Cisco Meraki APs can operate as mesh repeaters, which allows them to extend wireless coverage from a limited number of gateway APs. Since repeaters also support wired clients plugged into their wired interface, a repeater can be used to bridge a remote LAN segment back to the main network.
Wireless Mesh repeaters can backhaul to APs acting as wireless gateways and:
- Utilize the same radio as used for mesh to serve wireless clients
- Utilize non-meshing radios to serve wireless clients
- Utilize wired uplink for use cases described below
This article explains how the LAN can be extended via a wireless bridge, including limitations and requirements. There are 3 supported designs for extending the LAN via wireless mesh:
- Extending the LAN for wired clients
- Extending the LAN for a mixture of wireless access points and wired clients
- Extending the LAN for wireless access points (Introduced in MR 25.2)
Extending the LAN for Wired Clients
Administrators may utilize mesh repeaters to serve remote wired clients.
In order for repeater APs to share their wireless connection over their Ethernet port, the following requirements must be met:
- At least one bridge mode SSID must be configured in Dashboard (can be an existing SSID used by clients, but must be in bridge mode).
- APs must be configured to share the bridge SSID over their interface.
For more information about bridge mode and how to configure a bridge SSID, please refer to our documentation regarding Wireless Client IP Assignment.
By default, a client or device plugged into the Ethernet port of a repeater will gain no network connectivity. Once a bridge SSID has been configured, navigate to Network-wide > Configure > General > Device configuration, find the option to configure Clients wired directly to Meraki APs and set that option to have clients Behave like they are connected to the bridge SSID (as shown below).
Note: The authentication type of the SSID does not matter; wired clients bypass authentication and gain network connectivity as though they had associated to that SSID. Physical access to the repeater's Ethernet port should therefore be treated as access to that SSID's network.
If the extended LAN segment off the repeater will only be used by wired clients, a Layer 2 "single subnet" switch can be plugged into the wired interface to allow that repeater to serve those clients as a bridge. The following figure details the extended LAN scenario described:
Note: VLAN tags are not maintained across wireless mesh links; any VLAN tags applied by wired infrastructure will be stripped before being sent over the air. By extension, wired clients across the mesh link do not support the use of VLANs applied by Group Policies.
Extending the LAN for a Mixture of Wireless Access Points and Wired Clients
Wireless access points and wired clients may coexist on a remote LAN segment served by a repeater AP as long as there is a router segmenting the wireless bridge from the remote wired devices. This segmentation is to keep the possibility of network loops to a minimum.
Follow the same configuration detailed in the "Extending the LAN for wired clients" section. Configure the SSID for bridge mode on Wireless > Configure > Access Control.
There must be a router on the extended LAN that will serve wired clients on their own subnet. Other routers must then be configured with routes that will allow them to communicate with the wired clients on the extended LAN.
Additional wired repeaters cannot be within the same broadcast domain as the wireless repeater that is sharing its wireless connection to the LAN, nor can they exist in the same broadcast domain as any wired clients on the switch. As such, in order to add additional access points to the remote LAN, a router or Layer 3 switch must be used to put the wireless repeater, any wired repeaters, and any wired clients on their own broadcast domains.
While an L2 switch is sufficient for wired clients to access the remote LAN segment, this switch cannot support additional MR access points coexisting with wired clients.
The following image describes an unsupported topology, where an additional MR access point has been connected to the remote L2 switch:
Example Supported Topology
The following image provides an example of a working topology that supports both wired clients and access points on the remote LAN:
Remote side (right side)
- VLAN 1 must be plugged into the WAN port of the MX (if using an MX) to provide connection to the dashboard and for Internet bound traffic
- VLAN 2 must be plugged into the LAN port of the MX (if using an MX) for static routing purposes
- Must have static routes directing traffic bound for VLAN 1 to the router on the left side
- (If the remote router is NOT a Meraki MX) Must not be acting as a DHCP server on its uplink to the wireless repeater (VLAN 1)
Internet side (left side)
- Must have static routes directing traffic bound for VLAN 2 to the router on the right side
In order for the topology above to be fully functional, the following additional requirements must be met:
- The router on the remote side (right side) must not be acting as a DHCP server on its uplink to the wireless repeater (VLAN 1).
- The router connected to the internet (left side) must have static routes directing traffic bound for VLAN 2 to the router on the right side.
Note: VLAN tags are not maintained across wireless mesh links; any VLAN tags applied by wired infrastructure will be stripped before being sent over the air. By extension, wired clients across the mesh link do not support the use of VLANs applied by Group Policies.
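The broadcast-domain and DHCP rules of this section can be checked against a planned remote-side layout before anything is cabled. The following Python check is an added example, not Meraki code; the role names, device names, the `vlan3` domain for the extra access point and both sample plans are constructed for illustration, and only devices on the remote side of the mesh link are modelled.

```python
# Added example: lint a planned remote-side layout against this section's rules.
# Role names, device names and both sample plans are constructed for illustration.
from collections import defaultdict

BRIDGE_REPEATER = "bridge_repeater"  # repeater sharing the bridge SSID on its Ethernet port
WIRED_AP = "wired_ap"                # additional MR plugged into the remote LAN
WIRED_CLIENT = "wired_client"
ROUTER = "router"


def check_remote_lan(devices):
    """Return a list of rule violations for the devices on the remote side of the mesh link."""
    roles_in = defaultdict(set)  # broadcast domain -> roles attached to it
    for dev in devices:
        for dom in dev["domains"]:
            roles_in[dom].add(dev["role"])
    problems = []
    for dom in sorted(roles_in):
        roles = roles_in[dom]
        if WIRED_AP in roles and BRIDGE_REPEATER in roles:
            problems.append(f"{dom}: AP shares a broadcast domain with the bridging repeater")
        if WIRED_AP in roles and WIRED_CLIENT in roles:
            problems.append(f"{dom}: AP shares a broadcast domain with wired clients")
    for dev in devices:
        # The remote router must not hand out DHCP leases on its uplink to the repeater.
        for dom in dev.get("dhcp_server_on", []):
            if dev["role"] == ROUTER and BRIDGE_REPEATER in roles_in.get(dom, set()):
                problems.append(f"{dom}: {dev['name']} serves DHCP toward the repeater")
    return problems


# Unsupported: repeater, wired client and an extra MR all on one L2 switch.
FLAT_L2 = [
    {"name": "repeater", "role": BRIDGE_REPEATER, "domains": ["vlan1"]},
    {"name": "pc-1", "role": WIRED_CLIENT, "domains": ["vlan1"]},
    {"name": "extra-mr", "role": WIRED_AP, "domains": ["vlan1"]},
]
# Supported: a router gives the repeater, the clients and the extra MR separate domains.
ROUTED = [
    {"name": "repeater", "role": BRIDGE_REPEATER, "domains": ["vlan1"]},
    {"name": "remote-router", "role": ROUTER, "domains": ["vlan1", "vlan2", "vlan3"],
     "dhcp_server_on": ["vlan2", "vlan3"]},
    {"name": "pc-1", "role": WIRED_CLIENT, "domains": ["vlan2"]},
    {"name": "extra-mr", "role": WIRED_AP, "domains": ["vlan3"]},
]

if __name__ == "__main__":
    for label, plan in (("flat L2", FLAT_L2), ("routed", ROUTED)):
        print(label, check_remote_lan(plan) or "OK")
```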
Extending the LAN for Wireless Access Points
It is possible to connect multiple repeaters together using Ethernet to increase the mesh speed of the Meraki network. This configuration is referred to as a wired hop or Mesh over Ethernet configuration.
A common scenario would be for one relay access point (AP) to have a solid mesh link to a distant gateway while its Ethernet port is connected to an isolated switch. The other relay APs could then be connected to this switch for mesh communication. The switch connection allows the mesh to be extended beyond the capabilities of wireless mesh. Also note that, in Dashboard, all relay access points on the isolated switch will report a mesh throughput equivalent to that of the relay access point with the strongest mesh speed.
Included in wireless firmware version r25.2 and later
It is important not to have any other computers or network services such as DHCP running on this switch; otherwise the relays will change to gateway mode, causing unpredictable network behavior.
IP communication outside of the proprietary mesh traffic will be blocked by the MR repeater, so remote IP access to switches will be lost. In order to mix IP and mesh extension, a router would need to be introduced as described above.