Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Wired Client Connection Through ETH1 or the Module Port of the AP

Along with extending a corporate Juniper Mist network to remote office workers, you must also connect wired devices to the corporate network. For example, devices like a security camera and an IP phone require tight security policing on the firewall, after onboarding. Therefore, you must place these devices in a unique VLAN. You can configure the devices access point (AP) by AP or through AP overrides. If you prefer, you can create device profiles and assign these to the devices. In either case, the configuration is exactly the same.

Example: AP12 Wired Port Configuration for Tunneling

When multiple remote user APs require same port configuration, you can create a device profile and map the device profile to the APs. You can also configure individual APs as well.

Example: AP12 Wired Port Configuration for Tunneling

Port configuration is as follows:

Port 0—AP management traffic is sent untagged. All local WLANs and VLANs are autotagged on Eth0. Therefore, you can configure Eth0 with List of VLAN ID(s) and set Port VLAN ID to 1.

Other ports— Map other ports to single VLAN or multiple VLAN as illustrated. If you map other port to single VLAN, the wired host receives IP address from that VLAN. If you configure other ports as a trunk with multiple allowed VLAN and one of them as native VLAN, it behaves as a trunk.

Use the additional wired ports to extend a tunneled VLAN to a wired port.

Example: AP12 Wired Port Configuration for Tunneling

Note: A wired port does not support split tunneling. Therefore, omit VLAN 1726 from the configuration. You can include VLAN 110 on a wired port, because it tunnels for the wired device.

The following image illustrates the Eth0+PoE port and pass-through (Pass Thru) ports.

Figure 1: Eth0+PoE and Pass Thru Ports Eth0+PoE and Pass Thru Ports Eth0+PoE and Pass Thru Ports

You can plug the Eth0+PoE port into the PoE switch or PoE brick to power on the AP12. The port uses a DHCP IP address for management. Pass-through ports marked Pass Thru act as a patch from the back to the side port. You can use a pass-through port in cases where you need to connect a device behind a wall mount, such as a TV in a hotel.

You can configure ports Eth1, Eth2, and Eth3 on the AP Details or Device Profile page in the Juniper Mist portal. You can map the ports to a management VLAN or a tunneled VLAN.

Example: Second Port Configuration for AP41

The following image shows the second port configuration for AP41.

Example: Second Port Configuration for AP41

In the example, Port VLAN ID is the same as Native VLAN ID or Untagged VLAN. Note that only the Module port is capable of providing power over Ethernet (PoE)-out to power a low-powered device, such as an IP phone. POE Passthrough is supported only if a PoE injector—not a DC power supply—powers an AP.


AP12, AP41, AP43 and AP45 can provide PoE-out. The following ports provide power over Ethernet (PoE)-out on different APs:

  • Module port on AP41

  • ETH1 on AP41 and AP43

  • Passthrough port on AP12