TTechclick All lessons
Progress0%
Cisco Meraki · Access Control · NAC & SGTInteractive · L1 / L2 / L3

Cisco Meraki Access Control — 802.1X, RADIUS, ISE & Adaptive Policy (SGT)

Who gets onto the network, and what are they allowed to touch once they are in? That is access control. Skip the wall of text — pick a control below, watch the 802.1X handshake and an SGT-tagged frame actually move, ask the in-page AI tutor anything, and you are done.

📅 2026-05-31 · ⏱ 12 min · 3 animated demos + flip cards · 🏷 10-Q assessment + AI Tutor inline

By the end you will be able to

⚡ Quick Answer

Cisco Meraki access control explained the AI-era way — pick a control type, watch an 802.1X / RADIUS handshake and an SGT-tagged packet transform live, ask the in-page AI tutor, and master 802.1X, dynamic VLANs, Cisco ISE and Adaptive Policy (SGT) in 12 minutes instead of 60.

Pick a control — jump straight to it

1

802.1X & RADIUS

WPA2-Enterprise on MR, port auth on MS. The supplicant / authenticator / server handshake.

 2

Dynamic VLAN + ISE

RADIUS returns a VLAN, a group policy, an SGT. Cisco ISE decides by user + device + posture.

 3

Adaptive Policy (SGT)

Tag the traffic, not the subnet. One policy matrix replaces a forest of ACLs.

 4

Troubleshoot

"Auth failing / VLAN wrong / SGT dropped" → a 4-step playbook + a 2025 CVE you must patch.
Read as:

Before anything — the doorman, the ID-checker and the ID card

Imagine a fancy office building. The doorman at the gate does not personally know everyone — he just relays your ID to the security desk at the back, which holds the real records. The desk says "yes, let her in, give her the 3rd-floor badge", and only then does the doorman open the gate. That is 802.1X in one sentence.

Meraki access control has two halves. Authentication answers "who are you?" using 802.1X talking to a RADIUS server. Authorization answers "what may you touch?" using a returned VLAN, group policy, or — the modern way — a Security Group Tag enforced by Adaptive Policy.

Architecturally, Meraki separates the policy decision point (RADIUS / Cisco ISE) from the policy enforcement point (MR access point, MS switch, MX). 802.1X / RADIUS carry identity inbound; the Access-Accept carries authorization outbound (VLAN, Filter-Id group policy, or SGT). Adaptive Policy decouples policy from topology entirely by tagging traffic at ingress and enforcing the group-to-group matrix at egress, which is what lets it scale across many sites without per-VLAN ACL sprawl.

Three roles repeat through every demo below — learn them once and the rest is easy:

💻
Supplicant
tap to flip

The client — laptop, phone, camera. It runs the 802.1X "supplicant" software and presents credentials (password, certificate, or just its MAC for MAB).

📡
Authenticator
tap to flip

The Meraki MR / MS / MX. It is the doorman — it relays EAP between the client and the server but makes no decision itself. Also called the NAS (Network Access Server).

🗄
RADIUS / ISE
tap to flip

The authentication server — Windows NPS, Cisco ISE, or a cloud RADIUS. It holds the identity store and returns Access-Accept (with VLAN/group/SGT) or Access-Reject.

🏷
The ID card
tap to flip

The authorization result: a VLAN, a group policy, or an SGT. This is the badge that decides which floors you can reach once you are inside.

Meraki access-control architecture: client to MR/MS to RADIUS/ISE and back with VLAN, group policy and SGT A left-to-right diagram showing a supplicant connecting to a Meraki access point and switch (the authenticator), which relays EAP over RADIUS to Cisco ISE, which returns an Access-Accept carrying a VLAN, a group policy and a Security Group Tag. The three roles, end to end 💻 Supplicant laptop / phone / IoT 📡 Meraki MR / MS / MX authenticator (NAS) relays EAP, makes no decision 🗄 RADIUS / Cisco ISE decision point identity + posture store EAP / RADIUS UDP 1812 Access-Accept What the Accept carries (the "ID card") VLAN GroupPolicy SGT 🏷
Figure 1 — Identity flows in (left→right), authorization flows back out (the pink Access-Accept). The doorman never decides; the desk does.

