SSID Tunneling on MX, different VLANS

Here to help

SSID Tunneling on MX, different VLANS

Hey all,
We're about to test out a Meraki wireless solution for a client. Part of the solution's requirement is to match the existing legacy Cisco WLC design (sitting within DMZ) for Guest Wi-Fi traffic, integrating with ISE for central web authentication.
Therefore, we're going to put a MX250 (in one-armed mode) within the clients DMZ as a concentrator in order to segregate guest SSID traffic from corporate traffic.

Now what I'm unsure and I'm hoping for people more knowledgeable to confirm my understanding.

Since the MX250 will be configured in one-armed mode as recommended in SSID tunneling doco.


My understanding is that we can design it in a way with the MX250 WAN1 port trunked to the DMZ switch/firewall with two configured VLANS on the trunk port.

With say VLAN 243 as the management/Out-of-band VLAN for MX250 AND as the tunnel endpoint for MR access points?

The other VLAN 305 will be for tagged guest SSID traffic egress from MX to external FW/Internet?

By doing this we're separating mgmt/out-of-band traffic.







Therefore, in terms of configuration.

WAN1 port on MX250 as per below tagged with VLAN 243?



Guest SSID would be configured with traffic tagged on VLAN 305 as per below?



The doco about SSID tunneling unfortunately isn't really comprehensive, so I appreciate if anyone could validate the above.


Kind of a big deal
Kind of a big deal

that should work.

you could also make 243 native in the trunk to mx then you can leave the vlan field (@wan1) empty

Building a reputation

I have a replication of Cisco WLC controllers infra in few locations and it is exactly like you said.

Except, I am doing exactly like WW suggested - on the switch I have a trunk port with native vlan for management, and other vlans to tunnel different type of clients, including Guests.

Kind of a big deal

@henleyjj, it works exactly as you describe and as @ww and @RomanMD state. You can actually use the Layer 3 with concentrator option too for your client IP addressing (rather Han the VPN option), it tunnels the traffic in the same way, but just doesn’t give the option of a split tunnel.


The one gotcha I’ve hit with this is that whereas some of the Cisco WLC’s can provide DHCP services, the MX can’t when used like this, so you need to rely on upstream infrastructure to provide DHCP addresses for the clients on the wireless network.


Like the others said, stick with the native VLAN for the management interface on the MX if you can; does make things easier.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.