cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
84212
Views
35
Helpful
15
Replies

HSEC License and the 4000 series

Joe Bloggs
Level 1
Level 1

Can someone explain to me if adding on the HSEC license to the 4000 series increases the encrypted and unencrypted throughput on the 4321, 4331 and 4331 routers?

 

I have interpreted the below info from the FAQ to mean that the basic throughput is a specific value (X) with VPN throughput being significantly lower (Y). When you add the HSEC license the base forwarding throughput (X) increases as does the encrypted tunnel count and encrypted throughput (Y). Is my understanding correct?

 

"The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 225 secure tunnels and 85 Mbps of crypto bandwidth would be available."

 

https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/qa_c67-728261.html

1 Accepted Solution

Accepted Solutions

Hello Gavin,

if you look at table 3 in the second document you have provided you will see that with the HSEC license the C4321 reach 92 Mbps of effective IPSEC traffic because the built-in traffic shaper is triggered to protect the CPU.

 

As shown in Table 3, even though performance in Mbps is not reaching maximum theoretical licensed level, traffic is hitting the license shaper before CPU is maxed out.

 

Table 3.       Test Details for IPSec with Single and Multi Tunnel

IPsec Test Cases in IMIX

IPsec Single Tunnel

IPsec Multitunnel

 
 

Model

License

Mbps

Hitting Shaper

CPU %

Mbps

Hitting Shaper

CPU %

 

4321

50

45

Yes

23

45

Yes

25

 

100

92

Yes

44

92

Yes

48

 

4331

100

92

Yes

34

92

Yes

36

 

300

279

Yes

69

279

Yes

73

 

 

So I would confirm that you should also achieve an improvement in encrypted throughput with the HSEC license.

edit:

As Joseph has noted there are two different type of lycenses one for high performance and one for HSEC. I think he is right about the specific model C4321.

 

Hope to help

Giuseppe

 

View solution in original post

15 Replies 15

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Gavin,

my understanding of the FAQ document you have provided is the following:

the HSEC license allows to create more then 225 IPSEC tunnels and to go above the 85 Mbps of encrypted traffic.

I do not think the HSEC license provides an increase in throughput of unencrypted traffic that should be limited by the hardware architecture of the 4000 series.

 

Q.    Is a High Security (HSEC) license offered on the Cisco 4000 Series to achieve greater cryptographic tunnel count and throughput?
A.     Yes, an HSEC license is required to achieve more than 225 cryptographic tunnel count and 170 Mbps of total IP Security (IPsec) throughput (bidirectional traffic).
Q.    What is an HSEC license?
A.     An add-on license above the Security (SEC) technology package license, known as HSEC, provides export controls for strong levels of encryption. HSEC is available to customers in all currently nonembargoed countries as listed by the U.S. Department of Commerce. Without an HSEC license, SEC performance is limited to 225 tunnels and a total of 170 Mbps of IPsec throughput. An HSEC license removes this limitation. Because of these export control requirements, the HSEC license is the only license on the Cisco 4000 Series that requires installation of a license key file to activate. In other words, HSEC is not an RTU license.
 
And about the HW architecture:
 
Q.    What type of backplane is used between components in the Cisco 4000 Series?
A.     The 4000 Series uses multigigabit fabric (MGF) for Layer 2 connectivity between the modules. On the 4451-X, the MGF can provide either 2 Gbps to all NIM slots or up to 10 Gbps to all SM-X slots. The MGF is completely nonblocking and can forward in excess of 50 Gbps.
 
So I would expect only improvements related to IPSEC VPN scalability and encrypted throughput
 
Hope to help
Giuseppe
 

 

 

Thanks for the clarity,

So am I correct in thinking if you purchased the HSEC license for say the 4321 you would see no performance increase in VPN throughput other than the ability to have more tunnels? Or are we saying that we can go up to the 100 listed in the table below?

I am looking at

https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/white-paper-c11-734550.html

 

Performance Levels

Model

Factory Default

High-Performance License

4321

50

100

4331

100

300

4351

200

400

4431

500

1000

4451

1000

2000

There's two different licenses. One license, high performance, generally doubles the overall capacity of the router. The other license, HSEC, removes the security performance restriction, which is independent of the overall router's performance. However, if the performance restriction for crypto is less that than overall performance of the device, the HSEC restriction doesn't matter.

