Summary: Defines approved hardware models, HA posture, licensing terms, and sizing guidance for firewalls, SD-WAN appliances, switching, and wireless access points across all managed sites.
| Field | Value |
|---|---|
| Author | Mike Jones |
| Owner | Network Team |
| Status | Approved |
| Version | 1.0 |
| Last Reviewed | 2026-04-29 |
| Review Due | 2027-04-29 |
| Approver | Mike Jones |
| Approved Date | 2026-04-29 |

| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | 2026-04-29 | Mike Jones | Approved — promoted from draft to STN-001 |
| 0.6 | 2026-04-28 | Mike Jones | Fixed ToC anchor links — wiki.js prefixes digit-starting anchors with h- |
| 0.5 | 2026-04-28 | Mike Jones | Switched ToC links to Obsidian native heading format; fixed anchor links for wiki.js |
| 0.4 | 2026-04-28 | Mike Jones | Added numbered headings and table of contents |
| 0.3 | 2026-04-28 | Mike Jones | Added spacing between sections for readability |
| 0.2 | 2026-04-28 | Mike Jones | Requirements reformatted from numbered list to bullets |
| 0.1 | 2026-04-28 | Mike Jones | Initial draft |
This standard defines the approved hardware models, high-availability posture, licensing requirements, and sizing criteria for network infrastructure equipment across all managed sites. It exists to ensure consistent, supportable, and fit-for-purpose deployments and to guide procurement decisions.
This standard applies to all network infrastructure procurement at managed sites, including firewalls, SD-WAN appliances, campus switching, and wireless access points. It covers both new deployments and like-for-like replacements.
Out of scope: end-user devices, consumer-grade equipment, cloud compute infrastructure, and third-party or partner-managed network equipment not under direct operational control.
| | FTD1220CX | FTD1230 |
|---|---|---|
| Deployment | Small / medium sites | Large sites (DC, CNX, VPN headends) |
| Form factor | Desktop (shelf mount) | 1U rack |
| HA | Recommended where budget permits | Mandatory |
| Licensing | TC, 3-year term | TC, 3-year term |
| Firewall throughput | 15 Gbps | 18 Gbps |
| IPS throughput | 1.13 Gbps | 9–12 Gbps |
| TLS inspection throughput | 1.5 Gbps | 2.5 Gbps |
| Concurrent connections | 300,000 | — |
| Max RA VPN clients | 300 | 500 |
| Ports | 8 (mix of 10G SFP+ and 1G RJ45) | 1G/10G interfaces (1U) |
Reference: Cisco Secure Firewall 1200 Series Datasheet
| | MX75 | MX95 | vMX Large |
|---|---|---|---|
| Deployment | Small / medium sites | Large sites | Cloud (AWS, Azure, GCP) |
| Form factor | Desktop (shelf mount) | 1U rack | Virtual appliance |
| HA | Recommended where budget permits | Mandatory | Not supported |
| HA notes | Edge switch segregation required between ISP edge and network core | — | — |
| Licensing | SD-WAN, 3-year | SD-WAN, 3-year | SD-WAN, 3-year |
| Sizing note | — | — | LARGE only — cannot be upgraded in place; must be replaced if undersized |
| Firewall throughput | 1 Gbps | 3 Gbps | 1 Gbps |
| VPN throughput | 1 Gbps | 2.5 Gbps | 1 Gbps |
| NGFW/AMP throughput | 1 Gbps | 2 Gbps | 1 Gbps |
| Max S2S VPN tunnels | 75 | 500 | 1,000 |
| Max concurrent clients | 200 | 500 | — |
| WAN ports | 3 (1× SFP + 2× RJ45 GbE) | 4 (2× SFP+ 10G + 2× RJ45 2.5G) | N/A |
Reference: Meraki MX Family Datasheet
| | C9300-48P-M | C9300-24P-M | C9300X-12Y-M | C9300X-24Y-M |
|---|---|---|---|---|
| Access ports | 48× 1G PoE+ RJ45 | 24× 1G PoE+ RJ45 | None | None |
| Uplink ports | Modular (8× 10G SFP+ standard) | Modular (8× 10G SFP+ standard) | 12× 25G SFP28 | 24× 25G SFP28 |
| PoE budget (single PSU) | 437W | 445W | None | None |
| PoE budget (dual PSU) | Up to 1,440W | Up to 720W | None | None |
| Switching capacity | 256 Gbps | 208 Gbps | 1,000 Gbps | 2,000 Gbps |
| Forwarding rate | 190 Mpps | 155 Mpps | 744 Mpps | 1,488 Mpps |
| Stacking technology | StackWise-480 | StackWise-480 | StackWise-1T | StackWise-1T |
| Stacking bandwidth | 480 Gbps | 480 Gbps | 1 Tbps | 1 Tbps |
| PSU | Dual, standard | Dual, standard | Dual, standard | Dual, standard |
| Form factor | 1U | 1U | 1U | 1U |
| Suitable for | Sites with up to ~12–14 access stacks | Sites with up to ~12–14 access stacks | Very large sites or SFP28 server connections | Very large sites or SFP28 server connections |
Where C9300X-M series is required for SFP+/SFP28 density, a mixed stack may be advisable — the C9300-M provides 1G RJ45 access ports alongside C9300X-M SFP+/SFP28 uplink capacity. The C9300X-M models have no access ports of their own; they function purely as aggregation/uplink switches.
