Traditional network security operates on a simple premise: devices inside the network perimeter are trusted, and devices outside are not. This model worked reasonably well when all employees sat in the same office, used company-owned desktop computers, and accessed applications hosted on local servers. But that world no longer exists. Today's UK businesses operate with hybrid workforces, cloud applications, personal devices, IoT sensors, guest Wi-Fi, and third-party contractors — all connecting to the same network infrastructure. The perimeter has dissolved, and with it, the effectiveness of perimeter-based security.
Cisco Meraki Adaptive Policy represents a fundamental shift in how network access is controlled. Rather than defining access rules based on IP addresses, VLANs, and physical switch ports — which are complex to manage and easy to circumvent — Adaptive Policy defines access based on the identity and role of the device or user. It is a practical implementation of Zero Trust networking principles, delivered through the cloud-managed Meraki dashboard that thousands of UK businesses already use to manage their network infrastructure.
This guide explains what Adaptive Policy is, how it works, why it matters for UK businesses, and how to plan and implement it in your Meraki environment.
The Problem with Traditional Network Segmentation
Before understanding Adaptive Policy, it helps to understand why traditional approaches to network segmentation are failing. In a traditional network, segmentation is achieved through VLANs (Virtual Local Area Networks) and Access Control Lists (ACLs). Devices are assigned to a VLAN based on the physical port they connect to, and ACLs control which VLANs can communicate with each other.
This approach has several critical weaknesses. First, it is operationally complex. A medium-sized UK business might have dozens of VLANs, each with its own subnet, DHCP scope, and set of ACLs. Adding a new segmentation rule requires changes across multiple switches, routers, and firewalls — a process that is time-consuming, error-prone, and difficult to audit. Second, it is static. VLAN assignments are tied to physical ports, not to users or devices. If an employee moves their laptop from their desk to a meeting room, or connects via Wi-Fi instead of Ethernet, they may end up in a different VLAN with different access rights — or worse, in an unsegmented VLAN with full network access.
Third, traditional segmentation does not scale with modern device types. IoT devices, personal smartphones on guest Wi-Fi, cloud-connected printers, and wireless presentation systems all need network access but should not have the same access as employee workstations. Managing these devices through VLANs alone creates a tangled web of rules that becomes increasingly fragile and difficult to maintain.
| Adaptive Policy (Identity-Based) | Traditional Segmentation (VLAN/ACL) |
|---|---|
| Access based on user and device identity | Access based on physical port and IP address |
| Policies follow devices across ports and SSIDs | Policies tied to specific network locations |
| Centralised management through Meraki dashboard | Distributed management across multiple devices |
| Simple, human-readable policy definitions | Complex ACLs requiring networking expertise |
| Scales easily with new devices and locations | Difficult to scale without operational overhead |
| Real-time visibility into who accesses what | Limited visibility into actual device behaviour |
| Automatic policy application on connection | Manual VLAN assignment and configuration |
| Aligns with Zero Trust security principles | Perimeter-based trust model |
How Adaptive Policy Works
Adaptive Policy replaces the traditional model of port-based VLAN assignment with identity-based group assignment. Instead of thinking about which VLAN a device belongs to, you think about which group it belongs to — and then define what each group can access.
The system works in three layers. The classification layer identifies devices and assigns them to a group based on their identity. This can be determined by 802.1X authentication (using Active Directory credentials), MAC address, device type detected through profiling, or manual assignment. The policy layer defines the rules governing how groups interact. For example: "Employee Workstations can access Servers and Printers but not IoT Devices" or "Guest Devices can access the Internet but nothing on the internal network." The enforcement layer applies these policies at the switch port level using Scalable Group Tags (SGTs), ensuring that the rules are enforced regardless of where or how a device connects.
Scalable Group Tags are the technical mechanism underpinning Adaptive Policy. Each device that connects to the network is assigned a tag based on its group membership. This tag travels with the device's traffic throughout the network, enabling switches to make access decisions based on the source and destination tags rather than IP addresses. Because tags are assigned at the point of connection and carried in the network frame, they work consistently regardless of which port the device uses, which SSID it connects to, or which office it is in.
Planning Your Adaptive Policy Deployment
Successful Adaptive Policy implementation starts with careful planning. Before touching the Meraki dashboard, you need to define your groups, map your access requirements, and plan your rollout approach.
Defining Groups
Groups should reflect the different types of devices and users on your network. For a typical UK SME, a practical starting set of groups might include the following categories.
| Group Name | Description | Classification Method | Typical Access |
|---|---|---|---|
| Employee Workstations | Company-owned laptops and desktops | 802.1X (AD credentials) | Servers, printers, internet, cloud apps |
| Servers | On-premises servers and services | Static assignment by IP/MAC | Controlled inbound from workstations |
| Printers | Network printers and MFDs | Device profiling | Inbound from workstations only |
| IoT Devices | Sensors, cameras, access control | Device profiling / MAC | Management server and cloud only |
| Guest Devices | Visitor and personal devices | Guest SSID association | Internet only — no internal access |
| BYOD | Employee personal devices | 802.1X with device certificate | Cloud apps and internet only |
Implementation Best Practices
Roll out Adaptive Policy in phases, starting with monitor mode. In monitor mode, the system classifies devices and applies group tags but does not enforce access restrictions. This allows you to verify that devices are being classified correctly, identify any devices that are not being detected or are being assigned to the wrong group, and understand the current traffic patterns between groups before restricting them.
Run monitor mode for at least two to four weeks in a production environment. During this period, review the Adaptive Policy traffic flow reports in the Meraki dashboard to understand which groups are communicating with each other and whether the patterns match your expectations. Only when you are confident that classification is working correctly and you understand the traffic flows should you move to enforcement mode.
When you do enable enforcement, start with a permissive baseline and progressively tighten restrictions. Begin by blocking only the most obviously inappropriate traffic — such as guest devices accessing internal servers — and then gradually add restrictions for more nuanced scenarios. This approach minimises the risk of blocking legitimate traffic and gives your team time to report any issues before they become critical.
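The tag-based policy matrix described under "How Adaptive Policy Works" and the monitor-then-enforce, permissive-then-tightened rollout described above can be modelled in a few lines. The following is an added Python example, not Meraki's code and not part of the original page; the SGT numbers, the sample flows, the default-rule behaviour and the in-memory decision log are assumptions chosen to mirror the planning table.

```python
from dataclasses import dataclass, field

# Assumed SGT numbers for the planning-table groups (constructed, not Meraki defaults).
GROUPS = {"Employee Workstations": 10, "Servers": 20, "Printers": 30,
          "IoT Devices": 40, "Guest Devices": 50, "BYOD": 60}

@dataclass
class PolicyMatrix:
    """Group-to-group rules keyed by (source SGT, destination SGT); a flow
    with no explicit rule falls back to default_rule."""
    rules: dict = field(default_factory=dict)
    default_rule: str = "allow"   # permissive baseline, tightened later
    enforce: bool = False         # False = monitor mode: record, never block
    log: list = field(default_factory=list)

    def set_rule(self, src, dst, action):
        self.rules[(GROUPS[src], GROUPS[dst])] = action

    def evaluate(self, src_sgt, dst_sgt):
        """Return True if forwarded; a 'deny' is logged in both modes but only dropped in enforce mode."""
        action = self.rules.get((src_sgt, dst_sgt), self.default_rule)
        if action == "deny":
            self.log.append((src_sgt, dst_sgt, "blocked" if self.enforce else "would-block"))
            return not self.enforce
        return True

def build_baseline(enforce=False):
    """Phase one: block only the obviously inappropriate flows."""
    pm = PolicyMatrix(enforce=enforce)
    pm.set_rule("Guest Devices", "Servers", "deny")
    pm.set_rule("Guest Devices", "Employee Workstations", "deny")
    pm.set_rule("IoT Devices", "Employee Workstations", "deny")
    return pm

def tighten(pm):
    """Phase two: flip the default to deny and allow only known-good flows."""
    pm.default_rule = "deny"
    pm.set_rule("Employee Workstations", "Servers", "allow")
    pm.set_rule("Employee Workstations", "Printers", "allow")

# Constructed sample flows as (source group, destination group).
SAMPLE_FLOWS = [("Employee Workstations", "Servers"), ("Guest Devices", "Servers"),
                ("Printers", "Employee Workstations"), ("IoT Devices", "Employee Workstations")]

def run(enforce=False, tightened=False):
    """Evaluate the sample flows and return (forwarded flags, decision log)."""
    pm = build_baseline(enforce)
    if tightened:
        tighten(pm)
    return [pm.evaluate(GROUPS[s], GROUPS[d]) for s, d in SAMPLE_FLOWS], pm.log
```

Running `run()` in monitor mode forwards every flow but records the two guest and IoT flows as would-be blocks, which is the review material the monitoring phase is meant to produce; `run(enforce=True, tightened=True)` shows the printer-to-workstation flow being dropped once the default flips to deny, the kind of legitimate traffic a phased rollout is designed to surface before it is blocked.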
Compliance and Audit Benefits
For UK businesses pursuing Cyber Essentials Plus certification, implementing network segmentation is a key requirement. Adaptive Policy provides a cleaner, more auditable approach to segmentation than traditional VLANs, because the policies are defined in plain language in a central dashboard rather than scattered across ACLs on multiple network devices. This makes it significantly easier to demonstrate your segmentation controls to auditors and assessors.
Similarly, for businesses subject to GDPR, the ability to isolate systems that process personal data from the rest of the network — and to prove that isolation through clear, centralised policies — strengthens your data protection posture and simplifies compliance reporting to the ICO in the event of an investigation.
Cisco Meraki Adaptive Policy brings enterprise-grade Zero Trust segmentation to organisations of all sizes, delivered through the intuitive cloud dashboard that makes Meraki the platform of choice for thousands of UK businesses. If you are already invested in the Meraki ecosystem, Adaptive Policy is the logical next step in maturing your network security posture.
Ready to Implement Adaptive Policy?
Cloudswitched is a Cisco Meraki specialist, helping UK businesses design, deploy, and manage Adaptive Policy for stronger network segmentation. Get in touch to discuss how identity-based access control can protect your network.