Addressing and VLANs

Appliance settings are accessible through the Security Appliance > Configure > Addressing & VLANs page and
include Network name, passthrough or NAT mode, client tracking methods, subnet and VLAN configuration, Static LAN
routes, and Dynamic DNS settings.

Name
This field allows you to set or modify the name of the Dashboard network that contains the security appliance.

Deployment Mode
The MX appliance can be deployed in two possible modes:
Passthrough or VPN concentrator mode
NAT mode

Passthrough or VPN concentrator mode

As a Layer 2 passthrough device

Choose this option if you simply want to deploy the MX device:

In bridge mode for traffic shaping and additional network visibility.
As a one-armed VPN concentrator.

In this mode, the MX device does not provide any address translation and operates as a passthrough device between
the Internet and the LAN ports (sometimes referred to as a Layer 2 bridge). The appliance also provides VPN tunneling
functionality.

For more information, please refer to the Deployment guides.

Placing an MX appliance in Passthrough mode at the perimeter of your network with a publicly routable IP
address is not recommended and can present security risks. As a best practice, Passthrough mode MX
appliances should always be deployed behind an edge firewall.

Network Address Translation (NAT)
Choose this option if you want to use the MX appliance as a Layer 7 firewall to isolate and protect LAN traffic from the
Internet (WAN). Client traffic to the Internet will have its source IP rewritten to match the WAN IP of the appliance. In this
mode, the MX appliance is generally also the default gateway for devices on the LAN. This section also provides a link
to the DHCP settings page.

Client tracking
Here you can configure how the MX appliance identifies and tracks client devices in order to apply network access
policies and store information on client activity. You have two options available:
Track clients by MAC address: This is the default selection. Use this option if all client devices are within the
VLANs/subnets configured on the appliance, and there is no Layer 3 device between the appliance and the clients.
Track clients by IP address: Use this option if there is a Layer 3 device between the appliance and the clients, and
MAC address identification is therefore not reliable or accurate. Some ARP-based (Layer 2) tools will be unavailable
in this mode. These include client ping and client connectivity alerts.

Enabling VLANs
You can configure a single LAN or multiple VLANs through the Addressing & VLANs page. You can use the VLAN
selector to configure the appliance to use a single LAN subnet or multiple LAN subnets (VLANs).

Routes
This section displays the local routes configured on the MX appliance. This includes configured subnets or VLANs as
well as static routes. VLANs and Static Routes can be added, deleted, or modified here.

The status of configured routes can be viewed on the Route table page.

Please refer to the MPLS to VPN failover deployment guide for a detailed discussion of route failure detection and
implementing a resilient WAN architecture.

VLANs
VLANs allow you to partition your network into different subnets such that downstream hosts are separated into different
broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for
isolating and identifying different segments of your network and therefore provides an additional layer of security and
control. The appliance has multiple LAN IPs, each of which is the default gateway address on its particular VLAN.

To add a new VLAN, click "Add a local VLAN" at the bottom of the routes table. To modify an existing VLAN, click on
that VLAN in the Routes table. The following fields can be set for a local VLAN:
Name: The name of the VLAN.
Subnet: Use this option to enter the IP subnet for the VLAN. Note that as with Single LAN mode, you need to
provide this information in CIDR notation.
MX IP: The IP address of the MX appliance in this particular VLAN/subnet. This is the default gateway IP address
on that VLAN.
VLAN ID: The numerical identifier that is assigned to the VLAN.
Group Policy: The Group Policy you wish to apply to this VLAN, if any (see Group policies).
In VPN: Determines whether the MX advertises this VLAN to site-to-site VPN peers.

To delete a VLAN, click on the X next to that VLAN on the far right side of the Routes table.

Static LAN routes

Static LAN routes are used to reach a subnet that is behind a Layer 3 switch or otherwise not directly connected to or
configured on the appliance.

To add a new static LAN route, click "Add a static route" at the bottom of the routes table. To modify an existing static
route, click on it in the Routes table. The following fields can be set for a static LAN route:
Enabled: Whether the MX should use the route or not. Use this setting if you wish to temporarily remove a route
from the MX without having to manually recreate it later.
Name: The name of the static route.
Subnet: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).
Next hop IP: IP address of the device (such as a router or layer 3 switch) that connects the MX appliance to the
static route subnet. This is also sometimes referred to as the 'route gateway IP'.
Active: Conditions that control when this route will be used. A static route can be set to one of three modes:
Always: Route is always used.
While next hop responds to ping: Route is used only if the MX can successfully ping the next hop IP
configured for the route.
While host responds to ping: Route is used only if the MX can ping a specified host IP using the route.
Host IP to ping: Only appears if While host responds to ping is selected above. This is the IP that the MX will
ping via the static route to determine whether the route is working properly. This device must be in the subnet
specified in the static route, and should always be a device with a static IP or a DHCP reservation (such as a
server).
In VPN: Determines whether the MX advertises this static route to site-to-site VPN peers.

To delete a static LAN route, click on the X next to that route on the far right side of the Routes table.
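
The VLAN and static LAN route fields described above carry a few consistency rules (subnets in CIDR notation, an MX IP that is a usable host address in its own VLAN, a ping host that sits inside the static route's subnet). The following Python is an added example, not part of this page or of Meraki's tooling, that checks a constructed set of VLANs and static routes against those rules; the 802.1Q ID range and the requirement that the next hop lie in a local VLAN are assumptions, not statements from the page.

```python
import ipaddress

# Constructed sample tables in the shape of the VLAN and static LAN route fields on this page.
VLANS = [
    {"name": "Corp", "subnet": "10.10.10.0/24", "mx_ip": "10.10.10.1", "vlan_id": 10},
    {"name": "Guest", "subnet": "10.10.20.0/24", "mx_ip": "10.10.20.1", "vlan_id": 20},
]
STATIC_ROUTES = [
    {"name": "Servers", "subnet": "10.10.30.0/24", "next_hop": "10.10.10.254",
     "active": "while host responds to ping", "host_ip": "10.10.30.10"},
]

def validate_vlans(vlans):
    """Return a list of problems with the local VLAN table; an empty list means it is consistent."""
    problems, ids, nets = [], set(), []
    for v in vlans:
        try:
            net = ipaddress.ip_network(v["subnet"])  # strict by default: host bits must be zero
        except ValueError:
            problems.append(f"{v['name']}: subnet {v['subnet']!r} is not a network in CIDR notation")
            continue
        mx = ipaddress.ip_address(v["mx_ip"])
        if not 1 <= v["vlan_id"] <= 4094:  # 802.1Q usable range; assumed, not stated on the page
            problems.append(f"{v['name']}: VLAN ID {v['vlan_id']} is outside 1-4094")
        if v["vlan_id"] in ids:
            problems.append(f"{v['name']}: duplicate VLAN ID {v['vlan_id']}")
        if mx not in net or mx in (net.network_address, net.broadcast_address):
            problems.append(f"{v['name']}: MX IP {mx} is not a usable host address in {net}")
        problems += [f"{v['name']}: {net} overlaps {o}" for o in nets if net.overlaps(o)]
        ids.add(v["vlan_id"])
        nets.append(net)
    return problems

def validate_static_routes(routes, vlans):
    """Check each static LAN route against the subnets the MX is directly connected to."""
    problems = []
    local = [ipaddress.ip_network(v["subnet"]) for v in vlans]
    for r in routes:
        net = ipaddress.ip_network(r["subnet"])
        hop = ipaddress.ip_address(r["next_hop"])
        if any(net.overlaps(loc) for loc in local):
            problems.append(f"{r['name']}: {net} is already directly connected, no static route needed")
        if not any(hop in loc for loc in local):  # assumption: the next hop must be in a local VLAN
            problems.append(f"{r['name']}: next hop {hop} is not in any local VLAN subnet")
        if r["active"] == "while host responds to ping":
            host = r.get("host_ip")  # the page requires this host to sit inside the route's subnet
            if host is None or ipaddress.ip_address(host) not in net:
                problems.append(f"{r['name']}: host to ping {host} is not inside {net}")
    return problems
```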

Per-port VLAN configuration
Here you can view and modify the VLAN settings for your MX appliance on a per-port basis. To modify the per-port
VLAN settings, select the port or ports you wish to reconfigure and click Edit. You will be presented with a menu that
allows you to set the following parameters:
Enabled: Enable or disable the port. If the port is set to Disabled, no other options will be available.
Type: Set the port to either trunk or access mode. A port configured in trunk mode can pass traffic on multiple
VLANs, while an access mode port passes traffic for only one VLAN.
Native VLAN (trunk mode only): Sets the Native VLAN for the port. All untagged traffic that comes in on this port
will be treated as if it belonged to this VLAN. This can also be set to 'Drop untagged traffic'.
Allowed VLANs (trunk mode only): The VLANs for which this port will accept and pass traffic. This must include
the Native VLAN if one is set.
VLAN (access mode only): The VLAN for which this port will accept and pass traffic. All untagged traffic will
automatically be treated as if it belonged to this VLAN.
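
The per-port rules above (a trunk's native VLAN must appear in its allowed VLANs, untagged traffic lands in the native or access VLAN, 'Drop untagged traffic' discards it) can be checked and exercised offline. This Python is an added example, not part of this page or of Meraki's tooling; the port dictionaries, the use of None for 'Drop untagged traffic', and the treatment of tagged frames on access ports are assumptions of the example.

```python
# Constructed per-port settings in the shape of the per-port VLAN configuration menu.
# native_vlan None stands for the 'Drop untagged traffic' choice on a trunk port.
PORTS = [
    {"port": 3, "enabled": True, "type": "trunk", "native_vlan": None, "allowed_vlans": {10, 20}},
    {"port": 4, "enabled": True, "type": "trunk", "native_vlan": 10, "allowed_vlans": {10, 20}},
    {"port": 5, "enabled": True, "type": "access", "vlan": 20},
    {"port": 6, "enabled": False, "type": "access", "vlan": 99},
]
CONFIGURED_VLANS = {10, 20}  # VLAN IDs present in the Routes table

def validate_ports(ports, configured):
    """Return problems with the per-port settings; an empty list means they are consistent."""
    problems = []
    for p in ports:
        tag = f"port {p['port']}"
        if not p["enabled"]:
            continue  # a disabled port exposes no further options, so there is nothing to check
        if p["type"] == "trunk":
            allowed, native = set(p["allowed_vlans"]), p.get("native_vlan")
            if native is not None and native not in allowed:
                problems.append(f"{tag}: native VLAN {native} must be included in the allowed VLANs")
            for unknown in sorted(allowed - configured):
                problems.append(f"{tag}: allowed VLAN {unknown} is not configured on the appliance")
        elif p["type"] == "access":
            if p["vlan"] not in configured:
                problems.append(f"{tag}: access VLAN {p['vlan']} is not configured on the appliance")
        else:
            problems.append(f"{tag}: unknown port type {p['type']!r}")
    return problems

def classify_frame(port, tag=None):
    """VLAN an ingress frame is placed in (tag=None means untagged), or None if it is dropped."""
    if not port["enabled"]:
        return None
    if port["type"] == "access":
        # Untagged frames belong to the access VLAN; tagged frames are treated as dropped (assumption).
        return port["vlan"] if tag is None else None
    if tag is None:  # untagged on a trunk: native VLAN, or dropped when 'Drop untagged traffic' is set
        return port["native_vlan"]
    return tag if tag in port["allowed_vlans"] else None
```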

Dynamic DNS
Dynamic DNS allows you to reach a public-facing MX appliance over the Internet even if the public IP address changes.
Meraki will automatically issue a unique FQDN (fully qualified domain name) for the appliance and auto-register the MX
through Meraki's own Dynamic DNS service. This public DNS record will be updated if the public IP address of the
appliance changes due to DHCP lease renewal or uplink failover.

Custom FQDN name:

Creating a custom DNS name for your appliance is simple. Let's assume that you have an MX90 that you've named
"myMX90" and you want to name it "myMX90.example.com". Meraki will auto-generate a unique FQDN, for example:
myMX90-wmktpbbzt.dynamic-m.com.

Using a type of DNS record called a CNAME record, you can map arbitrary DNS names to other DNS names. If you
register a domain (e.g., example.com), your registrar should be able to help you set up a CNAME from your new domain
(or a subdomain) to myMX90-wmktpbbzt.dynamic-m.com. At this point your custom DNS name would resolve to the
public IP of the appliance the same way that the original, auto-generated FQDN would.

Warm spare
Here you can add a second MX appliance as a warm spare unit to create a high availability (HA) pair. To do so, click the
Add a warm spare button and enter the serial number of the spare, along with virtual IPs for any uplinks that are being
used.

You can perform the following functions on an existing HA pair:

Change the virtual IP(s) being used for the uplink(s)
Swap the primary and secondary roles of the appliances in the pair by clicking the Swap primary and spare button
Remove the spare from the network to be used elsewhere by clicking the Remove spare button. The spare will
return to default configuration, so it is highly recommended that it be removed from the network or taken offline
before this action is taken.

You can learn more about warm spare functionality on the Warm spare page.
