Changelog: Wireless Bridge-mode Client Isolation

Changelog: Wireless Bridge-mode Client Isolation

Another week, another exciting round of feature enhancements from the Cisco Meraki Engineering team. The biggest announcement was the addition of a new Bridge-mode Client Isolation feature for MR networks.

L2 client isolation has been a distinguishing feature of Meraki NAT-mode SSIDs for some time and is an incredibly useful security tool to prevent wireless clients from communicating with each other on the same SSID. NAT-mode is great if public DNS, AP-delivered DHCP, and client IP NATing to the AP’s management IP is fine for your use case. Guest service in a click.

If you would prefer to run your own DNS, DHCP, and terminate the guest segment on an upstream L3 device, then bridge-mode is a better option. It essentially bridges the SSID frames to the local switch port on the appropriate VLAN and the switch forwards it on from there.

When it comes to client isolation, the most common use is in guest wifi networks were there is no good reason for untrusted devices to talk to any other clients on the same SSID or VLAN segment. The AP filters unicast and broadcast frames to any local destination (but allows DHCP, DNS queries, and local gateway access).

Because client isolation filters broadcast and unicast traffic sourced from the wireless client to other destinations on the same segment, this could lead to some interesting outcomes – namely enabling the use of dramatically larger L2 subnets per SSID.

To enable the wireless Bridge-mode Client Isolation feature, simply navigate to Wireless > Firewall & traffic shaping > Firewall > Layer 2 LAN isolation > Enabled

Additional Bridge-mode Isolation Considerations


  • Today the L2 filter relies on DHCP inspection through the AP to learn the appropriate gateway and DNS servers to whitelist. If a wireless client on a bridge mode SSID has a static IP assignment, the AP will not permit local or gateway communication for the device (since there is no DHCP interaction). This is a short-term limitation as support for static IP inspection is in development.
  • It appears bridge-mode client isolation currently does not work on SSID’s that have a splash page enabled.
  • The required firmware version to enable the feature is MR25.8

That’s all for now. More detail on the wireless bridge-mode client isolation can be found on the Meraki KB.

The Changelog series is an opportunity for to highlight the constant, behind-the-scenes updates to the Meraki cloud Dashboard that many operators aren’t aware of. Part of what makes the Cisco Meraki platform so compelling is the pace at which the Engineering and UI teams continue to iterate and improve the management experience. Featuring updates gives the community better insight into the elements being delivered. And, new is fun.