Meraki MX/Z Security and SD-WAN Licensing
Overview
The Meraki MX security appliance is a multi-functional security & SD-WAN enterprise appliance with a wide set of capabilities to address multiple use cases for organizations of all sizes, in all industries.
Given the range of use cases that can be solved, there are three license options for the MX security appliance that provides customers the flexibility to select the license most appropriate for their intended use.
|
Enterprise |
Advanced Security |
Secure SD-WAN Plus |
| “All I require is Auto VPN and a firewall” | “I connect directly to the Internet so need a UTM too” | “My business is reliant on SaaS/IaaS/DC served apps” |
|
|
|
The licensing structure for MX security appliances is the same as that of any other Meraki device – 1:1 ratio of devices to licenses. Pair your chosen MX appliance(s) with the relevant license for your use case:
-
Enterprise license
OR
-
Advanced security license
OR
-
Secure SD-WAN Plus license (Org-Wide and Per Device)
Features by License Option
Note: The following feature breakdown is from the latest stable release. For the latest firmware release and its features, please refer the features directory documentation.
For API support, please refer to the API documentation.
|
Feature |
Enterprise |
Advanced Security |
Secure SD-WAN Plus |
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
| SD-WAN Over Cellular | ✔ | ✔ | ✔ |
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
| IPv6 Support |
✔ |
✔ |
✔ |
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
Dual+ WAN functionality (pending release) |
✔ |
✔ |
✔ |
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
|
|
Next-gen Traffic Analytics Engine - Network-Based Application Recognition (NBAR) Integration |
✔ |
✔ |
✔ |
| Layer 7 (Application) Enforcement powered by NBAR |
✔ |
✔ |
✔ |
|
✔ |
✔ |
✔ |
|
| Traffic Shaping Enforcement powered by NBAR |
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
|
| Trusted Traffic Exclusions powered by NBAR |
✔ |
✔ |
|
|
|
✔ |
✔ |
|
|
|
✔ |
✔ |
|
|
|
✔ |
✔ |
|
|
|
✔ |
✔ |
|
|
|
✔ |
✔ |
|
|
|
✔ |
✔ |
|
|
Cisco Secure Malware Analytics Integration (formerly know as Threat Grid)** |
✔ |
✔ |
|
|
✔ |
✔ |
||
|
✔ |
✔ |
||
|
|
✔ |
||
|
|
✔ |
||
|
|
✔ |
||
|
|
✔ |
||
|
✔ |
|||
|
✔ |
|||
|
✔ |
|||
|
✔ |
**Requires a separate license
Note: For licenses and their respective features available in mainland China, please refer to the following article for the details.
Teleworker Gateway License Breakdown
The Meraki Teleworker Gateway is a type of a security appliance intended for use in small remote offices and homes of remote workers. Allowing them to securely connect back to their head offices while also offering the same security as our MX security appliance Platform.
With the introduction of the Z4/C, we are also introducing two new types of licenses for the Teleworker series.
Note: These licenses are not be supported by the Z1 and Z3 teleworker gateways
|
Z-Enterprise |
Secure Teleworker |
|
|
Teleworker Features by License Options
|
Feature |
Z-Enterprise |
Secure Teleworker |
|
Centralized management |
✔ |
✔ |
|
Zero-touch firmware updates |
✔ |
✔ |
|
True zero-touch provisioning |
✔ |
✔ |
|
24x7 enterprise support |
✔ |
✔ |
|
Open APIs |
✔ |
✔ |
|
Automatic WAN failover |
✔ |
✔ |
|
Sub-second site-to-site VPN failover |
✔ |
✔ |
|
Sub-second dynamic path selection |
✔ |
✔ |
| Cellular failover | ✔ | ✔ |
|
Stateful firewall |
✔ |
✔ |
|
VLAN to VLAN routing |
✔ |
✔ |
|
Advanced Routing |
✔ |
✔ |
|
Traffic shaping/prioritization |
✔ |
✔ |
|
Site-to-site VPN |
✔ |
✔ |
|
Client VPN |
✔ |
✔ |
|
Splash pages |
✔ |
✔ |
|
Configuration templates |
✔ |
✔ |
|
Group Policies |
✔ |
✔ |
|
Client connectivity alerts |
✔ |
✔ |
|
Source-Based Routing |
✔ |
✔ |
|
Local Breakout (IP based) |
✔ |
✔ |
|
Umbrella DNS Integration** |
|
✔ |
|
Geography based firewall rules |
✔ |
|
|
Content filtering |
✔ |
|
|
YouTube Content Restriction |
✔ |
|
|
Web Search Filtering |
✔ |
|
|
Cisco Advanced Malware Protection (AMP) |
✔ |
|
|
Threat Grid Integration** |
✔ |
|
|
WAN Health Analytics (MI) |
✔ |
|
|
VoIP Health Analytics (MI) |
✔ |
|
|
Smart breakout |
✔ |
Z4 Licenses are as follows:
- Z-Enterprise: LIC-Z4-ENT-[X]Y
- Secure Teleworker: LIC-Z4-SEC-[X]Y
X= Number of Years
Per Device SD-WAN+ License
Note: For Enterprise Agreement Customers, please reach out to your Meraki seller if you are interested in adding Per Device SD-WAN+ Licensing to your Meraki EA Dashboard. Please note the following key points about this licensing:
- Legacy Enterprise Agreement Dashboard customers will be able to utilize Per Device SD-WAN+ (Per Dev SDW+) as they would in an a-la-carte co-term dashboard.
