Which Meraki Firewall Should I Buy?
If you’re shopping for a Meraki firewall, you’re likely looking for a reliable, easy-to-manage security solution for your network. The Meraki MX series, Cisco’s cloud-managed security and SD-WAN appliances, cover everything from small office setups to large enterprise environments.
But with multiple models and overlapping specs, choosing the right one can be confusing. This guide breaks down what each model is for, what features matter, and which Meraki firewall is right for your setup.
What is a Meraki MX?
Meraki MX appliances combine several functions in one device:
-
Firewall (stateful)
-
SD-WAN with Auto VPN
-
Intrusion detection and prevention (IDS/IPS)
-
Advanced malware protection (AMP)
-
Content filtering
-
Application visibility and control
-
Traffic shaping and failover
They’re all cloud-managed via the Meraki Dashboard, which makes deployment, updates, and troubleshooting much easier, especially across multiple sites.
You can run an MX in one of two ways:
-
Passthrough or VPN Concentrator mode (for hub sites or where the MX isn’t your internet edge)
-
Routed mode (for sites where the MX is your gateway to the internet)
Licensing: What You Need to Know
All MX devices require a license. You have two main choices:
-
Enterprise license - Basic firewall, Auto VPN, site-to-site VPN, traffic shaping, and monitoring.
-
Advanced Security license - Adds content filtering, AMP, and IDS/IPS powered by Cisco Snort.
-
Secure SD-WAN Plus - Adds cloud-based analytics and ML-powered insights (great for MSPs and enterprises).
Licensing is simple: it’s per device, per year (1, 3, 5, 7, or 10 years).
Meraki MX Firewall Model Guide
Here’s a breakdown of the current models available and which ones make sense for different use cases:
|
Model |
Ideal For |
Max Clients |
Throughput (Firewall / VPN) |
Notes |
|
MX64 |
Small branch/small office |
~50 |
250 Mbps / 100 Mbps |
Fanless, 1 WAN, 4 LAN |
|
MX67 |
Small branch/small office |
~50 |
450 Mbps / 200 Mbps |
Adds better throughput, optional cellular |
|
MX68 |
Small office with PoE needs |
~50 |
450 Mbps / 200 Mbps |
Adds 2 x PoE ports |
|
MX75 |
Growing branch office |
~200 |
1 Gbps / 500 Mbps |
Dual WAN, no PoE |
|
MX85 |
Medium office |
~250 |
1 Gbps / 500 Mbps |
10G SFP+, dual WAN, 12 ports |
|
MX95 |
Mid-sized business |
~500 |
2 Gbps / 800 Mbps |
10G fiber, scalable uplink |
|
MX105 |
High-performance branch/core |
~1,000 |
3 Gbps / 1 Gbps |
Redundant power, SFP+ uplinks |
|
MX250 |
Enterprise HQ / Data Center |
~2,000 |
4 Gbps / 1 Gbps |
10G fiber, high density |
|
MX450 |
Large Campus / Core Firewall |
~10,000 |
6 Gbps / 1 Gbps |
Redundant PSU, for high availability |
⚠️ Throughput values are real-world estimates, not theoretical max. VPN throughput especially depends on the number of tunnels and features enabled.
Use Case Scenarios
Home Office or Small Branch
💡 Use: MX64 or MX67
If you just need secure internet access, Auto VPN, and basic firewall protection, these fanless models are compact and reliable. Choose the MX67 if you want more throughput or integrated cellular backup (MX67C).
Small Office with a Few Switches or APs
💡 Use: MX68
Same firewall as the MX67, but includes 2 x PoE ports, perfect if you want to power a couple of Meraki APs or cameras without needing a switch.
Fast-growing Branch Site
💡 Use: MX75 or MX85
If you’ve got dozens of users and growing traffic, these rack-mount models offer more throughput and SFP uplinks. The MX85 adds more 10G options for WAN and LAN uplinks.
Mid-Sized Office or Light HQ
💡 Use: MX95 or MX105
MX95 handles 2 Gbps firewall throughput and supports fiber uplinks. MX105 adds redundant power and is ideal if you need higher availability.
Large Enterprise / Core Deployment
💡 Use: MX250 or MX450
These are heavy hitters. Designed for thousands of users, high throughput, multiple uplinks, and enterprise-level routing performance.
Cellular Backup Options
If you want LTE failover, you’ve got two options:
-
Buy a “C” model, e.g., MX67C or MX68CW, includes built-in cellular
-
Or use an MG series Meraki cellular gateway, connects via Ethernet
Both integrate with the dashboard and support WAN failover logic.
Stack It with SD-WAN
If you have multiple branches, SD-WAN is one of the best reasons to go Meraki.
-
Automatically builds VPN tunnels between sites
-
Dynamic path selection: reroutes traffic based on latency/loss
-
Central policy management: no more configuring each firewall individuallyl
This is especially powerful in hybrid WAN environments with fiber and LTE or broadband failover.
Final Thoughts
The Meraki MX line is a solid, simple-to-manage solution that works across many different deployment sizes. As always, it’s about choosing the right size for your needs, not just today, but where you’re heading.
📦 Need help picking the right model or license?
Contact us at The Networking Nerds we’ll help you find the best fit.
