Cisco Meraki MX64
Cisco Meraki MX64: a compact, cloud-managed security appliance.
Basic Information
- Model: MX64 (also available as MX64W for wireless variant)
- Version: Cloud-managed security appliance
- Release Date: 2015
- Minimum Requirements: Internet connection (20 Mbps down, 10 Mbps up recommended), DHCP enabled on upstream router/modem for initial setup.
- Supported Operating Systems: Managed via Cisco Meraki Dashboard (web-based).
- Latest Stable Version: MX18.1 firmware is the maximum running build for MX64 platforms. MX 18.2 and above firmware builds are not supported.
- End of Support Date: July 26, 2027
- End of Life Date: The product was End-of-Sale on July 26, 2022.
- Auto-update Expiration Date: Not explicitly stated, but firmware updates are automatic as long as the device is licensed and supported.
- License Type: Per-device, per-year licensing. Available in Enterprise, Advanced Security, and Secure SD-WAN Plus tiers.
- Deployment Model: Cloud-managed, requiring connection to the Meraki cloud for centralized management and control.
The Cisco Meraki MX64 is an enterprise security appliance designed for distributed deployments and small branch networks, offering remote administration through the Cisco Meraki Dashboard. It was released in 2015 and has reached its end-of-sale date, with end-of-support scheduled for July 26, 2027. The device operates on a cloud-managed model, requiring an annual license for functionality, support, and firmware updates. The MX64 supports firmware up to version MX18.1.
Technical Specifications
- Processor: Purpose-built for cloud management, with CPU resources designed for application and content-aware security.
- RAM: Memory resources designed for application and content-aware security.
- Storage: Settings are stored locally.
- Display: LED indicators on the front panel for status.
- Ports:
  - WAN: 1 x Gigabit Ethernet RJ45 (dedicated), 1 x USB (for cellular failover).
  - LAN: 4 x Gigabit Ethernet RJ45 (one can be repurposed for WAN).
  - Management: 1 x USB (for 3G/4G wireless cards).
- Operating System: Meraki's proprietary cloud-managed OS.
- Dimensions (W x D x H): 9.5 x 5.2 x 1 inch (239mm x 132mm x 25mm).
- Weight: 1.61 lb (0.7 kg) or 3.09 lbs (1.4 kg).
- Power Supply: 30W DC (MA-PWR-30WAC).
- Power Load (idle/max): 4W / 10W.
- Operating Temperature: 32°F - 113°F (0°C - 45°C) or 32°F to 104°F (0°C to 40°C).
- Humidity: 5% to 95% (non-condensing).
The MX64 is a compact, fanless appliance designed for desktop or wall mounting. It features multiple Gigabit Ethernet ports for flexible WAN and LAN connectivity, including a USB port for 3G/4G cellular failover. The hardware is optimized for cloud management, ensuring efficient processing for security and network services.
Support & Compatibility
- Latest Version: MX18.1 firmware.
- OS Support: Managed via the web-based Cisco Meraki Dashboard.
- End of Support Date: July 26, 2027.
- Localization: Not explicitly detailed, but the cloud dashboard is accessible globally. Power cords are region-specific.
- Available Drivers: Not applicable, as it is a network appliance managed via a web interface.
The MX64 is a cloud-managed device, meaning its functionality and support are intrinsically linked to the Meraki cloud. It receives automatic firmware upgrades and security patches as long as it is under a valid license and within its support window. The end-of-support date is July 26, 2027, after which active support, firmware updates, and security patches will cease. The device is managed entirely through the Cisco Meraki Dashboard, which provides a centralized interface for configuration and monitoring.
Security Status
- Security Features: L3/L7 Stateful Firewall, Geo-based firewall rules, 1:1 and 1:Many NAT, Meraki AutoVPN, L2TP/IPSec VPN endpoint, Active Directory integration, Content Filtering, Malware Protection (AMP) with optional Threat Grid integration, IDS/IPS protection (SNORT engine), Custom Traffic Shaping, Web search filtering (Google SafeSearch, YouTube for Schools), SD-WAN capabilities, Client VPN (IPsec), User and device quarantine.
- Known Vulnerabilities: Not specifically listed in public documentation, but regular firmware updates address potential issues.
- Blacklist Status: Not applicable.
- Certifications: PCI 3.0 compliance for intrusion prevention.
- Encryption Support: 128-bit AES for VPN tunnels.
- Authentication Methods: Active Directory integration, Client VPN (IPsec).
- General Recommendations: Requires an Advanced Security License for full UTM features like Content Filtering, SNORT-based IDS/IPS, and Cisco Advanced Malware Protection (AMP).
The MX64 offers a comprehensive suite of security features, positioning it as a Unified Threat Management (UTM) solution. It includes a stateful firewall, intrusion detection/prevention (IDS/IPS) powered by the SNORT engine, advanced malware protection (AMP), content filtering, and VPN capabilities. The device integrates with Active Directory for identity-based policies and supports 128-bit AES encryption for VPNs. While specific known vulnerabilities are not publicly detailed, the cloud-managed nature ensures automatic firmware and security signature updates, crucial for maintaining a strong security posture. Full advanced security features require an Advanced Security License.