⚠️ Model Verification Required
The MS150-24FP-4X listed in this standard may not exist as a shipping product. The documented 24-port MS150 variants are the MS150-24P-4X (370W PoE) and MS150-24MP-4X (multi-gig). Verify the correct model number before ordering.
| | C9200L-48P-4X-M | C9200L-24P-4X-M | MS150-48FP-4X | MS150-24FP-4X | MS130 (8/12 port) |
|---|---|---|---|---|---|
| Access ports | 48× 1G PoE+ RJ45 | 24× 1G PoE+ RJ45 | 48× 1G PoE+ RJ45 | 24× 1G PoE+ RJ45 | 8 or 12× 1G RJ45 PoE+ |
| Uplink ports | 4× 10G SFP+ | 4× 10G SFP+ | 4× 10G SFP+ | 4× 10G SFP+ | 2× 1G or 10G SFP/SFP+ |
| PoE budget | 740W (single PSU) | 370W (single PSU) | 740W | 370W | 120–240W |
| Switching capacity | 176 Gbps | 128 Gbps | 176 Gbps | 128 Gbps | 20–76 Gbps |
| Stacking bandwidth | 80 Gbps | 80 Gbps | 80 Gbps | 80 Gbps | None |
| PSU | Dual | Dual | Single | Single | Single |
| PoE | Mandatory | Mandatory | Mandatory | Mandatory | — |
| Stacking | Always buy stacking kit, even for a single switch | Always buy stacking kit, even for a single switch | Always buy 80Gb/s stack cables, even for a single switch | Always buy 80Gb/s stack cables, even for a single switch | Not supported |
| Form factor | 1U | 1U | 1U | 1U | Desktop / wall mount |
| Use case | Standard access layer | Standard access layer | Cost-reduced access layer | Cost-reduced access layer | Space-constrained locations |
| Notes | Dual PSU provides resilience | Dual PSU provides resilience | Single PSU is accepted risk | Single PSU is accepted risk | Do not deploy 24- or 48-port MS130 variants |
None of the access switch models above support Multi-Gigabit Ethernet (2.5G/5G) on access ports. If the CW9164I-MR is adopted as the standard AP, MGIG-capable access switches will be required to make full use of its 2.5G uplink. This must be factored into the wireless AP review before the AP standard is agreed.
Reference: Meraki MS Family Datasheet
⚠️ Pending Review
The wireless AP standard has not yet been agreed. Specifications for the CW9164I-MR are included below as a reference point for discussion. A review is needed to confirm whether to standardise on the 9164 or an alternative platform.
| Specification | Detail |
|---|---|
| Wi-Fi standard | Wi-Fi 6E (802.11ax) |
| 2.4 GHz radio | 2× 2:2 MIMO |
| 5 GHz radio | 4× 4:4 MIMO |
| 6 GHz radio | 4× 4:4 MIMO |
| Aggregate throughput | 7.49 Gbps |
| Additional radios | Dedicated tri-band scanning radio (WIDS/WIPS); Bluetooth 5.1 LE |
| PoE requirement | 802.3bt preferred (25W without USB, 30.5W with USB); 802.3at supported |
| Uplink port | 1× 2.5G mGig RJ45 (100M / 1G / 2.5G) |
| Antenna | Internal omnidirectional (3 dBi @ 2.4 GHz, 5 dBi @ 5 GHz, 4 dBi @ 6 GHz) |
| USB | 1× USB 2.0 Type-A (4.5W, for third-party integrations) |
| Form factor | Ceiling mount — 241 × 241 × 57 mm |
| Management | Meraki dashboard |
The 2.5G uplink means the CW9164I-MR will be limited to 1G throughput on any access switch that does not support MGIG. At high client density this may become a bottleneck.
The FTD1220CX and FTD1230 are Cisco's current-generation 1RU firewall platforms in the 1200 series. They replace the legacy ASA and older FTD appliances and are fully supported under Cisco's Threat Defence operating model. The 1230 is selected for large sites due to its significantly higher IPS throughput (9–12 Gbps vs 1.13 Gbps) and larger RA VPN client capacity.
The MX75 and MX95 are selected as they sit in the mid-range of the Meraki MX portfolio and are appropriately sized for small/medium and large managed sites respectively. The vMX LARGE is the only tier that provides sufficient VPN tunnel capacity (1,000 tunnels) for cloud-hosted deployments.
Catalyst 9300 and 9200 series switches are selected as the campus switching standard because they are Cisco's current-generation enterprise platforms and are certified for Meraki managed mode. The MS150 provides a cost-reduced alternative for access layer deployments where Catalyst capabilities (stacking bandwidth, dual PSU) are not required. The MS130 is limited to 8 and 12-port variants to avoid deploying large Meraki-only access switches without stacking support in environments that require resilience.
Stack limits of four switches per stack are applied to bound the failure domain and remain within practical management constraints.
The CW9164I-MR is the candidate AP platform due to its Wi-Fi 6E capability, dedicated scanning radio, and tri-band support. Final adoption is pending a wireless review.
Deviations from the approved models listed in this standard require written approval from the Network Team lead before procurement. Common grounds for exception include: end-of-availability of a listed model, site-specific physical constraints that preclude a standard form factor, or a project with a defined short lifespan where a lower-tier platform is justified.
Exceptions must be documented in the relevant site's equipment record. No blanket or standing exceptions are permitted.