Meraki is a Cloud-Managed IT company based in San Francisco, California which was purchased by Cisco Systems in December 2012.
Cisco Meraki provides networking products which are configured and managed through a cloud-based web portal.
These products include MX Security Appliances, MS Network Switches, MR Wireless Access Points, MV Wireless Cameras and, more recently, IoT devices such as wireless temperature sensors.
Meraki products are marketed as simple to install and easy to configure with basic connectivity being established within a few minutes of plugging the device into an internet connected interface.
This negates the need for an expensive Network Engineer to complete the install.
In this article we will compare and discuss several popular Meraki MX Firewall devices, specifically the MX64, MX65, MX67 and MX68.
MX Security Appliances – Brief Description
The Meraki MX64, MX65, MX67 and MX68 products are all marketed as Small Branch Cloud-Managed Security and SDWAN devices.
These models all provide the same cloud-based security features and applications but have differing physical connectivity and hardware performance specifications depending on the model.
As with all Meraki MX or MS devices, the design is minimalistic, with a single LED on the front of the device which changes colour from orange to rainbow, to white and to purple while the device is being configured or booting up.
The casing is made from metal, which gives the device a solid feel, with a silver design like that of an Apple MacBook Pro.
The Security and SDWAN features of an MX Security Appliance include the following:
- L3/L7 Stateful Firewall
- Geo-based firewall rules
- 1:1 and 1:Many NAT
- Client VPN endpoint
- Meraki AutoVPN and L2TP/IPSec VPN endpoint
- Content Filtering
- Web search filtering
- Malware Protection (AMP) w/ optional Threat Grid integration
- IDS/IPS protection
- Syslog integration
- Remote Packet Capture tools
- YouTube for Schools
- SDWAN
- Active Directory Integration
- Layer 7 Application and Visibility
- User And Device Quarantine
- Identity based Policies
- And more
The SD-WAN and load balancing capabilities enable autonomous switchover between the available WAN connections in the event of an outage.
The SD-WAN feature can also load balance traffic over multiple links or choose the best performing link over which to forward traffic, based upon measurements such as speed, latency, and jitter.
Comparison Table
1xGbE WAN dual-purpose
4xGbE LAN
10xGbE LAN dedicated
Last update on 2023-09-29 at 12:08 / Affiliate links / Images from Amazon Product Advertising API
Physical Characteristics and Performance
Meraki MX64
- Stateful firewall throughput: 250 Mbps
- Recommended maximum clients: 50
- Managed centrally over the web
The Meraki MX64 is quite small at only 9.5 x 5.2 x 1in and can be desktop or wall mounted.
The MX64 has one dedicated 1 GbE WAN Ethernet interface and 4 LAN GbE interfaces, one of which can be configured as an additional WAN interface if dual WAN is required.
There is a USB connection which can be used to attach a 3rd party Wireless 3G or 4G Mobile dongle to provide backup WAN connectivity should the Primary WAN links not be available for any reason.
The stateful firewall on an MX64 has a maximum throughput of 250Mbps with a maximum VPN throughput of 100Mbps.
The MX64 can support a maximum of 50 Users and does not have any Power over Ethernet (POE) capabilities.
Meraki MX65
- Stateful firewall throughput: 250 Mbps, small form factor
- Recommended maximum clients: 50, Content filtering
- Layer 7 application visibility and traffic shaping
The MX65 provides the same security features as the MX64; however, this model is slightly larger at 10.5 x 5.2 x 1in and can also be desktop or wall mounted.
It also comes with a larger 90Watt DC power supply due to this model supporting POE+.
The MX65 has a total of 12 GbE interfaces, two of which are used as dedicated WAN links and the remaining 10 are 1xGbE LAN interfaces.
Two of the 10 LAN interfaces are capable of POE+, which allows devices such as IP phones or Access Points to be attached and powered by the MX Security Appliance.
On the side of the MX65 there is also a USB port for attaching a 3rd party 3G or 4G Mobile Dongle to provide redundancy in the event of the main WAN connections being unavailable.
The MX65 is also recommended for a maximum of 50 LAN clients with the stateful firewall throughput matching that of the MX64 at a maximum of 250Mbps.
