02-07-2018 05:17 AM - edited 03-05-2019 09:53 AM
Can someone explain to me if adding on the HSEC license to the 4000 series increases the encrypted and unencrypted throughput on the 4321, 4331 and 4331 routers?
I have interpreted the below info from the FAQ to mean that the basic throughput is a specific value (X) with VPN throughput being significantly lower (Y). When you add the HSEC license the base forwarding throughput (X) increases as does the encrypted tunnel count and encrypted throughput (Y). Is my understanding correct?
"The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 225 secure tunnels and 85 Mbps of crypto bandwidth would be available."
02-07-2018 06:39 AM - edited 02-07-2018 06:43 AM
Hello Gavin,
If you look at Table 3 in the second document you have provided, you will see that with the HSEC license the C4321 reaches 92 Mbps of effective IPSEC traffic because the built-in traffic shaper is triggered to protect the CPU.
As shown in Table 3, even though performance in Mbps is not reaching maximum theoretical licensed level, traffic is hitting the license shaper before CPU is maxed out.
Table 3. Test Details for IPSec with Single and Multi Tunnel
IPsec Test Cases in IMIX

| Model | License | Single Tunnel: Mbps | Single Tunnel: Hitting Shaper | Single Tunnel: CPU % | Multitunnel: Mbps | Multitunnel: Hitting Shaper | Multitunnel: CPU % |
|---|---|---|---|---|---|---|---|
| 4321 | 50 | 45 | Yes | 23 | 45 | Yes | 25 |
| 4321 | 100 | 92 | Yes | 44 | 92 | Yes | 48 |
| 4331 | 100 | 92 | Yes | 34 | 92 | Yes | 36 |
| 4331 | 300 | 279 | Yes | 69 | 279 | Yes | 73 |

So I would confirm that you should also achieve an improvement in encrypted throughput with the HSEC license.
edit:
As Joseph has noted, there are two different types of licenses: one for high performance and one for HSEC. I think he is right about the specific model C4321.
Hope to help
Giuseppe
02-07-2018 05:53 AM
Hello Gavin,
My understanding of the FAQ document you have provided is the following:
The HSEC license allows you to create more than 225 IPSEC tunnels and to go above the 85 Mbps of encrypted traffic.
I do not think the HSEC license provides an increase in throughput of unencrypted traffic that should be limited by the hardware architecture of the 4000 series.
02-07-2018 06:11 AM
Thanks for the clarity,
So am I correct in thinking if you purchased the HSEC license for say the 4321 you would see no performance increase in VPN throughput other than the ability to have more tunnels? Or are we saying that we can go up to the 100 listed in the table below?
I am looking at
Performance Levels

| Model | Factory Default | High-Performance License |
|---|---|---|
| 4321 | 50 | 100 |
| 4331 | 100 | 300 |
| 4351 | 200 | 400 |
| 4431 | 500 | 1000 |
| 4451 | 1000 | 2000 |

02-07-2018 06:25 AM
02-07-2018 07:03 AM
03-18-2019 12:56 AM
Hi Joseph
As you mentioned “There's two different licenses”
When HSEC is used together with the Performance License or Booster License, are there any restrictions?
If HSEC+Performance License are used: maximum ipsec throughput should be the same as Performance License maximum throughput OR HSEC License maximum throughput OR the smaller value of the two?
If HSEC+Booster License are used: maximum ipsec throughput should be the same as HSEC License maximum throughput, right?
03-22-2019 02:05 AM
Can someone advise me about which router I should use for the following:
4000+ IPSEC tunnels to be created for my 4000+ locations, each having a small device sending some data in kbs 24x7 to a hub location where my server is. Please advise.
05-28-2020 03:21 PM
You could explain this phrase:
"However, if the performance restriction for crypto is less that than overall performance of the device, the HSEC restriction doesn't matter."
What do you talk about this? This correct will be "the performance restriction for crypto is less that than overall performance..." or "the performance restriction for crypto is less that than overall performance...".
Looking for your example below, the maximum encrypted tunnel count and encrypted throughput = overall performance of the device is less than performance restriction for crypto so performance restriction for crypto is more than overall performance of the device.
Thank you!
05-28-2020 04:51 PM
02-07-2018 07:03 AM
03-09-2018 08:21 PM
Is the HSEC license available on the 4221, or are the physical limits below what is restricted without the license?
03-12-2018 12:20 PM
05-18-2019 01:58 AM
One thing to add is that when Smart Licensing is in use on the ISR4000/ISR1000 the HSECk9 license will be authorized/consumed only after enabling HSECk9 feature:
(config) # license feature hseck9
This is the step that is often forgotten, and in that case the HSECK9 license would not show up in the output of "show license status".
05-07-2019 11:06 AM
Hello,
According to the latest datasheet, the ISR4K routers could perform higher IPSEC throughput just with the performance license:
The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 1000 secure tunnels and 250 Mbps of crypto bandwidth would be available.
The change to 250 Mbps was achieved in IOS-XE version 16.8.1 pursuant to revised Federal regulations.
Best Regards,
Peter