Skip to main content
Cisco Meraki

MX Addressing and VLANs

Appliance settings are accessible through the Security & SD-WAN > Configure > Addressing & VLANs page and include MX routing mode, client tracking methods, subnet and VLAN configuration, and static routes.

Deployment Settings

The MX appliance can be deployed in two possible modes:

  • Routed
  • Passthrough or VPN concentrator

Routed Mode

This is the default selection. Choose this option if you want to use the MX appliance as a layer 7 firewall to isolate and protect LAN traffic from the Internet (WAN). Client traffic to the Internet will have its source IP rewritten to match the WAN IP of the appliance. In this mode, the MX appliance is generally also the default gateway for devices on the LAN. This section also provides a link to the DHCP settings page.

Passthrough or VPN Concentrator Mode

As a layer 2 passthrough device

Choose this option if you simply want to deploy the MX device:

  • In bridge mode for traffic shaping and additional network visibility.
  • As a one-armed VPN concentrator.

In this mode, the MX device does not provide any address translation and operates as a passthrough device between the Internet and the LAN ports (sometimes referred to as a layer 2 bridge). The appliance also provides VPN tunneling functionality.

For more information, please refer to the Deployment guides.


Placing an MX appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode MX appliances should always be deployed behind an edge firewall.

Client tracking

Here you can configure how the MX appliance identifies and tracks client devices in order to apply network access policies and store information on client activity. You have three options available:

  • Track clients by Unique client identifier: This is an option that exists only if certain requirements are met, which are described in the guide on Client Tracking Options. This option is best for combined networks where the MX and at least one Meraki layer 3 routing switch are in the same network, and there is no non-Meraki layer 3 device in the network. 
  • Track clients by MAC address: This is the default selection. Use this option if all client devices are within the VLANs/subnets configured on the appliance, and there is no layer 3 device between the appliance and the clients.
  • Track clients by IP address: Use this option if there is a non-Meraki layer 3 device between the appliance and the clients, and MAC address identification is consequently not reliable or accurate. Some ARP-based (layer 2) tools will be unavailable in this mode. These include client ping and client connectivity alerts.



NOTE: If it is the first time enabling VLANs on a network, Security & SD-WAN > Site-to-Site VPN > Local Networks > VPN Participation for the default VLAN (VLAN ID 1 after enabling VLANs) will be set to Off.

Re-enabling VLANs from Single VLAN will set VPN Participation to the previously configured state for that network.

Newly created VLAN would inherit DNS custom name server configuration from the DHCP setting of original subnet in previous Single LAN mode. This is persistent for network being either created from default or cloned from other network currently in VLANs mode; however, with pre-existing custom name server configuration for Single LAN mode.

Deleting all VLANs will result in an error. If no VLANs are required, change the LAN setting to Single LAN mode.

You can configure a single LAN or enable VLANs under the Routing section of the Addressing & VLANs page. To enable VLANs, check the Use VLANs box.


VLANs allow you to partition your network into different subnets such that downstream hosts are separated into different broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control. The appliance has multiple LAN IPs, each of which is the default gateway address on its particular VLAN.

To add a new VLAN, click Add VLAN at the top right of the Subnets table. To modify an existing VLAN, click on that VLAN in the Subnets table. The following fields can be set for a local VLAN:

  • Name: The name of the VLAN.
  • Subnet: Use this option to enter the IP subnet for the VLAN. Note that as with Single LAN mode, you need to provide this information in CIDR notation. The CIDR notation subnet must contain at least four IPs ("/30" or larger), since two are reserved for the network and broadcast addresses.
  • MX IP: The IP address of the MX appliance in this particular VLAN/subnet. This is the default gateway IP address on that VLAN.
  • VLAN ID: The numerical identifier that is assigned to the VLAN.
  • Group Policy: The Group Policy you wish to apply to this VLAN, if any (see Group policies).
  • In VPN: Determines whether the MX advertises this VLAN to site-to-site VPN peers.

To delete a VLAN, click the check the box next to the VLAN and click the Delete button, then click Save.

Per-port VLAN Settings

Here you can view and modify the VLAN settings for your MX appliance on a per-port basis. To modify the per-port VLAN settings, select the port or ports you wish to reconfigure and click Edit. You will be presented with a menu that allows you to set the following parameters:

  • Enabled: Enable or disable the port. If the port is set to Disabled, no other options will be available.
  • Type: Set the port to either trunk or access mode. A port configured in trunk mode can pass traffic on multiple VLANs, while an access mode port passes traffic for only one VLAN.
  • Native VLAN (trunk mode only): Sets the Native VLAN for the port. All untagged traffic that comes in on this port will be treated as if it belonged to this VLAN. This can also be set to Drop Untagged Traffic.

    NOTE: If a VLAN in use as the Native VLAN for one or more ports is deleted, those ports will be disabled until a new Native VLAN is configured

  • Allowed VLANs (trunk mode only): The VLANs for which this port will accept and pass traffic. This must include the Native VLAN if one is set.
  • VLAN (access mode only): The VLAN for which this port will accept and pass traffic. All untagged traffic will automatically be treated as if it belonged to this VLAN.
  • Access Policy (access mode only): Certain models can be configured with 802.1X Access Policies. For more information click here.

Static routes

Static routes are used to reach subnets that are behind a layer 3 switch or otherwise not directly connected to or configured on the appliance.

To add a new static route, click "Add Static Route" at the top right of the Static routes table. To modify an existing static route, click on it in the Static routes table. The following fields can be set for a static route:

  • Enabled: Whether the MX should use the route or not. Use this setting if you wish to temporarily remove a route from the MX without having to manually recreate it later.
  • Name: The name of the static route.
  • Subnet: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).
  • Gateway IP: IP address of the device (such as a router or layer 3 switch) that connects the MX appliance to the static route subnet. This is also sometimes referred to as the 'next hop IP'.
  • Conditions: Conditions that control when this route will be used. A static route can be set to one of three modes:
    • Always: Route is always used.
    • While next hop responds to ping: Route is used only if the MX can successfully ping the next hop IP configured for the route.
    • While host responds to ping: Route is used only if the MX can ping a specified host IP using the route.
  • Host IP to ping: Only appears if While host responds to ping is selected above. This is the IP that the MX will ping via the static route to determine whether the route is working properly. This device must be in the subnet specified in the static route, and should always be a device with a static IP or a DHCP reservation (such as a server).
  • In VPN: Determines whether the MX advertises this static route to site-to-site VPN peers.

To delete a static route, click on the check box next to that route on the left side of the Static routes table.

The status of configured routes can be viewed on the Security & SD-WAN > Monitor > Route table page.

When a static route is setup with one of these conditions; While next hop responds to ping or While host responds to ping, the MX will generate ICMP requests that are sourced from the VLAN interface that the next hop IP is in. 

Please refer to MPLS to VPN failover deployment guide for a detailed discussion on route failure detection and implementing a resilient WAN architecture.

Warm spare

Warm spare can be configured on the Security & SD-WAN > Monitor > Appliance status page. You can learn more about warm spare functionality here.

Dynamic DNS

Dynamic DNS allows you to reach a public-facing MX appliance over the Internet even if the public IP address changes. Meraki will automatically issue a unique FQDN (fully qualified domain name) for the appliance and auto-register the MX through Meraki's own Dynamic DNS service. This public DNS record will be updated if the public IP address of the appliance changes due to DHCP lease renewal or uplink failover. To configure Dynamic DNS, go to the Security & SD-WAN > Monitor > Appliance status page.