Home > Switches > Port and VLAN Configuration > Switch Ports

Switch Ports

Meraki's MS switch allows you to configure anything from a single port to thousands of ports through our industry-first, Virtual Stacking technology. Virtual Stacking provides centralized management for up to 10,000 switch ports and unlike traditional stacking, virtually stacked switches do not require a physical connection, can be in different physical locations, and can be of different switch models, thereby simplifying large scale, distributed deployments.

From the Configure > Switch Ports page, you can name your ports, turn ports on/off, enable spanning tree (RSTP), define port types (access/trunk), and specify VLANs (data and voice).

Searching for ports

The virtual stack allows for you to view all your switch ports in one easy-to-navigate page. To further simplify switch port management, a dynamic search bar is available at the top to allow for you to quickly find the port(s) you are looking for.

Search terms

  • Enter any value in to the search omnibox for an instant search result
  • Use conditional operators to separate multiple search queries (AND, OR)
  • Use a wildcard to search for more general results ( * )
  • Enter specific search terms to find a particular port:


Search Type
Search Value




return all specified ports or port ranges port:1-10



return all ports with the specified switch name

name:"joe's desktop"

Switch switch:value return all ports for the designated switch(es) switch:"1st floor"
Detected Uplink is:uplink return interface(s) detected as uplink to Meraki Cloud





return all ports with the specified tag

tag:"blue 132"





return all ports with the specified vlan

return all ports with a native vlan

return all ports with a voice vlan


vlan:"native 60"

vlan:"voice 20"

LLDP lldp:value return all ports containing matching LLDP information lldp:"MR24"



will return all ports with type "trunk" or type "access"




return all ports with the link type set to specified speed/duplex

link:"100 mbps"

link:"10 gbps"

Link Aggregate is:aggregated return only link aggregated (LACP) ports is:"aggregated"
Access Policy ap:value return all ports with the specified access policy applied (wildcard supported) ap:*
Port Schedule schedule:value return all ports with the specified port schedule (wildcard supported) schedule:*
Group group:value return all ports belonging to a common group (the virtual stack automatically categorizes the 3 most common configuration types into groups 1,2 and 3)




MAC Whitelist mac_whitelist:* return all ports with a mac-whitelist enabled (you can substitute the * with a mac address value using colons as separators)



The search tool is also capable of intelligently combining multiple search queries. See a few examples below.


Search: name:"joe's port" AND switch:"2nd floor POE"

Result: returns all port(s) with the name "joe's port" on the switch named "2nd floor POE"

Search: port:1-15 link:"10 gbps" switch:"2nd floor IDF"

Result: Returns all ports configured for 10gbit from the port range of 1-15 on the switch named "2nd floor IDF"


Making Configuration Changes

Making a Selection

In order to make changes to a port or port group on your MS switch, select the port or ports you would like to change by checking their prospective check box(es). 

Editing your Selection

Choose "Edit selected items" and make the desired changes. See the screenshot below for all configurable items.

Applying your Changes

Once you are satisfied with the changes you've made, save them by selecting "Update ports". This will instantly push the changes to your MS Switch.

Configuring a Trunk Port

Configuring a trunk port will cause the selected port(s) to accept 802.1Q tagged traffic for the VLANs specified. You will also have the opportunity to specify a Native VLAN for traffic that has no VLAN tag on ingress. This port configuration type is often used when configuring ports uplinks and devices that support 802.1Q.

Selecting a Native VLAN

If you would like untagged traffic to be tagged with a Native VLAN on egress, specify the Native VLAN by entering the VLAN ID in the appropriate field.

Choosing Allowed VLANs

In the VLAN field on the configuration window, enter the VLAN ID for the appropriate VLAN. Please note that making changes to your uplink port is not recommended as you may lose connectivity to the Meraki Cloud Controller.

Configuring an Access Port

Configuring a port with type "access" will cause for port to accept untagged traffic on ingress and send it to the VLAN specified. This is often used when configuring ports for edge devices.

Specifying the VLAN

In the VLAN field on the configuration window, enter the VLAN ID for the appropriate VLAN. Please note that making changes to your uplink port is not recommended as you may lose connectivity to the Meraki Cloud Controller.

Adding a Voice VLAN

If a voice VLAN is specified, the port will accept tagged traffic on the voice VLAN. In addition, the port will send out LLDP and CDP advertisements recommending devices use that VLAN for voice traffic.

Please note that STP Portfast (immediate forwarding state) is enabled by default on ports configured as Access ports

Enabling BPDU Guard 

BPDU guard is a spanning tree enhancement that will instruct the switchport to go into a discarding state if a BPDU is received on the interface. The interface will remain in discarding state for 15 seconds.

