MX Sizing Guide

SEPTEMBER 2018
This technical document provides guidelines for choosing the right
Cisco Meraki security appliance based on real-world deployments,
industry standard benchmarks and in-depth feature descriptions.
Overview
Cisco Meraki MX Security Appliances are Unified Threat Management (UTM) products.
UTM products offer multiple security features in a simple-to-deploy, consolidated form factor.
Given the number of security features that can be deployed in any given MX, device performance
will vary depending on the use-case. Choosing the right MX depends on the use-case and the
deployment characteristics.

This technical guide is designed to help answer the following questions:

• How do I decide which MX model I need?

• Which features should I turn on?

• How do MX models compare against the competition?

Choosing the right hardware

Cisco Meraki MX products come in 8 product families. The chart below outlines MX hardware properties available under each family:

MX 6 4 ( W ) MX6 5( W ) MX6 7 ( W / C ) M X 6 8 (W / CW ) MX84 M X 10 0 MX250 M X4 5 0

Dual Wan Links ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

3G / 4G Failover ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Built-In LTE
Modem Model ✓ ✓
Available

Built-In Wireless
Available
✓ ✓ ✓ ✓

Built-In PoE+
Model Available
✓ ✓

Hard Drive 1TB 1TB 128GB (SSD) 128GB (SSD)

Fiber
SFP SFP SFP, SFP+ SFP, SFP+
Connectivity

Dual Power
Supply
✓ ✓

Form Factor Desktop Desktop Desktop Desktop 1U 1U 1U 1U

2 Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | [email protected]
Network performance benchmarks
Industry standard benchmarks are designed to help you compare MX security appliances to
firewalls from other vendors. These tests assume perfect network conditions with ideal traffic
patterns. When measuring maximum throughput for a certain feature, all other features are disabled.
Actual results in production networks will vary.

MX6 4 /6 5 M X 6 7/ 6 8
MX84 M X 10 0 MX250 M X4 5 0
series series

Max throughput with all security

200 Mbps 300 Mbps 320 Mbps 650 Mbps 2 Gbps 4 Gbps
features enabled

Max Stateful (L3) firewall

250 Mbps 450 Mbps 500 Mbps 750 Mbps 4 Gbps 6 Gbps
throughput in passthrough mode

Max Stateful (L3) firewall

200 Mbps 450 Mbps 500 Mbps 750 Mbps 4 Gbps 6 Gbps
throughput in NAT mode

Max VPN throughput 100 Mbps 200 Mbps 250 Mbps 500 Mbps 1 Gbps 2 Gbps

Max concurrent VPN tunnels 1

50 50 100 250 3,000 5,000
(site-to-site or client VPN)

Recommended maximum
concurrent VPN tunnels 2 50 50 100 250 1,000 1,500
(site-to-site or client VPN)

Max AMP throughput 250 Mbps 300 Mbps 500 Mbps 750 Mbps 2 Gbps 4 Gbps

Max IDS throughput 200 Mbps 300 Mbps 320 Mbps 650 Mbps 2 Gbps 4 Gbps

The SD-WAN feature set for the MX includes active-active VPN, which creates VPN tunnels between peers on all available uplinks in order to make the most efficient possible use of
available WAN bandwidth. A connection between two peers can therefore contain up to four tunnels, depending on the number of MX uplinks at each site. This should be taken into
consideration when making VPN sizing decisions.

1
The maximum concurrent VPN tunnels are based on lab testing scenarios where no client traffic is transferring over the VPN tunnels.

2
Recommended concurrent VPN tunnels are based on lab testing scenarios with client traffic transferring over VPN tunnels.

3 Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | [email protected]
Features, benefits and performance impact
UTM products come with a variety of security and networking features. Understanding the benefits
and tradeoffs of these features is crucial to getting the maximum security benefit without
unnecessary performance degradation.

