
HSEC License and the 4000 series

Gavin Sparks

Can someone explain to me if adding on the HSEC license to the 4000 series increases the encrypted and unencrypted throughput on the 4321, 4331 and 4331 routers?

 

I have interpreted the below info from the FAQ to mean that the basic throughput is a specific value (X) with VPN throughput being significantly lower (Y). When you add the HSEC license the base forwarding throughput (X) increases as does the encrypted tunnel count and encrypted throughput (Y). Is my understanding correct?

 

"The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 225 secure tunnels and 85 Mbps of crypto bandwidth would be available."

 

https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/qa_c67-728261.html

Accepted Solution

Hello Gavin,

if you look at Table 3 in the second document you have provided, you will see that with the HSEC license the C4321 reaches 92 Mbps of effective IPSEC traffic because the built-in traffic shaper is triggered to protect the CPU.

 

As shown in Table 3, even though performance in Mbps is not reaching maximum theoretical licensed level, traffic is hitting the license shaper before CPU is maxed out.

 

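Table 3. Test Details for IPSec with Single and Multi Tunnel (IPsec Test Cases in IMIX)

| Model | License | Single Tunnel: Mbps | Single Tunnel: Hitting Shaper | Single Tunnel: CPU % | Multitunnel: Mbps | Multitunnel: Hitting Shaper | Multitunnel: CPU % |
|-------|---------|---------------------|-------------------------------|----------------------|-------------------|-----------------------------|--------------------|
| 4321  | 50      | 45                  | Yes                           | 23                   | 45                | Yes                         | 25                 |
| 4321  | 100     | 92                  | Yes                           | 44                   | 92                | Yes                         | 48                 |
| 4331  | 100     | 92                  | Yes                           | 34                   | 92                | Yes                         | 36                 |
| 4331  | 300     | 279                 | Yes                           | 69                   | 279               | Yes                         | 73                 |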

 

So I would confirm that you should also achieve an improvement in encrypted throughput with the HSEC license.

edit:

As Joseph has noted, there are two different types of licenses, one for high performance and one for HSEC. I think he is right about the specific model C4321.

 

Hope to help

Giuseppe

 


Giuseppe Larosa

Hello Gavin,

my understanding of the FAQ document you have provided is the following:

the HSEC license allows you to create more than 225 IPSEC tunnels and to go above the 85 Mbps of encrypted traffic.

I do not think the HSEC license provides an increase in throughput of unencrypted traffic that should be limited by the hardware architecture of the 4000 series.

 

Q.    Is a High Security (HSEC) license offered on the Cisco 4000 Series to achieve greater cryptographic tunnel count and throughput?
A.     Yes, an HSEC license is required to achieve more than 225 cryptographic tunnel count and 170 Mbps of total IP Security (IPsec) throughput (bidirectional traffic).
Q.    What is an HSEC license?
A.     An add-on license above the Security (SEC) technology package license, known as HSEC, provides export controls for strong levels of encryption. HSEC is available to customers in all currently nonembargoed countries as listed by the U.S. Department of Commerce. Without an HSEC license, SEC performance is limited to 225 tunnels and a total of 170 Mbps of IPsec throughput. An HSEC license removes this limitation. Because of these export control requirements, the HSEC license is the only license on the Cisco 4000 Series that requires installation of a license key file to activate. In other words, HSEC is not an RTU license.
 
And about the HW architecture:
 
Q.    What type of backplane is used between components in the Cisco 4000 Series?
A.     The 4000 Series uses multigigabit fabric (MGF) for Layer 2 connectivity between the modules. On the 4451-X, the MGF can provide either 2 Gbps to all NIM slots or up to 10 Gbps to all SM-X slots. The MGF is completely nonblocking and can forward in excess of 50 Gbps.
 
So I would expect only improvements related to IPSEC VPN scalability and encrypted throughput
 
Hope to help
Giuseppe
 

 

 

Thanks for the clarity,

So am I correct in thinking if you purchased the HSEC license for say the 4321 you would see no performance increase in VPN throughput other than the ability to have more tunnels? Or are we saying that we can go up to the 100 listed in the table below?

I am looking at

https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/white-paper-c11-734550.html

 

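Performance Levels

| Model | Factory Default | High-Performance License |
|-------|-----------------|--------------------------|
| 4321  | 50              | 100                      |
| 4331  | 100             | 300                      |
| 4351  | 200             | 400                      |
| 4431  | 500             | 1000                     |
| 4451  | 1000            | 2000                     |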

There's two different licenses. One license, high performance, generally doubles the overall capacity of the router. The other license, HSEC, removes the security performance restriction, which is independent of the overall router's performance. However, if the performance restriction for crypto is less that than overall performance of the device, the HSEC restriction doesn't matter.

To quote from your referenced paper:
"The HSEC-K9 license does not apply to the Cisco 1900, 2901, 2911, and 4321 platforms because their maximum encrypted tunnel count and encrypted throughput are below the restricted limits."

Many thanks that's clarified it perfectly. I didn't click about the PERF license.

Hi Joseph

As you mentioned “There's two different licenses”

When HSEC is used together with the Performance License or Booster License, are there any restrictions?

If HSEC + Performance License are used: should the maximum IPsec throughput be the same as the Performance License maximum throughput, OR the HSEC License maximum throughput, OR the smaller value of the two?

If HSEC + Booster License are used: the maximum IPsec throughput should be the same as the HSEC License maximum throughput, right?

Can someone advise me about which router I should use for the following:

4000+ IPSEC tunnels to be created for my 4000+ locations, each having a small device sending some data in kbs 24x7 to a hub location where my server is. Please advise.

Hi @Joseph W. Doherty 

 

You could explain this phrase:

 

"However, if the performance restriction for crypto is less that than overall performance of the device, the HSEC restriction doesn't matter."

 

What do you talk about this? This correct will be "the performance restriction for crypto is less that than overall performance..." or "the performance restriction for crypto is less that than overall performance...".

 

Looking for your example below, the maximum encrypted tunnel count and encrypted throughput = overall performance of the device is less than performance restriction for crypto so performance restriction for crypto is more than overall performance of the device.

 

 

 

 

 

Thank you!

Oops, you're quite correct, my statement is the opposite of what I intended. I.e. meant to say if the router's performance capacity is less than the security license restriction, then the latter doesn't matter.


Thanks again for your knowledge. It makes sense now. Thanks

Is the HSEC license available on the 4221, or are the physical limits below what is restricted without the license?

The 4221 performance capacity is under the cap of not having a HSEC license.

One thing to add is that when Smart Licensing is in use on the ISR4000/ISR1000 the HSECk9 license will be authorized/consumed only after enabling HSECk9 feature:

 

(config) # license feature hseck9

 

This is the step that is often being forgotten and in such case the HSECK9 license would not show up in the output of "show license status".

filopeter

Hello,

 

According to the latest datasheet, the ISR4K routers could perform higher IPSEC throughput just with the performance license:

 

The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 1000 secure tunnels and 250 Mbps of crypto bandwidth would be available.

 

The change to 250 Mbps was achieved in IOS-XE version 16.8.1 pursuant to revised Federal regulations.

 

Best Regards,

 

Peter
