Security and SD-WAN (MX,Z) Features Directory
Overview
This article describes MX/Z features and their dependencies on MX/Z firmware releases.
Note: All products have a minimum runnable firmware version, and some have a maximum runnable firmware version. Please refer to Product Firmware Version Restrictions for more information.
The table below explains the platform differentiation:
Use Case | Platform | Compatible Licenses (detailed breakdown) |
Security and SD-WAN (multi-WAN, security, wireless, HA, and cellular support) | All MX models (active models) | Enterprise, Advanced Security, Secure SD-WAN Plus |
Teleworker (single-WAN, basic security, wireless, and cellular support) | All Z models (active models) | Enterprise |
Virtual MX (single-WAN and native-cloud hosting) | All vMX models (active models) | Enterprise |
Note: There is only one official Beta, Stable Release Candidate, and Stable firmware release. If you see more than one, this means you have patch versions available for nodes running the major versions.
Let's take the following example:
- MX 16.16 is the current stable release as of this writing.
- MX 16.16.3 is the stable patch release for nodes running MX 16.16.
- MX 15.42.3 is the stable patch release for nodes running MX 15.42.
- MX 15.44.3 is the stable patch release for nodes running MX 15.44.
Therefore, if your organization does not contain nodes running MX 15.x, then you will not see MX 15.x.y as a firmware upgrade option. Similarly, if your organization does not contain nodes running MX 16.x, then you will not see MX 16.x.y as a firmware upgrade option.
Stable Release - MX 18.1.X Firmware Features
Feature | Description | Type | Platforms Supported | Minimum Required License Type |
| Stability and performance improvements. | Enhancement | Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG | Enterprise |
| This feature enables customers to use an FQDN instead of an IP address when configuring Non-Meraki VPN peers. Using IP addresses can be tedious because, with a dynamic IP address, a customer has to manually modify the Non-Meraki VPN settings on the Site-to-Site VPN page. | New Feature | Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG | Enterprise |
IPv6 (Second Public Release) | Support for AMP, Threat Grid, and other UX enhancements | New Feature | Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG, MG51, MG51E | Enterprise |
| VPN full-tunnel exclusion is a feature on the MX whereby the administrator can configure rules to determine exceptions to a full-tunnel VPN configuration. The feature applies to both Auto VPN and Non-Meraki VPN (NMVPN) connections. | New Feature | Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG | L3 - Enterprise; L7 - Secure SD-WAN Plus |
| A limited NAT mode capability can be enabled on the vMX in which traffic from the spokes will be NATed to the vMX's IP as it egresses the vMX into your datacenter. | New Feature | vMX100, vMX-S/M/L, UMB-SIG | Enterprise |
| The main advantage of Network Objects comes from the single Network Objects management page. Here, we are able to create/modify/delete Network Objects and Groups. This is highly beneficial to network administrators making adjustments to large firewall rulesets. | Enhancement | Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG | Enterprise |
| Traditional segmentation is based on subnets, VLANs and ACL rules. The rule sets are limited to the network in which they reside and are not meant to be globally scalable. Adaptive Policy helps address these limitations with micro-segmentation and more. | New Feature | Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG | Advanced Security |
ThousandEyes Agent | Onboarding the ThousandEyes Agent to our MX family | New Feature | MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 | Secure SD-WAN Plus + (more options being discussed) |
Old Stable Release - MX 17.X Firmware Features
Feature | Description | Type | Platforms Supported | Minimum Required License Type |
| IPv6 is an ongoing cross-product initiative for Meraki as IPv4 addresses are being exhausted and with more hosts such as IoT devices requiring addressing, IPv6 provides a new structure to accommodate a larger number of hosts. | New Feature | MX, Z, vMX | Enterprise |
| Network-Based Application Recognition (NBAR) is an advanced application recognition engine developed by Cisco that utilizes several classification techniques. | Enhancement | MX, Z | Enterprise |
| This allows the MX’s Content Filtering feature to classify URLs based on web content and threat categories curated by Cisco Talos. | New Feature | MX | Advanced Security |
| Internet traffic policy configuration remains consistent with VPN traffic policy configuration, albeit with different options. There are 2 different SD-Internet policies that can be configured: | New Feature | MX | Secure SD-WAN Plus |
| Devices on VLANs with Mandatory DHCP enabled must request a DHCP address before gaining access to the network. | New Feature | MX | Enterprise |
| Flow failover and failback the instant the primary uplink is deemed reliable. | New Feature | MX | Enterprise |
ARCHIVE
MX 16.X Firmware Features
Feature | Description | Type | Platforms Supported | Minimum Required License Type |
| Network-Based Application Recognition (NBAR) is an advanced application recognition engine developed by Cisco that utilizes several classification techniques. | New Feature | MX, Z | Enterprise |
| Introduces native Cisco AnyConnect support from the Meraki dashboard. | New Feature | MX, Z, vMX | Enterprise |
| With this feature in place, the cellular connection that was previously only enabled as backup can be configured as an active uplink in the SD-WAN & traffic shaping page. | New Feature | MX | Enterprise |
| vMX deployment in Google Cloud Platform. | New Feature | vMX | Enterprise |
| You may need PPPoE if your ISP requires a username and password to access your DSL connection. | New Feature | MX, Z | Enterprise |
| Snort version upgrades. | Enhancement | MX | Advanced Security |
| The function of this feature is to steer customer traffic to SaaS or public cloud-based applications over the best-performing WAN connection at the time the traffic is forwarded. | New Feature | MX | Secure SD-WAN Plus |