Comparison of Cisco Meraki MX64 vs MX65 vs MX67 vs MX68

Meraki is a Cloud-Managed IT company based in San Francisco, California which was purchased by Cisco Systems in December 2012.

Cisco Meraki provides networking products which are configured and managed through a cloud-based web portal.

These products include MX Security Appliances, MS Network Switches, MR Wireless Access Points, MV Wireless Cameras and more recently, IOT devices such as wireless temperature sensors etc.

Meraki products are marketed as simple to install and easy to configure with basic connectivity being established within a few minutes of plugging the device into an internet connected interface.

This negates the need for an expensive Network Engineer to complete the install.

In this article we will compare and discuss several popular Meraki MX Firewall devices, specifically the MX64, MX65, MX67 and MX68.

MX Security Appliances – Brief Description

The Meraki MX64, MX65, MX67 and MX68 products are all marketed as Small Branch Cloud-Managed Security and SDWAN devices.

These models all provide the same cloud-based security features and applications but have differing physical connectivity and hardware performance specifications depending on the model.

As with all Meraki MX or MS devices, the design is minimalistic with a single led on the front of the device which changes colour from orange to rainbow, to white and to purple while the device is being configured or booting up.

The casing is made from metal which give the device a solid feel with the silver design like that of an apple MacBook Pro.

The Security and SDWAN features of an MX Security Appliance include the following:

• L3/L7 Stateful Firewall
• Geo-based firewall rules
• 1:1 and 1: Many NAT
• Client VPN endpoint
• Meraki AutoVPN and L2TP/IPSec VPN endpoint
• Content Filtering
• Web search filtering
• Malware Protection (AMP) w/ optional Threat Grid integration
• IDS/IPS protection
• Syslog integration
• Remote Packet Capture tools
• Youtube for Schools
• SDWAN
• Active Directory Integration
• Layer 7 Application and Visibility
• User And Device Quarantine
• Identity based Policies
• And more

The SD-WAN and load balancing capabilities enables autonomous switchover between the different available WAN connections in the event of an outage.

The SD-WAN feature is also able to Load balance traffic over multiple links or choose the best performing link in which to forward traffic based upon measurements such as speed, latency, and jitter.

Comparison Table

Preview

Model

Meraki MX64

Meraki MX65

Meraki MX67

Meraki MX68

Star Rating

-

-

Physical Interfaces

1xGbE WAN dedicated

1xGbE WAN dual-purpose

4xGbE LAN

2xGbE WAN dedicated

10xGbE LAN dedicated

1xGbE WAN dedicated

1xGbE WAN dual-purpose

4xGbE LAN

2xGbE WAN dedicated

10xGbE LAN dedicated

Cellular Failover

YES (1xUSB)

YES (1xUSB)

YES (1xUSB)

YES (1xUSB)

PoE+ Interfaces

NO

YES (2xGbE)

NO

YES (2xGbE)

Form Factor

Desktop or Wall mounted

Desktop or Wall mounted

Desktop or Wall mounted

Desktop or Wall mounted

Stateful Firewall Throughput

250 Mbps

250 Mbps

450 Mbps

450 Mbps

VPN Throughput

100 Mbps

100 Mbps

200 Mbps

200 Mbps

Advanced Security Throughput

200 Mbps

200 Mbps

300 Mbps

300 Mbps

Users

50

50

50

50

Price

Check Details

Check Details

Check Details

Check Details

Preview

Model

Meraki MX64

Star Rating

Physical Interfaces

1xGbE WAN dedicated

1xGbE WAN dual-purpose

4xGbE LAN

Cellular Failover

YES (1xUSB)

PoE+ Interfaces

NO

Form Factor

Desktop or Wall mounted

Stateful Firewall Throughput

250 Mbps

VPN Throughput

100 Mbps

Advanced Security Throughput

200 Mbps

Users

50

Price

Check Details

Preview

Model

Meraki MX65

Star Rating

-

Physical Interfaces

2xGbE WAN dedicated

10xGbE LAN dedicated

Cellular Failover

YES (1xUSB)

PoE+ Interfaces

YES (2xGbE)

