Client-Tracking Options
There are three different ways for Meraki devices to identify clients: Unique client identifier, Track by MAC, and Track by IP. These tracking methods are how key information like the clients list and network usage data is populated in the dashboard.
This article outlines how to change client tracking in the dashboard, the differences between the three options, and the best use cases for each in different topologies.
Note: Only the MX Security Appliance has the option to use Unique Client Identifier or track clients by IP. All other Cisco Meraki devices will only distinguish clients based on MAC addresses.
Note: The following ports don't support Client Tracking features on MS390 & C9300/L/X-M.
1. Ports with supported maximum speeds of 25G, 40G, 100G.
2. Link Aggregation ports.
Configuring Client Tracking
The following instructions outline how to change the client tracking method:
- In the dashboard, navigate to Security & SD-WAN > Configure > Addressing & VLANs.
- Under Deployment Settings, change Client tracking to the desired option.
- Click Save Changes at the bottom of the page.
Changing the client tracking method will reset your historical client usage statistics. Any Group policies or Custom Hostnames applied to clients may also need to be reapplied.
Client Tracking Option Use Cases
The best tracking method to use depends on whether any layer 3 devices are routing between the security appliance and your end clients, which introduces multiple broadcast domains. The recommendations are detailed below.
| Is there a L3 device routing between MX-Z and end clients? | Recommended Tracking Option |
|---|---|
| None, or L2-only switches | Track by MAC |
| Meraki MS switches with L3 enabled | Unique client identifier |
| Non-Meraki L3 switches/routers | Track by IP |
| Combination of Non-Meraki and Meraki switches with L3 | Track by IP |
Unique Client Identifier
Unique client identifier is a Meraki technology that leverages network topology and device information to uniquely identify and track clients. It uses an algorithm that intelligently correlates client MAC and IP addresses seen across the Meraki stack, allowing the security appliance to generate a unique identifier for each client in a combined network with other Meraki devices. This is specifically useful when there are Meraki MS switches routing layer 3 between end clients and the security appliance, which segregates broadcast traffic containing the client's MAC address.
This method should be used only if the network has downstream layer 3 routing devices that are all Meraki devices. In this deployment scenario, tracking by IP would otherwise require the security appliance to be split into a separate dashboard network, as tracking by IP is not supported in combined networks. Tracking by MAC would fail to identify end client devices due to the layer 3 boundary, associating downstream client traffic to the routing switch and negatively affecting network usage numbers in dashboard.
Tracking by unique client identifier also disables uplink sampling for clients, which can be helpful in certain scenarios where non-Meraki NAC solutions are deployed in mixed vendor environments.
Note: Unique client identifier does not allow the MX to identify clients connected to an SSID utilizing NAT mode with Meraki DHCP, even for MRs in the same dashboard network.
Note: Some tools, such as client connectivity alerts and client ping, are based on ARP and will not be available when using Unique client identifier.
Note: Onboarding a Catalyst 9000 series switch for Cloud Monitoring will automatically enforce "Unique Client Identifier" as the tracking method for the network. See Cloud Monitoring for Catalyst Onboarding for additional details.
Requirements and Conditions
Please review the requirements and conditions below before enabling this feature on your network.
To see the Unique Client Identifier option in Addressing & VLANs, the following conditions must be met:
- There must be a security appliance with at least one Meraki L3 switch in the same network in the dashboard. To avoid incorrect tracking data, the devices in this dashboard network should also be in the same physical network.
- This option is only shown if the MX firmware version is 9+ and the MS firmware version is 10+.
- Do not use Unique Client Identifier in a dashboard network where the MX's WAN ports are connected to a Meraki switch in the same dashboard network. If you need to use a Meraki switch in between your ISP and the MX WAN, isolate this switch into a separate dashboard network.
Note: If you are currently tracking by IP, you will need to temporarily change it to track by MAC in order to combine the network. Once the network is combined, you should see the option for the ‘Unique Client Identifier’ under ‘Addressing and VLANs’ on your MX.
Note: Modifying the 'Client tracking' setting will reset any client device that has a manually configured group policy associated with it. Manual group policies are shown on the Network-Wide > Monitor > Clients page under the policy column. If a policy is needed for a particular device, it must be re-added once the change is made and the device populates on the client list.
Changing the client tracking method will reset your client usage statistics.
Note that after switching from Unique Client Identifier to Track by IP or Track by MAC, client tracking information may take up to 30 days to update on active devices, which may result in duplicate entries with different client details. After switching from Track by IP or Track by MAC to Unique Client Identifier, tracking information should update within 24 hours for active devices. Inactive devices may take up to 30 days to age out for all tracking options.
Track by MAC
In many deployments, the MX security appliance is used as the gateway for the network and performs inter-VLAN routing for the network if necessary. In this circumstance, the MX is in the same broadcast domain as all clients in the network, so the client's MAC address will be found in all traffic seen by the MX.
The following diagram outlines how the MX can see client MAC addresses in this topology:
Track by IP
Note: Track by IP is not supported in combined dashboard networks. To combine an MX network that is tracking clients by IP, switch it first to track by MAC address or Unique Client Identifier before proceeding.
Note: Similar to Track by Unique client identifier, some tools, such as client connectivity alerts and client ping, are based on ARP and will not be available when using Track by IP.
This option is best used in two scenarios:
The first is in split networks, where all layer 3 devices are Meraki devices but they are in separate dashboard networks.
The second is where there is a non-Meraki layer 3 switch performing inter-VLAN routing downstream of the MX. If you are using Meraki layer 3 switches, enable Unique Client Identifier instead. Since non-Meraki layer 3 devices will modify the source MAC address of client traffic, the MX cannot identify clients by their MAC as shown below.
In order to identify clients downstream of the non-Meraki layer 3 switch, the MX can be changed to track clients by their IP. Since the non-Meraki layer 3 switch won't be modifying the source IP of client traffic, the MX can identify different clients by IP:
When an MX is set to track clients by IP, the client MAC addresses displayed on the clients list may not be accurate.
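The effect described above, as an added example that is not part of the original article or any Meraki code: a small simulation of what the MX sees when a downstream layer 3 hop rewrites the source MAC but keeps the source IP, with usage totalled per MAC and per IP. All addresses and byte counts are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed: MAC the downstream L3 switch uses on its uplink toward the MX.
ROUTER_MAC = "00:00:5e:00:53:01"

# Constructed sample: (client MAC, client IP, bytes, routed through L3 switch?)
CLIENT_TRAFFIC = [
    ("00:00:5e:00:53:a1", "10.0.10.11", 1200, True),
    ("00:00:5e:00:53:a2", "10.0.20.12", 800, True),
    ("00:00:5e:00:53:a3", "10.0.20.13", 500, True),
    ("00:00:5e:00:53:b1", "192.168.1.50", 300, False),  # same L2 segment as MX
    ("00:00:5e:00:53:a1", "10.0.10.11", 400, True),
]

def frames_seen_by_mx(traffic, router_mac=ROUTER_MAC):
    """A routing hop replaces the source MAC with its own; the source IP is kept."""
    return [(router_mac if routed else mac, ip, size)
            for mac, ip, size, routed in traffic]

def usage_by(frames, key):
    """Sum bytes per tracked client, keyed by 'mac' or by 'ip'."""
    idx = {"mac": 0, "ip": 1}[key]
    totals = defaultdict(int)
    for frame in frames:
        totals[frame[idx]] += frame[2]
    return dict(totals)

def macs_fronting_many_ips(frames, threshold=2):
    """MACs seen with >= threshold distinct source IPs: a sign that a L3 hop
    sits downstream and Track by MAC would merge several clients into one."""
    ips = defaultdict(set)
    for mac, ip, _ in frames:
        ips[mac].add(ip)
    return {mac: sorted(s) for mac, s in ips.items() if len(s) >= threshold}

if __name__ == "__main__":
    frames = frames_seen_by_mx(CLIENT_TRAFFIC)
    print("by MAC:", usage_by(frames, "mac"))   # routed clients collapse into ROUTER_MAC
    print("by IP: ", usage_by(frames, "ip"))    # each client stays distinct
    print("L3 hop candidates:", macs_fronting_many_ips(frames))
```

A host with several IP addresses on one interface also matches `macs_fronting_many_ips`, so treat a hit as a prompt to check the topology, not as proof of a routing hop.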