① 802.1X & RADIUS — the front door

👩‍💻

Sneha, an L1 at a Bengaluru SaaS firm, is told "make the corporate Wi-Fi ask for AD logins, not a shared password." That single sentence is a WPA2-Enterprise SSID pointed at RADIUS. Let us build it.

On the dashboard you go to Wireless > Configure > Access control, pick the SSID, and under Security choose Enterprise with my RADIUS server (this is 802.1X / WPA2-Enterprise). Then add the RADIUS server's IP, port 1812, and the shared secret.

▶ Watch an 802.1X / WPA2-Enterprise handshake

Click Play. Each stage lights up as Sneha's laptop authenticates to the corporate SSID.

① ASSOCIATE Laptop AC:DE:48:11:22:33 → SSID "Corp-Secure" on MR
Port stays in the unauthorized state — only EAPOL is allowed through.
② EAP-REQUEST MR (authenticator) asks: "Identity?" Laptop replies sneha@corp.local
③ RADIUS MR wraps EAP into Access-Request → RADIUS server 10.1.10.20:1812
Shared secret authenticates the AP to the server. Server must list the AP as a NAS client.
④ EAP CHALLENGE Server runs EAP method (e.g. PEAP / EAP-TLS), validates the credential or certificate.
⑤ ACCESS-ACCEPT Accept + attributes (VLAN 30, group policy, optional SGT) → MR
⑥ PORT OPEN MR moves the client to the authorized state. Laptop gets an IP on VLAN 30 and is on the network.
Press Play to step through the handshake. Each press of Next advances one stage.
Dashboard equivalent — what you actually fill in (MR SSID) 
Wireless > Configure > Access control > SSID "Corp-Secure"
  Association requirements : WPA2-Enterprise with my RADIUS server
  RADIUS servers           : 10.1.10.20  port 1812  secret ********
  RADIUS accounting (opt)  : 10.1.10.20  port 1813
  Client VLAN tagging      : RADIUS assigned VLAN
Expected output — on the RADIUS / ISE live log 
Access-Request  : User-Name=sneha@corp.local  Called-Station-Id=AP-3F
Access-Accept   : Tunnel-Type=VLAN  Tunnel-Medium-Type=802
                  Tunnel-Private-Group-Id=30
Client status   : 802.1X authenticated, VLAN 30, signal -54 dBm

On wired MS switches the idea is identical: Switch > Configure > Access policies, create an 802.1X policy, point it at the same RADIUS server, then apply that policy to the access ports. One important wired detail: when an MS access policy uses a RADIUS server, the switch authenticates using PAP, so your server must accept PAP for those requests.

Pause & predict: a laptop with perfect AD credentials fails to join, and the RADIUS server logs show zero Access-Requests. Before you read on — where is the break?

The AP can't reach the server, or isn't a registered client. No Access-Request at all means the conversation never started: the AP's IP is not added as a network device / NAS client on RADIUS, UDP 1812 is filtered, or the shared secret host is wrong. Credentials are irrelevant until the request actually arrives.
Quick check · Q1 of 10 · Analyze

On a Meraki MR SSID you set Security to WPA2-Enterprise with "my RADIUS server". A laptop with valid AD credentials still fails to associate, and the RADIUS server logs no Access-Request at all. Most likely cause?

Correct: c. "No Access-Request" means the AP never successfully talked to the server. Wrong passwords or EAP mismatches would still produce an Access-Request followed by a Reject. Fix: add every AP (or the Meraki NAT IP) as a RADIUS client and open UDP 1812/1813.
Meraki access-control deployment maturity timeline from open SSID to Adaptive Policy A five-stop timeline: open or pre-shared key, then WPA2-Enterprise 802.1X, then dynamic VLAN, then Cisco ISE with profiling and posture, then Adaptive Policy with Security Group Tags. Your maturity path — weak to strong 1 Open / PSK one shared key 2 WPA2-Enterprise 802.1X + RADIUS 3 Dynamic VLAN RADIUS picks VLAN 4 Cisco ISE profiling + posture 5 Adaptive Policy SGT matrix Most Indian campuses sit at stop 2–3 today. This lesson takes you to 4–5.
Figure 4 — The journey. You rarely jump straight to Adaptive Policy; you climb the ladder, hardening one rung at a time.

