This document provides a comprehensive Sizing Guide for networks deploying Cisco Meraki MX firewall appliances. It is designed to assist you in selecting the most appropriate MX model, understanding performance variations based on enabled features, and comparing MX appliances to other vendors.
Current Firmware Version: MX 18.2x
Understanding This Sizing Guide
This guide is intended to support the architectural design of networks incorporating MX security and SD-WAN appliances. It aims to address key questions such as:
- How to determine the ideal MX model for evaluation?
- How do different features impact device performance?
- How do MX models stack up against competitors?
While this document offers valuable guidance, we highly recommend conducting a proof of concept in your specific network environment to validate design and implementation. Each network possesses unique characteristics, and real-world testing is crucial.
With each new MX firmware release, performance metrics like throughput, feature-specific data, and session/flow capacity may be updated. This guide will be regularly revised to reflect the latest performance benchmarks across various scenarios and network environments.
It’s important to remember that the performance figures presented here are derived from controlled testing environments, simulating optimal network conditions. Real-world network behavior and traffic profiles can vary, and these factors should be considered during your sizing process.
The performance metrics detailed in this guide are based on the Current Firmware Version mentioned above. Please note that MX 18.2x firmware is not supported on all platforms. Further compatibility details can be found here.
Cisco Meraki MX Portfolio Capabilities: An Overview
Cisco Meraki MX Security and SD-WAN Appliances offer a robust, all-in-one solution, integrating unified threat management (UTM) and SD-WAN functionalities. Selecting the right MX appliance hinges on your specific use case and deployment needs. For detailed specifications of vMX devices, please consult the vMX specific data sheet.
The following tables summarize the hardware capabilities across the MX, Z-Series, and vMX portfolios.
MX-Series Appliances
For MX67(C/W) models, a convertible LAN interface provides dual WAN capability. Cellular failover is available for models without integrated cellular by using an MG cellular gateway. Dual power supply models feature active/standby redundancy but do not offer combined power output. MX68 and MX75 offer PoE+ on LAN ports, while MX85, MX95, and MX105 provide PoE+ on WAN ports, supporting PoE/PoE+ to an MG gateway. Refer to specific product datasheets for complete details. HTTPS Inspection is supported natively via Cisco Umbrella SD-WAN extension or through third-party VPN integration.
| MX67 (C/W) | MX68 (W/CW) | MX75 | MX85 | MX95 | MX105 | MX250 | MX450 | |
|---|---|---|---|---|---|---|---|---|
| Dual Active WAN | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| 3G/4G Failover | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Built-in LTE Modem* | Yes | Yes | No | No | No | No | No | No |
| Built-in Wi-Fi** | Yes | Yes | No | No | No | No | No | No |
| Built-in PoE+ | No | Yes | Yes | Yes | Yes | Yes | No | No |
| WAN Fiber Connectivity | No | No | SFP | SFP | SFP+ | SFP+ | SFP, SFP+ | SFP, SFP+ |
| Dual Power Supply | No | No | No | No | No | Yes | Yes | Yes |
| Form Factor | Desktop | Desktop | Desktop | 1U | 1U | 1U | 1U | 1U |
| HTTPS Inspection | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced Malware Protection (AMP) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Intrusion Detection and Prevention (SNORT IPS/IDS) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
* – Only on models designated with ‘C’ (e.g., MX67C, MX68C). ** – Only on models designated with ‘W’ (e.g., MX67W, MX68W).
