Skip to main content

 

Cisco Meraki Documentation

MX650 Installation Guide

This document describes how to install and set up the MX650 security appliance. Additional reference documents are available online at: www.meraki.com/library/products.

MX650 Overview 

The Meraki MX650 is an enterprise security appliance designed for distributed networks that require remote administration. It is ideal for network administrators who demand both ease of deployment and a state-of-the-art feature set. The MX650 appliance provides the following new features:

  • 2 SFP28 25G Ports
  • Support for 2 configurable 10GbE SFP+ connections
  • Support for 8 configurable GbE(RJ45) connections
  • Dedicated management port
  • Front panel rack mounts
  • 32GB M.2 Storage Module
  • Dedicated console port for factory reset functionality

The MX650 currently operates in One-Arm Concentrator mode with support for a single link. At this time, port 11 (SFP28 25G) is the statically available WAN port. 

When troubleshooting link connectivity for the MX650 please consider the use of FEC. Configuration of FEC on the SFP28 interfaces is available via the local status page. 

Package Contents 

In addition to the MX650, the following are provided:

  • Rack mount kit (including screws)
  • Grounding kit

MX650 Front Panel 

1983_244_1.5.png

 

Ports and Status Indicators 

The MX650 uses LEDs to inform the user of the device's status. When the device powers on, all the Internet LEDs flash twice. Additional functions are described below

Front Panel LED Table

Item Function LED Status Meaning
1 Cisco Logo Off System is off
    Blue System is powered on
2 PSU Off System is off
    Orange A Power Supply in the system is not functioning correctly
    Flashing orange All installed PSUs are operating correctly
3 Status Off System is off
    Rainbow colors Unit is attempting to contact the Cloud
    Flashing white Operation is in progress
    Solid white Fully operational
4 Minor Alarm Off No minor alarm
    Amber Minor alarm raised
5 Major Alarm Off No major alarm
    Amber Minor alarm raised
6 Critical Alarm Off No critical alarm
    Amber Critical alarm raised
7 USB CON Off No USB Connectivity
    Green USB Connectivity active. 
8 Serial CON Off No serial connectivity
    Green Serial connectivity active

Ethernet LED Behavior

Item Function LED Status Meaning
1 SFP LEDs Off Not present or not configured
    Yellow Loss of signal
    Green Link established
2 RJ45 Ethernet Link Management LED Off No link
    Green Link established
3 RJ45 Ethernet Speed Management LED Off No link
    Blink frequency (1) 10 Mbps Link
    Blink frequency (2) 100 Mbps Link
    Blink frequency (3) 1000 Mbps Link

MX650 Back Panel

1278_146_1.5.png

Please note that the serial number is located on the product label at the back panel of the MX650-HW.

 

Mounting Hardware

The mounting hardware includes four sets of standard slot-head rack screws and nuts. The additional screws and nuts are different screw standards meant to accommodate the most common rack mounts. When installing the appliance, make sure that there is sufficient space between the rear of the rack and other obstacles to ensure adequate airflow. Ventilation is from side to side not from front to back. This MX security appliance requires a minimum of 10mm clearance between the venting holes and any obstruction.

 

Safety Guidelines

 Picture4.png

Warning: The system must be disconnected from all sources of power and the power cord removed from the power supply module(s) before accessing, installing, or removing system components.

 

Picture6.png

 

Caution: The Optical Transceiver product should use UL listed, and Rated Laser Class I, 3.3Vdc.

 

Performing a Factory Reset

Below is an outline of how to access the serial connection of a MX650 Security Appliance via the console port

Serial Connectivity Setup

Connectivity is achieved via a RJ45 Console port OR via Micro USB. A console cable will be required to connect to the security appliance. Below are steps to access the device via serial:

RJ45 Console is currently the recommended method for serial access

  • Windows
    • Identify the port assigned to the serial interface
      • Typically this is available within the device manager's Ports (COM & LPT) section
    • Via PuTTY or another terminal emulator assign the following settings to the serial connection
      • Relevant port, identified above
      • Speed (baud): 115200
      • Data bits: 8
      • Stop bits: 1
      • Parity: Off
      • Flow control: Off 

CLI Prompt Input

Only the factory reset function is available via serial access. 
Serial access is unauthenticated by default, matching previous hardware reset functions.

Should authentication be desired, please contact Meraki support in order to enable authentication. Authentication will match the local status page credentials configured once enabled.

If the authentication credentials are lost after enabling, and the device is unable to contact the Meraki dashboard, an RMA will be required. As a result, it is strongly advised that these credentials are securely documented when enabling or modifying them. 

Once at the Meraki prompt, input the command 'reset_shell'
If authentication is not configured you will be greeted by a help menu as detailed below. 

<Meraki> reset_shell
In reset shell
Online Documentation: https://documentation.meraki.com/General_Administration/Support/Resetting_Cisco_Meraki_Devices_to_Factory_Defaults
Warning: any reset command will reset LSP credentials until synced with Dashboard
Commands:
  reset_factory : recommended for recovery
  reset_soft
  logout
<Meraki Reset Shell> reset_factory

Connecting to WAN  

All Meraki MX devices must have an IP address. This section describes how to configure your local area network before you deploy it. A local management web service, running on the appliance, is accessed through a browser running on a client PC. This web service is used for configuring and monitoring basic ISP/WAN connectivity.

Setting up a Static IP Address  

To ensure that the client PC is redirected to the local web service in the following step, you must disable all other network services (ex: wi-fi) on your client machine.

Do the following to configure basic connectivity and other networking parameters:

  1. Using a client machine such as a laptop, connect to the management port of the MX.
  2. Using a browser on the client machine, access the appliance's built-in web service by browsing to http://setup.meraki.com. (You do not have to be connected to the Internet to reach this address)
  3. Click Uplink configuration under the Local status tab. The default credentials use the device serial number as the username, with a blank password field.
  4. Choose Static for the IP Assignment option.
  5. Enter the IP address, subnet mask, default gateway IP and DNS server information.

Setting up a DHCP IP Address  

By default all MX devices are configured to DHCP from upstream WAN / ISP servers. Simply plug the MX's WAN / Internet port to your upstream circuit and wait a few minutes for the unit to negotiate a DHCP address.

When the WAN connection is fully enabled, Internet LED will turn green.

Additional Settings  

Please note that all these settings below are accessible only via the local management console.

Setting VLANs  

If your WAN uplink is on a trunk port, choose VLAN tagging > Use VLAN tagging and enter the appropriate value for VLAN ID for your network.

Setting PPPoE  

PPPoE authentication may be required if you are connecting MX device to a DSL circuit. You need to know your authentication option and credentials (supplied by your ISP) in order to complete these steps.

  • Choose Connection Type > PPPoE.
  • Select your Authentication option.
  • If you select Use authentication, enter appropriate values for Username and Password.

Web Proxy Pettings  

These settings take effect if the MX device has to fall back to using HTTP to contact the Cloud Controller. By default, web proxy is disabled. To enable web proxy, do the following:

  • Choose Web proxy > Yes.
  • Enter values as appropriate for Hostname or IP and Port.
  • If you require authentication, choose Authentication > Use authentication, and enter appropriate values for Username and Password.

To apply all configuration settings to the appliance, be sure to click Save Settings at the bottom of the page.

Configuring Physical link settings  

To configure physical link settings on the Ethernet ports, click Local status > Ethernet configuration. You can enable half duplex, full duplex, and autonegotiation, as well as set 10 or 100-Mbps data rates.