Skip to main content
Cisco Meraki Documentation

Port Bypass on the MX Series

The MX400 and the MX600 support a hardware feature known as port bypass which enables traffic to flow through the devices in the event that the MX loses power or is shut down unexpectedly. This is done by the pairing of circuiting between WAN port one with LAN port one and WAN port two with LAN port two. 

This is useful if the MX is configured in passthrough mode because if it were to lose power traffic would still be able to flow through MX from the LAN port to the WAN port and vice versa. Because it is powered down the traffic flowing through the device will not be subject to a variety of features performed by the MX such as content filtering, traffic shaping and WAN optimization.


Port bypass is a hardware feature that cannot be disabled, because of this, issues can arise when the MX is used in NAT mode. This is because clients behind the NAT of the MX will begin to flow out of the WAN uplink without having their private IP addresses translated to the WAN IP address, thereby exposing your private LAN to the public. This can cause IP address conflicts with stations on the WAN subnet, or prevent clients from utilizing their default gateway and potentially flooding the subnet with broadcast traffic that could bring a network to a standstill. To prevent this possibility simply split up the WAN and LAN pairings, for example use the WAN one port as the uplink and use the LAN two port as the downlink. 

Administrators that utilize the MX400/600 in passthrough mode would most likely prefer having the bypass functionality. To do so, plug your LAN subnet into the LAN port of the MX400/600 and plug the WAN uplink into the adjacent Ethernet port (ie WAN1 with LAN1 and/or WAN2 with LAN2).

  • Was this article helpful?