Microsegmentation with Meraki Adaptive Policies


When it comes to networking and user-based security policies in a Cisco environment, a lot of people will immediately point to Cisco ISE and its process of creating policies based on a wide range of factors. Now when you think of Meraki, a lot of people still have the mindset that Meraki is built around simple network management and ease of deployment, which it is. They look to other Cisco products for the larger-scale, more in-depth, and customizable security features. That is a view that a lot of “old-school” engineers still keep. Meraki is now once again pushing boundaries and bridging the gap, bringing their product forward as a true enterprise option.

User-based security and microsegmentation are hot topics in the market right now, and for good reason. The idea is that admins should only give the required, minimum amount of permissions needed for each user or application. Period. Housing users and devices on a flat network where everyone shares the same permissions is just not a viable option in the enterprise nowadays. With Meraki Adaptive Policies, Meraki is making sure they are a viable enterprise option for the more security-minded environments.

How are they going to pull that off?

By using numerical tags, Cisco SGTs (security group tags), you can now configure policies in the Meraki environment that determine exactly what users and devices are able to access. Once you create these policies in the Meraki dashboard, you choose how to apply them to groups of devices and users. There are a few options, which makes this very tunable and usable in your Meraki network. You can assign an SGT statically to a switchport for whichever device is connected, use a RADIUS server such as ISE to pass the value once a device/user is authenticated, or use the fallback method of IP-to-SGT mapping for external resources you wish to grant permissions to. Does this all sound familiar? Just a little bit? It sounds a lot like the core functionality of Cisco ISE, to me at least.

So about these policies, how easy are they to configure? One thing that struck me was how similar creating a policy looked to Cisco DNA Center. Objects are grouped, and then you control which groups can communicate with which groups. A few clicks and you could make any range of needed changes to your network, large or small.

Meraki Adaptive Policy Creation
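To make the two ideas above concrete, here is a small, added Python model (not Meraki code) of the flow: an endpoint gets an SGT from one of the three classification methods, and a group-to-group matrix then decides whether two endpoints may talk. The precedence between the methods (RADIUS result, then static switchport tag, then IP-to-SGT fallback) and the default-deny for unclassified devices are assumptions of this model, as are the sample group numbers and addresses.

```python
"""Toy SGT policy engine modelling the Adaptive Policy flow (added example).
Assumed precedence: RADIUS-assigned SGT > static switchport tag > IP-to-SGT fallback;
anything left unclassified is SGT 0 and is denied in every direction."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

UNKNOWN_SGT = 0  # constructed value for "no classification matched"

@dataclass
class Endpoint:
    ip: str
    port: Optional[str] = None        # switchport the device sits on, if any
    radius_sgt: Optional[int] = None  # SGT handed back by the RADIUS server, if any

@dataclass
class Classifier:
    static_port_sgt: Dict[str, int] = field(default_factory=dict)  # port -> SGT
    ip_to_sgt: Dict[str, int] = field(default_factory=dict)        # CIDR -> SGT

    def classify(self, ep: Endpoint) -> int:
        if ep.radius_sgt is not None:               # 1. dynamic, from ISE/RADIUS
            return ep.radius_sgt
        if ep.port in self.static_port_sgt:         # 2. static switchport assignment
            return self.static_port_sgt[ep.port]
        addr = ip_address(ep.ip)                    # 3. IP-to-SGT fallback, longest prefix wins
        hits = [(ip_network(c), t) for c, t in self.ip_to_sgt.items() if addr in ip_network(c)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else UNKNOWN_SGT

@dataclass
class PolicyMatrix:
    allowed: Set[Tuple[int, int]]  # (src SGT, dst SGT) pairs; anything unlisted is denied

    def decide(self, src_sgt: int, dst_sgt: int) -> str:
        if UNKNOWN_SGT in (src_sgt, dst_sgt):
            return "deny"                           # never pass an unclassified device
        return "allow" if (src_sgt, dst_sgt) in self.allowed else "deny"

def evaluate(clf: Classifier, matrix: PolicyMatrix, src: Endpoint, dst: Endpoint) -> Tuple[int, int, str]:
    s, d = clf.classify(src), clf.classify(dst)
    return s, d, matrix.decide(s, d)

# Constructed sample: 10 = Employees (via RADIUS), 20 = Cameras (static port), 30 = Servers (IP map)
SAMPLE_CLASSIFIER = Classifier(static_port_sgt={"sw1/7": 20},
                               ip_to_sgt={"10.50.0.0/16": 30})
SAMPLE_MATRIX = PolicyMatrix(allowed={(10, 30), (20, 30)})  # both groups reach servers, nothing else
```

Because the matrix lists only permitted pairs, employee-to-camera and camera-to-employee traffic is denied without anyone writing a deny rule, which is the least-privilege posture the post argues for.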

Time to go Hybrid

So what happens if you are not a 100% Meraki enterprise? Or maybe your environment consists of Meraki at some locations and Cisco + ISE at others. To ensure the best experience for your users, you would want the policies to be the same in both areas, right? Meraki understands that this is a very real scenario. They have created an open-source Docker container which acts as a policy sync tool. Create your policies in either ISE or the Meraki dashboard and the other will be updated accordingly.

Meraki ISE Policy Sync Tool

Coming Soon

As it stands, this is still in beta, but it is a large step forward for Meraki toward being more of an enterprise solution. From the beginning, Meraki seemed to be positioned for smaller environments while the “classic” Cisco products handled the enterprise… Meraki is truly bringing cloud networking to the enterprise with these recent features, though. They simply cannot be ignored any longer. With these and future feature additions, Meraki can now be seen as a parallel option to the other classic Cisco products for a lot of use cases. Go ahead and think of a feature you would want that Meraki is lacking… Now wait… I bet they try to address that with a future feature release too!

For more information on this and other new Meraki features, be sure to catch one of the latest episodes of Tech Field Day from their Cisco Live Virtual Experience, which I was fortunate enough to be a part of. You can find that below:
