Skip to main content
Cisco Meraki Documentation

Security and SD-WAN (MX,Z) Features Directory

Security and SD-WAN (MX,Z) Features Directory

Overview

This article describes MX/Z features and their dependencies on MX/Z firmware releases.

Note: All products have a minimum runnable firmware version, and some have a maximum runnable firmware version. Please refer to Product Firmware Version Restrictions for more information.  

Refer to the latest sizing guide and principles here.

For API support, please refer to the API documentation

The table below explains the platform differentiation:

Use Case

Platform

Co-term Licenses (detailed breakdown)

Subsciption Licenses (MX and Z breakdown)

Security and SD-WAN (multi-WAN, security, wireless, HA, and cellular support)

All MX models (active models

Enterprise, Advanced Security, Secure SD-WAN Plus

Essential, Advantage

Teleworker (single-WAN, basic security, wireless, and cellular support)

All Z models (active models)

Enterprise, Advanced Teleworker

Essential, Advantage

Virtual MX (single-WAN and native-cloud hosting)

All vMX models (active models)

Enterprise

Essential

Note: 

Refer to the Cisco Meraki Firmware FAQ documentation to learn about the firmware upgrade process.

Beta Release - MX 19.1.X Firmware Features

Feature

Description

Type

Platforms Supported

Minimum Required License Type

(co-term; subscription)

Catalyst + Meraki SD-WAN Interconnect  (eBGP over IPSec)

Linking Meraki and Catalyst SD-WAN fabrics will streamline operations for customers using MX and Catalyst devices.

New Feature

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

IPSec SSE tunnel monitoring, redundancy, and DIA

Simplified dashboard experience for failover and failback paths for SSE integrations. This feature includes tunnel monitoring (including L7 endpoints), establishing active and backup tunnels, as well as DIA failopen functionality.

New Feature

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

Dynamic Protocol Status Page

This page provides status information about configured dynamic routing peers.

New Feature

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

Cisco XDR Integration

Seamlessly integrate XDR with Meraki to stream telemetry from your MX devices to XDR. Leveraging AI/ML and advanced analytics, XDR processes this telemetry to detect potential threats. You can view and manage detected XDR incidents directly in the Meraki Dashboard.

New Feature

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

SD-AVC Integration - Cloud delivered Application intelligence Updates

With the SD-AVC Cloud integration, customers can effortlessly opt in and take advantage of the latest application signatures. This process occurs seamlessly behind the scenes, without requiring manual intervention or firmware upgrades.

New Feature

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105, vMX-S/M/L

Enterprise; Essential

FedRAMP/GovCloud support

Select Advanced Security license features are now supported in the GovCloud.

New Feature

MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Advanced Security; Essential

Advanced Security on vMX

Securing workloads in the Cloud with Advanced Security on vMX powered by Cisco Talos.

New Feature

vMX-S/M/L

Advanced Security; Essential

30-day Complimentary AT&T eSIM try-and-buy

AT&T and Cisco jointly developed an innovative, out-of-the-box experience in these devices by offering a deep integration with AT&T Wireless services to help businesses get started even faster. 

New Feature

MG52, MG52E

Enterprise; Essential

Enhancements to the local status page

Additional visibility and status on the local status page.

Enhancement

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

APIs for Local and Split DNS Service

This feature allows administrators to determine which DNS requests are answered by which DNS servers.

New Feature

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

API for enabling Multicast Forwarding

API support for Multicast forwarding.

Enhancement

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

APIs for VPN NAT

API support for VPN NAT translations.

Enhancement

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

APIs for Policy Object

API support for Policy Objects .

Enhancement

Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L

Enterprise; Essential

 

Stable Release - MX 18.2.X Firmware Features

Note - The MX18.1 firmware release will be the maximum running build for MX64, MX64W, MX65, MX65W, MX84, MX100, and vMX100 platforms. These platforms will not run MX 18.2 and above firmware builds. We recommend you stay up to date with all the latest features with the next-generation hardware platforms. Please consult your sales representative for more information on the latest hardware and software releases. Thank you

Note - MX75, MX85, MX95, MX105, MX250, and MX450 will have a performance boost (up to 3x with no additional cost) enabled by default in MX 18.2 and above firmware release. For more details, refer to the latest sizing guide and principles here.

