NAT mode with Meraki DHCP allows a MR Access Point to provide client addressing by running its own DHCP server to simplify management, allow guest access, and provide client isolation functionality.
The DHCP server run by the Cisco Meraki AP provides addresses in the 10.0.0.0/8 subnet (10.x.x.x). Outbound connections will be initiated with the LAN IP address of the AP using Network Address Translation. Wireless clients that connect to the network will be given the following configuration via Meraki DHCP:
A wireless network using NAT Mode with Meraki DHCP can be seen below. When clients on the wireless network access resources upstream of the AP, their IP addresses will be translated to the IP address of the AP (192.168.1.1):
NAT mode with Meraki DHCP isolates clients. Devices with a Meraki DHCP address will be able to access external and internal resources, such as the Internet and LAN (if firewall rules permit). However, connected clients will be unable to contact each other. The client isolation features of Merkai DHCP can be seen above in Figure 1. Client A and Client B can both access the Internet. When Client A wants to send traffic to Client B, the traffic will reach the AP. However, the AP will not forward this traffic to Client B. Therefore, the two clients are isolated from each other.
Since the client isolation function of NAT mode prevents wireless deices on the SSID from communicating with each other, NAT mode is not recommended for use with wireless peer-to-peer devices like a wireless printer or Google Chromecast.
To configure NAT mode with Meraki DHCP on an SSID, follow the directions below:
There are a few common problems that can arise when deploying NAT mode with Meraki DHCP to provide client addressing. These problems are outlined in detail below:
The issues described above can be resolved by using bridge mode for client addressing. Bridge mode simply passes traffic between the wireless client and wired distribution system. An upstream DHCP server will be required to handle client addressing.