for each product, please consult the documentation Adaptive Policy Overview.
