Meraki

Community

Can 1 AP terminate tunnels on 2 different MCGs?

GinaR
Conversationalist
Tuesday
Tuesday

Can 1 AP terminate tunnels on 2 different MCGs?

With the newly launched Cisco Meraki Campus Gateway (MCG), Can 1 AP terminating its tunnels on more than one controllers residing in different networks for segmentation?

 

image (7).png

0 Kudos
13 Replies 13
alemabrahao
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

Meraki APs can only establish a tunnel to one gateway/controller at a time. This is because the AP’s control and data plane are tightly coupled with the assigned gateway for policy enforcement and traffic steering.
The architecture does not support multi-homing or simultaneous tunnel termination on multiple MCGs. Each AP is associated with a single MCG for its tunnel termination.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
PhilipDAth
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

When would you want to use an MCG?  I'm struggling to understand the use case or benefit.

In response to PhilipDAth
alemabrahao
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

Well, from my point of view, MCG solves the challenges that arise in large campuses or deployments with multiple buildings, where Meraki access points need centralized tunnel termination for traffic, instead of sending everything directly to the internet, consistent application of policies across multiple VLANs and SSIDs, and segmentation and security without relying on complex Layer 3 designs or distributed firewalls.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to PhilipDAth
gregpalmer2
Getting noticed
Thursday
Thursday

I had a scenario where we had a building with multiple floors where users would go from floor to floor for different meetings. The constant roaming caused DHCP lease issues. Setting the DHCP timer to short or too long created issues. The MCG would have solved our roaming issue because the device keeps the same IP address, regardless of location.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
RWelch
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

Screenshot 2025-11-18 at 14.20.10.png

Not 100% sure about the "different network" part of the question but the next slide that you referenced shows:

Each AP establishes two QUIC tunnels to both Primary and Backup Campus Gateway

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to RWelch
alemabrahao
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

This statement is true for the Control Plane, but not for the Data Plane.

 

An AP can maintain control plane connectivity to two MCGs simultaneously (Primary + Backup), data plane tunnels are still single-homed—traffic flows through only one gateway at a time.
The dual control plane tunnels are for redundancy and HA, not for segmentation or active-active forwarding.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
FlyingFrames
Building a reputation
Tuesday
Tuesday

But does that mean we cannot accomplish a usecase like this below on the same AP?

On one Meraki AP have Employee SSID tunneled to MCG cluster 1, guest SSID tunneled to MCG cluster 2.

0 Kudos
In response to FlyingFrames
alemabrahao
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

No, it's not possible. Meraki APs can only establish a tunnel to one gateway/controller at a time. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to FlyingFrames
TBHPTL
Head in the Cloud
Thursday
Thursday

You can do this WITHOUT a MCG. You can tunnel SSIDS to an MX directly as long as the MX is in the same org

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

That has never been possible.  Also not in native Cisco WLC's.

The use case where they had a second WLC behind a firewall for guest access (guest anchoring) was made where the first WLC just tunnels to the second WLC.  The AP is always connected to only 1 WLC at a time.

But you do have centralized SSID's so you can just tunnel your guest traffic so it comes out on a centralized guest VLAN at the MCG.  So I don't see the issue there.

0 Kudos
In response to GIdenJoe
FlyingFrames
Building a reputation
Wednesday
Wednesday

Thanks but our guest traffic needs to be opened out at DMZ, where MCG will not be in DMZ, so they can terminate employee traffic.

Does this mean my guest traffic has to go through the internal network? Since i do not see a way MCG can tunnel to another MCG in DMZ OR the AP cannot create tunnels to MCG on internal network & MCG in DMZ network at the same time?

0 Kudos
In response to FlyingFrames
GIdenJoe
Kind of a big deal
Kind of a big deal
Thursday
Thursday

So are you saying you don't have a layer 2 connection possible between your MCG and your DMZ firewall?
If you DO then just use a VLAN termination for guests only that runs on your switching between your DMZ firewall interface and the MCG's.
If you DON'T then the MCG will not be the best solution.
It would then be better to opt for the classic Cisco WLC solution where you have the foreign anchor deployment available here: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912...

 

Then you could enroll the WLC into dashboard and still have some cloud management available.  There are of course some dashboard design elements that have to be taking into consideration.  So I will leave you with this document 😉
https://documentation.meraki.com/Wireless/Cloud-Managed_Hybrid_Operating_Mode_for_Catalyst_Wireless_...

 

0 Kudos
gregpalmer2
Getting noticed
Thursday
Thursday

Taken from the Campus Gateway Deployment Guide.

https://documentation.meraki.com/Wireless/Design_and_Configure/Deployment_Guides/Campus_Gateway_Depl...

 

“Active-Active clustering will be automatically configured by Dashboard whenever there are two Campus Gateways in to cluster. The members of a cluster will also be configured as mobility peers, so clients will be able to roam across APs tunneling to different primary Campus Gateways in the cluster seamlessly.”

 

IMG_1927.png


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.