Passthrough or VPN Concentrator

Here to help

Passthrough or VPN Concentrator



When we select the MX to be in Passthrough or VPN Concentrator mode how does the MX know which mode to operate on? What features do we gain or loan in Passthrough or VPN Concentrator mode?

Building a reputation


Choose this option if you simply want to deploy the MX device:

  • In bridge mode for traffic shaping and additional network visibility.
  • As a one-armed VPN concentrator.
  • it is also one of the best recommendation for SD WAN deployment


Networks and Routing > MX Addressing and VLANs




In bridge mode do I still get firewall functionality? My understanding is bridge mode is firewall operating in layer 2 mode which means no routing, with one-armed concentrator deployment its still a layer 3 device, so by Passthrough or VPN Concentrator how does the MX know it needs to work on bridge mode with no routing and or VPN concentrator mode?

Building a reputation

@Aamir  Passthrough/Concentrator Mode is best used when there is an existing Layer 3 device upstream handling network routing functions.  The MX in this instance would still act as a security appliance, but with less functionality for Layer 3 networking.

Building a reputation

The recommended use case for the MX security appliance in passthrough mode is when it is acting as a VPN Concentrator for the Cisco Meraki Auto VPN feature.  Passthrough/VPN Concentrator mode ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place.  With this mode, a Cisco Meraki MX security appliance can be integrated into the existing topology and allow for seamless site to site communication with minimal configuration needed.

@merakichampThank you for that info.

I have a follow up question though. In MX's documentation it is written :

"When using an MX as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network will need to have static routes configured, such that VPN-bound traffic is sent to the MX. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance:"


Let's say that I have that kind of topology

Internet -Edge FW - DMZ - MX L2/VPN concentrator - Router - LAN


if I have a layer 3 functionality to ensure routing, if I set the MX in passthrough mode, is it possible for it to deal with S2S VPN, Client VPN AND to still pass all internet traffic (incoming and outgoing) through the MX using filtrering, IPS and AMP functionalities ?

if it's not clear, i can ce more specific.

thanks for your help.



Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.