Performance & Benchmarks
- Benchmark Scores:
  - Stateful Firewall Throughput: 250 Mbps.
  - Advanced Security Throughput: 200 Mbps.
  - Maximum VPN Throughput: 70 Mbps to 100 Mbps.
  - Maximum Concurrent VPN Tunnels: 50. Some sources state 25.
- Real-World Performance Metrics: Capable of routing and protecting data even with large payloads without slowing down. Real-world tests with advanced security features enabled show speeds around 250 Mbps down and 45 Mbps up.
- Power Consumption: Idle: 4W / Max: 10W.
- Carbon Footprint: Not specified in available documentation.
- Comparison with Similar Assets: Designed for small branch deployments, supporting up to 50 recommended clients. Replaced by the MX67 model.
The MX64 delivers a stateful firewall throughput of 250 Mbps and an advanced security throughput of 200 Mbps, making it suitable for small branch offices with up to 50 users. VPN throughput ranges from 70 to 100 Mbps, supporting up to 50 concurrent VPN tunnels. Real-world performance indicates it maintains high speeds even with security features enabled. Its low power consumption of 4W idle and 10W max highlights its energy efficiency. The MX64 is designed for environments where ease of deployment and cloud-managed security are priorities, offering a robust solution for its target segment.
User Reviews & Feedback
Users generally praise the Cisco Meraki MX64 for its ease of deployment and cloud-managed simplicity. The Meraki Dashboard is highlighted as intuitive, allowing for quick setup and remote management without extensive IT expertise. Strengths include its comprehensive suite of security features, such as intrusion prevention, anti-malware, and content filtering, which are easily configurable. The AutoVPN technology for site-to-site VPNs is also frequently cited as a significant advantage, simplifying branch connectivity. Its small form factor and desktop/wall-mount options are appreciated for flexible placement.
However, a common weakness noted is the dependency on the Meraki cloud license; without an active license, the device ceases to function. Some users also point out that while throughput is adequate for small branches, it may not scale for larger environments, necessitating an upgrade to higher-end MX models. The end-of-sale status and upcoming end-of-support date mean that new deployments should consider the successor MX67.
Recommended use cases include small branch offices, retail locations, and educational institutions with limited IT staff, where centralized management and robust, easily deployable security are critical. It is particularly well-suited for organizations seeking a Unified Threat Management (UTM) solution that simplifies network administration.
Vulnerabilities
- CVE-2025-20212
Published: 2025-04-02 - Updated: 2025-04-07 - CVSS: 7.7 - EPSS: 0.14%
A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must have valid VPN user credentials on the affected device.
This vulnerability exists because a variable is not initialized when an SSL VPN session is established. An attacker could exploit this vulnerability by supplying crafted attributes while establishing an SSL VPN session with an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN sessions and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.
Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers without manual intervention.
- CVE-2024-20513
Published: 2024-10-02 - Updated: 2025-06-04 - CVSS: 5.8 - EPSS: 0.30%
A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition for targeted users of the AnyConnect service on an affected device.
This vulnerability is due to insufficient entropy for handlers that are used during SSL VPN session establishment. An unauthenticated attacker could exploit this vulnerability by brute forcing valid session handlers. An authenticated attacker could exploit this vulnerability by connecting to the AnyConnect VPN service of an affected device to retrieve a valid session handler and, based on that handler, predict further valid session handlers. The attacker would then send a crafted HTTPS request using the brute-forced or predicted session handler to the AnyConnect VPN server of the device. A successful exploit could allow the attacker to terminate targeted SSL VPN sessions, forcing remote users to initiate new VPN connections and reauthenticate.
Summary
The Cisco Meraki MX64 is a cloud-managed security appliance designed for small branch offices and distributed deployments, offering a comprehensive Unified Threat Management (UTM) solution. Its primary strength lies in its ease of deployment and management through the intuitive Meraki Dashboard, enabling remote configuration and monitoring with minimal IT overhead. Key features include a stateful firewall, IDS/IPS (powered by SNORT), advanced malware protection (AMP), content filtering, and robust VPN capabilities with 128-bit AES encryption. The device provides a solid performance profile for its target audience, with a stateful firewall throughput of 250 Mbps and advanced security throughput of 200 Mbps, supporting up to 50 concurrent VPN tunnels and 50 recommended clients. Its low power consumption and compact design further enhance its appeal for small environments.
However, the MX64 has reached its end-of-sale date (July 26, 2022), with end-of-support scheduled for July 26, 2027. This means that while existing devices will continue to be supported for a period, new deployments should consider its successor, the MX67. A significant aspect of the Meraki ecosystem is its mandatory per-device, per-year licensing model, which is essential for device functionality, cloud management, and access to support and automatic firmware updates. Without an active license, the device ceases to operate.
Overall, the MX64 is a capable and user-friendly security appliance for organizations prioritizing simplified, cloud-based network security and management. Its integrated feature set reduces the need for multiple appliances, streamlining network services. For continued support and access to the latest features, users should be aware of its end-of-life cycle and plan for migration to newer hardware.
