
C8200 IPSEC - DNA LICENSE TIER - HSEC LICENSE

RaeIT
Level 1

Hello,

I am trying to clearly understand C8200-1N-4T licensing. The thing is, I need a 250 Mbps limit for encrypted traffic on this router and also an IPsec license for 200 Mbps bandwidth.

If I go by Cisco rules I would have chosen the T1 DNA license, but even if I choose T0, according to some datasheets and Q&A it would be OK, as bandwidth tiers don't get enforced with throughput, and also if the configuration includes the C8000-HSEC license the traffic is automatically up to 250 Mbps.

1:

@https://www.cisco.com/c/en/us/products/collateral/routers/catalyst-8200-series-edge-platforms/catalyst-8200-series-edge-platforms-faq.html

"HSEC is an add-on license above the Security (SEC) technology package license that provides export controls for strong levels of encryption. HSEC is available to customers in all currently non-embargoed countries, as listed by the U.S. Department of Commerce. Without an HSEC license, SEC performance is limited to 1000 tunnels and a total of 250 Mbps of IPsec throughput in each direction. An HSEC license removes this limitation. Because of these export control requirements, the HSEC license requires installation of a license key file to activate. In other words, HSEC is not an RTU license." 

2:

@https://www.cisco.com/c/en/us/products/collateral/software/one-wan-subscription/nb-06-dna-sw-rout-sub-faq-ctp-en.html 

Q. Are bandwidth or throughput tiers enforced?
A. There is no hard enforcement of non-crypto throughput tiers on any platform except the Catalyst 8000V. In all other cases, if the customer chooses to configure a throughput tier for which they do not own a valid license, they will get out-of-compliance messages and will not be entitled to Cisco Technical Assistance Center (TAC) support for related issues. Note that for all platforms without a valid HSEC license, encrypted traffic will be throttled at 250Mbps.

If anyone is familiar with Cisco licensing rules for this router, it would really help me.

Regards.

 

 


liviu.gheorghe
Spotlight

Hello @RaeIT ,

With the C8200, things are as follows:

1. You need to install a throughput license for non-encrypted traffic, which is DNA T0, T1 or T2, because those are the rules provided by Cisco, but this license is not enforced by Cisco for the C8200 platform. For example, if you install a DNA T1 license, which gives you the right to 400 Mbps bidirectional throughput on your router, and you have 800 Mbps throughput for a certain period of time, you will get a compliance warning message but your traffic will be routed normally.

2. For the encrypted traffic, you don't need the HSEC license if your encrypted traffic doesn't exceed 250 Mbps in either direction; you only need the SEC-K9 license. If you have more than 250 Mbps download or upload encrypted traffic, you will need the HSEC license.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

Hello @liviu.gheorghe,
Your explanation made it very clear to me. I can freely configure T0 then. Thank you very much.
Just a question regarding the SEC-K9 that you mentioned: I do not think it is available for the C8200 as far as I have read, only for ISR. So I am thinking it is included in HSEC? But if you meant HSECK9:
"If the throughput you order is greater than 250 Mbps, or Tier 2 or a higher tier, an HSECK9 license is required."
@https://www.cisco.com/c/en/us/td/docs/routers/cloud_edge/c8300/software_config/cat8300swcfg-xe-17-book/m-available-licenses.html#Cisco_Concept.dita_14b3156a-8ac6-430d-ad1f-666aff880189 

The most confusing thing is that if I configure T0, it adds the C8000-HSEC license by default, which leads me to think T0 is no longer up to 50Mbps Agg but more (250 in this case).

Thank you again