Security and SD-WAN (MX,Z) Features Directory
Overview
This article describes MX/Z features and their dependencies on MX/Z firmware releases.
Note: All products have a minimum runnable firmware version, and some have a maximum runnable firmware version. Please refer to Product Firmware Version Restrictions for more information.
Refer to the latest sizing guide and principles here.
For API support, please refer to the API documentation.
The table below explains the platform differentiation:
|
Use Case |
Platform |
Co-term Licenses (detailed breakdown) |
|
|
Security and SD-WAN (multi-WAN, security, wireless, HA, and cellular support) |
All MX models (active models) |
Enterprise, Advanced Security, Secure SD-WAN Plus |
Essential, Advantage |
|
Teleworker (single-WAN, basic security, wireless, and cellular support) |
All Z models (active models) |
Enterprise, Advanced Teleworker |
Essential, Advantage |
|
Virtual MX (single-WAN and native-cloud hosting) |
All vMX models (active models) |
Enterprise |
Essential |
Note:
Refer to the Cisco Meraki Firmware FAQ documentation to learn about the firmware upgrade process.
Note - The MX19.2 firmware release will be the maximum running build for Z1. These platforms will not run MX 20.1 and above firmware builds. We recommend you stay up to date with all the latest features with the next-generation hardware platforms. Please consult your sales representative for more information on the latest hardware and software releases. Thank you
Public BETA Release - MX 19.2.X Firmware Features
|
Feature |
Description |
Type |
Platforms Supported |
Minimum Required License Type (co-term; subscription) |
| DH15 and DH21 support in IPsec | The implementation of Diffie-Hellman Groups 15 and 21 provides a robust enhancement to the security architecture of VPN peers. By leveraging these advanced cryptographic groups, this feature strengthens encryption protocols and ensures a higher level of protection for secure communications |
New Feature |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
| Modem Firmware Version on Dashboard |
With the intention of granting users greater transparency and control, this feature enhances visibility and management of cellular devices and modem firmware status. |
New Feature |
Z4C, MG41/E, MG51/E, MG52/E |
Enterprise; Essential |
| IPsec Active-Active Peering, Monitoring, and Statistics** |
Introducing a native dashboard experience designed for active-active paths within Cisco Secure Access and SSE integrations. This feature encompasses advanced functionalities such as comprehensive tunnel monitoring (including Layer 7 endpoints), the ability to establish active-active tunnels, and support for Direct Internet Access (DIA) fail-open functionality, ensuring enhanced resilience and operational efficiency. | New Feature |
Z4*, Z4C*, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L* |
Enterprise; Essential |
| Enhanced DC-DC Failover with Quality of Experience Metrics** | This feature introduces proactive failover to an alternate data center, ensuring seamless continuity based on predefined, customized performance metric SLAs. By leveraging these metrics, it offers robust reliability and tailored protection against service disruptions. | New Feature |
Z4*, Z4C*, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L* |
Secure SD-WAN Plus; Advantage |
* = Z and vMX-S/M/L platforms support singular WAN uplinks and do not accommodate Active-Active configurations. However, they continue to offer Monitoring and Statistics functionalities.