- EA terms including True Forward and Value Shift will apply to per-device SDW as well.
This new license type will bring SDW+ license on a per-network basis for organizations on the Coterm Licensing model with Advanced Security Licensing. Customers can now purchase the appropriate license type and assign them to the respective network to get all SD-WAN features on a per-network basis. The terms available are 1, 3 and 5 years only. Please see the table below to have the MX platforms mapped to their respective SKUs.
Once the licenses are claimed under Organization→ License info, you will need to go to Insight→ Configure→ Licensing to assign the licenses to the respective compatible networks.
In Per-Device Licensing Organizations, Insight > Configure > Licensing changes to Insight > Configure > Inventory. In such scenarios, follow the assignment process as detailed under Assigning a License to a Device (Licenses Tab).
-
You can assign the licenses using the ‘Add licenses to network’ or remove licenses using the ‘Remove Licenses from network’
-
You can assign a higher license-tiered SKU to a lower licensed-tiered network. Example: You can assign LIC-MX-SDW-M-1YR to a MX64
Note: No extra term will be added or subtracted when you add a higher-licensed tier to lower-tiered devices.
If Per Dev SDW+ is added to an already licensed MI network, this will replace the license and the MI license will be added back to the MI license pool
3. Assigning the Per Dev SDW+ SKU to a network will give that network access to all of the below SD-WAN features
Note: Enterprise licensed customers cannot be in a mixed license environment.
Advance Security License is required to support a mixed license environment on the Coterm Licensing model. Please refer to the FAQ section below for mode details.
Per Device SD-WAN+ License is a per network license used to upgrade a network from Advance Security to SD-WAN+.
| MX Platform | SKU |
| MX64/W, MX65/W | LIC-MX-SDW-XS-1Y |
| MX64/W, MX65/W | LIC-MX-SDW-XS-3Y |
| MX64/W, MX65/W | LIC-MX-SDW-XS-5Y |
| MX67/C/W, MX68C/W | LIC-MX-SDW-S-1Y |
| MX67/C/W, MX68C/W | LIC-MX-SDW-S-3Y |
| MX67/C/W, MX68C/W | LIC-MX-SDW-S-5Y |
| MX75, MX84, MX85 | LIC-MX-SDW-M-1Y |
| MX75, MX84, MX85 | LIC-MX-SDW-M-3Y |
| MX75, MX84, MX85 | LIC-MX-SDW-M-5Y |
| MX95, MX100, MX105 | LIC-MX-SDW-L-1Y |
| MX95, MX100, MX105 | LIC-MX-SDW-L-3Y |
| MX95, MX100, MX105 | LIC-MX-SDW-L-5Y |
| MX250, MX450 | LIC-MX-SDW-XL-1Y |
| MX250, MX450 | LIC-MX-SDW-XL-3Y |
| MX250, MX450 | LIC-MX-SDW-XL-5Y |
FAQ
How are licenses enforced on MX security appliance?
The licenses are on a per-model basis. Every MX model has a corresponding license. They are non-transferable between appliance models. For instance, an MX64 license will not be covered by an MX84 license.
Can we mix two license types in a single organization?
Yes, but it depends on the Organization's use-case. The following use-cases are possible:
- Organization is licensed in Co-termination Enterprise license: this Org can add Per device Z-Series or vMXs licenses.
