Skip to main content
Cisco Meraki Documentation

MX Sizing Guide & Principles

Click 日本語 for Japanese

Use of This Document

Current Firmware Version: MX 18.2x

This document is to be used to assist in the architecture and design of networks in which MX firewall appliances will be present. Key questions which this document is designed to help answer are:

  • How do I decide which MX model(s) I should evaluate?
  • How does device performance vary by features enabled?
  • How do MX models compare against other vendors? 

It is highly recommended to leverage this document with a proof of concept for further validation of design and implementation as each network environment is unique. 

With the release of each major MX firmware version throughput; feature specific data, or flow and session specific data may change. This document will provide guidance on these MX performance metrics in a variety of scenarios and environments.

Note that each network environment and traffic profile is unique. It should be taken into account that the numbers presented in this document are obtained during testing in a vacuum where no detrimental network or traffic profile behavior is present.  

The Performance metrics detailed in this document are based on the Current Firmware Version listed above. It should be noted not all platforms can support MX 18.2x, more details surrounding this can be found here.

Portfolio Capabilities

Cisco Meraki MX Security and SD-WAN Appliances provide unified threat management (UTM) and SD-WAN in a powerful all-in-one device. 

Choosing the right MX depends on the use case and deployment characteristics. 
For detailed sizing and capabilities of vMX devices please review the vMX specific data sheet. 

Below is a breakdown of the MX; Z-Series, and vMX Portfolio's hardware capabilities. 

MX-Series 

For MX67(C/W) devices, dual WAN is available via a convertible LAN interface.

For models without integrated cellular, cellular failover is available when leveraging a MG cellular gateway.

MX68 and MX75 PoE+ capabilities are available for LAN ports. MX85, MX95, and MX105 PoE+ capabilities are available for WAN ports. PoE/PoE+ is provided to an MG via these ports is supported. Please refer to product-specific data sheets for additional details. 

HTTPS Inspection is available natively on indicated platforms via Cisco Umbrella SD-WAN extension, or via a third-party provider reachable via VPN. 

  MX67 
(C/W)
MX68 (W/CW) MX75 MX85 MX95 MX105 MX250 MX450

Dual Active WAN

Yes Yes Yes Yes Yes Yes Yes Yes
3G/4G Failover Model Available Yes Yes Yes Yes Yes Yes Yes Yes
Built-in LTE Modem Model Available Yes Yes No No No No No No
Built-in Wi-Fi Available Yes Yes No No No No No No
Built-in PoE+ Model Available No Yes Yes Yes Yes Yes No No
WAN Fiber Connectivity No No SFP SFP SFP+ SFP+ SFP, SFP+ SFP, SFP+
Dual Power Supply No No No No No Yes Yes Yes
Form Factor Desktop Desktop Desktop 1U 1U 1U 1U 1U
HTTPS Inspection Yes Yes Yes Yes Yes Yes Yes Yes
Advanced Malware Protection (AMP) Yes Yes Yes Yes Yes Yes Yes Yes
Intrusion Detection and Prevention (SNORT IPS/IDS) Yes Yes Yes Yes Yes Yes Yes Yes

Z-Series

  Z3 (C) Z4 (C) 
Dual Active WAN No No
3G/4G Failover Model Available Yes Yes
Built-in LTE Modem Model Available Yes Yes
Built-in Wi-Fi  Available Yes Yes
Built-in PoE (LAN Port) Model Available Yes (802.3af, PoE) Yes (802.3at, PoE+)
WAN Fiber Connectivity No No
Dual Power Supply No No
Form Factor Desktop Desktop
HTTPS Inspection Yes Yes
Advanced Malware Protection (AMP) No Yes
Intrusion Detection and Prevention (SNORT IPS/IDS)

No

No

vMX-Series

  vMX-Small vMX-Medium vMX-Large

Dual WAN

N/A N/A N/A
3G/4G/5G Failover N/A N/A N/A
Built-in LTE Modem Model Available N/A N/A N/A
Built-in Wireless Available N/A N/A N/A
Built-in PoE+ Model Available N/A N/A N/A
WAN Fiber Connectivity N/A N/A N/A
Dual Power Supply N/A N/A N/A
Form Factor Virtual Virtual Virtual
HTTPS Inspection N/A N/A N/A
Advanced Malware Protection (AMP) N/A N/A N/A
Intrusion Detection and Prevention (SNORT IPS/IDS) N/A N/A N/A

Use Case Recommendations

A use case recommendation is based off of the device throughput; available feature set, and maximum flow table capacity. In this calculation, each client is considered to consume up to 50 flows. 

