Skip to main content

 

Cisco Meraki Documentation

Passthrough Mode on the MX Security Appliance and Z-series Teleworker Gateway

  1. Last updated
  2. Save as PDF

The MX Series Security Appliance and Z-series Teleworker Gateway can be deployed in Passthrough or VPN Concentrator mode. In this mode, it will not perform address translation and acts as a layer 2 bridge between the Internet and LAN ports. 

When in passthrough mode, the MX is best used for in-line:

  • Layer 3/7 firewall rules, traffic shaping, and analysis
  • Network asset discovery and reporting
  • Intrusion detection
  • Client and site-to-site VPN

vMX does not support Advanced Security and Secure SD-WAN Plus features as vMX licensing is limited to Enterprise licensing. Please refer our Meraki Licensing FAQs and vMX Comparison Datasheet documents for more information.

Configuration Differences

There are a number of differences in configuration between Routed and passthrough modes on the MX:

  • Secondary uplinks cannot be used for Internet connectivity. Thus Security & SD-WAN > Configure > SD-WAN & traffic shaping > Uplink configuration only has the option for limiting bandwidth on WAN 1.
  • Site-to-site VPN can only operate in split-tunnel mode when configured as a hub. Traffic bound to VPN subnets must be directed to the MX.
  • DHCP is no longer available. DHCP requests will simply pass through the MX.
  • Cellular uplink is no longer available.
  • VLANs cannot be configured. The MX/Z1 will act as a bridge between the Internet and LAN ports.

Only the first WAN interface is supported on MXs in passthrough mode. Connecting other WAN interfaces is unsupported and may cause connectivity issues.

Tag the IP address configured on the WAN interface of the MXs in passthrough mode with the appropriate VLAN ID if the upstream port is expecting only tagged traffic.

Considerations for VPN and Other Features

When using an MX as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network will need to have static routes configured, such that VPN-bound traffic is sent to the MX. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance:

Diagram of the Passthrough MX VPN topology described above (Client > Switch > Passthrough MX/Z1 > Edge router > Internet). When the client sends VPN traffic, it is first sent to the Edge router, directed back to the MX/Z1, which then encrypts the traffic and sends it through the tunnel.

 

An MX in passthrough mode can be configured to perform a number of functions like when in Routed mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed.

When in Passthrough or Routed/NAT mode in Single LAN the MX will source traffic from a 6.X.X.X address for services such as Syslog, Netflow, RADIUS access requests and potentially others.

 

When using the MX as a one-armed VPN concentrator for VPN endpoints, be sure to not connect anything to the MX's LAN ports. However, if the MX is only being used as a passthrough device, its LAN ports can be used without issue.

 

Same topology as above. In this case, the passthrough MX is performing IDS, filtering, traffic analysis, and client tracking in-line.

Additional Resources

For details on how to configure IDS, traffic shaping, security filtering, warm spare, and other MX functions, please visit the MX Series Configuration Guide.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Reference
    Stage
    Final
  2. Tags
    1. Passthrough mode
    2. vpn concentrator