Product basics and selection

What are the Cisco Meraki MX67 and MX68 security appliances?

The MX67 and MX68 are cloud-managed security and SD-WAN appliances designed for small businesses and remote branch offices supporting up to 50 users. They combine next-generation firewall, VPN, content filtering, and intrusion prevention in compact, fanless devices managed entirely through Meraki's cloud dashboard. Both models deliver 700 Mbps firewall throughput and 400 Mbps site-to-site VPN performance, eliminating the need for on-premises controllers or complex configurations.

Which businesses are the MX67 and MX68 best suited for?

These appliances are ideal for small remote locations, distributed branch offices, and sites requiring cellular failover for business continuity. Organizations with up to 50 connected devices per location benefit most from these models. They're particularly valuable for businesses needing simplified cloud management across multiple sites, reliable SD-WAN connectivity with unreliable ISPs, or all-in-one security without dedicated IT staff at each location.

What's the main difference between the MX67 and MX68 models?

The MX68 offers significantly more connectivity with 12 total ports versus the MX67's 4-5 ports, including 2 dedicated PoE+ ports capable of powering access points, phones, and cameras with 60W total budget. The MX67 has a smaller footprint (9.4" width) and lower power draw (18W), making it ideal for very small locations. Performance specifications—including 700 Mbps firewall throughput and 50 VPN tunnels—remain identical across both models, so your choice depends primarily on port density and PoE requirements.

How do I choose between the base, wireless, and cellular model variants?

Start with your connectivity needs: choose cellular models (MX67C or MX68CW) if you need LTE failover, wireless models (MX67W or MX68W) if you want built-in WiFi to reduce equipment, or base models (MX67-HW or MX68-HW) for wired-only deployments. The MX68CW combines all features—cellular, wireless, and PoE—in one device, while MX67 series separates these as distinct models. Consider that wireless models support up to 4 SSIDs with 802.11ac Wave 2 at 1.3 Gbps maximum data rates.

What part numbers do I need for North American cellular deployments?

For North American cellular connectivity, specify MX67C-HW-NA for the MX67 series, which includes LTE bands 2, 4, 5, 12/17, 13, and 29 certified for Verizon, AT&T, T-Mobile, Bell Canada, Telus, and Rogers. The MX68CW uses the worldwide variant (MX68CW-HW-WW) that supports different LTE bands. All cellular models require a nano-SIM card purchased separately from your chosen carrier and include a SIM tray with ejector tool in the box.

Technical specifications and performance

What firewall and VPN throughput can I expect from these appliances?

Both models deliver 700 Mbps stateful firewall throughput in NAT mode and passthrough configurations, with 400 Mbps maximum VPN throughput for site-to-site connections. When enabling advanced security features like IDS/IPS and AMP malware protection simultaneously, expect 300 Mbps throughput. They support up to 50 concurrent VPN tunnels (site-to-site or client VPN) and can handle 50 recommended maximum LAN clients, making them suitable for internet connections up to 400-700 Mbps depending on security features enabled.

What network interfaces do the MX67 and MX68 provide?

The MX67 includes 1 dedicated GbE WAN port and 3 dedicated GbE LAN ports, plus 1 convertible port that can function as either WAN or LAN depending on your configuration. The MX68 provides 2 dedicated GbE WAN ports and 10 GbE LAN ports (8 standard + 2 with PoE+). All Ethernet ports are Gigabit RJ45 connections. Both models include a USB port for third-party 3G/4G modems, though this support is being deprecated with security vulnerability support ending April 2024 and full support ending June 2026.

Does the MX68 support Power over Ethernet for access points and phones?

Yes, the MX68, MX68W, and MX68CW models include 2 GbE LAN ports with 802.3at PoE+ capability, each delivering up to 30W with a 60W total PoE budget. This eliminates the need for separate PoE injectors or unmanaged PoE switches when powering Meraki access points, IP phones, security cameras, or other PoE-enabled devices. The MX67 series does not offer any PoE capability, so you'd need external PoE equipment for those models.

Can these appliances handle wireless connectivity without separate access points?

The wireless variants (MX67W, MX68W, MX68CW) include built-in 802.11ac Wave 2 radios with dual-band 2.4 GHz and 5 GHz support, 2x2 MU-MIMO, and maximum 1.3 Gbps data rates. They support up to 4 SSIDs with integrated enterprise security and guest access. The MX67W and MX68W use external removable dual-band dipole antennas with RP-SMA connectors, while the MX68CW features fixed non-removable paddle antennas serving both WiFi and LTE. For larger deployments or better coverage, dedicated Meraki access points still provide superior performance.

What cellular bands and carriers are supported on the LTE models?

North American models (MX67C-HW-NA) support FDD-LTE bands 2, 4, 5, 12/17, 13, 29 plus HSPA+ bands 2, 4, 5, certified for Verizon, AT&T, T-Mobile, Bell Canada, Telus, and Rogers. Worldwide models (MX67C-HW-WW, MX68CW-HW-WW) support different LTE bands including 1, 3, 7, 8, 20, 26/5, 28A/B and TD-LTE bands, certified for carriers including Orange, Vodafone, Telstra, and others. All cellular models use CAT 6 LTE modems with 300 Mbps maximum throughput and support custom APN configuration.

Deployment and management

How difficult is it to set up and deploy these security appliances?

Setup is remarkably simple with zero-touch provisioning—just connect the appliance to power and internet, and it automatically registers with your Meraki Dashboard account. The 100% cloud-managed architecture means no on-premises controller, no complex CLI commands, and no manual firmware management. Configuration happens entirely through the intuitive web-based dashboard with real-time changes pushed to the device. Most deployments are fully operational within 30 minutes, and remote sites can ship pre-configured appliances to non-technical staff for plug-and-play installation.

