Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Cisco 4331 IPsec Throughput


Hi All,


I cant seem to find a consistent answer to this.


I have a Cisco 4331 router with the performance license installed to support 300Mbps throughput. I also have the HSEC license installed to allow greater than 85Mbps crypto throughput. What I cant seem to confirm is if the HSEC license, coupled with the performance license, allows up to 300Mbps crypto throughput? Can anyone confirm if this?



Ben Samayoa

Hi there, I am attaching a  PDF doc for you and hopefully will help you with your question. Please rate it if helpful.

Leo Laohoo
VIP Community Legend

Rule of thumb is to take half the value of the bandwidth licensed.
Joseph W. Doherty
Hall of Fame Expert

Logically, yes, physically, likely not. For the latter, review the reference bensen_22 provided.

Oh, also keep in mind the throughput rating is aggregate, so if you had just one duplex, you would split the maximum across both directions.

Hi Josept,

I read from your post and someone else about ISR4331. I'm not sure i get the correct understanding or not? If it's wrong , could you please correct for me too?

1. With normal , ISR4331 aggregate throughput is 100 Mpbs.

2. If we use "Performance license" , aggregate throughput is up to 300 Mpbs.

3. But if we use IPsec with Perf Lic but no HSEC license , such IPsec site-to-site, the IPsec aggregate throughput will be not exceed 85 Mbps. And IPsec tunnel will not be exceeded 225 tunnels too.

4. If we use IPsec with Perf Lic and HSEC license, such IPsec site-to-site, the IPsec aggregate throughput will can be exceeded 85 Mpbs. But will can't exceed maximum of aggregate throughput too, such ISR4331 if we use Perf lic then max aggregate throughtput will be 300 Mbps. But with additional HSEC lic , the IPsec aggregate throughput will can't exceed 300 Mbps. And if we consider per direction, it still can't exceed  85 Mbps too.

Hi Joseph, i'm not sure something above that i understand , they are correct or not? If they are wrong ,could you please correct for me and anyone that are confusing about ISR4K license throughput too.

Thanks a lot ,


#1 I believe that's the case.

#2 Ditto.

#3 I think (?) the 65 Mbps is limited to what's generated/encrupted by router. I.e. Decryption might not be limited. Also, If the device is licencse for higher performance, that could still be applied to non-crypto traffic. (BTW, I recall reading later IOS versions have increased the default cap of 85 to 250 Mbps.)

# 4 I believe all true again except decryption might not be part of the crypto limit and also again later IOS versions may have increased the default crypto limit.

Cisco pre-sales (?) should be able to explain their licensing.


do you really need high throughput ipsec? 1Gb?

there are another solutions