Client isolation

Karl_Jacobsen
Getting noticed

I have several networks setup as Meraki AP assigned (NAT mode). I absolutely love this feature. It lets me quickly deploy an Internet only network and everything is self contained in Meraki. I typically use this for visiting groups coming to our campus for short stays, kind of a quick, limited time, guest network. The only problem I run into is due to the client isolation feature, there's no way to print from this network. What are others doing to provide access to a wireless printer on a Meraki AP assigned network? Is there any way to allow sharing to one device as an exception or is there a cloud print service that would work?

8 Replies
RaphaelL
Kind of a big deal

If you use recent firmware, you can whitelist the MAC of your printer.

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

Karl_Jacobsen
Getting noticed

Ah, I've done this before, but I thought it was only for traffic shaping rules and splash page override. Does it affect the client isolation rule?

RaphaelL
Kind of a big deal

You are confusing it with some other feature.

What I'm referring to is:

We have added the ability to allow specific MAC addresses to "break" the L2 isolation; up to 16 MAC addresses can be defined in this list.

In the case of a network where you want isolation, but have a common resource like a printer that needs to be available.

[screenshot of the client isolation allow-list setting]
Karl_Jacobsen
Getting noticed

It took a little digging to find this but I found it. I have to enable bridge mode on the network. If I do, I can't use Meraki AP assigned (NAT mode) which relies on my DHCP servers and not on the Meraki equipment itself.

RaphaelL
Kind of a big deal

Bridge the SSID, tag the VLANs, and wherever those VLANs are configured, just configure the relays to your DHCP servers.
TBHPTL
Head in the Cloud

Bridged mode. This is the way... When you are using Meraki DHCP/NAT mode, EACH AP is its own mini DHCP/proxy island and EACH AP is doing its own thing; it's a security mechanism of sorts, but as you have discovered it has its limitations. It also causes issues with roaming and with applications that require smooth roaming, like voice.
nicdc01
Getting noticed

With NAT mode you might struggle there. The AP runs the DHCP server, so there is not really much you can do from this point, as you can't route traffic in any way. One limitation there.

If you use WPN on the network you can achieve the same type of client isolation; however, this only works when using Identity PSK without RADIUS. Splash Access also has some solutions for this.

I managed to bypass this by segmenting the printer onto a different VLAN (if wired) and allowing printer traffic in the 'User' SSID via Wireless > Access Control > External DHCP Server Assigned > Bonjour Forwarding.

This does mean you have to switch to bridged mode to break the limitation.

Brash
Kind of a big deal

As has been said above, Bridge mode is the only way to do it.

As much as Meraki NAT is great, as soon as you have any additional requirements it becomes a bit of a hassle.

I typically use bridge mode and configure L3 firewall rules on the SSID to block access to RFC 1918 IP addresses, allowing only the shared resource clients need to access (Eg. printer/print server) and internet locations.
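Added example, not code from the thread or from Meraki: the rule set the reply above describes, built as an ordered list and checked offline with a first-match evaluator. The point it demonstrates is ordering: the allow rule for the shared printer has to sit before the RFC 1918 deny rules, or the printer is blocked along with the rest of the private address space. The dict keys (comment, policy, protocol, destPort, destCidr) follow the SSID L3 firewall rule format as I understand it and should be treated as an assumption to confirm against the Dashboard API documentation; the printer address and probe IPs are constructed sample values.

```python
# Added example: ordered L3 rules for a bridged guest SSID, as described in
# the reply above (allow the shared printer, deny other RFC 1918 space, allow
# the Internet), plus a first-match evaluator to sanity-check the order.
# Field names are an assumption about Meraki's L3 rule format; addresses are
# constructed sample values.
from ipaddress import ip_address, ip_network

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_rules(shared_hosts):
    """Return an ordered rule list: shared-resource allows, RFC 1918 denies,
    then a default allow for everything else (the public Internet).

    Rules are evaluated first match, so the allows must come first."""
    rules = []
    for name, cidr in shared_hosts:
        rules.append({"comment": f"allow shared {name}", "policy": "allow",
                      "protocol": "any", "destPort": "Any", "destCidr": cidr})
    for cidr in RFC1918:
        rules.append({"comment": f"block private {cidr}", "policy": "deny",
                      "protocol": "any", "destPort": "Any", "destCidr": cidr})
    rules.append({"comment": "default allow (Internet)", "policy": "allow",
                  "protocol": "any", "destPort": "Any", "destCidr": "Any"})
    return rules


def allow_after_deny(rules):
    """The common mistake: same rules, but the specific allows are placed
    after the RFC 1918 denies, so they can never match."""
    allows = [r for r in rules if r["policy"] == "allow" and r["destCidr"] != "Any"]
    rest = [r for r in rules if r not in allows]
    return rest[:-1] + allows + rest[-1:]


def evaluate(rules, dest_ip):
    """First-match evaluation of a destination address against the list."""
    addr = ip_address(dest_ip)
    for rule in rules:
        if rule["destCidr"] == "Any" or addr in ip_network(rule["destCidr"], strict=False):
            return rule["policy"]
    return "deny"  # not reachable with a default-allow rule; safe fallback


def check_policy(rules, printer_ip, other_private_ip, public_ip):
    """True when the list implements the intended policy: printer reachable,
    other private hosts blocked, Internet reachable."""
    return (evaluate(rules, printer_ip) == "allow"
            and evaluate(rules, other_private_ip) == "deny"
            and evaluate(rules, public_ip) == "allow")


if __name__ == "__main__":
    rules = build_rules([("printer", "192.168.50.20/32")])
    for r in rules:
        print(f'{r["policy"]:5} {r["destCidr"]:16} # {r["comment"]}')
    print("correct order ok:", check_policy(rules, "192.168.50.20", "192.168.50.21", "8.8.8.8"))
    print("misordered ok:   ", check_policy(allow_after_deny(rules), "192.168.50.20", "192.168.50.21", "8.8.8.8"))
```

Run it locally before touching the dashboard; the misordered list fails the check because the /32 printer allow is shadowed by the 192.168.0.0/16 deny in front of it. A print server on its own VLAN can be added to `shared_hosts` the same way, and if the printer should only be reachable on its print ports, narrow `destPort` on that allow rule rather than leaving it at "Any".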
