Client-Tracking Options
Overview
There are three ways for Meraki devices to identify clients: Unique client identifier, Track by MAC, and Track by IP. These tracking methods determine how key information such as the clients list and network usage data is populated in the Meraki dashboard.
This article outlines how to change client tracking in the dashboard, the differences between the three options, and the best use cases for each in different topologies. See Client-Tracking in IOS-XE for the further information on device tracking on Catalyst 9000 series and other IOS-XE devices within the dashboard.
Note: Only the MX WAN appliance supports Unique Client Identifier or Track by IP. All other Cisco Meraki devices distinguish clients based on MAC addresses only.
Note: The following ports don't support Traffic Analytics (AVC) features on MS390 & C9300/L/X-M switches
1. Ports with supported maximum speeds of 25G or greater
2. Link Aggregation ports
Client Tracking (Device Tracking) is supported on all speed ports.
Note: Beginning with CS version 17.2.1 and later, client tracking on trunk ports will be disabled by default from the dashboard perspective.
Step-by-step instructions
Configuring client tracking
The following instructions outline how to change the client tracking method:
- In the dashboard, navigate to Security & SD-WAN > Configure > Addressing & VLANs.
- Under Deployment Settings, change Client tracking to the desired option:
- Select Save Changes at the bottom of the page.
Changing the client tracking method will reset your historical client usage statistics. Any Group policies or custom hostnames applied to clients may also need to be reapplied.
Client tracking option use cases
The best tracking method depends on whether any Layer 3 devices are routing between the MX WAN appliance and end clients. Layer 3 routing between these devices introduces multiple broadcast domains. The recommendations are detailed below.
|
Is there a L3 device routing between MX-Z and end clients? |
Recommended Tracking Option |
|---|---|
|
None, or L2-only switches |
Track by MAC |
|
Meraki MS switches with L3 enabled |
Unique client identifier |
|
Non-Meraki L3 switches/routers |
Track by IP |
|
Combination of Non-Meraki and Meraki switches with L3 |
Track by IP |
Unique client identifier
Unique client identifier is a Meraki technology that uses network topology and device information to uniquely identify and track clients. It uses an algorithm that correlates client MAC and IP addresses seen across the Meraki stack, allowing the MX WAN appliance to generate a unique identifier for each client in a combined network with other Meraki devices. Unique Client Identifier is useful when Cisco Meraki MS switches perform Layer 3 routing between end clients and the MX WAN appliance, which segregates broadcast traffic containing the client's MAC address.
Use this method only if the network has downstream Layer 3 routing devices that are all Meraki devices. In this deployment scenario:
- Tracking by IP would otherwise require the security appliance to be split into a separate dashboard network, as tracking by IP is not supported in combined networks.
- Tracking by MAC would fail to identify end client devices due to the layer 3 boundary, associating downstream client traffic to the routing switch and negatively affecting network usage numbers in dashboard.
Tracking by unique client identifier also disables uplink sampling for clients. This can be helpful in certain scenarios where non-Meraki Network Access Control (NAC) solutions are deployed in mixed vendor environments.
Note: Unique Client Identifier does not allow the MX WAN appliance to identify clients connected to an SSID using NAT mode with Meraki DHCP, even for MR access points in the same dashboard network.
Note: Some tools, such as client connectivity alerts and client ping, are based on ARP and are not available when using Unique client identifier.
Note: Onboarding a Catalyst 9300 Series switch for Cloud Monitoring automatically enforces Unique Client Identifier as the tracking method for the network. Refer to the Cloud Monitoring for Catalyst Onboarding for additional details.
This also is the case for Meraki Managed C9300 switches on IOS-XE cloud native firmware and Catalyst 9000 series switches that are onboarded in device configuration mode.
Requirements and conditions
Review the requirements and conditions below before enabling Unique Client Identifier on your network.
To see the Unique Client Identifier option in Addressing & VLANs, the following conditions must be met:
- There must be a security appliance with at least one Meraki MS or Meraki Managed/Monitored Catalyst L3 switch in the same network in the dashboard. To avoid incorrect tracking data, the devices in this dashboard network should also be in the same physical network.
- This option is only shown if the MX firmware version is 9+ and the MS firmware version is 10+.
- Do not use Unique Client Identifier in a dashboard network where the MX's WAN ports are connected to a Meraki switch in the same Dashboard network. If you need to use a Meraki switch in between your ISP and the MX WAN please isolate this switch into a separate Dashboard network.
If you are currently tracking by IP, you will need to temporarily change it to track by MAC in order to combine the network. Once the network is combined, you should see the option for the ‘Unique Client Identifier’ under ‘Addressing and VLANs’ on your MX.
When modifying the 'Client tracking' the change will reset any client device with a manually configured group policy associated. Manual group policies are on the Network-Wide > Monitor > Clients page under the policy column. If a policy is needed for a particular associated device, it must be re-added once the change is made and the device populates on the client list.

Changing the client tracking method will reset your client usage statistics.
Note that switching from Unique Client Identifier to Track by IP or Track by MAC may take up to 30 days for client tracking information to update on active devices, which may result in duplicate entries with different client details. Switching from Track by IP or Track by MAC to Unique Client Identifier should update within 24 hours for active devices. Inactive devices may take up to 30 days to age out for all tracking options.
Track by MAC
In many deployments, the MX WAN appliance acts as the gateway for the network and performs inter-VLAN routing if necessary. In this scenario, the MX WAN appliance is in the same broadcast domain as all clients in the network, so the client's MAC address appears in all traffic seen by the MX WAN appliance.
The diagram below illustrates how the MX WAN appliance identifies client MAC addresses in this topology.

Track by IP
Note: Track by IP is not supported in combined dashboard networks. To combine an MX network that is tracking clients by IP, switch to Track by MAC first before proceeding.
Note: Similar to Track by Unique client identifier, some tools, such as client connectivity alerts and client ping, are based on ARP and will not be available when using Track by IP.
Track by IP is best used in the following two scenarios:
- Split networks: All Layer 3 devices are Meraki devices but are in separate dashboard networks.
- Non-Meraki Layer 3 switch downstream of the MX WAN appliance: A non-Meraki Layer 3 switch performs inter-VLAN routing downstream of the MX WAN appliance. If Meraki Layer 3 switches are in use, enable Unique Client Identifier instead. Non-Meraki Layer 3 devices modify the source MAC address of client traffic, so the MX WAN appliance cannot identify clients by their MAC address. Refer to the image below.

To identify clients downstream of the non-Meraki Layer 3 switch, change the MX WAN appliance to Track by IP. The non-Meraki Layer 3 switch does not modify the source IP of client traffic, so the MX WAN appliance can identify different clients by IP.

When the MX WAN appliance is set to Track by IP, the client MAC addresses displayed on the clients list may not be accurate.
Additional resources

