Alternate Management Interface on MR Devices
Overview
In a traditional Meraki network deployment, management traffic such as Syslog messages, responses to SNMP polling, and communication with RADIUS servers is sourced from the LAN IP, the address of the device's default management VLAN. Because the MR device also uses this VLAN to communicate with the Meraki Dashboard, it has connectivity to the Internet.
Security policies in certain deployments may mandate isolation of management traffic from public networks. The Alternate Management Interface (AMI) feature provides this option by enabling an MR series access point to source its management traffic from an IP address other than that of the default management VLAN.
Note: Alternate Management Interface on MR is supported on firmware releases MR 26.X onwards. This feature is not supported on MR access points in repeater mode.
Flow of Traffic with Alternate Management Interface
Traffic for the services selected under the Alternate Management Interface configuration is routed using the default gateway of the Alternate Management VLAN. Sourcing this traffic from the IP address of the Alternate Management VLAN avoids any overlap and ensures that return traffic from the servers can be kept separate from the public network.
Note: The AMI only responds to ICMP requests within its own network.
Configuring the Alternate Management Interface
Configuring the Alternate Management VLAN and Associated Services
To enable the Alternate Management Interface, navigate to Network-wide > General. The configuration options can be found under the section Alternate Management Interface if the network type is Wireless, and under Wireless Alternate Management Interface if the network type is Combined.
If you are using Meraki Cloud Authentication for RADIUS, this traffic will be sent across the management tunnel to Dashboard.
When enabled, this configuration section lets you specify the alternate management VLAN and choose which combination of services (RADIUS, SNMP and Syslog) the Alternate Management Interface configuration applies to.
Configuring the Alternate Management IP and Network Settings
Once the Alternate Management Interface has been configured, the options to specify the interface details will become available on the Access Point details page. To configure the Alternate Management Interface for an MR access point, navigate to Wireless > Access Points and select the device you wish to configure.
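Before entering the VLAN, services and per-device addresses in Dashboard, the planned values can be checked offline. The following is an added example, not Meraki code: the plan layout, function names, addresses and AP labels are hypothetical, and it assumes the isolation goal means the AMI subnet must not overlap the default management subnet.

```python
import ipaddress

# Services the page lists as selectable for the AMI.
AMI_SERVICES = {"RADIUS", "SNMP", "Syslog"}

def check_ami_plan(plan):
    """Return a list of problems in a planned AMI configuration.
    `plan` is a hypothetical dict layout, not a Meraki data format."""
    problems = []
    unknown = set(plan["services"]) - AMI_SERVICES
    if unknown:
        problems.append(f"services not offered for AMI: {sorted(unknown)}")
    mgmt_net = ipaddress.ip_network(plan["mgmt_subnet"])
    ami_net = ipaddress.ip_network(plan["ami_subnet"])
    # Assumption: the isolated subnet must not overlap the Internet-facing one.
    if ami_net.overlaps(mgmt_net):
        problems.append(f"{ami_net} overlaps management subnet {mgmt_net}")
    gateway = ipaddress.ip_address(plan["ami_gateway"])
    if gateway not in ami_net:
        problems.append(f"gateway {gateway} is outside {ami_net}")
    seen = {}
    for serial, ip in plan["access_points"].items():
        addr = ipaddress.ip_address(ip)
        if addr not in ami_net:
            problems.append(f"{serial}: {addr} is outside {ami_net}")
        if addr == gateway:
            problems.append(f"{serial}: {addr} collides with the gateway")
        if addr in seen:
            problems.append(f"{serial}: {addr} already used by {seen[addr]}")
        seen.setdefault(addr, serial)
    return problems

def ami_answers_ping(plan, source_ip):
    """Per the page's note, the AMI answers ICMP only from its own network."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(plan["ami_subnet"])

# Constructed sample plans (addresses and AP labels are placeholders).
GOOD_PLAN = {"services": ["RADIUS", "Syslog"], "mgmt_subnet": "10.0.10.0/24",
             "ami_subnet": "10.0.20.0/24", "ami_gateway": "10.0.20.1",
             "access_points": {"AP-1": "10.0.20.11", "AP-2": "10.0.20.12"}}
BAD_PLAN = {"services": ["Syslog", "HTTP"], "mgmt_subnet": "10.0.10.0/24",
            "ami_subnet": "10.0.10.128/25", "ami_gateway": "10.0.20.1",
            "access_points": {"AP-1": "10.0.10.130", "AP-2": "10.0.10.130"}}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_ami_plan(plan) or "ok")
```

The ping helper is useful when planning monitoring: a poller outside the AMI subnet should not treat a missing ICMP reply from the AMI address as an outage.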