Meraki MX Sizing Principles English 121422
December 2022
This document provides information to supplement the selection of suitable Cisco Meraki MX security and SD-WAN
appliances based on industry-standard benchmarks and in-depth feature descriptions. It is highly recommended that the
information in this document be used in conjunction with a proof-of-concept trial to finalize model selection.
Overview
Cisco Meraki MX security and SD-WAN appliances provide unified threat management (UTM) and SD-WAN in a powerful all-in-one device.
Given the broad range of configurations an MX can be deployed in, device performance will vary depending on the use case.
Choosing the right MX depends on the use case and the deployment characteristics.
The technical information contained in this document is designed to help answer the following questions:
MX portfolio capabilities
Dual links
3G/4G failover
Built-in PoE+ model available
WAN fiber connectivity: SFP | SFP | SFP | SFP+ | SFP | SFP+ | SFP, SFP+ | SFP, SFP+
*Available via native built-in SD-WAN extension to Cisco Umbrella or via VPN to a third party.
Max throughput with all security features enabled [1]: 200 Mbps | 300 Mbps | 500 Mbps | 320 Mbps | 500 Mbps | 1 Gbps | 650 Mbps | 1.5 Gbps | 2 Gbps | 4 Gbps
Max stateful (L3) firewall throughput in passthrough mode: 250 Mbps | 600 Mbps | 1 Gbps | 500 Mbps | 1 Gbps | 2 Gbps | 750 Mbps | 3 Gbps | 4 Gbps | 6 Gbps | N/A
Max site-to-site VPN throughput: 100 Mbps | 300 Mbps | 500 Mbps | 250 Mbps | 500 Mbps | 800 Mbps | 500 Mbps | 1 Gbps | 1 Gbps | 2 Gbps | 200 Mbps | 500 Mbps | 1 Gbps
Max site-to-site VPN tunnels [2]: 50 | 50 | 75 | 100 | 200 | 500 | 250 | 1,000 | 3,000 | 5,000 | 50 | 250 | 1,000
Recommended maximum site-to-site VPN tunnels [3]: 50 | 50 | 75 | 100 | 100 | 250 | 250 | 500 | 1,000 | 1,500 | 50 | 250 | 1,000
Recommended maximum client VPN tunnels: 50 | 50 | 75 | 100 | 100 | 250 | 250 | 250 | 500 [4] | 500 [4] | 50 | 250 | 500
Auto VPN
Sub-second tunnel failover [5]
Sub-second dynamic path selection [5]
All throughput performance results above are achieved running MX 14.39 firmware using the recognized, industry-standard IXIA BreakingPoint testing software.
[1] Max "throughput" is based on IDP in prevention mode using the "connectivity" rule set.
[2] The maximum site-to-site VPN tunnels are based on lab testing scenarios where no client traffic is transferring over the VPN tunnels.
[3] Recommended site-to-site VPN tunnels are based on lab testing scenarios with client traffic transferring over VPN tunnels.
[4] More than 500 client VPN connections can be achieved, please refer to this guide.
[5] Times for failover after failover criteria have been met.
Feature / Benefits / Performance impact / Recommendations
Cisco advanced malware protection (AMP)
  Benefits: Blocks HTTP-based file downloads based on the disposition received from the Cisco AMP cloud.
  Performance impact: Low
  Recommendations: Consider disabling for guest VLANs and using firewall rules to isolate those VLANs. Also consider disabling if you run a full malware client like AMP for endpoints on host devices.
Cisco IDS/IPS (SNORT)
  Benefits: Provides alerts/prevention for suspicious network traffic.
  Performance impact: Medium
  Recommendations: Consider not sending IDS/IPS syslog data over VPN in low-bandwidth networks.
HTTPS inspection
  Benefits: Allows advanced security features on the MX to inspect and act on HTTPS traffic.
  Performance impact: High
  Recommendations: The performance impact of HTTPS inspection will be high on any appliance on the market. An alternative could be to consider moving the HTTPS inspection workload to the cloud with Cisco Umbrella SIG.
Number of VPN tunnels
  Benefits: Secure, encrypted traffic between locations.
  Performance impact: High
  Recommendations: Use split-tunnel VPN and deploy security services at the edge.
Content filtering (top sites)
  Benefits: Category-based URL filtering using a locally downloaded database.
  Performance impact: Low
  Recommendations: Choose this option if your priority is speed over coverage.
Content filtering (full list)
  Benefits: Category-based URL filtering using the full database hosted at Brightcloud.com.
  Performance impact: Low
  Recommendations: Choose this option if your priority is 100% coverage and security. Web browsing will be slightly slower at the beginning, but will improve as more and more URL categories are cached.
Browser safe search
  Benefits: Turning Google/Bing safe-search option on.
  Performance impact: Low
  Recommendations: Must be deployed in tandem with “disable encrypted search” option to be effective.
Small branch with up to 50 users | Small branch with up to 50 users | Small branch with up to 200 users | Small to medium branch with up to 250 users | Medium to large branch with up to 500 users | Large branch with up to 750 users | Campus or VPN concentrator with up to 2,000 users | Campus or VPN concentrator with up to 10,000 users
MX device utilization helps provide a better understanding of the device’s load over time and can be used to assess the utilization level and whether
a higher-end device or a load reduction is required. If an MX device is consistently over 85% utilization during normal operation*, upgrading to a higher
throughput model or reducing the per-device load should be considered. The MX device utilization tool is available through an API or as a graph shown
on the Summary Report page.
The device utilization data reported to the Meraki dashboard is based on a load average measured over a period of one minute. The load value is returned
as a numeric value ranging from 1 through 100. A lower value indicates a lower load, and a higher value indicates a more intense workload. Currently, the
device utilization value is calculated based upon the CPU utilization of the MX as well as its traffic load.
Due to load averaging, it’s possible for transient load spikes to occur without being visible in the utilization metric. For example, a device load that is
consistently shown as less than 85% may still be experiencing transient load spikes. These transient load spikes may cause packets received in excess of
the device’s forwarding capacity to be dropped.
* With all the desired features turned on, the expected number of clients connected, and the expected traffic mix traversing the device.
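The following added example (not Meraki code) shows one way to turn a history of one-minute utilization values into the "consistently over 85%" sizing signal described above. The 30-minute window, the 90% share that counts as "consistently", the function names and the sample history are assumptions made for illustration.

```python
"""Flag sustained MX overload from one-minute utilization samples (added example)."""

THRESHOLD = 85       # from the page: consistently over 85% means resize or shed load
WINDOW = 30          # assumption: minutes of history judged at a time
MIN_FRACTION = 0.9   # assumption: share of a window that must exceed THRESHOLD


def sustained_periods(samples, threshold=THRESHOLD, window=WINDOW,
                      min_fraction=MIN_FRACTION):
    """Return merged (start, end) index ranges of windows that are mostly over threshold."""
    for value in samples:
        if not 1 <= value <= 100:   # the page states the metric ranges from 1 to 100
            raise ValueError(f"utilization out of range: {value}")
    over = [1 if v > threshold else 0 for v in samples]
    periods = []
    count = sum(over[:window])
    for start in range(len(samples) - window + 1):
        if start:  # slide the window forward by one sample
            count += over[start + window - 1] - over[start - 1]
        if count >= min_fraction * window:
            end = start + window - 1
            if periods and start <= periods[-1][1] + 1:
                periods[-1] = (periods[-1][0], end)   # extend the overlapping period
            else:
                periods.append((start, end))
    return periods


def assess(samples, **kwargs):
    """Summarize a utilization history into a sizing signal.

    One-minute averages hide shorter spikes, so "within guidance" does not
    rule out transient packet drops.
    """
    periods = sustained_periods(samples, **kwargs)
    return {
        "peak": max(samples),
        "minutes_over": sum(v > kwargs.get("threshold", THRESHOLD) for v in samples),
        "sustained": periods,
        "action": "resize or reduce load" if periods else "within guidance",
    }


# Constructed sample data: a quiet hour, a short burst, a quiet hour, then 45 busy minutes.
QUIET = [40] * 60
BURST = [92] * 5            # over 85 but too brief to count as sustained
BUSY = [88, 91, 90] * 15    # 45 minutes consistently over 85
HISTORY = QUIET + BURST + QUIET + BUSY

if __name__ == "__main__":
    print(assess(HISTORY))
```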
Conclusion
While every network will have a unique traffic pattern, this document highlights a few common scenarios to help you choose the right Cisco Meraki MX product for
your environment. Consider planning for future growth by allocating buffer room in your firewall selection (e.g., if you currently have 550 users, choose an
MX that supports 1,000 users). This will ensure that you can continue enabling additional security and network features as they become available. Also,
considering that ISP speeds are increasing year over year, it is important to choose a firewall that will serve you well over many years.