
DMVPN & HSEC license scalability query

dnsroot13
Level 1

Hi Guys,

We have a 3900 router, detailed below, which is currently acting as a DMVPN hub:

C3900-SPE250/K9(CISCO3945-CHASSIS)

c3900e-universalk9-mz.SPA.151-4.M4.bin

"Need advice on whether we should buy the HSEC license if it goes up to 125 spokes (sites) connecting via this 3945 DMVPN router."

Below is the required command output showing the current settings on the router, which has the seck9 license.

Upon researching, I found the following information.

Without the HSEC solution, the 3945 ISR supports 255 IPSec tunnels. If you add HSEC, it can scale up to 2000 IPSec tunnels.

Now, if you look at the output below, IPSec-Session shows 212 active, 6399 max, and Number of tunnels shows a max of 225. So for the above-mentioned new spokes, will the HSEC license be required (as there are 2 things: IPSec sessions and active tunnels)?

Currently we have around 110 spokes (sites) connected to the 3945 hub router.



Reference:
HSEC-K9 License
http://www3.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/q-and-a-c67-606268.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/118746-technote-isr-00.html#anc1
show crypto eli detail

show crypto isa sa count
show crypto ipsec sa count
show platform cerm-information

----------------------------------

 sh crypto eli
Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine Onboard VPN details: state = Active
 Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

 IPSec-Session :   212 active,  6399 max, 0 failed

-------------------------------------

sh crypto isakmp sa count
Active ISAKMP SA's: 101
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0

=============================

sh crypto ipsec sa cou
IPsec SA total: 208, active: 204, rekeying: 4, unused: 0, invalid: 0

============================

#sh platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: ENABLED

 ----------------------------------------------------------------
 Resource                 Maximum Limit    Available
 ----------------------------------------------------------------
 Tx Bandwidth(in kbps)    85000            85000
 Rx Bandwidth(in kbps)    85000            85000
 Number of tunnels        225              123
 Number of TLS sessions   1000             1000

 Resource reservation information:
 D - Dynamic
 -----------------------------------------------------------------------
 Client   Tx Bandwidth   Rx Bandwidth   Tunnels    TLS Sessions
          (in kbps)      (in kbps)
 -----------------------------------------------------------------------
 VOICE    0              0              0          0
 IPSEC    D              D              102        N/A
 SSLVPN   D              D              0          N/A

 Statistics information:
 Failed tunnels     : 0
 Failed sessions    : 0
 Failed tx bandwidth: 0
 Failed rx bandwidth: 0
 Failed encrypt pkts: 0
 Failed decrypt pkts: 0
 Failed encrypt pkt bytes: 0
 Failed decrypt pkt bytes: 0
 Passed encrypt pkts: 23746321255
 Passed decrypt pkts: 20079132018
 Passed encrypt pkt bytes: 21892230873508
 Passed decrypt pkt bytes: 9815317896176

==========================
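
The tunnel limit reported by `show platform cerm-information` in the post above can be checked against a planned spoke count with a short script. This is an added example, not part of the original post: the function names, the one-tunnel-per-spoke ratio and the reading of a nonzero "Failed tunnels" counter as a limit hit are assumptions, and the sample text is the post's CERM output with the fused columns separated.

```python
import re

# Constructed sample: CERM rows from the post, columns separated by spaces
# (Resource / Maximum Limit / Available), plus the "Failed tunnels" counter.
SAMPLE = """\
 Tx Bandwidth(in kbps)   85000  85000
 Rx Bandwidth(in kbps)   85000  85000
 Number of tunnels       225    123
 Number of TLS sessions  1000   1000
 Failed tunnels     : 0
"""

ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<max>\d+)\s+(?P<avail>\d+)\s*$")
FAILED = re.compile(r"^\s*Failed tunnels\s*:\s*(\d+)\s*$", re.MULTILINE)


def parse_cerm(text):
    """Return {resource: (maximum, available)} for each resource row."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m["name"]] = (int(m["max"]), int(m["avail"]))
    return table


def tunnel_headroom(text, planned_spokes, tunnels_per_spoke=1):
    """Compare projected tunnel demand with the CERM tunnel limit.

    tunnels_per_spoke=1 is an assumption; adjust it for designs that
    build more than one tunnel per site (for example, dual hubs).
    """
    table = parse_cerm(text)
    if "Number of tunnels" not in table:
        raise ValueError("no 'Number of tunnels' row in CERM output")
    maximum, available = table["Number of tunnels"]
    failed = FAILED.search(text)
    needed = planned_spokes * tunnels_per_spoke
    return {
        "max": maximum,
        "in_use": maximum - available,
        "needed": needed,
        "spare_after_growth": maximum - needed,
        "fits": needed <= maximum,
        # Assumption: a nonzero counter means tunnels were already refused.
        "limit_already_hit": bool(failed and int(failed.group(1)) > 0),
    }
```

The check reads the "Number of tunnels" row, not the crypto engine's IPSec-Session maximum, and it does not look at the Tx/Rx bandwidth rows, which are separate limits in the same table.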

 

1 Accepted Solution


Philip D'Ath
VIP Alumni

Yes, I would buy the HSEC licence.  With that many spokes I would have suggested you buy it anyway, regardless of the SA count.

Thanks Philip