SD-Access and Meraki AP local switching mode compatibility

Madura Malwatte · ‎08-23-2022

Trying to get my head around how WLAN's advertised on Meraki AP's work in an SD-Access environment.

- Meraki AP connected to a fabric enabled SD-Access switch port

- Meraki obviously doing local switching (flex connect mode), where data traffic for each WLAN is dumped onto the fabric switchport.

- Meraki AP doing radius with ISE for WLAN-Corp but no radius for WLAN-Guest (instead using meraki captive portal)

So how does this actually work? I see a few issues: for WLAN-Guest - Meraki just dumps the guest user into a vlan (say VLAN 10), ISE has no notion of the guest endpoint except for the mac address of the guest that shows up on the fabric enabled switchport (is my understanding correct)? So on ISE I guess we need to somehow match this guest MAC addr then have an authz policy to tell SDA to put the guest into the correct VN,SGT, IP Pool?

For WLAN-Corp where Meraki is using ISE for radius, we authenticate the corp user and set the SGT and have the same SGT value created on Meraki dashboard's Adaptive Policy Group Tag setting? But how do we set the SDA VN and IP Pool for this wifi user when their traffic hits the fabric enabled port?

Is just setting the SGT via ISE enough (with matching SGT on Meraki as Adaptive Policy Group Tag), would this be enough for fabric enabled switch to know what do it?

I think I am missing something fundamental here. Is there any guide explaining in detail how meraki AP flexconnect mode can work with SDA?

jedolphi · ‎08-24-2022

Hi Madura,

At the time of this writing our lead motion for seamless wired and wireless configuration and policy in SD-Access is Fabric Enabled Wireless which is built upon Catalyst 9000 WLC and the Cisco AP models listed in the SD-Access Compatibility Matrix -> http://cs.co/sda-compatibility-matrix

You'll notice that right now Meraki is not listed in the SDA CM. This means the two systems are configured as "ships in the night" and you'll need to stitch them together yourself.

Regarding the data plane, if you connect Meraki AP to an SDA FE trunk port then you can align the VLAN ID handed off from Meraki AP to a commensurate SDA FE access VLAN and IP pool.

Regarding SGT, I don't know if Meraki AP supports data plane SGT propagation, it's possible they do, and if they do you could _maybe_ manually enable SGT propagation between the Cisco wired SDA switch and the Meraki AP, remaining cognizant of the Meraki TrustSec scale limits (per-AP max number of SGTs, max number of SGACLs, number of endpoints, etc). By today's standards wired SDA + Merkai wireless + e2e SGT would qualify as an advanced and uncommon design and as such there's nothing on cisco.com covering this topic. I suggest you talk to your SE about this proposal because it will require thorough scrutiny to make sure nothing has been missed.

Also I might mention that when the wireless solution is not integrated to LISP (i.e. non-fabric wireless) then there can be a roaming latency increase (driven by SDA native MAC and IP theft checks) that can interfere with realtime voice on the wireless endpoints. I’m not sure if you're aware of that roaming latency limitation and/or have factored it into your design. There is some potential workarounds but they also come with caveats - again please talk to your SE about it because this is a deep topic not easily covered in a written forum.

Best regards, Jerome