Home > Security and SD-WAN > Networks and Routing > Passthrough Mode on the MX Security Appliance and Z-series Teleworker Gateway

Passthrough Mode on the MX Security Appliance and Z-series Teleworker Gateway

The MX Series Security Appliance and Z-series Teleworker Gateway can be deployed in Passthrough or VPN Concentrator mode. In this mode, it will not perform address translation and acts as a layer 2 bridge between the Internet and LAN ports. 

When in passthrough mode, the MX is best used for in-line:

  • Layer 3/7 firewall rules, traffic shaping, and analysis
  • Network asset discovery and reporting
  • Intrusion detection
  • Security and content filtering
  • Client and site-to-site VPN

Configuration Differences

There are a number of differences in configuration between Routed and passthrough modes on the MX:

  • Secondary uplinks cannot be used for Internet connectivity. Thus Security & SD-WAN > Configure > SD-WAN & traffic shaping > Uplink configuration only has the option for limiting bandwidth on WAN 1.
  • Site-to-site VPN can only operate in split-tunnel mode when configured as a hub. Traffic bound to VPN subnets must be directed to the MX.
  • DHCP is no longer available. DHCP requests will simply pass through the MX.
  • Cellular uplink is no longer available.
  • VLANs cannot be configured. The MX/Z1 will act as a bridge between the Internet and LAN ports.

Considerations for VPN and Other Features

When using an MX as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network will need to have static routes configured, such that VPN-bound traffic is sent to the MX. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance:



An MX in passthrough mode can be configured to perform a number of functions like when in Routed mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed:c7da4d43-b4f0-4eca-9528-7acdfd1fff4a

Additional Resources

For details on how to configure IDS, traffic shaping, content filtering, security filtering, warm spare, and other MX functions, please visit the MX Series Configuration Guide.

Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 1501

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community