Form Factor

Desktop or Wall mounted

Stateful Firewall Throughput

250 Mbps

VPN Throughput

100 Mbps

Advanced Security Throughput

200 Mbps

Users

50

Price

Check Details

Preview

Model

Meraki MX67

Star Rating

Physical Interfaces

1xGbE WAN dedicated

1xGbE WAN dual-purpose

4xGbE LAN

Cellular Failover

YES (1xUSB)

PoE+ Interfaces

NO

Form Factor

Desktop or Wall mounted

Stateful Firewall Throughput

450 Mbps

VPN Throughput

200 Mbps

Advanced Security Throughput

300 Mbps

Users

50

Price

Check Details

Preview

Model

Meraki MX68

Star Rating

-

Physical Interfaces

2xGbE WAN dedicated

10xGbE LAN dedicated

Cellular Failover

YES (1xUSB)

PoE+ Interfaces

YES (2xGbE)

Form Factor

Desktop or Wall mounted

Stateful Firewall Throughput

450 Mbps

VPN Throughput

200 Mbps

Advanced Security Throughput

300 Mbps

Users

50

Price

Check Details

Last update on 2023-09-29 at 12:08 / Affiliate links / Images from Amazon Product Advertising API

Physical Characteristics and Performance

Meraki MX64

16 Reviews

Cisco Meraki MX64 Small Branch Security Appliance

• Stateful firewall throughput: 250 Mbps
• Recommended maximum clients: 50
• Managed centrally over the web

$574.19

Check Details Price incl. tax, excl. shipping

Last update on 2023-09-29 at 12:08 / Affiliate links / Images from Amazon Product Advertising API

The Meraki MX64 is quite small at only 9.5 x 5.2 x 1in and can be desktop or wall mounted.

The MX64 has one dedicated 1 GbE WAN Ethernet interfaces and 4 LAN GbE interfaces, one of which can be configured as an additional WAN interface if dual WAN is required.

There is a USB connection which can be used to attach a 3^rd party Wireless 3G or 4G Mobile dongle to provide backup WAN connectivity should the Primary WAN links not be available for any reason.

The stateful firewall on an MX64 has a maximum throughput of 250Mbps with a maximum VPN throughput of 100Mbps.

The MX64 can support a maximum of 50 Users and does not have any Power over Ethernet (POE) capabilities.

Meraki MX65

Cisco Meraki MX65 Small Branch Security Appliance (250Mbps FW, Layer 7, POE, Licensing Required)

• Stateful firewall throughput: 250 Mbps, small form factor
• Recommended maximum clients: 50, Content filtering
• Layer 7 application visibility and traffic shaping

$350.00

Check Details Price incl. tax, excl. shipping

Last update on 2023-09-29 at 12:08 / Affiliate links / Images from Amazon Product Advertising API

The MX65 provides the same security features as the MX64 however this model is slightly larger at 10.5 x 5.2 x 1in and can also be desktop or wall mounted.

It also comes with a larger 90Watt DC power supply due to this model supporting POE+.

The MX65 has a total of 12 GbE interfaces, two of which are used as dedicated WAN links and the remaining 10 are 1xGbE LAN interfaces.

Two of the 10 LAN interfaces are capable of POE+ which allows devices such IP phones or Access Points to be attached and powered by the MX Security Appliance.

On the side of the MX65 there is also a USB port for attaching a 3^rd party 3G or 4G Mobile Dongle to provide redundancy in the event of the main WAN connections being unavailable.

The MX65 is also recommended for a maximum of 50 LAN clients with the stateful firewall throughput matching that of the MX64 at a maximum of 250Mbps.

The Maximum VPN throughput is also the same as the MX64 at 100Mbps.

Meraki MX64W and MX65W

The MX64W and MX65W models both have the same features and specifications as seen in the MX64 and MX65 models but add a Wireless interface to the Security Appliance which allows clients to connect wirelessly over 802.11a/b/g/n/ac radios.

These models can still only support a maximum of 50 clients with a maximum wireless throughput of 1.2Gb per second depending on the wireless protocol that is configured.

Meraki MX67

13 Reviews

Cisco Meraki MX67 Cloud-Managed Security Appliance | MX67-HW | 450 Mbps throughput | Firewall and DHCP Device

• Stateful firewall throughput: 450 Mbps.
• Recommended maximum clients: 50.
• Managed centrally over the web. Classifies applications, users and devices.

