Meraki Wifi Best Practice for multiple APs: Bridge Mode

Bridge Mode

In bridge mode, the Meraki APs act as bridges, allowing wireless clients to obtain their IP addresses from an upstream DHCP server.

Bridge mode should be enabled when any of the following is true:

  • Wired and wireless clients in the network need to reach each other (e.g., a wireless laptop needs to discover the IP address of a network printer, or wired desktop needs to connect to a wireless surveillance camera).
  • Layer 2 multicast and broadcast packets (e.g., ARP, Bonjour) need to propagate in a limited manner to both wired and wireless clients for device discovery, networking, etc.
  • The wireless network needs to support legacy VPN clients (i.e., those that do not support NAT Traversal).
  • Wired and wireless clients need to have IP addresses in the same subnet for monitoring and/or access control reasons (e.g., a web gateway in the network allows/denies Internet access based on the client’s IP address).
  • Wireless traffic needs to be VLAN-tagged between the Meraki AP and the upstream wired infrastructure.
  • If IPv6 is used on the network. More information on IPv6 bridging can be found within this article.


The implications of enabling bridge mode are as follows:

  • An administrator cannot enable adult content filtering on the SSID. Because the adult content filtering feature is DNS-based, bridge mode disables adult content filtering by using the DNS server(s) advertised by the network’s DHCP server.
  • Multiple DHCP servers are allowed, but they must assign IP addresses to wireless clients from the same subnet. This enables these IP addresses to be routed by the LAN to which the Meraki APs are connected.

Use Cases

Bridge mode works well in most circumstances, particularly for seamless roaming, and is the simplest option to put wireless clients on the LAN. Layer 3/7 firewall rules and traffic shaping can be used to restrict client traffic before it can reach the wired network, and VLAN tagging can be used to put wireless clients on a specific subnet upstream.


In the example below, note that the source IP address of the client traffic remains the same after transparently passing through the access point.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s