Z-Series Teleworker Gateways
| Z3 (C) | Z4 (C) | |
|---|---|---|
| Dual Active WAN | No | No |
| 3G/4G Failover Model Available | Yes | Yes |
| Built-in LTE Modem Model Available | Yes | Yes |
| Built-in Wi-Fi Available | Yes | Yes |
| Built-in PoE (LAN Port) Model Available | Yes (802.3af, PoE) | Yes (802.3at, PoE+) |
| WAN Fiber Connectivity | No | No |
| Dual Power Supply | No | No |
| Form Factor | Desktop | Desktop |
| HTTPS Inspection | Yes | Yes |
| Advanced Malware Protection (AMP) | No | Yes |
| Intrusion Detection and Prevention (SNORT IPS/IDS) | No | No |
vMX-Series Virtual Appliances
| vMX-Small | vMX-Medium | vMX-Large | vMX-Extra Large | |
|---|---|---|---|---|
| Dual WAN | N/A | N/A | N/A | N/A |
| 3G/4G/5G Failover | N/A | N/A | N/A | N/A |
| Built-in LTE Modem Model Available | N/A | N/A | N/A | N/A |
| Built-in Wireless Available | N/A | N/A | N/A | N/A |
| Built-in PoE+ Model Available | N/A | N/A | N/A | N/A |
| WAN Fiber Connectivity | N/A | N/A | N/A | N/A |
| Dual Power Supply | N/A | N/A | N/A | N/A |
| Form Factor | Virtual | Virtual | Virtual | Virtual |
| HTTPS Inspection | N/A | N/A | N/A | N/A |
| Advanced Malware Protection (AMP) | N/A | N/A | N/A | N/A |
| Intrusion Detection and Prevention (SNORT IPS/IDS) | N/A | N/A | N/A | N/A |
Use Case Based MX Model Recommendations
Device throughput, feature set, and flow table capacity are key factors in determining use case suitability. For sizing purposes, we assume each client consumes up to 50 flows.
MX-Series Recommended Device Count
| MX67 | MX68 | MX75 | MX85 | MX95 | MX105 | MX250 | MX450 | |
|---|---|---|---|---|---|---|---|---|
| Recommended Maximum Device Count | 50 | 50 | 200 | 250 | 500 | 750 | 2,000 | 10,000 |
Z-Series Recommended Device Count
| Z3 (C) | Z4 (C) | |
|---|---|---|
| Recommended Maximum Device Count | 5 | 15 |
vMX-Series Recommended Device Count
| vMX-Small | vMX-Medium | vMX-Large | vMX-Extra Large | |
|---|---|---|---|---|
| Recommended Maximum Device Count | 500 | 2,500 | 10,000 | 20,000 |
Feature-Specific Performance Data
Consider the following points regarding feature performance:
- Maximum site-to-site VPN tunnel counts are based on lab tests without client traffic over VPN.
- Recommended maximum site-to-site VPN tunnel counts are based on lab tests with client traffic over VPN.
- Client VPN load balancing can be implemented for deployments requiring over 500 connections.
- Specific criteria must be met for WAN, dynamic path selection, or tunnel failover times to be achieved.
MX-Series Feature Performance
| MX67 | MX68 | MX75 | MX85 | MX95 | MX105 | MX250 | MX450 | |
|---|---|---|---|---|---|---|---|---|
| Maximum Site to Site VPN Tunnel Count | 50 | 50 | 75 | 200 | 500 | 1,000 | 3,000 | 5,000 |
| Recommended Maximum Site to Site VPN Tunnel Count | 50 | 50 | 75 | 100 | 250 | 500 | 1,000 | 1,500 |
| Maximum Number of Client VPN Tunnels | 50 | 50 | 75 | 100 | 250 | 250 | 500 | 500 |
| Maximum Number of AnyConnect Sessions | 100 | 100 | 250 | 250 | 500 | 750 | 1000 | 1500 |
| WAN Failover | < 5 Sec | < 5 Sec | < 5 Sec | < 5 Sec | < 5 Sec | < 5 Sec | < 5 Sec | < 5 Sec |
| Auto VPN Tunnel Failover | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second |
| Dynamic Path Selection | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second | Sub-second |
Z-Series Feature Performance
| Z3 (C) | Z4 (C) | |
|---|---|---|
| Maximum Site to Site VPN Tunnel Count | 10 | 10 |
| Recommended Maximum Site to Site VPN Tunnel Count | 4 | 8 |
| Maximum Number of Client VPN Tunnels | 1 | 2 |
| WAN Failover | < 5 Sec | < 5 Sec |
| Auto VPN Tunnel Failover | Sub-second | Sub-second |
| Dynamic Path Selection | Sub-second | Sub-second |
vMX-Series Feature Performance
| vMX-Small | vMX-Medium | vMX-Large | vMX-Extra Large | |
|---|---|---|---|---|
| Maximum Site to Site VPN Tunnel Count | 50 | 250 | 1,000 | 10,000 |
| Recommended Maximum Site to Site VPN Tunnel Count | 50 | 250 | 1,000 | 10,000 |
| Maximum Number of Client VPN Tunnels | 50 | 250 | 500 | To be announced |
| WAN Failover | N/A | N/A | N/A | N/A |
| Auto VPN Tunnel Failover | Sub-second | Sub-second | Sub-second | Sub-second |
| Dynamic Path Selection | Sub-second | Sub-second | Sub-second | Sub-second |
Flow and Session Capacity for MX Appliances
Understanding the flow and session capacity of each appliance is crucial for proper sizing. A flow is defined as any transmission on an open socket within a 5-minute window. These values represent maximum capacities, not recommended operating levels.
