MX-XX-W Series | Radius Wireless IP = Last VLAN Created

Solved
Sweemz
Here to help

Hi All,

 

Not the end of the world, the service is working fine, but I just wondered if anyone has come across this and/or can explain.

For networks where we've deployed all-in-one 'W' series MX devices (e.g. MX68W), we've possibly identified a limitation:
When configuring RADIUS targets, we can only specify the IP address of the last created VLAN. It seems it is not possible to target specific VLAN interface IPs directly?

 

For example, we would typically create the following VLANs:

VLAN 1 - Not Used
VLAN 380 - 10.38.0.1 (Core Network)
VLAN 381 - 10.38.1.1 (LAN Network)
VLAN 382 - 10.38.2.1 (WiFi RADIUS)
VLAN 383 - 10.38.3.1 (Printers)
etc.

As you can see, we create a specific VLAN for RADIUS WiFi connectivity and ideally we would like to set it to 10.38.2.1 (VLAN 382), but for some reason these all-in-one MXs will only accept the last created VLAN interface IP, which then means we have to enable VPN Mode on the Printers VLAN or another, which is not ideal (security).

 

In bigger offices/networks we use dedicated Catalyst APs and would target the APs individually, and don't have this issue.

Is this a known limitation or am I missing a configuration somewhere?

Thank you in advance for any pointers/assistance 🫡

1 Accepted Solution
alemabrahao
Kind of a big deal

In this case, this is the expected behavior: the VLAN with the highest ID will be used for this communication.

For MX/Z running firmware older than MX 19.1.6, when the MX is configured with multiple VLANs, the NAS-IP will be the MX IP of the VLAN with the lowest VLAN ID. This is still the case even if that VLAN is not VPN-enabled.

For all MX/Z running MX 19.1.6 and later, the NAS-IP will be the MX IP of the highest-numbered VLAN ID.

MX and Z-series Source IP for RADIUS Authentication - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


4 Replies
RaphaelL
Kind of a big deal

The MX will always use the highest VLAN ID to source MGMT traffic, since the MX doesn't have a dedicated mgmt interface. That includes syslog, RADIUS and maybe other stuff.

PhilipDAth
Kind of a big deal

>which then means we have to enable VPN Mode on the Printers VLAN

When the highest VLAN number is NOT in AutoVPN, the MX/Z will NAT it into the 6.0.0.0/8 address. If you do a packet capture on your RADIUS server you'll see it being hit by these packets. You can add these IP addresses to your RADIUS server as a RADIUS client.

Fun fact: all of your AutoVPN peers actually use these 6.0.0.0/8 IP addresses to talk/route to each other; it's just not something that is usually visible. But in some rare cases, like this one, they are exposed.
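To make the two rules in this thread (the accepted answer's lowest/highest VLAN ID selection by firmware version, and the 6.0.0.0/8 NAT described just above) easy to check against what a RADIUS server actually sees, here is an added Python example. It is not Meraki's code or anything from the documentation; it encodes only what the posts state. The VLAN table reproduces the one in the question, the "Not Used" VLAN with no address is assumed not to be a candidate, and the observed source IPs (including the 6.x address) are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample reproducing the VLAN layout from the original post
# (VLAN ID -> MX interface IP). VLAN 1 is listed as "Not Used" with no IP given.
SAMPLE_VLANS = {
    1: None,
    380: "10.38.0.1",  # Core Network
    381: "10.38.1.1",  # LAN Network
    382: "10.38.2.1",  # WiFi RADIUS
    383: "10.38.3.1",  # Printers
}

# Firmware at which the thread says the rule flips from lowest to highest VLAN ID.
RULE_CHANGE_VERSION = (19, 1, 6)

# Range the thread says a non-AutoVPN source VLAN is NATed into.
AUTOVPN_NAT_RANGE = ip_network("6.0.0.0/8")


def parse_firmware(version: str) -> tuple:
    """Turn 'MX 19.1.6' or '19.1.6' into a comparable tuple such as (19, 1, 6)."""
    text = version.strip().upper()
    if text.startswith("MX"):
        text = text[2:].strip()
    return tuple(int(part) for part in text.split("."))


def expected_nas_vlan(vlans: dict, firmware: str) -> tuple:
    """Return (vlan_id, mx_ip) that the MX will use as the RADIUS source.

    Assumption: only VLANs that carry an MX IP are candidates; the 'Not Used'
    VLAN without an address is ignored.
    """
    candidates = {vid: ip for vid, ip in vlans.items() if ip is not None}
    if not candidates:
        raise ValueError("no VLAN with an MX IP configured")
    if parse_firmware(firmware) < RULE_CHANGE_VERSION:
        chosen = min(candidates)  # older firmware: lowest VLAN ID
    else:
        chosen = max(candidates)  # MX 19.1.6 and later: highest VLAN ID
    return chosen, candidates[chosen]


def classify_radius_source(src_ip: str, vlans: dict, firmware: str,
                           autovpn_vlans: set) -> str:
    """Label one source address seen by the RADIUS server.

    "nas-vlan-ip":  selected VLAN is in AutoVPN and the packet carries its MX IP
    "autovpn-nat":  selected VLAN is not in AutoVPN and the packet comes from 6.0.0.0/8
    "unexpected":   anything else; investigate before adding it as a RADIUS client
    """
    vlan_id, mx_ip = expected_nas_vlan(vlans, firmware)
    addr = ip_address(src_ip)
    if vlan_id in autovpn_vlans:
        return "nas-vlan-ip" if addr == ip_address(mx_ip) else "unexpected"
    return "autovpn-nat" if addr in AUTOVPN_NAT_RANGE else "unexpected"


def audit_sources(observed: list, vlans: dict, firmware: str,
                  autovpn_vlans: set) -> dict:
    """Classify every distinct source IP taken from a capture or RADIUS server log."""
    return {ip: classify_radius_source(ip, vlans, firmware, autovpn_vlans)
            for ip in sorted(set(observed), key=ip_address)}


if __name__ == "__main__":
    # Constructed capture: source IPs seen hitting the RADIUS port on the server.
    observed = ["10.38.3.1", "10.38.3.1", "6.12.34.56", "10.38.2.1"]
    for fw in ("MX 18.211.4", "MX 19.1.6"):
        print(fw, "->", expected_nas_vlan(SAMPLE_VLANS, fw))
    print(audit_sources(observed, SAMPLE_VLANS, "MX 19.1.6", autovpn_vlans={383}))
```

Run it after a firmware upgrade to confirm which MX IP the RADIUS server's client list must contain; anything that comes back "unexpected" is a source to account for (or to reject) rather than add blindly.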

Sweemz
Here to help

Great info, thanks! I’ll have a dig into it and see how I get on.
