MX650 Installation Guide
This document describes how to install and set up the MX650 security appliance. Additional reference documents are available online at: www.meraki.com/library/products.
MX650 Overview
The Meraki MX650 is an enterprise security appliance designed for distributed networks that require remote administration. It is ideal for network administrators who demand both ease of deployment and a state-of-the-art feature set. The MX650 appliance provides the following new features:
- 2 SFP28 25G Ports
- Support for 2 configurable 10GbE SFP+ connections
- Support for 8 configurable GbE(RJ45) connections
- Dedicated management port
- Front panel rack mounts
- 32GB M.2 Storage Module
- Dedicated console port for factory reset functionality
The MX650 currently operates in One-Arm Concentrator mode with support for a single link. At this time, port 11 (SFP28 25G) is the statically available WAN port.
When troubleshooting link connectivity for the MX650 please consider the use of FEC. Configuration of FEC on the SFP28 interfaces is available via the local status page.
Package Contents
In addition to the MX650, the following are provided:
- Rack mount kit (including screws)
- Grounding kit
MX650 Front Panel
Ports and Status Indicators
The MX650 uses LEDs to inform the user of the device's status. When the device powers on, all the Internet LEDs flash twice. Additional functions are described below
Front Panel LED Table
| Item | Function | LED Status | Meaning |
| 1 | Cisco Logo | Off | System is off |
| Blue | System is powered on | ||
| 2 | PSU | Off | System is off |
| Orange | A Power Supply in the system is not functioning correctly | ||
| Flashing orange | All installed PSUs are operating correctly | ||
| 3 | Status | Off | System is off |
| Rainbow colors | Unit is attempting to contact the Cloud | ||
| Flashing white | Operation is in progress | ||
| Solid white | Fully operational | ||
| 4 | Minor Alarm | Off | No minor alarm |
| Amber | Minor alarm raised | ||
| 5 | Major Alarm | Off | No major alarm |
| Amber | Minor alarm raised | ||
| 6 | Critical Alarm | Off | No critical alarm |
| Amber | Critical alarm raised | ||
| 7 | USB CON | Off | No USB Connectivity |
| Green | USB Connectivity active. | ||
| 8 | Serial CON | Off | No serial connectivity |
| Green | Serial connectivity active |
Ethernet LED Behavior
| Item | Function | LED Status | Meaning |
| 1 | SFP LEDs | Off | Not present or not configured |
| Yellow | Loss of signal | ||
| Green | Link established | ||
| 2 | RJ45 Ethernet Link Management LED | Off | No link |
| Green | Link established | ||
| 3 | RJ45 Ethernet Speed Management LED | Off | No link |
| Blink frequency (1) | 10 Mbps Link | ||
| Blink frequency (2) | 100 Mbps Link | ||
| Blink frequency (3) | 1000 Mbps Link |
MX650 Back Panel
Please note that the serial number is located on the product label at the back panel of the MX650-HW.
Mounting Hardware
The mounting hardware includes four sets of standard slot-head rack screws and nuts. The additional screws and nuts are different screw standards meant to accommodate the most common rack mounts. When installing the appliance, make sure that there is sufficient space between the rear of the rack and other obstacles to ensure adequate airflow. Ventilation is from side to side not from front to back. This MX security appliance requires a minimum of 10mm clearance between the venting holes and any obstruction.
Safety Guidelines
Warning: The system must be disconnected from all sources of power and the power cord removed from the power supply module(s) before accessing, installing, or removing system components.
Caution: The Optical Transceiver product should use UL listed, and Rated Laser Class I, 3.3Vdc.
Performing a Factory Reset
Below is an outline of how to access the serial connection of a MX650 Security Appliance via the console port
Serial Connectivity Setup
Connectivity is achieved via a RJ45 Console port OR via Micro USB. A console cable will be required to connect to the security appliance. Below are steps to access the device via serial:
RJ45 Console is currently the recommended method for serial access
- Windows
- Identify the port assigned to the serial interface
- Typically this is available within the device manager's Ports (COM & LPT) section
- Via PuTTY or another terminal emulator assign the following settings to the serial connection
- Relevant port, identified above
- Speed (baud): 115200
- Data bits: 8
- Stop bits: 1
- Parity: Off
- Flow control: Off
- Identify the port assigned to the serial interface
CLI Prompt Input
Only the factory reset function is available via serial access.
Serial access is unauthenticated by default, matching previous hardware reset functions.
Should authentication be desired, please contact Meraki support in order to enable authentication. Authentication will match the local status page credentials configured once enabled.
If the authentication credentials are lost after enabling, and the device is unable to contact the Meraki dashboard, an RMA will be required. As a result, it is strongly advised that these credentials are securely documented when enabling or modifying them.
Once at the Meraki prompt, input the command 'reset_shell'
If authentication is not configured you will be greeted by a help menu as detailed below.
<Meraki> reset_shell In reset shell Online Documentation: https://documentation.meraki.com/General_Administration/Support/Resetting_Cisco_Meraki_Devices_to_Factory_Defaults Warning: any reset command will reset LSP credentials until synced with Dashboard Commands: reset_factory : recommended for recovery reset_soft logout <Meraki Reset Shell> reset_factory
Connecting to WAN
All Meraki MX devices must have an IP address. This section describes how to configure your local area network before you deploy it. A local management web service, running on the appliance, is accessed through a browser running on a client PC. This web service is used for configuring and monitoring basic ISP/WAN connectivity.
Setting up a Static IP Address
To ensure that the client PC is redirected to the local web service in the following step, you must disable all other network services (ex: wi-fi) on your client machine.
Do the following to configure basic connectivity and other networking parameters:
- Using a client machine such as a laptop, connect to the management port of the MX.
- Using a browser on the client machine, access the appliance's built-in web service by browsing to http://setup.meraki.com. (You do not have to be connected to the Internet to reach this address)
- Click Uplink configuration under the Local status tab. The default credentials use the device serial number as the username, with a blank password field.
- Choose Static for the IP Assignment option.
- Enter the IP address, subnet mask, default gateway IP and DNS server information.
Setting up a DHCP IP Address
By default all MX devices are configured to DHCP from upstream WAN / ISP servers. Simply plug the MX's WAN / Internet port to your upstream circuit and wait a few minutes for the unit to negotiate a DHCP address.
When the WAN connection is fully enabled, Internet LED will turn green.
Additional Settings
Please note that all these settings below are accessible only via the local management console.
Setting VLANs
If your WAN uplink is on a trunk port, choose VLAN tagging > Use VLAN tagging and enter the appropriate value for VLAN ID for your network.
Setting PPPoE
PPPoE authentication may be required if you are connecting MX device to a DSL circuit. You need to know your authentication option and credentials (supplied by your ISP) in order to complete these steps.
- Choose Connection Type > PPPoE.
- Select your Authentication option.
- If you select Use authentication, enter appropriate values for Username and Password.
Web Proxy Pettings
These settings take effect if the MX device has to fall back to using HTTP to contact the Cloud Controller. By default, web proxy is disabled. To enable web proxy, do the following:
- Choose Web proxy > Yes.
- Enter values as appropriate for Hostname or IP and Port.
- If you require authentication, choose Authentication > Use authentication, and enter appropriate values for Username and Password.
To apply all configuration settings to the appliance, be sure to click Save Settings at the bottom of the page.
Configuring Physical link settings
To configure physical link settings on the Ethernet ports, click Local status > Ethernet configuration. You can enable half duplex, full duplex, and autonegotiation, as well as set 10 or 100-Mbps data rates.