Enabling Root Guard

Root guard is typically enabled on switch to switch connections and when enabled, will keep the port in a designated role. If a superior BPDU is received, the port will go into a discarding state. Once the port stops receiving superior BPDUs it will automatically go back to learning/forwarding state

Configuring MAC whitelist

MS switches support whitelist based port-security which allows administrators to configure basic port-level protection against unauthorized network access. By default the whitelist is empty and disabled, thus allowing the switch to add any mac address to its forwarding table. However, by specifying one or more mac addresses (separated by whitespace), one can limit which devices are permitted on a per-port basis.

Port Isolation

In certain deployments, it may be desired to enable Port Isolation. Enabling this feature prevents any isolated port from communicating with other isolated ports. This feature has two options:

  • Enabled - Port has complete Layer 2 separation from all other isolated ports on the same VLANs. Port can only receive/send traffic to non-isolated ports.
  • Disabled - Port can communicate with all interfaces on the same VLANs, including isolated ports.

A common use case for this feature is a hotel that wants to enable guest isolation between rooms for wired ports. For further information on this feature, please reference our documentation.

MAC whitelist with Sticky

In addition to MAC Whitelisting, you can optionally enable "Sticky MAC" learning with a maximum quantity of learned addresses. This will instruct the configured switch port(s) to dynamically learn the MAC addresses of the connected devices up to the maximum amount specified.

This feature is useful for secured environments where the connected devices do not and should not change (i.e. a point of sale system in a retail environment with PCI compliance requirements).

Identifying ports

It can be very useful to name or tag individual ports for management and troubleshooting purposes. For example, you may want to label the Uplink or stack interconnect port in the event you need to make a change to that port. You can then search your entire virtual stack by port name to easily locate a particular port or range of ports (ie. all ports containing the term "uplink"). See Searching for ports for more info.

Applying an Access Policy (802.1x)

If you would like to configure and implement 802.1x wired authentication, you must first create an Access policy. For more information, see Creating an Access Policy.

Once you have successfully created an access policy, simply select the port or ports you would like to configure. Now, select the appropriate policy from the "Access Policy" dropdown. Choosing "open" will remove all authentication requirements from the ports you're modifying.

Note: In order to configure 802.1x wired authentication, you must configure the port as an Access port.

Link Aggregation

The MS series supports Link Aggregation (LACP) groups of up to 8 ports. To configure an aggregate, simply choose the ports you would like to aggregate by checking their respective boxes and then select the "Aggregate" option at the top of the page (see video 1 below). 

Doing this will create an LACP port group running mode:active.


A "Link Aggregate" is a combination of ports that act as one logical link. This is often referred to as Link Bonding, Link Aggregation, or EtherChannel. A link aggregate will load balance across the different physical links for additional performance, and will also give higher reliability because the link aggregate will continue to function as long as at least one of the physical links is working.


By default the MS series runs an LACP Passive instance per port. This is to prevent loops when a bond is connected to a switch running default configuration.


It is generally recommended that you first configure a link aggregate and then physically connect the aggregated ports. Be sure to configure the aggregate (or have LACP enabled) on both ends of the link.


Aggregated ports allow you to use multiple physical ports on your switch in order to create one logical connection with another switch or host. This assumes that the device you're connecting to is also configured to aggregate its connected ports. This is useful for providing higher throughput as well as high availability as the link continues to function even if part of the aggregate connection fails.

Selecting your Aggregate ports

In your virtual stack, select the ports you would like to aggregate. Once you have selected the target ports, choose "Aggregate Ports" at the top or bottom of the port list and accept the change notification. 

Splitting your Port Aggregates

If you decide to remove or modify your port aggregation links, simply select the aggregated port and choose "Split Aggregates". This will revert the changes and split the group into it's own separate ports.

*For more specific configuration and interoperability information, please reference our documentation.

Port Mirroring

It may be necessary to configure a mirrored port or range of ports. This is often useful for network devices that require monitoring of network traffic, such as a VoIP recording solution or an IDS (Intrusion Detection System).

MS switches support one-to-one or many-to-one mirror sessions. 


In order to enable and configure a mirrored port or range of ports, navigate to Switch >> Switch Ports. On this page select the ports that are intended for mirroring and hit the mirror button.


After which enter the destination port for the mirror session. If the ports are in a switch stack then also select the desired switch in the stack for the mirror destination.

Once the Mirror is configured it can be easily identified using the "Mirror" column in dashboard.

You must to post a comment.
Last modified
16:35, 12 Aug 2016


This page has no custom tags.


This page has no classifications.

Article ID

ID: 4462

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case