Understanding the Meraki MX Product Lineup: Choosing the Right Security Appliance

The Cisco Meraki MX security appliance family includes models ranging from small office solutions to enterprise deployments. Each model addresses different bandwidth requirements, feature sets, and deployment scales. Understanding the lineup prevents over-specification (purchasing more than needed) and under-specification (buying equipment that can’t meet requirements).

Organizations often face confusion when selecting MX appliances. The model numbers seem similar. Feature comparisons are difficult. Pricing doesn’t always correlate obviously with capability. Without clear guidance, decision-makers either choose conservatively (spending more than necessary) or optimistically (deploying equipment that underperforms).

This guide explains the Meraki MX product family, helping organizations select the right appliance for their specific requirements.

The MX Product Family Overview

Cisco Meraki organizes MX appliances into tiers based on throughput, concurrent connections, and advanced feature support.

Key Specifications Affecting Selection

Throughput (Gbps)

Maximum data transmission speed through the appliance. Critical for bandwidth-heavy organizations or sites with multiple users.

Concurrent Sessions

Number of simultaneous network connections the appliance can track. More sessions support more users or higher activity levels.

Interfaces

Number and type of network ports. More interfaces enable complex network designs without additional switches.

VPN Performance

Maximum throughput through VPN tunnels. Important for organizations heavily using VPN for site-to-site or remote user connectivity.

Advanced Features

Some models support features like:

• Advanced threat protection
• SD-WAN optimization
• Additional VPN tunnels
• Higher concurrent VPN connections

Entry-Level Models: MX64, MX65, MX67

These appliances serve small offices and branch locations with modest bandwidth and user counts.

MX64

• Throughput: 280 Mbps
• Concurrent sessions: 60,000
• Interfaces: 1 WAN, 4 LAN
• Best for: Micro offices, very small deployments
• Considerations: Limited throughput for bandwidth-heavy sites

MX65

• Throughput: 350 Mbps
• Concurrent sessions: 65,000
• Interfaces: 1 WAN, 4 LAN with PoE
• Best for: Small offices with VoIP phones needing PoE
• Considerations: Power delivery enables connected devices without separate power

MX67

• Throughput: 500 Mbps
• Concurrent sessions: 100,000
• Interfaces: 2 WAN, 4 LAN
• Best for: Small to medium offices, typical branch locations
• Considerations: Dual WAN enables failover; solid all-around appliance

When to Choose Entry-Level

These models suit organizations with:

• Under 50 concurrent users
• Bandwidth under 300 Mbps sustained
• Basic security requirements
• Limited VPN needs

Entry-level models keep costs manageable while providing adequate protection for small deployments.

Mid-Range Models: MX84, MX85, MX95

Mid-range appliances serve most organizations, balancing capability and cost.

MX84 (Being phased out – approaching EOL in 2026)

• Throughput: 500 Mbps
• Concurrent sessions: 150,000
• Interfaces: 2 WAN, 4 LAN
• Best for: Medium offices, regional headquarters
• Note: Newer models (MX85, MX95) replace this

MX85

• Throughput: 500 Mbps
• Concurrent sessions: 200,000
• Interfaces: 2 WAN, 4 LAN with PoE
• Best for: Standard mid-size locations
• Advantages: PoE support, improved processing over MX84

MX95

• Throughput: 1 Gbps (1,000 Mbps)
• Concurrent sessions: 500,000
• Interfaces: 2 WAN, 4 LAN with PoE
• Best for: Larger offices, multiple departments
• Advantages: Double the throughput of MX85, handles busier networks

When to Choose Mid-Range

These models suit organizations with:

• 50-300 concurrent users
• Bandwidth 500 Mbps to 1 Gbps
• Standard security requirements
• Some VPN needs
• Standard feature set sufficient

Mid-range models represent the “sweet spot” for most organizations—enough capability for robust operations without over-specification.

High-Performance Models: MX105, MX250

These appliances serve large deployments and bandwidth-intensive organizations.

MX105

• Throughput: 1.5 Gbps
• Concurrent sessions: 1 million
• Interfaces: 4 WAN, 8 LAN with PoE
• Best for: Headquarters, data centers, high-traffic locations
• Advantages: Multiple WAN connections for load balancing or failover

MX250

• Throughput: 2.5 Gbps
• Concurrent sessions: 2.5 million
• Interfaces: 4 WAN, 8 LAN with PoE
• Best for: Enterprise headquarters, service providers
• Advantages: Highest performance, handles most demanding environments

When to Choose High-Performance

These models suit organizations with:

• Over 300 concurrent users
• Bandwidth over 1 Gbps sustained
• Multiple departments/divisions
• Heavy VPN usage
• Advanced security requirements

High-performance models handle the most demanding enterprise scenarios.