BE N E F ITS P E R FO R M A N CE R E C O M M E N DAT I O N S
IM PACT

Blocks HTTP-based filed

Consider disabling for guest VLANs and using firewall rules to isolate
downloads based on the
Malware protection High those VLANs. Also consider disabling if you run a full malware client
disposition received from
like AMP for Endpoints on host devices.
the Cisco AMP cloud.

Provides alerts / prevention

Consider not sending IDS/IPS syslog data over VPN in low-bandwidth
IDS / IPS for suspicious network High
networks.
traffic

Secure, encrypted traffic

VPN Medium Use split-tunnel VPN and deploy security services at the edge.
between locations

Ideal for repetitively accessing heavy multimedia content frequently

Accelerating access to Web
Web caching Medium for low bandwidth networks. Not recommended for high bandwidth
content by caching locally
networks. Please note that YouTube doesn’t support web caching.

Category based URL

Content filtering
filtering using locally Low Choose this option if your priority is speed over coverage.
(top sites)
downloaded database

Category based URL

Choose this option if your priority is 100% coverage and security.
Content filtering filtering using the full
Medium Web browsing will be slightly slower at the beginning but will improve
(full list) database hosted at
as more and more URL categories are cached.
Brightcloud.com

Turning Google / Must be deployed in tandem with “disable encrypted search” option
Web safe-search Low
Bing safe-search option on to be effective.

Disabling Google / Bing

Blocking Must be deployed in tandem with “Web safe-search” to be effective.
searches via https (port
encrypted Low Requires a DNS setting modification, otherwise will also break
443), allowing Web safe-
search Google apps. Check Meraki knowledge base for further information.
search enforcement

4 Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | [email protected]
 Client recommendations
Although there is no hard limit on the number of client devices that can be deployed below MX
Security Appliances, for purposes of this document all tests were performed with the client counts
shown in the table below. Exceeding these client counts may result in performance that varies from
the sizing data contained in this guide.

RECOMMENDED NUMBER OF CLIENT DEVICES

MX6 4 /6 5 MX6 7 /6 8 MX84 M X 10 0 MX250 M X4 5 0

series series

Recommended 50 50 200 500 2,000 10,000

client devices

Built-in MX Device utilization

This guide aims to educate the user on the expected utilization and load levels for specific MX models with
certain features enabled. However, to accurately predict the load on the device, it must be tested in its designated
environment, under expected conditions. There are a large number of variables in each individual network that
will affect real-world performance, such as the unique traffic blend and the features in use.

MX Device utilization helps provide a better understanding of the device’s load over time and can be used to
assess the utilization level and whether a higher end device or a load reduction is required.If an MX device is
consistently over 85% utilization during normal operation*, upgrading to a higher throughput model or reducing
the per device load should be considered. The MX Device utilization tool is available through an API or as a graph
shown on the Summary Report page.

MX Device utilization calculation

The device utilization data reported to the Meraki Dashboard is based on a load average measured over a period
of one minute. The load value is returned in numeric value ranging from 1 through 100. A lower value indicates
a lower load, and a higher value indicates a more intense workload. Currently, the device utilization value is
calculated based upon the CPU utilization of the MX as well as its traffic load.

Due to load averaging, it’s possible for transient load spikes to occur without being visible in the utilization metric.
For example, a device load that is consistently shown as less than 85% may still be experiencing transient load
spikes. These transient load spikes may cause packets received in excess of the device’s forwarding capacity to
be dropped.

* With all the desired features turned on, the expected number of clients connected, and the expected traffic mix traversing the device.

5 Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | [email protected]
Conclusion
While every network will have a unique traffic pattern, this guide highlights a few common
scenarios to help you choose the right Cisco Meraki MX product for your environment.
Consider planning for future growth by allocating buffer room in your firewall selection
(e.g., if you currently have 550 users, choose an MX that supports 1000 users). This will
ensure that you can continue enabling additional security and network features as they
become available. Also considering ISP speeds are increasing year over year, it is important to
choose a firewall that will serve you well over many years.

6 Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | [email protected]