② Dynamic VLAN + group policy + Cisco ISE

🧑‍🔧

Rahul, an L2 at a Pune services firm, wants finance laptops on VLAN 30 and guests on VLAN 80 — on the same SSID. He does not want two SSIDs. The answer is RADIUS-assigned VLAN: the Access-Accept itself tells the AP which VLAN to drop the client into.

Three RADIUS attributes do this, and you need all three in the Access-Accept:

Dynamic VLAN assignment flow: the three RADIUS attributes that place a client on a VLAN A flow showing a client authenticating, ISE returning Tunnel-Type VLAN, Tunnel-Medium-Type 802 and Tunnel-Private-Group-ID 30, and the Meraki device placing the client on VLAN 30. A warning box shows that returning a VLAN name needs VLAN Profiles. The three attributes that pick the VLAN Client authenticates finance laptop Cisco ISE decides user + device + posture → choose VLAN 30 Tunnel-Type = VLAN (13) Tunnel-Medium-Type = 802 (6) Tunnel-Private-Group-ID = 30 Client lands on VLAN 30 ✓ ⚠ The name-vs-ID trap Return the NUMBER 30, not the name "CORP". Meraki has no concept of VLAN names — unless you enable VLAN Profiles (Network-wide > Configure > VLAN profiles) to map names to IDs.
Figure 2 — Miss any one of the three attributes and the client silently lands on the default VLAN. Return a name without VLAN Profiles and it fails the same way.

Where does Cisco ISE fit? RADIUS alone is a yes/no oracle. ISE is the brains on top: it can choose the VLAN, group policy or SGT dynamically based on who the user is, what device they are on, the device's posture, and the device profile. A managed laptop with healthy posture gets VLAN 30; the same user on a personal phone gets a guest VLAN.

Quick check · Q2 of 10 · Analyze

You configure dynamic VLAN on an MS switch access policy. Your RADIUS server returns Tunnel-Private-Group-ID = "CORP" (the VLAN name). Clients authenticate fine but always land on the default VLAN. Why?

Correct: b. Meraki reads Tunnel-Private-Group-ID as a numeric VLAN ID and has no concept of VLAN names by default. Either return the number (e.g. 30) or enable VLAN Profiles (Network-wide > Configure > VLAN profiles) so the name resolves. A shared-secret error would block auth entirely, not just misplace the VLAN.

For devices that cannot run a supplicant at all — printers, badge readers, IP cameras — you use MAB. The port still authenticates, but the "credential" is just the device MAC. It is weaker (MACs are trivially spoofed) so always pair MAB with ISE profiling and a tight authorization.

Best-practice default for a mixed campus

Use 802.1X with MAB fallback. Capable devices get strong certificate or credential auth; printers and phones that can't do 802.1X fall back to MAB without you leaving the port wide open. MAB-only everywhere is weak; 802.1X-only locks out the half of your fleet that has no supplicant.

Pause & predict: finance laptops should hit VLAN 30, but they all land on the default VLAN even though auth succeeds. The Accept contains only Tunnel-Private-Group-ID=30. What is missing?

The other two attributes. Dynamic VLAN needs the full trio: Tunnel-Type=VLAN(13) + Tunnel-Medium-Type=802(6) + Tunnel-Private-Group-ID=30. With only the group-ID present, Meraki ignores the assignment and uses the SSID/port default VLAN.
Quick check · Q3 of 10 · Apply

An IoT camera can't run an 802.1X supplicant. You need it online without leaving the port open. Correct Meraki approach?

Correct: a. MAB is the standard fallback for supplicant-less devices. Because MACs spoof easily, treat MAB as identification, not strong authentication — back it with ISE profiling and a restrictive authorization (a low-trust SGT). Disabling 802.1X switch-wide throws away all your access control.

③ Adaptive Policy — tag the traffic, not the subnet

👩‍💼

Priya, an architect at a multi-site retailer, is drowning in inter-VLAN ACLs — 40+ rules per site, all breaking whenever someone re-IPs a subnet. Adaptive Policy is the fix: stop writing rules about subnets, start writing rules about groups.

Here is the core idea. Every endpoint is classified into an Adaptive Policy Group, and that group has a number called a Security Group Tag (SGT). As traffic enters the network, the Meraki device stamps that SGT into the frame's CMD header. As traffic leaves toward its destination, the destination device looks up a simple matrix — "is Group A allowed to talk to Group B?" — and permits or drops it.

