Traditional network security operates on a simple premise: devices inside the network perimeter are trusted, and devices outside are not. This model worked reasonably well when all employees sat in the same office, used company-owned desktop computers, and accessed applications hosted on local servers. But that world no longer exists. Today's UK businesses operate with hybrid workforces, cloud applications, personal devices, IoT sensors, guest Wi-Fi, and third-party contractors — all connecting to the same network infrastructure. The perimeter has dissolved, and with it, the effectiveness of perimeter-based security.
Cisco Meraki Adaptive Policy represents a fundamental shift in how network access is controlled. Rather than defining access rules based on IP addresses, VLANs, and physical switch ports — which are complex to manage and easy to circumvent — Adaptive Policy defines access based on the identity and role of the device or user. It is a practical implementation of Zero Trust networking principles, delivered through the cloud-managed Meraki dashboard that thousands of UK businesses already use to manage their network infrastructure.
This guide explains what Adaptive Policy is, how it works, why it matters for UK businesses, and how to plan and implement it in your Meraki environment.
The Problem with Traditional Network Segmentation
Before understanding Adaptive Policy, it helps to understand why traditional approaches to network segmentation are failing. In a traditional network, segmentation is achieved through VLANs (Virtual Local Area Networks) and Access Control Lists (ACLs). Devices are assigned to a VLAN based on the physical port they connect to, and ACLs control which VLANs can communicate with each other.
This approach has several critical weaknesses. First, it is operationally complex. A medium-sized UK business might have dozens of VLANs, each with its own subnet, DHCP scope, and set of ACLs. Adding a new segmentation rule requires changes across multiple switches, routers, and firewalls — a process that is time-consuming, error-prone, and difficult to audit. Second, it is static. VLAN assignments are tied to physical ports, not to users or devices. If an employee moves their laptop from their desk to a meeting room, or connects via Wi-Fi instead of Ethernet, they may end up in a different VLAN with different access rights — or worse, in an unsegmented VLAN with full network access.
Third, traditional segmentation does not scale with modern device types. IoT devices, personal smartphones on guest Wi-Fi, cloud-connected printers, and wireless presentation systems all need network access but should not have the same access as employee workstations. Managing these devices through VLANs alone creates a tangled web of rules that becomes increasingly fragile and difficult to maintain.
The Flat Network Problem
Many UK small and medium-sized businesses operate what is effectively a flat network — all devices share a single network segment with unrestricted lateral communication between them. This configuration is simple to set up and inexpensive to manage, which explains its prevalence, but it creates a serious security weakness. If an attacker compromises a single device on a flat network — whether through a phishing email, an unpatched vulnerability, or a compromised IoT device — they can move laterally to reach every other device and service on that network without encountering any barriers whatsoever.
The consequences of lateral movement are severe and well-documented. The UK's National Cyber Security Centre has repeatedly highlighted lateral movement as a primary technique in ransomware attacks against British organisations. Once inside the network, attackers enumerate file shares, reach databases holding sensitive customer data, compromise Active Directory domain controllers and deploy ransomware across the entire estate, because nothing within the network restricts which devices can communicate with which services. Effective internal segmentation is one of the most impactful controls for limiting the blast radius of a breach and preventing a compromised workstation from becoming a full-scale data breach.
The fundamental challenge is that traditional segmentation methods — VLANs and ACLs — are so operationally burdensome that many UK organisations either implement them poorly, with gaps and inconsistencies that attackers can readily exploit, or abandon the effort entirely in favour of a flat network that is simple to manage but dangerously exposed. Adaptive Policy addresses this gap directly by making robust segmentation operationally manageable, even for organisations without large dedicated networking teams or specialist security staff.
Adaptive Policy (Identity-Based)
- Access based on user and device identity
- Policies follow devices across ports and SSIDs
- Centralised management through Meraki dashboard
- Simple, human-readable policy definitions
- Scales easily with new devices and locations
- Real-time visibility into who accesses what
- Automatic policy application on connection
- Aligns with Zero Trust security principles
Traditional Segmentation (VLAN/ACL)
- Access based on physical port and IP address
- Policies tied to specific network locations
- Distributed management across multiple devices
- Complex ACLs requiring networking expertise
- Difficult to scale without operational overhead
- Limited visibility into actual device behaviour
- Manual VLAN assignment and configuration
- Perimeter-based trust model
How Adaptive Policy Works
Adaptive Policy replaces the traditional model of port-based VLAN assignment with identity-based group assignment. Instead of thinking about which VLAN a device belongs to, you think about which group it belongs to — and then define what each group can access.
The system works in three layers. The classification layer assigns each connecting device to a group. The group can come from the RADIUS server during 802.1X or MAC Authentication Bypass (a NAC such as Cisco ISE looks up the user or device and returns the group tag in the Access-Accept), from the SSID a wireless client joins, or from a static assignment on the switch port. The policy layer defines how groups may interact. For example: "Employee Workstations can access Servers and Printers but not IoT Devices" or "Guest Devices can access the Internet but nothing on the internal network." The enforcement layer applies those rules on supported Meraki switches and access points using Scalable Group Tags (SGTs): the tag travels with the traffic, so the same rule is enforced regardless of which port, SSID or site the device connects through.
Classification in Practice
The classification layer is the foundation on which all of Adaptive Policy depends, and getting it right determines whether everything above it works. For corporate workstations and laptops, 802.1X is the most reliable and secure classification method. The device authenticates against your RADIUS server (typically Cisco ISE, or another RADIUS server able to return the Cisco cts:security-group-tag attribute) using Active Directory or Microsoft Entra ID (formerly Azure AD) identities; the server maps the authenticated user or machine to a group based on directory attributes such as group membership and returns the tag in the Access-Accept, and the Meraki switch or access point applies that tag to the session. Because the decision is made per authentication rather than per port, the device receives the same access whether it is on Ethernet at a desk, on Wi-Fi in a meeting room or in a different office, eliminating the location-dependent inconsistencies inherent in VLAN-based approaches.
Devices that cannot perform 802.1X authentication, which includes most printers, IoT sensors, security cameras and other headless equipment, are classified in one of two ways. With a NAC such as Cisco ISE in place, MAC Authentication Bypass (MAB) presents the device's MAC address to RADIUS, where profiling (vendor OUI prefix, DHCP fingerprint, observed behaviour) decides the group and returns the tag, which removes much of the administrative work of tracking every non-user device. Without a NAC, the group is assigned statically on the switch port or on the SSID the device uses. One caveat applies to both MAB and port-based assignment: a MAC address is trivially spoofed and a port can be borrowed, so groups populated this way should be given the narrowest access that lets the device do its job, and critical infrastructure should sit on ports with a deterministic static assignment rather than be left to profiling confidence.
Policy Definition and the Access Matrix
The policy layer in Adaptive Policy uses a matrix model that is far easier to read than the dense syntax of traditional ACLs. Each cell in the matrix represents the access relationship between a source group and a destination group, and holds one of three settings: allow all, deny all, or a custom rule set listing the protocols and ports permitted, with a last-entry rule deciding what happens to traffic that matches none of them. The matrix also carries a default (catch-all) policy for cells you have not defined. For a typical UK SME with between 50 and 300 employees, the matrix might hold only six to ten groups, a manageable number of decisions that can be reviewed, understood and approved by non-networking staff including compliance officers, data protection leads and senior management, which is a significant advantage when demonstrating controls to external auditors and regulatory assessors.
Scalable Group Tags are the technical mechanism underpinning Adaptive Policy. Each device is assigned a tag at the point of connection, and the tag is carried inline with the device's frames across the Meraki fabric, so switches and access points decide access from the source and destination tags rather than from IP addresses. This is why the policy follows the device across ports, SSIDs and offices. It also means every switch in the path between two endpoints must support Adaptive Policy: in a mixed estate that still contains older switches unable to carry the tag, plan the upgrade path and the placement of enforcement points before relying on end-to-end enforcement.
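To make the matrix, the catch-all default and the tag lookup concrete, the following is an added example for this article (not Meraki code): an offline model in which groups are identified by SGT, each cell is allow all, deny all or a small custom ACL with a last-entry rule, undefined cells fall back to a default policy, and a flow is judged by tags rather than addresses. The group names and tag values above 2 are illustrative choices; Meraki reserves 0 for Unknown and 2 for Infrastructure. The parser at the end handles the cisco-av-pair format a RADIUS server returns to assign a tag.

```python
"""Offline model of an Adaptive Policy matrix keyed by Scalable Group Tag.

Constructed example; group names and tag values other than the reserved
0 (Unknown) and 2 (Infrastructure) are arbitrary choices for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import re

UNKNOWN_SGT = 0  # untagged or unclassified traffic lands in the Unknown group

# Group name -> SGT.
GROUPS = {
    "Unknown": 0, "Infrastructure": 2, "Workstations": 10, "Servers": 20,
    "Printers": 30, "IoT": 40, "Guest": 50, "BYOD": 60,
}


@dataclass(frozen=True)
class Rule:
    """One ACL entry: an action applied to a protocol and optional destination port."""
    action: str                      # "allow" or "deny"
    protocol: str = "any"            # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        proto_ok = self.protocol == "any" or self.protocol == protocol
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return proto_ok and port_ok


@dataclass(frozen=True)
class Cell:
    """Policy for one source group -> destination group pair."""
    rules: tuple = ()
    last_entry: str = "deny"         # applied when no ACL entry matches


ALLOW_ALL = Cell((), "allow")
DENY_ALL = Cell((), "deny")


def acl(*rules: Rule, last_entry: str = "deny") -> Cell:
    return Cell(tuple(rules), last_entry)


# The matrix, keyed by (source SGT, destination SGT). Cells not listed fall
# back to the default_policy argument of evaluate(), the matrix-wide catch-all.
MATRIX = {
    (GROUPS["Workstations"], GROUPS["Servers"]): acl(
        Rule("allow", "tcp", 445),   # SMB file shares
        Rule("allow", "tcp", 443),   # internal web applications
        Rule("allow", "udp", 53),    # DNS
    ),
    (GROUPS["Workstations"], GROUPS["Printers"]): acl(
        Rule("allow", "tcp", 9100), Rule("allow", "tcp", 631)),
    (GROUPS["Workstations"], GROUPS["IoT"]): DENY_ALL,
    (GROUPS["Guest"], GROUPS["Servers"]): DENY_ALL,
    (GROUPS["Guest"], GROUPS["Workstations"]): DENY_ALL,
    (GROUPS["IoT"], GROUPS["Servers"]): acl(Rule("allow", "tcp", 8443)),  # management server only
}


def evaluate(src_sgt: int, dst_sgt: int, protocol: str, dst_port: Optional[int],
             matrix=MATRIX, default_policy: str = "deny") -> str:
    """Return "allow" or "deny" for a flow between two tagged endpoints."""
    cell = matrix.get((src_sgt, dst_sgt))
    if cell is None:
        return default_policy          # undefined cell: matrix catch-all applies
    for rule in cell.rules:            # first matching ACL entry wins
        if rule.matches(protocol, dst_port):
            return rule.action
    return cell.last_entry


_CTS_RE = re.compile(r"^cts:security-group-tag=([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{2})$")


def parse_cts_sgt(av_pair: str) -> Optional[int]:
    """Parse the cisco-av-pair a RADIUS server returns in an Access-Accept to
    assign a tag, 'cts:security-group-tag=<tag hex>-<generation hex>'.
    Returns the SGT as an integer, or None if the attribute is malformed."""
    m = _CTS_RE.match(av_pair.strip())
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    sgt = parse_cts_sgt("cts:security-group-tag=000A-01")            # 10 = Workstations
    print(evaluate(sgt, GROUPS["Servers"], "tcp", 445))                # allow
    print(evaluate(sgt, GROUPS["Servers"], "tcp", 3389))               # deny: RDP is not in the ACL
    print(evaluate(GROUPS["Guest"], GROUPS["Servers"], "tcp", 443))    # deny
    # An unclassified device during the monitoring phase (catch-all = allow) vs enforcement
    print(evaluate(UNKNOWN_SGT, GROUPS["Servers"], "tcp", 445, default_policy="allow"))
    print(evaluate(UNKNOWN_SGT, GROUPS["Servers"], "tcp", 445))
```

The two Unknown-group calls at the end show why the catch-all matters: while every cell is still allow, an unclassified device reaches the file server; once the default flips to deny, the same device is contained without any per-device work.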
Planning Your Adaptive Policy Deployment
Successful Adaptive Policy implementation starts with careful planning. Before touching the Meraki dashboard, you need to define your groups, map your access requirements, and plan your rollout approach.
Defining Groups
Groups should reflect the different types of devices and users on your network. For a typical UK SME, the table below gives a practical starting set.
The design of your group structure is a strategic decision that has lasting implications for both the security effectiveness and the operational manageability of your segmentation implementation. Too few groups and you lose the granularity needed for meaningful security controls — grouping all employee devices together regardless of department or function provides little real benefit when Finance workstations can freely access Engineering development servers and vice versa. Too many groups and the policy matrix becomes unwieldy, with hundreds of source-destination combinations to define, test, and maintain on an ongoing basis. For most UK businesses with between 50 and 500 employees, a group structure of six to ten groups provides an effective balance between security granularity and day-to-day operational manageability.
Consider the sensitivity of the data and systems each group needs to access when defining your category structure. Devices that handle payment card data, for instance, should be placed in a dedicated group with tightly restricted access rights in accordance with PCI DSS requirements. Systems processing personal data subject to GDPR deserve their own segmentation boundary to support the principle of data protection by design and by default. Guest and BYOD devices should always be fully isolated from internal resources, as these represent the highest-risk categories on most corporate networks due to their fundamentally unmanaged nature and the unpredictable security posture of the devices themselves.
| Group Name | Description | Classification Method | Typical Access |
|---|---|---|---|
| Employee Workstations | Company-owned laptops and desktops | 802.1X via RADIUS (AD or Entra ID identity) | Servers, printers, internet, cloud apps |
| Servers | On-premises servers and services | Static assignment on switch port | Controlled inbound from workstations |
| Printers | Network printers and MFDs | MAB with profiling via RADIUS, or static port | Inbound from workstations only |
| IoT Devices | Sensors, cameras, access control | MAB with profiling via RADIUS, or static port | Management server and cloud only |
| Guest Devices | Visitor and personal devices | Guest SSID assignment | Internet only, no internal access |
| BYOD | Employee personal devices | 802.1X via RADIUS with user or device certificate | Cloud apps and internet only |
Implementation Best Practices
Roll out Adaptive Policy in phases, starting with a monitoring phase in which devices are classified and tagged but every matrix cell and the default policy are set to allow. Nothing is blocked yet, so you can verify that devices land in the right groups, find devices that are not detected or are assigned to the wrong group, and learn the real traffic patterns between groups before restricting them.
Run this phase for at least two to four weeks in production. Review client and traffic analytics in the Meraki dashboard together with your RADIUS or NAC logs to see which groups communicate with which, on which ports, and whether the patterns match your expectations. Move to enforcement only when classification is reliable and the flows are understood.
When you do enable enforcement, start with a permissive baseline and progressively tighten restrictions. Begin by blocking only the most obviously inappropriate traffic, such as guest devices reaching internal servers, then add restrictions for more nuanced scenarios in stages, each preceded by a review of which observed flows the change would block. This minimises the risk of cutting off legitimate traffic and gives your team time to report issues before they become critical.
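The review step in that monitor-then-enforce cycle can be mechanised. The following added example (not Meraki code or a dashboard export) works from a constructed table of flows observed while every cell was still allow: per source group, destination group, protocol and destination port, how many flows were seen. From it the code builds the permissive first matrix (block only the sources that should never reach anything internal), a tightened allow-list matrix that keeps only services seen often enough to be routine, and for each matrix the list of observed flows enforcement would block, so the impact is visible before the change is applied.

```python
"""Turn a monitoring phase into a reviewable enforcement plan.

Constructed example. OBSERVED is hypothetical data of the shape you would
assemble from dashboard analytics and NAC logs; the groups are the ones used
in this article.
"""
from collections import defaultdict

ANY = ("any", None)   # marker meaning "allow all services" in a cell

# (source group, destination group, protocol, destination port, flows seen)
OBSERVED = [
    ("Workstations", "Servers",      "tcp", 445,  1820),  # SMB file shares
    ("Workstations", "Servers",      "tcp", 443,   960),  # internal web applications
    ("Workstations", "Servers",      "udp", 53,   4400),  # DNS
    ("Workstations", "Servers",      "tcp", 3389,    3),  # rare RDP from a workstation: investigate
    ("Workstations", "Printers",     "tcp", 9100,  212),
    ("IoT",          "Servers",      "tcp", 8443,   75),  # cameras to their management server
    ("IoT",          "Workstations", "tcp", 445,     2),  # camera speaking SMB to a laptop: suspicious
    ("Guest",        "Servers",      "tcp", 445,     1),  # guest reaching a file server: must be blocked
]


def summarise(observed):
    """cell -> {(protocol, dst_port): flow count} as seen during monitoring."""
    cells = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port, n in observed:
        cells[(src, dst)][(proto, port)] += n
    return {cell: dict(services) for cell, services in cells.items()}


def permissive_baseline(observed, blocked_sources):
    """Phase 1: every observed cell stays allow-all except rows whose source
    should never reach anything internal. A cell absent from the result is deny."""
    return {cell: {ANY} for cell in summarise(observed) if cell[0] not in blocked_sources}


def tightened_allowlist(observed, min_flows):
    """Phase 2: each cell allows only the services seen at least min_flows
    times. Rarer services are left out so they surface in the impact review."""
    matrix = {}
    for cell, services in summarise(observed).items():
        keep = {svc for svc, n in services.items() if n >= min_flows}
        if keep:
            matrix[cell] = keep
    return matrix


def impact(observed, matrix):
    """Observed flows the proposed matrix would block (missing cell = deny all)."""
    blocked = []
    for src, dst, proto, port, n in observed:
        allowed = matrix.get((src, dst), set())
        if ANY not in allowed and (proto, port) not in allowed:
            blocked.append((src, dst, proto, port, n))
    return blocked


if __name__ == "__main__":
    phase1 = permissive_baseline(OBSERVED, blocked_sources={"Guest"})
    phase2 = tightened_allowlist(OBSERVED, min_flows=10)
    for name, matrix in (("phase 1", phase1), ("phase 2", phase2)):
        print(f"{name} would block:")
        for row in impact(OBSERVED, matrix):
            print("   ", row)
```

The threshold in tightened_allowlist is the judgement call: a service seen three times in a month is either an admin doing something legitimate but undocumented or an attacker, and the impact list is where you find out which before the cell is locked.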
Handling Unclassified and Rogue Devices
No classification system is perfect, and your Adaptive Policy deployment must account for devices that fail to classify correctly or that connect without any recognised identity. Meraki places untagged or unclassified traffic in the built-in Unknown group, so the matrix row for Unknown is effectively your quarantine policy: give it basic internet access, deny everything internal, and treat any device that appears in it as a review item until an administrator assigns it to the appropriate permanent group. A separate quarantine group for devices you have seen but not yet approved can add structure, but the Unknown row must be locked down in either case, because that is where every classification failure ends up. This default-deny posture ensures that unknown or unexpected devices cannot reach sensitive resources, whilst still providing enough connectivity for the device to be identified and investigated.
Rogue device detection is a related but distinct concern. A rogue device is an unauthorised access point or network device connected to your infrastructure without approval, for example an employee who brings a personal wireless router from home and plugs it into a network port to create their own Wi-Fi network. Rogue devices bypass your security controls entirely and create an unmonitored entry point into your network. Most Meraki access points include a dedicated scanning radio that continuously monitors the radio environment for unauthorised wireless devices (the Air Marshal feature), alerting administrators and optionally containing rogue access points by sending deauthentication frames to any clients that attempt to associate with them. Limit containment to access points that Air Marshal has confirmed are connected to your own wired LAN: deauthenticating the clients of a neighbouring organisation's legitimate network is disruptive and may be unlawful, so treat containment as an incident response action rather than a default setting.
Integrating Adaptive Policy with Broader Security Architecture
Adaptive Policy delivers the greatest security value when integrated with your broader security infrastructure rather than operating in isolation. Feed the relevant events, including 802.1X and MAB successes and failures, the group each device was assigned by RADIUS, and the appearance of devices in the Unknown group, into your SIEM or security monitoring platform. This lets your security team correlate segmentation events with other telemetry, such as endpoint detection alerts, firewall logs and authentication events, and build a complete picture of an emerging threat.
For UK organisations using Microsoft Sentinel, Splunk or similar SIEM platforms, the Meraki dashboard can push events to a syslog server and also exposes them through the Dashboard API, so they can be collected with standard log collection mechanisms. When an endpoint detection tool flags suspicious behaviour on a workstation, the corresponding network events show when and where that device authenticated, which identity it used and which group it was placed in, information that is invaluable for incident response and forensic investigation. The combination of endpoint security and identity-based network segmentation is genuine defence in depth, where each layer compensates for the limitations of the other.
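The correlation described above, as an added example for this article (not Meraki code): given an EDR alert carrying the device's MAC address and detection time, pull the network events for that MAC within a window around the alert, reduce them to flat records a SIEM can index, and list the groups the device was placed in. EVENTS is constructed sample data shaped like the records the Dashboard API returns from the network events endpoint (occurredAt, type, description, deviceName, clientMac, eventData); the event type strings, the keys inside eventData and the alert record are assumptions for the example, so check them against the current API reference and your own tooling before relying on them. In production the list would come from that endpoint or from the dashboard's syslog export.

```python
"""Correlate an endpoint alert with Meraki network events for a device.

Constructed example. EVENTS and EDR_ALERT are sample data; field names inside
eventData and the event type strings are assumptions, not a documented schema.
"""
from datetime import datetime, timedelta, timezone

EVENTS = [
    {"occurredAt": "2024-05-14T08:58:02Z", "type": "8021x_auth", "deviceName": "HQ-Floor2-SW1",
     "clientMac": "aa:bb:cc:dd:ee:01", "description": "802.1X authentication",
     "eventData": {"identity": "j.smith", "group": "Employee Workstations", "port": "14"}},
    {"occurredAt": "2024-05-14T09:31:44Z", "type": "8021x_deauth", "deviceName": "HQ-Floor2-SW1",
     "clientMac": "aa:bb:cc:dd:ee:01", "description": "802.1X deauthentication",
     "eventData": {"identity": "j.smith", "port": "14"}},
    {"occurredAt": "2024-05-14T09:33:10Z", "type": "8021x_auth", "deviceName": "HQ-Floor3-AP4",
     "clientMac": "AA:BB:CC:DD:EE:01", "description": "802.1X authentication",
     "eventData": {"identity": "j.smith", "group": "Employee Workstations", "ssid": "Corp"}},
    {"occurredAt": "2024-05-14T09:45:00Z", "type": "8021x_auth", "deviceName": "HQ-Floor2-SW1",
     "clientMac": "aa:bb:cc:dd:ee:02", "description": "802.1X authentication",
     "eventData": {"identity": "printer-07", "group": "Printers", "port": "3"}},
    {"occurredAt": "2024-05-14T13:02:00Z", "type": "8021x_auth", "deviceName": "HQ-Floor2-SW1",
     "clientMac": "aa:bb:cc:dd:ee:01", "description": "802.1X authentication",
     "eventData": {"identity": "j.smith", "group": "Employee Workstations", "port": "14"}},
]

# Constructed alert as an EDR tool might raise it (format is an assumption).
EDR_ALERT = {"hostname": "LAPTOP-42", "mac": "AA:BB:CC:DD:EE:01",
             "detectedAt": "2024-05-14T09:40:00Z",
             "title": "Suspicious PowerShell download cradle"}


def parse_ts(value):
    """Dashboard timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def norm_mac(mac):
    """Tools write MACs in different cases and separators; compare one canonical form."""
    return mac.strip().lower().replace("-", ":")


def device_timeline(alert, events, before=timedelta(hours=1), after=timedelta(hours=1)):
    """Network events for the alerting device's MAC within the window around
    detection, oldest first, each flattened into a record a SIEM can index."""
    detected = parse_ts(alert["detectedAt"])
    mac = norm_mac(alert["mac"])
    rows = []
    for event in events:
        if norm_mac(event.get("clientMac", "")) != mac:
            continue
        when = parse_ts(event["occurredAt"])
        if not (detected - before <= when <= detected + after):
            continue
        data = event.get("eventData", {})
        rows.append({
            "time": when.isoformat(),
            "type": event["type"],
            "where": event.get("deviceName"),
            "attach": f"port {data['port']}" if "port" in data else data.get("ssid"),
            "identity": data.get("identity"),
            "group": data.get("group"),
            "alert": alert["title"],
        })
    return sorted(rows, key=lambda r: r["time"])


def groups_touched(timeline):
    """Adaptive Policy groups the device was placed in during the window."""
    return sorted({row["group"] for row in timeline if row["group"]})


if __name__ == "__main__":
    timeline = device_timeline(EDR_ALERT, EVENTS)
    for row in timeline:
        print(row)
    print("groups:", groups_touched(timeline))
```

In the sample the laptop authenticated on a wired port, dropped off, and re-joined on Wi-Fi a few minutes before the alert fired; that move between attachment points, with the same identity and the same group each time, is the kind of context the endpoint tool alone cannot supply.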
Compliance and Audit Benefits
Cyber Essentials and Cyber Essentials Plus do not require internal network segmentation; the scheme's five controls cover firewalls, secure configuration, security update management, user access control and malware protection. Segmentation matters to the scheme in a different way: if you certify a subset of the organisation rather than the whole, that subset must be segregated from the rest by a firewall or VLAN, and Adaptive Policy gives you a clear, centrally documented way to show an assessor where that boundary lies and what crosses it. More generally, policies defined in plain language in one dashboard are far easier to evidence to auditors and assessors than ACLs scattered across many network devices.
Similarly, for businesses subject to the UK GDPR, the ability to isolate systems that process personal data from the rest of the network, and to evidence that isolation through clear, centralised policies, strengthens your data protection posture and simplifies reporting to the ICO in the event of an investigation.
Sector-Specific Regulatory Requirements
Different UK industries face distinct regulatory frameworks that impose specific requirements on network security and segmentation. Healthcare organisations handling NHS patient data must comply with the Data Security and Protection Toolkit (DSPT), which mandates demonstrable controls over network access and the segregation of clinical systems from general-purpose networks. Financial services firms regulated by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) must implement robust access controls as part of their operational resilience obligations, with particular emphasis on protecting trading systems, customer data repositories, and payment processing infrastructure from unauthorised lateral access.
Legal practices have professional obligations under the Solicitors Regulation Authority (SRA) to protect client-privileged information with appropriate technical safeguards, and the increasing frequency of targeted cyber attacks against UK law firms has made network segmentation a practical necessity rather than merely a regulatory aspiration. The Payment Card Industry Data Security Standard (PCI DSS), applicable to any UK business that stores, processes or transmits payment card data, does not mandate segmentation, but it is the recognised way to reduce the scope of the cardholder data environment, and where segmentation is relied on to reduce scope the standard requires it to be verified, including by penetration testing of the segmentation controls (Requirement 11.4.5 in PCI DSS v4.0). Adaptive Policy provides a clean, auditable implementation of that boundary that is significantly easier to demonstrate to a Qualified Security Assessor than the sprawl of VLANs and ACLs that characterises traditional approaches.
Scaling Adaptive Policy Across Multiple Sites
For UK businesses with multiple office locations, whether two offices or twenty, Adaptive Policy delivers consistent segmentation across the entire estate from the centralised Meraki dashboard. Groups, ACLs and the policy matrix are defined once at organisation level and apply to every supported Meraki switch and access point in each network where the feature is enabled. A new branch office built on supported hardware inherits the full segmentation policy as soon as its equipment is provisioned and connected, with no per-site policy configuration. This is a real advantage over traditional segmentation, where each office typically has its own VLAN structure, its own ACL configuration, and its own inconsistencies and gaps that accumulate over time as different engineers make changes without coordinating with other sites.
The consistency of cross-site segmentation also simplifies compliance and audit activities. A single set of policies governs the entire network, producing a single audit artefact that demonstrates your segmentation controls comprehensively. There is no need to audit each site individually, reconcile differences between VLAN structures, or explain why the Manchester office has different ACLs from the London headquarters. This operational simplicity is particularly valuable for growing UK businesses that are adding new locations and need their security posture to scale seamlessly alongside their physical footprint.
Future-Proofing Your Network Architecture
Adaptive Policy is not merely a security enhancement for your current network — it is a strategic investment in a network architecture that adapts to the evolving technology landscape. As UK businesses adopt new categories of connected devices — smart building management systems, AI-powered meeting room hardware, autonomous environmental sensors, wireless charging infrastructure — each new device category can be incorporated into Adaptive Policy simply by creating a new group and defining its access matrix. The network architecture itself does not need to change; the segmentation framework absorbs new device types and new requirements without the upheaval of VLAN redesigns, subnet restructuring, or ACL rewrites.
For organisations considering mergers, acquisitions, or rapid organic growth, this adaptability is especially valuable. Integrating a newly acquired company's devices into your network is dramatically simpler when segmentation is managed through identity-based policies rather than location-specific VLAN assignments. The acquired estate's devices are classified into groups based on their function and identity, and the existing policy matrix governs their access from day one — reducing the network integration timeline from months to weeks and ensuring that security standards are maintained throughout the transition period.
Cisco Meraki Adaptive Policy brings enterprise-grade Zero Trust segmentation to organisations of all sizes, delivered through the intuitive cloud dashboard that makes Meraki the platform of choice for thousands of UK businesses. If you are already invested in the Meraki ecosystem, Adaptive Policy is the logical next step in maturing your network security posture.
The investment required to implement Adaptive Policy is modest compared to the security benefit it delivers, but check the hardware prerequisites first. Adaptive Policy needs switches and access points that support it (the MS390 and cloud-managed Catalyst 9300 series switches, and Wi-Fi 6 or later Meraki access points) with the Advanced licence tier; earlier MS-series switches cannot carry or enforce group tags, so an estate built on them needs a hardware plan before policies can be enforced end to end. Where the hardware is in place, the feature is enabled and configured through the existing dashboard, and the primary investment is planning time: designing your group structure, mapping access requirements, and running a proper monitor-then-enforce deployment cycle. For UK businesses that have experienced the frustration of failed traditional segmentation projects, or that recognise the unacceptable risk of operating a flat network in an increasingly hostile threat landscape, Adaptive Policy provides a practical, achievable path to meaningful network segmentation that scales with the organisation and stands up to audit scrutiny.
Ready to Implement Adaptive Policy?
Cloudswitched is a Cisco Meraki specialist, helping UK businesses design, deploy, and manage Adaptive Policy for stronger network segmentation. Get in touch to discuss how identity-based access control can protect your network.