
Cisco MX60 User manual

MX Sizing Guide
MARCH 2014
This technical document provides guidelines for choosing the right
Cisco Meraki security appliance based on real-world deployments,
industry standard benchmarks and in-depth feature descriptions.
Overview
Cisco Meraki MX Security Appliances are Unified Threat Management (UTM) products.
UTM products offer multiple security features in a simple-to-deploy, consolidated form factor.
Given the number of security features that can be deployed in any given MX, device performance
will vary depending on the use-case. Choosing the right MX depends on the use-case and the
deployment characteristics.
This technical guide is designed to help answer the following questions:
• How do I decide which MX model I need?
• Which features should I turn on?
• How do MX models compare against the competition?

Choosing the right hardware
Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

                      MX60     MX60W    MX80     MX100    MX400      MX600
Dual WAN Links        ✓        ✓        ✓        ✓        ✓          ✓
3G / 4G Failover      ✓        ✓        ✓        ✓        ✓          ✓
Built-In Wireless     -        ✓        -        -        -          -
Hard drive (Tb)       -        -        1        1        1          4
WAN Opt Caching       -        -        ✓        ✓        ✓          ✓
Fiber Connectivity    -        -        -        SFP      SFP, SFP+  SFP, SFP+
Dual Power Supply     -        -        -        -        ✓          ✓
Form Factor           Desktop  Desktop  1U       1U       1U         2U
Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com
Network performance benchmarks
Industry standard benchmarks are designed to help you compare MX security appliances to
firewalls from other vendors. These tests assume perfect network conditions with ideal traffic
patterns. When measuring maximum throughput for a certain feature, all other features are
disabled. Actual results in production networks will vary.

                                                            MX60 / MX60W  MX80      MX100     MX400      MX600
Max throughput with all security features enabled           10Mbps        40Mbps    75Mbps    160Mbps    160Mbps
Recommended max users                                       25            100       500       2000       10000
Max Stateful (L3) firewall throughput in passthrough mode   100Mbps       250Mbps   500Mbps   1Gbps      2Gbps
Stateful (L3) fw in NAT mode                                100Mbps       250Mbps   500Mbps   1Gbps      2Gbps
Max connections                                             100,000       100,000   500,000   1,000,000  2,000,000
Max connections per sec                                     2,500         4,500     12,000    30,000     30,000
Max VPN throughput (per tunnel, no WAN Opt)                 35Mbps        80Mbps    100Mbps   200Mbps    200Mbps
Max VPN connections (site-to-site or client VPN)            25            50        250       1000       5000
Max AV throughput                                           90Mbps        200Mbps   410Mbps   970Mbps    1.2Gbps
Max IDS throughput                                          65Mbps        95Mbps    330Mbps   725Mbps    1Gbps
Max WAN opt throughput                                      15Mbps        40Mbps    50Mbps    100Mbps    100Mbps
Features, benefits and performance impact
UTM products come with a variety of security and networking features. Understanding the benefits
and tradeoffs of these features is crucial to getting the maximum security benefit without unnecessary
performance degradation.

WAN opt
  Benefits: Minimizes latency, reduces amount of traffic between sites.
  Performance impact: High
  Recommendations: Use only between sites that have high latency (>50ms) and low
  bandwidth (< 5 mbps). Use split-tunnel VPN and enable WAN opt only
  for specific hosts and ports.

Anti-virus / anti-phishing
  Benefits: Provides flow based protection for Web traffic (port 80).
  Performance impact: High
  Recommendations: Consider disabling for guest VLANs and using firewall rules to isolate
  those VLANs. Also consider disabling AV/anti-phishing if you run a full
  AV client on host devices.

IDS / IPS
  Benefits: Provides alerts / prevention for suspicious network traffic.
  Performance impact: High
  Recommendations: Consider not sending IDS/IPS syslog data over VPN in low-bandwidth
  networks.

VPN
  Benefits: Secure, encrypted traffic between locations.
  Performance impact: Medium
  Recommendations: Use split-tunnel VPN and deploy security services at the edge.