MX-Series

  MX67
MX68
MX75 MX85 MX95 MX105 MX250 MX450
Recommended Maximum Device Count 50 200 250 500 750 2,000 10,000

Z-Series

  Z3 (C) Z4 (C)
Recommended Maximum Device Count 5 15

vMX-Series

  vMX-Small vMX-Medium vMX-Large
Recommended Maximum Device Count 500 2,500 10,000

Feature Specific Data

The following items should be noted:

  • Max site-to-site VPN tunnels are based on lab-testing scenarios where no client traffic is transferring over the VPN tunnels.
  • Recommended max site-to-site VPN tunnels are based on lab-testing scenarios with client traffic transferring over VPN tunnels.
  • Load balancing for client VPN can be utilized if more than 500 connections are required.
  • Criteria must be met prior to WAN; dynamic path selection, or tunnel failover times occurring. 

MX-Series

  MX67
MX68
MX75 MX85 MX95 MX105 MX250 MX450
Maximum Site to Site VPN Tunnel Count 50 75 200 500 1,000 3,000 5,000
Recommended Maximum Site to Site VPN Tunnel Count 50 75 100 250 500 1,000 1,500
Maximum Number of Client VPN Tunnels  50 75 100 250 250 500 500
Maximum Number of AnyConnect Sessions 100 250 250 500 750 1000 1500
WAN Failover < 5 Sec < 5 Sec < 5 Sec < 5 Sec < 5 Sec < 5 Sec < 5 Sec
Auto VPN Tunnel Failover Sub-second Sub-second Sub-second Sub-second Sub-second Sub-second Sub-second
Dynamic Path Selection Sub-second Sub-second Sub-second Sub-second Sub-second Sub-second Sub-second

Z-Series

  Z3 (C) Z4 (C)
Maximum Site to Site VPN Tunnel Count 10 10
Recommended Maximum Site to Site VPN Tunnel Count 4 8
Maximum Number of Client VPN Tunnels  1 2
WAN Failover < 5 Sec < 5 Sec
Auto VPN Tunnel Failover Sub-second Sub-second
Dynamic Path Selection Sub-second Sub-second

vMX-Series

  vMX-Small vMX-Medium vMX-Large
Maximum Site to Site VPN Tunnel Count 50 250 1,000
Recommended Maximum Site to Site VPN Tunnel Count 50 250 1,000
Maximum Number of Client VPN Tunnels  50 250 500
WAN Failover N/A N/A N/A
Auto VPN Tunnel Failover Sub-second Sub-second Sub-second
Dynamic Path Selection Sub-second Sub-second

Sub-second

Flow and Session Data

It is important to understand the number of flows, or open sessions, supported by each appliance. For purposes of sizing, a flow is any transmission on an open socket within the last 5 minutes.  Note that this is not a recommended flow capacity number, but instead these values are to be maximums. 

MX-Series

  MX67
MX68
MX75 MX85 MX95 MX105 MX250 MX450
Maximum Concurrent Sessions 25,000 50,000 125,000 200,000 250,000 500,000 1,000,000

Z-Series

  Z3 (C) Z4 (C)
Maximum Concurrent Sessions 5,000 10,000

vMX-Series

  vMX-Small vMX-Medium vMX-Large
Maximum Concurrent Sessions 25,000 125,000 1,000,000

Performance Data

Industry-standard benchmarks are designed to help you compare MX appliances to those from other vendors. These tests assume perfect network conditions with ideal traffic patterns. When measuring maximum throughput for a certain feature, all other features are disabled. Actual results will vary. 

The following items should be noted during review:

  • Next Generation Firewall tests have the following configuration applied:
    • Layer 3 Firewall enabled
    • QoS
    • DPI (NBAR)
  • Advanced Security Throughput Tests are performed for MX-Series devices with the following configuration:
    • QoS
    • DPI (NBAR)
    • IPS Ruleset: 'Connectivity'
    • AMP enabled
    • Content Filtering enabled
    • IPS Mode in Detection or Prevention configuration
  • Secure Teleworker Throughput Tests are performed for Z-Series devices with the following configuration:
    • QoS
    • DPI (NBAR)
    • AMP Enabled

