
SSID Tunneling and Layer 3 Roaming - VPN Concentration Configuration Guide

Meraki Access Points may be configured to concentrate traffic to a single point either for layer 3 roaming or teleworker use cases. Teleworker VPN and Layer 3 roaming with a concentrator both use the same Meraki Auto VPN technology.  Wireless Access Points may concentrate to either a Meraki MX security appliance or a VM VPN Concentrator.


It is recommended that a separate network be created in Dashboard for each remote site location for purposes of manageability and usage tracking. Remote site networks should be created and access points added to the networks using the Quick Start guide. Get started by selecting “Create a network” from the network selector in Dashboard. 

SSID Configuration

Configuring an SSID to concentrate to an MX security appliance or the VPN concentrator is simple for both Layer 3 Roaming and VPN Concentrator.


1) Configure the SSID on the Access Control page to either Layer 3 Roaming or VPN Concentration.


2) Select the concentrator, which can be either an MX security appliance or a VM Concentrator that exists within the same Dashboard Organization.



3) Optional: Configure a specific VLAN on which to terminate the SSID at the VPN concentrator. A list of available VLANs will be displayed if an MX security appliance is selected for concentration.

VPN Traffic Handling 

An SSID that is configured for teleworker VPN can be configured in two different traffic handling modes: Full Tunnel and Split Tunnel. The split tunnel feature can route selected traffic over the VPN and route all other traffic to the local network upstream (and to the Internet).


WPA2-Enterprise RADIUS Authenticator

WPA2-Enterprise uses 802.1X to secure the wireless network. There are three pieces to 802.1X authentication: a supplicant, an authenticator, and an authentication server. In other operating modes, such as Bridge Mode and NAT Mode, the AP assumes the authenticator role. SSIDs configured for VPN Concentrator and concentrated Layer 3 roaming SSIDs pass the authenticator role to the VPN Concentrator.


In many cases each RADIUS authenticator must be added to the RADIUS authentication server, such as Microsoft NPS or Cisco ISE. For VPN concentration and concentrated Layer 3 roaming SSIDs, only the concentrators need to be added to the RADIUS authentication server.
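The consequence for the RADIUS client list can be checked mechanically. The following is an added example, not Meraki code: it derives which authenticators the server needs from each SSID's mode and compares that with the configured client list. The mode labels, inventory format and all addresses are assumptions constructed for illustration.

```python
# Added example (not Meraki code): which RADIUS clients does the
# authentication server need, given each SSID's client-addressing mode?

# Hypothetical mode labels; in these modes the authenticator role
# passes from the AP to the concentrator.
CONCENTRATED = {"vpn_concentrator", "l3_roaming_concentrator"}

def required_authenticators(ssids, ap_ips):
    """Return the set of IPs that must be defined as RADIUS clients."""
    needed = set()
    for ssid in ssids:
        if not ssid["enterprise"]:      # this example only models WPA2-Enterprise
            continue
        if ssid["mode"] in CONCENTRATED:
            needed.add(ssid["concentrator_ip"])
        else:                           # Bridge/NAT mode: each AP is an authenticator
            needed.update(ap_ips[ssid["network"]])
    return needed

def audit_radius_clients(configured, ssids, ap_ips):
    """Compare the server's client list with what the SSIDs require."""
    needed = required_authenticators(ssids, ap_ips)
    configured = set(configured)
    return {
        "missing": sorted(needed - configured),  # 802.1X will fail from these
        "stale": sorted(configured - needed),    # entries that can be removed
    }

# Constructed sample inventory (all names and addresses are made up).
SSIDS = [
    {"name": "Corp-Remote", "mode": "vpn_concentrator", "enterprise": True,
     "network": "branch", "concentrator_ip": "10.0.30.5"},
    {"name": "Lab", "mode": "bridge", "enterprise": True, "network": "hq"},
    {"name": "Guest", "mode": "nat", "enterprise": False, "network": "hq"},
]
AP_IPS = {"hq": ["10.1.1.21", "10.1.1.22"],
          "branch": ["192.168.10.11", "192.168.10.12"]}
RADIUS_CLIENTS = ["10.1.1.21", "192.168.10.11", "192.168.10.12"]

if __name__ == "__main__":
    print(audit_radius_clients(RADIUS_CLIENTS, SSIDS, AP_IPS))
```

In the sample, the branch APs only serve a concentrated SSID, so their client entries are reported as stale while the concentrator itself is reported as missing.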

SSID Tunneling to an MX VPN Concentrator 

The MX security appliance is the ideal solution for SSID Tunneling using VPN concentration as it is custom built for mission critical networks. Choose the MX security appliance that is the best fit for your needs based on the Sizing Guide.

The MX security appliance is ready to concentrate SSIDs out of the box without any additional configuration beyond what is outlined in the quick start guide. VPN Concentrator tunneling is only officially supported for passthrough/concentrator mode MX devices so it is important to ensure your MX is in passthrough/concentrator mode for this feature to work correctly.

For additional information on how to set this up, please refer to this section.

To increase reliability, a second MX security appliance can be paired in HA mode. In the case that the primary MX becomes unreachable from the Meraki Cloud, the Access Points will fail over to the HA standby MX.

VM Concentrator

The VM Concentrator is deprecated, and support for the feature ended on July 31st, 2017. An MX Security Appliance is recommended as an alternative for deployments that currently rely on the VM Concentrator. For more information, please contact Cisco Meraki sales.

The VM concentrator was an alternative solution to the MX Security Appliance that could be used to concentrate SSIDs. It is no longer supported or available for purchase.


Meraki VPN tunnels terminate on a virtual concentrator rather than on a typical hardware VPN concentrator appliance. The concentrator image could be downloaded from Dashboard and installed in VMware (vSphere Hypervisor (ESXi), Workstation and Player are supported) on any enterprise-grade server. The virtual concentrator could then be managed using Dashboard like any other Meraki networking hardware. Full monitoring and logging capabilities (e.g. connected clients, traffic analysis, etc.) could be utilized in the concentrator network. Just like a Meraki AP, the concentrator firmware was automatically updated by the Cloud Controller.

Creating the Virtual Concentrator Network 

A virtual concentrator is located in a separate concentrator network, separate from the networks containing the access points that will be connected via VPN. A concentrator network is created in the same manner as an AP network, using the network drop-down selector at the top of the Dashboard.

Installing the Virtual Concentrator

Once the concentrator network has been created, the concentrator virtual machine image can be downloaded from Dashboard from the Status page under the Monitor tab in the concentrator network. 


Once the image has been downloaded, it can be run in VMware on an existing server in the LAN. Minimum hardware requirements for the server are:

  • 1 GHz processor
  • 1 GB available hard drive space
  • 500 MB dedicated RAM

Configuring the Virtual Concentrator


Minimal configuration is required for the virtual concentrator. The configuration settings that are required can be managed under the Configure tab. 

Concentrator Settings

There are three configuration settings that can be found on this page: concentrator name, tunneling settings and traffic analysis.

  1. Concentrator name – The device name can be set or changed from this page.
  2. Tunneling – In order for a remote AP to successfully connect to the virtual concentrator, it will likely have to traverse a NAT. There are two methods for doing this NAT traversal: automatic and manual.
    1. Automatic – NAT traversal is auto-negotiated by the Cloud Controller. The method works for most NATs and requires an active Internet connection to function properly. In order for automatic NAT traversal to work, outbound UDP port 9350 should be opened to allow the virtual concentrator to communicate with the Cloud Controller during the initial negotiation of the NAT traversal connection. After the connection is established between the remote AP and the virtual concentrator, the Cloud Controller is no longer involved in VPN communication.
    2. Manual – With certain types of NATs, automatic NAT traversal will not work. In this case, a connection can be manually established via port forwarding by specifying the IP address of the NAT and an open port on the NAT. The specified NAT port should be configured to forward to the concentrator’s IP address at port 9350. The concentrator’s IP address can be found on the Concentrator status page.
  3. Traffic Analysis – This feature may be enabled and disabled on this page, and custom pie charts created.

Concentrator Location(s)

Depending on the VLAN and firewall configuration of an administrator’s network as well as how the VPN will be used, the optimal concentrator location and number of concentrators may vary.

Multiple VLAN Deployments

The concentrator does not currently support VLAN tagging. Clients will be assigned to the VLAN that the concentrator is located in. Depending on the desired VPN usage and the network configuration, this will dictate where the VPN concentrator is located and whether multiple concentrators are required.


At Acme Corporation, two VLANs exist: VLAN 30, for end user data traffic (including wireless users) and VLAN 20, for traffic from their PBX phone system (the PBX at HQ sits in this VLAN). The administrator would like to deploy remote APs and IP phones to all of the company’s traveling salespersons.

In this scenario there are two concentrator deployment options:

Option 1 – Single concentrator

In this scenario, a single concentrator can be deployed in either VLAN 20 or 30, and static routes or firewall exceptions created in the LAN to allow the IP phones to communicate with the PBX or to allow wireless clients to access corporate resources in VLAN 30.

Option 2 – Two concentrators

In this scenario, a concentrator is placed in both VLAN 20 and 30. Data traffic on the corporate SSID is tunneled to the VLAN 30 concentrator, and voice traffic from the IP phones is tunneled to the VLAN 20 concentrator using a second tunneled SSID associated to the Ethernet port on the AP that the phone is connected to. 

Configuring VLAN tagging, Static IP and Web Proxy Settings

By visiting the 'Local Status' configuration page, it is possible to assign a particular VLAN, set a static IP, and configure web proxy settings.  There are three steps involved in this process:

  1. Locate the concentrator's IP address, which can be found on the Concentrator > VM status page. On this page, also take note of the Serial Number, which you will need for Step 3. 
  2. While connected on the same Layer 2 network as the VPN concentrator, use a web browser to visit the local configuration page of the Concentrator which is located at the IP address obtained in step 1. 
  3. Click on 'Static IP Configuration' and enter in the Serial Number as your Username. The password is blank. On this page you can now change VLAN, Static IP, and web proxy settings. 

Firewall Settings

Depending on the administrator’s corporate firewall policies, the IP addresses of the concentrator might need to be whitelisted for outbound UDP traffic, and the cloud controller IP addresses for inbound UDP traffic. In addition, if using automatic NAT traversal, certain IP addresses in the Cloud Controller might need to be whitelisted to allow the Cloud Controller to negotiate the connection between the concentrator and the remote APs. A list of the required Cloud Controller IP addresses can be found here.
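For manual NAT traversal (under Tunneling above), the port forward on the edge firewall is the only inbound path the concentrator needs, so it is worth checking that the forward matches the Dashboard settings and that nothing else reaches the concentrator. The following is an added example, not Meraki code: the rule export format, addresses and external port are constructed, and treating the forwarded traffic as UDP is an assumption based on the UDP references on this page.

```python
# Added example (not Meraki code): check edge-firewall port forwards
# against the manual NAT traversal settings for a virtual concentrator.
from ipaddress import ip_address

CONCENTRATOR_PORT = 9350  # concentrator port named on this page

def check_manual_nat(nat_ip, nat_port, concentrator_ip, forwards):
    """Return a list of findings; an empty list means the forward is correct.

    forwards: dicts with proto, ext_ip, ext_port, int_ip, int_port
    (a hypothetical export format, not a vendor schema).
    """
    nat_ip = ip_address(nat_ip)
    concentrator_ip = ip_address(concentrator_ip)
    matches = [f for f in forwards
               if ip_address(f["ext_ip"]) == nat_ip and f["ext_port"] == nat_port]
    if not matches:
        return [f"no forward defined for {nat_ip}:{nat_port}"]
    findings = []
    for f in matches:
        if f["proto"].lower() != "udp":  # assumption: tunnel traffic is UDP
            findings.append(f"{f['proto']} forward on {nat_port}; expected udp")
        if ip_address(f["int_ip"]) != concentrator_ip:
            findings.append(f"forward targets {f['int_ip']}, not the concentrator")
        if f["int_port"] != CONCENTRATOR_PORT:
            findings.append(
                f"forward targets port {f['int_port']}, not {CONCENTRATOR_PORT}")
    # Any other forward to the concentrator is exposure the setup does not need.
    for f in forwards:
        if f not in matches and ip_address(f["int_ip"]) == concentrator_ip:
            findings.append(
                f"extra forward {f['ext_port']}->{f['int_port']} exposes the concentrator")
    return findings

# Constructed sample rules (documentation and private address ranges).
SAMPLE_FORWARDS = [
    {"proto": "udp", "ext_ip": "203.0.113.10", "ext_port": 40000,
     "int_ip": "10.0.30.5", "int_port": 9350},
    {"proto": "tcp", "ext_ip": "203.0.113.10", "ext_port": 8443,
     "int_ip": "10.0.30.5", "int_port": 443},
]

if __name__ == "__main__":
    for line in check_manual_nat("203.0.113.10", 40000, "10.0.30.5", SAMPLE_FORWARDS):
        print(line)
```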


Alerts and Administrators

On this page, the network time zone may be set, email alerts configured for concentrator outages, administrators designated and firmware update time windows specified. See related manual sections for AP network for more details. 


Monitoring the Virtual Concentrator 

Once the virtual concentrator is running, it can be monitored in Dashboard similarly to Meraki APs. The following is a short description of each page under the Monitor tab and what features can be found there: 


The overview page shows high-level summary information about the concentrator network including geographic location of the concentrator on a Google map, overall bandwidth usage of VPN clients and recent and currently connected client counts. For more information about the features on this page, see Section 8.1, “Overview”. 

Concentrator Status

The concentrator status page is very similar to the AP status page. Configuration settings can be edited here including device name, tags and address (this address is what determines where the concentrator location is displayed in the Google map on the Overview page). The concentrator virtual machine image can be downloaded from this page. Various live troubleshooting tests such as list active clients, ping and throughput tests are located on this page, as are various diagnostic graphs showing connectivity and latency.


The clients page shows a list of all recent VPN clients and network usage, including application-level traffic analysis. 

Event Log

The Event Log page provides detailed logging about various client activities, including the following:

  • Associations/disassociations
  • Authentication attempts and outcomes
  • DHCP activity
  • Initial traffic

Summary Report

An administrator can obtain network analytics from the Summary Report page under the Monitor tab. This report provides information about the VPN usage and uptime of the Meraki VPN concentrators, and can be e-mailed on a configurable schedule for constant visibility. Administrators can also add their organization’s logo to the report.


Article ID

ID: 4186
