Home > Security and SD-WAN > Networks and Routing > MX Addressing and VLANs

MX Addressing and VLANs

Appliance settings are accessible through the Security Appliance > Configure > Addressing & VLANs page and include Network name, passthrough or NAT mode, client tracking methods, subnet and VLAN configuration, Static LAN routes, and Dynamic DNS settings.


This field allows you to set or modify the name of the Dashboard network that contains the security appliance.

Deployment Mode

The MX appliance can be deployed in two possible modes:

  • Passthrough or VPN concentrator mode
  • NAT mode

Passthrough or VPN Concentrator Mode

As a Layer 2 passthrough device

Choose this option if you simply want to deploy the MX device:

  • In bridge mode for traffic shaping and additional network visibility.
  • As a one-armed VPN concentrator.

In this mode, the MX device does not provide any address translation and operates as a passthrough device between the Internet and the LAN ports (sometimes referred to as a Layer 2 bridge). The appliance also provides VPN tunneling functionality.

For more information, please refer to the Deployment guides.


Placing an MX appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode MX appliances should always be deployed behind an edge firewall.

Network Address Translation (NAT)

Choose this option if you want to use the MX appliance as a Layer 7 firewall to isolate and protect LAN traffic from the Internet (WAN). Client traffic to the Internet will have its source IP rewritten to match the WAN IP of the appliance. In this mode, the MX appliance is generally also the default gateway for devices on the LAN. This section also provides a link to the DHCP settings page.

Client tracking

Here you can configure how the MX appliance identifies and tracks client devices in order to apply network access policies and store information on client activity. You have two options available:

  • Track client by MAC address: This is the default selection. Use this option if all client devices are within the VLANs/subnets configured on the appliance, and there is no Layer 3 device between the appliance and the clients.
  • Track clients by IP address: Use this option if there is a Layer 3 device between the appliance and the clients, and MAC address identification is therefore not reliable or accurate. Some ARP-based (Layer 2) tools will be unavailable in this mode. These include client ping and client connectivity alerts.

Enabling VLANs

You can configure a single LAN or multiple VLANs through the Addressing & VLANs page. You can use the VLAN selector to configure the appliance to use a single LAN subnet or multiple LAN subnets (VLANs).


This section displays the local routes configured on the MX appliance. This includes configured subnets or VLANs as well as static routes. VLANs and Static Routes can be added, deleted, or modified here.

The status of configured routes can be viewed on the Route table page.


Please refer to MPLS to VPN failover deployment guide for a detailed discussion on route failure detection and implementing a resilient WAN architecture.


VLANs allow you to partition your network into different subnets such that downstream hosts are separated into different broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control. The appliance has multiple LAN IPs, each of which is the default gateway address on its particular VLAN.

To add a new VLAN, click "Add a local VLAN" at the bottom of the routes table. To modify an existing VLAN, click on that VLAN in the Routes table. The following fields can be set for a local VLAN:

  • Name: The name of the VLAN.
  • Subnet: Use this option to enter the IP subnet for the VLAN. Note that as with Single LAN mode, you need to provide this information in CIDR notation.
  • MX IP: The IP address of the MX appliance in this particular VLAN/subnet. This is the default gateway IP address on that VLAN.
  • VLAN ID: The numerical identifier that is assigned to the VLAN.
  • Group Policy: The Group Policy you wish to apply to this VLAN, if any (see Group policies).
  • In VPN: Determines whether the MX advertises this VLAN to site-to-site VPN peers.

To delete a VLAN, click on the X next to that VLAN on the far right side of the Routes table.

Static LAN routes

Static LAN routes are used to reach a subnet that is behind a layer-3 switch or otherwise not directly connected to or configured on the appliance.

To add a new static LAN route, click "Add a static route" at the bottom of the routes table. To modify an existing static route, click on it in the Routes table. The following fields can be set for a static LAN route:

  • Enabled: Whether the MX should use the route or not. Use this setting if you wish to temporarily remove a route from the MX without having to manually recreate it later.
  • Name: The name of the static route.
  • Subnet: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).
  • Next hop IP: IP address of the device (such as a router or layer 3 switch) that connects the MX appliance to the static route subnet. This is also sometimes referred to as the 'route gateway IP'.
  • Active: Conditions that control when this route will be used. A static route can be set to one of three modes:
    • Always: Route is always used.
    • While next hop responds to ping: Route is used only if the MX can successfully ping the next hop IP configured for the route.
    • While host responds to ping: Route is used only if the MX can ping a specified host IP using the route.
  • Host IP to ping: Only appears if While host responds to ping is selected above. This is the IP that the MX will ping via the static route to determine whether the route is working properly. This device must be in the subnet specified in the static route, and should always be a device with a static IP or a DHCP reservation (such as a server).
  • In VPN: Determines whether the MX advertises this static route to site-to-site VPN peers.

To delete a static LAN route, click on the X next to that route on the far right side of the Routes table.

Per-port VLAN configuration

Here you can view and modify the VLAN settings for your MX appliance on a per-port basis. To modify the per-port VLAN settings, select the port or ports you wish to reconfigure and click Edit. You will be presented with a menu that allows you to set the following parameters:

  • Enabled: Enable or disable the port. If the port is set to Disabled, no other options will be available.
  • Type: Set the port to either trunk or access mode. A port configured in trunk mode can pass traffic on multiple VLANs, while an access mode port passes traffic for only one VLAN.
  • Native VLAN (trunk mode only): Sets the Native VLAN for the port. All untagged traffic that comes in on this port will be treated as if it belonged to this VLAN. This can also be set to 'Drop untagged traffic'.
  • Allowed VLANs (trunk mode only): The VLANs for which this port will accept and pass traffic. This must include the Native VLAN if one is set.
  • VLAN (access mode only): The VLAN for which this port will accept and pass traffic. All untagged traffic will automatically be treated as if it belonged to this VLAN.

Dynamic DNS

Dynamic DNS allows you to reach a public-facing MX appliance over the internet even if the public IP address changes. Meraki will automatically issue a unique FQDN (fully qualified domain name) for the appliance and auto-register the MX through Meraki's own Dynamic DNS service. This public DNS record will be updated if the public IP address of the appliance changes due to DHCP lease renewal or uplink failover.

Custom FQDN name:

Creating a custom DNS name for your appliance is simple. Let's assume that you have an MX90 that you've named "myMX90" and you want to name it "myMX90.example.com". Meraki will auto-generate a unique FQDN, for example: myMX90-wmktpbbzt.dynamic-m.com.

Using a type of DNS record called a CNAME record, you can map arbitrary DNS names to other DNS names. If you register a domain (e.g., example.com), your registrar should be able to help you set up a CNAME from your new domain (or a subdomain) to myMX90-wmktpbbzt.dynamic-m.com. At this point your custom DNS name would resolve to the public IP of the appliance the same way that the original, auto-generated FQDN would.

Warm spare

Here you can add a second MX appliance as a warm spare unit to create a high availability (HA) pair. To do so, click the Add a warm spare button and enter the serial number of the spare, along with virtual IPs for any uplinks that are being used.

You can perform the following functions on an existing HA pair:

  • Change the virtual IP(s) being used for the uplink(s)
  • Swap the primary and secondary roles of the appliances in the pair by clicking the Swap primary and spare button
  • Remove the spare from the network to be used elsewhere by clicking the Remove spare button. The spare will return to default configuration, so it is highly recommended that it be removed from the network or taken offline before this action is taken.

You can learn more about warm spare functionality on the Warm spare page.

Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 4171

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community