Bridge Mode
In bridge mode, the Meraki APs act as bridges, allowing wireless clients to obtain their IP addresses from an upstream DHCP server.
Bridge mode should be enabled when any of the following is true:
- Wired and wireless clients in the network need to reach each other (e.g., a wireless laptop needs to discover the IP address of a network printer, or wired desktop needs to connect to a wireless surveillance camera)
- Layer 2 multicast and broadcast packets (e.g., ARP, Bonjour) need to propagate in a limited manner to both wired and wireless clients for device discovery, networking, etc.
- The wireless network needs to support legacy VPN clients (i.e., those that do not support NAT Traversal)
- Wired and wireless clients need to have IP addresses in the same subnet for monitoring and/or access control reasons (e.g., a web gateway in the network allows/denies internet access based on the client’s IP address)
- Wireless traffic needs to be VLAN-tagged between the Meraki AP and the upstream wired infrastructure
- If IPv6 is used on the network; see the article on IPv6 bridging for more information
The implications of enabling bridge mode are as follows:
An administrator cannot enable adult content filtering on the SSID; it is disabled by bridge mode using the DNS server(s) advertised by the network’s DHCP server because the feature is DNS-based
Multiple DHCP servers are allowed, but they must assign IP addresses to wireless clients from the same subnet; this enables the IP addresses to be routed by the LAN, to which the Meraki APs are connected
Use Cases
Bridge mode works well in most circumstances, particularly for seamless roaming, and is the simplest option to put wireless clients on the LAN. Layer 3/7 firewall rules and traffic shaping can be used to restrict client traffic before it can reach the wired network, and VLAN tagging can be used to put wireless clients on a specific subnet upstream.
Bridge Mode
In bridge mode, the Meraki APs act as bridges, allowing wireless clients to obtain their IP addresses from an upstream DHCP server.
Bridge mode should be enabled when any of the following is true:
Wired and wireless clients in the network need to reach each other (e.g., a wireless laptop needs to discover the IP address of a network printer, or wired desktop needs to connect to a wireless surveillance camera)
Layer 2 multicast and broadcast packets (e.g., ARP, Bonjour) need to propagate in a limited manner to both wired and wireless clients for device discovery, networking, etc.
The wireless network needs to support legacy VPN clients (i.e., those that do not support NAT Traversal)
Wired and wireless clients need to have IP addresses in the same subnet for monitoring and/or access control reasons (e.g., a web gateway in the network allows/denies internet access based on the client’s IP address)
Wireless traffic needs to be VLAN-tagged between the Meraki AP and the upstream wired infrastructure
If IPv6 is used on the network; see the article on IPv6 bridging for more information
The implications of enabling bridge mode are as follows:
An administrator cannot enable adult content filtering on the SSID; it is disabled by bridge mode using the DNS server(s) advertised by the network’s DHCP server because the feature is DNS-based
Multiple DHCP servers are allowed, but they must assign IP addresses to wireless clients from the same subnet; this enables the IP addresses to be routed by the LAN, to which the Meraki APs are connected
Use Cases
Bridge mode works well in most circumstances, particularly for seamless roaming, and is the simplest option to put wireless clients on the LAN. Layer 3/7 firewall rules and traffic shaping can be used to restrict client traffic before it can reach the wired network, and VLAN tagging can be used to put wireless clients on a specific subnet upstream.
