For complete security and functionality, Adaptive Policy (SGT) must be supported by every device in the network. If an intermediate device does not support the CMD encapsulation used for SGT, it will drop SGT-tagged frames.

Pro Tip

Adaptive Policy definitions only apply in one direction. To block traffic entirely between two groups, you must manually define a block policy for both directions of traffic.

When considering MS SGT assignments, it is essential to keep the following considerations in mind:

Hardware requirements:

Switch and firewall: Ensure that your Meraki switch and firewall model support SGT functionality. Check the datasheet or documentation for hardware compatibility.

Catalyst in Meraki-managed mode: If using a Cisco Catalyst switch in Meraki-managed mode, verify that the specific Catalyst model and software version support SGT assignments.

Wireless: If integrating SGT assignments with wireless devices, confirm that your wireless access points are compatible with SGT functionality.

Compatibility with other Cisco technologies: Consider how SGT assignments interact with your network’s other Cisco technologies. Ensure compatibility with technologies such as Cisco ISE for authentication and authorization.

Software and licensing requirements: The Adaptive Policy feature is part of the MS Advanced license, which provides additional security features beyond the standard Enterprise license. To use the Adaptive Policy feature, you need to have the appropriate licensing level that includes this feature. Refer to the official Cisco Meraki documentation to get accurate and up-to-date information about licensing requirements and feature availability.

For more detailed information regarding micro-segmentation on the Meraki platform, visit https://documentation.meraki.com and search for the keyword Adaptive Policy or Micro-segmentation.

Operating and Optimizing Meraki Switches

This section covers several tools and tricks available in the Dashboard to help you easily manage your switching deployment, regardless of the scope or scale of your deployment or the changes you are making.

Virtual Stacking

Meraki MS switches offer centralized management of switch ports through site-level virtual stack logic, enabling seamless search and configuration changes across thousands of switch ports in a network. Unlike traditional stacking methods, virtual stacking does not demand a physical connection, allowing switches to be located in different physical places and even consist of various switch models.

Consider the scenario of adding a new service VLAN that would require modifying the allowed-VLAN configuration across multiple trunk ports on multiple switches. In the Dashboard, you can open the virtual stacking page by navigating to Switch > Switch Ports. Once there, you can easily search for all trunk ports using the term is:trunk, as shown in Figure 7-31. You can then select a subset of these ports and make a bulk edit on the switch port.

Figure 7-31 Using Virtual Stacking to Search for and Edit Multiple Trunk Ports in a Network

You can also use combination filters to add more search criteria, such as is:trunk VLAN:native 128 to search for all trunk ports configured with native VLAN 128, as shown in Figure 7-32.

Figure 7-32 Using Combo Filters in Search Criteria

Here are a few other useful search filters:

lldp:mr: To search for switch ports connected to Meraki access points

lldp:mr56: To search for switch ports connected to MR56 access points

is:uplink: To search for uplink ports

vlan:"60": To search for switch ports on VLAN number 60

vlan:"native 60": To search for switch ports with native VLAN number 60

tag:"myfavport": To search for switch ports that match the given tag value

Note

These are only a few sample filters. For the full list of available filters, search https://documentation.meraki.com with the keywords Searching ports.

You can find more information on virtual stacking shortcuts at https://documentation.meraki.com by viewing the article “Switch Ports.”
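To make the filter semantics concrete, here is an added Python example (not Meraki's own implementation and not a Dashboard API call) that applies the is:, lldp:, vlan:, and tag: filters above to a constructed port inventory. The matching rules are assumptions for illustration: lldp: does a prefix match on words of the neighbor's LLDP system name, vlan:N matches an access port on that VLAN or a trunk that carries it, and all terms in a query are ANDed.

```python
import shlex

# Constructed sample inventory (not real Dashboard data); allowed_vlans is "all" or a list.
PORTS = [
    {"switch": "MS-A", "port": 1, "type": "trunk", "native_vlan": 128, "allowed_vlans": "all",
     "lldp_system": "Meraki MR56", "uplink": True, "tags": ["uplink"]},
    {"switch": "MS-A", "port": 2, "type": "access", "vlan": 60,
     "lldp_system": "", "uplink": False, "tags": ["myfavport"]},
    {"switch": "MS-B", "port": 1, "type": "trunk", "native_vlan": 60, "allowed_vlans": [10, 60, 128],
     "lldp_system": "Meraki MR46", "uplink": False, "tags": []},
    {"switch": "MS-B", "port": 48, "type": "trunk", "native_vlan": 1, "allowed_vlans": [1, 10, 128],
     "lldp_system": "", "uplink": True, "tags": ["uplink", "core"]},
]

def parse_query(query):
    # shlex strips the quotes, so vlan:"native 60" and vlan:native 60 both become
    # the term ("vlan", "native 60"): a bare "native" swallows the following number.
    tokens = shlex.split(query)
    terms, i = [], 0
    while i < len(tokens):
        key, sep, value = tokens[i].partition(":")
        if not sep:
            raise ValueError(f"expected key:value, got {tokens[i]!r}")
        if value == "native" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            value, i = f"native {tokens[i + 1]}", i + 1
        terms.append((key.lower(), value.lower()))
        i += 1
    return terms

def matches(port, key, value):
    if key == "is":  # is:trunk, is:access, is:uplink
        return port["uplink"] if value == "uplink" else port["type"] == value
    if key == "lldp":  # prefix match on any word of the neighbor's LLDP system name
        return any(w.startswith(value) for w in port["lldp_system"].lower().split())
    if key == "vlan" and value.startswith("native "):
        return port["type"] == "trunk" and port["native_vlan"] == int(value[7:])
    if key == "vlan":  # access port on that VLAN, or a trunk that carries it
        if port["type"] == "access":
            return port["vlan"] == int(value)
        allowed = port["allowed_vlans"]
        return port["native_vlan"] == int(value) or allowed == "all" or int(value) in allowed
    if key == "tag":
        return value in [t.lower() for t in port["tags"]]
    raise ValueError(f"unknown filter key {key!r}")

def search(query, ports=PORTS):
    # Every term must match (terms are ANDed); returns "switch/port" labels in inventory order.
    terms = parse_query(query)
    return [f"{p['switch']}/{p['port']}" for p in ports if all(matches(p, k, v) for k, v in terms)]
```

Running search("is:trunk vlan:native 128") against this inventory returns only MS-A/1, which mirrors the combination filter shown in Figure 7-32.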

Firmware Upgrade Consideration on MS

We recommend allocating a minimum of 30 minutes for a firmware upgrade window on Meraki switches. The actual duration can vary depending on factors such as the time of day and the bandwidth of your Internet connection, which can affect the download speed of the firmware across all your switches.

During the firmware upgrade window, the switches will initiate the new firmware download. Once the download is complete, a 20-minute timer starts before the switches reboot and install the new firmware. Meraki recommends that, outside of an upgrade process, all switches within a network should run the same firmware version. This ensures consistency and compatibility across the network. In some cases, if necessary, the Meraki support team can pin a specific firmware version to a switch. This means the switch will not receive the standard firmware upgrades and will remain on the pinned version until further notice or a different pinning instruction is given.

By allowing sufficient time for the firmware upgrade window and ensuring that all switches within the network run the same firmware version, you can effectively manage firmware updates on your Meraki switches and maintain a stable and up-to-date network environment.

An important and useful feature to be aware of when working with switch firmware upgrades is the staged upgrade feature in Meraki switches, which allows administrators to divide a network of switches into smaller groups. Each group can then have its firmware upgraded at separate times. This approach provides more flexibility and control during the upgrade process.

When planning to upgrade upstream and downstream switches on the same day, it is extremely helpful to schedule a 30- to 60-minute interval between each stage. This time gap allows for the complete download and verification of the new firmware, ensuring it does not disrupt an ongoing upgrade in a downstream switch. Another common use case for staged upgrades is to upgrade a large network over an extended period of time, such as several days or even weeks. For example, initially the upgrade may be pushed to a single IDF closet each round, culminating with the MDF finally being upgraded after all IDF devices have successfully upgraded.

For more information on MS firmware upgrades, go to https://documentation.meraki.com and view the article “MS Firmware Upgrades.”