Cisco Mx60 User manual

MX Sizing Guide

MARCH 2014

This technical document provides guidelines for choosing the right

Cisco Meraki security appliance based on real-world deployments,

industry standard benchmarks and in-depth feature descriptions.

MX60 MX60W MX80 MX100 MX400 MX600

Dual Wan Links ✓ ✓ ✓ ✓ ✓ ✓

3G / 4G Failover ✓ ✓ ✓ ✓ ✓ ✓

Built-In Wireless ✓

Hard drive

(Tb)

1 1 1 4

WAN Opt Caching ✓ ✓ ✓ ✓

Fiber Connectivity SFP SFP, SFP+ SFP, SFP+

Dual Power Supply ✓ ✓

Form Factor Desktop Desktop 1U 1U 1U 2U

Overview

Cisco Meraki MX Security Appliances are Uniﬁed Threat Management (UTM) products.

UTM products oer multiple security features in a simple-to-deploy, consolidated form factor.

Given the number of security features that can be deployed in any given MX, device performance

will vary depending on the use-case. Choosing the right MX depends on the use-case and the

deployment characteristics.

This technical guide is designed to help answer the following questions:

• How do I decide which MX model I need?

• Which features should I turn on?

• How do MX models compare against the competition?

Choosing the right hardware

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com

Network performance benchmarks

Industry standard benchmarks are designed to help you compare MX security appliances to

ﬁrewalls from other vendors. These tests assume perfect network conditions with ideal trac

patterns. When measuring maximum throughput for a certain feature, all other features are

disabled. Actual results in production networks will vary.

MX60 / MX60W MX80 MX100 MX400 MX600

Max throughput with all

security features enabled

10Mbps 40Mbps 75Mbps 160Mbps 160Mbps

Recommended max users 25 100 500 2000 10000

Max Stateful (L3) ﬁrewall

throughput in passthrough

mode

100Mbps 250Mbps 500Mbps 1Gbps 2Gbps

Stateful (L3) fw in NAT

mode

100Mbps 250Mbps 500Mbps 1Gbps 2Gbps

Max connections 100,000 100,000 500,000 1,000,000 2,000,000

Max connections per sec 2,500 4,500 12,000 30,000 30,000

Max VPN throughput

(per tunnel, no WAN Opt)

35Mbps 80Mbps 100Mbps 200Mbps 200Mbps

Max VPN connections

(site-to-site or client VPN)

25 50 250 1000 5000

Max AV throughput 90Mbps 200Mbps 410Mbps 970Mbps 1.2Gbps

Max IDS throughput 65Mbps 95Mbps 330Mbps 725Mbps 1Gbps

Max WAN opt throughput 15Mbps 40Mbps 50Mbps 100Mbps 100Mbps

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com

Features, beneﬁts and performance impact

UTM products come with a variety of security and networking features. Understanding the beneﬁts

and tradeos of these features is crucial to getting the maximum security beneﬁt without unnecessary

performance degradation.

BENEFITS PERFORMANCE

IMPACT

RECOMMENDATIONS

WAN opt Minimizes latency, reduces

amount of trac between

sites

High Use only between sites that have high latency (>50ms) and low

bandwidth (< 5 mbps). Use split-tunnel VPN and enable WAN opt only

for speciﬁc hosts and ports

Anti-virus /

anti-phishing

Provides ﬂow based

protection for Web trac

(port 80).

High Consider disabling for guest VLANs and using ﬁrewall rules to isolate

those VLANs. Also consider disabling AV/anti-phishing if you run a full

AV client on host devices.

IDS / IPS Provides alerts / prevention

for suspicious network

trac

High Consider not sending IDS/IPS syslog data over VPN in low-bandwidth

networks.

VPN Secure, encrypted trac

between locations

Medium Use split-tunnel VPN and deploy security services at the edge.

Web caching Accelerating access to Web

content by caching locally

Medium Ideal for repetitively accessing heavy multimedia content frequently

for low bandwidth networks. Not recommended for high bandwidth

networks. Please note that YouTube doesn’t support web caching.

Content ﬁltering

(top sites)

Category based URL

ﬁltering using locally

downloaded database

Low Choose this option if your priority is speed over coverage.

Content ﬁltering

(full list)

Category based URL

ﬁltering using the full

database hosted at

Brightcloud.com

Medium Choose this option if your priority is 100% coverage and security.

Web browsing will be slightly slower at the beginning but will improve

as more and more URL categories are cached.

Web safe-search Turning Google / Bing safe-

search option on

Low Must be deployed in tandem with “disable encrypted search” option

to be eective.

Blocking

encrypted

Disabling Google / Bing

searches via https (port

443), allowing Web safe-

search enforcement

Low Must be deployed in tandem with “Web safe-search” to be eective.

Requires a DNS setting modiﬁcation, otherwise will also break

Google apps. Check Meraki knowledge base for more.

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com

Real-world Use Cases

In this section, we’ll cover the most common deployment use cases for the Meraki MX:

•“Everything on”

• K-12 school with limited bandwidth

• K-12 school with high bandwidth

• College / higher education institution

• Retail branch

• Head-end concentrator for retail branches

For each case, we’ll articulate which features should be turned on and measure the maximum

throughput achieved with each MX model.

FIREWALL CONFIGURATION

Security features enabled:

• NAT mode

• Split-tunnel VPN

• WAN opt

• Content ﬁltering (full list mode enabled on MX60,

partial list mode enabled on all other models)

• Trac shaping

• Anti-virus/anti-phishing

• IPS

• Web caching (not available on MX60/MX60W)

TEST TRAFFIC PATTERN

Trac ﬂowing through the MX security appliance for testing

purposes was composed of the following protocols/applications.

MX60 / MX60W MX80 MX100 MX400 MX600

Max throughput 10Mbps 40Mbps 75Mbps 160Mbps 160Mbps

Client count 25 100 500 2,000 10,000

10% HTTP browsing

20% HTTPS browsing

20% HTTP download

20% FTP

20% CIFS non-VPN

5% HTTP over VPN

5% CIFS over VPN

THROUGHPUT CONFIGURATION

USE CASE: “Everything On”

Often, administrators would like to know what network throughput would look like if they turned

on all of the features of their MX security appliance (worst-case scenario). Please refer to the

“Features, beneﬁts, and the performance impact” table in this document when ﬁne-tuning the

ﬁrewall conﬁguration to achieve maximum security without unnecessary performance degradation.

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com

FIREWALL CONFIGURATION

Security features enabled:

• NAT mode

• Content ﬁltering

• Layer 7 Firewall

• Trac shaping

• Anti-virus/anti-phishing

• Google safe-search

FIREWALL CONFIGURATION

Security features enabled:

• NAT mode

• Content ﬁltering

• Layer 7 Firewall

• Anti-virus/anti-phishing

• Google safe-search

• YouTube for Schools

TEST TRAFFIC PATTERN

Trac ﬂowing through the MX security appliance for testing

purposes was composed of the following protocols/applications.

The trac is heavily skewed towards HTTP/S (70%).

TEST TRAFFIC PATTERN

Trac ﬂowing through the MX security appliance for testing

purposes was composed of the following protocols/applications.

The trac is heavily skewed towards HTTP/S (70%).

MX60 / MX60W MX80 MX100 MX400 MX600

Max throughput 20Mbps 50Mbps 100Mbps 200Mbps 200Mbps

Client count 25 100 500 2,000 10,000

MX60 / MX60W MX80 MX100 MX400 MX600

Max throughput 20Mbps 50Mbps 100Mbps 200Mbps 200Mbps

Client count 25 100 500 2,000 10,000

• YouTube for Schools

• Web caching (not available

on MX60/MX60W)

THROUGHPUT CONFIGURATION

USE CASE: K-12 school deployment with limited bandwidth

Schools need strong URL ﬁltering, application control and security features.

In addition, schools with low bandwidth also need trac shaping and web caching.

USE CASE: K-12 school with high bandwidth

Schools with high-bandwidth may not need Web caching or trac shaping.

20% HTTP browsing

15% HTTPS browsing

35% HTTP download

30% FTP to simulate

“other” TCP trac

20% HTTP browsing

15% HTTPS browsing

35% HTTP download

30% FTP to simulate

“other” TCP trac

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com

FIREWALL CONFIGURATION

Security features enabled:

• NAT mode

• AV

• Layer 7 Firewall (block BitTorrent)

FIREWALL CONFIGURATION

Security features enabled:

• NAT mode

• Split-tunnel VPN

• WAN opt

• Content ﬁltering

• Trac shaping (max throughput on guest VLAN)

• Anti-virus/anti-ﬁshing

TEST TRAFFIC PATTERN

Trac (for testing purposes) was composed of the following

protocols/applications. Compared to the previous scenario,

there is more multimedia streaming (simulating a typical dorm

use case).

TEST TRAFFIC PATTERN

In this use case, retail trac is a mixture of guest trac (HTTP/S)

as well as VPN trac for ﬁle transfers, nightly backups and other

corporate data.

MX60 / MX60W MX80 MX100 MX400 MX600

Max throughput 75Mbps 125Mbps 160Mbps 400Mbps 400Mbps

Client count 25 100 500 2,000 10,000

MX60 / MX60W MX80 MX100 MX400 MX600

Max throughput 10Mbps 40Mbps 75Mbps 160Mbps 160Mbps

Client count 25 100 500 2,000 10,000

20% HTTP browsing

20% HTTPS browsing

20% HTTP download

20% FTP

20% streaming media

(10% Amazon media, 10% Netﬂix)

30% HTTP browsing

30% HTTPS browsing

20% HTTP download

10% CIFS

10% VPN

THROUGHPUT CONFIGURATION

USE CASE: Higher-Ed ﬁrewall

Higher-Ed institutions traditionally don’t ﬁlter Web content due to freedom of speech concerns.

Also, most Higher-Ed institutions have very high-throughput Internet access, so there is no need

to do trac shaping or Web caching.

USE CASE: Retail branch with guest access

Retailers are looking for a cost-eective yet secure solution to provide reliable VPN access for

corporate applications like POS transactions, while oering a guest wireless access that is safe

and ﬁltered from inappropriate content.

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com

FIREWALL CONFIGURATION

Security features enabled:

• VPN concentrator mode

• Full-tunnel VPN

• WAN optimization

TEST TRAFFIC PATTERN

All trac is via VPN, including HTTP/S for Web browsing and

download, and considerable amount of ﬁle transfers to simulate

backup and other corporate data exchange.

MX60 / MX60W MX80 MX100 MX400 MX600

Max VPN throughput 40Mbps 70Mbps 200Mbps 500Mbps 1Gbps

Max per-tunnel VPN

throughput

15Mbps 40Mbps 50Mbps 100Mbps 100Mbps

Max VPN Sessions 25 50 250 1,000 5,000

100% VPN

30% HTTP

30% HTTPS

40% FTP

THROUGHPUT CONFIGURATION

USE CASE: Head-end concentrator for retail branches

MX is deployed in the datacenter as a one-armed VPN / WAN optimization aggregator,

possibly as an Active / Passive HA pair.

Conclusion

While every network will have a unique trac pattern, this guide highlights a few common

scenarios to help you choose the right Cisco Meraki MX product for your environment.

Consider planning for future growth by allocating buer room in your ﬁrewall selection

(e.g., if you currently have 550 users, choose an MX that supports 1000 users). This will

ensure that you can continue enabling additional security and network features as they

become available. Also considering ISP speeds are increasing 29% year over year, it is

important to choose a ﬁrewall that will serve you well over many years.

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com

This manual suits for next models

Other Cisco Network Hardware manuals

Cisco

Cisco linksys PLTK300 User manual

Cisco

Cisco NCS 1001 Manual

Cisco

Cisco Firepower 1010 User manual

Cisco

Cisco 2600 Series Technical document

Cisco

Cisco Nexus 93600CD-GX Manual

Cisco

Cisco NSS4100 - Gigabit Storage System Instruction Manual

Cisco

Cisco ATM Cable Interface Processor ACIP-SM(=) Operator's manual

Cisco

Cisco IAD1101 User manual

Cisco

Cisco Remote PHY Shelf 7200 Installation manual

Cisco

Cisco NCS 1004 User manual

Cisco

Cisco CGR 1000 Series User manual

Cisco

Cisco WBPN User manual

Cisco

Cisco S170 Web User manual

Cisco

Cisco Network Storage System NSS3000 Series User manual

Cisco

Cisco Network Adapter VIP-FE-TX/4E Operator's manual

Cisco

Cisco 5500 Series User manual

Cisco

Cisco IDS 4210 - Intrusion Detection Sys 4210... User manual

Cisco

Cisco NCS 1000 User manual

Cisco

Cisco SA-VAM - VPN Acceleration Module Operator's manual

Cisco

Cisco Firepower 1010 User manual

Cisco

Cisco MERAKI MX75 User manual

Cisco

Cisco ASA Quick start guide

Cisco

Cisco CATALYST 6000 Installation and operation manual

Cisco

Cisco Firepower 2100 Series User manual

Popular Network Hardware manuals by other brands

socomec

socomec SNMP Card II quick start guide

NVR SYSTEMS

NVR SYSTEMS 4-CH user manual

Draytek

Draytek VigorSwitch G1240 quick start guide

Westermo

Westermo TD-34 LV installation manual

LaCie

LaCie Network Space MAX Quick install guide

ZoneVu

ZoneVu ZSI-450-IP Installation guide & user manual

QNAP

QNAP Turbo NAS Application notes

OpenEye

OpenEye MV Series quick start guide

Huawei

Huawei SmartAX MT880a quick start guide

Proxim

Proxim Tsunami QuickBridge 2454-R installation guide

Bay Networks

Bay Networks CLAM quick start guide

Innodisk

Innodisk SATADOM-SH 3SE Series manual

Matrix Switch Corporation

Matrix Switch Corporation MSC-HD161DEL product manual

National Instruments

National Instruments NI 653x user manual

B&B Electronics

B&B Electronics ZXT9-IO-222R2 product manual

Yudor

Yudor YDS-16 user manual

D-Link

D-Link ShareCenter DNS-320L datasheet

Samsung

Samsung ES1642dc Hardware user manual

Cisco MX60 User manual

Popular Network Hardware manuals by other brands