$466.77

Check Details Price incl. tax, excl. shipping

Last update on 2023-09-29 at 12:08 / Affiliate links / Images from Amazon Product Advertising API

The Meraki MX 67 is similar in size and shape to the MX64 and MX65 Models measuring 9.4 x 5.1 x 1.1in and can be desktop or wall mounted.

The MX67 does not have any POE capabilities and as such is supplied with a smaller 18W DC Power pack.

There are 3 versions of the MX67 which are the MX67, MX67C and MX67W.

The MX67 has the same number of interfaces as the MX64 with a single dedicated GbE WAN interface and 4 GbE LAN interfaces, one of which can be converted to a WAN interface should dual WAN connectivity be required.

This model also has a USB connection which can be used for connecting a 3^rd Party 3G/4G mobile dongle to provide cellular connectivity as a backup.

The MX67C has the same physical interfaces as the MX67 however this model has Cellular connectivity built in. The cellular connection requires a 3^rd party SIM card to be installed and has 2 non-removable cellular antennas fixed to the chassis.

The MX67W has the same physical interfaces as the MX67 however this model also has wireless connectivity over 802.11a/b/g/n/ac radios. There are two fixed Wireless 2.4Ghz and 5Ghz antennas attached to the chassis.

Performance of the MX67 is almost double that of the MX64/65 with the firewall capable of 450Mbps throughput and 200 Mbps over VPN. The recommended number of clients for this device remains at 50.

Meraki MX68

Cisco Meraki MX68 Cloud-Managed Security Appliance | MX68-HW | 450 Mbps throughput | Firewall and DHCP Device

• 10 × GbE (2 WAN, 2 PoE+), 1 × USB 2.0 for 3G/4G failover
• Stateful firewall throughput: 450 Mbps, VPN throughput: 200 Mbps
• Recommended maximum clients: 50, Layer 7 application visibility and traffic shaping

$675.54

Check Details Price incl. tax, excl. shipping

Last update on 2023-09-29 at 12:08 / Affiliate links / Images from Amazon Product Advertising API

The MX68 is the largest and heaviest of all the models featured in this article with measurements of 11.2 x 5.8 x 1in but can still be desk or wall mounted.

There are 3 versions of the MX68 which are the MX68, MX68C and MX68W.

The MX68 has the same number of physical interfaces as the MX65 and has a total of 12 GbE interfaces, two of which are used as dedicated WAN links and the remaining 10 are 1GbE LAN interfaces.

Two of the 10 LAN interfaces are capable of POE+ which allows devices such an IP phones or Access Points to be attached and powered by the MX Security Appliance.

On the side of the MX65 there is also a USB port for attaching a 3^rd party 3G or 4G Mobile Dongle to provide redundancy in the event of the main WAN connections being unavailable.

The MX68C has the same physical interfaces as the MX68 however this model has Cellular connectivity built in. The cellular connection requires a 3^rd party SIM card to be installed and has 2 non-removable cellular antennas fixed to the chassis.

The MX68W has the same physical interfaces as the MX68 however this model has wireless connectivity over 802.11a/b/g/n/ac radios built in. There are two fixed Wireless 2.4Ghz and 5Ghz antennas attached to the chassis.

The Performance of the MX68 is the same as the MX67 at almost double that of the MX64/65 with the firewall capable of 450Mbps throughput and 200 Mbps over VPN. The recommended number of clients for this device remains at 50.

Summary Performance Comparison of MX64/65 vs MX67/68

The only difference between the MX64/65 and the MX67/68 is the internal hardware which provides the processing power for the firewall and security applications.

All the same security features are available on all versions regardless of the model number, but the MX67/68 are faster and able to provide better performance and throughput for the Firewall and VPN features.

If your Internet Line speed is up to 200-250Mbps, then the MX64/65 will be able to fully utilize the Internet line.

On the other hand, if you have higher Internet Speed tier (around 400-450 Mbps), then you should go with MX67/68 models to fully utilize the Internet line capacity.  

Use Cases

MX64/65

These security appliance models are best used in a scattered deployment for connecting remote locations such as small branch offices to a main Head Quarters office or even as standalone devices working as border Internet firewalls in SMB environments.  

