OVERKILL
$100 Site Donor 2021
I've had this in service for about 6 months now and am extremely impressed with its performance, configurability as well as the visibility provided for threats that it has blocked. I'm not going to delve into all of the features here, as this is just a basic review, but some that may be of interest are:
- AMP - Advanced Malware Protection (details on this can be found here: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection )
- Content filtering, which includes web search filtering and the ability to restrict Youtube content
- Access Control - Allows you to use a click-through portal or authentication via Facebook or 3rd party credentials. Good for if you were hosting guest WiFi
- Site-to-site and Client VPN capabilities
- Wireless Concentrator
- VLAN's
- Per-client bandwidth limitations as well as schedules to control who can have access when. I use this for kicking my kids off the Internet in the evening during the school year.
Cisco/Meraki spec the hardware quite differently from the typical Cisco ASA or ISR products. These MX devices are WAN speed limited to give themselves generous headroom to handle all services enabled simultaneously while having next to no impact on traffic speed. What this means is that one needs to be careful to properly select a device appropriate to the not only currently available WAN speeds, but to what may be in place during the service life of the device.
With respect to the specs of this device in particular:
https://meraki.cisco.com/products/appliances/mx64
- 250Mbit WAN throughput (software limited)
- 100Mbit VPN throughput
- 1x (2x) Gigabit WAN ports
- 4x (3x) Gigabit LAN ports (one can be separated as a 2nd WAN link)
- Cellular failover
It is also available with integrated wireless, which I did not opt for, as I use a separate access point. The device is quite compact and runs cool. It has a very "Apple-esque" appearance to it, with only the one multi-coloured LED on the front to indicate status.
This device was a breeze to configure when compared to an ISR or ASA. My home LAN setup is pretty basic:
ISP provided modem -> MX64 Firewall -> Cisco 2960S PoE Gigabit switch -> HP Aruba 207 Access Point + clients
I run 3x VLAN's, one for my and my wife's stuff, one for computers I bring home to work on/guests, which is locked down pretty hard, and one for the kids. OpenDNS/Umbrella is used in conjunction with the firewall functions of the device to increase the security/configurability. Typical client load on the device is 25-30.
This is a screen cap of what one sees in the Security Centre when events are present:
Pros:
- This device is an excellent SMB offering and given that it doesn't require extensive network knowledge to configure and operate, means your typical IT Tech should have no problem installing and configuring it, unlike with an ASA, SSG, Firepower....etc.
- It provides a "robust enough" suite of features that it should be a security upgrade for most, provided the appropriate services are purchased as part of the subscription.
- Price of the unit itself is not ridiculous, and the subscription prices aren't awful.
- Cloud managed means you can keep an eye on your network(s) from anywhere
- 2-factor authentication for management
- Can be integrated into a "service provider" portal giving you a birds eye view of your network, company or entire organization.
Cons:
- Lack of SSL VPN means that this is not a drop-in replacement for an ASA or other device that serves up something similar to AnyConnect
- If your license lapses, the device will cease to pass traffic after 30 days. Means there really isn't a used market for these once they are EOL, as the subscription price would make it unappealing.
- Software limit on throughput means that for locations with high bandwidth relative to user base, they are forced to spend a lot more money than should be necessary if they aren't buying the whole security suite license or using VPN's.
- No DNS proxy means you don't have insight into queries unless you are using an internal DNS server or using something like OpenDNS
Overall, I think there is definitely a market for these devices and I expect Cisco will do quite well with this arm of their brand.
![[Linked Image from meraki.cisco.com]](https://meraki.cisco.com/img/products/appliances/mx64/mx64-mantle.jpg)
![[Linked Image]](https://www.bobistheoilguy.com/forums/attachments/usergals/2019/09/full-21028-36197-meraki_security_centre_01.jpg)