Hello Everyone,

I just inherited a new Meraki environment, and wanted to get some feedback on whether the setup makes sense, or if there are some changes you'd make. I come from a traditional on-prem controller-based background.

Background info:
We have about 11,000 clients and 312 Access Points. Mostly MR18s, but some MR46s as well.

1) Primary 802.1x SSID in NAT Mode (Dual Band)
2) Primary 802.1x SSID in NAT Mode (5GHz Band)
3) "Admin" 802.1x SSID in Bridge Mode (Dual Band)
4) Guest Open SSID in NAT Mode

My first question is about the dual band/5GHz SSID. Is the client steering option in Meraki reliable? Is there any reason to have those 2 SSIDs (beyond personal preference)?

My second question is about the primary SSIDs in NAT Mode. My understanding of NAT Mode was that it would usually be used for a Guest-like SSID, not for an SSID where people need to access on-prem resources?

I read that you can tunnel traffic to an MX appliance, like it's a traditional controller. Is that widely used by customers?

Any help or guidance is appreciated.


Meraki Employee

Yes, client steering is usually reliable and I honestly rarely see any issues with it. I would use it unless you see proof of issues.


Agreed on the second point about SSIDs 1 & 2 being NAT mode. NAT mode is typically a guest use case only. I would use bridge mode for employee devices.


You can tunnel SSIDs to an MX. Loosely similar to a guest tunnel to a WLC. It uses a VPN tunnel. So, there is crypto overhead that impacts AP throughput. Also, you need to size the MX appropriately for the number of APs (tunnels) it will terminate. Also, you'd want to have an HA pair or primary & secondary MX to eliminate a single point of failure for guests. All of this adds up to more infrastructure, cost, and management.


If it were me, I would use NAT mode for guests, along with MR firewall rules, traffic shaping, etc., and keep cost lower and the design simpler. I support hundreds of customers and I can only think of a couple that do guest tunneling to an MX.

Kind of a big deal

@srich14 with the size of your environment and the fact that lots of the APs are old small models I'd change all SSIDs to bridge mode.


We run sites that have up to 2000 users and do this for all SSIDs. The corporate SSIDs go to VLANs that end up on an HA pair of MXs that link back to the data centre, and the guest SSIDs go to an MX that provides DHCP for that VLAN and sends the traffic out of a local Internet connection.


As far as I'm concerned, NAT mode is only for small setups as it breaks roaming (the device gets a new IP address on each AP it connects to). We also avoid L3 roaming as the device's traffic all routes back through the first AP that it connects to.
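The two replies above boil down to a small set of design checks on the SSID list. Here is an added example (not from the thread or from Meraki) that applies those checks to SSID objects shaped like the Dashboard API's wireless SSID records; the field names `ipAssignmentMode`, `authMode` and `bandSelection` and their values are assumed from that API and should be verified against the reference for your dashboard, and the four sample SSIDs are constructed to mirror the original poster's setup.

```python
"""Audit SSID configs against the advice in this thread (added example)."""
from typing import Dict, List, Tuple

# Constructed sample mirroring the poster's four SSIDs, in the shape of
# GET /networks/{networkId}/wireless/ssids (field names are assumptions).
SAMPLE_SSIDS: List[Dict[str, object]] = [
    {"name": "Corp", "enabled": True, "authMode": "8021x-radius",
     "ipAssignmentMode": "NAT mode", "bandSelection": "Dual band operation"},
    {"name": "Corp-5G", "enabled": True, "authMode": "8021x-radius",
     "ipAssignmentMode": "NAT mode", "bandSelection": "5 GHz band only"},
    {"name": "Admin", "enabled": True, "authMode": "8021x-radius",
     "ipAssignmentMode": "Bridge mode", "bandSelection": "Dual band operation"},
    {"name": "Guest", "enabled": True, "authMode": "open",
     "ipAssignmentMode": "NAT mode", "bandSelection": "Dual band operation"},
]


def audit_ssids(ssids: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (ssid name, finding) pairs for enabled SSIDs, in input order."""
    enabled = [s for s in ssids if s.get("enabled")]
    # Auth modes that already have a dual-band SSID; a 5 GHz-only copy of
    # one of these duplicates what band steering does on a single SSID.
    dual_band_auth = {s["authMode"] for s in enabled
                      if s.get("bandSelection") == "Dual band operation"}
    findings: List[Tuple[str, str]] = []
    for s in enabled:
        name, auth = str(s["name"]), str(s.get("authMode", ""))
        mode, band = s.get("ipAssignmentMode"), s.get("bandSelection")
        # NAT mode hands a client a fresh IP on every AP, so authenticated
        # users who need on-prem resources lose sessions while roaming.
        if auth.startswith("8021x") and mode == "NAT mode":
            findings.append((name, "802.1X SSID in NAT mode: switch to "
                                   "Bridge mode so clients keep their IP"))
        # An open SSID bridged onto the LAN puts unauthenticated clients on
        # an internal VLAN; NAT mode plus MR firewall rules is the safer default.
        if auth == "open" and mode == "Bridge mode":
            findings.append((name, "open SSID in Bridge mode: use NAT mode "
                                   "with MR firewall rules or a guest-only VLAN"))
        if band == "5 GHz band only" and auth in dual_band_auth:
            findings.append((name, "5 GHz-only duplicate of a dual-band SSID: "
                                   "use one SSID with band steering"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit_ssids(SAMPLE_SSIDS):
        print(f"{ssid}: {finding}")
```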


Thank you both for the insight. I'll plan on making those changes and get rid of NAT mode for the production SSIDs, since that seems to be a common recommendation. Long term we might look at the pricing for the MXs, but that's a long-term goal, maybe 🙂

Thanks again.

