Cisco Meraki Dashboard Licensing: Enterprise vs Advanced vs Plus

Why Tier Selection Matters More Than You Think

The Cisco Meraki Dashboard is the single management plane for all Meraki devices — access points, security appliances, switches, cameras, and endpoint management. Every Meraki device requires a dashboard-linked licence to function, and the tier of that licence determines which features are available for that device. The tier decision is therefore not just a procurement choice — it determines your network's operational capabilities for the full term of the licence.

Two dynamics make tier selection especially consequential for enterprise buyers. First, Cisco MX licensing editions are applied uniformly across the organisation — you cannot mix Advanced Security and Enterprise licences across different MX appliances in the same organisation. This means a single location requiring Advanced Security features pulls the entire organisation to that tier. Second, tier upsells are one of Cisco's most reliable renewal levers: account teams are incentivised to move buyers from Enterprise to Advanced Security, where the list price premium is 80–100% but the operational justification is often partial at best.

For the full context of how tier selection interacts with renewal negotiation and ELA structure, see our Cisco Meraki licensing and negotiation pillar guide.

MR (Wireless): Enterprise vs Advanced

The MR wireless product line offers two licence tiers. Enterprise is the baseline and covers the full cloud management experience that makes Meraki attractive to begin with: zero-touch provisioning, automatic firmware updates, RF optimisation through Auto RF, VLAN and SSID management, client analytics, guest access portals, and integration with Cisco Identity Services Engine (ISE) for policy enforcement. For the majority of corporate wireless deployments — office buildings, branch offices, retail locations, and warehouses — MR Enterprise is functionally complete.

MR Advanced adds a substantive layer of AI-driven capabilities that are genuinely differentiating in security-sensitive or high-complexity environments. The key additions include adaptive policy for fine-grained microsegmentation, enhanced application visibility and traffic shaping at the application layer, deeper Cisco Umbrella integration for DNS-layer security enforcement, and AI-powered anomaly detection across the wireless estate. Advanced also includes Cisco's Assurance capabilities — proactive monitoring and anomaly detection that can reduce network operations overhead in large, distributed environments.

The upgrade question should be driven by two criteria: does your organisation have genuine application-layer security requirements that the Enterprise tier cannot satisfy, and does your IT team have the capacity to operationalise the Advanced features? Paying for Advanced across a 500-AP estate when the primary use case is corporate internet access and guest Wi-Fi is a significant and unnecessary cost. Conversely, for organisations in regulated industries with SASE deployments or Cisco Umbrella integrations already in scope, Advanced may be the right baseline from the outset.

MX (Security Appliances / SD-WAN): Three Tiers

The MX product line has the most consequential tier structure — and the highest cost differential between tiers. Enterprise, Advanced Security, and Secure SD-WAN Plus each represent materially different capability and cost levels.

MX Enterprise

The Enterprise tier covers Meraki's core SD-WAN and security capabilities: stateful firewall, site-to-site and client VPN, Layer 3/4 traffic policies, DHCP, NAT, and multi-WAN failover. It includes the full Meraki Dashboard management experience and all cloud-management and zero-touch provisioning features. For branch offices with predictable, policy-defined traffic patterns and no requirement for advanced threat inspection, Enterprise is a viable choice — particularly for smaller sites where the Advanced Security premium is hard to justify on a per-site basis.

MX Advanced Security

Advanced Security adds the full Cisco security stack on top of the Enterprise base: intrusion detection and prevention (IDS/IPS) powered by Snort signatures updated hourly, content and URL filtering with customisable categories, Cisco Advanced Malware Protection (AMP) for file reputation and sandboxing, and Cisco Umbrella Secure Internet Gateway integration. The Advanced Security tier also includes application-layer visibility and quality of service controls that are unavailable in the Enterprise tier.

At list price, Advanced Security carries an 80–100% premium over Enterprise for the same MX appliance model — approximately $450–$550 for a three-year MX67 Advanced Security licence versus $225–$275 for Enterprise. This is Cisco's most valuable upsell in the Meraki estate. The commercial justification is that you are essentially buying Cisco's security platform (IDS/IPS, AMP, Umbrella) bundled into the Meraki licensing construct rather than as separate SKUs. Whether this bundling delivers better value than purchasing those security capabilities separately depends entirely on your existing Cisco security investment and the alternative sourcing options available to you. Our Cisco security licensing guide covers this tradeoff in detail.