As the MX64/65 models are fairly small and only capable of servicing a maximum of 50 Client devices, these models are ideal for supporting small remote offices which contain only a handful of users but add the connectivity, redundancy and security of an enterprise environment to those locations.

An example of an ideal use case would be for an estate agent office that is located in different towns or for care homes or small community centers which have a small office for Admin staff.

MX67/68

The larger MX67 and MX68 models have a similar use case but would be able to support sites which have larger bandwidth requirements such as retail stores or small business environments with Internet connection speeds above 250 Mbps.

Licensing (Meraki MX Enterprise vs Advanced vs SD-WAN Plus)

Licensing for Meraki devices follow the same rules no matter which device is purchased.

Each Meraki device requires a License, but it is based on a 1:1 ratio rather than fixed by serial number.

This means that you can move devices around and only worry about the quantity of licenses required rather than which device the license is tied to.

Licenses can also be purchased on a Co-term basis where required.

There are 3 levels of licensing for the Meraki MX.

• Enterprise license – Essential SD WAN, Secure connectivity, and basic security
• Advanced security license – All enterprise features and Unified Threat Management.
• Secure SD-WAN Plus license – All advanced security features, advanced analytics with machine learning, Smart SaaS QoE.

The full feature set for each license can be found here.

Meraki Dashboard

The Meraki dashboard is a web-based portal that manages all the Meraki devices registered to a particular network.

The Meraki dashboard also supports multiple tenants which allows multiple sites or multiple networks to be added to a single dashboard.

This is useful for Managed Service Providers (MSP’s) who are responsible for managing the networks for multiple customers as all the managed networks and site locations can be organised under each different customer headings on a single dashboard window.

The benefit of a cloud-based management portal is that the portal can be reached from any device which has a web browser, whether it is a Windows machine, a MacBook or a Linux Server it doesn’t matter just as long as it has a web browser and connectivity to the internet.

There is also an App that can be installed on your mobile phone to access the Meraki Dashboard.

The downside of a cloud-based system is that internet connectivity is required to access the Meraki dashboard to view the status of or configure any of the devices.

If a change is made to a device on the dashboard which then cuts off connectivity to the internet for the network, then all the Meraki devices within that network are unreachable until internet connectivity is restored.

Meraki devices do not have a command line interface like a standard Cisco device, so it is not possible to connect a console cable to the physical Meraki device and change its configuration as you could with a standard Cisco appliance.

All Configuration changes must be made via the Meraki Dashboard.

Configuring a Meraki Device

As covered earlier, Meraki devices do not have a console port or a command Line Interface (CLI).

To initially configure a Meraki device, connectivity is first made by connecting an ethernet cable from the device directly to a host laptop or computer or by connecting to an existing network switch and by opening a web browser on the host machine.

The device can then be accessed via IP address or by its DNS name. By default, Meraki devices can be accessed through the following IP addresses and URL’s when the Host device is configured within the same IP subnet.

MR – http://ap.meraki.com or 10.128.128.125 255.255.255.0

MS – http://switch.meraki.com or 1.1.1.100 255.255.255.0

MX – http://mx.meraki.com or http://wired.meraki.com

Most MX devices have a dedicated management interface which is used to access the Local Status Page and by default the MX runs a dedicated DHCP server so once a host is connected to it the default gateway can be found on the host and then this address can be used to access the local status page through a web browser.

Once connectivity is established, the Local status page can be accessed. This page will show differing information depending on what type of device is being accessed.

It is mainly used to provide the IP configuration for the uplink port which connects to the internet.

Once the device has internet connectivity it can be enrolled into the Meraki dashboard and full configuration options are then available through this dashboard.

MX devices have a Dual WAN option where connections from multiple service providers can be configured on the device.

In the Local Service Page this device will show two separate options in the uplink configuration page, one for each of these separate Internet WAN connections.

Claiming a Meraki Device

Before a Meraki device can be managed through the Meraki dashboard it must first be claimed by an organisation that has been registered to that dashboard.

The new device is registered through the following pages:

Organization -> Inventory -> click Claim or through Config -> add devices -> click Claim. Enter the serial number of the devices which are to be claimed. This will add that device to the inventory and make it available to be added to a network.