Web caching
  Benefits: Accelerates access to Web content by caching locally.
  Performance impact: Medium
  Recommendations: Ideal for low-bandwidth networks that repeatedly access heavy
  multimedia content. Not recommended for high bandwidth
  networks. Please note that YouTube doesn’t support web caching.

Content filtering (top sites)
  Benefits: Category based URL filtering using a locally downloaded database.
  Performance impact: Low
  Recommendations: Choose this option if your priority is speed over coverage.

Content filtering (full list)
  Benefits: Category based URL filtering using the full database hosted at Brightcloud.com.
  Performance impact: Medium
  Recommendations: Choose this option if your priority is 100% coverage and security.
  Web browsing will be slightly slower at the beginning but will improve
  as more and more URL categories are cached.

Web safe-search
  Benefits: Turns the Google / Bing safe-search option on.
  Performance impact: Low
  Recommendations: Must be deployed in tandem with the “disable encrypted search” option
  to be effective.

Blocking encrypted search
  Benefits: Disables Google / Bing searches via https (port 443), allowing Web safe-search
  enforcement.
  Performance impact: Low
  Recommendations: Must be deployed in tandem with “Web safe-search” to be effective.
  Requires a DNS setting modification, otherwise will also break
  Google apps. Check Meraki knowledge base for more.
Real-world Use Cases
In this section, we’ll cover the most common deployment use cases for the Meraki MX:
• “Everything on”
• K-12 school with limited bandwidth
• K-12 school with high bandwidth
• College / higher education institution
• Retail branch
• Head-end concentrator for retail branches
For each case, we’ll articulate which features should be turned on and measure the maximum
throughput achieved with each MX model.

USE CASE: “Everything On”
Often, administrators would like to know what network throughput would look like if they turned
on all of the features of their MX security appliance (worst-case scenario). Please refer to the
“Features, benefits, and the performance impact” table in this document when fine-tuning the
firewall configuration to achieve maximum security without unnecessary performance degradation.

FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Split-tunnel VPN
• WAN opt
• Content filtering (full list mode enabled on MX60,
partial list mode enabled on all other models)
• Traffic shaping
• Anti-virus/anti-phishing
• IPS
• Web caching (not available on MX60/MX60W)

TEST TRAFFIC PATTERN
Traffic flowing through the MX security appliance for testing
purposes was composed of the following protocols/applications.
• 10% HTTP browsing
• 20% HTTPS browsing
• 20% HTTP download
• 20% FTP
• 20% CIFS non-VPN
• 5% HTTP over VPN
• 5% CIFS over VPN

THROUGHPUT CONFIGURATION
                MX60 / MX60W  MX80     MX100    MX400    MX600
Max throughput  10Mbps        40Mbps   75Mbps   160Mbps  160Mbps
Client count    25            100      500      2,000    10,000
USE CASE: K-12 school deployment with limited bandwidth
Schools need strong URL filtering, application control and security features.
In addition, schools with low bandwidth also need traffic shaping and web caching.

FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Content filtering
• Layer 7 Firewall
• Traffic shaping
• Anti-virus/anti-phishing
• Google safe-search
• YouTube for Schools
• Web caching (not available on MX60/MX60W)

TEST TRAFFIC PATTERN
Traffic flowing through the MX security appliance for testing
purposes was composed of the following protocols/applications.
The traffic is heavily skewed towards HTTP/S (70%).
• 20% HTTP browsing
• 15% HTTPS browsing
• 35% HTTP download
• 30% FTP to simulate “other” TCP traffic

THROUGHPUT CONFIGURATION
                MX60 / MX60W  MX80     MX100    MX400    MX600
Max throughput  20Mbps        50Mbps   100Mbps  200Mbps  200Mbps
Client count    25            100      500      2,000    10,000

USE CASE: K-12 school with high bandwidth
Schools with high bandwidth may not need Web caching or traffic shaping.

FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Content filtering
• Layer 7 Firewall
• Anti-virus/anti-phishing
• Google safe-search
• YouTube for Schools

TEST TRAFFIC PATTERN
Traffic flowing through the MX security appliance for testing
purposes was composed of the following protocols/applications.
The traffic is heavily skewed towards HTTP/S (70%).
• 20% HTTP browsing
• 15% HTTPS browsing
• 35% HTTP download
• 30% FTP to simulate “other” TCP traffic

THROUGHPUT CONFIGURATION
                MX60 / MX60W  MX80     MX100    MX400    MX600
Max throughput  20Mbps        50Mbps   100Mbps  200Mbps  200Mbps
Client count    25            100      500      2,000    10,000
USE CASE: Higher-Ed firewall
Higher-Ed institutions traditionally don’t filter Web content due to freedom of speech concerns.
Also, most Higher-Ed institutions have very high-throughput Internet access, so there is no need
to do traffic shaping or Web caching.

FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• AV
• Layer 7 Firewall (block BitTorrent)

TEST TRAFFIC PATTERN
Traffic (for testing purposes) was composed of the following
protocols/applications. Compared to the previous scenario,
there is more multimedia streaming (simulating a typical dorm
use case).
• 20% HTTP browsing
• 20% HTTPS browsing
• 20% HTTP download
• 20% FTP
• 20% streaming media (10% Amazon media, 10% Netflix)

THROUGHPUT CONFIGURATION
                MX60 / MX60W  MX80     MX100    MX400    MX600
Max throughput  75Mbps        125Mbps  160Mbps  400Mbps  400Mbps
Client count    25            100      500      2,000    10,000

USE CASE: Retail branch with guest access
Retailers are looking for a cost-effective yet secure solution to provide reliable VPN access for
corporate applications like POS transactions, while offering guest wireless access that is safe
and filtered from inappropriate content.

FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Split-tunnel VPN
• WAN opt
• Content filtering
• Traffic shaping (max throughput on guest VLAN)
• Anti-virus/anti-phishing

TEST TRAFFIC PATTERN
In this use case, retail traffic is a mixture of guest traffic (HTTP/S)
as well as VPN traffic for file transfers, nightly backups and other
corporate data.
• 30% HTTP browsing
• 30% HTTPS browsing
• 20% HTTP download
• 10% CIFS
• 10% VPN

THROUGHPUT CONFIGURATION
                MX60 / MX60W  MX80     MX100    MX400    MX600
Max throughput  10Mbps        40Mbps   75Mbps   160Mbps  160Mbps
Client count    25            100      500      2,000    10,000
USE CASE: Head-end concentrator for retail branches
MX is deployed in the datacenter as a one-armed VPN / WAN optimization aggregator,
possibly as an Active / Passive HA pair.

FIREWALL CONFIGURATION
Security features enabled:
• VPN concentrator mode
• Full-tunnel VPN
• WAN optimization

TEST TRAFFIC PATTERN
All traffic is via VPN, including HTTP/S for Web browsing and
download, and a considerable amount of file transfers to simulate
backup and other corporate data exchange.
• 100% VPN
  • 30% HTTP
  • 30% HTTPS
  • 40% FTP

THROUGHPUT CONFIGURATION
                               MX60 / MX60W  MX80     MX100    MX400    MX600
Max VPN throughput             40Mbps        70Mbps   200Mbps  500Mbps  1Gbps
Max per-tunnel VPN throughput  15Mbps        40Mbps   50Mbps   100Mbps  100Mbps
Max VPN Sessions               25            50       250      1,000    5,000
Conclusion
While every network will have a unique traffic pattern, this guide highlights a few common
scenarios to help you choose the right Cisco Meraki MX product for your environment.
Consider planning for future growth by allocating buffer room in your firewall selection
(e.g., if you currently have 550 users, choose an MX that supports 1000 users). This will
ensure that you can continue enabling additional security and network features as they
become available. Also, considering that ISP speeds are increasing 29% year over year, it is
important to choose a firewall that will serve you well over many years.