Ipsec router with 2x10G SFP ports, which would support ~5gb/s IPSec

from88 · ‎09-12-2024

Hello,

I need 1x Ipsec router with 2x10G SFP interfaces, which would support ~4-5gb/s throughput of tunneled IPSec traffic. With no need of anything like DNA, just basic routing and ipsec f-nality.

The one we looked for was: Cisco 8300-1N1S-4T2X, but the bandwidth Tier 3 license to support more than 2gb/s of traffic costs about ~17K USD. So totally one router would cost ~25k. That's hell of a price comparing homemade with Linux router + Strongswan/Wireguard setup.

The Cisco licensing is quite difficult so maybe you can say do i'm correct saying that i need that expensive licesnse called DNA-P-T3-P-3Y ? Which list price is almost 40K USD ?

Maybe some lower license would work for ~4-5gb/s throughput of tunneled IPSec traffic without any DNA ?

parshant-mishra91 · ‎09-12-2024

Greeting,One of my site is using cisco C8200L-1N-4T router and Bandwidth of link is 16 M ideally we will use the below mention DNA IPsec licence. Now we are upgrading the link from 16 M to 30 M then generally we will use the T1 license instead of T0. Could you please support to share the command from where i can see the currently DNA license is used.

Because if i am checking the throughput of device then it showing the 250 M but on DNA T0 licence throughput is Max. 50 M.

Giuseppe Larosa · ‎09-12-2024

Hello @from88 ,

from the following document yes it looks like you need both the Tier 3 DNA license and the HSEC K9 license in order to make a complete BOM.

From the table 3 it looks like that for 5 Gbps IPSec throughput you should go to the Cat 8500 models.

Hope to help

Giuseppe

https://www.cisco.com/c/en/us/td/docs/routers/cloud_edge/c8300/software_config/cat8300swcfg-xe-17-book/m-available-licenses.html?dtid=osscdc000283#tier-and-numeric-throughput-mapping

we see

Table 3

from88 · ‎09-12-2024

thanks, now i'm confused - here it seems:

That Cisco 8300-1N1S-4T2X supports ~5Gb/s IMIX crypto performance.

Giuseppe Larosa · ‎09-12-2024

Hello @from88 ,

ok the table you have provided says the model 8300-1N1S-4T2X can support 6,6 Gbps IPsec traffic with IMIX so it looks like it has the performance for your current needs.

You need to take in account both licenses HSECK9 and DNA Tier3 to make an offer.

By the way the licensing Table 3 reports the following and this is a little misleading as it appears Tier 3 = 2,5 Gbps

Hope to help

Giuseppe

parshant-mishra91 · ‎09-12-2024

Hello Giuseppe,

Could you please confirm how we can verify DNA-P-T1-E-3Y license is installed on Cisco 8200 Chassis ??

and also please confirm what is the requirement of DNA-P-T1-E-3Y

Giuseppe Larosa · ‎09-13-2024

Hello @parshant-mishra91 ,

you can use the following show command

show license summary

see link below

https://www.cisco.com/c/en/us/td/docs/routers/cloud_edge/c8300/software_config/cat8300swcfg-xe-17-book/m-available-licenses.html?dtid=osscdc000283

For Cat 8200 models Tier 1 means IPSec throughput between 25 Mbps and 100 Mbps .

Depending on the number of IPSec tunnels you may need the HSECK9 license also

Edit:

before there is the following note:

When you purchase a license PID with a tier-based throughput value of T1, an HSECK9 license is automatically provided.

Hope to help

Giuseppe