MX Secure SD-WAN Plus

Secure SD-WAN Plus is the premium MX tier, adding enterprise-grade SD-WAN capabilities including advanced application-aware routing, dynamic path selection, SD-WAN health monitoring and analytics, and deeper integration with Cisco's ThousandEyes network intelligence platform. It is the appropriate choice for organisations building a comprehensive SD-WAN strategy across multi-site and multi-WAN environments where application performance assurance is critical.

The Secure SD-WAN Plus premium over Advanced Security is typically 20–30% at list price. For organisations that have already committed to Cisco's SD-WAN vision and are replacing MPLS with internet-first architectures at scale, the additional capabilities often justify the premium. For organisations whose primary use case is secure internet breakout at branch sites, Advanced Security is likely the right tier.

MS (Switches): Enterprise vs Advanced

The MS switch product line mirrors the MR structure with two tiers, but with an important hardware constraint: the Advanced tier is only available on specific switch models — the MS130, MS150, MS390, and the Catalyst C9300-M and C9200L-M. This means the tier decision for switches is often pre-determined by the hardware you have selected, and upgrading to Advanced may require hardware refresh if your current switches are not Advanced-capable.

MS Enterprise covers the full cloud management and switching feature set: Layer 2/3 switching, VLAN management, QoS, port mirroring, link aggregation, and stacking. For standard campus switching deployments, Enterprise is functionally complete. MS Advanced adds dynamic segmentation through Cisco's Group-Based Policy (GBP) framework, enhanced analytics including synthetic traffic monitoring and adaptive troubleshooting, and tighter integration with Cisco DNA Centre and ISE for policy-based automation. These capabilities are most relevant for organisations building zero-trust network architectures or managing large, complex segmentation policies at scale.

Tier Decision Framework

Use the following criteria to evaluate tier decisions at your next renewal or new deployment:

Tier Negotiation: The Upgrade Push to Expect

At every Meraki renewal, expect Cisco's account team to propose a tier upgrade — particularly from MX Enterprise to Advanced Security or from MR Enterprise to Advanced. This proposal is almost always framed around security posture improvement rather than commercial benefit, and it is often legitimate. The question is not whether the Advanced tier features have value, but whether the full-estate premium is justified when a subset of deployments may be the only locations where those features are actively used.

Before accepting a tier upgrade at renewal, audit which devices are actually using the Advanced or Advanced Security features in the Dashboard telemetry. If feature utilisation data shows that IDS/IPS policies are only deployed at headquarters and two data-centre connected sites, a per-site upgrade for those locations — if the licensing model supports it — is worth exploring. For MX, where the org-wide uniform tier constraint applies, this audit is the basis for a legitimate pushback on a blanket upgrade proposal. Our Cisco licensing advisory team conducts this analysis as part of pre-renewal preparation.

How Tiers Interact with ELA 3.0

When Meraki is included in a Cisco Enterprise Agreement, the tier selection interacts with the ELA Suite pricing in important ways. Suite pricing in ELA 3.0 is based on a total device count and spend commitment across the included products. If you commit to Advanced Security across your entire MX estate in an ELA context, the resulting spend commitment unlocks better Suite-level discounts — but it also locks you into the Advanced Security premium for the full ELA term. Conversely, negotiating down to Enterprise tier across a portion of the estate before entering the ELA reduces the per-device cost but may lower the overall commitment and the associated discount tier.

The optimal tier strategy for ELA inclusion is not always obvious and depends on the specific composition of your estate. For organisations approaching an ELA negotiation with Meraki in scope, conducting a feature utilisation audit before entering the negotiation is essential. See our complete analysis of Meraki ELA inclusion strategy and our Cisco ELA guide 2026 for the full picture. To understand how tier decisions affect your renewal compliance position, our Cisco ELA true-up guide covers the mechanics of over-deployment and true-forward adjustments. Contact Redress Compliance for an independent review of your Meraki tier strategy ahead of your next renewal.