MX Series and Gig Home Office Network

Kwisatz
Here to help

MX Series and Gig Home Office Network

When will Meraki build a Home Office tier security router that won't cripple a Gig Internet connection when SPI is enabled?

23 REPLIES 23
JohnD
Getting noticed

As an aside, I'm not sure there's anything that can be disabled to make the MX67/68 push a gigabit. It seems like the appliance is inherently limited at the rated throughput.

PhilipDAth
Kind of a big deal
Kind of a big deal

The MX67 is the closest and is software limited to 450Mb/s.  It can deliver 450Mb/s with everything enabled.

Johnfnadez
Building a reputation

Where Can I see the ability to handle traffic regarding the feautures that I have enabled in my MX?

Regards,
Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA

The MX Sizing Guide is the best reference for this info: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

I've found that the "Max Stateful (L3) firewall throughput in NAT mode " number to be an extremely accurate top limit of the best throughput you'll ever see out the WAN side of the MX.

Meanwhile, the "max throughput with all features enabled" is a bit pessimistic. In the real world I usually see it performing closer to the former number than the latter number.
Uberseehandel
Kind of a big deal

The reality is that for many domestic installations, another router/security appliance has to be placed ahead of the MX to handle such commonly used services as multicast IPTV and true IPv6. Effectively this diverts some of the used bandwidth away from the MX, which means the under-capacity is less obvious in practice than it is in theory.🤓

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

If you have disabled the advanced security features (AMP and IPS) you still have to make sure your uplink speed is set correctly in the traffic shaping page.

If that parameter is set lower to your actual max bandwidth your MX will enforce the configured speed by shaping to it.  That's how the MX can correctly calculate bandwidth for it's CBWFQ config.

JohnD
Getting noticed

Unfortunately you can't set the max bandwidth above the rated bandwidth of the appliance. With a gigabit circuit I never saw more than about 460-470mbit out of my MX68.
burnz
Getting noticed

Hope there will be something like a MX69 which will support for 1Gig WAN with full IPv6 and maybe a fiber sfp for internet uplink 🙂

 

As a MX250 is way too expensive for my home setup, while there is a need for these high download and upload speeds..

Agreed, an MX250 is way overkill feature wise for a home network as well...we just need a simple, even a new 70 series, that would address at least 1 Gig WAN w/SFP and stateful firewall...the rest of the stuff could fall in line feature wise with the rest of portfolio

Looking at something like the Firewalla Pro that is plastered all over my Facebook timeline, it claims to do 3 Gbps with DPI/Stateful inspection...I feel like this shouldn't be a huge hurdle to get into the product as a baseline feature...I realize it probably requires a HW respin of some sort, but Meraki is falling behind in the MVO feature list for HO/SMB devices, and the coming ubiquity of Gig internet connections...

AnythingHosted
Building a reputation

I've had a similar problem for a client. 


We have put in a full stack at both his delis and loves the dashboard (albeit read only). All the till guys said that a site-to-site VPN would never work (to link the pricing etc between the venues) -but it did just work!

 

We wanted to put in an MX and also MS/MR into his house so that he could update the tills without the need for RDP and generally improve his home network. The problem was he has 1Gbps up and down at home and laughed when I said it was only the MX250 that could supply the speed. Even suggested perhaps MX100. No idea why he needs 1Gbps, but that's another story. 

 

We have ended up ordering a Z3 for him at home and the desktop used for RDP will simply be plugged into that and used to connect to the two sites. The downside for us (and Meraki) is that we could have another full stack order. 

Honestly I would be totally happy with just being to get 1gbit symmetric NAT/L3 FW performance, and accept the tradeoff that the speeds are the currently quoted MX67/68 speeds if I turn on IDS, AMP, or use site to site VPN. It's understandable why the latter features require significant computational power in order to reliably push 1gbit, but 1gbit NAT is something easily achievable on the ARM chips that are used for the MX67/68 -- in fact, there are plenty of pro-sumer products that can do this.

 

At-home use cases for 1gbit are almost always about download speeds. It is the difference between a Windows 10 installer downloading in 2 minutes or 5 minutes. Or a Xbox video game title downloading in 10 minutes vs 20 minutes. That's something that consumers appreciate, especially when in a lot of places, fiber to the premise gigabit is being offered at a lower monthly price than 100-200mbit cable internet.

Just for visual reference 😉 

20200429_131356.jpg

burnz
Getting noticed

Any news about a small MX which can handle 500Mbit/s+ ?

Well, I just got an upgrade from my ISP that bumps me over 500mbps, it's now become critical to have a SOHO focused security device that can handle SOHO Gigabit speeds...Any news yet??  Bueller...? Bueller...?

There is a sea change happening that may simplify a Meraki firewall so it could work at 1gbps.

 

Due to encrypted web pages and soon encrypted DNS, it may be more cost effective to do little to no inspection in the firewall, and use a service like Umbrella do do the heaving lifting, and a capable EDR system for additional client protection.

 

 

Dave Anderson

Google Fiber to offer 2 Gig internet for $100 a month starting this year!

 

https://www.theverge.com/2020/9/15/21437958/google-fiber-2-gig-gbps-internet-nashville-huntsville-sp...

Dave Anderson
Kwisatz
Here to help

Just turning the soil to keep it fresh... 🙂

https://hothardware.com/news/google-fiber-your-own-wi-fi-router-requirements

 

And another reason Meraki should have a secure, higher bandwidth option in the wings...

My Charter Business drep says Charter can give me 960 mbps.  It is too expensive for me, but it is available!

 

That said, the job of a firewall has gotten even harder with encrypted DNS.

Dave Anderson
cmr
Kind of a big deal
Kind of a big deal

Don't worry, the new high speed services are probably IPv6 only 😉

...also ouch...

SonicWall recently announced MultiGig firewalls.  The TZ firewall 470 has 1.5 GBPS Threat protection throughput and Zero Touch deployment through their cloud based single pane of glass interface.  They are still missing the ease of use that Meraki has.

 

The tea leaves are pointing in different directions due to Covid19, but we will eventually go back to offices and MutiGig is becoming a reality.

 

-Dave

Dave Anderson
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels