Cisco MX60, MX60W, MX80, MX100, MX400 User Manual

...
MX Sizing Guide
MARCH 2014
This technical document provides guidelines for choosing the right Cisco Meraki security appliance based on real-world deployments, industry standard benchmarks and in-depth feature descriptions.
Overview
Cisco Meraki MX Security Appliances are Unified Threat Management (UTM) products.
UTM products oer multiple security features in a simple-to-deploy, consolidated form factor.
Given the number of security features that can be deployed in any given MX, device performance
will vary depending on the use-case. Choosing the right MX depends on the use-case and the deployment characteristics.
This technical guide is designed to help answer the following questions:
• How do I decide which MX model I need?
• Which features should I turn on?
• How do MX models compare against the competition?
Choosing the right hardware
Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

                       MX60      MX60W     MX80    MX100   MX400       MX600
Dual WAN Links
3G / 4G Failover
Built-In Wireless
Hard drive (Tb)                            1       1       1           4
WAN Opt Caching
Fiber Connectivity                                 SFP     SFP, SFP+   SFP, SFP+
Dual Power Supply
Form Factor            Desktop   Desktop   1U      1U      1U          2U
Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com
Network performance benchmarks
Industry standard benchmarks are designed to help you compare MX security appliances to firewalls from other vendors. These tests assume perfect network conditions with ideal traffic patterns. When measuring maximum throughput for a certain feature, all other features are disabled. Actual results in production networks will vary.
                                                       MX60 / MX60W   MX80       MX100      MX400       MX600
Max throughput with all security features enabled     10Mbps         40Mbps     75Mbps     160Mbps     160Mbps
Recommended max users                                 25             100        500        2000        10000
Max Stateful (L3) firewall throughput, passthrough    100Mbps        250Mbps    500Mbps    1Gbps       2Gbps
Stateful (L3) firewall throughput, NAT mode           100Mbps        250Mbps    500Mbps    1Gbps       2Gbps
Max connections                                       100,000        100,000    500,000    1,000,000   2,000,000
Max connections per sec                               2,500          4,500      12,000     30,000      30,000
Max VPN throughput (per tunnel, no WAN Opt)           35Mbps         80Mbps     100Mbps    200Mbps     200Mbps
Max VPN connections (site-to-site or client VPN)      25             50         250        1000        5000
Max AV throughput                                     90Mbps         200Mbps    410Mbps    970Mbps     1.2Gbps
Max IDS throughput                                    65Mbps         95Mbps     330Mbps    725Mbps     1Gbps
Max WAN opt throughput                                15Mbps         40Mbps     50Mbps     100Mbps     100Mbps
Features, benefits and performance impact
UTM products come with a variety of security and networking features. Understanding the benefits and tradeoffs of these features is crucial to getting the maximum security benefit without unnecessary performance degradation.
Each feature below is listed with its BENEFITS, its PERFORMANCE IMPACT and the RECOMMENDATIONS for deploying it.

WAN opt
  Benefits: Minimizes latency, reduces amount of traffic between sites.
  Performance impact: High
  Recommendations: Use only between sites that have high latency (>50ms) and low bandwidth (< 5 mbps). Use split-tunnel VPN and enable WAN opt only for specific hosts and ports.

Anti-virus / anti-phishing
  Benefits: Provides flow based protection for Web traffic (port 80).
  Performance impact: High
  Recommendations: Consider disabling for guest VLANs and using firewall rules to isolate those VLANs. Also consider disabling AV/anti-phishing if you run a full AV client on host devices.

IDS / IPS
  Benefits: Provides alerts / prevention for suspicious network traffic.
  Performance impact: High
  Recommendations: Consider not sending IDS/IPS syslog data over VPN in low-bandwidth networks.

VPN
  Benefits: Secure, encrypted traffic between locations.
  Performance impact: Medium
  Recommendations: Use split-tunnel VPN and deploy security services at the edge.

Web caching
  Benefits: Accelerating access to Web content by caching locally.
  Performance impact: Medium
  Recommendations: Ideal for repetitively accessing heavy multimedia content frequently for low bandwidth networks. Not recommended for high bandwidth networks. Please note that YouTube doesn’t support web caching.

Content filtering (top sites)
  Benefits: Category based URL filtering using locally downloaded database.
  Performance impact: Low
  Recommendations: Choose this option if your priority is speed over coverage.

Content filtering (full list)
  Benefits: Category based URL filtering using the full database hosted at Brightcloud.com.
  Performance impact: Medium
  Recommendations: Choose this option if your priority is 100% coverage and security. Web browsing will be slightly slower at the beginning but will improve as more and more URL categories are cached.

Web safe-search
  Benefits: Turning Google / Bing safe-search option on.
  Performance impact: Low
  Recommendations: Must be deployed in tandem with “disable encrypted search” option to be effective.

Blocking encrypted search
  Benefits: Disabling Google / Bing searches via https (port 443), allowing Web safe-search enforcement.
  Performance impact: Low
  Recommendations: Must be deployed in tandem with “Web safe-search” to be effective. Requires a DNS setting modification, otherwise will also break Google apps. Check Meraki knowledge base for more.
Real-world Use Cases
In this section, we’ll cover the most common deployment use cases for the Meraki MX:
• “Everything on”
• K-12 school with limited bandwidth
• K-12 school with high bandwidth
• College / higher education institution
• Retail branch
• Head-end concentrator for retail branches
For each case, we’ll articulate which features should be turned on and measure the maximum throughput achieved with each MX model.
USE CASE: “Everything On”
Often, administrators would like to know what network throughput would look like if they turned on all of the features of their MX security appliance (worst-case scenario). Please refer to the “Features, benefits, and the performance impact” table in this document when fine-tuning the firewall configuration to achieve maximum security without unnecessary performance degradation.
FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Split-tunnel VPN
• WAN opt
• Content filtering (full list mode enabled on MX60, partial list mode enabled on all other models)
• Traffic shaping
• Anti-virus/anti-phishing
• IPS
• Web caching (not available on MX60/MX60W)
TEST TRAFFIC PATTERN
Traffic flowing through the MX security appliance for testing purposes was composed of the following protocols/applications.
10% HTTP browsing
20% HTTPS browsing
20% HTTP download
20% FTP
20% CIFS non-VPN
5% HTTP over VPN
5% CIFS over VPN
THROUGHPUT CONFIGURATION
                  MX60 / MX60W   MX80     MX100    MX400     MX600
Max throughput    10Mbps         40Mbps   75Mbps   160Mbps   160Mbps
Client count      25             100      500      2,000     10,000
USE CASE: K-12 school deployment with limited bandwidth
Schools need strong URL filtering, application control and security features. In addition, schools with low bandwidth also need traffic shaping and web caching.
FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Content filtering
• Layer 7 Firewall
• Traffic shaping
• Anti-virus/anti-phishing
• Google safe-search
• YouTube for Schools
• Web caching (not available on MX60/MX60W)
TEST TRAFFIC PATTERN
Traffic flowing through the MX security appliance for testing purposes was composed of the following protocols/applications. The traffic is heavily skewed towards HTTP/S (70%).
20% HTTP browsing
15% HTTPS browsing
35% HTTP download
30% FTP to simulate “other” TCP traffic
THROUGHPUT CONFIGURATION
                  MX60 / MX60W   MX80     MX100     MX400     MX600
Max throughput    20Mbps         50Mbps   100Mbps   200Mbps   200Mbps
Client count      25             100      500       2,000     10,000
USE CASE: K-12 school with high bandwidth
Schools with high bandwidth may not need Web caching or traffic shaping.
FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Content filtering
• Layer 7 Firewall
• Anti-virus/anti-phishing
• Google safe-search
• YouTube for Schools
TEST TRAFFIC PATTERN
Traffic flowing through the MX security appliance for testing purposes was composed of the following protocols/applications. The traffic is heavily skewed towards HTTP/S (70%).
20% HTTP browsing
15% HTTPS browsing
35% HTTP download
30% FTP to simulate “other” TCP traffic
THROUGHPUT CONFIGURATION
                  MX60 / MX60W   MX80     MX100     MX400     MX600
Max throughput    20Mbps         50Mbps   100Mbps   200Mbps   200Mbps
Client count      25             100      500       2,000     10,000
USE CASE: Higher-Ed firewall
Higher-Ed institutions traditionally don’t filter Web content due to freedom of speech concerns. Also, most Higher-Ed institutions have very high-throughput Internet access, so there is no need to do traffic shaping or Web caching.
FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• AV
• Layer 7 Firewall (block BitTorrent)
TEST TRAFFIC PATTERN
Traffic (for testing purposes) was composed of the following protocols/applications. Compared to the previous scenario, there is more multimedia streaming (simulating a typical dorm use case).
20% HTTP browsing
20% HTTPS browsing
20% HTTP download
20% FTP
20% streaming media (10% Amazon media, 10% Netflix)
THROUGHPUT CONFIGURATION
                  MX60 / MX60W   MX80      MX100     MX400     MX600
Max throughput    75Mbps         125Mbps   160Mbps   400Mbps   400Mbps
Client count      25             100       500       2,000     10,000
USE CASE: Retail branch with guest access
Retailers are looking for a cost-effective yet secure solution to provide reliable VPN access for corporate applications like POS transactions, while offering guest wireless access that is safe and filtered from inappropriate content.
FIREWALL CONFIGURATION
Security features enabled:
• NAT mode
• Split-tunnel VPN
• WAN opt
• Content filtering
• Traffic shaping (max throughput on guest VLAN)
• Anti-virus/anti-phishing
TEST TRAFFIC PATTERN
In this use case, retail traffic is a mixture of guest traffic (HTTP/S) as well as VPN traffic for file transfers, nightly backups and other corporate data.
30% HTTP browsing
30% HTTPS browsing
20% HTTP download
10% CIFS
10% VPN
THROUGHPUT CONFIGURATION
                  MX60 / MX60W   MX80     MX100    MX400     MX600
Max throughput    10Mbps         40Mbps   75Mbps   160Mbps   160Mbps
Client count      25             100      500      2,000     10,000
USE CASE: Head-end concentrator for retail branches
MX is deployed in the datacenter as a one-armed VPN / WAN optimization aggregator, possibly as an Active / Passive HA pair.
FIREWALL CONFIGURATION
Security features enabled:
• VPN concentrator mode
• Full-tunnel VPN
• WAN optimization
TEST TRAFFIC PATTERN
All traffic is via VPN, including HTTP/S for Web browsing and download, and a considerable amount of file transfers to simulate backup and other corporate data exchange.
100% VPN:
30% HTTP
30% HTTPS
40% FTP
THROUGHPUT CONFIGURATION
                                MX60 / MX60W   MX80     MX100     MX400     MX600
Max VPN throughput              40Mbps         70Mbps   200Mbps   500Mbps   1Gbps
Max per-tunnel VPN throughput   15Mbps         40Mbps   50Mbps    100Mbps   100Mbps
Max VPN Sessions                25             50       250       1,000     5,000
Conclusion
While every network will have a unique traffic pattern, this guide highlights a few common scenarios to help you choose the right Cisco Meraki MX product for your environment. Consider planning for future growth by allocating buffer room in your firewall selection (e.g., if you currently have 550 users, choose an MX that supports 1000 users). This will ensure that you can continue enabling additional security and network features as they become available. Also, considering that ISP speeds are increasing 29% year over year, it is important to choose a firewall that will serve you well over many years.
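The sizing rules above (user headroom, the 29% yearly ISP growth figure, and per-feature throughput ceilings) can be applied mechanically. The helper below is an added example, not a Meraki tool; the benchmark numbers are copied from the table in this guide, while the 1.8x user headroom (derived from the 550-to-1000 example), the 3-year horizon, and the use of the lowest enabled-feature benchmark as the throughput bound are assumptions.

```python
# Added example (not Meraki tooling): applies this guide's sizing rules to the
# benchmark figures above. Numbers are copied from the benchmark table.
MODELS = ["MX60/MX60W", "MX80", "MX100", "MX400", "MX600"]  # smallest first

RECOMMENDED_MAX_USERS = dict(zip(MODELS, [25, 100, 500, 2000, 10000]))

# Max throughput (Mbps) per feature, each measured with all other features off.
FEATURE_MAX_MBPS = {
    "all_features": dict(zip(MODELS, [10, 40, 75, 160, 160])),
    "l3_firewall":  dict(zip(MODELS, [100, 250, 500, 1000, 2000])),
    "vpn":          dict(zip(MODELS, [35, 80, 100, 200, 200])),
    "av":           dict(zip(MODELS, [90, 200, 410, 970, 1200])),
    "ids":          dict(zip(MODELS, [65, 95, 330, 725, 1000])),
    "wan_opt":      dict(zip(MODELS, [15, 40, 50, 100, 100])),
}

ISP_GROWTH_PER_YEAR = 0.29  # the guide's figure: ISP speeds grow 29% per year


def projected_bandwidth(current_mbps, years):
    """WAN bandwidth expected after `years` of 29% annual growth."""
    return current_mbps * (1 + ISP_GROWTH_PER_YEAR) ** years


def bottleneck_mbps(model, features):
    """Lowest single-feature benchmark among the enabled features.

    Each benchmark was taken with every other feature disabled, so this is an
    upper bound on real throughput, not a guarantee, once several run together.
    Use "all_features" for the worst-case (everything on) figure.
    """
    return min(FEATURE_MAX_MBPS[f][model] for f in features)


def choose_model(users, wan_mbps, features, years=3, user_headroom=1.8):
    """Smallest MX that still fits after planned growth, or None.

    users: current client count, scaled by user_headroom (the guide's example
    buys for 1000 users at 550 today, i.e. about 1.8x; the default is assumed).
    wan_mbps: current ISP speed, projected `years` ahead (3 is assumed).
    features: keys of FEATURE_MAX_MBPS that will be enabled.
    """
    need_users = users * user_headroom
    need_mbps = projected_bandwidth(wan_mbps, years)
    for model in MODELS:
        if RECOMMENDED_MAX_USERS[model] < need_users:
            continue  # undersized for the client count
        if bottleneck_mbps(model, features) < need_mbps:
            continue  # a planned feature would cap below the projected WAN
        return model
    return None
```

With 550 users today, a 20 Mbps link and AV plus IDS planned, the helper lands on the MX400, the same answer the guide's 1000-user example implies.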