To quote from your referenced paper:
"The HSEC-K9 license does not apply to the Cisco 1900, 2901, 2911, and 4321 platforms because their maximum encrypted tunnel count and encrypted throughput are below the restricted limits."

Many thanks that's clarified it perfectly. I didn't click about the PERF license.

Hi Joseph

As you mentioned “There's two different licenses”

when HSEC is used together with Performance License or Booster License is there any restrictions?

 

If HSEC+Performance License are used : maximum ipsec throughput should be same as Performance License maximum throughput OR HSEC License maximum throughput OR smaller value of the two?

 

If HSEC+Booster License are used : maximum ipsec throughput should be same as HSEC License maximum throughput,right?

can someone advise me about which router should i use for the following

 

4000+ IPSEC tunnels to be created for my 4000 + locations having a small device sending some data in kbs 24x7 to a hub location where my server is there. please advise

Hi @Joseph W. Doherty 

 

You could explain this phrase:

 

"However, if the performance restriction for crypto is less that than overall performance of the device, the HSEC restriction doesn't matter."

 

What do you talk about this? This correct will be "the performance restriction for crypto is less that than overall performance..." or "the performance restriction for crypto is less that than overall performance...".

 

Looking for your example below, the maximum encrypted tunnel count and encrypted throughput = overall performance of the device is less than performance restriction for crypto so performance restriction for crypto is more than overall performance of the device.

 

 

 

 

 

Thank you!

Oops, you're quite correct, my statement is the opposite of what I intended. I.e. meant to say if the router's performance capacity is less than the security license restriction, then the latter doesn't matter.

Hello Gavin,

if you look at table 3 in the second document you have provided you will see that with the HSEC license the C4321 reach 92 Mbps of effective IPSEC traffic because the built-in traffic shaper is triggered to protect the CPU.

 

As shown in Table 3, even though performance in Mbps is not reaching maximum theoretical licensed level, traffic is hitting the license shaper before CPU is maxed out.

 

Table 3.       Test Details for IPSec with Single and Multi Tunnel

IPsec Test Cases in IMIX

IPsec Single Tunnel

IPsec Multitunnel

 
 

Model

License

Mbps

Hitting Shaper

CPU %

Mbps

Hitting Shaper

CPU %

 

4321

50

45

Yes

23

45

Yes

25

 

100

92

Yes

44

92

Yes

48

 

4331

100

92

Yes

34

92

Yes

36

 

300

279

Yes

69

279

Yes

73

 

 

So I would confirm that you should also achieve an improvement in encrypted throughput with the HSEC license.

edit:

As Joseph has noted there are two different type of lycenses one for high performance and one for HSEC. I think he is right about the specific model C4321.

 

Hope to help

Giuseppe

 

Thanks again for your knowledge. It makes sense now. Thanks

is the HSEC license available on the 4221 or are the physical limits below what is restricted without the license?

The 4221 performance capacity is under the cap of not having a HSEC license.

One thing to add is that when Smart Licensing is in use on the ISR4000/ISR1000 the HSECk9 license will be authorized/consumed only after enabling HSECk9 feature:

 

(config) # license feature hseck9

 

This is the step that is often being forgotten and in such case the HSECK9 license would not show up in the output of "show license status".

filopeter
Level 1
Level 1

Hello,

 

according the latest datasheet the ISR4K routers could perform higher IPSEC throughput just with the performance license

 

The Cisco 4000 Series has a performance-on-demand license to increase the base forwarding throughput with no hardware changes. Also present is the High Security (HSEC) license, which removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. The HSECK9 license is a separately required license for a feature to have full crypto functionality. Without the HSECK9 license, only 1000 secure tunnels and 250 Mbps of crypto bandwidth would be available.

 

The change to 250Mbps was achieved in the IOS-XE version 16.8.1 pursuant to revised Federal regulations

 

Best Regards,

 

Peter

Review Cisco Networking for a $25 gift card