MX-Series Session Capacity
| MX67 | MX68 | MX75 | MX85 | MX95 | MX105 | MX250 | MX450 | |
|---|---|---|---|---|---|---|---|---|
| Maximum Concurrent Sessions | 25,000 | 25,000 | 50,000 | 125,000 | 200,000 | 250,000 | 500,000 | 1,000,000 |
Z-Series Session Capacity
| Z3 (C) | Z4 (C) | |
|---|---|---|
| Maximum Concurrent Sessions | 5,000 | 10,000 |
vMX-Series Session Capacity
| vMX-Small | vMX-Medium | vMX-Large | vMX-Extra Large | |
|---|---|---|---|---|
| Maximum Concurrent Sessions | 25,000 | 125,000 | 1,000,000 | 1,000,000 |
Performance Benchmarks for MX Appliances
Industry-standard benchmarks facilitate comparisons between MX appliances and those from other vendors. These tests are conducted under ideal network conditions with optimized traffic patterns. Unless specified, features are disabled when measuring maximum throughput for a given feature. Actual performance may vary.
Key considerations for performance data:
- Firewall Throughput Tests: Layer 3 Firewall, QoS, and DPI (NBAR) are enabled.
- Advanced Security Throughput Tests (MX-Series): QoS, DPI (NBAR), IPS Ruleset ‘Connectivity’, AMP, Content Filtering, and IPS Mode (Detection or Prevention) are enabled.
- Single & Multi-Tunnel VPN Throughput Tests: QoS, DPI (NBAR), and Layer 3 Firewall are enabled.
- Secure Teleworker Throughput Tests (Z-Series): QoS, DPI (NBAR), and AMP are enabled.
MX-Series Performance Data
| MX67 | MX68 | MX75 | MX85 | MX95 | MX105 | MX250 | MX450 | |
|---|---|---|---|---|---|---|---|---|
| Firewall Throughput RFC2544 – 1518 Byte | 700 Mbps | 700 Mbps | 1 Gbps | 1 Gbps | 2.5 Gbps | 5 Gbps | 7.5 Gbps | 10 Gbps |
| Firewall Throughput EMIX | 700 Mbps | 700 Mbps | 1 Gbps | 1 Gbps | 2.5 Gbps | 5 Gbps | 7 Gbps | 10 Gbps |
| NGFW Throughput (Advanced Security – Prevention) EMIX | 300 Mbps | 300 Mbps | 500 Mbps | 500 Mbps | 1.5 Gbps | 2 Gbps | 1.5 Gbps | 3.5 Gbps |
| NGFW Throughput (Advanced Security – Detection) EMIX | 400 Mbps | 400 Mbps | 1 Gbps | 1 Gbps | 2 Gbps | 2.5 Gbps | 3.5 Gbps | 7 Gbps |
| Single Tunnel VPN Throughput RFC2544 1400 Byte | 400 Mbps | 400 Mbps | 1 Gbps | 1 Gbps | 2.0 Gbps | 2.5 Gbps | 3 Gbps | 3.5 Gbps |
| Multi-Tunnel VPN Throughput RFC2544 1400 Byte | ≤ 400 Mbps | ≤ 400 Mbps | 1 Gbps | 1 Gbps | 2.5 Gbps | 3 Gbps | 3.5 Gbps | 4.5 Gbps |
| Single Tunnel VPN Throughput EMIX | 300 Mbps | 300 Mbps | 1 Gbps | 1 Gbps | 1.5 Gbps | 2 Gbps | 2 Gbps | 3 Gbps |
| Multi-Tunnel VPN Throughput EMIX | ≤ 300 Mbps | ≤300 Mbps | ≤ 1 Gbps | ≤ 1 Gbps | ≤ 1.5 Gbps | ≤ 2 Gbps | ≤ 2 Gbps | 4.5 Gbps |
Note: NGFW = next-generation firewall, EMIX = enterprise mix
Z-Series Performance Data
| Z3 (C) | Z4 (C) | |
|---|---|---|
| Secure Teleworker Throughput | NA | 300 Mbps |
| Firewall Throughput RFC2544 – 1518 Byte | 200 Mbps | 500 Mbps |
| Firewall Throughput EMIX | 200 Mbps | 500 Mbps |