What licensing is required and what does it include?

These appliances require per-device, per-year licensing available in two tiers: Enterprise License (base features) and Advanced Security License (adds content filtering, IDS/IPS, and AMP malware protection). Licenses are available in 1, 3, 5, 7, and 10-year terms. Every license includes the limited lifetime hardware warranty, 24/7 enterprise support, automatic firmware upgrades, cloud dashboard access, and all feature updates at no extra cost. The device won't function without an active license, so ensure licensing before deployment.

Can I manage multiple MX appliances across different locations from one dashboard?

Absolutely—centralized management is a core Meraki advantage. A single cloud dashboard provides unified control over all your MX security appliances, switches, and wireless access points across unlimited locations worldwide. You get real-time visibility into network topology, automatic configuration rollouts, template-based deployments, and organization-level security monitoring through the Meraki Security Center. This eliminates the need to VPN into individual sites for management and enables consistent security policies across your entire distributed network.

Warranty and support

What warranty coverage comes with the MX67 and MX68 appliances?

Cisco Meraki provides a limited lifetime hardware warranty at no additional cost, with advanced next-day replacement service included. The warranty coverage extends through the product's lifetime, which ends concurrently with the End-of-Support (EOST) date per Meraki's End of Life Policy. This non-transferable warranty begins on the date hardware ships to the original purchaser. Accessories receive a 1-year warranty. Additionally, your license subscription includes 24/7 enterprise support, phone support, and automatic firmware upgrades throughout the license term.

How quickly can I get a replacement if my appliance fails?

Meraki's warranty includes advanced next-day replacement for failed hardware. When you report a hardware failure to Meraki support, they immediately ship a replacement appliance overnight before you return the defective unit. The replacement arrives pre-configured with your settings thanks to cloud management, minimizing downtime. Once the replacement is connected, your configuration automatically syncs from the dashboard. This advance replacement program—included at no extra cost—ensures business continuity without maintaining spare hardware inventory.

Regulatory compliance and export

What are the HS and HTS tariff codes for customs and import duties?

For international shipping and customs classification, these appliances use Harmonized System code 8517.62 (internationally) or US HTS code 8517.62.00.20, classified as "Switching and Routing Apparatus" under telecommunications equipment. Some customs databases may also list alternative codes like 8517.69.90 or 8517.62.90 depending on the destination country. These codes fall under heading 8517 covering apparatus for transmission or reception of voice, images, or data. Consult your licensed customs broker for specific country tariff rates and requirements.

What is the ECCN export control classification for these devices?

The MX67 and MX68 series are typically classified under ECCN 5A992.c (telecommunications equipment with mass market encryption) based on standard Cisco Meraki product classifications. This classification qualifies them for License Exception ENC under EAR 740.17, meaning No License Required (NLR) for exports to most destinations. Products controlled under 5A992.c can generally be exported to civilian, commercial, and most government end users without individual export licenses. For specific part number verification, use Cisco's PEPD (Public Export Product Data) tool with your exact model numbers.

Are there any export restrictions or prohibited destinations for these appliances?

Yes, these products cannot be exported to Cuba, Iran, North Korea, Syria, or the Crimea, Donetsk, and Luhansk regions of Ukraine due to U.S. export control regulations. Additional export licenses may be required for certain government entities in restricted countries or for parties listed on denied party lists (BIS Lists of Parties of Concern). Before exporting, always screen all parties against current denied party lists and verify current sanctions. These are commercial products not subject to ITAR (International Traffic in Arms Regulations) and are controlled exclusively under EAR.

Use cases and applications

What security features protect my network with these appliances?

Both models provide comprehensive Layer 3/7 stateful firewall, application-based firewalling, and geo-based blocking as baseline features. With an Advanced Security License, you gain Cisco AMP (Advanced Malware Protection) for blocking malicious file downloads, SNORT-based IDS/IPS with Cisco Talos threat intelligence, and category-based content filtering with custom allow/block lists. Additional features include Auto VPN for zero-touch site-to-site connectivity, client VPN endpoint, 1:1 and 1:Many NAT, Active Directory integration, and Layer 7 application fingerprinting for granular traffic control.

Can these appliances provide reliable failover for business-critical connections?

Yes, automatic WAN failover is a core SD-WAN capability with dual WAN uplinks on both models. The cellular variants (MX67C, MX68CW) add LTE failover with CAT 6 modem (300 Mbps max) that can function as backup or—with firmware MX16.2+—as a primary uplink. The appliances continuously monitor link health and automatically switch to backup connections within seconds when primary links fail. Policy-based routing and application-aware routing optimize traffic distribution across multiple uplinks, while quality of service (QoS) ensures business-critical applications maintain performance during failover events.

How do these compare to other models in the Meraki MX family?

The MX67/68 series sits in the mid-range of the MX family with 700 Mbps firewall throughput, positioned above the MX64 series (250 Mbps) and below the MX84 (500 Mbps) and MX100 (750 Mbps) rack-mount models. For higher performance, the MX250 delivers 4 Gbps and MX450 provides 6 Gbps. Choose MX67/68 for branch offices with 50 users and internet connections up to 400-700 Mbps. The compact desktop/wall-mount form factor differentiates these from rack-mount enterprise models. If your utilization consistently exceeds 85% during normal operation, consider upgrading to a higher-throughput model.

Implementation Note for Developers

This FAQ section should be implemented with JSON-LD schema markup for enhanced search engine visibility. Include FAQPage structured data in the page head, and use semantic HTML5 elements (section, h2, h3) for proper content hierarchy. Consider implementing an accordion/collapsible format for mobile optimization while ensuring all content remains accessible to search engines.