The Maximum VPN throughput is also the same as the MX64 at 100Mbps.
Meraki MX64W and MX65W
The MX64W and MX65W models both have the same features and specifications as seen in the MX64 and MX65 models but add a Wireless interface to the Security Appliance which allows clients to connect wirelessly over 802.11a/b/g/n/ac radios.
These models can still only support a maximum of 50 clients with a maximum wireless throughput of 1.2Gb per second depending on the wireless protocol that is configured.
Meraki MX67
- Stateful firewall throughput: 450 Mbps.
- Recommended maximum clients: 50.
- Managed centrally over the web. Classifies applications, users and devices.
The Meraki MX67 is similar in size and shape to the MX64 and MX65 models, measuring 9.4 x 5.1 x 1.1in, and can be desktop or wall mounted.
The MX67 does not have any POE capabilities and as such is supplied with a smaller 18W DC Power pack.
There are 3 versions of the MX67 which are the MX67, MX67C and MX67W.
The MX67 has the same number of interfaces as the MX64 with a single dedicated GbE WAN interface and 4 GbE LAN interfaces, one of which can be converted to a WAN interface should dual WAN connectivity be required.
This model also has a USB connection which can be used for connecting a 3rd Party 3G/4G mobile dongle to provide cellular connectivity as a backup.
The MX67C has the same physical interfaces as the MX67 however this model has Cellular connectivity built in. The cellular connection requires a 3rd party SIM card to be installed and has 2 non-removable cellular antennas fixed to the chassis.
The MX67W has the same physical interfaces as the MX67; however, this model also has wireless connectivity over 802.11a/b/g/n/ac radios. There are two fixed wireless 2.4GHz and 5GHz antennas attached to the chassis.
Performance of the MX67 is almost double that of the MX64/65 with the firewall capable of 450Mbps throughput and 200 Mbps over VPN. The recommended number of clients for this device remains at 50.
Meraki MX68
- 10 × GbE (2 WAN, 2 PoE+), 1 × USB 2.0 for 3G/4G failover
- Stateful firewall throughput: 450 Mbps, VPN throughput: 200 Mbps
- Recommended maximum clients: 50, Layer 7 application visibility and traffic shaping
The MX68 is the largest and heaviest of all the models featured in this article with measurements of 11.2 x 5.8 x 1in but can still be desk or wall mounted.
There are 3 versions of the MX68 which are the MX68, MX68C and MX68W.
The MX68 has the same number of physical interfaces as the MX65 and has a total of 12 GbE interfaces, two of which are used as dedicated WAN links and the remaining 10 are 1GbE LAN interfaces.
Two of the 10 LAN interfaces are capable of POE+, which allows devices such as IP phones or Access Points to be attached and powered by the MX Security Appliance.
On the side of the MX65 there is also a USB port for attaching a 3rd party 3G or 4G Mobile Dongle to provide redundancy in the event of the main WAN connections being unavailable.
The MX68C has the same physical interfaces as the MX68 however this model has Cellular connectivity built in. The cellular connection requires a 3rd party SIM card to be installed and has 2 non-removable cellular antennas fixed to the chassis.
The MX68W has the same physical interfaces as the MX68; however, this model has wireless connectivity over 802.11a/b/g/n/ac radios built in. There are two fixed wireless 2.4GHz and 5GHz antennas attached to the chassis.
The Performance of the MX68 is the same as the MX67 at almost double that of the MX64/65 with the firewall capable of 450Mbps throughput and 200 Mbps over VPN. The recommended number of clients for this device remains at 50.
Summary Performance Comparison of MX64/65 vs MX67/68
The only difference between the MX64/65 and the MX67/68 is the internal hardware which provides the processing power for the firewall and security applications.
All the same security features are available on all versions regardless of the model number, but the MX67/68 are faster and able to provide better performance and throughput for the Firewall and VPN features.
If your Internet Line speed is up to 200-250Mbps, then the MX64/65 will be able to fully utilize the Internet line.
On the other hand, if you have a higher Internet speed tier (around 400-450 Mbps), then you should go with the MX67/68 models to fully utilize the Internet line capacity.
Use Cases
MX64/65
These security appliance models are best used in a scattered deployment for connecting remote locations, such as small branch offices, to a main headquarters office, or as standalone devices working as border Internet firewalls in SMB environments.