| Single Tunnel VPN Throughput RFC2544 1400 Byte | 75 Mbps | 250 Mbps |
| Single Tunnel VPN Throughput EMIX | 50 Mbps | 250 Mbps |
vMX-Series Performance Data
| vMX-Small | vMX-Medium | vMX-Large | vMX-Extra Large | |
|---|---|---|---|---|
| vMX VPN Throughput iPerf | 250 Mbps | 500 Mbps | 1 Gbps | 10 Gbps |
Feature Benefits and Performance Considerations
Each MX feature offers distinct advantages for specific network scenarios. Below is a detailed look at key features, their use cases, and sizing recommendations for deployment.
Cisco Advanced Malware Protection (AMP)
Cisco AMP, a leading anti-malware solution, is integrated into MX Security Appliances. For guest VLANs, consider disabling AMP and using firewall rules for isolation. If endpoints are protected by a robust malware client like AMP for Endpoints, disabling AMP on the MX for internal traffic might be considered for optimized performance.
Content Filtering
Powered by Cisco TALOS, content filtering allows blocking website categories based on organizational policies. Implement content filtering strategically, blocking only necessary categories aligned with your organization’s security posture.
Web-Safe Search
MX Security Appliances can enforce web-safe search filtering for all web searches. For effective filtering, this feature should be used in conjunction with the “disable encrypted search” option.
Cisco IPS/IDS (SNORT)
The Snort-based Intrusion Prevention and Detection System (IPS/IDS) monitors and safeguards your network from malicious activities. Rulesets beyond ‘Connectivity’ can have a greater impact on performance. In bandwidth-constrained environments, avoid sending IDS/IPS syslog data over VPN.
HTTPS Inspection
HTTPS Inspection enhances advanced security features by enabling inspection of encrypted HTTPS traffic. Utilizing Cisco Umbrella SD-WAN extensions to offload HTTPS Inspection processing from MX appliances can significantly reduce performance overhead.
VPN Tunnel Count
Auto VPN simplifies VPN tunnel creation between sites. Consider using split-tunnel VPN configurations when deploying security services at the network edge to optimize VPN tunnel usage and performance.
FIPS Mode
FIPS (Federal Information Processing Standard) mode ensures that MX devices utilize only FIPS-compliant cryptographic mechanisms. When planning to implement FIPS mode, consult with your account specialist for proper sizing and network architecture guidance, as it can impact performance, especially with VPN services.
Performance Impact Breakdown by Feature
| Feature Name | Performance Impact |
|---|---|
| Cisco Advanced Malware Protection (AMP) | Low |
| Content Filtering | Low |
| Web-Safe Search | Low |
| FIPS Mode (Non-VPN Services) | Low |
| Cisco IDS/IPS (SNORT) | Medium |
| HTTPS Inspection (On-device) | High |
| Number of VPN Tunnels | High |
| FIPS Mode (VPN Services) | High |