Note: Z-Series and vMX licenses can be added to organizations regardless of current MX license type. In general, Enterprise licensed customers cannot be in a mixed license environment. However, this does not apply to Z-Series devices or vMX (including the new Z-Series Secure Teleworker licenses).
- Organization is licensed in Co-termination Advanced Security license: this Org can add Per Device SD-WAN+ licenses.
Check section Per Device SD-WAN+ licenses for more details. Example: if you have 25 MX networks in your organization, you can have 20 MX devices with Advance Security features and upgrade 5 MX devices with Per Device SD-WAN Plus licenses to get SD-WAN features.
Note: this is not supported with Enterprise licenses.
Is there a separate license to cover support or device warranty or software upgrades?
Each license is inclusive of device RMA, 24x7 enterprise support, and software upgrades.
Will there be a requirement to pay extra for new features?
New features are added by license type.
- Features added to the enterprise license option will be available free-of-charge to all existing MX customers.
- Features added to the advanced security license option will be available free-of-charge to all existing MX customers with an advanced security or SD-WAN Plus license.
- Features added to the Secure SD-WAN Plus license option will be available free-of-charge to all existing MX customers with an SD-WAN Plus license.
Are MX licenses available on both Co-Term and PDL versions?
All of the MX licenses are available under Co-Term as well as Per-Device Licensing (PDL), with the exception of the Per Dev SDW+ license, which is not supported in PDL. For More information and general differences between the two, please see the documentation on Meraki Licensing.
Can you move from one MX license edition to another, for example, Enterprise to Advanced Security or SD-WAN Plus?
Currently, there are two ways to move to a different MX license edition:
- Purchase the desired MX license type (one license for all compatible MXs in the organization) and apply them to the organization which will convert the entire organization to the desired license type. Note: This will adjust your remaining licensing term depending on the license type (duration, MX model, license type)
-
If you are claiming the key using the “Renew my dashboard” option (in the co-termination licensing model), it will automatically upgrade the entire organization to reflect the product edition of the new key. Note: There is no such thing as a “partial” renewal in the co-termination model, so if you wish to convert using this option, you must ensure you have new licenses for all other devices as well.
-
If you are claiming the license using the “License more devices” option, you will need to reach out to Meraki Support for assistance, as the organization (all existing MX licenses) will first need to be upgraded to the desired security edition before the dashboard allows you to claim the new security edition to your organization. In order for Support to fulfill the request, it must come from a write privilege organizational-level administrator.
-
- Contact Meraki support and convert the organization to the desired license option. Note: You will have a new co-termination date for your organization with this method.
- If upgrading moving from Enterprise to Advanced Security, the remaining credit for the MXs will be cut in half due to the increased feature set.
- If upgrading from Enterprise to SD-WAN+, the remaining credit for the MXs will be cut by 60 to 75% depending on the MX model being converted.
- If upgrading from Advanced Security to SD-WAN+, the remaining credit for the MXs will be cut by 25% to 50% depending on the MX model being converted.
- The following MXs are eligible for SD-WAN+ Upgrades: MX64/W, MX65/W, MX67/W/C, MX68/W/CW, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX450
- If you are choosing to downgrade your organization's security edition, there will be no additional credit given back.
Note: Upgrading to SD-WAN+ is only available in Co-Term through the above-mentioned ways. To upgrade to SD-WAN+ in a Per-Device-Licensing organization, you must purchase the corresponding SD-WAN+ device licenses and claim them to the organization, which will force the organization into SD-WAN+.
Are free trials available for each of the MX license types?
Yes. Please contact your Meraki Sales representative for more information.
How does Warm-Spare MX set up work with the license?
In a network where two MXs are configured in Warm-Spare mode will only require one MX license.
Will Meraki Insight be available as a separate license?
No. The separate Meraki Insight license has been deprecated. If you need the Meraki Insight current and future feature sets, please use the Secure SD-WAN Plus license.
Is Per Dev SDW+ going to be available on PDL or subscriptions?
No, Per Dev SDW+ is only available in Co-term and won’t be available in PDL or subscriptions.
Can Per Dev SDW+ be assigned to networks with Enterprise License?
No, the minimum requirement to have Per Dev SDW+ assignment is for the org to have Advance Security licenses.
Will Per Dev SDW+ affect my co-term date?
Yes, it will follow the same logic as the other licenses and will affect the co-term end date.
Where can I find information on Licensing and Free Tests for the ThousandEyes integration with the Meraki MX?
The licensing and free tests information for the ThousandEyes integration can be found in the Meraki MX ThousandEyes Configuration Guide