As the MX64/65 models are fairly small and only capable of servicing a maximum of 50 Client devices, these models are ideal for supporting small remote offices which contain only a handful of users but add the connectivity, redundancy and security of an enterprise environment to those locations.
An example of an ideal use case would be an estate agent with offices located in different towns, or care homes or small community centers which have a small office for admin staff.
MX67/68
The larger MX67 and MX68 models have a similar use case but would be able to support sites which have larger bandwidth requirements such as retail stores or small business environments with Internet connection speeds above 250 Mbps.
Licensing (Meraki MX Enterprise vs Advanced vs SD-WAN Plus)
Licensing for Meraki devices follows the same rules no matter which device is purchased.
Each Meraki device requires a License, but it is based on a 1:1 ratio rather than fixed by serial number.
This means that you can move devices around and only worry about the quantity of licenses required rather than which device the license is tied to.
Licenses can also be purchased on a Co-term basis where required.
There are 3 levels of licensing for the Meraki MX.
- Enterprise license – Essential SD WAN, Secure connectivity, and basic security
- Advanced security license – All enterprise features and Unified Threat Management.
- Secure SD-WAN Plus license – All advanced security features, advanced analytics with machine learning, Smart SaaS QoE.
The full feature set for each license can be found here.
Meraki Dashboard
The Meraki dashboard is a web-based portal that manages all the Meraki devices registered to a particular network.
The Meraki dashboard also supports multiple tenants which allows multiple sites or multiple networks to be added to a single dashboard.
This is useful for Managed Service Providers (MSPs) who are responsible for managing the networks of multiple customers, as all the managed networks and site locations can be organised under a separate heading for each customer in a single dashboard window.
The benefit of a cloud-based management portal is that it can be reached from any device which has a web browser and connectivity to the internet, whether that is a Windows machine, a MacBook or a Linux server.
There is also an App that can be installed on your mobile phone to access the Meraki Dashboard.
The downside of a cloud-based system is that internet connectivity is required to access the Meraki dashboard to view the status of or configure any of the devices.
If a change is made to a device on the dashboard which then cuts off connectivity to the internet for the network, then all the Meraki devices within that network are unreachable until internet connectivity is restored.
Meraki devices do not have a command line interface like a standard Cisco device, so it is not possible to connect a console cable to the physical Meraki device and change its configuration as you could with a standard Cisco appliance.
All Configuration changes must be made via the Meraki Dashboard.
Configuring a Meraki Device
As covered earlier, Meraki devices do not have a console port or a Command Line Interface (CLI).
To initially configure a Meraki device, connect an Ethernet cable from the device directly to a host laptop or computer, or connect the device to an existing network switch, and open a web browser on the host machine.
The device can then be accessed via IP address or by its DNS name. By default, Meraki devices can be accessed through the following IP addresses and URLs when the host device is configured within the same IP subnet.
MR – http://ap.meraki.com or 10.128.128.125 255.255.255.0
MS – http://switch.meraki.com or 1.1.1.100 255.255.255.0
MX – http://mx.meraki.com or http://wired.meraki.com
Most MX devices have a dedicated management interface which is used to access the Local Status Page. By default the MX runs a dedicated DHCP server, so once a host is connected to it, the default gateway address assigned to the host can be used to access the Local Status Page through a web browser.
Once connectivity is established, the Local status page can be accessed. This page will show differing information depending on what type of device is being accessed.
It is mainly used to provide the IP configuration for the uplink port which connects to the internet.
Once the device has internet connectivity it can be enrolled into the Meraki dashboard and full configuration options are then available through this dashboard.
MX devices have a Dual WAN option where connections from multiple service providers can be configured on the device.
In the Local Service Page this device will show two separate options in the uplink configuration page, one for each of these separate Internet WAN connections.
Claiming a Meraki Device
Before a Meraki device can be managed through the Meraki dashboard it must first be claimed by an organisation that has been registered to that dashboard.
The new device is registered through the following pages:
Organization -> Inventory -> click Claim or through Config -> add devices -> click Claim. Enter the serial number of the devices which are to be claimed. This will add that device to the inventory and make it available to be added to a network.