Think of it like coloured wristbands at a festival. Instead of guards memorising which gate each person came from, everyone wears a colour. A red band can enter the red zone, not the green zone — no matter which gate they used to get in. The colour is the SGT.

Two default groups exist out of the box: Infrastructure and Unknown. SGT values are unique numbers from 3 to 65519 (auto-allocated if you don't pick one), and once assigned a value can't be changed. Supported platforms include modern MS switches (MS130 / MS150 / MS390 / C9K-M), MR/CW Wi-Fi 5/6/7 APs, and MX/Z3+ on recent firmware — the catch is that every device in the path must support and carry the tag.

The architectural win is decoupling: policy is expressed group-to-group and enforced at the destination (egress), so it is IP- and VLAN-agnostic and globally scalable. One matrix replaces many per-site ACLs, and a re-IP or re-VLAN event does not touch policy. The classification source is typically Cisco ISE, which can push the SGT dynamically by user/device/posture and re-tag via Change of Authorization (CoA) without disrupting the client. The price: hardware/firmware support everywhere and a disciplined monitor-first rollout.

▶ Watch a Security Group Tag travel

A finance laptop (SGT 30) tries to reach an HR server (SGT 40). The matrix says DENY.

① CLASSIFY Finance laptop authenticates → ISE assigns SGT 30 "Finance"
② TAG (ingress) MS switch stamps SGT 30 into the CMD header of the frame as it enters
③ CARRY Frame crosses the fabric to the server: 10.20.30.11 [SGT 30]10.20.40.10 [SGT 40]
Every transit device must support Adaptive Policy or the tag gets stripped.
④ MATRIX LOOKUP Destination device checks the matrix cell: source SGT 30 → dest SGT 40
⑤ ENFORCE (egress) Cell = DENY → frame dropped at the destination, before it reaches the HR server
Notice where enforcement happens — at the DESTINATION (egress), not the source. That is what makes it scale.
Comparison: a traditional inter-VLAN ACL sprawl versus a single SGT policy matrix On the left, many tangled ACL rules tied to subnets and VLANs. On the right, one compact group-to-group matrix with allow and deny cells between Finance, HR and IoT groups. Old way vs Adaptive Policy Traditional: per-subnet ACL sprawl permit 10.20.30.0/24 → 10.20.50.0/24 eq 443 deny 10.20.30.0/24 → 10.20.40.0/24 permit 10.20.31.0/24 → 10.20.50.0/24 eq 443 deny 10.20.31.0/24 → 10.20.40.0/24 ... ×40 more, per site, breaks on re-IP 😵 Grows with every subnet × every site Adaptive Policy: one group matrix Finance HR IoT Finance HR IoT allow deny deny deny allow deny deny deny allow 😌 Same matrix everywhere, survives re-IP / re-VLAN When is the matrix worth it? At scale (many sites, many subnets) — yes, it is genuinely more scalable, not marketing. But it needs supported hardware/firmware everywhere + an SGT source (ISE) + a monitor-first rollout.
Figure 3 — The decision: ACLs grow with subnets × sites; an SGT matrix stays the same size as the network grows. Pick the matrix at scale, with the right prerequisites.
Quick check · Q4 of 10 · Remember

In Meraki Adaptive Policy, what is a Security Group Tag (SGT), and where is the policy actually enforced?

Correct: d. The SGT is carried in the Cisco MetaData (CMD) header and names a group, not a subnet. Enforcement happens at the destination device, which is exactly what lets one matrix replace many ACLs and scale across sites.

④ Troubleshoot — auth, VLANs, SGTs & a CVE you must patch

You've configured it. Something's broken. Here's the 4-step ladder that resolves most Meraki access-control tickets in under 5 minutes.

Read the live log
tap

On ISE/NPS, is there an Access-Request? No request = AP not a NAS client / UDP 1812 blocked. Reject = credential / EAP / cert issue.

Check the Accept attrs
tap

All three VLAN attributes present? Numeric ID (not a name)? Wrong VLAN = missing attribute or name-vs-ID trap.

Client details page
tap

Dashboard > Clients > the device. Shows 802.1X status, assigned VLAN, group policy and SGT. Compare to what you expected.

