Virtual Local Area Networks (VLANs) allow a single physical Ethernet network to appear to be multiple logical networks. There are a couple of reasons to use VLANs, including:

- Enhance network security by preventing wireless devices from accessing LAN resources.
- Increase performance by limiting broadcast domains.

Note that VLAN tagging typically requires a non-trivial amount of LAN configuration on the upstream switches, routers, and firewalls. If the primary motivation for VLAN tagging is the first use case, an administrator should consider using Meraki’s LAN isolation or Custom Firewall rules features.

A typical VLAN configuration might break up a physical LAN by department (e.g., Engineering, HR, Marketing) or by user class (Employee, Guest). VLANs can be port-based (assigning a physical port on a device to a VLAN) or tag-based (tagging particular kinds of traffic with a VLAN tag, as defined by 802.1q). Meraki APs use tag-based VLANs (i.e., VLAN tagging) to identify wireless traffic to an upstream switch/router. When the switch/router sees VLAN-tagged traffic from a Meraki AP, it can apply different policies to that traffic, including access control (e.g., send traffic straight to the firewall for Internet-only access) or QoS (e.g., prioritize traffic on the VOIP SSID). Conversely, when the AP receives VLAN-tagged traffic from the upstream switch/router, it forwards that traffic to the correct client and/or SSID. The AP drops all packets with VLAN IDs that are not associated to any of its wireless users or SSIDs.

VLAN tagging can be configured either per SSID, per user, or per device type. In either case, the SSID must be configured in bridge mode. The RADIUS server returns a Tunnel-Private-Group-ID (e.g.
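
The 802.1Q tagging and the AP's filtering of upstream traffic described above can be modelled in a few lines. This is an added example, not Meraki code: the VLAN IDs, MAC addresses, and function names are constructed for illustration, and the handling of untagged frames is left open because the page does not describe it.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed VLAN-to-SSID map; the IDs are illustrative, not from the page.
VLAN_TO_SSID = {10: "Employee", 20: "Guest", 30: "VOIP"}


def parse_vlan_tag(frame: bytes):
    """Return (vid, pcp, inner_ethertype); vid and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI layout: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID.
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner


def ap_decision(frame: bytes, vlan_to_ssid: dict) -> str:
    """Model the rule above: forward tagged frames whose VLAN ID maps to an
    SSID, drop tagged frames whose VLAN ID is not associated with any."""
    vid, _pcp, _etype = parse_vlan_tag(frame)
    if vid is None:
        return "untagged"  # behaviour not described on the page
    ssid = vlan_to_ssid.get(vid)
    return f"forward:{ssid}" if ssid else "drop"


def build_frame(vid=None, pcp=0) -> bytes:
    """Build a constructed sample Ethernet frame, optionally 802.1Q-tagged."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # locally administered sample MAC
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    for vid in (20, 99, None):
        print(vid, ap_decision(build_frame(vid), VLAN_TO_SSID))
```

The priority bits returned by `parse_vlan_tag` are the field an upstream switch would read when applying QoS to a tagged SSID.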