** = Pending future release
Stable Release Candidate - MX 19.1.X Firmware Features
|
Feature |
Description |
Type |
Platforms Supported |
Minimum Required License Type (co-term; subscription) |
|
Linking Meraki and Catalyst SD-WAN fabrics will streamline operations for customers using MX and Catalyst devices. |
New Feature |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
|
| Simplified dashboard experience for failover and failback paths for SSE integrations. This feature includes tunnel monitoring (including L7 endpoints), establishing active and backup tunnels, as well as DIA failopen functionality. |
New Feature |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
|
|
This page provides status information about configured dynamic routing peers. |
New Feature |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
|
| Seamlessly integrate XDR with Meraki to stream telemetry from your MX devices to XDR. Leveraging AI/ML and advanced analytics, XDR processes this telemetry to detect potential threats. You can view and manage detected XDR incidents directly in the Meraki Dashboard. |
New Feature |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
|
|
SD-AVC Integration - Smart Application Updates Delivered via the Cloud |
With the SD-AVC Cloud integration, customers can effortlessly opt in and take advantage of the latest application signatures. This process occurs seamlessly behind the scenes, without requiring manual intervention or firmware upgrades. |
New Feature |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105, vMX-S/M/L |
Enterprise; Essential |
|
Select Advanced Security license features are now supported in the GovCloud. |
New Feature |
MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Advanced Security; Essential |
|
|
Securing workloads in the Cloud with Advanced Security on vMX powered by Cisco Talos. |
New Feature |
vMX-S/M/L |
Advanced Security; Essential |
|
|
AT&T and Cisco jointly developed an innovative, out-of-the-box experience in these devices by offering a deep integration with AT&T Wireless services to help businesses get started even faster. |
New Feature |
MG52, MG52E |
Enterprise; Essential |
|
|
Enhancements to the local status page |
Additional visibility and status on the local status page. |
Enhancement |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
| This feature allows administrators to determine which DNS requests are answered by which DNS servers. |
New Feature |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
|
|
API support for Multicast forwarding. |
Enhancement |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
|
|
API support for VPN NAT translations. |
Enhancement |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
|
|
API support for Policy Objects . |
Enhancement |
Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L |
Enterprise; Essential |
Stable Release - MX 18.2.X Firmware Features
Note - The MX18.1 firmware release will be the maximum running build for MX64, MX64W, MX65, MX65W, MX84, MX100, and vMX100 platforms. These platforms will not run MX 18.2 and above firmware builds. We recommend you stay up to date with all the latest features with the next-generation hardware platforms. Please consult your sales representative for more information on the latest hardware and software releases. Thank you
Note - MX75, MX85, MX95, MX105, MX250, and MX450 will have a performance boost (up to 3x with no additional cost) enabled by default in MX 18.2 and above firmware release. For more details, refer to the latest sizing guide and principles here.
|
Feature |
Description |
Type |
Platforms Supported |
Minimum Required License Type (co-term; subscription) |
| Alow for eBGP on the WAN with authentication. New visibility added to see status of BGP sessions. | New Feature | Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L | Enterprise; Essential | |
| Introducing two designated WAN ports with one backup WAN port. | New Feature | MX75, MX85, MX95, MX105 | Enterprise; Essential | |
| vMX-L in Azure | vMX-L support on Azure for higher performance and scalability. | New Feature | vMX-L | Enterprise; Essential |
| Deploy and manage your vMX via the Meraki dashboard. | New Feature | vMX-S/M/L | Enterprise; Essential | |
| IPv6 Enhancements | Additional IPv6 support in RDNSS, and NMVPN. | Enhancement | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105, vMX-S/M/L | Enterprise; Essential |
| Auto VPN Enhancements | The MX will automatically select new ports to self heal the Auto VPN connection. | Enhancement | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L | Enterprise; Essential |
| AnyConnect Enhancements | Introducing SAML and Custom certification support | Enhancement | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L | Enterprise; Essential |
| The live firewall log will allow network administrators to troubleshoot or test their firewall policies, rulesets and FW decision-making in real-time. | New Feature | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L | Enterprise; Essential | |
| Adaptive Policy Enhancements | Added support for SGT transport on WAN (VPNC mode) and static SGT assignment for port, and VLAN. | Enhancement | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 | Secure SD-WAN Plus; Advantage |
| Trusted Traffic Exclusions | The trusted traffic will be exempt from inspection and a higher throughput can be achieved. | New Feature | MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 | Advanced Security; Essential |
| Talos Content Filtering support in Group Policies | The Group Policy UI has been updated to show the Content Categories and Threat Categories which are now curated by Cisco Talos Intelligence. | New Feature | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 | Advanced Security; Essential |
| VPN Exclusions APIs | Update VPN exclusion rules via API | Enhancement | MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L | Secure SD-WAN Plus; Advantage |
| Leveraging NBAR2 for Steering traffic to SaaS or public cloud-based applications over the best performing WAN connection at the time the traffic is forwarded. This is not VPN exclusions (smart breakout). | New Feature | MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 | Secure SD-WAN Plus; Advantage | |
| Highly scalable vMX with upto 10 Gbps VPN throughput from a single instance. | Enhancement | vMX-XL | Enterprise; Essential | |
| SD-WAN and SD-Internet APIs | API support for VPN Exclusions and SD-Internet Policy | New Feature | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105, vMX-S/M/L | Enterprise; Essential |
| WAN Health Enhancements | Introducing speed tests, top contributors to usage, download option to export WAN Health page metrics, and much more. | Enhancement | Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105 | Secure SD-WAN Plus; Advantage |
Old Stable Release - MX 18.1.X Firmware Features
|
Feature |
Description |
Type |
Platforms Supported |
Minimum Required License Type |
|
Stability and performance improvements.