Verify SGT path
tap

If an allowed flow drops, a transit device is stripping the tag — an unsupported model or old firmware sees Unknown and the matrix denies it.

Symptom → cause: three you'll hit in week one

Symptom: client never connects, RADIUS shows nothing. Cause: AP isn't a registered NAS client or UDP 1812 is filtered.

Symptom: auth succeeds but everyone lands on the wrong VLAN. Cause: a VLAN attribute is missing, or you returned the VLAN name without enabling VLAN Profiles.

Symptom: Adaptive Policy drops an allowed flow on some paths only. Cause: a transit switch/AP doesn't support Adaptive Policy or is on old firmware (pre-MS17 / MR27), so it strips the SGT and the destination sees Unknown.

Patch this: a real 2025 Meraki advisory

Access control is not just config — it is also keeping the boxes patched. In 2025 Cisco disclosed CVE-2025-20271 and related advisories affecting the AnyConnect VPN server on Meraki MX and Z-series gateways (unauthenticated denial-of-service / session issues). Separately, CVE-2025-20352 (a Cisco IOS-affecting SNMP flaw) was reported exploited in the wild. Lesson: subscribe to Cisco Security Advisories and keep MX/MR/MS firmware current — an unpatched edge undermines every access-control rule behind it.

Quick check · Q5 of 10 · Apply

Which RADIUS attributes must the Access-Accept contain for Meraki dynamic VLAN assignment to work?

Correct: b. The complete trio is required. Filter-Id maps to a named group policy, not a VLAN; Reply-Message/Class are informational. Send only the group-ID and the client falls back to the default VLAN.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from Meraki docs + community Q&A. For complex prod issues, paste your ISE live-log line + the client details page into chat.techclick.in.

📝 Wrap-up — five more

You've already answered 5 inline. Five left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q6 · Analyze

A new admin enables Adaptive Policy, leaves every client on the default Unknown SGT, then writes an Unknown → Unknown = DENY rule "to be safe". Half the office instantly loses connectivity. What went wrong?

Correct: c. "Unknown" is the catch-all for not-yet-classified endpoints. Denying Unknown-to-Unknown before classification is live punishes everyone. Roll out in monitor/allow mode, classify endpoints into real groups, then tighten the matrix cell by cell.
Q7 · Analyze

After enabling Adaptive Policy, an allowed east-west flow between two SGTs is dropped only between specific switches; other paths pass. Most likely root cause?

Correct: a. SGT propagation needs every device in the path to support Adaptive Policy and carry the inline tag. One unsupported/old-firmware hop strips it; the egress device then sees Unknown and applies the deny. Verify all transit devices and firmware.
Q8 · Apply

A finance SSID on a Meraki MR: should you pick WPA2-Enterprise or WPA3-Enterprise? Best guidance?

Correct: b. WPA3-Enterprise hardens the handshake and offers a 192-bit suite for high-security networks, but every client must support WPA3. Transition mode lets older clients fall back to WPA2 during migration. Both still use 802.1X/RADIUS for identity.
Q9 · Evaluate

For a mixed campus of laptops, printers and IP phones, choose between MAB-only, 802.1X-only, and 802.1X with MAB fallback. Which is the right default and why?

Correct: c. MAB-only is weak everywhere (MACs spoof). 802.1X-only locks out devices with no supplicant. 802.1X with MAB fallback is the pragmatic campus default — strongest auth where possible, controlled admission for the rest.
Q10 · Evaluate

A consultant proposes replacing 40 inter-VLAN ACL rules across 6 sites with a single Adaptive Policy SGT matrix. The CFO asks if this is just marketing. Sound engineering verdict?

Correct: b. The scalability claim is real — one matrix replaces many per-site ACLs and decouples policy from topology. But it has hard prerequisites (hardware/firmware support, an SGT classification source, careful rollout). The honest answer to the CFO is "yes, at scale, with these conditions" — not a free flip and not marketing.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🧠 Lock it in — explain it in your own words

In two or three lines, write how you'd explain to a junior the difference between authentication (802.1X / RADIUS) and authorization (VLAN / SGT). Writing it from memory is what moves it to long-term recall.

