
Switch Ports

Meraki's MS switch allows you to configure anything from a single port to thousands of ports through our industry-first
Virtual Stacking technology. Virtual Stacking provides centralized management for up to 10,000 switch ports. Unlike
traditional stacking, virtually stacked switches do not require a physical connection, can be in different physical locations,
and can be of different switch models, which simplifies large-scale, distributed deployments.
From the Configure > Switch Ports page, you can name your ports, turn ports on/off, enable spanning tree (RSTP),
define port types (access/trunk), and specify VLANs (data and voice).

Searching for ports


The virtual stack allows you to view all your switch ports in one easy-to-navigate page. To further simplify switch port
management, a dynamic search bar at the top of the page lets you quickly find the port(s) you are looking for.

Search terms
Enter any value into the search omnibox for an instant search result.
Use conditional operators to separate multiple search queries (AND, OR).
Use a wildcard to search for more general results (*).
Enter specific search terms to find a particular port:

| Search Type | Search Value | Result | Example |
|---|---|---|---|
| Port | port:value | return all specified ports or port ranges | port:1-10 |
| Name | name:value | return all ports with the specified switch name | name:"joe's desktop" |
| Switch | switch:value | return all ports for the designated switch(es) | switch:"1st floor" |
| Detected Uplink | is:uplink | return interface(s) detected as uplink to Meraki Cloud | is:uplink, not:uplink |
| Tags | tag:value | return all ports with the specified tag | tag:"blue 132" |
| VLAN | vlan:value | return all ports with the specified vlan | vlan:"60" |
| VLAN | vlan:native | return all ports with a native vlan | vlan:"native 60" |
| VLAN | vlan:voice | return all ports with a voice vlan | vlan:"voice 20" |
| LLDP | lldp:value | return all ports containing matching LLDP information | lldp:"MR24" |
| Type | is:value | will return all ports with type "trunk" or type "access" | is:trunk |
| Link | link:value | return all ports with the link type set to specified speed/duplex | link:"100 mbps", link:"10 gbps" |
| Link Aggregate | is:aggregated | return only link aggregated (LACP) ports | is:"aggregated" |
| Access Policy | ap:value | return all ports with the specified access policy applied (wildcard supported) | ap:* |
| Port Schedule | schedule:value | return all ports with the specified port schedule (wildcard supported) | schedule:* |
| Group | group:value | return all ports belonging to a common group (the virtual stack automatically categorizes the 3 most common configuration types into groups 1, 2 and 3) | group:1, group:2, group:3 |
| MAC Whitelist | mac_whitelist:* | return all ports with a mac-whitelist enabled (you can substitute the * with a mac address value using colons as separators) | mac_whitelist:aa:bb:cc:dd:ee:ff, mac_whitelist:* |

The search tool is also capable of intelligently combining multiple search queries. See a few examples below.

Search: name:"joe's port" AND switch:"2nd floor POE"
Result: Returns all port(s) with the name "joe's port" on the switch named "2nd floor POE"

Search: port:1-15 link:"10 gbps" switch:"2nd floor IDF"
Result: Returns all ports configured for 10gbit from the port range of 1-15 on the switch named "2nd floor IDF"
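
The query grammar above, sketched as an added example (not Meraki's implementation): it evaluates port ranges, quoted values, the * wildcard and AND/OR over a constructed inventory. The field names, case-insensitive whole-value matching, and treating adjacent terms as AND with OR separating groups are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed inventory; field names are assumptions for this example.
PORTS = [
    {"switch": "2nd floor POE", "port": 3, "name": "joe's port", "type": "access",
     "link": "1 gbps", "tags": [], "uplink": False},
    {"switch": "2nd floor IDF", "port": 12, "name": "core uplink", "type": "trunk",
     "link": "10 gbps", "tags": ["uplink"], "uplink": True},
    {"switch": "2nd floor IDF", "port": 20, "name": "spare", "type": "trunk",
     "link": "10 gbps", "tags": [], "uplink": False},
    {"switch": "1st floor", "port": 3, "name": "lobby kiosk", "type": "access",
     "link": "100 mbps", "tags": ["blue 132"], "uplink": False},
]

# Either a bare AND/OR operator, or key:value where the value may be double-quoted.
TOKEN = re.compile(r'\b(AND|OR)\b|(\w+):(?:"([^"]*)"|(\S+))')

def parse(query):
    """Split a query into OR-groups; terms inside one group are ANDed."""
    groups = [[]]
    for op, key, quoted, bare in TOKEN.findall(query):
        if op == "OR":
            groups.append([])
        elif key:
            groups[-1].append((key.lower(), (quoted or bare).lower()))
    return [g for g in groups if g]

def term_matches(port, key, value):
    if key == "port":  # port:5 or port:1-10
        lo, _, hi = value.partition("-")
        return int(lo) <= port["port"] <= int(hi or lo)
    if key == "is":    # is:uplink, is:trunk, is:access
        return port["uplink"] if value == "uplink" else port["type"] == value
    if key == "tag":
        return any(fnmatchcase(t.lower(), value) for t in port["tags"])
    return key in port and fnmatchcase(str(port[key]).lower(), value)

def search(query, ports=PORTS):
    """Return (switch, port) for every port matching the query."""
    groups = parse(query)
    return [(p["switch"], p["port"]) for p in ports
            if any(all(term_matches(p, k, v) for k, v in g) for g in groups)]
```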

Making Configuration Changes


Making a Selection

In order to make changes to a port or port group on your MS switch, select the port or ports you would like to change by
checking their respective check box(es).

Editing your Selection

Choose "Edit selected items" and make the desired changes. See the screenshot below for all configurable items.

Applying your Changes

Once you are satisfied with the changes you've made, save them by selecting "Update ports". This will instantly push the
changes to your MS Switch.

Configuring a Trunk Port


Configuring a trunk port will cause the selected port(s) to accept 802.1Q tagged traffic for the VLANs specified. You will
also have the opportunity to specify a Native VLAN for traffic that has no VLAN tag on ingress. This port configuration
type is often used when configuring uplink ports and devices that support 802.1Q.

Selecting a Native VLAN

If you would like untagged traffic to be tagged with a Native VLAN on egress, specify the Native VLAN by entering the
VLAN ID in the appropriate field.

Choosing Allowed VLANs

In the VLAN field on the configuration window, enter the VLAN ID for the appropriate VLAN. Please note that making
changes to your uplink port is not recommended as you may lose connectivity to the Meraki Cloud Controller.

Configuring an Access Port


Configuring a port with type "access" will cause the port to accept untagged traffic on ingress and send it to the VLAN
specified. This is often used when configuring ports for edge devices.

Specifying the VLAN

In the VLAN field on the configuration window, enter the VLAN ID for the appropriate VLAN. Please note that making
changes to your uplink port is not recommended as you may lose connectivity to the Meraki Cloud Controller.

Adding a Voice VLAN

If a voice VLAN is specified, the port will accept tagged traffic on the voice VLAN. In addition, the port will send out LLDP
and CDP advertisements recommending devices use that VLAN for voice traffic.

Please note that STP Portfast (immediate forwarding state) is enabled by default on ports configured as Access
ports.

Enabling BPDU Guard

BPDU guard is a spanning tree enhancement that will instruct the switchport to go into a discarding state if a BPDU is
received on the interface. The interface will remain in discarding state for 15 seconds.

Enabling Root Guard

Root guard is typically enabled on switch-to-switch connections and, when enabled, will keep the port in a designated
role. If a superior BPDU is received, the port will go into a discarding state. Once the port stops receiving superior
BPDUs, it will automatically go back to learning/forwarding state.

Configuring MAC whitelist

MS switches support whitelist-based port security, which allows administrators to configure basic port-level protection
against unauthorized network access. By default the whitelist is empty and disabled, thus allowing the switch to add any
MAC address to its forwarding table. However, by specifying one or more MAC addresses, one can limit which devices
are permitted on a per-port basis.

Port Isolation

In certain deployments, it may be desired to enable Port Isolation. Enabling this feature prevents any isolated port from
communicating with other isolated ports. This feature has two options:
Enabled - Port has complete Layer 2 separation from all other isolated ports on the same VLANs. Port can only
receive/send traffic to non-isolated ports.
Disabled - Port can communicate with all interfaces on the same VLANs, including isolated ports.

A common use case for this feature is a hotel that wants to enable guest isolation between rooms for wired ports. For
further information on this feature, please reference our documentation.

MAC whitelist with Sticky

In addition to MAC Whitelisting, you can optionally enable "Sticky MAC" learning with a maximum quantity of learned
addresses. This will instruct the configured switch port(s) to dynamically learn the MAC addresses of the connected
devices up to the maximum amount specified.
This feature is useful for secured environments where the connected devices do not and should not change (e.g. a point
of sale system in a retail environment with PCI compliance requirements).

Identifying ports
It can be very useful to name or tag individual ports for management and troubleshooting purposes. For example, you
may want to label the Uplink or stack interconnect port in the event you need to make a change to that port. You can
then search your entire virtual stack by port name to easily locate a particular port or range of ports (e.g. all ports
containing the term "uplink"). See Searching for ports for more info.

Applying an Access Policy (802.1x)


If you would like to configure and implement 802.1x wired authentication, you must first create an Access policy. For
more information, see Creating an Access Policy.
Once you have successfully created an access policy, simply select the port or ports you would like to configure. Now,
select the appropriate policy from the "Access Policy" dropdown. Choosing "open" will remove all authentication
requirements from the ports you're modifying.
Note: In order to configure 802.1x wired authentication, you must configure the port as an Access port.
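
One way to review exported port settings against the features described above (BPDU guard, MAC whitelist, sticky MAC, access policy), as an added example that is not Meraki code. The record layout and field names are assumptions, and the sample ports are constructed.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed port settings; every field name here is an assumption made for
# this example, not a Meraki export format.
PORTS = [
    {"id": "1st floor/1", "type": "access", "bpdu_guard": True, "access_policy": "open",
     "mac_whitelist": ["aa:bb:cc:dd:ee:ff"], "sticky_max": 0},
    {"id": "1st floor/2", "type": "access", "bpdu_guard": False, "access_policy": "open",
     "mac_whitelist": [], "sticky_max": 0},
    {"id": "1st floor/3", "type": "access", "bpdu_guard": True, "access_policy": "corp-8021x",
     "mac_whitelist": [], "sticky_max": 0},
    {"id": "1st floor/4", "type": "access", "bpdu_guard": True, "access_policy": "open",
     "mac_whitelist": ["AABB.CCDD.EEFF"], "sticky_max": 0},
    {"id": "1st floor/24", "type": "trunk", "bpdu_guard": False, "access_policy": "corp-8021x",
     "mac_whitelist": [], "sticky_max": 0},
]

def audit(port):
    """Return a list of findings for one port record."""
    findings = []
    # Whitelist entries are expected in colon-separated form.
    bad = [m for m in port["mac_whitelist"] if not MAC_RE.match(m)]
    if bad:
        findings.append("malformed whitelist entry: " + ", ".join(bad))
    has_8021x = port["access_policy"] != "open"
    if port["type"] != "access":
        # 802.1x wired authentication requires the port to be an Access port.
        if has_8021x:
            findings.append("802.1x policy on a non-access port")
        return findings
    # Portfast is on by default for access ports, so check BPDU guard is too.
    if not port["bpdu_guard"]:
        findings.append("access port without BPDU guard")
    valid = len(port["mac_whitelist"]) - len(bad)
    if not (has_8021x or valid or port["sticky_max"] > 0):
        findings.append("no access policy, MAC whitelist or sticky MAC limit")
    return findings

def report(ports):
    """Map port id to findings, listing only ports that have any."""
    return {p["id"]: f for p in ports if (f := audit(p))}
```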

Link Aggregation
The MS series supports Link Aggregation (LACP) groups of up to 8 ports. To configure an aggregate, simply choose the
ports you would like to aggregate by checking their respective boxes and then select the "Aggregate" option at the top of
the page (see video 1 below).
Doing this will create an LACP port group running mode:active.

A "Link Aggregate" is a combination of ports that act as one logical link. This is often referred to as Link
Bonding, Link Aggregation, or EtherChannel. A link aggregate will load balance across the different physical
links for additional performance, and will also give higher reliability because the link aggregate will continue to
function as long as at least one of the physical links is working.

By default the MS series runs an LACP Passive instance per port. This is to prevent loops when a bond is
connected to a switch running default configuration.

It is generally recommended that you first configure a link aggregate and then physically connect the aggregated
ports. Be sure to configure the aggregate (or have LACP enabled) on both ends of the link.

Aggregated ports allow you to use multiple physical ports on your switch in order to create one logical connection with
another switch or host. This assumes that the device you're connecting to is also configured to aggregate its connected
ports. This is useful for providing higher throughput as well as high availability as the link continues to function even if
part of the aggregate connection fails.

Selecting your Aggregate ports


In your virtual stack, select the ports you would like to aggregate. Once you have selected the target ports, choose
"Aggregate Ports" at the top or bottom of the port list and accept the change notification.

Splitting your Port Aggregates


If you decide to remove or modify your port aggregation links, simply select the aggregated port and choose "Split
Aggregates". This will revert the changes and split the group into its own separate ports.
*For more specific configuration and interoperability information, please reference our documentation.

Port Mirroring
It may be necessary to configure a mirrored port or range of ports. This is often useful for network devices that require
monitoring of network traffic, such as a VoIP recording solution or an IDS (Intrusion Detection System).

MS switches support one-to-one or many-to-one mirror sessions.

Configuration
In order to enable and configure a mirrored port or range of ports, navigate to Switch >> Switch Ports. On this page,
select the ports that are intended for mirroring and hit the mirror button.

Then enter the destination port for the mirror session. If the ports are in a switch stack, also select the desired
switch in the stack for the mirror destination.
Once the mirror is configured, it can be easily identified using the "Mirror" column in dashboard.