 

 

Feature

Description

Type

Platforms Supported

Minimum Required License Type

(co-term; subscription)

Routed Mode eBGP 

Alow for eBGP on the WAN with authentication. New visibility added to see status of BGP sessions. New Feature Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L Enterprise; Essential

Mult-WAN (2 Active + 1 Backup)

Introducing two designated WAN ports with one backup WAN port. New Feature MX75, MX85, MX95, MX105 Enterprise; Essential
vMX-L in Azure vMX-L support on Azure for higher performance and scalability. New Feature vMX-L Enterprise; Essential

Cloud Integrations (AWS)

Deploy and manage your vMX via the Meraki dashboard. New Feature vMX-S/M/L Enterprise; Essential
IPv6 Enhancements Additional IPv6 support in RDNSS, and NMVPN. Enhancement Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105, vMX-S/M/L Enterprise; Essential
Auto VPN Enhancements The MX will automatically select new ports to self heal the Auto VPN connection. Enhancement Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L Enterprise; Essential
AnyConnect Enhancements Introducing SAML and Custom certification support Enhancement Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L Enterprise; Essential

Firewall Logging Live Tool

The live firewall log will allow network administrators to troubleshoot or test their firewall policies, rulesets and FW decision-making in real-time. New Feature Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L Enterprise; Essential
Adaptive Policy Enhancements Added support for SGT transport on WAN (VPNC mode) and static SGT assignment for port, and VLAN.  Enhancement Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 Secure SD-WAN Plus; Advantage
Trusted Traffic Exclusions The trusted traffic will be exempt from inspection and a higher throughput can be achieved. New Feature MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 Advanced Security; Essential
Talos Content Filtering support in Group Policies The Group Policy UI has been updated to show the Content Categories and Threat Categories which are now curated by Cisco Talos Intelligence. New Feature Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 Advanced Security; Essential
VPN Exclusions APIs Update VPN exclusion rules via API Enhancement MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450, vMX-S/M/L Secure SD-WAN Plus; Advantage

SD-Internet powered by NBAR2

Leveraging NBAR2 for Steering traffic to SaaS or public cloud-based applications over the best performing WAN connection at the time the traffic is forwarded. This is not VPN exclusions (smart breakout). New Feature MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 Secure SD-WAN Plus; Advantage

vMX-XL in AWS

Highly scalable vMX with upto 10 Gbps VPN throughput from a single instance. Enhancement vMX-XL Enterprise; Essential
SD-WAN and SD-Internet APIs API support for VPN Exclusions and SD-Internet Policy New Feature Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105, vMX-S/M/L Enterprise; Essential
WAN Health Enhancements  Introducing speed tests, top contributors to usage, download option to export WAN Health page metrics, and much more. Enhancement Z4, Z4C, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX250, MX450, MX75, MX85, MX95, MX105 Secure SD-WAN Plus; Advantage

 

Old Stable Release - MX 18.1.X Firmware Features

Feature

Description

Type

Platforms Supported

Minimum Required License Type

AutoVPN enhancements

Stability and performance improvements.

 

Enhancement

Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG

Enterprise

Non-Meraki VPN peering with FQDN

This feature enables customers to use FQDN instead of IP while configuring Non-Meraki VPN peers. Using IP addresses can be tedious because with a dynamic IP address, a customer has to manually modify the Non-Meraki VPN settings on the Site-to-Site VPN page.

New Feature

Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG

Enterprise

IPv6 (Second Public Release) Support for AMP, Theat Grid, and other UX enhancements New Feature Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG, MG51, MG51E Enterprise

Non-Meraki and Meraki VPN exclusions

VPN full-tunnel exclusion is a feature on the MX whereby the administrator can configure rules to determine exceptions to a full-tunnel VPN configuration. The feature applies to both Auto VPN and Non-Meraki VPN (NMVPN) connections.