MX-Series 

  MX67
MX68
MX75 MX85 MX95 MX105 MX250 MX450

NGFW 
Throughput

RFC2544 - 1518 Byte

600 Mbps 1 Gbps 1 Gbps 2.5 Gbps 5 Gbps 7.5 Gbps 10 Gbps

NGFW Throughput

EMIX

600 Mbps
 
1 Gbps 1 Gbps 2.5 Gbps 5 Gbps 7 Gbps 10 Gbps

Advanced Security Throughput
(Prevention)

EMIX

300 Mbps 500 Mbps 500 Mbps 1.5 Gbps 2 Gbps 1.5 Gbps 3.5 Gbps

Advanced Security Throughput
(Detection)

EMIX

400 Mbps 1 Gbps 1 Gbps 2 Gbps 2.5 Gbps 3.5 Gbps 7 Gbps

Single Tunnel VPN Throughput RFC2544 1400 Byte 

400 Mbps 1 Gbps 1 Gbps 2.0 Gbps 2.5 Gbps 3 Gbps 3.5 Gbps

Multi-Tunnel VPN Throughput RFC2544 1400 Byte

≤ 400 Mbps 1 Gbps 1 Gbps 2.5 Gbps 3 Gbps 3.5 Gbps 4.5 Gbps
Single Tunnel VPN Throughput EMIX 300 Mbps 1 Gbps 1 Gbps 1.5 Gbps 2 Gbps 2 Gbps 3 Gbps
Multi-Tunnel VPN Throughput EMIX ≤300 Mbps ≤ 1 Gbps ≤ 1 Gbps ≤ 1.5 Gbps ≤ 2 Gbps ≤ 2 Gbps 4.5 Gbps

Z-Series 

  Z3 (C) Z4 (C)
Secure Teleworker Throughput NA 300 Mbps

NGFW 
Throughput

RFC2544 - 1518 Byte

200 Mbps 500 Mbps

NGFW Throughput

EMIX

200 Mbps 500 Mbps

Single Tunnel VPN Throughput RFC2544 1400 Byte 

75 Mbps 250 Mbps
Single Tunnel VPN Throughput EMIX 50 Mbps 250 Mbps

vMX-Series

 

vMX-Small vMX-Medium vMX-Large

vMX VPN Throughput 

iPerf

250 Mbps 500 Mbps 1 Gbps

Features, benefits, and performance impact

Features and Benefits

Each feature provides advanced benefits tailored to specific use cases. Below is an elaboration on a feature; it's use case, and a recommendation for sizing appropriately for deployment or implementation.

Cisco Advanced Malware Protection (AMP)

Cisco Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire®, integrated into MX Security Appliances. 
Consider disabling this feature for guest VLANs and leveraging firewall rules to isolate guest VLANs. Also consider disabling if clients within the network are secured via a full malware client, such as AMP for endpoints. 

Content Filtering

Content filtering, powered by Cisco TALOS, allows you to block certain categories of websites based on your organizational policies.
Consider blocking only necessary categories while aligning with your organization's security guidelines.

Web-Safe Search

MX Security Appliances have the option to force all web searches to use Web search filtering.
Must be deployed in tandem with "disable encrypted search" option to be effective.

Cisco IPS/IDS (SNORT)

Intrusion Detection and Prevention, powered by Sourcefire® SNORT®, monitors and protects your network from malicious activity. 
Rulesets other than 'Connecitvity' have a larger performance impact. Additionally, consider not sending IDS/IPS syslog data over VPN in low-bandwidth environments. 

HTTPS Inspection

HTTPS Inspection enhances Advanced Security features by enabling them to inspect and act on HTTPS traffic. 
Use of Cisco Umbrella SD-WAN extensions to offload processing from edge or concetrator devices will reduce performance impacts to MX devices. 

Number of VPN Tunnels

Auto VPN creates VPN tunnels between sites in an automated, seamless fashion. 
Consider using split tunnel VPN while deplyoying security services at the edge of your network environments.

FIPS Mode

FIPS Mode enables the use of only FIPS compliant mechanisms for MX devices.
Consider engaging your account specialist for appropriate sizing and network architecture when planning to leverage this feature. 

Performance Impact Breakdown

Feature Name Performance Impact
Cisco Advanced Malware Protection (AMP) Low
Content Filtering Low
Web-Safe Search Low
FIPS Mode (Non-VPN Services) Low
Cisco IDS/IPS (SNORT) Medium
HTTPS Inspection (On device, not offloaded) High
Number of VPN Tunnels High
FIPS Mode (VPN Services) High