Cisco Meraki Documentation

MX Addressing and VLANs

Appliance settings are accessible through the Security & SD-WAN > Configure > Addressing & VLANs page and include deployment settings for routed or passthrough / VPN Concentrator mode, client tracking methods, subnet and VLAN configuration, and static routes.

Deployment Settings

The WAN appliance can be deployed in two possible modes:

  • Routed
  • Passthrough or VPN concentrator

Note: Making changes on the Security & SD-WAN > Configure > Addressing & VLANs page can cause minor network disruption. It is not recommended to make changes during production hours.

Routed Mode

This is the default selection. Choose this option if you want to use the WAN appliance as a layer 7 firewall to isolate and protect LAN traffic from the Internet (WAN). Client traffic to the Internet will have its source IP rewritten to match the WAN IP of the appliance. In this mode, the WAN appliance is generally also the default gateway for devices on the LAN. This section also provides a link to the DHCP settings page.

Passthrough or VPN Concentrator Mode

As a layer 2 passthrough device

Choose this option if you simply want to deploy the WAN appliance:

  • In bridge mode for traffic shaping and additional network visibility.
  • As a one-armed VPN concentrator.

In this mode, the WAN appliance does not provide any address translation and operates as a passthrough device between the Internet and the LAN ports (sometimes referred to as a layer 2 bridge). The WAN appliance also provides VPN tunneling functionality.

For more information, please refer to the Deployment guides.


Placing a WAN appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode WAN appliances should always be deployed behind an edge firewall.

Client tracking

Here you can configure how the WAN appliance identifies and tracks client devices in order to apply network access policies and store information on client activity. You have three options available:

  • Track clients by Unique client identifier: This is an option that exists only if certain requirements are met, which are described in the guide on Client Tracking Options. This option is best for combined networks where the WAN appliance and at least one Meraki layer 3 routing switch are in the same network, and there is no non-Meraki layer 3 device in the network. 
  • Track clients by MAC address: This is the default selection. Use this option if all client devices are within the VLANs/subnets configured on the WAN appliance, and there is no layer 3 device between the WAN appliance and the clients.
  • Track clients by IP address: Use this option if there is a non-Meraki layer 3 device between the WAN appliance and the clients, and MAC address identification is consequently not reliable or accurate. Some ARP-based (layer 2) tools will be unavailable in this mode. These include client ping and client connectivity alerts.



NOTE: If it is the first time enabling VLANs on a network, Security & SD-WAN > Configure > Site-to-Site VPN > Local Networks > VPN mode for the default VLAN (VLAN ID 1 after enabling VLANs) will be set to Disabled.

Re-enabling VLANs from Single VLAN will set VPN mode to the previously configured state for that network.

A newly created VLAN inherits the custom DNS name server configuration from the DHCP settings of the original subnet used in the previous Single LAN mode. This holds whether the network was created from the default configuration or cloned from another network currently in VLANs mode, provided a custom name server configuration already existed for Single LAN mode.

Deleting all VLANs will result in an error. If no VLANs are required, change the LAN setting to Single LAN mode.

You can configure a single LAN or enable VLANs under the Routing section of the Addressing & VLANs page. To enable VLANs, check the VLANs box.


VLANs allow you to partition your network into different subnets such that downstream hosts are separated into different broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control. The appliance has multiple LAN IPs, each of which is the default gateway address on its particular VLAN.

To add a new VLAN, click Add VLAN at the top right of the Subnets table. To modify an existing VLAN, click on that VLAN in the Subnets table. The following fields can be set for a local VLAN:

  • VLAN Name: The name of the VLAN.
  • VLAN ID: The numerical identifier that is assigned to the VLAN.
  • Group Policy: The Group Policy you wish to apply to this VLAN, if any (see Group policies).
  • VPN mode: Determines whether the WAN appliance advertises this VLAN to site-to-site VPN peers.
  • VLAN interface IP: The IP address of the WAN appliance in this particular VLAN/subnet. This is the default gateway IP address on that VLAN.
  • Subnet: Use this option to enter the IP subnet for the VLAN. Note that as with Single LAN mode, you need to provide this information in CIDR notation. The CIDR notation subnet must contain at least four IPs ("/30" or larger), since two are reserved for the network and broadcast addresses.

To delete a VLAN, click the check box next to the VLAN and click the Delete button, then click Save.

Per-port VLAN Settings

Here you can view and modify the VLAN settings for your WAN appliance on a per-port basis. To modify the per-port VLAN settings, select the port or ports you wish to reconfigure and click Edit. You will be presented with a menu that allows you to set the following parameters:

  • Enabled: Enable or disable the port. If the port is set to Disabled, no other options will be available.
  • Type: Set the port to either trunk or access mode. A port configured in trunk mode can pass traffic on multiple VLANs, while an access mode port passes traffic for only one VLAN.
  • Native VLAN (trunk mode only): Sets the Native VLAN for the port. All untagged traffic that comes in on this port will be treated as if it belonged to this VLAN. This can also be set to Drop Untagged Traffic.

    NOTE: If a VLAN in use as the Native VLAN for one or more ports is deleted, those ports will be disabled until a new Native VLAN is configured.

  • Allowed VLANs (trunk mode only): The VLANs for which this port will accept and pass traffic. This must include the Native VLAN if one is set.
  • VLAN (access mode only): The VLAN for which this port will accept and pass traffic. All untagged traffic will automatically be treated as if it belonged to this VLAN.
  • Access Policy (access mode only): Certain models can be configured with 802.1X Access Policies. For more information click here.
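
The VLAN and per-port rules above can be checked before a change is saved. The following is an added example, not Meraki code: the dictionary field names are hypothetical, the sample data is constructed, and treating the network and broadcast addresses as invalid interface IPs is an assumption drawn from the "/30 or larger" rule.

```python
import ipaddress

def check_vlans(vlans):
    """Check each VLAN's subnet size and interface IP; return a list of findings."""
    findings = []
    for v in vlans:
        net = ipaddress.ip_network(v["subnet"], strict=False)
        ip = ipaddress.ip_address(v["interface_ip"])
        if net.num_addresses < 4:
            # The page requires at least four IPs ("/30" or larger).
            findings.append(f"VLAN {v['id']}: {net} has fewer than four addresses")
        elif ip not in net or ip in (net.network_address, net.broadcast_address):
            # Assumption: the gateway must be a usable host, not a reserved address.
            findings.append(f"VLAN {v['id']}: {ip} is not a usable host in {net}")
    return findings

def check_ports(ports, vlan_ids):
    """Check per-port VLAN references against the set of defined VLAN IDs."""
    findings = []
    for p in ports:
        if not p["enabled"]:
            continue  # a disabled port has no other options to check
        if p["type"] == "access":
            used = {p["vlan"]}
        else:
            used = set(p["allowed_vlans"])
            native = p["native_vlan"]  # None models "Drop Untagged Traffic"
            if native is not None and native not in used:
                findings.append(f"port {p['number']}: native VLAN {native} not in allowed VLANs")
                used.add(native)
        for vid in sorted(used - vlan_ids):
            # Dangling reference, e.g. a Native VLAN that has been deleted.
            findings.append(f"port {p['number']}: VLAN {vid} is not defined")
    return findings

# Constructed sample configuration (field names are hypothetical).
VLANS = [
    {"id": 1, "subnet": "192.168.1.0/24", "interface_ip": "192.168.1.1"},
    {"id": 20, "subnet": "10.0.20.0/31", "interface_ip": "10.0.20.0"},
    {"id": 30, "subnet": "10.0.30.0/30", "interface_ip": "10.0.30.3"},
]
PORTS = [
    {"number": 3, "enabled": True, "type": "trunk", "native_vlan": 1, "allowed_vlans": [20, 30]},
    {"number": 4, "enabled": True, "type": "access", "vlan": 40},
    {"number": 5, "enabled": False},
    {"number": 6, "enabled": True, "type": "trunk", "native_vlan": None, "allowed_vlans": [1, 20]},
]

if __name__ == "__main__":
    for line in check_vlans(VLANS) + check_ports(PORTS, {v["id"] for v in VLANS}):
        print(line)
```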

Static routes

Static routes are used to reach subnets that are behind a layer 3 switch or otherwise not directly connected to or configured on the WAN appliance.

To add a new static route, click "Add Static Route" at the top right of the Static routes table. To modify an existing static route, click on it in the Static routes table. The following fields can be set for a static route:

  • Enabled: Whether the WAN appliance should use the route or not. Use this setting if you wish to temporarily remove a route from the WAN appliance without having to manually recreate it later.
  • Name: The name of the static route.
  • IP version: The IP version to use; either IPv4 or IPv6 addressing.
  • Subnet: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).
  • Next hop IP: IP address of the device (such as a router or layer 3 switch) that connects the WAN appliance to the static route subnet. This is also sometimes referred to as the 'gateway IP'.
  • Active: Conditions that control when this route will be used. A static route can be set to one of three modes:
    • Always: Route is always used.
    • While next hop responds to ping: Route is used only if the WAN appliance can successfully ping the next hop IP configured for the route.
    • While host responds to ping: Route is used only if the WAN appliance can ping a specified host IP using the route.
      • Host IP to ping: Only appears if While host responds to ping is selected above. This is the IP that the WAN appliance will ping via the static route to determine whether the route is working properly. This device must be in the subnet specified in the static route, and should always be a device with a static IP or a DHCP reservation (such as a server).
  • VPN mode: Determines whether the WAN appliance advertises this static route to site-to-site VPN peers.

To delete a static route, click on the check box next to that route on the left side of the Static routes table.

The status of configured routes can be viewed on the Security & SD-WAN > Monitor > Route table page.

When a static route is set up with one of these conditions (While next hop responds to ping or While host responds to ping), the WAN appliance will generate ICMP requests that are sourced from the VLAN interface that the next hop IP is in.
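
The static route rules above (the route subnet is not one configured on the appliance, the host to ping sits inside the route subnet, and probes come from the VLAN interface containing the next hop) can be checked together. This is an added example, not Meraki code: the field names and the `host_ping` mode string are hypothetical and the sample data is constructed. The returned probe source is the address that the next hop or pinged host must be allowed to answer.

```python
import ipaddress

def check_static_route(route, vlans):
    """Return (findings, probe_source) for one static route.

    vlans maps VLAN ID -> (interface IP, subnet); probe_source is the VLAN
    interface IP that health-check pings are sourced from, or None.
    """
    findings, probe_source = [], None
    dest = ipaddress.ip_network(route["subnet"], strict=False)
    hop = ipaddress.ip_address(route["next_hop"])
    for vid, (iface, subnet) in vlans.items():
        net = ipaddress.ip_network(subnet, strict=False)
        if net.overlaps(dest):
            # Static routes are for subnets not configured on the appliance.
            findings.append(f"{dest} overlaps local VLAN {vid} ({net})")
        if hop in net:
            probe_source = ipaddress.ip_address(iface)
    if probe_source is None:
        findings.append(f"next hop {hop} is not inside any VLAN subnet")
    if route["active"] == "host_ping":
        host = ipaddress.ip_address(route["host_ip"])
        if host not in dest:
            findings.append(f"host {host} to ping is outside {dest}")
    return findings, probe_source

# Constructed sample data (field names and mode strings are hypothetical).
VLAN_INTERFACES = {10: ("10.0.10.1", "10.0.10.0/24"), 20: ("10.0.20.1", "10.0.20.0/24")}
GOOD = {"subnet": "192.168.50.0/24", "next_hop": "10.0.20.254",
        "active": "host_ping", "host_ip": "192.168.50.10"}
BAD = {"subnet": "10.0.10.128/25", "next_hop": "172.16.0.1",
       "active": "host_ping", "host_ip": "192.168.50.10"}

if __name__ == "__main__":
    for name, route in (("good", GOOD), ("bad", BAD)):
        print(name, check_static_route(route, VLAN_INTERFACES))
```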

Please refer to the MPLS to VPN failover deployment guide for a detailed discussion on route failure detection and implementing a resilient WAN architecture.

Warm spare

Warm spare can be configured on the Security & SD-WAN > Monitor > Appliance status page. You can learn more about warm spare functionality here.

Dynamic DNS

Dynamic DNS allows you to reach a public-facing WAN appliance over the Internet even if the public IP address changes. Meraki will automatically issue a unique FQDN (fully qualified domain name) for the WAN appliance and auto-register the WAN appliance through Meraki's own Dynamic DNS service. This public DNS record will be updated if the public IP address of the WAN appliance changes due to DHCP lease renewal or uplink failover. To configure Dynamic DNS, go to the Security & SD-WAN > Monitor > Appliance status page.