New Feature

Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG

L3 - Enterprise

L7 - Secure SD-WAN Plus

vMX NAT mode

A limited NAT mode capability can be enabled on the vMX in which traffic from the spokes will be NATed to the vMX's IP as it egresses the vMX in to your datacenter.

New Feature

vMX100, vMX-S/M/L, UMB-SIG

Enterprise

Policy Objects GA

The main advantage of Network Objects comes from the single Network Objects management page. Here, we are able to create/modify/delete Network Objects and Groups. This is highly beneficial to network administrators making adjustments to large firewall rulesets.

Enhancement

Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG

Enterprise

Adaptive Policy (Phase 1)

Traditional segmentation is based on subnets, VLANs and ACL rules. The rule sets are limited to the network which it resides in and is not meant to be globally scalable. Adaptive Policy helps address these limitations with micro-segmentation and more. Phase 1 introduces SGT Transport. More details on this can be found in the MX Adaptive Policy Configuration KB

New Feature

Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX84, MX100, MX250, MX450, MX75, MX85, MX95, MX105, vMX100, vMX-S/M/L, UMB-SIG

Advanced Security 

ThousandEyes Agent Onboarding the ThousandEyes Agent to our MX family New Feature MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450 Secure SD-WAN Plus + (more options being discussed)

Old Stable Release - MX 17.X Firmware Features

Feature

Description

Type

Platforms Supported

Minimum Required License Type

IPv6 (First Public Release)

IPv6 is an ongoing cross-product initiative for Meraki as IPv4 addresses are being exhausted and with more hosts such as IoT devices requiring addressing, IPv6 provides a new structure to accommodate a larger number of hosts. 

New feature

MX, Z, vMX

Enterprise

NBAR2

Network-Based Application Recognition (NBAR) is an advanced application recognition engine developed by Cisco that utilizes several classification techniques.

Enhancement

MX, Z

Enterprise

Content Filtering Powered by Cisco Talos

This allows the MX’s Content Filtering feature to classify URLs based on web content and threat categories curated by Cisco Talos.

New Feature

MX

Advanced Security

SD-Internet Steering (Top 10 Apps)

Internet traffic policy configuration remains consistent with VPN traffic policy configuration, albeit with different options. There are 2 different SD-Internet policies that can be configured:

  • Custom expression polices
  • Major application polices

New Feature

MX

Secure SD-WAN Plus

Mandatory DHCP

Mandatory DHCP enabled VLANs must request for a DHCP address before gaining access to the network.

New Feature

MX

Enterprise

Enhanced WAN Failover and Failback

Flow failover and failback the instant the primary uplink is deemed reliable.

New Feature

MX

Enterprise

 

Archive

MX 16.X Firmware Features

Feature

Description

Type

Platforms Supported

Minimum Required License Type

Traffic Analytics Classified by NBAR2

Network-Based Application Recognition (NBAR) is an advanced application recognition engine developed by Cisco that utilizes several classification techniques.

New feature

MX, Z

Enterprise

Cisco AnyConnect 

Introduces native Cisco AnyConnect support from the Meraki dashboard.

New feature

MX, Z, vMX

Enterprise

SD-WAN over Cellular

With this feature in place the cellular connection that was previously only enabled as backup can be configured as an active uplink in the SD-WAN & traffic shaping page.

New Feature

MX

Enterprise

vMX in GCP

vMX deployment in Google Cloud Platform.

New Feature

vMX

Enterprise

PPPoE support

You may need PPPoE if your ISP requires a username and password to access your DSL connection.

New Feature

MX, Z

Enterprise

Enhanced SNORT

Snort version upgrades.

Enhancement

MX

Advanced Security

SD-Internet Steering (L3)

The function of this feature is to steer customer traffic to SaaS or public cloud-based applications over the best-performing WAN connection at the time the traffic is forwarded.

New Feature

MX

Secure SD-WAN Plus

 

MX 15.X Firmware Features

     

    • Was this article helpful?