Teach a friend: message one teammate the single sentence — "The doorman (AP) never decides; the desk (RADIUS/ISE) does, and hands back a badge (VLAN or SGT)." If they get it, you've got it.

⏰ Remember this in 7 days

Want a 3-question spaced-recall nudge on Meraki access control in a week? Drop your email — we'll send one short quiz to cement it.

✓ Saved — we'll nudge you in 7 days. Keep building.

📖 Glossary

802.1X
IEEE port-based Network Access Control — the standard behind WPA2/WPA3-Enterprise and wired port authentication.
RADIUS
Remote Authentication Dial-In User Service — the AAA protocol (UDP 1812 auth, 1813 accounting) the AP/switch queries.
WPA2/WPA3-Enterprise
Wi-Fi security in Enterprise mode — per-user authentication via 802.1X/EAP instead of one shared key.
Cisco ISE
Identity Services Engine — the policy server that authenticates and returns rich authorization (VLAN, group policy, SGT).
MAB
MAC Authentication Bypass — admits supplicant-less devices using their MAC as the RADIUS identity; weaker, pair with profiling.
SGT
Security Group Tag — a number (3–65519) in the CMD header naming a source's group, independent of IP/VLAN.
Adaptive Policy
Meraki's group-to-group policy framework enforced at egress, replacing per-subnet ACL sprawl.
CoA
Change of Authorization — RADIUS lets ISE re-authorize a live session (e.g. re-tag the SGT) without disconnecting the user.
Meraki access-control one-page cheat sheet: ports, attributes, SGT facts and a fast triage line A reference card listing the RADIUS ports, the three dynamic-VLAN attributes, the SGT value range and default groups, the MAB and 802.1X choice, and a one-line troubleshooting decision. Meraki access control — pocket cheat sheet RADIUS ports & auth UDP 1812 = authentication UDP 1813 = accounting MS access policy → uses PAP Dynamic VLAN — all 3 needed Tunnel-Type = VLAN (13) Tunnel-Medium-Type = 802 (6) Tunnel-Private-Group-ID = <ID> SGT facts value range: 3 – 65519 defaults: Infrastructure, Unknown enforced at the destination Which auth? laptops/phones → 802.1X printers/cameras → MAB default → 802.1X + MAB fallback 5-second triage No Access-Request on the server? → AP not a NAS client / UDP 1812 blocked. Auth OK but wrong VLAN? → missing attribute, or VLAN name without VLAN Profiles. Allowed SGT flow dropped on one path? → transit device strips the tag (old firmware/model).
Figure 5 — Screenshot this. Ports, the dynamic-VLAN trio, SGT facts, the auth choice, and a 5-second triage line — everything from this lesson on one card.

📚 Sources

  1. Cisco Meraki Documentation — Access Control (MR) & Configuring RADIUS Authentication with WPA2-Enterprise. documentation.meraki.com
  2. Cisco Meraki Documentation — MS Switch Access Policies (802.1X) & MX Access Policies (802.1X). documentation.meraki.com
  3. Cisco Meraki Documentation — Adaptive Policy Overview / Configuration Guide & Adaptive Policy and Cisco ISE (SGT range 3–65519, default Infrastructure/Unknown). documentation.meraki.com
  4. Cisco Meraki Documentation — MAC Authentication Bypass (MAB) and iPSK & VLAN Profiles. documentation.meraki.com
  5. The Meraki Community — 802.1X w/ Dynamic VLAN Assignment & Does Meraki accept Tunnel-Private-Group-Id as a VLAN name? community.meraki.com
  6. Cisco Security Advisories — CVE-2025-20271 (Meraki MX/Z AnyConnect VPN DoS) & CVE-2025-20352 (IOS SNMP, exploited in the wild). sec.cloudapps.cisco.com
  7. Cisco Learning Network — 500-220 ECMS Exam Topics (Engineering Cisco Meraki Solutions) & Cisco Live BRKSEC-2100: ISE Your Meraki Network with Group-Based Adaptive Policy (2025).

What's next?

You can now get the right people onto the network with the right badge. Next we go deeper into the wired fabric — how Meraki MS switches stack, route at Layer 3, and enforce ACLs and QoS so all that tagged traffic actually moves fast and clean.

Next · Meraki MS Switching — Stacking, Layer-3, ACLs & QoS → ← All lessons