Home > Wireless LAN > Client Addressing and Bridging > SSID Tunneling and Layer 3 Roaming - VPN Concentration Configuration Guide

SSID Tunneling and Layer 3 Roaming - VPN Concentration Configuration Guide

Meraki access points may be configured to concentrate traffic to a single point either for layer 3 roaming or teleworker use cases. Teleworker VPN and Layer 3 roaming with a concentrator both use the same Meraki Auto VPN technology.  Wireless access points should concentrate to a Meraki MX security appliance.


It is recommended that a separate network be created in dashboard for each remote site location for purposes of manageability and usage tracking. Remote site networks should be created and access points added to the networks using the Quick Start guide. Get started by selecting “Create a network” from the network selector in dashboard. 

SSID Configuration

Configuring a SSID to concentrate to a MX security appliance or the VPN concentrator is simple for both Layer 3 Roaming and VPN Concentrator.


1) Configure the SSID on the Access Control Page to either Layer 3 Roaming or VPN Concentration.


2) Select the MX security appliance concentrator that exists within the same Dashboard organization



3) Optional: Configure a specific VLAN to terminate the SSID on at the VPN concentrator. A list of available VLANs will be displayed if a MX security appliance is selected for concentration,

VPN Traffic Handling 

An SSID that is configured for teleworker VPN can be configured in two different traffic handling modes Full Tunnel and Split Tunnel. The split tunnel feature can route selected traffic over the VPN and route all other traffic to the local network upstream (and to the Internet).


WPA2-Enterprise RADIUS Authenticator

WPA2-Enterprise uses 802.1x to secure the wireless network. There are three pieces to 802.1x authentication; a supplicant, an authenticator, and an authentication server. Other operating modes like Bridge Mode and NAT Mode, the AP assumes the authenticator. SSID configured for VPN Concentrator and concentrated Layer 3 roaming SSIDs will pass the authenticator role to the VPN Concentrator.  


In many cases each RADIUS authenticator must be added to the RADIUS authentication server such as Microsoft NPS or Cisco ISE. For VPN concentration and concentrated Layer 3 roaming SSIDs, just concentrators would need to be added to the RADIUS authentication server.

SSID Tunneling to an MX VPN Concentrator 

The MX security appliance is the ideal solution for SSID Tunneling using VPN concentration as it is custom built for mission critical networks. Choose the MX security appliance that is best fit for your needs based on the Sizing Guide.

The MX security appliance is ready to concentrate SSIDs out of the box without any additional configuration beyond what is outlined in the quick start guide. VPN Concentrator tunneling is only officially supported for passthrough/concentrator mode MX devices so it is important to ensure your MX is in passthrough/concentrator mode for this feature to work correctly.

For additional information on how to set this up, please refer to this section.

To increase reliability, a second MX security appliance can be paired in HA mode. In the case that the primary MX becomes unreachable from the Meraki Cloud, the Access Points will failover to the HA standby MX.

Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 4186

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community