|
Enhancement |
Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG |
Enterprise |
|
|
This feature enables customers to use FQDN instead of IP while configuring Non-Meraki VPN peers. Using IP addresses can be tedious because with a dynamic IP address, a customer has to manually modify the Non-Meraki VPN settings on the Site-to-Site VPN page. |
New Feature |
Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG |
Enterprise |
|
| IPv6 (Second Public Release) | Support for AMP, Theat Grid, and other UX enhancements | New Feature | Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG, MG51, MG51E | Enterprise |
|
VPN full-tunnel exclusion is a feature on the MX whereby the administrator can configure rules to determine exceptions to a full-tunnel VPN configuration. The feature applies to both Auto VPN and Non-Meraki VPN (NMVPN) connections. |
New Feature |
Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG |
L3 - Enterprise L7 - Secure SD-WAN Plus |
|
|
A limited NAT mode capability can be enabled on the vMX in which traffic from the spokes will be NATed to the vMX's IP as it egresses the vMX in to your datacenter. |
New Feature |
vMX100, vMX-S/M/L, UMB-SIG |
Enterprise |
|
|
The main advantage of Network Objects comes from the single Network Objects management page. Here, we are able to create/modify/delete Network Objects and Groups. This is highly beneficial to network administrators making adjustments to large firewall rulesets. |
Enhancement |
Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG |
Enterprise |
|
|
Adaptive Policy (Phase 1) |
Traditional segmentation is based on subnets, VLANs and ACL rules. The rule sets are limited to the network which it resides in and is not meant to be globally scalable. Adaptive Policy helps address these limitations with micro-segmentation and more. Phase 1 introduces SGT Transport. More details on this can be found in the MX Adaptive Policy Configuration KB |
New Feature |
Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG |
Advanced Security |
| ThousandEyes Agent | Onboarding the ThousandEyes Agent to our MX family | New Feature | MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 | Secure SD-WAN Plus + (more options being discussed) |
Old Stable Release - MX 17.X Firmware Features
|
Feature |
Description |
Type |
Platforms Supported |
Minimum Required License Type |
|
IPv6 is an ongoing cross-product initiative for Meraki as IPv4 addresses are being exhausted and with more hosts such as IoT devices requiring addressing, IPv6 provides a new structure to accommodate a larger number of hosts. |
New feature |
MX, Z, vMX |
Enterprise |
|
|
Network-Based Application Recognition (NBAR) is an advanced application recognition engine developed by Cisco that utilizes several classification techniques. |
Enhancement |
MX, Z |
Enterprise |
|
|
This allows the MX’s Content Filtering feature to classify URLs based on web content and threat categories curated by Cisco Talos. |
New Feature |
MX |
Advanced Security |
|
|
Internet traffic policy configuration remains consistent with VPN traffic policy configuration, albeit with different options. There are 2 different SD-Internet policies that can be configured:
|
New Feature |
MX |
Secure SD-WAN Plus |
|
|
Mandatory DHCP enabled VLANs must request for a DHCP address before gaining access to the network. |
New Feature |
MX |
Enterprise |
|
|
Flow failover and failback the instant the primary uplink is deemed reliable. |
New Feature |
MX |
Enterprise |
Archive
MX 16.X Firmware Features
|
Feature |
Description |
Type |
Platforms Supported |
Minimum Required License Type |
|
Network-Based Application Recognition (NBAR) is an advanced application recognition engine developed by Cisco that utilizes several classification techniques. |
New feature |
MX, Z |
Enterprise |
|
|
Introduces native Cisco AnyConnect support from the Meraki dashboard. |
New feature |
MX, Z, vMX |
Enterprise |
|
|
With this feature in place the cellular connection that was previously only enabled as backup can be configured as an active uplink in the SD-WAN & traffic shaping page. |
New Feature |
MX |
Enterprise |
|
|
vMX deployment in Google Cloud Platform. |
New Feature |
vMX |
Enterprise |
|
|
You may need PPPoE if your ISP requires a username and password to access your DSL connection. |
New Feature |
MX, Z |
Enterprise |
|
|
Snort version upgrades. |
Enhancement |
MX |
Advanced Security |
|
|
The function of this feature is to steer customer traffic to SaaS or public cloud-based applications over the best-performing WAN connection at the time the traffic is forwarded. |
New Feature |
MX |
Secure SD-WAN Plus |