Specialized Models: MX64W, MX67W

These wireless-equipped models combine firewall and WiFi in one appliance.

MX64W

• Includes built-in WiFi (2×2 802.11n)
• Combines MX64 firewall with basic WiFi
• For locations where dedicated WiFi isn’t needed
• Cost-effective for simple single-site deployments

MX67W

• Includes better WiFi (2×2 802.11ac)
• Combines MX67 firewall with stronger WiFi
• Better for locations requiring WiFi alongside firewall

When to Choose Wireless Models

These suit organizations with:

• Need for basic WiFi at small locations
• Space constraints (combining devices)
• Simple requirements (not dense deployments)

Note: For organizations needing robust WiFi, separate Meraki access points are preferable to built-in WiFi.

Selection Matrix

Use this to narrow your choice:

Need	Suggested Model
1-10 users, micro office	MX64 or MX64W
10-50 users, small office	MX65, MX67, or MX67W
50-150 users, branch	MX84 or MX85
150-300 users, large office	MX95
300+ users, datacenter	MX105 or MX250
Need WiFi included	MX64W or MX67W
High-speed requirements (1+ Gbps)	MX95, MX105, MX250

Throughput Considerations

Understanding Bandwidth Needs

Appliance throughput doesn’t need to match your ISP bandwidth, but should provide headroom:

• Internet link is 300 Mbps → Choose appliance with at least 350+ Mbps throughput
• Internet link is 500 Mbps → Choose appliance with at least 600+ Mbps throughput
• Internet link is 1 Gbps → Choose appliance with at least 1.2+ Gbps throughput

The extra headroom accounts for security inspection overhead and future growth.

VPN Considerations

Site-to-Site VPN Throughput

If you heavily use VPN for multi-site connectivity:

• MX67/MX85: ~300 Mbps VPN throughput
• MX95: ~500 Mbps VPN throughput
• MX105: ~1 Gbps VPN throughput

High VPN throughput needs might require upgraded models.

Client VPN Capacity

Remote worker counts affect model selection:

• MX67: ~50 concurrent remote users
• MX85: ~100 concurrent remote users
• MX95: ~300+ concurrent remote users

Organizations with large remote workforces need higher capacity models.

Feature Availability by Model

Not all features are available on all models:

Feature	MX64/65	MX67	MX84/85	MX95	MX105/250
Basic Firewall	✅	✅	✅	✅	✅
VPN	✅	✅	✅	✅	✅
IDS/IPS	✅	✅	✅	✅	✅
Content Filtering	✅	✅	✅	✅	✅
Advanced Threat	Limited	✅	✅	✅	✅
SD-WAN	Limited	✅	✅	✅	✅
Multiple WAN	Single	Dual	Dual	Dual	Quad

Entry-level models support core features. Mid-range and above unlock advanced capabilities.

Cost vs. Capability Analysis

Model selection involves balancing cost and capability:

Cost-Focused Organizations

Choose entry-level (MX64, MX65, MX67) if:

• Budget is primary constraint
• Requirements are modest
• Performance headroom isn’t critical

Balanced Approach

Choose mid-range (MX85, MX95) if:

• Good balance of capability and cost
• Reasonable future growth expected
• Most organizations fit here

Performance-Focused Organizations

Choose high-performance (MX105, MX250) if:

• High throughput essential
• Future growth anticipated
• Performance headroom critical

Licensing Differences

All MX models require licenses enabling features:

• Security licensing – Enables IDS/IPS, content filtering, threat prevention
• Advanced Security licensing – Unlocks advanced threat protection
• SD-WAN Plus licensing – Enables advanced SD-WAN features

Licensing costs vary by model but allow organizations to start with base features and upgrade later if needed.

Migration Path Considerations

Organizations planning growth should consider whether current model provides upgrade path:

• No growth expected – Entry-level sufficient
• Some growth expected – Mid-range provides room
• Significant growth expected – Start with higher model to avoid replacement

Replacing appliances mid-lifecycle is expensive and disruptive. Starting with slightly more capability often costs less than replacing appliances later.

Making Your Selection

Step 1: Assess Requirements

Gather:

• Number of concurrent users
• Current and projected bandwidth needs
• VPN usage patterns
• Feature requirements (advanced threat, SD-WAN, etc.)

Step 2: Calculate Headroom

Add 20-30% headroom to requirements to account for growth and inspection overhead.

Step 3: Review Feature Needs

Confirm the model tier supports features you need.

Step 4: Evaluate Costs

Compare hardware, licensing, and lifecycle costs across models.

Step 5: Consult Experts

For complex requirements, work with Stratus Information Systems to validate selection. Our team helps organizations choose right-sized Cisco Meraki security appliances preventing both under and over-specification.