Home > Wireless LAN > Firewall and Traffic Shaping > Wireless Client Isolation

Wireless Client Isolation


Wireless Client Isolation is a security feature that prevents wireless clients from communicating with one another. This feature is useful for guest and BYOD SSIDs adding a level of security to limit attacks and threats between devices connected to the wireless networks.  The below sections describe the feature in more detail. 

Bridge Mode Client Isolation 

Client Isolation is available for SSIDs configured for Bridge mode however is disabled by default. When a SSID is configured for bridge mode, clients are bridged through the Access Point potentially to a specific VLAN. Upon connection to the AP, clients will be permitted to make a DHCP request on the vlan they are assigned to. After DHCP is completed, the MAC address of the default gateway is tracked for the particular client. The MAC address of the default gateway is then permitted in a layer 2 firewall that restricts all other traffic to and from the wireless client. 

This feature is included within MR25.8 and later firmware versions.

With Client Isolation enabled, clients will only be able to communicate with the default gateway and will not be able to communicate with any other devices on the same VLAN (or broadcast domain). In order for the wireless client to communicate with another device, the upstream gateway must be used to enable this communication (Eg Inter VLAN routing and ACLs). Any traffic bound for an address on the same VLAN as a device in client isolation will be denied. Traffic bound for other VLANs will be forwarded and routed normally.


When an SSID is configured for Bridge mode a configuration option becomes visible on the Firewall and Traffic Shaping page for the SSID. This configuration option is disabled by default but can be enabled on a per SSID basis.

Client Isolation does not interoperate with IPv6-only networks

Screen Shot 2017-09-18 at 2.33.48 PM.png

Client Isolation also extends to Port Profiles that can be leveraged on Access Points such as the MR30H, MR52, MR53 and MR84. More information on creating Port Profiles can be found here: https://documentation.meraki.com/MR/.../Port_Profiles

Example Scenarios

The figure below shows that DHCP traffic is allowed in addition to unicast and broadcast traffic with the gateway the client obtained though DHCP process. 

DNS and DHCP are both allowed through the MR.

Screen Shot 2017-10-17 at 2.14.29 PM.png

The figure below shows that broadcast or unicast traffic sourced from the wireless client will not be sent to the other wireless clients on the SSID. 

Screen Shot 2017-10-17 at 2.08.45 PM.png

The figure below shows that broadcast or unicast traffic sourced from a wired client on the same VLAN as the client will be blocked by the Access Point. 

Screen Shot 2017-10-17 at 2.11.35 PM.png

NAT Mode Client Isolation

SSIDs that are configured for NAT Mode also have basic client isolation. Basic Client Isolation is enabled by default when the SSID is configured for NAT mode and may not be disabled. 

The implications of enabling NAT mode are as follows:

  • Devices outside of the wireless network cannot initiate a connection to a wireless client.
  • Wireless clients cannot use Layer 2 discovery protocols to find other devices on either the wired or wireless network.


Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 6346

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community